Activities of Csaba SÓGOR related to 2012/0011(COD)
Plenary speeches (1)
Protection of individuals with regard to the processing of personal data - Processing of personal data for the purposes of crime prevention (debate)
Amendments (25)
Amendment 475
Proposal for a regulation
Recital 45 a (new)
(45a) The right to the protection of personal data is based on the right of the data subject to exert the control over the personal data that are being processed. To this end the data subject should be granted clear and unambiguous rights to the provision of transparent, clear and easily understandable information regarding the processing of his or her personal data, the right of access, rectification and erasure of their personal data, the right to data portability and the right to object to profiling. Moreover the data subject should also have the possibility of lodging a complaint with regard to the processing of personal data by a controller or processor with the competent data protection authority and to bring legal proceedings in order to enforce his or her rights as well as the right to compensation and damages resulting from an unlawful processing operation or from an action incompatible with this Regulation. The provisions of this Regulation should strengthen, clarify, guarantee and where appropriate, codify those rights.
Amendment 533
Proposal for a regulation
Recital 66
(66) In order to maintain security and to prevent processing in breach of this Regulation, the controller or processor should evaluate the risks inherent to the processing and implement measures to mitigate those risks. These measures should ensure an appropriate level of security, taking into account the state of the art and the costs of their implementation in relation to the risks and the nature of the personal data to be protected. When establishing technical standards and organisational measures to ensure security of processing, the Commission should promote technological neutrality, interoperability and innovation should be promoted, and, where appropriate, cooperate with third countries should be encouraged to cooperate.
Amendment 540
Proposal for a regulation
Recital 67
(67) A personal data breach may, if not addressed in an adequate and timely manner, result in substantial economic loss and social harm, including identity fraud, to the individual concerned. Therefore, as soon as the controller becomes aware that such a breach has occurred, the controller should notify the breach to the supervisory authority in the country where it is based without undue delay and, where feasible, within 24 hoursone working day. Where this cannot be achieved within 24 hoursone working day, an explanation of the reasons for the delay should accompany the notification. The individuals whose personal data could be adversely affected by the breach should be notified without undue delay in order to allow them to take the necessary precautions. A breach should be considered as adversely affecting the personal data or privacy of a data subject where it could result in, for example, identity theft or fraud, physical harm, significant humiliation or damage to reputation. The notification should describe the nature of the personal data breach as well as recommendations for the individual concerned to mitigate potential adverse effects. Notifications to data subjects should be made as soon as reasonably feasible, and in close cooperation with the supervisory authority and respecting guidance provided by it or other relevant authorities (e.g. law enforcement authorities). For example, the chance for data subjects to mitigate an immediate risk of harm would call for a prompt notification of data subjects whereas the need to implement appropriate measures against continuing or similar data breaches may justify a longer delay.
Amendment 564
Proposal for a regulation
Recital 75
(75) Where the processing is carried out in the public sector or where, in the private sector, processing is carried out by a large enterprise or relates to more than 249 data subjects per year, or where its core activities, regardless of the size of the enterprise, involve processing operations which require regular and systematic monitoring, a person should assist the controller or processor to monitor internal compliance with this Regulation. When establishing whether data about a large number of data subjects are processed, archived data that is restricted in such a way that they are not subject to the normal data access and processing operations of the controller and can no longer be changed should not be taken into account. Such data protection officers, whether or not an employee of the controller and whether or not performing that task full time, should be in a position to perform their duties and tasks independently. The data protection officer should in particular be consulted prior to the design, procurement, development and setting-up of systems for the automated processing of personal data, in order to ensure the principles of privacy by design and privacy by default.
Amendment 567
Proposal for a regulation
Recital 75 a (new)
(75a) The data protection officer should have at least the following qualifications: extensive knowledge of the substance and application of data protection law, including technical and organizational measures and procedures; mastery of technical requirements for privacy by design, privacy by default and data security; industry-specific knowledge in accordance with the size of the controller or processor and the sensitivity of the data to be processed; the ability to carry out inspections, consultation, documentation, and log file analysis; and full knowledge of the role and competence of an employee representative. The controller should enable the data protection officer to take part in advanced training measures to maintain the specialized knowledge required to perform his or her duties.
Amendment 603
Proposal for a regulation
Recital 101
(101) Each supervisory authority should hear complaints lodged by any data subject or organisation acting in the public interest and should investigate the matter. The investigation following a complaint should be carried out, subject to judicial review, to the extent that is appropriate in the specific case. The supervisory authority should inform the data subject or the association of the progress and the outcome of the complaint within a reasonable period. If the case requires further investigation or coordination with another supervisory authority, intermediate information should be given to the data subject.
Amendment 614
Proposal for a regulation
Recital 112
(112) AIn the spirit of this Regulation, any body, organisation or association which aims to protects the rights and interests of data subjects in relation to the protection of their data andacting in the public interest which is constituted according to the law of a Member State should have the right to lodge a complaint with a supervisory authority or exercise the right to a judicial remedy on behalf of data subjects, or to lodge, independently of a data subject's complaint, an own complaint where it considers that a personal data breach has occurred.
Amendment 617
Proposal for a regulation
Recital 114
(114) In the spirit of this Regulation, in order to strengthen the judicial protection of the data subject in situations where the competent supervisory authority is established in another Member State than the one where the data subject is residing, the data subject may request any body, organisation or association aimcting to protect the rights and interests of data subjects in relation to the protection of their datain the public interest to bring on the data subject’sir behalf proceedings against that supervisory authority to the competent court in the other Member State.
Amendment 650
Proposal for a regulation
Recital 129
(129) In order to fulfil the objectives of this Regulation, namely to protect the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data and to ensure the free movement of personal data within the Union, the power to adopt acts in accordance with Article 290 of the Treaty on the Functioning of the European Union should be delegated to the Commission. In particular, delegated acts should be adopted in respect of lawfulness of processing; specifying the criteria and conditions in relation to the consent of a child; processing of special categories of dataspecifying the technical formats for giving consent; specifying conditions of modes based on icons and other graphic features for provision of information; specifying the criteria and conditions for manifestly excessive requests and fees for exercising the rights of the data subject; criteria and requirements for the information to the data subject and in relation to the right of access; the right to be forgotten and to erasure; measures based on profiling; criteria and requirements in relfor verification tof the responsibility of the controller and to data protection by design and by default; a processor; criteria and requirements for the documentation and the security of processing; criteria and requirements for establishing a personal data breach and for its notification to the supervisory authority, and on the circumstances where a personal data breach is likely to adversely affect the data subject; the criteria and conditions for processing operations requiring a data protection impact assessment; the criteria and requirements for determining a high degree of specific risks which require prior consultation; designation and tasks of the data protection officer; codes of conduct; criteria and requirements for certification mechanisms; criteria and requirements for transfers by way of binding corporate rules; transfer derogthe adequate level of protection afforded by a third country or an international organisations; administrative sanctions; processing for health purposes; processing in the employment context and processing for historical, statistical and scientific research purposes. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level and in particular with the European Data Protection Board. The Commission, when preparing and drawing-up delegated acts, should ensure a simultaneous, timely and appropriate transmission of relevant documents to the European Parliament and Council.
Amendment 721
Proposal for a regulation
Article 4 – paragraph 1 – point 1
(1) ‘data subject’ means an identified natural person or a natural person who can be identified or singled out, directly or indirectly, alone or in combination with associated data, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an unique identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or, social identityor gender identity or sexual orientation of that person;
Amendment 1006
Proposal for a regulation
Article 8 – paragraph 1
1. For the purposes of this Regulation, in relation to the offering of information society goods and services directly to a child, the processing of personal data of a child below the age of 134 years shall only be lawful if and to the extent that consent is given or authorised by the child'’s parent or custodianlegal representative. The controller shall make reasonable efforts to obtain verifiable consent, taking into consideration available technology. The methods to obtain verifiable consent shall not lead to the further processing of personal data which would otherwise not be necessary.
Amendment 1115
Proposal for a regulation
Article 11 – paragraph 2 a (new)
2a. Information for data subjects shall be provided in a format offering data subjects the information needed to understand their position and make decisions in an appropriate way. Therefore the controller shall provide and communicate its data protection policies through an easily understandable mode of description based on icons and other graphic features for the different types of data processing, their conditions and consequences. Full information shall be available on request in accordance with Article 14.
Amendment 1117
Proposal for a regulation
Article 11 – paragraph 2 b (new)
2b. The Commission shall be empowered to adopt, after requesting an opinion of the European Data Protection Board, delegated acts in accordance with Article 86 for the purpose of further specifying the mode of description based on icons and other graphic features which is referred to in paragraph 3 concerning the nature of the processing, duration of storage, transfer or erasure of data by establishing icons or other instruments in order to provide information in a standardised way.
Amendment 1325
Proposal for a regulation
Article 15 – paragraph 2
2. The data subject shall have the right to obtain from the controller communication of the personal data undergoing processing. Where the data subject makes the request in a freely-available electronic format, the information shall be provided in electronic form which enables the data subject to make subsequent use of it, unless otherwise requested by the data subject.
Amendment 1337
Proposal for a regulation
Article 15 – paragraph 2 a (new)
Amendment 1539
Proposal for a regulation
Article 19 – paragraph 3
3. Where an objection is upheld pursuant to paragraphs 1 and 2, the controller shall no luse the personal data congcer use or otherwise process the personal data concernedned only for historical, statistical or research purposes or, depending on the option chosen, delete it.
Amendment 1644
Proposal for a regulation
Article 21 – paragraph 2
2. In particular, any legislative measure referred to in paragraph 1 must be necessary and proportionate in the information society and shall contain specific provisions at least as to: (a) the objectives to be pursued by the processing and; (b) the determination of the controller; (c) the specific purposes and means of processing; (d) the categories of persons authorised to process the data; (e) the procedure to be followed for the processing; (f) the safeguards to prevent abuse; (g) the right of data subjects to be informed about the restriction.
Amendment 1720
Proposal for a regulation
Article 23 – paragraph 2
2. The controller shall implement mechanisms forWhere the data subject is given a choice regarding the processing of personal data, the controller shall ensuringe that, by default, only those personal data are processed which are necessary for each specific purpose of the processing and are especially not collected or retained beyond the minimum necessary for those purposes, both in terms of the amount of the data and the time of their storage. In particular, those mechanisms shall ensure that by default personal data are not made accessible to an indefinite number of individuals and that information in the form of a request for consent regarding the distribution of personal data will be obtained.
Amendment 2280
Proposal for a regulation
Article 36 – paragraph 3 a (new)
3a. Data protection officers shall be bound by secrecy concerning the identity of data subjects and concerning circumstances enabling data subjects to be identified, unless they are released from that obligation by the data subject. Where in the course of their activities data protection officers become aware of data for which the head of the data controller or a person employed by the data controller has the right to refuse to give evidence, that right shall also apply to data protection officers and their subordinates.
Amendment 2411
Proposal for a regulation
Article 41 – paragraph 8
8. Decisions adopted by the Commission on the basis of Article 25(6) or Article 26(4) of Directive 95/46/EC shall remain in force, until amended, replaced or repealed by the Commiss for two years from the entry into force of this Regulation.
Amendment 2459
Proposal for a regulation
Article 42 – paragraph 5
5. Where the appropriate safeguards with respect to the protection of personal data are not provided for in a legally binding instrument, the controller or processor shall obtain priAuthorisations by a supervisory authorisation for the transfer, or a set of transfers, or for provisions to be inserted into administrative arrangements providing the basis for such transfer. Such authorisation by the supervisory authority shall be in accordance with point (a) of Article 34(1). If the transfer is related to processing activities which concern data subjects in another Member State or other Member States, or substantially affect the free movement of personal data within the Union, the supervisory authority shall apply the consistency mechanism referred to in Article 57. Authorisations by a supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid,ty on the basis of Article 26(2) of Directive 95/46/EC shall remain in force for no longer than two years from the entry into force of this Regulation or until amended, replaced or repealed by thate supervisory authority.
Amendment 2537
Proposal for a regulation
Article 45 a (new)
Article 45a
The Commission shall, starting four years from the date referred to in Article 91(1) (the date of entry into force of this Regulation), submit a report on the application of Articles 40 and 45 every two years to the European Parliament and the Council. To this end, the Commission may request information from the Member States and the supervisory authorities; such information must be delivered promptly. The reports will be published.
Amendment 2556
Proposal for a regulation
Article 48 – paragraph 1
1. Member States shall provide that the members of the supervisory authority must be appointed either by the parliament or the government of the Member State concern– following consultation with the parliament – the government of the Member State concerned, always ensuring that political influence is kept to a minimum; the requisite qualifications, absence of conflicts of interest and positions of the members must also be regulated.
Amendment 2760
Proposal for a regulation
Article 69 – paragraph 1
1. The European Data Protection Board shall elect a chair and two deputy chairpersons from amongst its members. One deputy chairperson shall be the European Data Protection Supervisor, unless he or she has been elected chair.
Amendment 3047
Proposal for a regulation
Article 82 a (new)
Article 82a
Processing in the social security context
1. Member States may, in accordance with the rules set out in this Regulation, adopt specific legislative rules particularising the conditions for the processing of personal data by their public institutions and departments in the social security context if carried out in the public interest.
2. Each Member State shall notify the Commission of the rules adopted in national law pursuant to paragraph 1 by the date specified in Article 91(2) at the latest and of any subsequent amendment affecting them within one month of the amendment being adopted.