Activities of Malcolm HARBOUR related to 2012/0011(COD)
Shadow opinions (1)
OPINION on the proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)
Amendments (55)
Amendment 104 #
Proposal for a regulation
Recital 25
Recital 25
(25) Consent should be given explicitly by any appropriate method enabling a freely given specific and informed indication of the data subject's wishes, either by a statement or by a clear affirmative action by the data subject, ensuring that individuals are aware that they give their consent to the processing of personal data, including by ticking a box when visiting an Internet website or by any other statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of their personal data. Silence orThis is notwithstanding the possibility to express consent to processing in activity should therefore not constitute consentcordance with Directive 2002/58/EC by using the appropriate settings of a browser or other application. Consent should cover all processing activities carried out for the same purpose or purposes. If the data subject's consent is to be given following an electronic request, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
Amendment 107 #
Proposal for a regulation
Recital 27
Recital 27
(27) The main establishment of a controller in the Union, including a controller that is also a processor, should be determined according to objective criteria and should imply the effective and real exercise of management activities determining the main decisions as to the purposes, conditions and means of processing through stable arrangements. This criterion should not depend whether the processing of personal data is actually carried out at that location; the presence and use of technical means and technologies for processing personal data or processing activities do not, in themselves, constitute such main establishment and are therefore no determining criteria for a main establishment. The main establishment of the processor that is not also a controller should be the place of its central administration in the Union.
Amendment 133 #
Proposal for a regulation
Recital 65
Recital 65
(65) In order to demonstrate compliance with this Regulation, the controller or processor should document each processing operationmaintain relevant information on the main categories of processing undertaken. The Commission should establish a uniform format for the documentation of this information across the EU. Each controller and processor should be obliged to co-operate with the supervisory authority and make this documentation, on request, available to it, so that it might serve for monitoring those processing operassist the supervisory authority in evaluating the compliance of those main categories of processing with this Regulations.
Amendment 150 #
Proposal for a regulation
Article 2 – paragraph 2 – point e a (new)
Article 2 – paragraph 2 – point e a (new)
(e a) that has been rendered anonymous.
Amendment 163 #
Proposal for a regulation
Article 4 – paragraph 1 – point 1
Article 4 – paragraph 1 – point 1
(1) ‘data subject’ means an identified natural person or an identifiable natural person who can be identifieduniquely, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an name, identification number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. If identification requires a disproportionate amount of time, effort or material resources, the natural living person shall not be considered identifiable;
Amendment 168 #
Proposal for a regulation
Article 4 – paragraph 1 – point 3 – point a (new)
Article 4 – paragraph 1 – point 3 – point a (new)
a) 'anonymous data' shall mean information that has never related to a data subject or has been collected, altered or otherwise processed so that it cannot be attributed to a data subject.
Amendment 171 #
Proposal for a regulation
Article 4 – paragraph 1 – point 3 a (new)
Article 4 – paragraph 1 – point 3 a (new)
(3 a) 'pseudonymous data' means any personal data that has been collected, altered or otherwise processed so that it of itself cannot be attributed to a data subject without the use of additional data which is subject to separate and distinct technical and organisational controls to ensure such non attribution, or that such attribution would require a disproportionate amount of time, expense and effort
Amendment 175 #
Proposal for a regulation
Article 4 – paragraph 1 – point 8
Article 4 – paragraph 1 – point 8
(8) ‘the data subject's consent’ means any freely given specific, informed and explicit indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processedorm of statement or conduct by the data subject indicating assent to the data processing proposed. Silence or inactivity does not in itself indicate acceptance;
Amendment 178 #
Proposal for a regulation
Article 4 – paragraph 1 – point 9
Article 4 – paragraph 1 – point 9
(9) ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;, which is likely to adversely affect the protection of the personal data or privacy of the data subject.
Amendment 180 #
Proposal for a regulation
Article 4 – paragraph 1 – point 13
Article 4 – paragraph 1 – point 13
(13) ‘'main establishment’' means as regards the location as designated by the undertaking or group of undertakings, whether controller, the place of its establishment in the Union where the main decisions as or processor, subject to the consistency mechanism set out in Article 57, on the basis of, but not limited to, the purposes, conditions and means of the processing of personal data are taken; if no decisions as to the purposes, conditions and means of the processing of personal data are taken in the Union, the main establishment is the place where the main processing activities in the context of the activities of an establishment of a controller in the Union take place. As regards the processor, ‘main establishment’ means the place of its central administrfollowing optional objective criteria: (1) the location of the European headquarters of a group of undertakings; (2) the location of the entity within a group of undertakings with delegated data protection responsibilities; (3) the location of the entity within the group which is best placed in terms of management functions and administrative responsibilities to deal with and enforce the rules as set out in this Regulation; or (4) the location where effective and real management activities are exercised determining the data processing through stable arrangements. The competent authority shall be informed by the undertaking or group of undertakings of the designation inof the Union;main establishment.
Amendment 182 #
Proposal for a regulation
Article 5 – paragraph 1 – point c
Article 5 – paragraph 1 – point c
(c) adequate, relevant, and limited to the minimum nenot excessaryive in relation to the purposes for which they are processed; they shall only be processed if, and as long as, the purposes could not be fulfilled by processing information that does not involve personal data;
Amendment 184 #
Proposal for a regulation
Article 5 – paragraph 1 – point e
Article 5 – paragraph 1 – point e
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the data will be processed solely for historical, statistical or scientific research purposes in accordance with the rules and conditions of Articles 81 and 83 and if a periodic review is carried out to assess the necessity to continue the storage;
Amendment 196 #
Proposal for a regulation
Article 6 – paragraph 1 – point f a (new)
Article 6 – paragraph 1 – point f a (new)
(f a) processing is necessary for fraud detection and prevention purposes according to applicable financial regulation or established industry, or professional body, codes of practice.
Amendment 198 #
Proposal for a regulation
Article 6 – paragraph 1 – point f b (new)
Article 6 – paragraph 1 – point f b (new)
(f b) only pseudonymous data is processed.
Amendment 207 #
Proposal for a regulation
Article 7 – paragraph 3
Article 7 – paragraph 3
3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Where the processing of personal data is an essential element to the controllers' ability to provide adequate security in the provision of a service to the data subject, the withdrawal of consent can lead to the termination of the service.
Amendment 210 #
Proposal for a regulation
Article 7 – paragraph 4
Article 7 – paragraph 4
Amendment 223 #
Proposal for a regulation
Article 8 – paragraph 4 a (new)
Article 8 – paragraph 4 a (new)
4 a. Paragraphs 1,2, and 3 shall not apply where the processing of personal data of a child concerns health data and where the Member State law in the field of health and social care prioritises the competence of an individual over physical age.
Amendment 242 #
Proposal for a regulation
Article 12 – paragraph 4
Article 12 – paragraph 4
4. The information and the actions taken on requests referred to in paragraph 1 shall be free of charge. Where requests are manifestly excessive, in particular because ofowing to their high volume, complexity or their repetitive character, the controller may charge an appropriate, not for profit, fee for providing the information or taking the action requested, or the controller may notdecline to take the action requested. In that case, the controller shall bear the burden of proving the manifestly excessive character of the request.
Amendment 255 #
Proposal for a regulation
Article 14 – paragraph 5 – point b
Article 14 – paragraph 5 – point b
(b) the data are not collected from the data subject and the provision of such information proves impossible or would involve a disproportionate effort and generate excessive administrative burden, especially when the processing is carried out by a SME as defined in EU recommendation 2003/361; or
Amendment 258 #
Proposal for a regulation
Article 15 – paragraph 1 – point h a (new)
Article 15 – paragraph 1 – point h a (new)
(h a) where applicable, where data is collected and processed in exchange for the provision of free services, the controller's value estimate of the subject's processed data.
Amendment 263 #
Proposal for a regulation
Article 16 – paragraph 1 a (new)
Article 16 – paragraph 1 a (new)
Paragraph 1 shall not apply to pseudonymous data.
Amendment 264 #
Proposal for a regulation
Article 17 – title
Article 17 – title
Right to be forgotten and to erasure
Amendment 266 #
Proposal for a regulation
Article 17 – paragraph 1 a (new)
Article 17 – paragraph 1 a (new)
1 a. The right to erasure shall not apply when the retention of personal data is necessary for the performance of a contract between an organisation and the data subject, or when there is a regulatory requirement to retain this data, or for fraud prevention purposes;
Amendment 267 #
Proposal for a regulation
Article 17 – paragraph 1 – point a
Article 17 – paragraph 1 – point a
Amendment 270 #
Proposal for a regulation
Article 17 – paragraph 1 – point b
Article 17 – paragraph 1 – point b
(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or when the storage period consented to has expired, and where there is no other legal ground for the processing of the data;
Amendment 272 #
Proposal for a regulation
Article 17 – paragraph 1 – point d
Article 17 – paragraph 1 – point d
Amendment 284 #
Proposal for a regulation
Article 18 – paragraph 3
Article 18 – paragraph 3
3. The Commission may specify the electronic format referred to in paragraph 1 and the technical standards, modalities and procedures for the transmission of personal data pursuant to paragraph 2. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2) shall be determined by the controller by reference to harmonised industry standards, or where these are not already defined, shall be developed by industry stakeholders through standardisation bodies.
Amendment 289 #
Proposal for a regulation
Article 19 – paragraph 3 a (new)
Article 19 – paragraph 3 a (new)
3 a. Where pseudonymous data are processed based on Article 6(1)(g), the data subject shall have the right to object free of charge to the processing. This right shall be explicitly offered to the data subject in an intelligible manner and shall be clearly distinguishable from other information.
Amendment 290 #
Proposal for a regulation
Article 20 – title
Article 20 – title
Measures based on profilautomated processing
Amendment 294 #
Proposal for a regulation
Article 20 – paragraph 1
Article 20 – paragraph 1
1. Every natural person shall have the right not to be subject to a measure which produces legal effects concerning this natural person or significantly affects this natural person, and which is based solely on automated processing intended to evaluate certain personal aspects relating to this natural person or to analyse or predict in particular the natural person's performance at work, economic situation, location, health, personal preferences, reliability or behaviourA data subject shall not be subject to a decision which is unfair or discriminatory, and which is based solely on automated processing intended to evaluate certain personal aspects relating to this data subject.
Amendment 295 #
Proposal for a regulation
Article 20 – paragraph 2
Article 20 – paragraph 2
Amendment 309 #
Proposal for a regulation
Article 20 – paragraph 3
Article 20 – paragraph 3
Amendment 314 #
Proposal for a regulation
Article 20 – paragraph 4
Article 20 – paragraph 4
Amendment 317 #
Proposal for a regulation
Article 20 – paragraph 5
Article 20 – paragraph 5
Amendment 324 #
Proposal for a regulation
Article 23 – paragraph 1
Article 23 – paragraph 1
1. Having regard to the state of the art and the cost of implementation, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures and procedures in such a way that the processing will Where required, mandatory measures may be adopted to ensure that categories of goods or services are designed and have default settings meeting the requirements of this Regulation relating to the protection of individuals with regard to the processing of personal data. Such measures shall be based on standardisation pursuant to [Regulation .../2012 of the European Parliameent the requirements of this Reguland of the Council on European standardisation, and ensure the protection of the rights of the data subjectmending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Decision 87/95/EEC and Decision No 1673/2006/EC].
Amendment 328 #
Proposal for a regulation
Article 23 – paragraph 2
Article 23 – paragraph 2
2. The controller shall implement mechanisms for ensuring that, by default, only thoseUntil such time as mandatory measures have been adopted peursonal data are processed which are necessary for each specific purpose of the processing and are especially not collected or retained beyond the minimum necessary for those purposes, both uant to paragraph 1, Member States shall ensure that no mandatory design or default requirements are imposed on goods or services relating terms of the amount of the data and the time of their storage. In particular, those mechanisms shall ensure that by default personal data are not made accessible to ao the protection of individuals with regard to the processing of personal data which could impede the placing of equipment on the market and the free circulation of such goods and services in iandefinite number of individual between Member States.
Amendment 330 #
Proposal for a regulation
Article 23 – paragraph 3
Article 23 – paragraph 3
Amendment 332 #
Proposal for a regulation
Article 23 – paragraph 4
Article 23 – paragraph 4
Amendment 333 #
Proposal for a regulation
Article 26 – paragraph 1
Article 26 – paragraph 1
1. Where a processing operation is to be carried out on behalf of a controller and which involves the processing of data that would permit the processor to reasonably identify the data subject, the controller shall choose a processor providing sufficient guarantees to implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject, in particular in respect of the technical security measures and organizational measures governing the processing to be carried out and shall ensure compliance with those measures. The controller remains solely responsible for ensuring compliance with the requirements of this Regulation.
Amendment 334 #
Proposal for a regulation
Article 26 – paragraph 2 – point d
Article 26 – paragraph 2 – point d
Amendment 336 #
Proposal for a regulation
Article 26 – paragraph 3 a (new)
Article 26 – paragraph 3 a (new)
3 a. The controller is deemed to have fulfilled the obligations set out in paragraph 1 when choosing a processor who has voluntarily self-certified or voluntarily obtained a certification, seal or mark pursuant to Articles 38 or 39 of this Regulation showing the implementation of appropriate standard technical and organizational measures in response to the requirements set out in this Regulation.
Amendment 338 #
Proposal for a regulation
Article 28 – paragraph 1
Article 28 – paragraph 1
1. Each controller and processor and, if any, the controller's representative, shall maintain documentation of all processing operationsthe main categories of processing under its responsibility.
Amendment 340 #
Proposal for a regulation
Article 28 – paragraph 2 – introductory part
Article 28 – paragraph 2 – introductory part
2. The core documentation shall contain at least the following information:
Amendment 341 #
Proposal for a regulation
Article 28 – paragraph 2 – point c
Article 28 – paragraph 2 – point c
(c) the purposes of the processing, including the legitimate interests pursued by the controller where the processing is based on point (f) of Article 6(1);generic purposes of processing.
Amendment 344 #
Proposal for a regulation
Article 28 – paragraph 2 – point f
Article 28 – paragraph 2 – point f
(f) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or an international organisation and, in case of transfers referred to in point (h) of Article 44(1), the documentation of appropriata reference to the safeguards employed;
Amendment 360 #
Proposal for a regulation
Article 31 – paragraph 1
Article 31 – paragraph 1
1. In the case of a personal data breach, the controller shall, without undue delay and, where feasible, not later than 24 hours after having become aware of it, notify the personal data breach to the supervisory authority. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 24 hours, notify the personal data breach to the supervisory authority.
Amendment 375 #
Proposal for a regulation
Article 33 – paragraph 1
Article 33 – paragraph 1
1. Where processing operations present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes, the controller or the processor acting on the controller's behalf shall carry out an assessment of the impact of the envisaged processing operations on the protection of personal data, unless the activities concerned do not present a risk to the privacy of the data subject.
Amendment 382 #
Proposal for a regulation
Article 33 – paragraph 5
Article 33 – paragraph 5
5. Where the controller is a public authority or body or where the data is processed by another body which has been entrusted with the responsibility of delivering public service tasks, and where the processing results from a legal obligation pursuant to point (c) of Article 6(1) providing for rules and procedures pertaining to the processing operations and regulated by Union law, paragraphs 1 to 4 shall not apply, unless Member States deem it necessary to carry out such assessment prior to the processing activities.
Amendment 387 #
Proposal for a regulation
Article 35 – paragraph 1 – introductory part
Article 35 – paragraph 1 – introductory part
1. The controller and the processor shallould designate a data protection officer in any case where:
Amendment 398 #
Proposal for a regulation
Article 42 – paragraph 1
Article 42 – paragraph 1
1. Where the Commission has taken no decision pursuant to Article 41, a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has adduced appropriate safeguards with respect to the protection of personal data in a legally binding instrument, and where appropriate pursuant to an impact assessment, where the controller or processor has ensured that the recipient of data in a third country maintains high standards of data protection.
Amendment 399 #
Proposal for a regulation
Article 42 – paragraph 2 – point c a (new)
Article 42 – paragraph 2 – point c a (new)
(c a) standard data protection clauses, as adopted according to points (a) and (b), between the data controller or data processor and the recipient of data situated in a third country, which may include standard terms for onward transfers to a recipient situated in a third country;
Amendment 417 #
Proposal for a regulation
Article 79 – paragraph 1
Article 79 – paragraph 1
1. Each competent supervisory authority shall be empowered to impose administrative sanctions in accordance with this Article.
Amendment 420 #
Proposal for a regulation
Article 79 – paragraph 2
Article 79 – paragraph 2
2. The administrative sanction shall be in each individual case effective, proportionate and dissuasive. The amount of the administrative fine shall be fixed with due regard to the nature, gravity and duration of the breach, the sensitivity of the data in issue, the intentional or negligent character of the infringement, the degree of harm or risk of harm created by the violation, the degree of responsibility of the natural or legal person and of previous breaches by this person, the technical and organisational measures and procedures implemented pursuant to Article 23 and the degree of co-operation with the supervisory authority in order to remedy the breach. Where appropriate, the data protection authority shall also be empowered to require that a data protection officer is appointed if the body, organisation or association has opted not to do so.
Amendment 421 #
Proposal for a regulation
Article 79 – paragraph 2 a (new)
Article 79 – paragraph 2 a (new)
2 a. Aggravating factors that support administrative fines at the upper limits established in paragraphs 4 to 6 shall include in particular: (i) repeated violations committed in reckless disregard of applicable law; (ii) refusal to co-operate with or obstruction of an enforcement process; (iii) violations that are deliberate, serious and likely to cause substantial damage; (iv) a data protection impact assessment has not been undertaken; (v) a data protection officer has not been appointed.
Amendment 422 #
Proposal for a regulation
Article 79 – paragraph 2 b (new)
Article 79 – paragraph 2 b (new)
2 b. Mitigating factors which support administrative fines at the lower limits established in paragraphs 4 to 6 shall include: (i) measures having been taken by the natural or legal person to ensure compliance with relevant obligations; (ii) genuine uncertainty as to whether the activity constituted a violation of the relevant obligations; (iii) immediate termination of the violation upon knowledge; (iv) co-operation with any enforcement processes; (v) a data protection impact assessment has been undertaken; (vi) a data protection officer has been appointed.