Activities of Adina-Ioana VĂLEAN related to 2012/0011(COD)
Shadow opinions (1)
OPINION on the proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)
Amendments (485)
Amendment 190 #
Proposal for a regulation
Recital 23
Recital 23
(23) The principles of protection should apply to anyonly to specific information concerning an identified or identifiable person. To determine whether a person is identifiable, account should be taken of all: (i) only of those means likely reasonably to be used either by the controller or by any other natural or legal person to identify the individual, and (ii) of the reasonable likeliness of a person being identified. The principles of data protection should not apply to data rendered anonymous in such a way that the data subject is no longer identifiable from the data.
Amendment 191 #
Proposal for a regulation
Recital 23 a (new)
Recital 23 a (new)
(23a) This regulation recognises that pseudonymisation is in the benefit of all data subjects as, by definition, personal data is altered so that it of itself cannot be attributed to a data subject without the use additional data. By this, controllers shall be encouraged to the practice of pseudonymising data.
Amendment 193 #
Proposal for a regulation
Recital 24
Recital 24
(24) When using online services, individuals may be associated with online identifiers provided by their devices, applications, tools and protocols, such as Internet Protocol addresses or cookie identifiers. This may leave traces which, combined with unique identifiers and other information received by the servers, may be used to create profiles of the individuals and identify them. It follows that identification numbers, location data, online identifiers or other specific factors as such need not necessarily be considered as personal data in all circumstances.
Amendment 198 #
Proposal for a regulation
Recital 25
Recital 25
(25) Consent should be given explicitunambiguously by any appropriate method within the context of the product or service being offered enabling a freely given specific and informed indication of the data subject's wishes, either by a statement or by a clear affirmative action by the data subject, ensuring that individuals are aware that they give their consent to the processing of personal data, including by ticking a box when visiting an Internet website or by any other statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of their personal data. Silence or inactivity should therefore not constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. If the data subject's consent is to be given following an electronic request, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
Amendment 199 #
Proposal for a regulation
Recital 25 a (new)
Recital 25 a (new)
(25a) This regulation recognises that the pseudonymisation of data can help minimise the risks to privacy of data subjects. To the extent that a controller pseudonymises data such processing shall be considered justified as a legitimate interest of the controller according to point (f) of paragraph 1 of Article 6.
Amendment 200 #
Proposal for a regulation
Recital 26
Recital 26
(26) Personal data relating to health should include in particular all personal data pertaining to the health status of a data subject; information about the registration of the individual for the provision of health services; information about payments or eligibility for healthcare with respect to the individual; a number, symbol or particular assigned to an individual to uniquely identify the individual for health purposes; any information about the individual collected in the course of the provision of health services to the individual; informationpersonal data derived from the testing or examination of a body part or, bodily substance, including or biological samples; identification of a person as provider of healthcare to the individual; or any information on e.g. a disease, disability, disease risk, medical history, clinical treatment, or the actual physiological or biomedical state of the data subject independent of its source, such as e.g. from a physician or other health professional, a hospital, a medical device, or an in vitro diagnostic test.
Amendment 204 #
Proposal for a regulation
Recital 28
Recital 28
(28) A group of undertakings should cover a controlling undertaking and its controlled undertakings, whereby the controlling undertaking should be the undertaking which can exercise a dominant influence over the other undertakings by virtue, for example, of ownership, financial participation or the rules which govern it or the power to have personal data protection rules implemented. A group of undertakings may nominate a single main establishment in the Union.
Amendment 213 #
Proposal for a regulation
Recital 34
Recital 34
Amendment 225 #
Proposal for a regulation
Recital 40
Recital 40
(40) The processing of personal data for other purposes should be only allowed where the processing is compatible with those purposes for which the data have been initially collected, in particularsuch as where the processing is necessary for historical, statistical or scientific research purposes. Where the other purpose is not compatible with the initial one for which the data are collected, the controller should obtain the consent of the data subject for this other purpose or should base the processing on another legitimate ground for lawful processing, in particular where provided by Union law or the law of the Member State to which the controller is subject. In any case, the application of the principles set out by this Regulation and in particular the information of the data subject on those other purposes should be ensured.
Amendment 236 #
Proposal for a regulation
Recital 51
Recital 51
(51) Any person should have the right of access to personal data which has been collected concerning them, and to exercise this right easily, in order to be aware and verify the lawfulness of the processing. Every data subject should therefore have the right to know and obtain communication in particular for what purposes the personal data are processed, for what period, which recipients receive the personal data, what is the logic of the personal data that are undergoing the processing and what might be, at least when based on profiling, the consequences of such processing. This right should not adversely affect the rights and freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software. However, the result of these considerations should not be that all information is refused to the data subject.
Amendment 238 #
Proposal for a regulation
Recital 52
Recital 52
(52) The controller should use all reasonable measures within the context of the product or service being provided, or otherwise within the context of the relationship between the controller and the data subject, and the sensitivity of the personal data being processed to verify the identity of a data subject that requests access, in particular in the context of online services and online identifiers. A controller should not retain nor be forced to gather personal data for the unique purpose of being able to react to potential requests.
Amendment 250 #
Proposal for a regulation
Recital 61
Recital 61
(61) To meet consumer and business expectations around the protection of the rights and freedoms of data subjects with regard to the processing of personal data require that appropriate technical and, appropriate organisational measures armay be taken, both at the time of the design of the processing and at the time of the processing itself, to ensure that the requirements of this Regulation are met. In order to ensure and demonstrate compliance with this Regulation, the controller should adopt internal policies and implement appropriate measures, which meet in particular the principles of data protection by design and data protection by defaultMeasures having as an objective to increase consumer information and ease of choice shall be encouraged, based on industry cooperation and favouring innovative solutions, products and services.
Amendment 252 #
Proposal for a regulation
Recital 62
Recital 62
(62) The protection of the rights and freedoms of data subjects as well as the responsibility and liability of controllers and processor, also in relation to the monitoring by and measures of supervisory authorities, requires a clear attribution of the responsibilities under this Regulation, including where a controller determines the purposes, conditions and means of the processing jointly with other controllers or where a processing operation is carried out on behalf of a controller.
Amendment 253 #
Proposal for a regulation
Recital 62
Recital 62
(62) The protection of the rights and freedoms of data subjects as well as the responsibility and liability of controllers and processor, also in relation to the monitoring by and measures of supervisory authorities, requires a clear attribution of the responsibilities under this Regulation, including where a controller determines the purposes, conditions and means of the processing jointly with other controllers or where a processing operation is carried out on behalf of a controller.
Amendment 256 #
Proposal for a regulation
Recital 65
Recital 65
(65) In order to demonstrate compliance with this Regulation, the controller or processor should document each processing operation under its responsibility. Each controller and processor should be obliged to co-operate with the supervisory authority and make this documentation, on request, available to it, so that it might serve for monitoring those processing operations.
Amendment 263 #
Proposal for a regulation
Recital 70
Recital 70
(70) Directive 95/46/EC provided for a general obligation to notify processing of personal data to the supervisory authorities. While this obligation produces administrative and financial burdens, it did not in all cases contribute to improving the protection of personal data. Therefore such indiscriminate general notification obligation should be abolished, and replaced by effective procedures and mechanism which focus instead on those processing operations which are likely to present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes. In such cases, a data protection impact assessment should be carried out by the controller or processor prior to the processing, which should include in particular the envisaged measures, safeguards and mechanisms for ensuring the protection of personal data and for demonstrating the compliance with this Regulation.
Amendment 265 #
Proposal for a regulation
Recital 74
Recital 74
(74) Where a data protection impact assessment indicates that processing operations involve a high degree of specific risks to the rights and freedoms of data subjects, such as excluding individuals from their right, or by the use of specific new technologies, the supervisory authority should be consulted, prior to the start of operations, on a risky processing which might not be in compliance with this Regulation, and to make proposals to remedy such situation. Such consultation should equally take place in the course of the preparation either of a measure by the national parliament or of a measure based on such legislative measure which defines the nature of the processing and lays down appropriate safeguards.
Amendment 274 #
Proposal for a regulation
Recital 84
Recital 84
(84) The possibility for the controller or processor to use standard data protection clauses adopted by the Commission or by a supervisory authority should neither prevent the possibility for controllers or processors to include the standard data protection clauses in a wider contract nor to add other clauses as long as they do not contradict, directly or indirectly, the standard contractual clauses adopted by the Commission or by a supervisory authority or prejudice the fundamental rights or freedoms of the data subjects. In some scenarios, it may be appropriate to encourage controllers and processors to provide even more robust safeguards via additional contractual commitments that supplement standard data protection clauses.
Amendment 285 #
Proposal for a regulation
Recital 97
Recital 97
(97) Where the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union takes place in more than one Member State, one single supervisory authority should be competent for monitoring the activities of the controller or processor throughout the Union and taking the related decisions, in order to increase the consistent application, provide legal certainty and reduce administrative burden for such controllers and processors.
Amendment 288 #
Proposal for a regulation
Recital 105
Recital 105
(105) In order to ensure the consistent application of this Regulation throughout the Union, a consistency mechanism for co-operation between the supervisory authorities themselves and the Commission should be established. This mechanism should in particular apply where athe competent supervisory authority intends to take a measure as regards processing operations that are related to the offering of goods or services to data subjects in several Member States, , or to the monitoring such data subjects, or that might substantially affect the free flow of personal data. It should also apply where any supervisory authority or the Commission requests that the matter should be dealt with in the consistency mechanism. This mechanism should be without prejudice to any measures that the Commission may take in the exercise of its powers under the Treaties.
Amendment 297 #
Proposal for a regulation
Recital 129
Recital 129
(129) In order to fulfil the objectives of this Regulation, namely to protect the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data, and to ensure the free movement of personal data within the Union, the power to adopt acts in accordance with Article 290 of the Treaty on the Functioning of the European Union should be delegated to the Commission. In particular, delegated acts should be adopted in respect of lawfulness of processing; specifying the criteria and conditions in relation to the consent of a child; processing of special categories of data; specifying the criteria and conditions for manifestly excessive requests and fees for exercising the rights of the data subject; criteria and requirements for the information to the data subject and in relation to the right of access; the right to be forgotten and to erasure; measures based on profiling; criteria and requirements in relation to the responsibility of the controller and to data protection by design and by default; a processor; criteria and requirements for the documentation and the security of processing; criteria and requirements for establishing a personal data breach and for its notification to the supervisory authority, and on the circumstances where a personal data breach is likely to adversely affect the data subject; the criteria and conditions for processing operations requiring a data protection impact assessment; the criteria and requirements for determining a high degree of specific risks which require prior consultation; designation and tasks of the data protection officer; codes of conduct; criteria and requirements for certification mechanisms; criteria and requirements for transfers by way of binding corporate rules; transfer derogations; administrative sanctions; processing for health purposes; processing in the employment context and processing for historical, statistical and scientific research purposes. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level. The Commission, when preparing and drawing-up delegated acts, should ensure a simultaneous, timely and appropriate transmission of relevant documents to the European Parliament and Councilppropriate industry-led measures and policies shall take due account of the principles of technology, service and business model neutrality so as to favour the free movement of personal data within the Union.
Amendment 299 #
Proposal for a regulation
Recital 130
Recital 130
(130) In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission for: specifying standard forms in relation to the processing of personal data of a child; standard procedures and forms for exercising the rights of data subjects; standard forms for the information to the data subject; standard forms and procedures in relation to the right of access; the right to data portability; standard forms in relation to the responsibility of the controller to data protection by design and by default and to the documentation; specific requirements for the security of processing; the standard format and the procedures for the notification of a personal data breach to the supervisory authority and the communication of a personal data breach to the data subject; standards and procedures for a data protection impact assessment; forms and procedures for prior authorisation and prior consultation; technical standards and mechanisms for certification; the adequate level of protection afforded by a third country or a territory or a processing sector within that third country or an international organisation; disclosures not authorized by Union law; mutual assistance; joint operations; decisions under the consistency mechanism. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament andimplementing the provisions of this Regulation, it shall be ensured that no mandatory requirements for specific technical features are imposed on products and services, including terminal or other electronic communications equipment, which could impede the placing of equipment ofn the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by the Member States of the Commission's exercise of implemarket and the free circulation of such equipment ing powers46 . In this context, the Commission should consider specific measures for micro, small and medium- sized enterpris and between Member States.
Amendment 300 #
Proposal for a regulation
Recital 130
Recital 130
(130) In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission for: specifying standard forms in relation to the processing of personal data of a child; standard procedures and forms for exercising the rights of data subjects; standard forms for the information to the data subject; standard forms and procedures in relation to the right of access; the right to data portability; standard forms in relation to the responsibility of the controller to data protection by design and by default and to the documentation; specific requirements for the security of processing; the standard format and the procedures for the notification of a personal data breach to the supervisory authority and the communication of a personal data breach to the data subject; standards and procedures for a data protection impact assessment; forms and procedures for prior authorisation and prior consultation; technical standards and mechanisms for certification; the adequate level of protection afforded by a third country or a territory or a processing sector within that third country or an international organisation; disclosures not authorized by Union law; mutual assistance; joint operations; decisions under the consistency mechanism. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by the Member States of the Commission's exercise of implementing powers46 . In this context, the Commission should consider specific measures for micro, small and medium- sized enterpris. In implementing the provisions of this Regulation, it shall be ensured that no mandatory requirements for specific technical features are imposed on products and services, including terminal or other electronic communications equipment, which could impede the placing of equipment on the market and the free circulation of such equipment in and between Member States.
Amendment 303 #
Proposal for a regulation
Recital 139
Recital 139
(139) In view of the fact that, as underlined by the Court of Justice of the European Union, the right to the protection of personal data is not an absolute right, but must be considered in relation to its function in society and the actual and potential advances in science, health and technology and be balanced with other fundamental rights, in accordance with the principle of proportionality, this Regulation respects all fundamental rights and observes the principles recognised in the Charter of Fundamental Rights of the European Union as enshrined in the Treaties, notably the right to respect for private and family life, home and communications, the right to the protection of personal data, the freedom of thought, conscience and religion, the freedom of expression and information, the freedom to conduct a business, the right to property and in particular the protection of intellectual property the right to an effective remedy and to a fair trial as well as cultural, religious and linguistic diversity.
Amendment 308 #
Proposal for a regulation
Article 2 – paragraph 1
Article 2 – paragraph 1
1. This Regulation applies to the processing of personal data wholly or partly by automated means, without discrimination between such processing means, and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
Amendment 318 #
Proposal for a regulation
Article 2 – paragraph 2 – point e a (new)
Article 2 – paragraph 2 – point e a (new)
(ea) which have been rendered anonymous within the meaning of Article 4(2(b)(new);
Amendment 324 #
Proposal for a regulation
Article 4 – paragraph 1 – point 1
Article 4 – paragraph 1 – point 1
(1) ‘data subject’ means an identified natural person or a natural person who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person and who is not acting in his/her professional capacity;
Amendment 328 #
Proposal for a regulation
Article 4 – paragraph 1 – point 2
Article 4 – paragraph 1 – point 2
(2) ‘personal data’ means any informationdata specifically relating to a data subject whose specific identity can be identified, directly or indirectly by the controller;
Amendment 329 #
Proposal for a regulation
Article 4 – paragraph 1 – point 2 a (new)
Article 4 – paragraph 1 – point 2 a (new)
(2a) 'identification number' means any numeric, alphanumeric or similar code typically used in the online space, excluding codes assigned by a public or state controlled authority to identify a natural person as an individual.
Amendment 335 #
Proposal for a regulation
Article 4 – paragraph 1 – point 5
Article 4 – paragraph 1 – point 5
(5) ‘controller’ means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes, conditions and means of the processing of personal data; where the purposes, conditions and means of processing are determined by Union law or Member State law, the controller or the specific criteria for his nomination may be designated by Union law or by Member State law;
Amendment 336 #
Proposal for a regulation
Article 4 – paragraph 1 – point 5
Article 4 – paragraph 1 – point 5
(5) ‘'controller’' means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes, conditions and means of the processing of personal data; where the purposes, conditions and means of processing are determined by Union law or Member State law, the controller or the specific criteria for his nomination may be designated by Union law or by Member State law;
Amendment 337 #
Proposal for a regulation
Article 4 – paragraph 1 – point 6
Article 4 – paragraph 1 – point 6
(6) ‘processor’ means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller; is able to access personal data in a technically feasible way, without disproportionate effort, and is reasonably likely to gain knowledge of its content;
Amendment 340 #
Proposal for a regulation
Article 4 – paragraph 1 – point 8
Article 4 – paragraph 1 – point 8
(8) ‘the data subject's consent’ means any freely given specific, informed and explicitunambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed;
Amendment 345 #
Proposal for a regulation
Article 4 – paragraph 1 – point 10
Article 4 – paragraph 1 – point 10
(10) ‘genetic data’ means all data, of whatever type, concerning the characteristics of an individual which are inherited or acquired during early prenatal developmentinformation on the hereditary characteristics, or alteration thereof, of an identified or identifiable person, obtained through nucleic acid analysis;
Amendment 346 #
Proposal for a regulation
Article 4 – paragraph 1 – point 12
Article 4 – paragraph 1 – point 12
(12) ‘data concerning health’ means any informationpersonal data which relates to the physical or mental health of an individual, or to the provision of health services to the individual;
Amendment 350 #
Proposal for a regulation
Article 4 – paragraph 1 – point 13 a (new)
Article 4 – paragraph 1 – point 13 a (new)
(13a) 'competent supervisory authority' means the supervisory authority which shall be solely competent for the supervision of a controller in accordance with Articles 51(2), 51(3) and 51(4).
Amendment 351 #
Proposal for a regulation
Article 4 – paragraph 1 – point 14
Article 4 – paragraph 1 – point 14
(14) ‘representative’ means any natural or legal person established in the Union who, explicitly designated by the controller, acts and mayshall be addressed by anythe competent supervisory authority and other bodies in the Union instead of the controller, with regard to the obligations of the controller under this Regulation;
Amendment 352 #
Proposal for a regulation
Article 4 – paragraph 1 – point 14
Article 4 – paragraph 1 – point 14
(14) ‘representative’ means any natural or legal person established in the Union who, explicitly designated by the controller, acts and mashall only be addressed by any supervisory authority and other bodies in the Union instead of the controllerof the establishment of the representative, with regard to the obligations of the controller under this Regulation;
Amendment 354 #
Proposal for a regulation
Article 4 – paragraph 1 – point 18
Article 4 – paragraph 1 – point 18
(18) ‘child’ means any person below the age of 183 years;
Amendment 356 #
Proposal for a regulation
Article 4 – paragraph 1 – point 19 a (new)
Article 4 – paragraph 1 – point 19 a (new)
(19a) 'financial crime' means criminal offences in connection with organised crime, racketeering, terrorism, terrorist financing, trafficking in human beings, migrant smuggling, sexual exploitation, trafficking in narcotic drugs and psychotropic substances, illegal arms trafficking, trafficking in stolen goods, corruption, bribery, fraud, counterfeiting currency, counterfeiting and piracy of products, environmental offences, kidnapping, illegal restraint and hostage- taking, robbery, theft, smuggling, offences related to taxation, extortion, forgery, piracy, insider trading and market manipulation.
Amendment 358 #
Proposal for a regulation
Article 5 – paragraph 1 – point c
Article 5 – paragraph 1 – point c
(c) adequate, relevant, and limited to the minimum necessaryproportionate in relation to the purposes for which they are processed; they shall only be processed if, and as long as, the purposes could not be fulfilled by processing information that does not involve personal data;
Amendment 360 #
Proposal for a regulation
Article 5 – paragraph 1 – point d
Article 5 – paragraph 1 – point d
(d) accurate and where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without undue delay;
Amendment 361 #
Proposal for a regulation
Article 5 – paragraph 1 – point e
Article 5 – paragraph 1 – point e
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the data will be processed solely for historical, statistical or scientific research purposes in accordance with the rules and conditions of Article 83 and if a periodic review is carried out to assess the necessity to continue the storage;
Amendment 364 #
Proposal for a regulation
Recital 14
Recital 14
(14) This Regulation does not address issues of protection of fundamental rights and freedoms or the free flow of data related to activities which fall outside the scope of Union law, nor does it cover the processing of personal data by the Union institutions, bodies, offices and agencies, which are subject to Regulation (EC) No 45/2001, or the processing of personal data by the Member States when carrying out activities in relation to the common foreign and security policy of the Union.
Amendment 366 #
Proposal for a regulation
Article 6 – paragraph 1 – point c
Article 6 – paragraph 1 – point c
(c) processing is necessary for compliance with a legal obligation to which the controller is subject, regulatory rule, guidance, industry code of practice, either domestically or internationally to which the controller is subject including the requirements of supervisory authorities;
Amendment 367 #
Proposal for a regulation
Article 6 – paragraph 1 – point d a (new)
Article 6 – paragraph 1 – point d a (new)
(da) processing of data necessary to ensure network and information security;
Amendment 370 #
Proposal for a regulation
Article 6 – paragraph 1 – point f
Article 6 – paragraph 1 – point f
(f) processing is necessary for the purposes of the legitimate interests pursued by a controller in adequacy with points (a) to (e) of the same paragraph, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks.
Amendment 372 #
Proposal for a regulation
Article 6 – paragraph 1 – point f
Article 6 – paragraph 1 – point f
(f) processing is necessary for the purposes of the legitimate interests pursued by a controller, or on behalf of, a controller or a processor, including for the security of processing, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks.
Amendment 375 #
Proposal for a regulation
Article 6 – paragraph 1 – point f a (new)
Article 6 – paragraph 1 – point f a (new)
(fa) the data are collected from public registers, lists or documents accessible by everyone;
Amendment 376 #
Proposal for a regulation
Recital 19
Recital 19
(19) Any processing of personal data of data subjects residing in the Union in the context of the activities of an establishment of a controller or a processor in the Union should be carried out in accordance with this Regulation, regardless of whether the processing itself takes place within the Union or not. Establishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in this respect.
Amendment 378 #
Proposal for a regulation
Recital 20
Recital 20
(20) In order to ensure that individuals are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects residing in the Union by a controller not established in the Union should be subject to this Regulation where the processing activities are related to the offering of goods or services to such data subjects, or to the monitoring of the behaviour of such data subjects.
Amendment 380 #
Proposal for a regulation
Recital 21
Recital 21
(21) In order to determt should be ascertained whether a processing activity can be considered to ‘monitor the behaviour’ of data subjects, it should be ascertained whether individuals are trackedinvolves tracking of individuals on the internet with data processing techniques which consist of applying a ‘profile’ to an individual, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.
Amendment 381 #
Proposal for a regulation
Article 6 – paragraph 1 – point f b (new)
Article 6 – paragraph 1 – point f b (new)
(fb) processing is conducted for the purpose of anonymisation.
Amendment 383 #
Proposal for a regulation
Article 6 – paragraph 2
Article 6 – paragraph 2
2. PSubsequent processing of personal data which is necessary for the purposes of historical, statistical or scientific research shall be lawful subject to the conditions and safeguards referred to in Article 83.
Amendment 390 #
Proposal for a regulation
Recital 23
Recital 23
(23) The principles of protection should apply to anyonly to specific information concerning an identified or identifiable person. To determine whether a person is identifiable, account should be taken of all: (i) only of those means likely reasonably to be used either by the controller or by any other natural or legal person to identify the individual, and (ii) of the reasonably likeliness of a person being identified. The principles of data protection should not apply to data rendered anonymous in such a way that the data subject is no longer identifiable from the data.
Amendment 395 #
Proposal for a regulation
Recital 23 a (new)
Recital 23 a (new)
(23a) This Regulation recognises that pseudonymisation is in the benefit of all data subjects as, by definition, personal data is altered so that it of itself cannot be attributed to a data subject without the use of additional data. By this, controllers should be encouraged to the practice of pseudonymising data.
Amendment 396 #
Proposal for a regulation
Article 7 – paragraph 2
Article 7 – paragraph 2
Amendment 399 #
Proposal for a regulation
Article 7 – paragraph 4
Article 7 – paragraph 4
Amendment 402 #
Proposal for a regulation
Recital 24
Recital 24
(24) When using online services, individuals may be associated with online identifiers provided by their devices, applications, tools and protocols, such as Internet Protocol addresses or cookie identifiers. This may leave traces which, combined with unique identifiers and other information received by the servers, may be used to create profiles of the individuals and identify them. It follows that identification numbers, location data, online identifiers or other specific factors as such need not necessarily be considered as personal data in all circumstances.
Amendment 403 #
Proposal for a regulation
Article 8 – paragraph 1
Article 8 – paragraph 1
1. For the purposes of this Regulation, in relation to the offering of information society services directly to a child, the processing of personal data of a childdata subject below the age of 13 years shall only be lawful if and to the extent that consent is given or authorised by the child's parent or custodian. The controller shall make reasonable efforts to obtain verifiable consent, taking into consideration available technology.
Amendment 406 #
Proposal for a regulation
Article 8 – paragraph 3
Article 8 – paragraph 3
Amendment 408 #
Proposal for a regulation
Article 8 – paragraph 4
Article 8 – paragraph 4
Amendment 408 #
Proposal for a regulation
Recital 25
Recital 25
(25) Consent should be given explicitunambiguously by any appropriate method within the context of the product or service being offered enabling a freely given specific and informed indication of the data subject’s wishes, either by a statement or by a clear affirmative action by the data subject, ensuring that individuals are aware that they give their consent to the processing of personal data, including by ticking a box when visiting an Internet website or by any other statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of their personal data. Silence or inactivity should therefore not constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. If the data subject’s consent is to be given following an electronic request, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
Amendment 415 #
Proposal for a regulation
Recital 25 a (new)
Recital 25 a (new)
(25a) This Regulation recognises that the pseudonymisation of data can help minimise the risks to privacy of data subjects. To the extent that a controller pseudonymises data, such processing should be considered justified as a legitimate interest of the controller.
Amendment 417 #
Proposal for a regulation
Recital 26
Recital 26
(26) Personal data including genetic information relating to health should include in particular all data pertaining to the health status of a data subject; information about the registration of the individual for the provision of health services; information about payments or eligibility for healthcare with respect to the individual; a number, symbol or particular assigned to an individual to uniquely identify the individual for health purposes; any information about the individual collected in the course of the provision of health services to the individual; information derived from the testing or examination of a body part or bodily substance, including biological samples; identification of a person as provider of healthcare to the individual; or any information on e.g. a disease, disability, disease risk, medical history, clinical treatment, or the actual physiological or biomedical state of the data subject independent of its source, such as e.g. from a physician or other health professional, a hospital, a medical device, or an in vitro diagnostic test.
Amendment 419 #
Proposal for a regulation
Recital 26
Recital 26
(26) Personal data relating to health should include in particular all personal data pertaining to the health status of a data subject; information about the registration of the individual for the provision of health services; information about payments or eligibility for healthcare with respect to the individual; a number, symbol or particular assigned to an individual to uniquely identify the individual for health purposes; any information about the individual collected in the course of the provision of health services to the individual; informationpersonal data derived from the testing or examination of a body part or, bodily substance, including or biological samples; identification of a person as provider of healthcare to the individual; or any information on e.g. a disease, disability, disease risk, medical history, clinical treatment, or the actual physiological or biomedical state of the data subject independent of its source, such as e.g. from a physician or other health professional, a hospital, a medical device, or an in vitro diagnostic test.
Amendment 423 #
Proposal for a regulation
Article 9 – paragraph 2 – point j
Article 9 – paragraph 2 – point j
(j) processing of data relating to criminal convictions or related security measures is carried out either under the control of officialsubject to the conditions and safeguards referred to in Article 83a or under the supervision of a supervisory authority or when the processing is necessary for compliance with or to avoid a breach of a legal or regulatory obligation to which a controller is subject, or for the performance of a task carried out for important public interest reasons, and in so far as authorised by Union law or Member State law providing for adequate safeguards. A complete register of criminal convictions shall be kept only under the control of official authority.
Amendment 424 #
Proposal for a regulation
Article 9 – paragraph 2 – point j a (new)
Article 9 – paragraph 2 – point j a (new)
(ja) processing of data concerning health is necessary for private social protection, especially by providing income security or tools to manage risks that are in the interests of the data subject and his or her dependants and assets, or by enhancing inter-generational equity by means of distribution.
Amendment 424 #
Proposal for a regulation
Recital 28
Recital 28
(28) A group of undertakings should cover a controlling undertaking and its controlled undertakings, whereby the controlling undertaking should be the undertaking which can exercise a dominant influence over the other undertakings by virtue, for example, of ownership, financial participation or the rules which govern it or the power to have personal data protection rules implemented. A group of undertakings may nominate a single main establishment in the Union.
Amendment 428 #
Proposal for a regulation
Article 10 – paragraph 1
Article 10 – paragraph 1
Data Protection Regulation should not apply to data rendered anonymous. If the data processed by a controller do not permit the controller to identify a natural person, the controller shall not be obliged to acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation.
Amendment 429 #
Proposal for a regulation
Article 10 – paragraph 1
Article 10 – paragraph 1
If the data processed by a controller do not permit the controller, through means used by the controller, to identify a natural person, the controller shall not be obliged to acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation.
Amendment 429 #
Proposal for a regulation
Recital 29 a (new)
Recital 29 a (new)
(29a) The same personal data can have different significance depending on the context of and the risks represented by its processing. Controllers should therefore implement appropriate technical and organisational measures and procedures in respect to the context of and the risks represented by the data processing.
Amendment 433 #
Proposal for a regulation
Recital 30
Recital 30
(30) Any processing of personal data should be lawful, fair and transparent in relation to the individuals concerned. In particular, the specific purposes for which the data are processed should be explicit and legitimate and determined at the time of the collection of the data. The data should be adequate, relevant and limited to the minimum necessary for the purposes for which the data are processed; this requires in particular ensuring that the data collected are not excessive and that the period for which the data are stored is limited to a strict minimum. Personal data should only be processed if the purpose of the processing could not be fulfilled by other means. Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted. In order to ensure that the data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review.
Amendment 436 #
Proposal for a regulation
Article 11 a (new)
Article 11 a (new)
Article 11a Article 12 of Directive 2002/58/EC and Articles 20 and 21(3)(e) of 2002/22/EC are an application of the data subjects' right to transparent information and communication which requires that the controller informs data subjects of their rights with respect to the use of their personal information and draws attention to the presence of systems which have been developed in accordance with the principles of privacy by design.
Amendment 438 #
Proposal for a regulation
Article 12 – paragraph 1
Article 12 – paragraph 1
1. The controller shall establish procedures for providing the information referred to in Article 14 and for the exercise of the rights of data subjects referred to in Article 13 and Articles 15 to 19. The controller shall provide in particular mechanisms for facilitating the request for the actions referred to in Article 13 and Articles 15 to 19. Where personal data are processed by automated means, the controller shallmay also provide means for requests to be made electronically.
Amendment 439 #
Proposal for a regulation
Article 12 – paragraph 2
Article 12 – paragraph 2
2. The controller shall inform the data subject without delay and, at the latest within one month of receipt of the request, whether or not any action has been taken pursuant to Article 13 and Articles 15 to 19 and shall provide the requested information. This period may be prolonged for a further month, if several data subjects exercise their rights and their cooperation is necessary to a reasonable extent to prevent an unnecessary and disproportionate effort on the part of the controller. The information shall be given in writing. Where the data subject makes the request in electronic form, the information shall be provided in electronic form, unless otherwise requested by the data subject or unless the controller has reason to believe that providing the information in electronic form would create a significant risk of fraud.
Amendment 440 #
Proposal for a regulation
Article 12 – paragraph 4
Article 12 – paragraph 4
4. The information and the actions taken on requests referred to in paragraph 1 shall be free of charge. Where requests are manifestly excessive, in particular because of their repetitive character, the controller may charge a fee for providing the information or taking the action requested, or the controller may not take the action requested. In that case, the controller shall bear the burden of proving the manifestly excessive character of the requestcharges for taking action or providing information upon the request of data subject referred to in paragraph 1 shall not exceed actual costs of handling the requests born by the controller.
Amendment 442 #
Proposal for a regulation
Recital 34
Recital 34
Amendment 444 #
Proposal for a regulation
Article 12 – paragraph 6
Article 12 – paragraph 6
6. The Commission may lay down standard forms and specifying standard procedures for the communication referred to in paragraph 2, including the electronic format. In doing so, the Commission shall take the appropriate measures for micro, small and medium- sized enterprises. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
Amendment 456 #
Proposal for a regulation
Recital 38
Recital 38
(38) The legitimate interests of a controller, or the third party or parties in whose interest the data is processed, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding. This would need careful assessment in particular where the data subject is a child, given that children deserve specific protection. The data subject should have the right to object the processing, on grounds relating to their particular situation and free of charge. To ensure transparency, the controller should be obliged to explicitly inform the data subject on the legitimate interests pursued and on the right to object, and also be obliged to document these legitimate interests. Given that it is for the legislator to provide by law the legal basis for public authorities to process data, this legal ground should not apply for the processing by public authorities in the performance of their tasks.
Amendment 463 #
Proposal for a regulation
Article 14 – paragraph 5 – point d a (new)
Article 14 – paragraph 5 – point d a (new)
(da) the data originates from publicly available sources
Amendment 465 #
Proposal for a regulation
Recital 40
Recital 40
(40) The processing of personal data for other purposes should be only allowed where the processing is compatible with those purposes for which the data have been initially collected, in particularsuch as where the processing is necessary for historical, statistical or scientific research purposes. Where the other purpose is not compatible with the initial one for which the data are collected, the controller should obtain the consent of the data subject for this other purpose or should base the processing on another legitimate ground for lawful processing, in particular where provided by Union law or the law of the Member State to which the controller is subject. In any case, the application of the principles set out by this Regulation and in particular the information of the data subject on those other purposes should be ensured.
Amendment 472 #
Proposal for a regulation
Article 15 – paragraph 1 – point h
Article 15 – paragraph 1 – point h
(h) the significance and envisaged consequences of such processing, at least in the case of measures referred to in Article 20.
Amendment 477 #
Proposal for a regulation
Article 15 – paragraph 4
Article 15 – paragraph 4
4. The Commission may specifyuggest standard forms and specify procedures for requesting and granting access to the information referred to in paragraph 1, including for verification of the identity of the data subject and communicating the personal data to the data subject, taking into account the specific features and necessities of various sectors and data processing situations. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
Amendment 478 #
Proposal for a regulation
Recital 47
Recital 47
(47) Modalities should be provided for facilitating the data subject’s exercise of their rights provided by this Regulation, including mechanisms to request, free of charge, in particular access to data, rectification, erasure and to exercise the right to object. The controller should be obliged to respond to requests of the data subject within a fixed deadline and give reasons, in case he does not comply with the data subject’s request.
Amendment 480 #
Proposal for a regulation
Article 17 – title
Article 17 – title
Right to be forgotten and to erasure
Amendment 481 #
Proposal for a regulation
Recital 48
Recital 48
(48) The principles of fair and transparent processing require that the data subject should be informed in particular of the existence of the processing operation and its purposes, how long the datathe estimated period of time for which the will be stored, on the existence of the right of access, rectification or erasure and on the right to lodge a complaint. Where the data are collected from the data subject, the data subject should also be informed whether they are obliged to provide the data and of the consequences, in cases they do not provide such data.
Amendment 483 #
Proposal for a regulation
Article 17 – paragraph 1 – point a
Article 17 – paragraph 1 – point a
(a) the data are no longer necessary in relation to the purposes for which they were collected or otherwise processfurther processed and the legally mandatory minimum retention period has expired;
Amendment 484 #
Proposal for a regulation
Recital 51
Recital 51
(51) Any person should have the right of access to personal data which has been collected concerning them, and to exercise this right easily, in order to be aware and verify the lawfulness of the processing. Every data subject should therefore have the right to know and obtain communication in particular for what purposes the personal data are processed, for what period, which recipients receive the personal data, what is the logic of the personal data that are undergoing the processing and what might be, at least when based on profiling, the consequences of such processing. This right should not adversely affect the rights and freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software. However, the result of these considerations should not be that all information is refused to the data subject.
Amendment 485 #
Proposal for a regulation
Article 17 – paragraph 1 – point b
Article 17 – paragraph 1 – point b
(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or when the storage period consented to has expired, and where there is no other legal ground for the processing or storage of the data;
Amendment 486 #
Proposal for a regulation
Article 17 – paragraph 1 – point c
Article 17 – paragraph 1 – point c
(c) the data subject objects to the processing of personal data pursuant to Article 19, and the objection is upheld;
Amendment 488 #
Proposal for a regulation
Article 17 – paragraph 1 a (new)
Article 17 – paragraph 1 a (new)
1a. The controller shall take all reasonable steps to communicate any erasure to each legal entity to whom the data have been disclosed.
Amendment 488 #
Proposal for a regulation
Recital 52
Recital 52
(52) The controller should use all reasonable measures within the context of the product or service being provided, or otherwise within the context of the relationship between the controller and the data subject, and the sensitivity of the personal data being processed to verify the identity of a data subject that requests access, in particular in the context of online services and online identifiers. A controller should not retain nor be forced to gather personal data for the unique purpose of being able to react to potential requests.
Amendment 489 #
Proposal for a regulation
Article 17 – paragraph 1 b (new)
Article 17 – paragraph 1 b (new)
1b. The application of paragraph 1 is dependent upon the ability of the data controller to confirm the identity of the data subject making the erasure request.
Amendment 491 #
Proposal for a regulation
Article 17 – paragraph 2
Article 17 – paragraph 2
2. Where the controller referred to in paragraph 1 has made the personal data public, it shall take all reasonable steps, including technical measures, in relation to data for the publication of which the controller is responsible, to inform third partieslegal entities to whom the original controller had authorised to further process personal data and which are processing such data, that a data subject requests them to erase any links to, or copy or replication of that personal data. Where tThe controller has authorised a third party publication ofwill not be responsible for the personal data, the controller shall be considered responsible for thatat the data subject has made publication.
Amendment 492 #
Proposal for a regulation
Recital 53
Recital 53
(53) Any person should have the right to have personal data concerning them rectified and a ‘right to be forgotten’ where the retention of such data is not in compliance with this Regulation. In particular, data subjects should have the right that their personal data are erased and no longer processed, where the data are no longer necessary in relation to the purposes for which the data are collected or otherwise processed, where data subjects have withdrawn their consent for processing or where they object to the processing of personal data concerning them or where the processing of their personal data otherwise does not comply with this Regulation. This right is particularly relevant, when the data subject has given their consent as a child, when not being fully aware of the risks involved by the processing, and later wants to remove such personal data especially on the Internet. However, the further retention of the data should be allowed where it is necessary for historical, statistical and scientific research purposes, for reasons of public interest in the area of public health, for exercising the right of freedom of expression, when required by law or where there is a reason to restrict the processing of the data instead of erasing them.
Amendment 496 #
Proposal for a regulation
Article 17 – paragraph 3 – introductory part
Article 17 – paragraph 3 – introductory part
3. The controller shall carry out the erasure without undue delay, except to the extent that the retention and dissemination of the personal data is necessary:
Amendment 499 #
Proposal for a regulation
Article 17 – paragraph 3 – point e a (new)
Article 17 – paragraph 3 – point e a (new)
(ea) for prevention or detection of fraud, confirming identity, and/or determining creditworthiness, or ability to pay.
Amendment 500 #
Proposal for a regulation
Article 17 – paragraph 6 a (new)
Article 17 – paragraph 6 a (new)
6a. Requests for the rectification, erasure or blocking of data shall not prejudice processing that is necessary to secure, protect and maintain the resiliency of one or more information systems. In addition, the right of rectification and/or erasure or personal data shall not apply to any personal data that is required to be maintained by legal obligation or to protect the rights of the controller, processor or third parties.
Amendment 500 #
Proposal for a regulation
Recital 54
Recital 54
Amendment 501 #
Proposal for a regulation
Article 18
Article 18
Amendment 506 #
Proposal for a regulation
Article 18 – paragraph 2
Article 18 – paragraph 2
2. Where the data subject has provided the personal data and the processing is based on consent or on a contract, the data subject shall have the right to transmit those personal data and any other information provided by the data subject and retained by an automated processing system, into another one, in an electronic format which is commonly used, without hindrance from the controller from whom the personal data are withdrawn.
Amendment 514 #
Proposal for a regulation
Article 18 – paragraph 3
Article 18 – paragraph 3
3. The Commission may specify the electronic format referred to in paragraph 1 and the technical standards, modalities and procedures for the transmission of personal data pursuant to paragraph 2. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
Amendment 515 #
Proposal for a regulation
Article 18 a (new)
Article 18 a (new)
Article 18a Controller must ensure that sufficient documentation for a data subject's identity has been received, when the data subject enforces the rights referred to in articles 14-19 in this regulation.
Amendment 517 #
Proposal for a regulation
Recital 59
Recital 59
(59) Restrictions on specific principles and on the rights of information, access, rectification and erasure or on the right to data portability, the right to object, measures based on profiling, as well as on the communication of a personal data breach to a data subject and on certain related obligations of the controllers may be imposed by Union or Member State law, as far as necessary and proportionate in a democratic society to safeguard public security, including the protection of human life especially in response to natural or man made disasters, the prevention, investigation and prosecution of criminal offences or of breaches of ethics for regulated professions, other public interests of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, or the protection of the data subject or the rights and freedoms of others. Those restrictions should be in compliance with requirements set out by the Charter of Fundamental Rights of the European Union and by the European Convention for the Protection of Human Rights and Fundamental Freedoms.
Amendment 518 #
Proposal for a regulation
Recital 60
Recital 60
(60) ComprehensiveOverall responsibility and liability of the controller for any processing of personal data carried out by the controller or on the controller’s behalf should be established in order to ensure accountability. In particular, the controller should ensure and be obliged to demonstrate the compliance of each processing operation with this Regulation.
Amendment 520 #
Proposal for a regulation
Recital 61
Recital 61
(61) To meet consumer and business expectations around the protection of the rights and freedoms of data subjects with regard to the processing of personal data require that appropriate technical and, appropriate organisational measures arshould be taken, both at the time of the design of the processing and at the time of the processing itself, to ensure that the requirements of this Regulation are met. In order to ensure and demonstrate compliance with this Regulation, the controller should adopt internal policies and implement appropriate measures, which meet in particular the principles of data protection by design and data protection by defaultMeasures having as an objective to increase consumer information and ease of choice should be encouraged, based on industry cooperation and favouring innovative solutions, products and services.
Amendment 522 #
Proposal for a regulation
Recital 62
Recital 62
(62) The protection of the rights and freedoms of data subjects as well as the responsibility and liability of controllers and processor, also in relation to the monitoring by and measures of supervisory authorities, requires a clear attribution of the responsibilities under this Regulation, including where a controller determines the purposes, conditions and means of the processing jointly with other controllers or where a processing operation is carried out on behalf of a controller.
Amendment 526 #
Proposal for a regulation
Article 20 – paragraph 1
Article 20 – paragraph 1
1. Every ndatural persona subject shall have the right to request not to be subject to a measure which produces legal effects concerningadversely affects this ndatural person or significantly affects this natural person,a subject and which is based solely on automated processing of data intended to evaluate certain personal aspects relating to this natural person or to, analyse or predict in particular the ndatural persona subject's performance at work, economic situation, location, health, personal preferences, reliability or behaviour.
Amendment 527 #
Proposal for a regulation
Recital 63
Recital 63
(63) Where a controller not established in the Union is processing personal data of data subjects residing in the Union whose processing activities are related to the offering of goods or services to such data subjects, or to the monitoring their behaviour, the controller should designate a representative, unless the controller is established in a third country ensuring an adequate level of protection, or the controller is a small or medium sized enterprise or a public authority or body or where the controller is only occasionally offering goods or services to such data subjects. The representative should act on behalf of the controller and may be addressed by anythe competent supervisory authority.
Amendment 529 #
Proposal for a regulation
Article 20 – paragraph 1 a (new)
Article 20 – paragraph 1 a (new)
1a. Data controllers should notify the data subject where such processing takes place and give the individual the right to have any such decision reviewed.
Amendment 530 #
Proposal for a regulation
Recital 65
Recital 65
(65) In order to demonstrate compliance with this Regulation, the controller or processor should document each processing operation under its responsibility. Each controller and processor should be obliged to co-operate with the supervisory authority and make this documentation, on request, available to it, so that it might serve for monitoring those processing operations.
Amendment 531 #
Proposal for a regulation
Article 20 – paragraph 1 b (new)
Article 20 – paragraph 1 b (new)
1b. Is based on the legitimate interests pursued by the data controller.
Amendment 535 #
Proposal for a regulation
Recital 66
Recital 66
(66) In order to maintain security and to prevent processing in breach of this Regulation, the controller or processor should evaluate the risks inherent to the processing and implement measures to mitigate those risks. These measures should ensure an appropriate level of security, taking into account the state of the art and the costs of their implementation in relation to the risks and the nature of the personal data to be protected. When establishing technical standards and organisational measures to ensure security of processing, the Commission should promote technological neutrality, interoperability and innovation, and, where appropriate, cooperate with third countries.
Amendment 536 #
Proposal for a regulation
Article 20 – paragraph 2 – introductory part
Article 20 – paragraph 2 – introductory part
2. Subject to the other provisions of this Regulation, a persondata subject may be subjected to a measure of the kind referred to in paragraph 1 only if the processing:
Amendment 541 #
Proposal for a regulation
Recital 67
Recital 67
(67) A personal data breach may, if not addressed in an adequate and timely manner, result in substantial economic loss and social harm, including identity fraud, to the individual concerned. Therefore, as soon as the controller becomes aware that such a breach has occurred, the controller should notify the breach to the supervisory authority without undue delay and, where feasible, within 24 hours. Where this cannot achieved within 24 hours, an explanation of the reasons for the delay should accompany the notification. The individuals whose personal data could be adversely affected by the breach should be notified without undue delay in order to allow them to take the necessary precautions. A breach should be considered as adversely affecting the personal data or privacy of a data subject where it could result in, for example, identity theft or fraud, physical harm, significant humiliation or damage to reputation. The notification should describe the nature of the personal data breach as well as recommendations as well as recommendations for the individual concerned to mitigate potential adverse effects. Notifications to data subjects should be made as soon as reasonably feasible, and in close cooperation with the supervisory authority and respecting guidance provided by it or other relevant authorities (e.g. law enforcement authorities). For example, the chance for data subjects to mitigate an immediate risk of harm would call for a prompt notification of data subjects whereas the need to implement appropriate measures against continuing or similar data breaches may justify a longer delay.
Amendment 542 #
Proposal for a regulation
Article 20 – paragraph 2 – point b
Article 20 – paragraph 2 – point b
(b) is expressly authorized bynecessary to comply with a Union or Member State law which also lays down suitable measures to safeguard the data subject's legitimate interests; or
Amendment 545 #
Proposal for a regulation
Recital 70
Recital 70
(70) Directive 95/46/EC provided for a general obligation to notify processing of personal data to the supervisory authorities. While this obligation produces administrative and financial burdens, it did not in all cases contribute to improving the protection of personal data. Therefore such indiscriminate general notification obligation should be abolished, and replaced by effective procedures and mechanism which focus instead on those processing operations which are likely to present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes. In such cases, a data protection impact assessment should be carried out by the controller or processor prior to the processing, which should include in particular the envisaged measures, safeguards and mechanisms for ensuring the protection of personal data and for demonstrating the compliance with this Regulation.
Amendment 547 #
Proposal for a regulation
Recital 71
Recital 71
Amendment 555 #
Proposal for a regulation
Recital 74
Recital 74
(74) Where a data protection impact assessment indicates that processing operations involve a high degree of specific risks to the rights and freedoms of data subjects, such as excluding individuals from their right, or by the use of specific new technologies, the supervisory authority should be consulted, prior to the start of operations, on a risky processing which might not be in compliance with this Regulation, and to make proposals to remedy such situation. Such consultation should equally take place in the course of the preparation either of a measure by the national parliament or of a measure based on such legislative measure which defines the nature of the processing and lays down appropriate safeguards.
Amendment 556 #
Proposal for a regulation
Article 20 – paragraph 4
Article 20 – paragraph 4
4. In the cases referred to in paragraph 2, the information to be provided by the controller under Article 14 shall include information as to the existence of processing for a measure of the kind referred to in paragraph 1 and the envisaged effects of such processing on the data subject.
Amendment 559 #
Proposal for a regulation
Article 20 – paragraph 5
Article 20 – paragraph 5
Amendment 566 #
Proposal for a regulation
Recital 75
Recital 75
(75) Where the processing is carried out in the public sector or where, in the private sector, processing is carried out by a large enterprise, or where its core activities, regardless of the size of the enterprise, involve processing operations which require regular and systematic monitoring, a person or an organisation should assist the controller or processor to monitor internal compliance with this Regulation. Such data protection officers, whether or not an employee of the controller, or data protections organisations should be in a position to perform their duties and tasks independently.
Amendment 571 #
Proposal for a regulation
Article 22 – paragraph 1
Article 22 – paragraph 1
1. The controller shall adopt policies and implement appropriate measures to ensure and be able to demonstrate that the processing of personal data is performed in compliance with this RegulatioHaving regard to the state of the art, the nature of personal data processing and the type of the organization, both at the time of the determination of the means for processing and at the time of the processing itself, appropriate and demonstrable technical and organizational measures should be implemented in such a way that the processing will meet the requirements of this Regulation and ensures the protection of the rights of the data subject by design.
Amendment 572 #
Proposal for a regulation
Article 22 – paragraph 1 a (new)
Article 22 – paragraph 1 a (new)
1a. Upon request by the competent data protection authority, the controller or processor shall demonstrate the existence of technical and organizational measures.
Amendment 573 #
Proposal for a regulation
Article 22 – paragraph 1 b (new)
Article 22 – paragraph 1 b (new)
1b. Group of undertakings may apply joint technical and organizational measures to meet its obligations arising from the Regulation.
Amendment 574 #
Proposal for a regulation
Article 22 – paragraph 1 c (new)
Article 22 – paragraph 1 c (new)
1c. This article does not apply to a natural person processing personal data without commercial interest.
Amendment 575 #
Proposal for a regulation
Article 22 – paragraph 2 – introductory part
Article 22 – paragraph 2 – introductory part
2. TheSuch measures provided for in paragraph 1 shall in particular includeinclude, without limitation:
Amendment 576 #
Proposal for a regulation
Article 22 – paragraph 2 – point a
Article 22 – paragraph 2 – point a
(a) keeping the documentation pursuant to Article 28independent management oversight of processing of personal data to ensure the existence and effectiveness of the technical and organizational measures;
Amendment 578 #
Proposal for a regulation
Article 22 – paragraph 2 – point b
Article 22 – paragraph 2 – point b
(b) implementing the data security requirements laid down in Article 30; existence of proper policies, instructions or other guidelines to guide data processing needed to comply with the Regulation as well as procedures and enforcement to make such guidelines effective;
Amendment 579 #
Proposal for a regulation
Article 22 – paragraph 2 – point c
Article 22 – paragraph 2 – point c
(c) performing a data protection impact assessment pursuant to Article 33existence of proper planning procedures to ensure compliance and to address potentially risky processing of personal data prior to the commencement of the processing;
Amendment 579 #
Proposal for a regulation
Recital 84
Recital 84
(84) The possibility for the controller or processor to use standard data protection clauses adopted by the Commission or by a supervisory authority should neither prevent the possibility for controllers or processors to include the standard data protection clauses in a wider contract nor to add other clauses as long as they do not contradict, directly or indirectly, the standard contractual clauses adopted by the Commission or by a supervisory authority or prejudice the fundamental rights or freedoms of the data subjects. In some scenarios, it may be appropriate to encourage controllers and processors to provide even more robust safeguards via additional contractual commitments that supplement standard protection clauses.
Amendment 580 #
Proposal for a regulation
Article 22 – paragraph 2 – point d
Article 22 – paragraph 2 – point d
(d) complying with the requirements for prior authorisation or prior consultation of the supervisory authority pursuant to Article 34(1) and (2)existence of appropriate documentation of data processing to enable compliance with the obligations arising from the Regulation;
Amendment 583 #
Proposal for a regulation
Article 22 – paragraph 2 – point e
Article 22 – paragraph 2 – point e
(e) designating a data protection officer pursuant to Article 35(1). existence of adequately skilled data protection organization or data protection officer supported with adequate resources to oversee implementation of measures defined in this article and to monitor compliance with this Regulation, having particular regard to ensuring organizational independence of such data protection officer or organisation to prevent inappropriate conflicts of interest. Such a function may be fulfilled by way of a service contract;
Amendment 584 #
Proposal for a regulation
Article 22 – paragraph 2 – point e a (new)
Article 22 – paragraph 2 – point e a (new)
(ea) existence of proper awareness and training of the staff participating in data processing and decisions thereto of the obligations arising from this Regulation.
Amendment 586 #
Proposal for a regulation
Article 22 – paragraph 3
Article 22 – paragraph 3
Amendment 589 #
Proposal for a regulation
Article 22 – paragraph 4
Article 22 – paragraph 4
Amendment 595 #
Proposal for a regulation
Recital 97
Recital 97
(97) Where the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union takes place in more than one Member State, one single supervisory authority should be competent for monitoring the activities of the controller or processor throughout the Union and taking the related decisions, in order to increase the consistent application, provide legal certainty and reduce administrative burden for such controllers and processors.
Amendment 596 #
Proposal for a regulation
Article 23 – paragraph 1
Article 23 – paragraph 1
1. Having regard to the state of the art and, the cost of implementation and international best practices, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
Amendment 597 #
Proposal for a regulation
Article 23 – paragraph 2
Article 23 – paragraph 2
2. The controller shall implement mechanisms for ensuring that, by default, only those personal data are processed which are necessary for each specific purpose of the processing and are especially not collected or retained beyond the minimum necessary for those purposes, both in terms of the amount of the data and the time of their storage. In particular, those mechanisms shall ensure that by default personal data are not made accessible to an indefSuch measures and procedures shall: (a) take due account of existing technical standards and regulations in the area of public safety and security (b) follow the principle of technology, service and business model neutrality (c) be based on global industry-led efforts and standards (d) take due account of inite number of individuals.rnational developments
Amendment 602 #
Proposal for a regulation
Article 23 – paragraph 2 a (new)
Article 23 – paragraph 2 a (new)
2a. In implementing the provisions of this Regulation, it shall be ensured that no mandatory requirements for specific technical features are imposed on products and services, including terminal or other electronic communications equipment, which could impede the placing of equipment on the market and the free circulation of such equipment in and between Member States.
Amendment 604 #
Proposal for a regulation
Article 23 – paragraph 3
Article 23 – paragraph 3
Amendment 605 #
Proposal for a regulation
Recital 105
Recital 105
(105) In order to ensure the consistent application of this Regulation throughout the Union, a consistency mechanism for co-operation between the supervisory authorities themselves and the Commission should be established. This mechanism should in particular apply where athe competent supervisory authority intends to take a measure as regards processing operations that are related to the offering of goods or services to data subjects in several Member States, , or to the monitoring such data subjects, or that might substantially affect the free flow of personal data. It should also apply where any supervisory authority or the Commission requests that the matter should be dealt with in the consistency mechanism. This mechanism should be without prejudice to any measures that the Commission may take in the exercise of its powers under the Treaties.
Amendment 607 #
Proposal for a regulation
Article 23 – paragraph 4
Article 23 – paragraph 4
4. TWhe Commission may lay down technical standards for the rre required, measures may be adopted to ensure that terminal equirepments laid down in paragraph 1 and 2. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2) is constructed in a way that is compatible with Council Decision 87/95/EEC of 22 December 1986 on standardisation in the field of information technology and communications, and consistent with international industry-led standardisation efforts.
Amendment 609 #
Proposal for a regulation
Article 24 – paragraph 1
Article 24 – paragraph 1
Where a controller determines the purposes, conditions and means of the processing of personal data jointly with others, the joint controllers shall determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the procedures and mechanisms for exercising the rights of the data subject, by means of an arrangement between them. The arrangement shall duly reflect the joint controllers' respective effective roles and relationships vis-à-vis data subjects.
Amendment 610 #
Proposal for a regulation
Article 24 – paragraph 1
Article 24 – paragraph 1
Where a controller determines the purposes, conditions and means of the processing of personal data jointly with others, the joint controllers shall determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the procedures and mechanisms for exercising the rights of the data subject, by means of an arrangement between them.
Amendment 615 #
Proposal for a regulation
Article 26 – paragraph 1
Article 26 – paragraph 1
1. Where a processing operation is to be carried out on behalf of a controller and involves the processing of data that would permit the processor to reasonably identify the data subject, the controller shall choose a processor providing sufficient guarantees to implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject, in particular in respect of the technical security measures and organizational measures governing the processing to be carried out and shall ensure compliance with those measures. The controller remains solely responsible for ensuring compliance with the requirements of this Regulation.
Amendment 616 #
Proposal for a regulation
Article 26 – paragraph 1
Article 26 – paragraph 1
1. Where a processing operation is to be carried out on behalf of a controller and which involves the processing of data that would permit the processor to reasonably identify the data subject, the controller shall choose a processor providing sufficient guarantees to implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject, in particular in respect of the technical security measures and organizational measures governing the processing to be carried out and shall ensure compliance with those measures.
Amendment 618 #
Proposal for a regulation
Article 26 – paragraph 2 – introductory part
Article 26 – paragraph 2 – introductory part
2. The carrying out of processing by a processor shall be governed by a contract or other legal act binding the processor to the controller and stipulating in particular that the processor shall:.
Amendment 619 #
Proposal for a regulation
Article 26 – paragraph 2 – point a
Article 26 – paragraph 2 – point a
Amendment 621 #
Proposal for a regulation
Article 26 – paragraph 2 – point b
Article 26 – paragraph 2 – point b
Amendment 623 #
Proposal for a regulation
Article 26 – paragraph 2 – point c
Article 26 – paragraph 2 – point c
Amendment 624 #
Proposal for a regulation
Recital 120
Recital 120
(120) In order to strengthen and harmonise administrative sanctions against infringements of this Regulation, each supervisory authority should have the power to sanction administrative offences. This Regulation should indicate these offences and the upper limit for the related aAdministrative fines, which should be fixed in each individual case proportionate to the specific situation, with due regard in particular to the nature, gravity and duration of the breach, the procedures implemented in respect to the contexts of and risks represented by the data processing, the degree of responsibility of the natural or legal person and of previous breaches by this person, the degree of technical and organisational measures and procedures implemented, as well as the degree of cooperation with the supervisory authority. The consistency mechanism may also be used to cover divergences in the application of administrative sanctions.
Amendment 625 #
Proposal for a regulation
Article 26 – paragraph 2 – point d
Article 26 – paragraph 2 – point d
Amendment 626 #
Proposal for a regulation
Article 26 – paragraph 2 – point d
Article 26 – paragraph 2 – point d
Amendment 627 #
Proposal for a regulation
Article 26 – paragraph 2 – point e
Article 26 – paragraph 2 – point e
Amendment 629 #
Proposal for a regulation
Article 26 – paragraph 2 – point f
Article 26 – paragraph 2 – point f
Amendment 631 #
Proposal for a regulation
Article 26 – paragraph 2 – point g
Article 26 – paragraph 2 – point g
Amendment 633 #
Proposal for a regulation
Article 26 – paragraph 2 – point h
Article 26 – paragraph 2 – point h
Amendment 635 #
Proposal for a regulation
Article 26 – paragraph 3
Article 26 – paragraph 3
Amendment 637 #
Proposal for a regulation
Article 26 – paragraph 4
Article 26 – paragraph 4
Amendment 640 #
Proposal for a regulation
Article 26 – paragraph 5
Article 26 – paragraph 5
Amendment 642 #
Proposal for a regulation
Article 28 – paragraph 1
Article 28 – paragraph 1
1. Each controller and processor and, if any, the controller's representative, shall maintain documentation of all processing operations under its responsibility.
Amendment 644 #
Proposal for a regulation
Article 28 – paragraph 1
Article 28 – paragraph 1
1. Each controller and processor and, if any, the controller's representative, shall maintain appropriate documentation of allthe main processing operations under its responsibility.
Amendment 645 #
Proposal for a regulation
Article 28 – paragraph 1 a (new)
Article 28 – paragraph 1 a (new)
1a. The obligation made to the controller shall not apply to SMEs processing data only as an activity ancillary to the sale of goods or services. Ancillary activity should be defined as business or non- trade activity that is not associated with the core activities of a firm. In relation to data protection, data processing activities which do not represent more than 50% of company's turnover shall be considered ancillary.
Amendment 651 #
Proposal for a regulation
Recital 129
Recital 129
(129) In order to fulfil the objectives of this Regulation, namely to protect the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data and to ensure the free movement of personal data within the Union, the power to adopt acts in accordance with Article 290 of the Treaty on the Functioning of the European Union should be delegated to the Commission. In particular, delegated acts should be adopted in respect of lawfulness of processing; specifying the criteria and conditions in relation to the consent of a child; processing of special categories of data; specifying the criteria and conditions for manifestly excessive requests and fees for exercising the rights of the data subject; criteria and requirements for the information to the data subject and in relation to the right of access; the right to be forgotten and to erasure; measures based on profiling; criteria and requirements in relation to the responsibility of the controller and to data protection by design and by default; a processor; criteria and requirements for the documentation and the security of processing; criteria and requirements for establishing a personal data breach and for its notification to the supervisory authority, and on the circumstances where a personal data breach is likely to adversely affect the data subject; the criteria and conditions for processing operimplementing the provisions of this Regulation, it should be ensured that no mandatory requirements for specific technical features are imposed on products and services, including terminal or other electronic communications requiring a data protection impact assessment; the criteria and requirements for determining a high degree of specific risks which require prior consultation; designation and tasks of the data protection officer; codes of conduct; criteria and rpment, which could impede the placing of equirepments for certification mechanisms; criteria and requirements for transfers by way of binding corporate rules; transfer derogations; administrative sanctions; processing for health purposes; processing in the employment context and processing for historical, statistical and scientific research purposes. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level. The Commission, when preparing and drawing-up delegated acts, should ensure a simultaneous, timely and appropriate transmission of relevant documents to the European Parliament and Council on the market and the free circulation of such equipment in and between Member States.
Amendment 653 #
Proposal for a regulation
Recital 130
Recital 130
(130) In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission for: specifying standard forms in relation to the processing of personal data of a child; standard procedures and forms for exercising the rights of data subjects; standard forms for the information to the data subject; standard forms and procedures in relation to the right of access; the right to data portability; standard forms in relation to the responsibility of the controller to data protection by design and by default and to the documentation; specific. In implementing the provisions of this Regulation, it should be ensured that no mandatory requirements for the specurity of processing; the standard format and the procedures for the notification of a personal data breach to the supervisory authority and the communication of a personal data breach to the data subject; standards and procedures for a data protection impact assessment; forms and procedures for prior authorisation and prior consultation; technical standards and mechanisms for certification; the adequate level of protection afforded by a third country or a territory or a processing sector within that third country or an international organisation; disclosures not authorized by Union law; mutual assistance; joint operations; decisions under the consistency mechanism. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by the Member States of the Commission’s exercise of implementing powers46 . In this context, the Commission should consider specific measures for micro, small and medium- sized enterprisific technical features are imposed on products and services, including terminal or other electronic communications equipment, which could impede the placing of equipment on the market and the free circulation of such equipment in and between Member States.
Amendment 654 #
Proposal for a regulation
Article 28 – paragraph 3
Article 28 – paragraph 3
3. The controller and the processor and, if any, the controller's representative, shall make the documentation available, on request, to the supervisory authority.
Amendment 655 #
Proposal for a regulation
Article 28 – paragraph 4 – introductory part
Article 28 – paragraph 4 – introductory part
4. The obligations referred to in paragraphs 1 and 2 shall not apply to the following controllers and processors:
Amendment 656 #
Proposal for a regulation
Article 28 – paragraph 4 – introductory part
Article 28 – paragraph 4 – introductory part
4. The obligations referred to in paragraphs 1 and 2 shall not apply to the following controllers and processors:
Amendment 658 #
Proposal for a regulation
Recital 139
Recital 139
(139) In view of the fact that, as underlined by the Court of Justice of the European Union, the right to the protection of personal data is not an absolute right, but must be considered in relation to its function in society and the actual and potential advances in science, health and technology and be balanced with other fundamental rights, in accordance with the principle of proportionality, this Regulation respects all fundamental rights and observes the principles recognised in the Charter of Fundamental Rights of the European Union as enshrined in the Treaties, notably the right to respect for private and family life, home and communications, the right to the protection of personal data, the freedom of thought, conscience and religion, the freedom of expression and information, the freedom to conduct a business, the right to property and in particular the protection of intellectual property the right to an effective remedy and to a fair trial as well as cultural, religious and linguistic diversity.
Amendment 661 #
Proposal for a regulation
Article 2 – paragraph 1
Article 2 – paragraph 1
1. This Regulation applies to the processing of personal data wholly or partly by automated means, without discrimination between such processing means, and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
Amendment 662 #
Proposal for a regulation
Article 28 – paragraph 6
Article 28 – paragraph 6
Amendment 664 #
Proposal for a regulation
Article 29 – paragraph 1
Article 29 – paragraph 1
1. The controller and the processor and, if any, the representative of the controller, shall co-operate, on request, with the supervisory authority in the performance of its duties, in particular by providing the information referred to in point (a) of Article 53(2) and by granting access as provided in point (b) of that paragraph. The controller and the processor and, if any, the representative of the controller, shall make the documentation available, on the basis of a request outlining the reasons for requiring access to the documents, to the supervisory authority.
Amendment 669 #
Proposal for a regulation
Article 30 – paragraph 2 a (new)
Article 30 – paragraph 2 a (new)
2a. The implementation by the controller and the processor of measures, as referred to in paragraphs 1 and 2, and the execution thereof which would require processing of certain data to increase network and information security, falls under Article 6 (1) f.
Amendment 670 #
Proposal for a regulation
Article 30 – paragraph 2 a (new)
Article 30 – paragraph 2 a (new)
2a. The legal obligations, as referred to in paragraphs 1 and 2, which would require processing of personal data to the extent strictly necessary for the purposes of ensuring network and information security, constitute a legitimate interest pursued by, or on behalf of a data controller or processor.
Amendment 671 #
Proposal for a regulation
Article 30 – paragraph 4
Article 30 – paragraph 4
Amendment 672 #
Proposal for a regulation
Article 30 – paragraph 4 – subparagraph 2
Article 30 – paragraph 4 – subparagraph 2
Amendment 674 #
Proposal for a regulation
Article 31 – paragraph 1
Article 31 – paragraph 1
1. In the case of a personal data breach, twhe controller shall without unn the breach is likely to produce delay and, where feasible, not latlegal effects to the detriment of the data subject's privacy, the controller tshan 24 hours after having become aware of it,ll without undue delay notify the personal data breach to the supervisory authority. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 24 hours.
Amendment 675 #
Proposal for a regulation
Article 2 – paragraph 2 – point d
Article 2 – paragraph 2 – point d
(d) by a natural person without any gainful interest, who does not make the data accessible to an indefinite number of people in the course of its own exclusively personal or household activity;
Amendment 676 #
Proposal for a regulation
Article 31 – paragraph 1
Article 31 – paragraph 1
1. In the case of a personal data breach, the controller shall without undue delay andat will have significant risk of harm to citizens, wthere feasible, not lat controller tshan 24 hours after having become aware of it,ll without undue delay notify the personal data breach to the supervisory authority. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 24 hours.
Amendment 677 #
Proposal for a regulation
Article 31 – paragraph 2
Article 31 – paragraph 2
2. Pursuant to point (f) of Article 26(2), the processor shall alert and inform the controller immediatwithout undue delay after the establishmentidentification of a personal data breach that is likely to produce legal effects to the detriment of the data subject's privacy.
Amendment 678 #
Proposal for a regulation
Article 31 – paragraph 3 – point e
Article 31 – paragraph 3 – point e
(e) describe the measures proposed or taken by the controller to address the personal data breach and/or mitigate its effects.
Amendment 679 #
Proposal for a regulation
Article 31 – paragraph 4
Article 31 – paragraph 4
4. The controller shall document any personal data breaches, comprising the facts surrounding the breach, its effects and the remedial action taken. This documentation must be sufficient to enable the supervisory authority to verify compliance with this Article. The documentation shall only include the information necessary for that purpose.
Amendment 681 #
Proposal for a regulation
Article 31 – paragraph 6
Article 31 – paragraph 6
6. The Commission may lay down the standard format of such notification to the supervisory authority, and the procedures applicable to the notification requirement and the form and the modalities for the documentation referred to in paragraph 4, including the time limits for erasure of the information contained therein. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2)filing of reports.
Amendment 685 #
Proposal for a regulation
Article 2 – paragraph 2 – point e a (new)
Article 2 – paragraph 2 – point e a (new)
(ea) made by the employer as part of the treatment of employee personal data in the employment context
Amendment 686 #
Proposal for a regulation
Article 32 – paragraph 3
Article 32 – paragraph 3
3. The communication of a personal data breach to the data subject shall not be required if the data breach does not have significant risk of harm to citizens and the controller demonstrates to the satisfaction of the supervisory authority that it has implemented appropriate technological protection measures, and that those measures were applied to the data concerned by the personal data breach. Such technological protection measures shall render the data unintelligible to any person who is not authorised to access it.
Amendment 686 #
Proposal for a regulation
Article 2 – paragraph 2 – point e a (new)
Article 2 – paragraph 2 – point e a (new)
(ea) which have been rendered anonymous within the meaning of Article 4(2c);
Amendment 687 #
Proposal for a regulation
Article 32 – paragraph 3
Article 32 – paragraph 3
3. The communication of a personal data breach to the data subject shall not be required if the controller demonstrates to the satisfaction of the supervisory authority that it has implemented appropriate technological protection measures, and that those measures were applied to the data concerned by the personal data breach. Such technological protection measures shall render the data unintelligible, unusable or anonymised to any person who is not authorised to access it.
Amendment 689 #
Proposal for a regulation
Article 32 a (new)
Article 32 a (new)
Article 32a Communication of a personal data breach to other organisations A controller that communicates a personal data breach to a data subject pursuant to Article 32 may notify another organisation, a government institution or a part of a government institution of the personal data breach if that organisation, government institution or part may be able to reduce the risk of the harm that could result from it or mitigate that harm. Such notifications can be done without informing the data subject if the disclosure is made solely for the purposes of reducing the risk of the harm to the data subject that could result from the breach or mitigating that harm.
Amendment 691 #
Proposal for a regulation
Article 33 – paragraph 1
Article 33 – paragraph 1
1. Where processing operations present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes, the controller or the processor acting on the controller's behalf shall carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. SMEs shall only be required to perform an impact assessment after their third year of incorporation where data processing is deemed as a core activity of their business.
Amendment 692 #
Proposal for a regulation
Article 33 – paragraph 1
Article 33 – paragraph 1
1. Where processing operations present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes, the controller or the processor acting onor where processing takes place as a public sector infrastructure project the controller's behalf shall carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
Amendment 693 #
Proposal for a regulation
Article 33 – paragraph 1
Article 33 – paragraph 1
1. Where processing operations present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes, the controller or the processor acting on the controller's behalf shall carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment shall be sufficient to address a set of processing operations that present similar risks.
Amendment 696 #
Proposal for a regulation
Article 33 – paragraph 1 a (new)
Article 33 – paragraph 1 a (new)
(1a) SMEs shall only be required to perform an impact assessment after their 3rd year of incorporation if data processing is deemed as a core activity of their business. That is, where sale or revenue from processing makes up for 50% of the SMEs revenue.
Amendment 697 #
Proposal for a regulation
Article 33 – paragraph 2 – point a
Article 33 – paragraph 2 – point a
(a) a systematic and extensive evaluation of personal aspects relating to a natural person or for analysing or predicting in particular the natural person's economic situation, location, health, personal preferences, reliability or behaviour, which is based on automated processing and on which measures are based that produce legal effects concerning the individual or significantly affectto the detriment of the individual;
Amendment 700 #
Proposal for a regulation
Article 33 – paragraph 2 – point b
Article 33 – paragraph 2 – point b
(b) information on sex life, health, political opinions, religious beliefs, criminal convictions, race and ethnic origin or for the provision of health care, epidemiological researches, or surveys of mental or infectious diseases, where the data are processed for taking measures or decisions regarding specific individuals on a large scale;
Amendment 703 #
Proposal for a regulation
Article 3 – paragraph 1
Article 3 – paragraph 1
1. This Regulation applies to the processing of personal data of data subjects residing in the Union in the context of the activities of an establishment of a controller or a processor in the Union.
Amendment 706 #
Proposal for a regulation
Article 3 – paragraph 2
Article 3 – paragraph 2
2. This Regulation applies to the processing of personal data of data subjects residing in the Union by a controller or a processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services to such data subjects in the Union; or (b) the monitoring of their behaviour.
Amendment 709 #
Proposal for a regulation
Article 3 – paragraph 3
Article 3 – paragraph 3
Amendment 711 #
Proposal for a regulation
Article 33 – paragraph 6
Article 33 – paragraph 6
Amendment 713 #
Proposal for a regulation
Article 33 – paragraph 7
Article 33 – paragraph 7
Amendment 715 #
Proposal for a regulation
Article 33 – paragraph 7 a (new)
Article 33 – paragraph 7 a (new)
(7a) Data protection impact assessments shall be deemed as privileged communications.
Amendment 715 #
Proposal for a regulation
Article 4 – paragraph 1 – point 1
Article 4 – paragraph 1 – point 1
(1) ‘data subject’ means an identified natural person or a natural person who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, working together with the controller, in particular by reference to an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person and who is not acting in his/her professional capacity;
Amendment 716 #
Proposal for a regulation
Article 34 – title
Article 34 – title
Prior authorisation and prior consultation
Amendment 719 #
Proposal for a regulation
Article 34 – paragraph 1
Article 34 – paragraph 1
1. The controller or the processor as the case may be shall obtain an authorisation frommay consult the supervisory authority prior to the processing of personal data, in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risks involved for the data subjects where a controller or processor adopts contractual clauses as provided for in point (d) of Article 42(2) or does not provide for the appropriate safeguards in a legally binding instrument as referred to in Article 42(5) for the transfer of personal data to a third country or an international organisation.
Amendment 721 #
Proposal for a regulation
Article 34 – paragraph 2 – introductory part
Article 34 – paragraph 2 – introductory part
2. The controller or processor acting on the controller's behalf shallmay consult the supervisory authority prior to the processing of personal data in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risks involved for the data subjects where:
Amendment 724 #
Proposal for a regulation
Article 4 – paragraph 1 – point 2
Article 4 – paragraph 1 – point 2
(2) ‘personal data’ means any informationdata specifically relating to a data subject whose specific identity can be identified, directly or indirectly by the controller or by any other natural or legal person, working together with the controller;
Amendment 725 #
Proposal for a regulation
Article 34 – paragraph 2 – point b
Article 34 – paragraph 2 – point b
(b) the supervisory authority deems it necessary to carry out a prior consultation on processing operations that are likely to present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope and/or their purposes, and specified according to paragraph 4.
Amendment 726 #
Proposal for a regulation
Article 34 – paragraph 3
Article 34 – paragraph 3
3. Where the supervisory authority is of the opinion that the intended processing does not comply with this Regulation, in particular where risks are insufficiently identified or mitigated, it shall prohibit the intended processing and make appropriate proposals to remedy such incompliance. Such a decision shall be subject to appeal in a competent court and it may not be enforceable while being appealed unless the processing results to immediate serious harm suffered by data subjects.
Amendment 727 #
Proposal for a regulation
Article 34 – paragraph 3
Article 34 – paragraph 3
3. Where the competent supervisory authority is of the opiniondetermines in accordance with its power that the intended processing does not comply with this Regulation, in particular where risks are insufficiently identified or mitigated, it shall prohibit the intended processing and make appropriate proposals to remedy such incompliance.
Amendment 727 #
Proposal for a regulation
Article 4 – paragraph 1 – point 2 a (new)
Article 4 – paragraph 1 – point 2 a (new)
(2a) ‘identification number’ means any numeric, alphanumeric or similar code typically used in the online space, excluding codes assigned by a public or state controlled authority to identify a natural person as an individual;
Amendment 729 #
Proposal for a regulation
Article 34 – paragraph 4
Article 34 – paragraph 4
Amendment 730 #
Proposal for a regulation
Article 34 – paragraph 5
Article 34 – paragraph 5
5. Where the list provided for in paragraph 4 involves processing activities which are related to the offering of goods or services to data subjects in several Member States, or to the monitoring of their behaviour, or may substantially affect the free movement of personal data within the Union, the supervisory authority shall apply the consistency mechanism referred to in Article 57 prior to the adoption of the list.
Amendment 732 #
Proposal for a regulation
Article 34 – paragraph 9
Article 34 – paragraph 9
9. The Commission may set out standard forms and procedures for prior authorisations and consultations referred to in paragraphs 1 and 2, and standard forms and procedures for informing the supervisory authorities pursuant to paragraph 6. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
Amendment 732 #
Proposal for a regulation
Article 4 – paragraph 1 – point 2 b (new)
Article 4 – paragraph 1 – point 2 b (new)
Amendment 735 #
Proposal for a regulation
Article 35 – paragraph 1 – introductory part
Article 35 – paragraph 1 – introductory part
1. The controller and the processor shall designate a data protection organisation or data protection officer in any case where:
Amendment 737 #
Proposal for a regulation
Article 35 – paragraph 1 – point c
Article 35 – paragraph 1 – point c
(c) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects. Core activities should be defined as activities where 50% of the annual turnover resulting from the sale of data or revenue is gained from this data. In relation to data protection, data processing activities which do not represent more than 50% of company's turnover shall be considered ancillary.
Amendment 737 #
Proposal for a regulation
Article 4 – paragraph 1 – point 2 c (new)
Article 4 – paragraph 1 – point 2 c (new)
(2c) ‘anonymous data’ means any personal data that has been collected, altered or otherwise processed in such a way that it can no longer be attributed to a data subject;
Amendment 738 #
Proposal for a regulation
Article 35 – paragraph 3
Article 35 – paragraph 3
3. Where the controller or the processor is a public authority or body, the data protection organisation or data protection officer may be designated for several of its entities, taking account of the organisational structure of the public authority or body.
Amendment 740 #
Proposal for a regulation
Article 35 – paragraph 6
Article 35 – paragraph 6
6. The controller or the processor shall ensure that any other professional duties of the data protection organisation or data protection officer are compatible with the person's tasks and duties as data protection officer and do not result in a conflict of interests.
Amendment 741 #
Proposal for a regulation
Article 35 – paragraph 7
Article 35 – paragraph 7
Amendment 744 #
Proposal for a regulation
Article 35 – paragraph 10
Article 35 – paragraph 10
10. Data subjects shall have the right to contact the data protection organisation or data protection officer on all issues related to the processing of the data subject's data and to request exercising the rights under this Regulation.
Amendment 745 #
Proposal for a regulation
Article 35 – paragraph 11
Article 35 – paragraph 11
Amendment 746 #
Proposal for a regulation
Article 4 – paragraph 1 – point 5
Article 4 – paragraph 1 – point 5
(5) ‘controller’ means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes, conditions and means of the processing of personal data; where the purposes, conditions and means of processing are determined by Union law or Member State law, the controller or the specific criteria for his nomination may be designated by Union law or by Member State law;
Amendment 748 #
Proposal for a regulation
Article 36 – paragraph 1
Article 36 – paragraph 1
1. The controller or the processor shall ensure that the data protection organisation or data protection officer is properly and in a timely manner involved in all issues which relate to the protection of personal data.
Amendment 750 #
Proposal for a regulation
Article 36 – paragraph 2
Article 36 – paragraph 2
2. The controller or processor shall ensure that thedata protection organisation or data protection officer shall performs t his or her duties and tasks independently and does not receive any instructions as regards the exercise of the function. The data protection officer shall directly report to the management of the controller or the processor.
Amendment 751 #
Proposal for a regulation
Article 36 – paragraph 3
Article 36 – paragraph 3
3. The controller or the processor shall support the data protection organisation or data protection officer in performing the tasks and shall provide staff, premises, equipment and any other resources necessary to carry out the duties and tasks referred to in Article 37.
Amendment 753 #
Proposal for a regulation
Article 37 – paragraph 1 – introductory part
Article 37 – paragraph 1 – introductory part
1. The controller or the processor shall entrust the data protection organisation or the data protection officer at least with the following tasks:
Amendment 755 #
Proposal for a regulation
Article 37 – paragraph 1 – point c
Article 37 – paragraph 1 – point c
(c) to monitor the implementation and application of this Regulation, in particular as to the requirements related to data protection by design, data protection by default and data security and to the information of data subjects and their requests in exercising their rights under thisin compliance with the Regulation;
Amendment 755 #
Proposal for a regulation
Article 4 – paragraph 1 – point 7 a (new)
Article 4 – paragraph 1 – point 7 a (new)
(7a) ‘third party’ means any natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are authorized to process the data;
Amendment 757 #
Proposal for a regulation
Article 4 – paragraph 1 – point 8
Article 4 – paragraph 1 – point 8
(8) ‘the data subject’s consent’ means any freely given specific, informed and explicitunambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed;
Amendment 760 #
Proposal for a regulation
Article 39 – paragraph 1
Article 39 – paragraph 1
1. The Member States and the Commission shall work with controllers, processors and other stakeholders to encourage, in particular at European level, the establishment of data protection certification mechanisms and of data protection seals and marks, allowing data subjects to quickly assess the level of data protection provided by controllers and processors. The data protection certifications mechanisms shall contribute to the proper application of this Regulation, taking account of the specific features of the various sectors and different processing operations.
Amendment 761 #
Proposal for a regulation
Article 39 – paragraph 1 a (new)
Article 39 – paragraph 1 a (new)
(1a) The data protection certifications mechanisms shall be voluntary, affordable, and available via a process that is transparent and not unduly burdensome. These mechanisms shall also be technology neutral and capable of global application and shall contribute to the proper application of this Regulation, taking account of the specific features of the various sectors and different processing operations.
Amendment 762 #
Proposal for a regulation
Article 39 – paragraph 2
Article 39 – paragraph 2
2. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the data protection certification mechanisms referred to in paragraph 1, including conditions for granting and withdrawal, and requirements for recognition within the Union and in third countries, provided such measures are technology neutral.
Amendment 763 #
Proposal for a regulation
Article 39 – paragraph 3
Article 39 – paragraph 3
Amendment 769 #
Proposal for a regulation
Article 4 – paragraph 1 – point 9
Article 4 – paragraph 1 – point 9
(9) ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
Amendment 774 #
Proposal for a regulation
Article 42 – paragraph 1
Article 42 – paragraph 1
1. Where the Commission has taken no decision pursuant to Article 41, or decides that a third country, or a territory or a processing sector within that third country, or an international organisation does not ensure an adequate level of protection in accordance with Article 41(5), a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has adduced appropriate safeguards with respect to the protection of personal data in a legally binding instrument.
Amendment 776 #
Proposal for a regulation
Article 4 – paragraph 1 – point 10
Article 4 – paragraph 1 – point 10
(10) ‘genetic data’ means all data, of whatever type, concerning the characteristics of an individual which are inherited or acquired during early prenatal developmentinformation on the hereditary characteristics, or alteration thereof, of an identified or identifiable person, obtained through nucleic acid analysis;
Amendment 777 #
Proposal for a regulation
Article 42 – paragraph 2 – point b
Article 42 – paragraph 2 – point b
(b) standard data protection clauses, between the controller or processor and the recipient, that can be a sub-processor, of the data outside the EEA, which may include standard terms for onward transfers outside the EEA, adopted by the Commission. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2); or
Amendment 778 #
Proposal for a regulation
Article 42 – paragraph 2 – point c
Article 42 – paragraph 2 – point c
(c) standard data protection clauses, between the controller or processor and the recipient, that can be a sub-processor, of the data outside the EEA, which may include standard terms for onward transfers outside the EEA, adopted by a supervisory authority in accordance with the consistency mechanism referred to in Article 57 when declared generally valid by the Commission pursuant to point (b) of Article 62(1); or
Amendment 779 #
Proposal for a regulation
Article 42 – paragraph 2 – point c
Article 42 – paragraph 2 – point c
(c) standard data protection clauses adopted by a supervisory authority in accordance with the consistency mechanism referred to in Article 57 when declared generally valid by the Commission pursuant to point (b) of Article 62(1); or
Amendment 779 #
Proposal for a regulation
Article 4 – paragraph 1 – point 11
Article 4 – paragraph 1 – point 11
(11) ‘biometric data’ means any personal data relating to the physical, physiological or behavioural characteristics of an individual which allow their unique identification, such as facial images, or dactyloscopic data;
Amendment 780 #
Proposal for a regulation
Article 42 – paragraph 2 – point d
Article 42 – paragraph 2 – point d
(d) contractual clauses between the controller or processor and the recipient of the data authorised by a supervisory authority in accordance with paragraph 4.; or
Amendment 781 #
Proposal for a regulation
Article 42 – paragraph 2 – point d a (new)
Article 42 – paragraph 2 – point d a (new)
(da) contractual clauses between the controller or processor and the recipient of the data that supplement standard data protection clauses as referred to in points (b) and (c) of paragraph 2 of this Article, and are authorised by the competent supervisory authority in accordance with paragraph 4;
Amendment 782 #
Proposal for a regulation
Article 42 – paragraph 2 – point d a (new)
Article 42 – paragraph 2 – point d a (new)
(d a) for historical, statistical or scientific purposes, the measures referred to in Article 83(4);
Amendment 782 #
Proposal for a regulation
Article 4 – paragraph 1 – point 12
Article 4 – paragraph 1 – point 12
(12) ‘data concerning health’ means any informationpersonal data which relates to the physical or mental health of an individual, or to the provision of health services to the individual;
Amendment 784 #
Proposal for a regulation
Article 42 – paragraph 3
Article 42 – paragraph 3
3. A transfer based on standard data protection clauses or binding corporate rules as referred to in points (a), (b), (c) or (ce) of paragraph 2 shall not require any further authorisation.
Amendment 786 #
Proposal for a regulation
Article 42 – paragraph 4
Article 42 – paragraph 4
4. Where a transfer is based on contractual clauses as referred to in point (d) or (e) of paragraph 2 of this Article the controller or processor shall obtain prior authorisation of the contractual clauses according to point (a) of Article 34(1) from the competent supervisory authority. If the transfer is related to processing activities which concern data subjects in another Member State or other Member States, or substantially affect the free movement of personal data within the Union, the competent supervisory authority shall apply the consistency mechanism referred to in Article 57.
Amendment 787 #
Proposal for a regulation
Article 42 – paragraph 4 a (new)
Article 42 – paragraph 4 a (new)
(4a) A controller or processor may choose to base transfers on standard data protection clauses as referred to in points (b) and (c) of paragraph 2 of this Article, and to offer in addition to these standard clauses supplemental, legally binding commitments that apply to transferred data. In such cases, these additional commitments shall be subject to prior consultation with the competent supervisory authority and shall supplement and not contradict, directly or indirectly, the standard clauses. Member States, supervisory authorities and the Commission shall encourage the use of supplemental and legally binding commitments by offering a data protection seal, mark or mechanism, adopted pursuant to Article 39, to controllers and processors who adopt these heightened safeguards.
Amendment 788 #
Proposal for a regulation
Article 42 – paragraph 4 a (new)
Article 42 – paragraph 4 a (new)
(4a) To encourage the use of supplemental contractual clauses as referred to in point (e) of paragraph 2 of this Article, competent authorities may offer a data protection seal, mark or mechanism, adopted pursuant to Article 39, to controllers and processors who adopt these safeguards.
Amendment 790 #
Proposal for a regulation
Article 43 – paragraph 1 – introductory part
Article 43 – paragraph 1 – introductory part
1. AOne supervisory authority shall in accordance with the consistency mechanism set out in Article 58 approve binding corporate rulesnd through a single act of approval authorize binding corporate rules for a group of undertakings. Those rules will allow multiple intercompany international transfers in and out of Europe, provided that they:
Amendment 791 #
Proposal for a regulation
Article 43 – paragraph 1 – point a
Article 43 – paragraph 1 – point a
(a) are legally binding and apply to and are enforced by every member within the controller's or processor's group of undertakings and their external subcontractors, and include their employees;
Amendment 791 #
Proposal for a regulation
Article 4 – paragraph 1 – point 13 a (new)
Article 4 – paragraph 1 – point 13 a (new)
(13a) ‘competent supervisory authority’ means the supervisory authority which shall be solely competent for the supervision of a controller in accordance with Article 51(2), (3) and (4);
Amendment 793 #
Proposal for a regulation
Article 43 – paragraph 2 – point a
Article 43 – paragraph 2 – point a
(a) the structure and contact details of the group of undertakings and its members, and their external subcontractors;
Amendment 794 #
Proposal for a regulation
Article 4 – paragraph 1 – point 14
Article 4 – paragraph 1 – point 14
(14) ‘representative’ means any natural or legal person established in the Union who, explicitly designated by the controller, acts and mainstead of the controller and shall only be addressed by anythe competent supervisory authority and other bodies in the Union instead of the controller, with regard to the obligations of the controller under this Regulation;
Amendment 796 #
Proposal for a regulation
Article 44 – paragraph 1 – introductory part
Article 44 – paragraph 1 – introductory part
1. In the absence of an adequacy decision pursuant to Article 41; or where the Commission decides that a third country, or a territory or a processing sector within that third country, or an international organisation does not ensure an adequate level of protection in accordance with Article 41(5); or in the absence of appropriate safeguards pursuant to Article 42, a transfer or a set of transfers of personal data to a third country or an international organisation may take place only on condition that:
Amendment 798 #
Proposal for a regulation
Article 4 – paragraph 1 – point 18
Article 4 – paragraph 1 – point 18
(18) ‘child’ means any person below the age of 183 years;
Amendment 799 #
Proposal for a regulation
Article 44 – paragraph 1 – point h
Article 44 – paragraph 1 – point h
(h) the transfer is necessary for the purposes of the legitimate interests pursued by the controller or the processor, which cannot be qualified as frequent or massive, and where the controller or processor has assessed all the circumstances surrounding the data transfer operation or the set of data transfer operations and based on this assessment adduced appropriate safeguards with respect to the protection of personal data, where necessary.
Amendment 805 #
Proposal for a regulation
Article 4 – paragraph 1 – point 19 a (new)
Article 4 – paragraph 1 – point 19 a (new)
Amendment 808 #
Proposal for a regulation
Article 51 – paragraph 2
Article 51 – paragraph 2
2. Where the processing of personal data takes place in the context of the activities of an establishment of a controller Regulation applies by virtue of Article 3(1), the competent supervisory a processor in the Union, and the controller or processor is established in more than one Member State, the supervisory authority of the main establishment of the controller or processor shall be competent for the supervision of the processing activities of the controller or the processor in all Member States,uthority will be the supervisory authority of the Member State or territory where the main establishment of the controller or processor subject to the Regulation is established. Disputes should be decided upon in accordance with the consistency mechanism set out in article 58, and this without prejudice to the other provisions of Chapter VII of this Regulation.
Amendment 809 #
Proposal for a regulation
Article 51 – paragraph 2 a (new)
Article 51 – paragraph 2 a (new)
(2a) Where the Regulation applies by virtue of Article 3(2), the competent supervisory authority will be the supervisory authority of the Member State or territory where the controller has designated a representative in the Union pursuant to Article 25.
Amendment 811 #
Proposal for a regulation
Article 51 – paragraph 2 b (new)
Article 51 – paragraph 2 b (new)
(2b) Where the Regulation applies to several controllers or/and processors within the same group of undertakings by virtue of both Article 3(1) and 3(2), only one supervisory authority will be competent and it will be determined in accordance with Article 51(2).
Amendment 814 #
Proposal for a regulation
Article 52 – paragraph 3
Article 52 – paragraph 3
3. The competent supervisory authority shall, upon request, advise any data subject in exercising the rights under this Regulation and, if appropriate, co-operate with the supervisory authorities in other Member States to this end.
Amendment 815 #
Proposal for a regulation
Article 53 – paragraph 1 – introductory part
Article 53 – paragraph 1 – introductory part
1. EachThe competent supervisory authority shall have the power:
Amendment 816 #
Proposal for a regulation
Article 53 – paragraph 2 – subparagraph 1 – introductory part
Article 53 – paragraph 2 – subparagraph 1 – introductory part
Amendment 817 #
Proposal for a regulation
Article 53 – paragraph 3
Article 53 – paragraph 3
3. EachThe competent supervisory authority shall have the power to bring violations of this Regulation to the attention of the judicial authorities and to engage in legal proceedings, in particular pursuant to Article 74(4) and Article 75(2).
Amendment 818 #
Proposal for a regulation
Article 53 – paragraph 4
Article 53 – paragraph 4
4. EachThe competent supervisory authority shall have the power to sanction administrative offences, in particular those referred to in Article 79(4), (5) and (6).
Amendment 818 #
Proposal for a regulation
Article 5 – paragraph 1 – point b
Article 5 – paragraph 1 – point b
(b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatirreconcilable with those purposes;
Amendment 819 #
Proposal for a regulation
Article 55 – paragraph 1
Article 55 – paragraph 1
1. Supervisory authorities shall provide each other relevant information and mutual assistance in order to implement and apply this Regulation in a consistent manner, and shall put in place measures for effective co- operation with one another. Mutual assistance shall cover, in particular, information requests and supervisory measures, such as requests to carry out prior authorisations and consultations, inspections and prompt information on the opening of cases and ensuing developments where data subjects in several Member States are likely to be affected by processing operationcause legal effects to the detriment of the data subjects.
Amendment 820 #
Proposal for a regulation
Article 55 – paragraph 2
Article 55 – paragraph 2
2. Each supervisory authority shall take all appropriate measures required to reply to the request of another supervisory authority without delay and no later than one month after having received the request. Such measures may include, in particular, the transmission of relevant information on the course of an investigation or enforcement measures to bring about the cessation or prohibition of processing operations that have been proven contrary to this Regulation.
Amendment 822 #
Proposal for a regulation
Article 58 – paragraph 1
Article 58 – paragraph 1
1. Before athe competent supervisory authority adopts a measure referred to in paragraph 2, this competent supervisory authority shall communicate the draft measure to the European Data Protection Board and the Commission.
Amendment 824 #
Proposal for a regulation
Article 58 – paragraph 2 – point a
Article 58 – paragraph 2 – point a
(a) relates to processing activities of personal data which are related to the offering of goods or services to data subjects in several Member States, or to the monitoring of their behaviour when the non-EEA controller or processor does not name a representative in the territory of the EEA; or it
Amendment 825 #
Proposal for a regulation
Article 58 – paragraph 2 – point b
Article 58 – paragraph 2 – point b
Amendment 826 #
Proposal for a regulation
Article 58 – paragraph 2 – point c
Article 58 – paragraph 2 – point c
Amendment 827 #
Proposal for a regulation
Article 58 – paragraph 2 – point c
Article 58 – paragraph 2 – point c
Amendment 828 #
Proposal for a regulation
Article 58 – paragraph 2 – point d
Article 58 – paragraph 2 – point d
Amendment 829 #
Proposal for a regulation
Article 58 – paragraph 2 – point e
Article 58 – paragraph 2 – point e
Amendment 829 #
Proposal for a regulation
Article 5 – paragraph 1 – point d
Article 5 – paragraph 1 – point d
(d) accurate and where necessary kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without undue delay;
Amendment 830 #
Proposal for a regulation
Article 58 – paragraph 2 – point f
Article 58 – paragraph 2 – point f
Amendment 833 #
Proposal for a regulation
Article 58 – paragraph 4
Article 58 – paragraph 4
4. In order to ensure correct and consistent application of this Regulation, the Commission may, acting on its own behalf, and shall at the request of a stakeholder, request that any matter shall be dealt with in the consistency mechanism.
Amendment 835 #
Proposal for a regulation
Article 5 – paragraph 1 – point e
Article 5 – paragraph 1 – point e
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the data will be processed solely for historical, statistical or scientific research purposes in accordance with the rules and conditions of Article 83 and if a periodic review is carried out to assess the necessity to continue the storage;
Amendment 838 #
Proposal for a regulation
Article 59
Article 59
Amendment 840 #
Proposal for a regulation
Article 60
Article 60
Amendment 841 #
Proposal for a regulation
Article 61 – paragraph 1
Article 61 – paragraph 1
1. In exceptional circumstances, where a supervisory authority considers that there is an urgent need to act in order to protect the interests of data subjects, in particular within their territory, when the danger exists that the enforcement of a right of a data subject could be considerably impeded by means of an alteration of the existing state or for averting major disadvantages or for other reasons, by clear breach or unjustified inaction of the competent supervisory authority, by way of derogation from the procedure referred to in Article 58, it may immediately adopt provisional measures with a specified period of validity. The supervisory authority shall, without delay, communicate those measures, with full reasons, to the competent supervisory authority, the European Data Protection Board and to, the Commission and the controller or processor.
Amendment 842 #
Proposal for a regulation
Article 61 – paragraph 1
Article 61 – paragraph 1
1. In exceptional circumstances, where a supervisory authority considers that there is an urgent need to act in order to protect the interests of data subjects, in particular when the danger exists that the enforcement of a right of a data subject could be considerably impeded by means of an alteration of the existing state or for averting major disadvantages or for other reasons, by way of derogation from the procedure referred to in Article 58, it may immediately adopt provisional measures with a specified period of validity. The supervisory authority shall, without delay, communicate those measures, with full reasons, to the competent supervisory authority, the European Data Protection Board and to the Commission.
Amendment 845 #
Proposal for a regulation
Article 66 – paragraph 1 – introductory part
Article 66 – paragraph 1 – introductory part
1. The European Data Protection Board shall ensure the consistent application of this Regulation. To this effect, the European Data Protection Board shall, on its own initiative or, at the request of the Commission or other stakeholders, in particular:
Amendment 847 #
Proposal for a regulation
Article 66 – paragraph 1 – point b
Article 66 – paragraph 1 – point b
(b) examine, on its own initiative or on request of one of its members or on request of the Commission,, the Commission or other stakeholders any question covering the application of this Regulation and issue guidelines, recommendations and best practices addressed to the supervisory authorities in order to encourage consistent application of this Regulation;
Amendment 849 #
Proposal for a regulation
Article 66 – paragraph 4 a (new)
Article 66 – paragraph 4 a (new)
(4a) Where appropriate, the European Data Protection Board shall, in its execution of the tasks as outlined in article 66, consult interested parties and give them the opportunity to comment within a reasonable period. The European Data Protection Board shall, without prejudice to Article 72, make the results of the consultation procedure publicly available.
Amendment 859 #
Proposal for a regulation
Article 6 – paragraph 1 – point c
Article 6 – paragraph 1 – point c
(c) processing is necessary for compliance with a legal obligation to which the controller is subject, regulatory rule, guidance, industry code of practice, either domestically or internationally to which the controller is subject including the requirements of supervisory authorities;
Amendment 861 #
Proposal for a regulation
Article 77 – paragraph 1
Article 77 – paragraph 1
1. Any person who has suffered damage as a result of an unlawful processing operation or of an action incompatible with this Regulation shall have the right to receive compensation from the controller or the processor for the damage suffered.
Amendment 864 #
Proposal for a regulation
Article 77 – paragraph 2
Article 77 – paragraph 2
2. Where more than one controller or processor is involved in the processing, each controller or processor shall be jointly and severally liable for the entire amount of the damage to the extent that the joint controllers' respective liability has not been determined in the legal arrangement referred to in Article 24.
Amendment 867 #
Proposal for a regulation
Article 77 – paragraph 3
Article 77 – paragraph 3
3. The controller or the processor may be exempted from this liability, in whole or in part, if the controller or the processor proves that they areit is not responsible for the event giving rise to the damage.
Amendment 868 #
Proposal for a regulation
Article 79 – paragraph 1
Article 79 – paragraph 1
1. EachThe competent supervisory authority shall be empowered to impose administrative sanctions in accordance with this Article.
Amendment 868 #
Proposal for a regulation
Article 6 – paragraph 1 – point d a (new)
Article 6 – paragraph 1 – point d a (new)
(da) processing of data necessary to ensure network and information security;
Amendment 869 #
Proposal for a regulation
Article 79 – paragraph 2
Article 79 – paragraph 2
2. The administrative sanction shall be in each individual case effective, proportionate and dissuasive. The amount of the administrative fine shall be fixed with due regard to the nature, gravity and duration of the breach, the sensitivity of the personal data at issue, the intentional or negligent character of the infringement, the degree of harm or risk of significant harm created by the violation, the degree of responsibility of the natural or legal person and of previous breaches by this person, the technical and organisational measures and procedures implemented pursuant to Article 23 and the degree of co-operation with the supervisory authority in order to remedy the breach. While some discretion is granted in the imposition of such sanctions to take into account the circumstances outlined above and other facts specific to the situation, divergences in the application of administrative sanctions may be subject to review pursuant to the consistency mechanism.
Amendment 871 #
Proposal for a regulation
Article 6 – paragraph 1 – point e
Article 6 – paragraph 1 – point e
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in the third party to which the data are transferred;
Amendment 873 #
Proposal for a regulation
Article 79 – paragraph 3 – introductory part
Article 79 – paragraph 3 – introductory part
3. In case of a first and non-intentional non-compliance with this Regulation, a warning in writing may be given and no sanction imposed, where:.
Amendment 874 #
Proposal for a regulation
Article 79 – paragraph 3 – point a
Article 79 – paragraph 3 – point a
Amendment 874 #
Proposal for a regulation
Article 6 – paragraph 1 – point f
Article 6 – paragraph 1 – point f
(f) processing is necessary for the purposes of the legitimate interests pursued by athe controller, except where such interests are overridden by or by the third party or parties to whom the data are disclosed and the legitimate expectations of the data subject based on his or her relationship with the controller, taking into account the interests or rights and freedoms of the controller to conduct a business as well as the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks.
Amendment 875 #
Proposal for a regulation
Article 79 – paragraph 3 – point b
Article 79 – paragraph 3 – point b
Amendment 887 #
Proposal for a regulation
Article 6 – paragraph 1 – point f a (new)
Article 6 – paragraph 1 – point f a (new)
(fa) processing is limited to pseudonymous data and the recipient of the service is given a right to object pursuant to Article 19(3);
Amendment 890 #
Proposal for a regulation
Article 83 – paragraph 1 – introductory part
Article 83 – paragraph 1 – introductory part
1. Within the limits of this Regulation, personal data may be processed for historical, statistical or scientific research purposespurposes under paragraph 2 of Article 6 and point (i) of Article 9(2) only if:
Amendment 894 #
Proposal for a regulation
Article 83 – paragraph 1 – introductory part
Article 83 – paragraph 1 – introductory part
1. Within the limits of this Regulation, personal data may be processed for historical, statistical or scientific research purposes only if:
Amendment 895 #
Proposal for a regulation
Article 6 – paragraph 1 – point f b (new)
Article 6 – paragraph 1 – point f b (new)
(fb) the data are collected from public registers, lists or documents accessible by everyone;
Amendment 897 #
Proposal for a regulation
Article 83 – paragraph 1 a (new)
Article 83 – paragraph 1 a (new)
(1a) Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible under point (b) of Article 5(1) provided that the processing: (a) is subject to the conditions and safeguards of this Article; and (b) complies with all other relevant legislation.
Amendment 897 #
Proposal for a regulation
Article 6 – paragraph 1 – point f c (new)
Article 6 – paragraph 1 – point f c (new)
(fc) processing is necessary for the purpose of pseudonymisation or anonymisation of personal data;
Amendment 899 #
Proposal for a regulation
Article 6 – paragraph 1 – point f d (new)
Article 6 – paragraph 1 – point f d (new)
(fd) processing is necessary for the purposes of ensuring the ability of a network or an information system to resist accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity or confidentiality of stored or transmitted data and the security of the related services offered by or accessible via these networks and systems;
Amendment 905 #
Proposal for a regulation
Article 83 – paragraph 2 – point c a (new)
Article 83 – paragraph 2 – point c a (new)
(ca) the personal data is processed for the purpose of generating aggregate data reports, wholly composed of either anonymous data, pseudonymous data or both.
Amendment 906 #
Proposal for a regulation
Article 83 – paragraph 2 a (new)
Article 83 – paragraph 2 a (new)
(2a) A controller or processor may transfer personal data to a third country or an international organisation for historical, statistical or scientific purposes if: (a) these purposes cannot be otherwise fulfilled by processing data which does not permit or not any longer permit the identification of the data subject; (b) the recipient does not reasonably have access to data enabling the attribution of information to an identified or identifiable data subject; and (c) contractual clauses between the controller or processor and the recipient of the data prohibit re-identification of the data subject and limit processing in accordance with the conditions and safeguards laid down in this Article.
Amendment 919 #
Proposal for a regulation
Article 6 – paragraph 2
Article 6 – paragraph 2
2. PSubsequent processing of personal data which is necessary for the purposes of historical, statistical or scientific research shall be lawful subject to the conditions and safeguards referred to in Article 83.
Amendment 933 #
Proposal for a regulation
Article 6 – paragraph 3 – subparagraph 2
Article 6 – paragraph 3 – subparagraph 2
The law of the Member State must meet an objective of public interest or must be necessary to protect the rights and freedoms of others,. The law of the Member State must also respect the essence of the right to the protection of personal data and be proportionate to the legitimate aim pursuedthis regulation and international treatises that the Member State has decided to follow. Finally the Member State is obliged to evaluate and decide if national legislation is and be proportionate to the legitimate aim pursued or if a legitimate aim could be achieved using less privacy invasive solutions.
Amendment 948 #
Proposal for a regulation
Article 6 – paragraph 4
Article 6 – paragraph 4
4. Where the purpose of further processing is not compatible with the one for which the personal data have been collected, the processing must have a legal basis at least in one of the grounds referred to in points (a) to (ef) of paragraph 1. This shall in particular apply to any change of terms and general conditions of a contract.
Amendment 959 #
Proposal for a regulation
Article 6 – paragraph 5
Article 6 – paragraph 5
Amendment 977 #
Proposal for a regulation
Article 7 – paragraph 3
Article 7 – paragraph 3
3. TWithout prejudice to the data subject's existing contractual obligations, the data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. It is lawful that the withdrawal of consent might result in the termination of the relationship with the controller.
Amendment 986 #
Proposal for a regulation
Article 7 – paragraph 4
Article 7 – paragraph 4
Amendment 1024 #
Proposal for a regulation
Article 8 – paragraph 3
Article 8 – paragraph 3
Amendment 1033 #
Proposal for a regulation
Article 8 – paragraph 4
Article 8 – paragraph 4
Amendment 1041 #
Proposal for a regulation
Article 9 – paragraph 1
Article 9 – paragraph 1
1. The processing of personal data, revealing race or ethnic origin, political opinions, religion or beliefs, trade-union membership, significant social problems and the processing of genetic data or data concerning health or sex life or criminal convictions or related security measures shall be prohibited.
Amendment 1050 #
Proposal for a regulation
Article 9 – paragraph 2 – point b
Article 9 – paragraph 2 – point b
(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller in the field of employment law in so far as it is authorised by Union law or Member State law or collective agreements on the labour market providing for adequate safeguards; or
Amendment 1057 #
Proposal for a regulation
Article 9 – paragraph 2 – point d
Article 9 – paragraph 2 – point d
(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association, organizations on the labour market or any other non-profit-seeking body with a political, philosophical, religious or trade- union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the data are not disclosed outside that body without the consent of the data subjects; or
Amendment 1078 #
Proposal for a regulation
Article 9 – paragraph 2 – point j
Article 9 – paragraph 2 – point j
(j) processing of data relating to criminal convictions or related security measures is carried out either under the control of officialsubject to the conditions and safeguards referred to in Article 83a or under the supervision of a supervisory authority or when the processing is necessary for compliance with or to avoid a breach of a legal or regulatory obligation or collective agreements on the labour market to which a controller is subject, or for the performance of a task carried out for important public interest reasons, and in so far as authorised by Union law or Member State law providing for adequate safeguards. A complete register of criminal convictions shall be kept only under the control of official authority.
Amendment 1090 #
Proposal for a regulation
Article 9 – paragraph 3
Article 9 – paragraph 3
Amendment 1102 #
Proposal for a regulation
Article 10 – paragraph 1
Article 10 – paragraph 1
If the data processed by a controller do not permit the controller to identify a natural person, in particular when rendered anonymous or pseudonymous, the controller shall not be obliged to acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation.
Amendment 1112 #
Proposal for a regulation
Article 11 – paragraph 2
Article 11 – paragraph 2
2. The controller shall provide any information and any communication relating to the processing of personal data to the data subject in an intelligible form, using clear and plain language, adapted to the data subject, in particular for any information addressed specifically to a child.
Amendment 1118 #
Proposal for a regulation
Article 11 a (new)
Article 11 a (new)
Amendment 1124 #
Proposal for a regulation
Article 12 – paragraph 1
Article 12 – paragraph 1
1. The controller shall establish procedures for providing the information referred to in Article 14 and for the exercise of the rights of data subjects referred to in Article 13 and Articles 15 to 19. The controller shall provide in particular mechanisms for facilitating the request for the actions referred to in Article 13 and Articles 15 to 19. Where personal data are processed by automated means, the controller shallmay also provide means for requests to be made electronically.
Amendment 1130 #
Proposal for a regulation
Article 12 – paragraph 2
Article 12 – paragraph 2
2. The controller shall inform the data subject without delay and, at the latest within one month of receipt of the request, whether or not any action has been taken pursuant to Article 13 and Articles 15 to 19 and shall provide the requested information. This period may be prolonged for a further month, if several data subjects exercise their rights and their cooperation is necessary to a reasonable extent to prevent an unnecessary and disproportionate effort on the part of the controller. The information shall be given in writing. Where the data subject makes the request in electronic form, the information shallmay be provided in electronic form, unless otherwise requested by the data subject or unless the controller has reason to believe that providing the information in electronic form would create a significant risk of fraud.
Amendment 1139 #
Proposal for a regulation
Article 12 – paragraph 4
Article 12 – paragraph 4
4. The information and the actions taken on requests referred to in paragraph 1 shall be free of charge. Where requests are manifestly excessive, in particular because of their repetitive character or their complexity, the controller may charge a fee for providing the information or taking the action requested, or the controller may notthat reflects the administrative costs for providing the information or takeing the action requested. In that case, the controller shall bear the burden of proving the manifestly excessive character of the request.
Amendment 1150 #
Proposal for a regulation
Article 12 – paragraph 5
Article 12 – paragraph 5
Amendment 1161 #
Proposal for a regulation
Article 12 – paragraph 6
Article 12 – paragraph 6
6. The Commission may lay down standard forms and specifying standard procedures for the communication referred to in paragraph 2, including the electronic format. In doing so, the Commission shall take the appropriate measures for micro, small and medium- sized enterprises. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
Amendment 1195 #
Proposal for a regulation
Article 14 – paragraph 1 – point c
Article 14 – paragraph 1 – point c
(c) the estimated period for which the personal data will be stored;
Amendment 1228 #
Proposal for a regulation
Article 14 – paragraph 3
Article 14 – paragraph 3
3. Where the personal data are not collected from the data subject, the controller shall inform the data subject, in addition to the information referred to in paragraph 1, from which source the personal data originate, except where the data originate from a publicly available source or where the transfer is provided for by law.
Amendment 1260 #
Proposal for a regulation
Article 14 – paragraph 5 – point d a (new)
Article 14 – paragraph 5 – point d a (new)
(da) the data are processed by, are entrusted or become known to a person subject to legal professional privilege, professional secrecy regulated by the Member State, a statutory obligation of secrecy in the exercise of his profession or any like obligation not to reveal such data.
Amendment 1275 #
Proposal for a regulation
Article 14 – paragraph 7
Article 14 – paragraph 7
Amendment 1292 #
Proposal for a regulation
Article 15 – paragraph 1 – introductory part
Article 15 – paragraph 1 – introductory part
1. The data subject shall have the right to obtain from the controller at any time, on request, confirmation as to whether or not personal data relating to the data subject are being processed. Where such personal data are being processed,ith the exception of data being used for historical, statistical or scientific research purposes the controller shall provide the following information when person data are being processed:
Amendment 1309 #
Proposal for a regulation
Article 15 – paragraph 1 – point d
Article 15 – paragraph 1 – point d
(d) the estimated period for which the personal data will be stored;
Amendment 1313 #
Proposal for a regulation
Article 15 – paragraph 1 – point h
Article 15 – paragraph 1 – point h
(h) the significance and envisaged consequences of such processing, at least in the case of measures referred to in Article 20.
Amendment 1339 #
Proposal for a regulation
Article 15 – paragraph 2 a (new)
Article 15 – paragraph 2 a (new)
2a. The data subject shall have the right to obtain from the controller of the data source at any time, on request, confirmation as to whether or not personal data relating to the data subject are being processed to a research data base.
Amendment 1340 #
Proposal for a regulation
Article 15 – paragraph 2 a (new)
Article 15 – paragraph 2 a (new)
2a. There shall be no right of access in accordance with paragraphs 1 and 2 when data within the meaning of Article 14(5) (da) are concerned, except if the data subject is empowered to lift the secrecy in question and acts accordingly.
Amendment 1348 #
Proposal for a regulation
Article 15 – paragraph 2 b (new)
Article 15 – paragraph 2 b (new)
2b. Where a data controller cannot comply with the request without disclosing information relating to another individual who can be identified from that information, it is not obliged to comply with the request, unless: (a) the other individual has explicitly consented to the disclosure of the information to the person making the request; or (b) it is reasonable in all the circumstances to comply with the request without the consent of the other individual.
Amendment 1365 #
Proposal for a regulation
Article 15 – paragraph 4
Article 15 – paragraph 4
4. The Commission may specifysuggest standard forms and specify procedures for requesting and granting access to the information referred to in paragraph 1, including for verification of the identity of the data subject and communicating the personal data to the data subject, taking into account the specific features and necessities of various sectors and data processing situations. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
Amendment 1383 #
Proposal for a regulation
Article 17 – title
Article 17 – title
Right to be forgotten and to erasure
Amendment 1393 #
Proposal for a regulation
Article 17 – paragraph 1 – point a
Article 17 – paragraph 1 – point a
(a) the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed and are not required to pursue legal claims or when the legally mandatory minimum retention period has expired;
Amendment 1394 #
Proposal for a regulation
Article 17 – paragraph 1 – point b
Article 17 – paragraph 1 – point b
(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or when the retention storage period consented to has expired, and where there is no other legal ground for the processing or storage of the data;
Amendment 1400 #
Proposal for a regulation
Article 17 – paragraph 1 – point c a (new)
Article 17 – paragraph 1 – point c a (new)
(ca) a court based in the Union has ruled as final and absolute that the data concerned must be erased;
Amendment 1405 #
Proposal for a regulation
Article 17 – paragraph 1 a (new)
Article 17 – paragraph 1 a (new)
1a. The controller shall take all reasonable steps to communicate any erasure to each legal entity to whom the data have been disclosed.
Amendment 1410 #
Proposal for a regulation
Article 17 – paragraph 1 b (new)
Article 17 – paragraph 1 b (new)
1b. The application of paragraph 1 shall be dependent upon the ability of the data controller to verify the identity of the data subject requesting the erasure.
Amendment 1417 #
Proposal for a regulation
Article 17 – paragraph 2
Article 17 – paragraph 2
2. Where the controller referred to in paragraph 1 has made the personal data public, it shall take all reasonable steps, including technical measures, in relation to data for the publication of which the controller is responsible, to inform third partieslegal entities to whom the original controller had authorised to further process personal data and which are processing such data, that a data subject requests them to erase any links to, or copy or replication of that personal data. Where tThe controller has authorised a third party publication ofwill not be responsible for the personal data, the controller shall be considered responsible for thatat the data subject has made publication.
Amendment 1426 #
Proposal for a regulation
Article 17 – paragraph 3 – introductory part
Article 17 – paragraph 3 – introductory part
3. The controller shall carry out the erasure without undue delay, except to the extent that the retention and dissemination of the personal data is necessary:
Amendment 1432 #
Proposal for a regulation
Article 17 – paragraph 3 – point b
Article 17 – paragraph 3 – point b
(b) for reasons of public interest in the area of public health and public health purposes in accordance with Article 81;
Amendment 1448 #
Proposal for a regulation
Article 17 – paragraph 3 – point e a (new)
Article 17 – paragraph 3 – point e a (new)
(ea) for prevention or detection of fraud, confirming identity, and/or determining creditworthiness, or ability to pay.
Amendment 1470 #
Proposal for a regulation
Article 17 – paragraph 6 a (new)
Article 17 – paragraph 6 a (new)
6a. Requests for the rectification, erasure or blocking of data shall not prejudice processing that is necessary to secure, protect and maintain the resiliency of one or more information systems. In addition, the right of rectification and/or erasure or personal data shall not apply to any personal data that is required to be maintained by legal obligation or to protect the rights of the controller, processor or third parties.
Amendment 1481 #
Proposal for a regulation
Article 17 – paragraph 9
Article 17 – paragraph 9
Amendment 1494 #
Proposal for a regulation
Article 18 – title
Article 18 – title
Right to data portabilityobtain data
Amendment 1505 #
Proposal for a regulation
Article 18 – paragraph 1
Article 18 – paragraph 1
1. TWhere the data subject shall have the right,s provided the personal data and where personal data are processed by electronic means and in a structured and commonly used format,, the data subject shall have the right to obtain from the controller a copy of data undergoing processingthe provided personal data in an electronic and structured format which is commonly used and allows for further use by the data subject, without hindrance from the controller from whom the personal data are withdrawn.
Amendment 1507 #
Proposal for a regulation
Article 18 – paragraph 2
Article 18 – paragraph 2
Amendment 1521 #
Proposal for a regulation
Article 18 – paragraph 3
Article 18 – paragraph 3
3. The Commission may specify the electronic format, referred to in paragraph 1 and the technical standards, modlated functionalities and procedures for the transmission of personal data pursuant to paragraph 2. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2), shall be determined by the controller by reference to the most appropriate industry standards available or as defined by industry stakeholders or standardisation bodies. The Commission shall promote and assist industry, stakeholders and standardisation bodies in the mapping and adoption of technical standards, modalities and procedures for the transmission of personal data pursuant to paragraph 2.
Amendment 1526 #
Proposal for a regulation
Article 19 – paragraph 1
Article 19 – paragraph 1
1. The data subject shall have the right to object, on grounds relating to their particular situation, at any time to the processing of personal data which is based on points (d), (e) and (f) of Article 6(1), unless the controller demonstrates compelling legitimate grounds for the processing which override the interests or fundamental rights and freedoms of the data subject.
Amendment 1542 #
Proposal for a regulation
Article 19 – paragraph 3 a (new)
Article 19 – paragraph 3 a (new)
3a. Where pseudonymous data is processed pursuant to Article 6 (1), the data subject shall have the right to object free of charge. This right shall be offered to the data subject in an intelligible manner and shall be clearly distinguishable from other information.
Amendment 1547 #
Proposal for a regulation
Article 20 – paragraph 1
Article 20 – paragraph 1
1. Every ndatural persona subject shall have the right to request not to be subject to a measure which produces legal effects concerningadversely affects this ndatural person or significantly affects this natural person,a subject and which is based solely on automated processing of data intended to evaluate certain personal aspects relating to this natural person or to, analyse or predict in particular the ndatural persona subject's performance at work, economic situation, location, health, personal preferences, reliability or behaviour.
Amendment 1556 #
Proposal for a regulation
Article 20 – paragraph 1 b (new)
Article 20 – paragraph 1 b (new)
1b. Is based on the legitimate interests pursued by the data controller.
Amendment 1557 #
Proposal for a regulation
Article 20 – paragraph 2
Article 20 – paragraph 2
Amendment 1568 #
Proposal for a regulation
Article 20 – paragraph 2 – point a a (new)
Article 20 – paragraph 2 – point a a (new)
(aa) is based on pseudonymous data;
Amendment 1594 #
Proposal for a regulation
Article 20 – paragraph 3
Article 20 – paragraph 3
Amendment 1604 #
Proposal for a regulation
Article 20 – paragraph 4
Article 20 – paragraph 4
Amendment 1613 #
Proposal for a regulation
Article 20 – paragraph 5
Article 20 – paragraph 5
Amendment 1625 #
Proposal for a regulation
Article 21 – paragraph 1 a (new)
Article 21 – paragraph 1 a (new)
1a. Parties on the labour market may restrict by way of a legislative measure the scope of the obligations and rights provided for in points (a) to (e) of Article 5 and Articles 11 to 20 and Article 32, when such a restriction have been agreed by national collective agreements to constitutes a necessary and proportionate measure.
Amendment 1634 #
Proposal for a regulation
Article 21 – paragraph 1 – point c
Article 21 – paragraph 1 – point c
(c) other public interests of the Union or of a Member State, in particularsuch as an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters and the protection of market stability and integrity;
Amendment 1647 #
Proposal for a regulation
Article 21 – paragraph 2
Article 21 – paragraph 2
2. In particular, any legislative measure referred to in paragraph 1 shall comply with the standards of necessity and proportionality in accordance with Article 1 and shall contain specific provisions at least as to the objectivpurposes to be pursued by the processing and the determination of the controller.
Amendment 1658 #
Proposal for a regulation
Article 22 – paragraph 1
Article 22 – paragraph 1
1. The controller shall adopt policies and implement appropriate measures to ensure and be able to demonstrate that the processing of personal data is performed in compliance with this RegulatioHaving regard to the state of the art, the nature of personal data processing and the type of the organization, both at the time of the determination of the means for processing and at the time of the processing itself, appropriate and demonstrable technical and organizational measures should be implemented in such a way that the processing will meet the requirements of this Regulation and ensures the protection of the rights of the data subject by design.
Amendment 1663 #
Proposal for a regulation
Article 22 – paragraph 1 a (new)
Article 22 – paragraph 1 a (new)
1a. Upon request by the competent data protection authority, the controller or processor shall demonstrate the existence of technical and organizational measures.
Amendment 1664 #
Proposal for a regulation
Article 22 – paragraph 1 b (new)
Article 22 – paragraph 1 b (new)
1b. A group of undertakings may apply joint technical and organizational measures to meet its obligations arising from the Regulation.
Amendment 1665 #
Proposal for a regulation
Article 22 – paragraph 1 c (new)
Article 22 – paragraph 1 c (new)
1c. This article does not apply to a natural person processing personal data without commercial interest.
Amendment 1668 #
Proposal for a regulation
Article 22 – paragraph 2 – introductory part
Article 22 – paragraph 2 – introductory part
2. TheSuch measures provided for in paragraph 1 shall in particular includeinclude, without limitation:
Amendment 1671 #
Proposal for a regulation
Article 22 – paragraph 2 – point a
Article 22 – paragraph 2 – point a
(a) keeping the documentation pursuant to Article 28independent management oversight of processing of personal data to ensure the existence and effectiveness of the technical and organizational measures;
Amendment 1673 #
Proposal for a regulation
Article 22 – paragraph 2 – point b
Article 22 – paragraph 2 – point b
(b) implementing the data security requirements laid down in Article 30a control management system, including the assignment of responsibilities, training of staff and adequate instructions;
Amendment 1675 #
Proposal for a regulation
Article 22 – paragraph 2 – point c
Article 22 – paragraph 2 – point c
(c) performing a data protection impact assessment pursuant to Article 33existence of proper policies, instructions or other guidelines to guide data processing needed to comply with the Regulation as well as procedures and enforcement to make such guidelines effective;
Amendment 1679 #
Proposal for a regulation
Article 22 – paragraph 2 – point d
Article 22 – paragraph 2 – point d
(d) complying with the requirements for prior authorisation or prior consultation of the supervisory authority pursuant to Article 34(1) and (2)existence of proper planning procedures to ensure compliance and to address potentially risky processing of personal data prior to the commencement of the processing;
Amendment 1680 #
Proposal for a regulation
Article 22 – paragraph 2 – point e
Article 22 – paragraph 2 – point e
(e) designating a data protection officer pursuant to Article 35(1). the existence of appropriate documentation of data processing to enable compliance with the obligations arising from the Regulation;
Amendment 1683 #
Proposal for a regulation
Article 22 – paragraph 2 – point e a (new)
Article 22 – paragraph 2 – point e a (new)
(ea) the existence of adequately skilled data protection organization or data protection officer supported with adequate resources to oversee implementation of measures defined in this article and to monitor compliance with this Regulation, having particular regard to ensuring organizational independence of such data protection officer or organisation to prevent inappropriate conflicts of interest. Such a function may be fulfilled by way of a service contract;
Amendment 1685 #
Proposal for a regulation
Article 22 – paragraph 2 – point e b (new)
Article 22 – paragraph 2 – point e b (new)
(eb) the existence of proper awareness and training of the staff participating in data processing and decisions thereto of the obligations arising from this Regulation.
Amendment 1694 #
Proposal for a regulation
Article 22 – paragraph 3
Article 22 – paragraph 3
3. The controller shall implement mechanisms to ensure the verification of the effectiveness of the measures referred to in paragraphs 1 and 2. If proportionate, this verification shallmay be carried out by independent internal or external auditors.
Amendment 1703 #
Proposal for a regulation
Article 22 – paragraph 4
Article 22 – paragraph 4
Amendment 1715 #
Proposal for a regulation
Article 23 – paragraph 1
Article 23 – paragraph 1
1. Having regard to the state of the art and, the cost of implementation and international best practices, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
Amendment 1726 #
Proposal for a regulation
Article 23 – paragraph 2
Article 23 – paragraph 2
2. The controller shall implement mechanisms for ensuring that, by default, only those personal data are processed which are necessary for eachSuch measures and procedures shall: (a) take due account of existing technical standards and regulations in the area of public safety and specific purpose of the processing and are especially not collected or retained beyond the minimum necessary for those purposes, both in terms of the amount of the data and the time of their storage. In particular, those mechanisms shall ensure that by default personal data are not made accessible to an indefurity; (b) follow the principle of technology, service and business model neutrality; (c) be based on global industry-led efforts and standards; (d) take due account of inite number of individuals. rnational developments.
Amendment 1730 #
Proposal for a regulation
Article 23 – paragraph 2 a (new)
Article 23 – paragraph 2 a (new)
2a. In implementing the provisions of this Regulation, it shall be ensured that no mandatory requirements for specific technical features are imposed on products and services, including terminal or other electronic communications equipment, which could impede the placing of equipment on the market and the free circulation of such equipment in and between Member States.
Amendment 1736 #
Proposal for a regulation
Article 23 – paragraph 3
Article 23 – paragraph 3
Amendment 1742 #
Proposal for a regulation
Article 23 – paragraph 4
Article 23 – paragraph 4
Amendment 1748 #
Proposal for a regulation
Article 24 – paragraph 1
Article 24 – paragraph 1
Where a controller determines the purposes, conditions and means of the processing of personal data jointly with others, the joint controllers shall determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the procedures and mechanisms for exercising the rights of the data subject, by means of an arrangement between them. The arrangement shall duly reflect the joint controllers' respective effective roles and relationships vis-à-vis data subjects.
Amendment 1770 #
Proposal for a regulation
Article 25 – paragraph 3
Article 25 – paragraph 3
3. The representative shall be established in one of those Member States where the data subjects whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, reside.
Amendment 1774 #
Proposal for a regulation
Article 26 – paragraph 1
Article 26 – paragraph 1
1. Where a processing operation is to be carried out on behalf of a controller and involves the processing of data that would permit the processor to reasonably identify the data subject, the controller shall choose a processor providing sufficient guarantees to implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject, in particular in respect of the technical security measures and organizational measures governing the processing to be carried out and shall ensure compliance with those measures.
Amendment 1777 #
Proposal for a regulation
Article 26 – paragraph 2 – introductory part
Article 26 – paragraph 2 – introductory part
2. The carrying out of processing by a processor shall be governed by a contract or other legal act binding the processor to the controller and stipulating in particular that the processor shall. The controller and the processor shall be free to determine respective roles and responsibilities with respect to the requirements of this Regulation, and shall provide for the following:
Amendment 1779 #
Proposal for a regulation
Article 26 – paragraph 2 – point a
Article 26 – paragraph 2 – point a
(a) the processor shall act only on instructions from the controller, in particular, where the transfer of the personal data used is prohibited;
Amendment 1781 #
Proposal for a regulation
Article 26 – paragraph 2 – point b
Article 26 – paragraph 2 – point b
Amendment 1783 #
Proposal for a regulation
Article 26 – paragraph 2 – point d
Article 26 – paragraph 2 – point d
Amendment 1790 #
Proposal for a regulation
Article 26 – paragraph 2 – point e
Article 26 – paragraph 2 – point e
(e) insofar as this is possible given the nature of the processing, create in agreement with the controller the necessary and the processor's ability to assist with reasonable effort, an agreement as to the appropriate and relevant technical and organisational requirements fwhich support the fulfilmentability of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III;
Amendment 1793 #
Proposal for a regulation
Article 26 – paragraph 2 – point f
Article 26 – paragraph 2 – point f
(f) assist the controller in ensuring complianceinsofar as this is possible given the nature of processing, the information available to the processor and his ability to assist with reasonable effort, an agreement on how compliance will be ensured with the obligations pursuant to Articles 30 to 34;
Amendment 1798 #
Proposal for a regulation
Article 26 – paragraph 2 – point g
Article 26 – paragraph 2 – point g
(g) hand over all results to the controller after the end of the processing and, not process the personal data otherwise and delete existing copies without prejudice to Union or Member State laws;
Amendment 1803 #
Proposal for a regulation
Article 26 – paragraph 2 – point h
Article 26 – paragraph 2 – point h
(h) make available to the controller and the supervisory authority all information necessary to control compliance with the obligations laid down in this Article.
Amendment 1806 #
Proposal for a regulation
Article 26 – paragraph 3
Article 26 – paragraph 3
Amendment 1808 #
Proposal for a regulation
Article 26 – paragraph 4
Article 26 – paragraph 4
Amendment 1817 #
Proposal for a regulation
Article 26 – paragraph 5
Article 26 – paragraph 5
Amendment 2092 #
Proposal for a regulation
Article 34 – title
Article 34 – title
Prior authorisation and prior consultation
Amendment 2095 #
Proposal for a regulation
Article 34 – paragraph 1
Article 34 – paragraph 1
Amendment 2108 #
Proposal for a regulation
Article 34 – paragraph 2 – introductory part
Article 34 – paragraph 2 – introductory part
2. The controller or processor acting on the controller's behalf shallmay consult the supervisory authority prior to the processing of personal data in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risks involved for the data subjects where:
Amendment 2113 #
Proposal for a regulation
Article 34 – paragraph 2 – point b a (new)
Article 34 – paragraph 2 – point b a (new)
(ba) a controller adopts contractual clauses as provided for in point (d) of Article 42(2) or does not provide for the appropriate safeguards in a legally binding instrument as referred to in Article 42(5) for the transfer of personal data to a third country or an international organisation.
Amendment 2115 #
Proposal for a regulation
Article 34 – paragraph 3
Article 34 – paragraph 3
3. Where the competent supervisory authority is of the opiniondetermines in accordance with its power that the intended processing does not comply with this Regulation, in particular where risks are insufficiently identified or mitigated, it shall prohibit the intended processing and make appropriate proposals to remedy such incompliance. Such a decision shall be subject to appeal in a competent court and it may not be enforceable while being appealed unless the processing results to immediate serious harm suffered by data subjects.
Amendment 2119 #
Proposal for a regulation
Article 34 – paragraph 4
Article 34 – paragraph 4
Amendment 2129 #
Proposal for a regulation
Article 34 – paragraph 6
Article 34 – paragraph 6
6. The controller or processor shall provide the supervisory authority, on request, with the data protection impact assessment provided for inursuant to Article 33 and, on request, with any other information to allow the supervisory authority to make an assessment of the compliance of the processing and in particular of the risks for the protection of personal data of the data subject and of the related safeguards.
Amendment 2136 #
Proposal for a regulation
Article 34 – paragraph 8
Article 34 – paragraph 8
Amendment 2140 #
Proposal for a regulation
Article 34 – paragraph 9
Article 34 – paragraph 9
9. The Commission may set out standard forms and procedures for prior authorisations and consultations referred to in paragraphs 1 and 2, and standard forms and procedures for informing the supervisory authorities pursuant to paragraph 6. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
Amendment 2146 #
Proposal for a regulation
Article 35 – paragraph 1 – introductory part
Article 35 – paragraph 1 – introductory part
1. The controller and the processor shall designate a data protection organisation or data protection officer in any case where:
Amendment 2180 #
Proposal for a regulation
Article 35 – paragraph 1 – point c
Article 35 – paragraph 1 – point c
(c) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects. Core activities should be defined as activities where 50% of the annual turnover resulting from the sale of data or revenue is gained from this data. In relation to data protection, data processing activities which do not represent more than 50% of company's turnover shall be considered ancillary.
Amendment 2194 #
Proposal for a regulation
Article 35 – paragraph 2
Article 35 – paragraph 2
2. In the case referred to in point (b) of paragraph 1, aA group of undertakings may appoint a single data protection organisation or data protection officer.
Amendment 2198 #
Proposal for a regulation
Article 35 – paragraph 3
Article 35 – paragraph 3
3. Where the controller or the processor is a public authority or body, the data protection organisation or data protection officer may be designated for several of its entities, taking account of the organisational structure of the public authority or body.
Amendment 2217 #
Proposal for a regulation
Article 35 – paragraph 6
Article 35 – paragraph 6
6. The controller or the processor shall ensure that any other professional duties of the data protection organisation or data protection officer are compatible with the person's tasks and duties as data protection officer and do not result in a conflict of interests.
Amendment 2226 #
Proposal for a regulation
Article 35 – paragraph 7
Article 35 – paragraph 7
7. The controller or the processor shall designate a data protection officer for a period of at least two years. The data protection officer may be reappointed for further terms. During their term of office, the data protection officer may only be dismissed, if the data protection officer no longer fulfils the conditions required for the performance of their duties.
Amendment 2243 #
Proposal for a regulation
Article 35 – paragraph 10
Article 35 – paragraph 10
10. Data subjects shall have the right to contact the data protection organisation or data protection officer on all issues related to the processing of the data subject's data and to request exercising the rights under this Regulation.
Amendment 2249 #
Proposal for a regulation
Article 35 – paragraph 11
Article 35 – paragraph 11
Amendment 2255 #
Proposal for a regulation
Article 36 – paragraph 1
Article 36 – paragraph 1
1. The controller or the processor shall ensure that the data protection organisation or data protection officer is properly and in a timely manner involved in all issues which relate to the protection of personal data.
Amendment 2262 #
Proposal for a regulation
Article 36 – paragraph 2
Article 36 – paragraph 2
2. The controller or processor shall ensure that thedata protection organisation or data protection officer shall performs the duties and his or her tasks independently and does not receive any instructions as regards the exercise of the function. The data protection officer shall directly report to the executive management of the controller or the processor.
Amendment 2273 #
Proposal for a regulation
Article 36 – paragraph 3
Article 36 – paragraph 3
3. The controller or the processor shall support the data protection organisation or data protection officer in performing the tasks and shall provide staff, premises, equipment and any other resources necessary to carry out the duties and tasks referred to in Article 37.
Amendment 2289 #
Proposal for a regulation
Article 37 – paragraph 1 – introductory part
Article 37 – paragraph 1 – introductory part
1. The controller or the processor shall entrust the data protection organisation or the data protection officer at least with the following tasks:
Amendment 2300 #
Proposal for a regulation
Article 37 – paragraph 1 – point c
Article 37 – paragraph 1 – point c
(c) to monitor the implementation and application of this Regulation, in particular as to the requirements related to data protection by design, data protection by default and data security and to the information of data subjects and their requests in exercising their rights under thiscompliance with the Regulation;
Amendment 2314 #
Proposal for a regulation
Article 37 – paragraph 1 – point f
Article 37 – paragraph 1 – point f
(f) to monitor the performance of the data protection impact assessment by the controller or processor and the application for prior authorisation or prior consultation, if required pursuant Articles 33 and 34;
Amendment 2326 #
Proposal for a regulation
Article 37 – paragraph 2
Article 37 – paragraph 2
Amendment 2335 #
Proposal for a regulation
Article 38 – paragraph 2
Article 38 – paragraph 2
2. Associations and other bodies representing categories of controllers or processors in one Member State which intend to draw up codes of conduct or to amend or extend existing codes of conduct may submit them to an opinion of the supervisory authority in that Member State. The supervisory authority mshall without undue delay give an opinion whether the draft code of conduct or the amendment is in compliance with this Regulation. The supervisory authority shall seek the views of data subjects or their representatives on these drafts.
Amendment 2354 #
Proposal for a regulation
Article 39 – paragraph 1
Article 39 – paragraph 1
1. The Member States and the Commission shall work with controllers, processors and other stakeholders to encourage, in particular at European level, the establishment of data protection certification mechanisms and of data protection seals and marks, allowing data subjects to quickly assess the level of data protection provided by controllers and processors. The data protection certifications mechanisms shall contribute to the proper application of this Regulation, taking account of the specific features of the various sectors and different processing operations.
Amendment 2359 #
Proposal for a regulation
Article 39 – paragraph 1 a (new)
Article 39 – paragraph 1 a (new)
1a. The data protection certifications mechanisms shall be voluntary, affordable, and available via a process that is transparent and not unduly burdensome. These mechanisms shall also be technology neutral and capable of global application and shall contribute to the proper application of this Regulation, taking account of the specific features of the various sectors and different processing operations.
Amendment 2368 #
Proposal for a regulation
Article 39 – paragraph 2
Article 39 – paragraph 2
2. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the data protection certification mechanisms referred to in paragraph 1, including conditions for granting and withdrawal, and requirements for recognition within the Union and in third countries, provided such measures are technology neutral.
Amendment 2374 #
Proposal for a regulation
Article 39 – paragraph 3
Article 39 – paragraph 3
Amendment 2410 #
Proposal for a regulation
Article 41 – paragraph 7
Article 41 – paragraph 7
7. The Commission shall publish in the Official Journal of the European Union and on its website a list of those third countries, territories and processing sectors within a third country and international organisations where it has decided that an adequate level of protection is or is not ensured.
Amendment 2418 #
Proposal for a regulation
Article 42 – paragraph 1
Article 42 – paragraph 1
1. Where the Commission has taken no decision pursuant to Article 41, or decides that a third country, or a territory or a processing sector within that third country, or an international organisation does not ensure an adequate level of protection in accordance with Article 41(5), a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has adduced appropriate safeguards with respect to the protection of personal data in a legally binding instrument.
Amendment 2433 #
Proposal for a regulation
Article 42 – paragraph 2 – point d a (new)
Article 42 – paragraph 2 – point d a (new)
(da) contractual clauses between the controller or processor and the recipient of the data that supplement standard data protection clauses as referred to in points (b) and (c) of paragraph 2 of this Article, and are authorised by the competent supervisory authority in accordance with paragraph 4;
Amendment 2438 #
Proposal for a regulation
Article 42 – paragraph 2 – point d b (new)
Article 42 – paragraph 2 – point d b (new)
(db) for historical, statistical or scientific purposes, the measures referred to in Article 83(4).
Amendment 2445 #
Proposal for a regulation
Article 42 – paragraph 3
Article 42 – paragraph 3
3. A transfer based on standard data protection clauses or binding corporate rules as referred to in points (a), (b), (c) or (ce) of paragraph 2 shall not require any further authorisation.
Amendment 2449 #
Proposal for a regulation
Article 42 – paragraph 4
Article 42 – paragraph 4
4. Where a transfer is based on contractual clauses as referred to in point (d) of paragraph 2 of this Article the controller or processor shall obtain prior authorisation of the contractual clauses according to point (a) of Article 34(1) from the competent supervisory authority. If the transfer is related to processing activities which concern data subjects in another Member State or other Member States, or substantially affect the free movement of personal data within the Union, the competent supervisory authority shall apply the consistency mechanism referred to in Article 57.
Amendment 2453 #
Proposal for a regulation
Article 42 – paragraph 4 a (new)
Article 42 – paragraph 4 a (new)
4a. A controller or processor may choose to base transfers on standard data protection clauses as referred to in points (b) and (c) of paragraph 2 of this Article, and to offer in addition to these standard clauses supplemental, legally binding commitments that apply to transferred data. In such cases, these additional commitments shall be subject to prior consultation with the competent supervisory authority and shall supplement and not contradict, directly or indirectly, the standard clauses. Member States, supervisory authorities and the Commission shall encourage the use of supplemental and legally binding commitments by offering a data protection seal, mark or mechanism, adopted pursuant to Article 39, to controllers and processors who adopt these heightened safeguards.
Amendment 2466 #
Proposal for a regulation
Article 43 – paragraph 1 – introductory part
Article 43 – paragraph 1 – introductory part
1. A supervisory authority shall in accordance with the consistency mechanism set out in Article 58authorise through a single act of approveal binding corporate rules for a group of undertakings, provided that they:
Amendment 2471 #
Proposal for a regulation
Article 43 – paragraph 1 – point a
Article 43 – paragraph 1 – point a
(a) are legally binding and apply to and are enforced by every member within the controller's or processor's group of undertakings and their external subcontractors, and include their employees;
Amendment 2477 #
Proposal for a regulation
Article 43 – paragraph 2 – point a
Article 43 – paragraph 2 – point a
(a) the structure and contact details of the group of undertakings and its members and their external subcontractors;
Amendment 2494 #
Proposal for a regulation
Article 44 – paragraph 1 – introductory part
Article 44 – paragraph 1 – introductory part
1. In the absence of an adequacy decision pursuant to Article 41; or where the Commission decides that a third country, or a territory or a processing sector within that third country, or an international organisation does not ensure an adequate level of protection in accordance with Article 41(5); or in the absence of appropriate safeguards pursuant to Article 42, a transfer or a set of transfers of personal data to a third country or an international organisation may take place only on condition that:
Amendment 2520 #
Proposal for a regulation
Article 44 – paragraph 5
Article 44 – paragraph 5
5. The public interest referred to in point (d) of paragraph 1 must be recognised in international conventions, in Union law or in the law of the Member State to which the controller is subject.
Amendment 2571 #
Proposal for a regulation
Article 49 – paragraph 1 a (new)
Article 49 – paragraph 1 a (new)
1a. Insofar as competent professional supervisory bodies for persons subject to legal professional privilege or professional secrecy exist at the time of the entry into force of the present Regulation, these bodies may establish the supervisory authority in respect of data processing by those over whom they exercise professional supervision.
Amendment 2581 #
Proposal for a regulation
Article 51 – paragraph 2
Article 51 – paragraph 2
2. Where the processing of personal data takes place in the context of the activities of an establishment of a controller Regulation applies by virtue of Article 3(1), the competent supervisory a processor in the Union, and the controller or processor is established in more than one Member State, the supervisory authority of the main establishment of the controller or processor shall be competent for the supervision of the processing activities of the controller or the processor in all Member States,uthority will be the supervisory authority of the Member State or territory where the main establishment of the controller or processor subject to the Regulation is established. Disputes should be decided upon in accordance with the consistency mechanism set out in Article 58, and this without prejudice to the other provisions of Chapter VII of this Regulation.
Amendment 2589 #
Proposal for a regulation
Article 51 – paragraph 2 a (new)
Article 51 – paragraph 2 a (new)
2a. Where the Regulation applies by virtue of Article 3(2), the competent supervisory authority will be the supervisory authority of the Member State or territory where the controller has designated a representative in the Union pursuant to Article 25.
Amendment 2591 #
Proposal for a regulation
Article 51 – paragraph 2 b (new)
Article 51 – paragraph 2 b (new)
2b. Where the Regulation applies to several controllers or/and processors within the same group of undertakings by virtue of Article 3(1) and (2), only one supervisory authority will be competent and it will be determined in accordance with Article 51(2).
Amendment 2614 #
Proposal for a regulation
Article 52 – paragraph 3
Article 52 – paragraph 3
3. The competent supervisory authority shall, upon request, advise any data subject in exercising the rights under this Regulation and, if appropriate, co-operate with the supervisory authorities in other Member States to this end.
Amendment 2618 #
Proposal for a regulation
Article 53 – paragraph 1 – introductory part
Article 53 – paragraph 1 – introductory part
1. EachThe competent supervisory authority shall have the power:
Amendment 2627 #
Proposal for a regulation
Article 53 – paragraph 2 – subparagraph 1 – introductory part
Article 53 – paragraph 2 – subparagraph 1 – introductory part
Amendment 2633 #
Proposal for a regulation
Article 53 – paragraph 3
Article 53 – paragraph 3
3. EachThe competent supervisory authority shall have the power to bring violations of this Regulation to the attention of the judicial authorities and to engage in legal proceedings, in particular pursuant to Article 74(4) and Article 75(2).
Amendment 2635 #
Proposal for a regulation
Article 53 – paragraph 4
Article 53 – paragraph 4
4. EachThe competent supervisory authority shall have the power to sanction administrative offences, in particular those referred to in Article 79(4), (5) and (6).
Amendment 2645 #
Proposal for a regulation
Article 55 – paragraph 1
Article 55 – paragraph 1
1. Supervisory authorities shall provide each other relevant information and mutual assistance in order to implement and apply this Regulation in a consistent manner, and shall put in place measures for effective co- operation with one another. Mutual assistance shall cover, in particular, information requests and supervisory measures, such as requests to carry out prior authorisations and consultations, inspections and prompt information on the opening of cases and ensuing developments where data subjects in several Member States are likely to be affected by processing operationcause legal effects to the detriment of the data subjects.
Amendment 2648 #
Proposal for a regulation
Article 55 – paragraph 2
Article 55 – paragraph 2
2. Each supervisory authority shall take all appropriate measures required to reply to the request of another supervisory authority without delay and no later than one month after having received the request. Such measures may include, in particular, the transmission of relevant information on the course of an investigation or enforcement measures to bring about the cessation or prohibition of processing operations that have been proven contrary to this Regulation.
Amendment 2662 #
Proposal for a regulation
Article 58 – paragraph 1
Article 58 – paragraph 1
1. Before athe competent supervisory authority adopts a measure referred to in paragraph 2, this competent supervisory authority shall communicate the draft measure to the European Data Protection Board and the Commission.
Amendment 2673 #
Proposal for a regulation
Article 58 – paragraph 4
Article 58 – paragraph 4
4. In order to ensure correct and consistent application of this Regulation, the Commission may, acting on its own behalf, and shall at the request of a stakeholder, request that any matter shall be dealt with in the consistency mechanism.
Amendment 2679 #
Proposal for a regulation
Article 58 – paragraph 8
Article 58 – paragraph 8
8. The competent supervisory authority referred to in paragraph 1 and the supervisory authority competent under Article 51 shall take account of the opinion of the European Data Protection Board and shall within two weeks after the information on the opinion by the chair of the European Data Protection Board, electronically communicate to the chair of the European Data Protection Board and to the Commission whether it maintains or amends its draft measure and, if any, the amended draft measure, using a standardised format.
Amendment 2697 #
Proposal for a regulation
Article 59 – paragraph 4
Article 59 – paragraph 4
4. Where the supervisory authority concerned intends not to follow the opinion of the Commission, it shall inform the Commission and the European Data Protection Board thereof within the period referred to in paragraph 1 and provide a justification. In this case the draft measure shall not be adopted for one further month.
Amendment 2711 #
Proposal for a regulation
Article 61 – paragraph 1
Article 61 – paragraph 1
1. In exceptional circumstances, where a supervisory authority considers that there is an urgent need to act in order to protect the interests of a data subjects, in particular within their competent supervisory, when the danger exists that the enforcement of a right of a data subject could be considerably impeded by means of an alteration of the existing state or for averting major disadvantages or for other reasonstrough a clear data breach or an unjustified inaction by the competent supervisory authority, by way of derogation from the procedure referred to in Article 58, it may immediately adopt provisional measures with a specified period of validity. The supervisory authority shall, without delay, communicate those measures, with full reasons, to the European Data Protection Board and to the Commissioncompetent supervisory authority, the European Data Protection Board, the Commission and to the controller or processor.
Amendment 2712 #
Proposal for a regulation
Article 61 – paragraph 1
Article 61 – paragraph 1
1. In exceptional circumstances, where a supervisory authority considers that there is an urgent need to act in order to protect the interests of data subjects, in particular when the danger exists that the enforcement of a right of a data subject could be considerably impeded by means of an alteration of the existing state or for averting major disadvantages or for other reasons, by way of derogation from the procedure referred to in Article 58, it may immediately adopt provisional measures with a specified period of validity. The supervisory authority shall, without delay, communicate those measures, with full reasons, to the European Data Protection Board, the controller or processor concerned and to the Commission.
Amendment 2714 #
Proposal for a regulation
Article 61 – paragraph 2
Article 61 – paragraph 2
2. Where a supervisory authority has taken a measure pursuant to paragraph 1 and considers that final measures need urgently be adopted, it mayit shall request an urgent opinion of the European Data Protection Board, giving reasons for requesting such opinionthe claim, including for the urgency of final measures.
Amendment 2734 #
Proposal for a regulation
Article 66 – paragraph 1 – introductory part
Article 66 – paragraph 1 – introductory part
1. The European Data Protection Board shall ensure the consistent application of this Regulation. To this effect, the European Data Protection Board shall, on its own initiative or, at the request of the Commission or other stakeholders, in particular:
Amendment 2739 #
Proposal for a regulation
Article 66 – paragraph 1 – point b
Article 66 – paragraph 1 – point b
(b) examine, on its own initiative or on request of one of its members or on request of the Commission,, the Commission or other stakeholders any question covering the application of this Regulation and issue guidelines, recommendations and best practices addressed to the supervisory authorities in order to encourage consistent application of this Regulation;
Amendment 2756 #
Proposal for a regulation
Article 66 – paragraph 4 a (new)
Article 66 – paragraph 4 a (new)
4a. Where appropriate, the European Data Protection Board shall, in its execution of the tasks as outlined in this Article, consult interested parties and give them the opportunity to comment within a reasonable period. The European Data Protection Board shall, without prejudice to Article 72, make the results of the consultation procedure publicly available.
Amendment 2822 #
Proposal for a regulation
Article 77 – paragraph 1
Article 77 – paragraph 1
1. Any person who has suffered damage as a result of an unlawful processing operation or of an action incompatible with this Regulation shall have the right to receive compensation from the controller or the processor for the damage suffered.
Amendment 2828 #
Proposal for a regulation
Article 77 – paragraph 2
Article 77 – paragraph 2
2. Where more than one controller or processor is involved in the processing, each controller or processor shall be jointly and severally liable for the entire amount of the damageshall be liable for the entire amount of the damage, to the extent that liability has not been already established in the determination of responsibilities as referred to in Article 24.
Amendment 2836 #
Proposal for a regulation
Article 77 – paragraph 3
Article 77 – paragraph 3
3. The controller or the processor may be exempted from thise liability under paragraph 2, in whole or in part, if the respective controller or the procvessor proves that they are not not to be responsible for the event giving rise to the damage.
Amendment 2848 #
Proposal for a regulation
Article 79 – paragraph 1
Article 79 – paragraph 1
1. EachThe competent supervisory authority shall be empowered to impose administrative sanctions in accordance with this Article.
Amendment 2859 #
Proposal for a regulation
Article 79 – paragraph 2
Article 79 – paragraph 2
2. The administrative sanction shall be in each individual case effective, proportionate and dissuasive. The amount of the administrative fine shall be fixed with due regard to the nature, gravity and duration of the breach, the sensitivity of the personal data at issue, the intentional or negligent character of the infringement, the degree of harm or risk of significant harm created by the violation, the degree of responsibility of the natural or legal person and of previous breaches by this person, the technical and organisational measures and procedures implemented pursuant to Article 23 and the degree of co-operation with the supervisory authority in order to remedy the breach. While some discretion is granted in the imposition of such sanctions to take into account the circumstances outlined above and other facts specific to the situation, divergences in the application of administrative sanctions may be subject to review pursuant to the consistency mechanism.
Amendment 2873 #
Proposal for a regulation
Article 79 – paragraph 3 – introductory part
Article 79 – paragraph 3 – introductory part
3. In case of a first and non-intentional non-compliance with this Regulation, a warning in writing may be given and no sanction imposed, where: (a) a natural person is processing personal data without a commercial interest; or (b) an enterprise or an organisation employing fewer than 250 persons is processing personal data only as an activity ancillary to its main activities. The competent supervisory authority may impose a fine, in accordance with the amount of harm caused, up to EUR 1 000 000 for repeated, intentional breaches or, in the case of a company, of up to 1% of its annual worldwide turnover.
Amendment 2887 #
Proposal for a regulation
Article 79 – paragraph 4
Article 79 – paragraph 4
Amendment 2898 #
Proposal for a regulation
Article 79 – paragraph 5
Article 79 – paragraph 5
Amendment 2918 #
Proposal for a regulation
Article 79 – paragraph 6
Article 79 – paragraph 6
Amendment 2943 #
Proposal for a regulation
Article 79 – paragraph 7
Article 79 – paragraph 7
Amendment 2993 #
Proposal for a regulation
Article 81 – paragraph 3
Article 81 – paragraph 3
Amendment 3004 #
Proposal for a regulation
Article 82 – paragraph 1
Article 82 – paragraph 1
1. Within the limits of this Regulation, Member States or collective agreement among employers and employees may adopt by law specific rules regulating the processing of employees‘' personal data in the employment context, in particular for the purposes of the recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organisation of work, criminal conviction, health and safety at work, and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship.
Amendment 3042 #
Proposal for a regulation
Article 82 – paragraph 3
Article 82 – paragraph 3
Amendment 3051 #
Proposal for a regulation
Article 83 – paragraph 1 – introductory part
Article 83 – paragraph 1 – introductory part
1. Within the limits of this Regulation, personal data may be processed for historical, statistical or scientific research purposes only if:
Amendment 3063 #
Proposal for a regulation
Article 83 – paragraph 1 a (new)
Article 83 – paragraph 1 a (new)
1a. Within the limits of this Regulation, especially this article, Member States may adopt specific regulations concerning the processing of personal data for scientific research purposes, in particular public health research.
Amendment 3065 #
Proposal for a regulation
Article 83 – paragraph 1 a (new)
Article 83 – paragraph 1 a (new)
1a. Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible with Article 5(1)(b) provided that the processing: (a) is subject to the conditions and safeguards of this Article; and (b) complies with all other relevant legislation.
Amendment 3077 #
Proposal for a regulation
Article 83 – paragraph 2 a (new)
Article 83 – paragraph 2 a (new)
2a. A controller or processor may transfer personal data to a third country or an international organisation for historical, statistical or scientific purposes if: (a) these purposes cannot be otherwise fulfilled by processing data which does not permit or not any longer permit the identification of the data subject; (b) the recipient does not reasonably have access to data enabling the attribution of information to an identified or identifiable data subject; and (c) contractual clauses between the controller or processor and the recipient of the data prohibit re-identification of the data subject and limit processing in accordance with the conditions and safeguards laid down in this Article.
Amendment 3085 #
Proposal for a regulation
Article 83 – paragraph 2 – point c a (new)
Article 83 – paragraph 2 – point c a (new)
(ca) the personal data is processed for the purpose of generating aggregate data reports, wholly composed of either anonymous data, pseudonymous data or both.
Amendment 3090 #
Proposal for a regulation
Article 83 – paragraph 3
Article 83 – paragraph 3
Amendment 3093 #
Proposal for a regulation
Article 83 – paragraph 3
Article 83 – paragraph 3
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements, exempt technical requirements for the processing of personal data for the purposes referred to in paragraph 1 and 2 as well as any necessary limitations on the rights of information to and access by the data subject and detailing the conditions and safeguards for the rights of the data subject under these circumstances.
Amendment 3129 #
Proposal for a regulation
Article 89 – paragraph 2
Article 89 – paragraph 2
2. Article 1(2), Article 2(b) and (c), Article 4(3), (4) and (5) and Articles 6 and 9 of Directive 2002/58/EC shall be deleted.