BETA

Activities of Malcolm HARBOUR related to 2012/0011(COD)

Shadow opinions (1)

OPINION on the proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)
2016/11/22
Committee: IMCO
Dossiers: 2012/0011(COD)
Documents: PDF(675 KB) DOC(863 KB)

Amendments (55)

Amendment 104 #
Proposal for a regulation
Recital 25
(25) Consent should be given explicitly by any appropriate method enabling a freely given specific and informed indication of the data subject's wishes, either by a statement or by a clear affirmative action by the data subject, ensuring that individuals are aware that they give their consent to the processing of personal data, including by ticking a box when visiting an Internet website or by any other statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of their personal data. Silence orThis is notwithstanding the possibility to express consent to processing in activity should therefore not constitute consentcordance with Directive 2002/58/EC by using the appropriate settings of a browser or other application. Consent should cover all processing activities carried out for the same purpose or purposes. If the data subject's consent is to be given following an electronic request, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
2012/11/08
Committee: IMCO
Amendment 107 #
Proposal for a regulation
Recital 27
(27) The main establishment of a controller in the Union, including a controller that is also a processor, should be determined according to objective criteria and should imply the effective and real exercise of management activities determining the main decisions as to the purposes, conditions and means of processing through stable arrangements. This criterion should not depend whether the processing of personal data is actually carried out at that location; the presence and use of technical means and technologies for processing personal data or processing activities do not, in themselves, constitute such main establishment and are therefore no determining criteria for a main establishment. The main establishment of the processor that is not also a controller should be the place of its central administration in the Union.
2012/11/08
Committee: IMCO
Amendment 133 #
Proposal for a regulation
Recital 65
(65) In order to demonstrate compliance with this Regulation, the controller or processor should document each processing operationmaintain relevant information on the main categories of processing undertaken. The Commission should establish a uniform format for the documentation of this information across the EU. Each controller and processor should be obliged to co-operate with the supervisory authority and make this documentation, on request, available to it, so that it might serve for monitoring those processing operassist the supervisory authority in evaluating the compliance of those main categories of processing with this Regulations.
2012/11/08
Committee: IMCO
Amendment 150 #
Proposal for a regulation
Article 2 – paragraph 2 – point e a (new)
(e a) that has been rendered anonymous.
2012/11/08
Committee: IMCO
Amendment 163 #
Proposal for a regulation
Article 4 – paragraph 1 – point 1
(1) ‘data subject’ means an identified natural person or an identifiable natural person who can be identifieduniquely, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an name, identification number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. If identification requires a disproportionate amount of time, effort or material resources, the natural living person shall not be considered identifiable;
2012/11/08
Committee: IMCO
Amendment 168 #
Proposal for a regulation
Article 4 – paragraph 1 – point 3 – point a (new)
a) 'anonymous data' shall mean information that has never related to a data subject or has been collected, altered or otherwise processed so that it cannot be attributed to a data subject.
2012/11/08
Committee: IMCO
Amendment 171 #
Proposal for a regulation
Article 4 – paragraph 1 – point 3 a (new)
(3 a) 'pseudonymous data' means any personal data that has been collected, altered or otherwise processed so that it of itself cannot be attributed to a data subject without the use of additional data which is subject to separate and distinct technical and organisational controls to ensure such non attribution, or that such attribution would require a disproportionate amount of time, expense and effort
2012/11/08
Committee: IMCO
Amendment 175 #
Proposal for a regulation
Article 4 – paragraph 1 – point 8
(8) ‘the data subject's consent’ means any freely given specific, informed and explicit indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processedorm of statement or conduct by the data subject indicating assent to the data processing proposed. Silence or inactivity does not in itself indicate acceptance;
2012/11/08
Committee: IMCO
Amendment 178 #
Proposal for a regulation
Article 4 – paragraph 1 – point 9
(9) ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;, which is likely to adversely affect the protection of the personal data or privacy of the data subject.
2012/11/08
Committee: IMCO
Amendment 180 #
Proposal for a regulation
Article 4 – paragraph 1 – point 13
(13) 'main establishment' means as regards the location as designated by the undertaking or group of undertakings, whether controller, the place of its establishment in the Union where the main decisions as or processor, subject to the consistency mechanism set out in Article 57, on the basis of, but not limited to, the purposes, conditions and means of the processing of personal data are taken; if no decisions as to the purposes, conditions and means of the processing of personal data are taken in the Union, the main establishment is the place where the main processing activities in the context of the activities of an establishment of a controller in the Union take place. As regards the processor, ‘main establishment’ means the place of its central administrfollowing optional objective criteria: (1) the location of the European headquarters of a group of undertakings; (2) the location of the entity within a group of undertakings with delegated data protection responsibilities; (3) the location of the entity within the group which is best placed in terms of management functions and administrative responsibilities to deal with and enforce the rules as set out in this Regulation; or (4) the location where effective and real management activities are exercised determining the data processing through stable arrangements. The competent authority shall be informed by the undertaking or group of undertakings of the designation inof the Union;main establishment.
2012/11/08
Committee: IMCO
Amendment 182 #
Proposal for a regulation
Article 5 – paragraph 1 – point c
(c) adequate, relevant, and limited to the minimum nenot excessaryive in relation to the purposes for which they are processed; they shall only be processed if, and as long as, the purposes could not be fulfilled by processing information that does not involve personal data;
2012/11/08
Committee: IMCO
Amendment 184 #
Proposal for a regulation
Article 5 – paragraph 1 – point e
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the data will be processed solely for historical, statistical or scientific research purposes in accordance with the rules and conditions of Articles 81 and 83 and if a periodic review is carried out to assess the necessity to continue the storage;
2012/11/08
Committee: IMCO
Amendment 196 #
Proposal for a regulation
Article 6 – paragraph 1 – point f a (new)
(f a) processing is necessary for fraud detection and prevention purposes according to applicable financial regulation or established industry, or professional body, codes of practice.
2012/11/08
Committee: IMCO
Amendment 198 #
Proposal for a regulation
Article 6 – paragraph 1 – point f b (new)
(f b) only pseudonymous data is processed.
2012/11/08
Committee: IMCO
Amendment 207 #
Proposal for a regulation
Article 7 – paragraph 3
3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Where the processing of personal data is an essential element to the controllers' ability to provide adequate security in the provision of a service to the data subject, the withdrawal of consent can lead to the termination of the service.
2012/11/08
Committee: IMCO
Amendment 210 #
Proposal for a regulation
Article 7 – paragraph 4
4. Consent shall not provide a legal basis for the processing, where there is a significant imbalance between the position of the data subject and the controller.deleted
2012/11/08
Committee: IMCO
Amendment 223 #
Proposal for a regulation
Article 8 – paragraph 4 a (new)
4 a. Paragraphs 1,2, and 3 shall not apply where the processing of personal data of a child concerns health data and where the Member State law in the field of health and social care prioritises the competence of an individual over physical age.
2012/11/08
Committee: IMCO
Amendment 242 #
Proposal for a regulation
Article 12 – paragraph 4
4. The information and the actions taken on requests referred to in paragraph 1 shall be free of charge. Where requests are manifestly excessive, in particular because ofowing to their high volume, complexity or their repetitive character, the controller may charge an appropriate, not for profit, fee for providing the information or taking the action requested, or the controller may notdecline to take the action requested. In that case, the controller shall bear the burden of proving the manifestly excessive character of the request.
2012/11/08
Committee: IMCO
Amendment 255 #
Proposal for a regulation
Article 14 – paragraph 5 – point b
(b) the data are not collected from the data subject and the provision of such information proves impossible or would involve a disproportionate effort and generate excessive administrative burden, especially when the processing is carried out by a SME as defined in EU recommendation 2003/361; or
2012/11/08
Committee: IMCO
Amendment 258 #
Proposal for a regulation
Article 15 – paragraph 1 – point h a (new)
(h a) where applicable, where data is collected and processed in exchange for the provision of free services, the controller's value estimate of the subject's processed data.
2012/11/08
Committee: IMCO
Amendment 263 #
Proposal for a regulation
Article 16 – paragraph 1 a (new)
Paragraph 1 shall not apply to pseudonymous data.
2012/11/08
Committee: IMCO
Amendment 264 #
Proposal for a regulation
Article 17 – title
Right to be forgotten and to erasure
2012/11/08
Committee: IMCO
Amendment 266 #
Proposal for a regulation
Article 17 – paragraph 1 a (new)
1 a. The right to erasure shall not apply when the retention of personal data is necessary for the performance of a contract between an organisation and the data subject, or when there is a regulatory requirement to retain this data, or for fraud prevention purposes;
2012/11/08
Committee: IMCO
Amendment 267 #
Proposal for a regulation
Article 17 – paragraph 1 – point a
(a) the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;deleted
2012/11/08
Committee: IMCO
Amendment 270 #
Proposal for a regulation
Article 17 – paragraph 1 – point b
(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or when the storage period consented to has expired, and where there is no other legal ground for the processing of the data;
2012/11/08
Committee: IMCO
Amendment 272 #
Proposal for a regulation
Article 17 – paragraph 1 – point d
(d) the processing of the data does not comply with this Regulation for other reasons.deleted
2012/11/08
Committee: IMCO
Amendment 284 #
Proposal for a regulation
Article 18 – paragraph 3
3. The Commission may specify the electronic format referred to in paragraph 1 and the technical standards, modalities and procedures for the transmission of personal data pursuant to paragraph 2. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2) shall be determined by the controller by reference to harmonised industry standards, or where these are not already defined, shall be developed by industry stakeholders through standardisation bodies.
2012/11/08
Committee: IMCO
Amendment 289 #
Proposal for a regulation
Article 19 – paragraph 3 a (new)
3 a. Where pseudonymous data are processed based on Article 6(1)(g), the data subject shall have the right to object free of charge to the processing. This right shall be explicitly offered to the data subject in an intelligible manner and shall be clearly distinguishable from other information.
2012/11/08
Committee: IMCO
Amendment 290 #
Proposal for a regulation
Article 20 – title
Measures based on profilautomated processing
2012/11/08
Committee: IMCO
Amendment 294 #
Proposal for a regulation
Article 20 – paragraph 1
1. Every natural person shall have the right not to be subject to a measure which produces legal effects concerning this natural person or significantly affects this natural person, and which is based solely on automated processing intended to evaluate certain personal aspects relating to this natural person or to analyse or predict in particular the natural person's performance at work, economic situation, location, health, personal preferences, reliability or behaviourA data subject shall not be subject to a decision which is unfair or discriminatory, and which is based solely on automated processing intended to evaluate certain personal aspects relating to this data subject.
2012/11/08
Committee: IMCO
Amendment 295 #
Proposal for a regulation
Article 20 – paragraph 2
2. Subject to the other provisions of this Regulation, a person may be subjected to a measure of the kind referred to in paragraph 1 only if the processing: (a) is carried out in the course of the entering into, or performance of, a contract, where the request for the entering into or the performance of the contract, lodged by the data subject, has been satisfied or where suitable measures to safeguard the data subject's legitimate interests have been adduced, such as the right to obtain human intervention; or (b) is expressly authorized by a Union or Member State law which also lays down suitable measures to safeguard the data subject's legitimate interests; or (c) is based on the data subject's consent, subject to the conditions laid down in Article 7 and to suitable safeguards.deleted
2012/11/08
Committee: IMCO
Amendment 309 #
Proposal for a regulation
Article 20 – paragraph 3
3. Automated processing of personal data intended to evaluate certain personal aspects relating to a natural person shall not be based solely on the special categories of personal data referred to in Article 9.deleted
2012/11/08
Committee: IMCO
Amendment 314 #
Proposal for a regulation
Article 20 – paragraph 4
4. In the cases referred to in paragraph 2, the information to be provided by the controller under Article 14 shall include information as to the existence of processing for a measure of the kind referred to in paragraph 1 and the envisaged effects of such processing on the data subject.deleted
2012/11/08
Committee: IMCO
Amendment 317 #
Proposal for a regulation
Article 20 – paragraph 5
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and conditions for suitable measures to safeguard the data subject's legitimate interests referred to in paragraph 2.
2012/11/08
Committee: IMCO
Amendment 324 #
Proposal for a regulation
Article 23 – paragraph 1
1. Having regard to the state of the art and the cost of implementation, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures and procedures in such a way that the processing will Where required, mandatory measures may be adopted to ensure that categories of goods or services are designed and have default settings meeting the requirements of this Regulation relating to the protection of individuals with regard to the processing of personal data. Such measures shall be based on standardisation pursuant to [Regulation .../2012 of the European Parliameent the requirements of this Reguland of the Council on European standardisation, and ensure the protection of the rights of the data subjectmending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Decision 87/95/EEC and Decision No 1673/2006/EC].
2012/11/08
Committee: IMCO
Amendment 328 #
Proposal for a regulation
Article 23 – paragraph 2
2. The controller shall implement mechanisms for ensuring that, by default, only thoseUntil such time as mandatory measures have been adopted peursonal data are processed which are necessary for each specific purpose of the processing and are especially not collected or retained beyond the minimum necessary for those purposes, both uant to paragraph 1, Member States shall ensure that no mandatory design or default requirements are imposed on goods or services relating terms of the amount of the data and the time of their storage. In particular, those mechanisms shall ensure that by default personal data are not made accessible to ao the protection of individuals with regard to the processing of personal data which could impede the placing of equipment on the market and the free circulation of such goods and services in iandefinite number of individual between Member States.
2012/11/08
Committee: IMCO
Amendment 330 #
Proposal for a regulation
Article 23 – paragraph 3
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of specifying any further criteria and requirements for appropriate measures and mechanisms referred to in paragraph 1 and 2, in particular for data protection by design requirements applicable across sectors, products and services.
2012/11/08
Committee: IMCO
Amendment 332 #
Proposal for a regulation
Article 23 – paragraph 4
4. The Commission may lay down technical standards for the requirements laid down in paragraph 1 and 2. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).deleted
2012/11/08
Committee: IMCO
Amendment 333 #
Proposal for a regulation
Article 26 – paragraph 1
1. Where a processing operation is to be carried out on behalf of a controller and which involves the processing of data that would permit the processor to reasonably identify the data subject, the controller shall choose a processor providing sufficient guarantees to implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject, in particular in respect of the technical security measures and organizational measures governing the processing to be carried out and shall ensure compliance with those measures. The controller remains solely responsible for ensuring compliance with the requirements of this Regulation.
2012/11/08
Committee: IMCO
Amendment 334 #
Proposal for a regulation
Article 26 – paragraph 2 – point d
(d) enlist another processor only with the prior permission of the controller;deleted
2012/11/08
Committee: IMCO
Amendment 336 #
Proposal for a regulation
Article 26 – paragraph 3 a (new)
3 a. The controller is deemed to have fulfilled the obligations set out in paragraph 1 when choosing a processor who has voluntarily self-certified or voluntarily obtained a certification, seal or mark pursuant to Articles 38 or 39 of this Regulation showing the implementation of appropriate standard technical and organizational measures in response to the requirements set out in this Regulation.
2012/11/08
Committee: IMCO
Amendment 338 #
Proposal for a regulation
Article 28 – paragraph 1
1. Each controller and processor and, if any, the controller's representative, shall maintain documentation of all processing operationsthe main categories of processing under its responsibility.
2012/11/08
Committee: IMCO
Amendment 340 #
Proposal for a regulation
Article 28 – paragraph 2 – introductory part
2. The core documentation shall contain at least the following information:
2012/11/08
Committee: IMCO
Amendment 341 #
Proposal for a regulation
Article 28 – paragraph 2 – point c
(c) the purposes of the processing, including the legitimate interests pursued by the controller where the processing is based on point (f) of Article 6(1);generic purposes of processing.
2012/11/08
Committee: IMCO
Amendment 344 #
Proposal for a regulation
Article 28 – paragraph 2 – point f
(f) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or an international organisation and, in case of transfers referred to in point (h) of Article 44(1), the documentation of appropriata reference to the safeguards employed;
2012/11/08
Committee: IMCO
Amendment 360 #
Proposal for a regulation
Article 31 – paragraph 1
1. In the case of a personal data breach, the controller shall, without undue delay and, where feasible, not later than 24 hours after having become aware of it, notify the personal data breach to the supervisory authority. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 24 hours, notify the personal data breach to the supervisory authority.
2012/11/08
Committee: IMCO
Amendment 375 #
Proposal for a regulation
Article 33 – paragraph 1
1. Where processing operations present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes, the controller or the processor acting on the controller's behalf shall carry out an assessment of the impact of the envisaged processing operations on the protection of personal data, unless the activities concerned do not present a risk to the privacy of the data subject.
2012/11/08
Committee: IMCO
Amendment 382 #
Proposal for a regulation
Article 33 – paragraph 5
5. Where the controller is a public authority or body or where the data is processed by another body which has been entrusted with the responsibility of delivering public service tasks, and where the processing results from a legal obligation pursuant to point (c) of Article 6(1) providing for rules and procedures pertaining to the processing operations and regulated by Union law, paragraphs 1 to 4 shall not apply, unless Member States deem it necessary to carry out such assessment prior to the processing activities.
2012/11/08
Committee: IMCO
Amendment 387 #
Proposal for a regulation
Article 35 – paragraph 1 – introductory part
1. The controller and the processor shallould designate a data protection officer in any case where:
2012/11/08
Committee: IMCO
Amendment 398 #
Proposal for a regulation
Article 42 – paragraph 1
1. Where the Commission has taken no decision pursuant to Article 41, a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has adduced appropriate safeguards with respect to the protection of personal data in a legally binding instrument, and where appropriate pursuant to an impact assessment, where the controller or processor has ensured that the recipient of data in a third country maintains high standards of data protection.
2012/11/08
Committee: IMCO
Amendment 399 #
Proposal for a regulation
Article 42 – paragraph 2 – point c a (new)
(c a) standard data protection clauses, as adopted according to points (a) and (b), between the data controller or data processor and the recipient of data situated in a third country, which may include standard terms for onward transfers to a recipient situated in a third country;
2012/11/08
Committee: IMCO
Amendment 417 #
Proposal for a regulation
Article 79 – paragraph 1
1. Each competent supervisory authority shall be empowered to impose administrative sanctions in accordance with this Article.
2012/11/08
Committee: IMCO
Amendment 420 #
Proposal for a regulation
Article 79 – paragraph 2
2. The administrative sanction shall be in each individual case effective, proportionate and dissuasive. The amount of the administrative fine shall be fixed with due regard to the nature, gravity and duration of the breach, the sensitivity of the data in issue, the intentional or negligent character of the infringement, the degree of harm or risk of harm created by the violation, the degree of responsibility of the natural or legal person and of previous breaches by this person, the technical and organisational measures and procedures implemented pursuant to Article 23 and the degree of co-operation with the supervisory authority in order to remedy the breach. Where appropriate, the data protection authority shall also be empowered to require that a data protection officer is appointed if the body, organisation or association has opted not to do so.
2012/11/08
Committee: IMCO
Amendment 421 #
Proposal for a regulation
Article 79 – paragraph 2 a (new)
2 a. Aggravating factors that support administrative fines at the upper limits established in paragraphs 4 to 6 shall include in particular: (i) repeated violations committed in reckless disregard of applicable law; (ii) refusal to co-operate with or obstruction of an enforcement process; (iii) violations that are deliberate, serious and likely to cause substantial damage; (iv) a data protection impact assessment has not been undertaken; (v) a data protection officer has not been appointed.
2012/11/08
Committee: IMCO
Amendment 422 #
Proposal for a regulation
Article 79 – paragraph 2 b (new)
2 b. Mitigating factors which support administrative fines at the lower limits established in paragraphs 4 to 6 shall include: (i) measures having been taken by the natural or legal person to ensure compliance with relevant obligations; (ii) genuine uncertainty as to whether the activity constituted a violation of the relevant obligations; (iii) immediate termination of the violation upon knowledge; (iv) co-operation with any enforcement processes; (v) a data protection impact assessment has been undertaken; (vi) a data protection officer has been appointed.
2012/11/08
Committee: IMCO