[ParlTrack]

Proposal for a regulation
Article 3 – paragraph 2 – introductory part

2. This Regulation applies toas far as legally possible and is compatible with the legal system of a third country, the processing of personal data of data subjects residing in the Union by a controller not established in the Union, where the processing activities are related to:

2013/03/04
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 4 – paragraph 1 – point 8

(8) ‘the data subject’s consent’ means any freely given, specific, and informed ~~and explicit~~, contract or indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed;

2013/03/04
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 5 – paragraph 1 – point a

(a) processed lawfully, ~~fairly and in a~~proportionate and transparent manner in relation to the data subject;

2013/03/04
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 5 – paragraph 1 – point b

(b) collected for specified, ~~explicit~~clear and legitimate purposes and not further processed in a way incompatible with those purposes;

2013/03/04
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 6 – paragraph 1 – point f a (new)

(fa) processing is necessary in the interest of public safety, the welfare, safety, or health of an individual in line with fundamental rights and freedom;

2013/03/04
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 6 – paragraph 5

~~5. The Commission shall be empowered to adopt~~ delegated acts in accordance with Article 86 for the purpose of further specifying the conditions referred to in point (f) of paragraph 1 for various sectors and data processing situations, including as regards the processing of personal data related to a child.

2013/03/04
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 7 – paragraph 2

2. If the data subject's consent is to be given in the context of a written declaration which ~~also~~ concerns an~~other~~ entirely new, separate or unrelated matter, the requirement to give consent must be presented distinguishable in its appearance from this other matter.

2013/03/04
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 7 – paragraph 4

~~4. Consent shall not provide a legal basis for the processing, where there is a significant imbalance between the position of the data subject and the controller.~~deleted

2013/03/04
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 8 – paragraph 1

1. For the purposes of this Regulation, in relation to the offering of information society services directly to a child, the processing of personal data of a child below the age of 13 years shall only be lawful if and to the extent that consent is given or authorised by the child's parent or custodian. The controller shall make reasonable efforts to obtain verifiable consent, taking into consideration available technology.deleted

2013/03/04
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 8 – paragraph 2

~~2. Paragraph 1 shall not affect the general contract law of Member States such as the rules on the validity, formation or effect of a contract in relation to a child.~~deleted

2013/03/04
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 8 – paragraph 3

~~3. The Commission shall be empowered to adopt~~ delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the methods to obtain verifiable consent referred to in paragraph 1. In doing so, the Commission shall consider specific measures for micro, small and medium-sized enterprises.

2013/03/04
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 8 – paragraph 4

4. The Commission may lay down standard forms for specific methods to obtain verifiable consent referred to in paragraph 1. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).deleted

2013/03/04
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 8 – paragraph 4 a (new)

4a. Every child must be free to say what they think and to seek and receive all kinds of information, as long as it is within the law.

2013/03/04
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 8 – paragraph 4 b (new)

4b. Every child has the right to privacy. The law should protect the child's private, family and home life.

2013/03/04
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 8 – paragraph 4 c (new)

4c. Every child has the right to reliable information. This should be information that children can understand. Member State Government's must help protect children from materials that could harm them.

2013/03/04
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 9 – paragraph 2 – point c

(c) processing is necessary to protect the ~~vital~~ interests of the data subject or of another person where the data subject is physically or legally incapable of giving consent; or

2013/03/04
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 9 – paragraph 2 – point d

(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, or association ~~or any other non-profit-seeking body~~ with a political, philosophical, religious or trade- union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the data are not disclosed outside that body without the consent of the data subjects; or

2013/03/04
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 9 – paragraph 2 – point j

(j) processing of data relating to criminal convictions or related security measures is carried out either under the control of official authority or when the processing is necessary for compliance with a legal or regulatory obligation to which a controller is subject, or for the performance of a task carried out for important public interest reasons, and in so far as authorised by Union law or Member State law providing for adequate safeguards. A ~~complete~~ny register of criminal convictions shall be kept only under the control of official authority.

2013/03/04
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 9 – paragraph 3

~~3. The Commission shall be empowered to adopt~~ delegated acts in accordance with Article 86 for the purpose of further specifying the criteria, conditions and appropriate safeguards for the processing of the special categories of personal data referred to in paragraph 1 and the exemptions laid down in paragraph 2.

2013/03/04
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 10 – paragraph 1

If the data processed by a controller do not permit the controller to identify a natural person, the controller shall not be obliged to acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation.deleted

2013/03/04
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 11 – paragraph 1

1. The controller shall have transparent and easily accessible policies as laid out in a code of practice with regard to the processing of personal data and for the exercise of data subjects' rights.

2013/03/04
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 11 – paragraph 2

2. The controller shall ~~provide any information and any communic~~make available information relating to the processing of personal data to the data subject in an intelligible form, using clear and plain language, adapted to the data subject, in particular for any information addressed specifically to a child.

2013/03/04
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 12 – paragraph 1

1. The controller shall establish procedures for providing the information referred to in Article 14 and for the exercise of the rights of data subjects referred to in Article 13 and Articles 15 to 19. The controller shall provide in particular mechanisms for facilitating the request for the actions referred to in Article 13 and Articles 15 to 19. Where personal data are processed by automated means, the controller shall also provide means for requests to be made electronically.deleted

2013/03/04
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 12 – paragraph 2

2. The controller shall inform the data subject without undue delay and, at the latest within ~~one month~~30 working days of receipt of the request, whether or not any action has been taken pursuant to Article 13 and Articles 15 to 19 and shall provide the requested information. This period may be prolonged for a further ~~month~~30 working days, if several data subjects exercise their rights and their cooperation is necessary to a reasonable extent to prevent an unnecessary and disproportionate effort on the part of the controller~~. T~~ or in case the information ~~shall be given in writing. Where the data subject makes the request in electronic form, the information shall be provided in electronic form,~~would be incomplete or inaccurate. The information shall be given in the medium in which it was requested unless otherwise requested by the data subject.

2013/03/04
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 12 – paragraph 3

3. If the controller ~~refuses to~~does not take action on the request of the data subject, the ~~controller shall inform the data subject of~~data subject shall have the right to ask the controller for the reasons for the ~~refusal~~inaction and on the possibilities of lodging a complaint to the supervisory authority and seeking a judicial remedy.

2013/03/04
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 12 – paragraph 4

4. The information and the actions taken on requests referred to in paragraph 1 shall be either free of charge~~. Where requests are manifestly excessive, in particular because of~~ or at a maximum, sufficient to cover the administrative costs of handling, particularly with regard to repeat or bulk requests. Where requests are manifestly excessive, in particular with the aim of causing disruption, inconvenience or financial burden due to their repetitive character, the controller may charge a fee for providing the information or taking the action requested, or the controller may not take the action requested. In that case, the controller shall bear the burden of proving the manifestly excessive character of the request.

2013/03/04
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 12 – paragraph 5

~~5. The Commission shall be empowered to adopt~~ delegated ~~acts in accordance with Article 86 for the purpose of further specifying the criteria and conditions for the manifestly excessive requests and the fees referred to in paragraph 4.~~

2013/03/04
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 12 – paragraph 6

6. The Commission may lay down standard forms and specifying standard procedures for the communication referred to in paragraph 2, including the electronic format. In doing so, the Commission shall take the appropriate measures for micro, small and medium- sized enterprises. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).deleted

2013/03/04
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 14 – paragraph 1

1. Where personal data relating to a data subject are collected, the controller shall provide the data subject with at least the following information: (a) the identity and the contact details of the controller and, if any, of the controller's representative and of the data protection officer; (b) the purposes of the processing for which the personal data are intended, including the contract terms and general conditions where the processing is based on point (b) of Article 6(1) and the legitimate interests pursued by the controller where the processing is based on point (f) of Article 6(1); (c) the period for which the personal data will be stored; (d) the existence of the right to request from the controller access to and rectification or erasure of the personal data concerning the data subject or to object to the processing of such personal data; (e) the right to lodge a complaint to the supervisory authority and the contact details of the supervisory authority; (f) the recipients or categories of recipients of the personal data; (g) where applicable, that the controller intends to transfer to a third country or international organisation and on the level of protection afforded by that third country or international organisation by reference to an adequacy decision by the Commission; (h) any further information necessary to guarantee fair processing in respect of the data subject, having regard to the specific circumstances in which the personal data are collected.deleted

2013/03/04
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 14 – paragraph 1 a (new)

1a. Where personal data relating to a data subject is collected from the data subject, the controller shall at the time when personal data are obtained, provide the data subject with the following information: (a) the identity and the contract details of the controller and, if any, of the controller's representative and of the data protection officer; (b) the purpose of the processing for which the personal data are intended, including the contract terms and general conditions. Further information shall be provided at the request of the data subject, which would include the following information: (a) the period for which the personal data will be stored; (b) the existence of the right to request from the controller access to and rectification or erasure of the personal data concerning the data subject or to object to the processing of such personal data; (c) the right to lodge a complaint to the supervisory authority and the contact details of the supervisory authority; (d) the recipients or categories of recipients of the personal data; (e) where applicable, that the controller intends to transfer to a third country or international organisation and on the level of protection afforded by that third country or international organisation by reference to an adequacy decision by the Commission; (f) any further information necessary to guarantee fair processing in respect of the data subject, having regard to the specific circumstances in which the personal data are collected.

2013/03/04
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 14 – paragraph 3

3. Where the personal data ~~are not collected from~~collected would have potentially harmful consequences or is wholly unrelated to the data subject, the controller shall inform the data subject, in addition to the information referred to in paragraph 1, from which source the personal data originate.

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 14 – paragraph 6

6. In the case referred to in point (b) of paragraph 5, the controller shall ~~provide appropriate measur~~undertake the necessary actions and protections in their activities to protect the data subject's legitimate interests.

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 14 – paragraph 7

~~7. The Commission shall be empowered to adopt~~ delegated acts in accordance with Article 86 for the purpose of further specifying the criteria for categories of recipients referred to in point (f) of paragraph 1, the requirements for the notice of potential access referred to in point (g) of paragraph 1, the criteria for the further information necessary referred to in point (h) of paragraph 1 for specific sectors and situations, and the conditions and appropriate safeguards for the exceptions laid down in point (b) of paragraph 5. In doing so, the Commission shall take the appropriate measures for micro, small and medium-sized- enterprises.

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 14 – paragraph 8

8. The Commission may lay down standard forms for providing the information referred to in paragraphs 1 to 3, taking into account the specific characteristics and needs of various sectors and data processing situations where necessary. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).deleted

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 15 – paragraph 3

~~3. The Commission shall be empowered to adopt~~ delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the communication to the data subject of the content of the personal data referred to in point (g) of paragraph 1.

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 15 – paragraph 4

4. The Commission may specify standard forms and procedures for requesting and granting access to the information referred to in paragraph 1, including for verification of the identity of the data subject and communicating the personal data to the data subject, taking into account the specific features and necessities of various sectors and data processing situations. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).deleted

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 16 – paragraph 1

The data subject shall have the right to obtain from the controller the rectification of personal data relating to them which are inaccurate. The data subject shall have the right to obtain completion of incomplete personal data~~, including by way of supplementing a corrective statement~~.

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 17 – paragraph 1 – introductory part

1. The data subject shall have the right to ~~obtain~~request from the controller, and pursue, the erasure of personal data relating to them and the abstention from further dissemination of such data, ~~especially in relation to personal data which are made available by the data subject while he or she was a child,~~ where one of the following grounds applies:

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 17 – paragraph 2

2. Where the controller referred to in paragraph 1 has made the personal data public, it shall take all reasonable steps, including technical measures, in relation to data for the publication of which the controller is responsible, to inform third parties which are processing such data, that a data subject requests them to erase any links to, or copy or replication of that personal data. Where the controller has authorised a third party publication of personal data, the controller shall be considered responsible for that publication.deleted

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 17 – paragraph 3 – point e a (new)

(ea) if in the legitimate interest of data controllers maintaining data so long as it does not cause prejudice or harm to the data subject, their rights or interests.

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 17 – paragraph 8

~~8. Where the erasure is carried out, the controller shall not otherwise process such personal data.~~deleted

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 18 – paragraph 1

1. The data subject shall have the right, where personal data are processed by electronic means and in a structured and commonly used format, to obtain from the controller a copy of data undergoing processing in an electronic and structured format which is commonly used and allows for further use by the data subject, in so far as it does not breach the intellectual property rights or legitimate private trade practices of the data controller.

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 18 – paragraph 3

3. The Commission may specify the electronic format referred to in paragraph 1 and the technical standards, modalities and procedures for the transmission of personal data pursuant to paragraph 2. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).deleted

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 19 – paragraph 1

1. The data subject shall have the right to object to processing, on grounds relating to their particular situation, at any time to the processing of personal data which is based on points (d), (e) and (f) of Article 6(1), unless the controller demonstrates compelling legitimate grounds for the processing which override the interests or fundamental rights and freedoms of the data subject.

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 19 – paragraph 2

2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object ~~free of charge~~to processing to the processing of their personal data for such marketing. This right shall be ~~explicitly~~ offered to the data subject in an intelligible and clear manner and shall be clearly distinguishable from other information.

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 19 – paragraph 3

~~3. Where an objection is upheld pursuant to paragraphs 1 and 2, the controller shall no longer use or otherwise process the personal data concerned.~~deleted

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 20 – paragraph 1

1. Every natural person shall have the right not to be subject to a measure which ~~produces legal effects concerning this natural person or significantly affects this natural person, and which~~ is based solely on automated processing intended to evaluate certain personal aspects relating to this natural person or to analyse or predict in particular the natural person's performance at work, economic situation, location, health, personal preferences, reliability or behaviour, without prejudice to legal and legitimate forms of profiling in commercial use or for the purpose of the prevention, investigation or prosecution of criminal activity.

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 20 – paragraph 4

4. In the cases referred to in paragraph 2, the information to be provided by the controller under Article 14 shall include information as to the existence of processing for a measure of the kind referred to in paragraph 1 ~~and the envisaged effects of such processing on the data subject~~.

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 21 – paragraph 1 – point c

(c) other public interests of the Union or of a Member State~~, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters and the protection of market stability and integrity~~;

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 21 – paragraph 1 – point d a (new)

(da) the protection of international relations;

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 22 – paragraph 1

1. The controller shall adopt policies and implement appropriate measures to ensure and be able to demonstrate that the processing of personal data is performed in compliance with th~~is Regulation~~e data protection principles laid out in this Regulation, and that the intended outcome is achieved for data subjects.

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 22 – paragraph 2 – introductory part

2. The measures provided for in paragraph 1 ~~shall in particular include~~may include measures such as:

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 22 – paragraph 3

3. The controller shall implement mechanisms to ensure the verification of the effectiveness of the measures referred to in paragraphs 1 and 2. ~~If proportionate, this verification shall be carried out by independent internal or external auditors.~~

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 22 – paragraph 4

~~4. The Commission shall be empowered to adopt~~ delegated acts in accordance with Article 86 for the purpose of specifying any further criteria and requirements for appropriate measures referred to in paragraph 1 other than those already referred to in paragraph 2, the conditions for the verification and auditing mechanisms referred to in paragraph 3 and as regards the criteria for proportionality under paragraph 3, and considering specific measures for micro, small and medium-sized-enterprises.

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 23 – paragraph 3

~~3. The Commission shall be empowered to adopt~~ delegated acts in accordance with Article 86 for the purpose of specifying any further criteria and requirements for appropriate measures and mechanisms referred to in paragraph 1 and 2, in particular for data protection by design requirements applicable across sectors, products and services.

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 23 – paragraph 4

4. The Commission may lay down technical standards for the requirements laid down in paragraph 1 and 2. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).deleted

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 25 – paragraph 1

1. In the situation referred to in Article 3(2), the controller shall designate a representative in the Union to act as a facilitator between the data subject, the data protection supervisor and the third country data controller.

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 25 – paragraph 2

2. This obligation shall not apply to: (a) a controller established in a third country where the Commission has decided that the third country ensures an adequate level of protection in accordance with Article 41; or (b) an enterprise employing fewer than 250 persons; or (c) a public authority or body; or (d) a controller offering only occasionally goods or services to data subjects residing in the Union.deleted

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 25 – paragraph 3

3. The representative shall be established in one of those Member States where the data subjects whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, reside.deleted

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 25 – paragraph 4

~~4. The designation of a representative by the controller shall be without prejudice to legal actions which could be initiated against the controller itself.~~deleted

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 26 – paragraph 4

4. If a processor processes personal data other than as instructed by the controller, the processor shall be considered to be a controller in respect of that processing and shall be subject to the rules on joint controllers laid down in Article 24.deleted

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 26 – paragraph 5

~~5. The Commission shall be empowered to adopt~~ delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the responsibilities, duties and tasks in relation to a processor in line with paragraph 1, and conditions which allow facilitating the processing of personal data within a group of undertakings, in particular for the purposes of control and reporting.

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 34 – paragraph 1

1. The controller or the processor as the case may be shall obtain an authorisation from the supervisory authority prior to the processing of personal data, in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risks involved for the data subjects where a controller or processor adopts contractual clauses as provided for in point (d) of Article 42(2) or does not provide for the appropriate safeguards in a legally binding instrument as referred to in Article 42(5) for the transfer of personal data to a third country or an international organisation.deleted

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 34 – paragraph 2

2. The controller or processor acting on the controller's behalf shall consult the supervisory authority prior to the processing of personal data in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risks involved for the data subjects where: (a) a data protection impact assessment as provided for in Article 33 indicates that processing operations are by virtue of their nature, their scope or their purposes, likely to present a high degree of specific risks; or (b) the supervisory authority deems it necessary to carry out a prior consultation on processing operations that are likely to present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope and/or their purposes, and specified according to paragraph 4.deleted

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 34 – paragraph 3

3. Where the supervisory authority is of the opinion that the intended processing does not comply with this Regulation, in particular where risks are insufficiently identified or mitigated, it shall prohibit the intended processing and make appropriate proposals to remedy such incompliance.deleted

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 34 – paragraph 4

4. The supervisory authority shall establish and make public a list of the processing operations which ~~are subject to prior consultation pursuant to point (b) of paragraph 2. T~~may be referred for a high degree of specific risks, in such cases, processing shall be prohibited and data processors shall make appropriate proposals to remedy such compliance where the supervisory authority ~~shall communic~~is of the opinion thate th~~ose lists to the European Data Protection Board~~e intended processing does not comply with this Regulation.

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 34 – paragraph 6

6. The controller or processor shall provide the supervisory authority with the data protection impact assessment provided for in Article 33 and, on request, with any other information to allow the supervisory authority to make an assessment of the compliance of the processing and in particular of the risks for the protection of personal data of the data subject and of the related safeguards.deleted

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 34 – paragraph 7

7. Member States ~~shall~~may consult the supervisory authority in the preparation of a legislative measure to be adopted by the national parliament or of a measure based on such a legislative measure, which defines the nature of the processing, in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risks involved for the data subjects.

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 35 – paragraph 1 – introductory part

1. The controller and the processor shall designate a data protection officer responsible for data protection oversight and compliance in any case where:

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 35 – paragraph 1 – point a

~~(a) the processing is carried out by a public authority or body; or~~deleted

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 35 – paragraph 1 – point b

(b) the processing is carried out by an enterprise employing 2500 persons or more; or

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 35 – paragraph 7

7. The controller or the processor shall designate a data protection officer for a period of at least two years. The data protection officer may be reappointed for further terms. During their term of office, the data protection officer may only be dismissed, if the data protection officer no longer fulfils the conditions required for the performance of their duties.deleted

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 35 – paragraph 8

~~8. The data protection officer may be employed by the controller or processor, or fulfil his or her tasks on the basis of a service contract.~~deleted

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 35 – paragraph 10

10. Data subjects shall have the right to contact the data protection officer on all issues related to the processing of the data subject's data and to request exercising the rights under this Regulation, and for them to take the first steps in rectifying the situation.

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 35 – paragraph 11

~~11. The Commission shall be empowered to adopt~~ delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the core activities of the controller or the processor referred to in point (c) of paragraph 1 and the criteria for the professional qualities of the data protection officer referred to in paragraph 5.

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 36 – paragraph 2

2. The controller or processor shall ensure that the data protection officer performs the duties and tasks independently ~~and does not receive any instructions as regards the exercise of the function~~. The data protection officer shall directly report to the management of the controller or the processor.

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 37 – paragraph 1

1. The controller or the processor shall en~~trust~~sure the data protection officer ~~at least with the following tasks: (a) to inform and advise the controller or the processor of thei~~has a clear jobligations pursuant to this Regulation and to document this activity and the responses received; (b) to monitor the implementation and application of the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, the training of staff involved in the processing operations, and the related audits; (c) to monitor the implementation and application of this Regulation, in particular as to the requirements related to data protection by design, data protection by default and data security and to the information of data subjects and their requests in exercising their rights under this Regulation; (d) to ensure that the documentation referred to in Article 28 is maintained; (e) to monitor the documentation, notification and communication of personal data breaches pursuant to Articles 31 and 32; (f) to monitor the performance of the data protection impact assessment by the controller or processor description and code of conduct which explicitly lays out their data protection duties which they are entrusted to carry out, particularly the implementation and ~~the~~ application for prior authorisation or prior consultation, if required pursuant Articles 33 and 34; (g) to monitor the response to requests from the supervisory authority, and, within the sphere of the data protection officer's competence, co-operating with the supervisory authority at the latter's request or on the data protection officer's own initiative; (h) to act as the contact point for the supervisory authority on issues related to the processing and consult with the supervisory authority, if appropriate, on his/her own initiativeof this Regulation and their role as liaison with the supervisory authority.

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 38 – paragraph 1 – introductory part

1. The Member States, the supervisory authorities and the Commission shall encourage the drawing up of codes of conduct or the adoption of a code of conduct drawn up by a Supervisory Authority intended to contribute to the proper application of this Regulation, taking account of the specific features of the various data processing sectors, in particular in relation to:

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 38 – paragraph 3

3. Associations and other bodies representing categories of controllers in several Member States may submit draft codes of conduct and amendments or extensions to existing codes of conduct to the ~~Commission~~European Data Protection Board.

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 38 – paragraph 4

4. The ~~Commission~~European Data Protection Board may adopt implementing acts for deciding that the codes of conduct and amendments or extensions to existing codes of conduct submitted to it pursuant to paragraph 3 have general validity within the Union. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2).

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 38 – paragraph 5

5. The ~~Commission~~European Data Protection Board shall ensure appropriate publicity for the codes which have been decided as having general validity in accordance with paragraph 4.

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 39 – paragraph 2

2. The ~~Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further~~Supervisory Authorities and the European Data Protection Board shall lay down and specify~~ing the~~ criteria and requirements for the data protection certification mechanisms ~~referred to in paragraph 1~~, including conditions for granting and withdrawal, and requirements for recognition within the Union and in third countries.

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 39 – paragraph 3

3. The ~~Commission~~Supervisory Authorities and the European Data Protection Board may lay down technical standards for certification mechanisms and data protection seals and marks and mechanisms to promote and recognize certification mechanisms and data protection seals and marks. ~~Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2).~~

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 41 – paragraph 1

1. A transfer may take place where the European Data Protection Board in consultation with the Commission has decided that the third country, or a territory or a processing sector within that third country, or the international organisation in question ensures an adequate level of protection. Such transfer shall not require any further authorisation.

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 41 – paragraph 5

5. The Commission may decide that a third country, or a territory or a processing sector within that third country, or an international organisation does not ensure an adequate level of protection within the meaning of paragraph 2 of this Article, in particular in cases where the relevant legislation, both general and sectoral, in force in the third country or international organisation, does not guarantee effective and enforceable rights including effective administrative and judicial redress for data subjects, in particular for those data subjects residing in the Union whose personal data are being transferred. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2), or, in cases of extreme urgency for individuals with respect to their right to personal data protection, in accordance with the procedure referred to in Article 87(3).deleted

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 42 – paragraph 1

1. Where the Commission has taken no decision pursuant to Article 41, a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has adduced appropriate safeguards ~~with respect to the protection of personal data in a legally binding instrument~~.

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 42 – paragraph 5

5. Where the appropriate safeguards with respect to the protection of personal data are not provided for in a legally binding instrument, the controller or processor shall obtain prior authorisation for the transfer, or a set of transfers, or for provisions to be inserted into administrative arrangements providing the basis for such transfer. Such authorisation by the supervisory authority shall be in accordance with point (a) of Article 34(1). If the transfer is related to processing activities which concern data subjects in another Member State or other Member States, or substantially affect the free movement of personal data within the Union, the supervisory authority shall apply the consistency mechanism referred to in Article 57. Authorisations by a supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid, until amended, replaced or repealed by that supervisory authority.deleted

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 43 – paragraph 2 – point f

(f) the acceptance by the controller or processor ~~established on the territory of a Member State~~ of liability for any breaches of the binding corporate rules by any member of the group of undertakings not established in the Union; the controller or the processor may only be exempted from this liability, in whole or in part, if he proves that that member is not responsible for the event giving rise to the damage;

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 47 – paragraph 2

2. The members of the supervisory authority shall, in the performance of their duties, neither seek nor take instructions from anybody, and maintain complete independence and impartiality.

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 50

The members and the staff of the supervisory authority shall be subject, both during and after their term of office, to a duty of professional secrecy with regard to any confidential information which has come to their knowledge in the course of the performance of their official duties, whilst conducting their duties with independence and transparency as set out in the Regulation.

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 51 – paragraph 2

2. Where the processing of personal data takes place in the context of the activities of an establishment of a controller or a processor in the Union, and the controller or processor is established in more than one Member State, the supervisory authority ~~of the main establishment of the controller or processor shall be competent for the~~shall decide in consultation with the European Data Protection Board which authority will supervis~~ion of~~e the processing activities of the data controller ~~or the~~s and processors in all Member States, without prejudice to the provisions of Chapter VII of this Regulation.

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 52 – paragraph 1 – point a

~~(a) monitor and ensure the application of this Regulation;~~deleted

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 52 – paragraph 1 – point f

(f) be consulted by Member State institutions and bodies on legislative and administrative measures re~~lating to~~garding the protection of individuals‘ rights and freedoms with regard to the processing of personal data;

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 52 – paragraph 6

6. Where requests are manifestly excessive, in particular due to their repetitive character, the supervisory authority may charge a fee or not take the action requested by the data subject. The supervisory authority shall ~~bear the burden of~~, if requested, prov~~ing~~e the manifestly excessive character of the request.

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 58 – paragraph 1

1. Before a supervisory authority adopts a measure referred to in paragraph 2, this supervisory authority shall communicate the draft measure to the European Data Protection Board ~~and the Commission~~.

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 60 – paragraph 1

1. Within one month after the communication referred to in Article 59(4), and where the Commission has serious doubts as to whether the draft measure would ensure the correct application of this Regulation or would otherwise result in its inconsistent application, the Commission may adopt a reasoned decision requiring the supervisory authority to suspend the adoption of the draft measure, taking into account the opinion issued by the European Data Protection Board pursuant to Article 58(7) or Article 61(2), where it appears necessary in order to: (a) reconcile the diverging positions of the supervisory authority and the European Data Protection Board, if this still appears to be possible; or (b) adopt a measure pursuant to point (a) of Article 62(1). 2. The Commission shall specify the duration of the suspension which shall not exceed 12 months. 3. During the period referred to in paragraph 2, the supervisory authority may not adopt the draft measure.deleted

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 63 – paragraph 1

~~1. For the purposes of this Regulation, an enforceable measure of the supervisory authority of one Member State shall be enforced in all Member States concerned.~~deleted

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 63 – paragraph 2

2. Where a supervisory authority does not submit a draft measure to the consistency mechanism in breach of Article 58(1) to (5), the measure of the supervisory authority shall not be legally valid and enforceable.deleted

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 65 – paragraph 2

2. Without prejudice to requests by the Commission referred to in point (b) of paragraph 1 and in paragraph 2 of Article 66, the European Data Protection Board shall, in the performance of its tasks, neither seek nor take instructions from anybody.deleted

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 72 – paragraph 1

1. The discussions of the European Data Protection Board shall be confidential where necessary, whilst upholding the highest possible standards of transparency and openness as to its general work.

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 72 – paragraph 2

2. Documents submitted to members of the European Data Protection Board, experts and representatives of third parties shall be confidential, unless access is granted to those documents in accordance with Regulation (EC) No 1049/2001 or the European Data Protection Board otherwise makes them public.deleted

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 73 – paragraph 1

1. Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority in ~~any~~their own Member State or the Supervisory Authority in the Member State ifwhere they con~~sider that~~troller is established and where the processing of personal data relating to them does not comply with this Regulation.

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 73 – paragraph 2

2. Any body, organisation or association which aims to protect data subjects‘ rights and interests concerning the protection of their personal data and has been properly constituted according to the law of a Member State shall have the right to lodge a complaint with a supervisory authority in any Member State on behalf of one or more data subjects ~~if it considers that~~with the consent of the data subject if a data subject's rights under this Regulation have been infringed as a result of the processing of personal data.

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 74 – paragraph 1

~~1. Each natural or legal person shall have the right to a judicial remedy against decisions of a supervisory authority concerning them.~~deleted

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 74 – paragraph 2

2. Each data subject shall have the right to a judicial remedy obliging the supervisory authority to act on a complaint in the absence of a decision necessary to protect their rights, or where the supervisory authority does not inform the data subject within three months on the progress or outcome of the complaint pursuant to point (b) of Article 52(1).deleted

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 74 – paragraph 3

~~3. Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is establish~~deleted.

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 74 – paragraph 4

4. A data subject which is concerned by a decision of a supervisory authority in another Member State than where the data subject has its habitual residence, may request the supervisory authority of the Member State where it has its habitual residence to bring proceedings on its behalf against the competent supervisory authority in the other Member State.deleted

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 74 – paragraph 5

~~5. The Member States shall enforce final decisions by the courts referred to in this Article.~~deleted

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 78 – paragraph 2

~~2. Where the controller has established a representative, any penalties shall be applied to the representative, without prejudice to any penalties which could be initiated against the controller.~~deleted

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 79 – paragraph 2

2. The administrative sanction shall be in each individual case effective, proportionate and dissuasive. The amount of the administrative fine shall ~~be fixed with due regard to~~reflect the nature, gravity and duration of the breach, the intentional or negligent character of the infringement, the degree of responsibility of the natural or legal person and of previous breaches by this person, the technical and organisational measures and procedures implemented pursuant to Article 23 and the degree of co-operation with the supervisory authority in order to remedy the breach.

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 79 – paragraph 3

3. In case of a first and non-intentional non-compliance with this Regulation, a warning in writing may be given and no sanction imposed, where: (a) a natural person is processing personal data without a commercial interest; or (b) an enterprise or an organisation employing fewer than 250 persons is processing personal data only as an activity ancillary to its main activities.deleted

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 79 – paragraph 4 – introductory part

4. The supervisory authority shall impose ~~a fine up to~~fines graded in relation to the seriousness and scale of the incident, as well as the harm or potential harm caused, the length of the breach, previous infringements and the response to the incident or incidents concerned, up to a maximum of 250 000 EUR, or in case of an enterprise up to 0,5 % of its annual worldwide turnover~~, to anyone who, intentionally or negligently~~. Such infringements and fines may apply to anyone who:

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 79 – paragraph 5 – introductory part

5. The supervisory authority shall impose a fine u~~p to~~nder the same criteria as listed in article 79 paragraph 4, for the more serious breaches, up to a maximum of 500 000 EUR, or in case of an enterprise up to 1 % of its annual worldwide turnover, to anyone who~~, intentionally or negligently~~:

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 79 – paragraph 6 – introductory part

6. The supervisory authority shall impose a fine u~~p to~~nder the same criteria as listed in Article 79(4) for the most serious breaches, up to a maximum of 1 000 000 EUR or, in case of an enterprise up to 2 % of its annual worldwide turnover, to anyone who~~, intentionally or negligently~~:

2013/03/06
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 83 – paragraph 1 – point b

(b) data enabling the attribution of information to an identified or identifiable data subject where technically and practically possible is kept separately from the other information as long as these purposes can be fulfilled in this manner.

2013/03/08
Committee: LIBE

Timothy KIRKHOPE

Proposal for a regulation
Article 83 – paragraph 2

2. Bodies conducting historical, statistical or scientific research may publish or otherwise publicly disclose personal data only if: (a) the data subject has given consent, subject to the conditions laid down in Article 7; (b) the publication of personal data is necessary to present research findings or to facilitate research insofar as the interests or the fundamental rights or freedoms of the data subject do not override these interests; or (c) the data subject has made the data public.deleted

2013/03/08
Committee: LIBE

Activities of Timothy KIRKHOPE related to 2012/0011(COD)

Plenary speeches (2)

Shadow reports (2)

Amendments (116)

ParlTrack - 2011-2024