Activities of Baroness Sarah LUDFORD related to 2012/0011(COD)
Plenary speeches (2)
Protection of individuals with regard to the processing of personal data - Processing of personal data for the purposes of crime prevention (debate)
Protection of individuals with regard to the processing of personal data - Processing of personal data for the purposes of crime prevention (debate)
Amendments (113)
Amendment 392 #
Proposal for a regulation
Recital 23
Recital 23
(23) The principles of protection should apply only to any specific information concerning an identified or identifiable person. To determine whether a person is identifiable, account should be taken of allonly those means likely reasonably to be used either by the controller or by any other natural or legal person to identify the individual and of the reasonable likelihood of a person being identified. The principles of data protection should not apply to data rendered anonymous in such a way that the data subject is no longer or not yet identifiable from the data.
Amendment 412 #
Proposal for a regulation
Recital 25
Recital 25
(25) Consent should be given explicitly by any appropriate method enabling a freely given specific and informed indication of the data subject’s wishes, either by a statement or by a clear affirmative action by the data subject, ensuring that individuals are aware that they give their consent to the processing of personal data, including by ticking a box when visiting an Internet website or by any other statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of their personal data. The act of seeking and agreeing to specific healthcare treatment should be considered as consent within the meaning of Articles 4(8) and 6(1)(a) to the processing of personal health data related to that specific treatment and as meeting the burden of proof under Article 7(1), without preventing Member States from maintaining existing more stringent national rules in this regard. Silence or inactivity should therefore not constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. If the data subject’s consent is to be given following an electronic request, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
Amendment 466 #
Proposal for a regulation
Recital 40
Recital 40
(40) The processing of personal data for other purposes should be only allowed where the processing is compatible with those purposes for which the data have been initially collected, in particularsuch as where the processing is necessary for historical, statistical or scientific research purposes. Where the other purpose is not compatible with the initial one for which the data are collected, the controller should obtain the consent of the data subject for this other purpose or should base the processing on another legitimate ground for lawful processing, in particular where provided by Union law or the law of the Member State to which the controller is subject. In any case, the application of the principles set out by this Regulation and in particular the information of the data subject on those other purposes should be ensured.
Amendment 494 #
Proposal for a regulation
Recital 53
Recital 53
(53) Any person should have the right to have personal data concerning them rectified and a ‘right to be forgotten’ where the retention of such data is not in compliance with this Regulation. In particular, data subjects should have the right that their personal data are erased and no longer processed, where the data are no longer necessary in relation to the purposes for which the data are collected or otherwise processed, where data subjects have withdrawn their consent for processing or where they object to the processing of personal data concerning them or where the processing of their personal data otherwise does not comply with this Regulation. This right is particularly relevant, when the data subject has given their consent as a child, when not being fully aware of the risks involved by the processing, and later wants to remove such personal data especially on the Internet. However, the further retention of the data should be allowed where it is necessary for historical, statistical and scientific research purposes, for rheasons of public interlth purposest in the area of public healthaccordance with Article 81, for exercising the right of freedom of expression, when required by law or where there is a reason to restrict the processing of the data instead of erasing them.
Amendment 687 #
Proposal for a regulation
Article 2 – paragraph 2 – point e a (new)
Article 2 – paragraph 2 – point e a (new)
(ea) that has been rendered anonymous;
Amendment 729 #
Proposal for a regulation
Article 4 – paragraph 1 – point 2 a (new)
Article 4 – paragraph 1 – point 2 a (new)
(2a) ‘pseudonymised data’ means any personal data that has been altered so that it cannot be attributed to a data subject without the use of additional data which is subject to separate and distinct technical and organisational controls to ensure such non-attribution;
Amendment 733 #
Proposal for a regulation
Article 4 – paragraph 1 – point 2 b (new)
Article 4 – paragraph 1 – point 2 b (new)
(2b) ‘anonymised data’ or ‘data rendered anonymous’ means personal data that has been modified in a way that the information can no longer be attributed to an identifiable natural person;
Amendment 762 #
Proposal for a regulation
Article 4 – paragraph 1 – point 8
Article 4 – paragraph 1 – point 8
(8) ‘the data subject’s consent’ means any freely given specific, and informed and explicit indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed;
Amendment 821 #
Proposal for a regulation
Article 5 – paragraph 1 – point b
Article 5 – paragraph 1 – point b
(b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes; further processing of data for health, historical, statistical, or scientific purposes shall not be considered as incompatible subject to compliance with the conditions in Article 81 or Article 83 as appropriate;
Amendment 841 #
Proposal for a regulation
Article 5 – paragraph 1 – point e a (new)
Article 5 – paragraph 1 – point e a (new)
(ea) protected against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures;
Amendment 842 #
Proposal for a regulation
Article 5 – paragraph 1 – point e b (new)
Article 5 – paragraph 1 – point e b (new)
(eb) afford appropriate safeguards when processed outside the EEA. Such processing will remain the responsibility of the controller;
Amendment 862 #
Proposal for a regulation
Article 6 – paragraph 1 – point c
Article 6 – paragraph 1 – point c
(c) processing is necessary for compliance with a legal obligation or regulatory rule or industry code of practice, either domestically or internationally, to which the controller is subject;
Amendment 876 #
Proposal for a regulation
Article 6 – paragraph 1 – point f
Article 6 – paragraph 1 – point f
(f) processing is necessary for the purposes of the legitimate interests pursued by a controller such as to detect crime or to prevent crime, fraud, loss or harm or to meet the legitimate expectations of the data subject in the efficient delivery of the service, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks.
Amendment 930 #
Proposal for a regulation
Article 6 – paragraph 3 – subparagraph 1 – point b a (new)
Article 6 – paragraph 3 – subparagraph 1 – point b a (new)
(ba) internationally recognised regulations, rules, guidance, standards and/or industry codes of practice relevant to the business of the controller.
Amendment 981 #
Proposal for a regulation
Article 7 – paragraph 3
Article 7 – paragraph 3
3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal, or legitimate processing post consent such as record retention or health, historical, statistical or scientific research.
Amendment 994 #
Proposal for a regulation
Article 7 – paragraph 4
Article 7 – paragraph 4
4. Consent shall not provide a legal basis for the processing, where there is a significant imbalance or coercive relationship between the position of the data subject and the controller. The patient-healthcare provider relationship is not considered a significantly imbalanced or coercive relationship.
Amendment 1120 #
Proposal for a regulation
Article 12 – paragraph 1
Article 12 – paragraph 1
Amendment 1133 #
Proposal for a regulation
Article 12 – paragraph 2
Article 12 – paragraph 2
2. The controller shall inform the data subject without delay and, at the latest within one month of receipt of the request,excessive delay whether or not any action has been taken pursuant to Article 13 and Articles 15 to 19 and shall provide the requested information. This period may be prolonged for a further month, if several data subjects exercise their rights and their cooperation is necessary to a reasonable extent to prevent an unnecessary and disproportionate effort on the part of the controller. The information shall be given in writing. Where the data subject makes the request in electronic form, the information shall be provided in electronic form, unless otherwise requested by the data subjecte information shall be given in writing.
Amendment 1137 #
Proposal for a regulation
Article 12 – paragraph 3
Article 12 – paragraph 3
3. If the controller refuses todoes not take action on the request of the data subject, the controller shall inform the data subject of the reasons for the refusal and on the possibilities ofdata subject shall have the right to lodginge a complaint towith the supervisory authority and seeking a judicial remedy.
Amendment 1146 #
Proposal for a regulation
Article 12 – paragraph 4 a (new)
Article 12 – paragraph 4 a (new)
4a. The following shall apply to requests under Article 15: (a) the controller may charge a fee for providing the relevant information. Such a fee shall not be excessive; (b) no obligation to provide the relevant information shall apply until the controller has received the following; (i) any fee required in accordance with (a) above; and (ii) any information as to the identity of the person making a request as the controller may reasonably require. (c) where a data controller has previously complied with a request by an individual, the data controller is not obliged to comply with a subsequent identical or similar request under that section by that individual unless a reasonable interval has elapsed between compliance with the previous request and the making of the current request; (d) the controller must have regard to any guidance issued under Article 38 in deciding: (i) whether a subsequent request is identical or similar to a previous request; (ii) whether a reasonable interval has elapsed between compliance with the previous request and the making of the current request.
Amendment 1153 #
Proposal for a regulation
Article 12 – paragraph 5
Article 12 – paragraph 5
Amendment 1159 #
Proposal for a regulation
Article 12 – paragraph 6
Article 12 – paragraph 6
Amendment 1177 #
Proposal for a regulation
Article 14 – paragraph 1 – introductory part
Article 14 – paragraph 1 – introductory part
1. Where personal data relating to a data subject are collected, the controller shall provide or make readily available to the data subject with at least the following information:
Amendment 1188 #
Proposal for a regulation
Article 14 – paragraph 1 – point b
Article 14 – paragraph 1 – point b
(b) the purposes of the processingr purposes for which the personal data are intended, including the contract terms and general conditions where the processing is based on point (b) of Article 6(1) and the legitimate interests pursued by the controller where the processing is based on point (f) of Article 6(1); to be processed; and
Amendment 1192 #
Proposal for a regulation
Article 14 – paragraph 1 – point c
Article 14 – paragraph 1 – point c
Amendment 1210 #
Proposal for a regulation
Article 14 – paragraph 1 – point g
Article 14 – paragraph 1 – point g
Amendment 1217 #
Proposal for a regulation
Article 14 – paragraph 1 – point h
Article 14 – paragraph 1 – point h
(h) any further information necessary to guarantee fair processing in respect of the data subject, having regard to the specific circumstances in which the personal data are collectedwhich is necessary, having regard to the specific circumstances in which the data are or are to be processed, to enable processing in respect of the data subject to be fair.
Amendment 1220 #
Proposal for a regulation
Article 14 – paragraph 2
Article 14 – paragraph 2
Amendment 1223 #
Proposal for a regulation
Article 14 – paragraph 2 a (new)
Article 14 – paragraph 2 a (new)
2a. In deciding on further information which is necessary to make the processing fair under 1(d), controllers must have regard to any relevant guidance under Article 38.
Amendment 1224 #
Proposal for a regulation
Article 14 – paragraph 3
Article 14 – paragraph 3
Amendment 1232 #
Proposal for a regulation
Article 14 – paragraph 4
Article 14 – paragraph 4
Amendment 1241 #
Proposal for a regulation
Article 14 – paragraph 4 a (new)
Article 14 – paragraph 4 a (new)
4a. Article 14 shall not apply where: (a) the data subject already has the information; (b) the provision of such information proves impossible or would involve a disproportionate effort; (c) obtaining or disclosure is found in Union or Member State law; (d )where the data originate from publicly available sources; (e) where the data must remain confidential in accordance with a legal provision or on account of the overriding justified interests of a third party.
Amendment 1242 #
Proposal for a regulation
Article 14 – paragraph 5
Article 14 – paragraph 5
Amendment 1261 #
Proposal for a regulation
Article 14 – paragraph 5 – point d a (new)
Article 14 – paragraph 5 – point d a (new)
(da) the data consists of information in respect of which a claim to legal professional privilege, or equivalent professional secrecy provisions could be maintained under national law or rules established by national competent bodies.
Amendment 1267 #
Proposal for a regulation
Article 14 – paragraph 5 – point d a (new)
Article 14 – paragraph 5 – point d a (new)
(da) the data are processed for health, historical, statistical or scientific research purposes subject to the conditions and safeguards referred to in Articles 81 or 83 as appropriate, and the provision of such information proves impossible or would involve a disproportionate effort.
Amendment 1270 #
Proposal for a regulation
Article 14 – paragraph 6
Article 14 – paragraph 6
Amendment 1280 #
Proposal for a regulation
Article 14 – paragraph 7
Article 14 – paragraph 7
Amendment 1285 #
Proposal for a regulation
Article 14 – paragraph 8
Article 14 – paragraph 8
Amendment 1297 #
Proposal for a regulation
Article 15 – paragraph 1 – introductory part
Article 15 – paragraph 1 – introductory part
1. TSubject to Article 12(4), the data subject shall have the right to obtain from the controller at any time, on request, confirmation as to whether or not personal data relating to the data subject are being processed. Where such personal data are being processed, the controller shall provide the following information from the controller:
Amendment 1299 #
Proposal for a regulation
Article 15 – paragraph 1 a (new)
Article 15 – paragraph 1 a (new)
1a. Where a data controller cannot comply with the request without disclosing information relating to another individual who can be identified from that information, he is not obliged to comply with the request unless: (a) the other individual has consented to the disclosure of the information to the person making the request; or (b) it is reasonable in all the circumstances to comply with the request without the consent of the other individual.
Amendment 1300 #
Proposal for a regulation
Article 15 – paragraph 1 b (new)
Article 15 – paragraph 1 b (new)
1b. In paragraph (1) the reference to information relating to another individual includes a reference to information identifying that individual as the source of the information sought by the request; and that paragraph is not to be construed as excusing a data controller from communicating so much of the information sought by the request as can be communicated without disclosing the identity of the other individual concerned, whether by the omission of names or other identifying particulars or otherwise. In determining for the purposes of this paragraph whether it is reasonable in all the circumstances to comply with the request without the consent of the other individual concerned, regard shall be had, in particular, to: (a) any duty of confidentiality owed to the other individual; (b) any steps taken by the data controller with a view to seeking the consent of the other individual; (c) whether the other individual is capable of giving consent; and (d) any express refusal of consent by the other individual.
Amendment 1307 #
Proposal for a regulation
Article 15 – paragraph 1 – point d
Article 15 – paragraph 1 – point d
Amendment 1316 #
Proposal for a regulation
Article 15 – paragraph 1 – point h
Article 15 – paragraph 1 – point h
(h) the significance and envisaged consequences of such processing, at least in the case of measures referred to in Article 20where the processing by automatic means of personal data of which that individual is the data subject for the purpose of evaluating matters relating to him such as, for example, his performance at work, his creditworthiness, his reliability or his conduct, has constituted or is likely to constitute the sole basis for any decision significantly affecting him, to be informed by the data controller of the logic involved in that decision-taking.
Amendment 1336 #
Proposal for a regulation
Article 15 – paragraph 2 a (new)
Article 15 – paragraph 2 a (new)
2a. There shall be no right of access in accordance with paragraphs 1 and 2 when data within the meaning of Article 14(5)(da) are concerned, except if the data subject is empowered to lift the secrecy in question and acts accordingly.
Amendment 1344 #
Proposal for a regulation
Article 15 – paragraph 2 b (new)
Article 15 – paragraph 2 b (new)
2b. In complying with requests under this Article, data controllers shall take account of any relevant guidance.
Amendment 1354 #
Proposal for a regulation
Article 15 – paragraph 3
Article 15 – paragraph 3
Amendment 1363 #
Proposal for a regulation
Article 15 – paragraph 4
Article 15 – paragraph 4
Amendment 1390 #
Proposal for a regulation
Article 17 – paragraph 1 – introductory part
Article 17 – paragraph 1 – introductory part
1. The data subject shall have the right to obtain, as appropriate, from the controller the erasure of personal data relating to them and the abstention from further dissemination of such data, especially in relation to personal data which are made available by the data subject while he or she was a child, where one of the following grounds applies:
Amendment 1401 #
Proposal for a regulation
Article 17 – paragraph 1 – point d
Article 17 – paragraph 1 – point d
Amendment 1414 #
Proposal for a regulation
Article 17 – paragraph 2
Article 17 – paragraph 2
Amendment 1433 #
Proposal for a regulation
Article 17 – paragraph 3 – point b
Article 17 – paragraph 3 – point b
(b) for rheasons of public interest in the area of public healthlth purposes in accordance with Article 81;
Amendment 1434 #
Proposal for a regulation
Article 17 – paragraph 3 – point b a (new)
Article 17 – paragraph 3 – point b a (new)
(ba) for maintaining medical records for prevention, medical diagnosis, treatment, palliative care, clinical trials, patient registries, and other health research and medical innovation purposes;
Amendment 1443 #
Proposal for a regulation
Article 17 – paragraph 3 – point d
Article 17 – paragraph 3 – point d
(d) for compliance with or to avoid a breach of a legal obligation to retain the personal data by Union or Member State law to which the controller is subject; Member State laws shall meet an objective of public interest, respect the essence of the right to the protection of personal data and be proportionate to the legitimate aim pursued;
Amendment 1460 #
Proposal for a regulation
Article 17 – paragraph 4 – point b
Article 17 – paragraph 4 – point b
(b) the controller no longer needs the personal data for the accomplishment of its task but they have to be maintained for the purposes of proofdefending legal claims;
Amendment 1637 #
Proposal for a regulation
Article 21 – paragraph 1 – point c
Article 21 – paragraph 1 – point c
(c) other public interests of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters and the protection of market stability and integrity;
Amendment 1643 #
Proposal for a regulation
Article 21 – paragraph 1 – point f a (new)
Article 21 – paragraph 1 – point f a (new)
(fa) legal professional privilege and lawyer-client confidentiality.
Amendment 1826 #
Proposal for a regulation
Article 28
Article 28
Amendment 2097 #
Proposal for a regulation
Article 34 – paragraph 1
Article 34 – paragraph 1
Amendment 2102 #
Proposal for a regulation
Article 34 – paragraph 1
Article 34 – paragraph 1
1. TWhe controller or the processor as the case may be shall obtain an authorisation from the supervisory authority prior to the processing of personal data, in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risks involved for the data subjects where a controller or processor adopts contractual clauses as provided for in point (d) of Article 42(2) or does not provide for the appropriate safeguards in a legally binding instrument as referred to in Article 42(5) for the transfer of personal data to a third country or an international organisationre an impact assessment has been undertaken in accordance with Article 33, the controller must consult the supervisory authority in accordance with this Article if, despite the measures envisaged in the impact assessment to ensure protection of personal data, the controller considers that it is likely that the intended processing would result in serious harm to fundamental rights and freedoms of data subjects.
Amendment 2104 #
Proposal for a regulation
Article 34 – paragraph 1 a (new)
Article 34 – paragraph 1 a (new)
Amendment 2118 #
Proposal for a regulation
Article 34 – paragraph 3
Article 34 – paragraph 3
3. Where the supervisory authority is of the opinion that the intended processing doesreferred to in paragraph 2 would not comply with this Regulation, in particular wt shall within a maximum period of 6 weeks following the re risks are insufficiently identifiquest for consultation make appropriate recommendations to the data controller. This period may be extended for mitigated, it shall prohibit the intended processing and make appropriate proposals to remedy such incompliancea further month, taking into account the complexity of the intended processing. Where the extended period applies, the controller of processor shall be informed within one month of receipt of the request of the reasons for the delay.
Amendment 2122 #
Proposal for a regulation
Article 34 – paragraph 4
Article 34 – paragraph 4
4. The supervisory authority shall establish and make public a list of the processing operations for which are subject to prior consultation would be recommended pursuant to point (b) of paragraph 2. The supervisory authority shall communicate those lists to the European Data Protection Board.
Amendment 2125 #
Proposal for a regulation
Article 34 – paragraph 5
Article 34 – paragraph 5
5. Where the list provided for in paragraph 4 involves processing activities which are related to the offering of goods or services to data subjects in several Member States, or to the monitoring of their behaviour, or may substantially affect the free movement of personal data within the Union, the supervisory authority shall apply the consistency mechanism referred to in Article 57 prior to the adoption of the listEuropean Data Protection Board shall produce guidance to ensure consistent application, taking into account the specific circumstances of Member States.
Amendment 2150 #
Proposal for a regulation
Article 35 – paragraph 1 – introductory part
Article 35 – paragraph 1 – introductory part
1. The controller and the processor shall consider whether to designate a data protection officer in any case where:
Amendment 2183 #
Proposal for a regulation
Article 35 – paragraph 1 a (new)
Article 35 – paragraph 1 a (new)
1a. In considering whether to appoint a data protection officer, a controller or processor must have regard to factors including the nature, scope and purposes of the processing, the risks for the fundamental rights and freedoms of data subjects that may arise from it, the other measures it proposes to take in order to comply with this Regulation and cost- effectiveness.
Amendment 2184 #
Proposal for a regulation
Article 35 – paragraph 1 b (new)
Article 35 – paragraph 1 b (new)
1b. Member States may provide in national law for controllers or processors to be required to appoint a data protection officer for the purposes of this Regulation. In doing so, Member States must at least consider the factors referred to in paragraph 1a. Any such measures shall be notified to the European Commission.
Amendment 2202 #
Proposal for a regulation
Article 35 – paragraph 3
Article 35 – paragraph 3
3. Where the controller or the processor is a public authority or body, tha single data protection officer may be designated for several of its entitsuch authorities or bodies, taking account of their organisational structure of the public authority or bodyand size.
Amendment 2209 #
Proposal for a regulation
Article 35 – paragraph 5
Article 35 – paragraph 5
Amendment 2215 #
Proposal for a regulation
Article 35 – paragraph 6
Article 35 – paragraph 6
Amendment 2224 #
Proposal for a regulation
Article 35 – paragraph 7
Article 35 – paragraph 7
Amendment 2252 #
Proposal for a regulation
Article 35 – paragraph 11
Article 35 – paragraph 11
Amendment 2270 #
Proposal for a regulation
Article 36 – paragraph 2
Article 36 – paragraph 2
2. The controller or processor shall ensure that the data protection officer performs the duties and tasks independently and does not receive any instructions as regards the exercise of the function. The data protection officer shall directly report to the management of the controller or the processor.
Amendment 2285 #
Proposal for a regulation
Article 37
Article 37
Amendment 2336 #
Proposal for a regulation
Article 38 – paragraph 2
Article 38 – paragraph 2
2. Associations and other bodies representing categories of controllers or processors in one Member State which intend to draw up codes of conduct or to amend or extend existing codes of conduct may submit them to an opinion of the supervisory authority in that Member State. The supervisory authority may give an opinion whether the draft code of conduct or the amendmentprocessing under the code is in compliance with this Regulation. The supervisory authority shall seek the views of data subjects or their representatives on these drafts.
Amendment 2358 #
Proposal for a regulation
Article 39 – paragraph 1
Article 39 – paragraph 1
1. The Member States, professional bodies and the Commission shall encourage, in particular at European level, the establishment of data protection certification mechanisms and of data protection seals and marks, allowing data subjects to quickly assess the level of data protection provided by controllers and processors. The data protection certifications mechanisms shall contribute to the proper application of this Regulation, taking account of the specific features of the various sectors and different processing operations.
Amendment 2366 #
Proposal for a regulation
Article 39 – paragraph 2
Article 39 – paragraph 2
Amendment 2375 #
Proposal for a regulation
Article 39 – paragraph 3
Article 39 – paragraph 3
Amendment 2384 #
Proposal for a regulation
Article 40 – paragraph 1
Article 40 – paragraph 1
Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation may only take place if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation, without prejudice to decisions adopted by the Commission on the basis of Article 25(6) or Article 26(4) of Directive 95/46/EC or authorisations by a supervisory authority on the basis of Article 26(2) of Directive 95/46/EC.
Amendment 2395 #
Proposal for a regulation
Article 41 – paragraph 2 – point c
Article 41 – paragraph 2 – point c
(c) the international commitments the third country or international organisation in question has entered into, in particular any legally binding conventions or instruments under human rights law or international law.
Amendment 2401 #
Proposal for a regulation
Article 41 – paragraph 4 a (new)
Article 41 – paragraph 4 a (new)
4a. The Commission shall adopt and make public binding procedures for reaching decisions concerning the adequacy of protection, which shall contain at least the following information: (a) the procedures by which a third country, territory, a processing sector within that third country (which can be represented by an association or group of data controllers or data processors), or an international or regional organisation may request that an adequacy decision be issued; (b) the steps of the decision-making procedure, including time limits within which each step must be completed; (c) the rights of the party or parties that have requested an adequacy decision to present their case in the various steps of the procedure; (d) how interested parties (including individuals, consumer organisations, academic experts, government entities, data controllers and processors, and others) may express their opinion concerning the proposed decision. The Commission shall either approve or refuse an application for a decision regarding the adequacy of protection within one year of its submission.
Amendment 2437 #
Proposal for a regulation
Article 42 – paragraph 2 – point d b (new)
Article 42 – paragraph 2 – point d b (new)
(db) the measures referred to in Article 81 for health purposes or Article 83 for historical, statistical or scientific research purposes.
Amendment 2452 #
Proposal for a regulation
Article 42 – paragraph 4
Article 42 – paragraph 4
4. Where a transfer is based onthe relevant safeguards are provided for on the basis of contractual clauses as referred to in point (d) of paragraph 2 of this Article the controller or processor shall obtain prior authorisation of the contractual clauses according to point (a) of Article 34(1) from the supervisory authority. If the transfer is related to processing activities whichensure compliance of the intended processing with this Regulation and mitigate any risks involved for the data subject. The supervisory authority shall support the compliance of the Regulation by providing guidance and advice under this provision. If the processing concerns data subjects in another Member State or other Member States, or substantially affect the free movement of personal data within the Union, the supervisory authority shall apply the consistency mechanism referred to in Article 57EDPB shall provide guidance to ensure consistent application of the Regulation, taking into account the specific circumstances of individual Member States.
Amendment 2464 #
Proposal for a regulation
Article 42 – paragraph 5
Article 42 – paragraph 5
5. Where the appropriate safeguards with respect to the protection of personal data are not provided for in a legally binding instrument, the controller or processor shall obtain prior authorisation for the transfer, or a set of transfers, or for provisions to be inserted into administrative arrangements providing the basis for such transfer. Such authorisation by the supervisory authority shall be in accordance with point (a) of Article 34(1). If the transffor example in a memorandum of understanding, the controller shall ensure compliance of the intended processing with this Regulation and mitigate any risks involved for the data subject. The supervisory authority shall support the compliance of the Regulation by providing guidance and advice under this related to processing activities whichprovision. If the processing concerns data subjects in another Member State or other Member States, or substantially affect the free movement of personal data within the Union, the supervisory authority shall apply the consistency mechanism referred to in Article 57EDPB shall provide guidance to ensure consistent application of the Regulation, taking into account the specific circumstances of individual Member States. Authorisations by a supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid, until amended, replaced or repealed by that supervisory authority.
Amendment 2469 #
Proposal for a regulation
Article 43 – paragraph 1
Article 43 – paragraph 1
1. A supervisory authority shall in accordance with the consistency mechanism set out in Article 58 approve binding corporate rules,Where appropriate safeguards are provided through binding corporate rules data controllers shall ensure compliance with the Regulation by provideding that theyBCRs: (a) are legally binding and apply to and are enforced by every member within the controller’'s or processor's group of undertakings, and include their employees; (b) expressly confer enforceable rights on data subjects; (c) fulfil the requirements laid down in paragraph 2. The supervisory authority shall support the compliance of this Regulation by providing guidance and advice under this provision.
Amendment 2506 #
Proposal for a regulation
Article 44 – paragraph 1 – point h
Article 44 – paragraph 1 – point h
(h) the transferprocessing is necessary for the purposes of the legitimate interests pursued by the controller or the processor, which cannot be qualified as frequent or massive, and where the controller or processor has assessed all the circumstances surrounding the data transfer operation or the set of data transfer operations and based on this assessmentand where the controller has adduced appropriate safeguards with respect to the protection of personal data, where necessary.
Amendment 2508 #
Proposal for a regulation
Article 44 – paragraph 1 – point h a (new)
Article 44 – paragraph 1 – point h a (new)
(ha) the personal data has been anonymised;
Amendment 2510 #
Proposal for a regulation
Article 44 – paragraph 1 – point h b (new)
Article 44 – paragraph 1 – point h b (new)
(hb) the personal data has been pseudonymised, and the key and the data are kept separately, and contractual clauses forbid the controller to access the key.
Amendment 2598 #
Proposal for a regulation
Article 51 – paragraph 3
Article 51 – paragraph 3
3. The supervisory authority shall not be competent to supervise processing operations of courts acting in their judicial capacity: (a) by a judge; or (b) by a person acting on the instructions or on behalf of a judge; or (c) for the purpose of exercising judicial functions including functions of appointment, discipline, administration or leadership of judges.
Amendment 2608 #
Proposal for a regulation
Article 52 – paragraph 1 – point j a (new)
Article 52 – paragraph 1 – point j a (new)
(ja) provide micro, small and medium sized enterprise processors and controllers with a comprehensive list of their responsibilities and obligations in accordance with this Regulation.
Amendment 2703 #
Proposal for a regulation
Article 60
Article 60
Amendment 2854 #
Proposal for a regulation
Article 79 – paragraph 1
Article 79 – paragraph 1
1. Each supervisory authority shall be empowered to impose administrative sanctions in accordance with this Article. The administrative sanctions available to supervisory authorities must include at least financial penalties and other administrative sanctions such as warnings and recommendations for remedial action, including in relation to technical and organisational measures.
Amendment 2866 #
Proposal for a regulation
Article 79 – paragraph 2
Article 79 – paragraph 2
2. TheAn administrative sanction shall be in eachvery individual case effective, proportionate and dissuasive. The amount of the administrative fine shall be fixed with due regard toIn deciding on the nature, scope and seriousness of the administrative sanction to apply the supervisory authority shall have regard to all the circumstances and, in particular: (a) the nature, gravity and duration of the breach, the intentional or negligent cha; (b) whether the breach was deliberacter of the infringement, the degree of responsibility of the natural or legal person and of previous breaches by this person, the technical and organisational measures and procedures implemented pursuant to Article 23 and; (c) whether reasonable steps were taken to prevent it; (d) whether the breach did or is likely to cause substantial harm or substantial prejudice to the fundamental rights and freedoms of a data subject, or substantial distress to a data subject; (e) any steps taken to mitigate the consequences of a breach, including the degree of co-operation with the supervisory authority in order to remedy the breach. or its consequences; (f) any previous breaches.
Amendment 2871 #
Proposal for a regulation
Article 79 – paragraph 3
Article 79 – paragraph 3
Amendment 2884 #
Proposal for a regulation
Article 79 – paragraph 3 a (new)
Article 79 – paragraph 3 a (new)
3a. A supervisory authority may, in particular, decide that it is appropriate to apply a sanction other than a financial penalty if the nature, scope or purposes of the processing activities are such that the activity is unlikely to represent risks for the fundamental rights of a data subject.
Amendment 2895 #
Proposal for a regulation
Article 79 – paragraph 4 – introductory part
Article 79 – paragraph 4 – introductory part
4. The supervisory authority shallmay impose a fine up to 250 000 EUR, or in case of an enterprise up to 0,5 % of its annual worldwide turnover, to anyone who, intentionally or negligently:
Amendment 2907 #
Proposal for a regulation
Article 79 – paragraph 5 – introductory part
Article 79 – paragraph 5 – introductory part
5. The supervisory authority shallmay impose a fine up to 500 000 EUR, or in case of an enterprise up to 1 % of its annual worldwide turnover, to anyone who, intentionally or negligently:
Amendment 2928 #
Proposal for a regulation
Article 79 – paragraph 6 – introductory part
Article 79 – paragraph 6 – introductory part
6. The supervisory authority shallmay impose a fine up to 1 000 000 EUR or, in case of an enterprise up to 2 % of its annual worldwide turnover, to anyone who, intentionally or negligently:
Amendment 2956 #
Proposal for a regulation
Article 80 – paragraph 1
Article 80 – paragraph 1
1. Member States shall provide for exemptions or derogations from the provisions on the general principles in Chapter II, the rights of the data subject in Chapter III, on controller and processor in Chapter IV, on the transfer of personal data to third countries and international organisations in Chapter V, the independent supervisory authorities in Chapter VI and on co-operation and consistency in Chapter VII and the provisions regarding processing concerning health and processing for historical, statistical and scientific research purposes in this chapter whenever this is necessary for the processing of personal data carried out solely for journalistic purposes or the purpose of artistic or literary expression in order to reconcile the right to the protection of personal data with the rules governing freedom of expression.
Amendment 2962 #
Proposal for a regulation
Article 80 – paragraph 1 a (new)
Article 80 – paragraph 1 a (new)
Amendment 2981 #
Proposal for a regulation
Article 81 – paragraph 1 – point c
Article 81 – paragraph 1 – point c
(c) other reasons of public interest in areas such as social protection, especially in order to ensure the quality and cost- effectiveness of the procedures used for settling claims for benefits and services in the health insurance system and the provision of health services.
Amendment 2985 #
Proposal for a regulation
Article 81 – paragraph 2
Article 81 – paragraph 2
2. PWithout prejudice to any exemptions or derogations made under Article 80, processing of personal data concerning health which is necessary for historical, statistical or scientific research purposes, such as patient registries set up for improving diagnoses and differentiating between similar types of diseases and preparing studies for therapies, is subject to the conditions and safeguards referred to in Article 83.
Amendment 2987 #
Proposal for a regulation
Article 81 – paragraph 2 a (new)
Article 81 – paragraph 2 a (new)
Amendment 2992 #
Proposal for a regulation
Article 81 – paragraph 3
Article 81 – paragraph 3
Amendment 2997 #
Proposal for a regulation
Article 81 – paragraph 3 a (new)
Article 81 – paragraph 3 a (new)
3a. A controller or processor may transfer personal data to a third country or an international organisation for health purposes if: (a) these purposes cannot reasonably be fulfilled by processing data which does not permit or not any longer permit the identification of the data subject; (b) the recipient does not reasonably have access to data enabling the attribution of information to an identified or identifiable data subject; and (c) contractual clauses between the controller or processor and the recipient of the data prohibit re-identification of the data subject and limit processing in accordance with the conditions and safeguards laid down in this Article.
Amendment 2998 #
Proposal for a regulation
Article 81 – paragraph 3 b (new)
Article 81 – paragraph 3 b (new)
3b. Within the limits of this Regulation, personal data may be processed for the purposes of a manufacturer's regulatory pre- and post-marketing obligations with respect to clinical evaluation of medical devices.
Amendment 3054 #
Proposal for a regulation
Article 83 – paragraph 1 – point b
Article 83 – paragraph 1 – point b
Amendment 3069 #
Proposal for a regulation
Article 83 – paragraph 1 a (new)
Article 83 – paragraph 1 a (new)
Amendment 3072 #
Proposal for a regulation
Article 83 – paragraph 1 – point a
Article 83 – paragraph 1 – point a
(a) these purposes cannot be otherwise fulfillreasonably be achieved by processing data which does not permit or not any longer permit the identification of the data subject; and
Amendment 3079 #
Proposal for a regulation
Article 83 – paragraph 2 a (new)
Article 83 – paragraph 2 a (new)
2a. Where the data subject is required to give his/her consent under this article, the option of broad consent should be available.
Amendment 3089 #
Proposal for a regulation
Article 83 – paragraph 3
Article 83 – paragraph 3
Amendment 3094 #
Proposal for a regulation
Article 83 – paragraph 3 a (new)
Article 83 – paragraph 3 a (new)
3a. A controller or processor may transfer personal data to a third country or an international organisation for historical, statistical or scientific research purposes if: (a) these purposes cannot reasonably be fulfilled by processing data which does not permit or not any longer permit the identification of the data subject; (b) the recipient does not reasonably have access to data enabling the attribution of information to an identified or identifiable data subject; and (c) contractual clauses between the controller or processor and the recipient of the data prohibit re-identification of the data subject and limit processing in accordance with the conditions and safeguards laid down in this Article.
Amendment 3095 #
Proposal for a regulation
Article 83 – paragraph 3 b (new)
Article 83 – paragraph 3 b (new)
3b. The provisions in this Article are without prejudice to exemptions or derogations which Member States should provide for under Article 80 in order to reconcile the right to the protection of personal data with the rules governing freedom of expression including as these relate to freedom of academic inquiry.
Amendment 3096 #
Proposal for a regulation
Article 83 a (new)
Article 83 a (new)
Article 83a Processing of criminal convictions data for the purpose of the prevention of financial crime Within the limits of this Regulation and in accordance with Article 9(2)(j), processing of personal data concerning criminal convictions or related security measures shall be permitted if it provides for appropriate measures to protect the data subject's fundamental rights and freedoms and is for: (a) the purposes of the prevention, investigation or detection of financial crime; or (b) reasons of public interest such as protecting against cross-border threats of financial crime, and in either case, must necessarily be carried out without the consent of the data subject being sought so as not to prejudice those purposes.