185 Amendments of Seán KELLY related to 2012/0011(COD)
Amendment 190 #
Proposal for a regulation
Recital 23
(23) The principles of protection should apply only to specific information concerning an identified or identifiable person. To determine whether a person is identifiable, account should be taken of all: (i) only of those means likely reasonably to be used either by the controller or by any other natural or legal person to identify the individual, and (ii) of the reasonable likeliness of a person being identified. The principles of data protection should not apply to data rendered anonymous in such a way that the data subject is no longer identifiable from the data.
Amendment 191 #
Proposal for a regulation
Recital 23 a (new)
(23a) This regulation recognises that pseudonymisation is in the benefit of all data subjects as, by definition, personal data is altered so that it of itself cannot be attributed to a data subject without the use of additional data. By this, controllers shall be encouraged to the practice of pseudonymising data.
Amendment 193 #
Proposal for a regulation
Recital 24
(24) When using online services, individuals may be associated with online identifiers provided by their devices, applications, tools and protocols, such as Internet Protocol addresses or cookie identifiers. This may leave traces which, combined with unique identifiers and other information received by the servers, may be used to create profiles of the individuals and identify them. It follows that identification numbers, location data, online identifiers or other specific factors as such need not necessarily be considered as personal data in all circumstances.
Amendment 198 #
Proposal for a regulation
Recital 25
(25) Consent should be given unambiguously by any appropriate method within the context of the product or service being offered enabling a freely given specific and informed indication of the data subject's wishes, either by a statement or by a clear affirmative action by the data subject, ensuring that individuals are aware that they give their consent to the processing of personal data, including by ticking a box when visiting an Internet website or by any other statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of their personal data. Silence or inactivity should therefore not constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. If the data subject's consent is to be given following an electronic request, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
Amendment 199 #
Proposal for a regulation
Recital 25 a (new)
(25a) This regulation recognises that the pseudonymisation of data can help minimise the risks to privacy of data subjects. To the extent that a controller pseudonymises data such processing shall be considered justified as a legitimate interest of the controller according to point (f) of paragraph 1 of Article 6.
Amendment 200 #
Proposal for a regulation
Recital 26
(26) Personal data relating to health should include in particular all personal data pertaining to the health status of a data subject; information about the registration of the individual for the provision of health services; information about payments or eligibility for healthcare with respect to the individual; a number, symbol or particular assigned to an individual to uniquely identify the individual for health purposes; any information about the individual collected in the course of the provision of health services to the individual; personal data derived from the testing or examination of a body part, bodily substance or biological samples; identification of a person as provider of healthcare to the individual; or any information on e.g. a disease, disability, disease risk, medical history, clinical treatment, or the actual physiological or biomedical state of the data subject independent of its source, such as e.g. from a physician or other health professional, a hospital, a medical device, or an in vitro diagnostic test.
Amendment 204 #
Proposal for a regulation
Recital 28
(28) A group of undertakings should cover a controlling undertaking and its controlled undertakings, whereby the controlling undertaking should be the undertaking which can exercise a dominant influence over the other undertakings by virtue, for example, of ownership, financial participation or the rules which govern it or the power to have personal data protection rules implemented. A group of undertakings may nominate a single main establishment in the Union.
Amendment 206 #
Proposal for a regulation
Recital 29
(29) Children deserve specific protection of their personal data, as they may be less aware of risks, consequences, safeguards and their rights in relation to the processing of personal data. Such protection is particularly important in the context of social networks, where children should be aware of the identities of those with whom they are communicating. To determine when an individual is a child, this Regulation should take over the definition laid down by the UN Convention on the Rights of the Child.
Amendment 225 #
Proposal for a regulation
Recital 40
(40) The processing of personal data for other purposes should be only allowed where the processing is compatible with those purposes for which the data have been initially collected, such as where the processing is necessary for historical, statistical or scientific research purposes. Where the other purpose is not compatible with the initial one for which the data are collected, the controller should obtain the consent of the data subject for this other purpose or should base the processing on another legitimate ground for lawful processing, in particular where provided by Union law or the law of the Member State to which the controller is subject. In any case, the application of the principles set out by this Regulation and in particular the information of the data subject on those other purposes should be ensured.
Amendment 236 #
Proposal for a regulation
Recital 51
(51) Any person should have the right of access to personal data which has been collected concerning them, and to exercise this right easily, in order to be aware and verify the lawfulness of the processing. Every data subject should therefore have the right to know and obtain communication in particular for what purposes the personal data are processed, for what period, which recipients receive the personal data, what is the logic of the personal data that are undergoing the processing and what might be, at least when based on profiling, the consequences of such processing. This right should not adversely affect the rights and freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software. However, the result of these considerations should not be that all information is refused to the data subject.
Amendment 238 #
Proposal for a regulation
Recital 52
(52) The controller should use all reasonable measures within the context of the product or service being provided, or otherwise within the context of the relationship between the controller and the data subject, and the sensitivity of the personal data being processed to verify the identity of a data subject that requests access, in particular in the context of online services and online identifiers. A controller should not retain nor be forced to gather personal data for the unique purpose of being able to react to potential requests.
Amendment 250 #
Proposal for a regulation
Recital 61
(61) To meet consumer and business expectations around the protection of the rights and freedoms of data subjects with regard to the processing of personal data require that appropriate technical and, appropriate organisational measures armay be taken, both at the time of the design of the processing and at the time of the processing itself, to ensure that the requirements of this Regulation are met. In order to ensure and demonstrate compliance with this Regulation, the controller should adopt internal policies and implement appropriate measures, which meet in particular the principles of data protection by design and data protection by defaultMeasures having as an objective to increase consumer information and ease of choice shall be encouraged, based on industry cooperation and favouring innovative solutions, products and services.
Amendment 252 #
Proposal for a regulation
Recital 62
(62) The protection of the rights and freedoms of data subjects as well as the responsibility and liability of controllers and processor, also in relation to the monitoring by and measures of supervisory authorities, requires a clear attribution of the responsibilities under this Regulation, including where a controller determines the purposes, conditions and means of the processing jointly with other controllers or where a processing operation is carried out on behalf of a controller.
Amendment 253 #
Proposal for a regulation
Recital 62
(62) The protection of the rights and freedoms of data subjects as well as the responsibility and liability of controllers and processor, also in relation to the monitoring by and measures of supervisory authorities, requires a clear attribution of the responsibilities under this Regulation, including where a controller determines the purposes, conditions and means of the processing jointly with other controllers or where a processing operation is carried out on behalf of a controller.
Amendment 256 #
Proposal for a regulation
Recital 65
(65) In order to demonstrate compliance with this Regulation, the controller or processor should document each processing operation under its responsibility. Each controller and processor should be obliged to co-operate with the supervisory authority and make this documentation, on request, available to it, so that it might serve for monitoring those processing operations.
Amendment 263 #
Proposal for a regulation
Recital 70
(70) Directive 95/46/EC provided for a general obligation to notify processing of personal data to the supervisory authorities. While this obligation produces administrative and financial burdens, it did not in all cases contribute to improving the protection of personal data. Therefore such indiscriminate general notification obligation should be abolished, and replaced by effective procedures and mechanism which focus instead on those processing operations which are likely to present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes. In such cases, a data protection impact assessment should be carried out by the controller or processor prior to the processing, which should include in particular the envisaged measures, safeguards and mechanisms for ensuring the protection of personal data and for demonstrating the compliance with this Regulation.
Amendment 265 #
Proposal for a regulation
Recital 74
(74) Where a data protection impact assessment indicates that processing operations involve a high degree of specific risks to the rights and freedoms of data subjects, such as excluding individuals from their right, or by the use of specific new technologies, the supervisory authority should be consulted, prior to the start of operations, on a risky processing which might not be in compliance with this Regulation, and to make proposals to remedy such situation. Such consultation should equally take place in the course of the preparation either of a measure by the national parliament or of a measure based on such legislative measure which defines the nature of the processing and lays down appropriate safeguards.
Amendment 274 #
Proposal for a regulation
Recital 84
(84) The possibility for the controller or processor to use standard data protection clauses adopted by the Commission or by a supervisory authority should neither prevent the possibility for controllers or processors to include the standard data protection clauses in a wider contract nor to add other clauses as long as they do not contradict, directly or indirectly, the standard contractual clauses adopted by the Commission or by a supervisory authority or prejudice the fundamental rights or freedoms of the data subjects. In some scenarios, it may be appropriate to encourage controllers and processors to provide even more robust safeguards via additional contractual commitments that supplement standard data protection clauses.
Amendment 285 #
Proposal for a regulation
Recital 97
(97) Where the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union takes place in more than one Member State, one single supervisory authority should be competent for monitoring the activities of the controller or processor throughout the Union and taking the related decisions, in order to increase the consistent application, provide legal certainty and reduce administrative burden for such controllers and processors.
Amendment 288 #
Proposal for a regulation
Recital 105
(105) In order to ensure the consistent application of this Regulation throughout the Union, a consistency mechanism for co-operation between the supervisory authorities themselves and the Commission should be established. This mechanism should in particular apply where the competent supervisory authority intends to take a measure as regards processing operations that are related to the offering of goods or services to data subjects in several Member States, or to the monitoring such data subjects, or that might substantially affect the free flow of personal data. It should also apply where any supervisory authority or the Commission requests that the matter should be dealt with in the consistency mechanism. This mechanism should be without prejudice to any measures that the Commission may take in the exercise of its powers under the Treaties.
Amendment 303 #
Proposal for a regulation
Recital 139
(139) In view of the fact that, as underlined by the Court of Justice of the European Union, the right to the protection of personal data is not an absolute right, but must be considered in relation to its function in society and the actual and potential advances in science, health and technology and be balanced with other fundamental rights, in accordance with the principle of proportionality, this Regulation respects all fundamental rights and observes the principles recognised in the Charter of Fundamental Rights of the European Union as enshrined in the Treaties, notably the right to respect for private and family life, home and communications, the right to the protection of personal data, the freedom of thought, conscience and religion, the freedom of expression and information, the freedom to conduct a business, the right to property and in particular the protection of intellectual property the right to an effective remedy and to a fair trial as well as cultural, religious and linguistic diversity.
Amendment 318 #
Proposal for a regulation
Article 2 – paragraph 2 – point e a (new)
(ea) which have been rendered anonymous within the meaning of Article 4(2(b)(new);
Amendment 329 #
Proposal for a regulation
Article 4 – paragraph 1 – point 2 a (new)
(2a) 'identification number' means any numeric, alphanumeric or similar code typically used in the online space, excluding codes assigned by a public or state controlled authority to identify a natural person as an individual.
Amendment 335 #
Proposal for a regulation
Article 4 – paragraph 1 – point 5
(5) ‘controller’ means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes, conditions and means of the processing of personal data; where the purposes, conditions and means of processing are determined by Union law or Member State law, the controller or the specific criteria for his nomination may be designated by Union law or by Member State law;
Amendment 345 #
Proposal for a regulation
Article 4 – paragraph 1 – point 10
(10) ‘genetic data’ means information on the hereditary characteristics, or alteration thereof, of an identified or identifiable person, obtained through nucleic acid analysis;
Amendment 346 #
Proposal for a regulation
Article 4 – paragraph 1 – point 12
(12) ‘data concerning health’ means any personal data which relates to the physical or mental health of an individual, or to the provision of health services to the individual;
Amendment 350 #
Proposal for a regulation
Article 4 – paragraph 1 – point 13 a (new)
(13a) 'competent supervisory authority' means the supervisory authority which shall be solely competent for the supervision of a controller in accordance with Articles 51(2), 51(3) and 51(4).
Amendment 372 #
Proposal for a regulation
Article 6 – paragraph 1 – point f
(f) processing is necessary for the purposes of the legitimate interests pursued by a controller, or on behalf of, a controller or a processor, including for the security of processing, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks.
Amendment 374 #
Proposal for a regulation
Article 6 – paragraph 1 – point f a (new)
(fa) processing is limited to pseudonymised data and the recipient of the service is given a right to object pursuant to Art. 19 (3) (new).
Amendment 396 #
Proposal for a regulation
Recital 23 a (new)
(23a) This regulation recognises that pseudonymisation is in the benefit of all data subjects as, by definition, personal data is altered so that it of itself cannot be attributed to a data subject without the use of additional data. By this, controllers should be encouraged to the practice of pseudonymising data.
Amendment 405 #
Proposal for a regulation
Article 8 – paragraph 1 a (new)
1a. Where an information society service makes social networking facilities available to children it shall take explicit measures to protect their welfare, including by ensuring, in so far as possible, that they are aware of the identities of those with whom they are communicating.
Amendment 414 #
Proposal for a regulation
Recital 25
(25) Consent should be given unambiguously by any appropriate method within the context of the product or the service being offered enabling a freely given specific and informed indication of the data subject’s wishes, either by a statement or by a clear affirmative action by the data subject, ensuring that individuals are aware that they give their consent to the processing of personal data, including by ticking a box when visiting an Internet website or by any other statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of their personal data. Silence or inactivity should therefore not constitute consent. This nevertheless leaves the provisions of 2002/58/EC untouched which state that under certain circumstances consent can be expressed via appropriate settings in the user’s device. Consent should cover all processing activities carried out for the same purpose or purposes. If the data subject’s consent is to be given following an electronic request, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
Amendment 420 #
Proposal for a regulation
Recital 26
(26) Personal data relating to health should include in particular all personal data pertaining to the health status of a data subject including genetic information; information about the registration of the individual for the provision of health services; information about payments or eligibility for healthcare with respect to the individual; a number, symbol or particular assigned to an individual to uniquely identify the individual for health purposes; any information about the individual collected in the course of the provision of health services to the individual; personal data derived from the testing or examination of a body part, bodily substance or biological samples; identification of a person as provider of healthcare to the individual; or any information on e.g. a disease, disability, disease risk, medical history, clinical treatment, or the actual physiological or biomedical state of the data subject independent of its source, such as e.g. from a physician or other health professional, a hospital, a medical device, or an in vitro diagnostic test.
Amendment 423 #
Proposal for a regulation
Recital 27
(27) Where a controller or a processor has multiple establishments in the Union, including but not limited to cases where the controller or the processor is a group of undertakings, the main establishment of a controller in the Union for the purposes of this Regulation should be determined according to objective criteria and should imply the effective and real exercise of management activities determining the main decisions as to the purposes, conditions and means of processing through stable arrangements. This criterion should not depend whether the processing of personal data is actually carried out at that location; the presence and use of technical means and technologies for processing personal data or processing activities do not, in themselves, constitute such main establishment and are therefore not determining criteria for a main establishment. A group of undertakings may nominate a single main establishment in the Union.
Amendment 426 #
Proposal for a regulation
Recital 29
(29) Children deserve specific protection of their personal data, as they may be less aware of risks, consequences, safeguards and their rights in relation to the processing of personal data. Such protection is particularly important in the context of social networks, where children should be aware of the identities of those with whom they are communicating. To determine when an individual is a child, this Regulation should take over the definition laid down by the UN Convention on the Rights of the Child.
Amendment 431 #
Proposal for a regulation
Article 10 – paragraph 1
If the data processed by a controller do not permit the controller to identify a natural person, in particular when rendered anonymous or pseudonymous, the controller shall not be obliged to acquire additional information in order to identify or to individualise the data subject for the sole purpose of complying with any provision of this Regulation.
Amendment 439 #
Proposal for a regulation
Article 12 – paragraph 2
2. The controller shall inform the data subject without delay and, at the latest within one month of receipt of the request, whether or not any action has been taken pursuant to Article 13 and Articles 15 to 19 and shall provide the requested information. This period may be prolonged for a further month, if several data subjects exercise their rights and their cooperation is necessary to a reasonable extent to prevent an unnecessary and disproportionate effort on the part of the controller. The information shall be given in writing. Where the data subject makes the request in electronic form, the information shall be provided in electronic form, unless otherwise requested by the data subject or unless the controller has reason to believe that providing the information in electronic form would create a significant risk of fraud.
Amendment 455 #
Proposal for a regulation
Recital 38
(38) The legitimate interests of a controller or the third party to which the data have been transferred may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding. This would need careful assessment in particular where the data subject is a child, given that children deserve specific protection. The data subject should have the right to object the processing, on grounds relating to their particular situation and free of charge. To ensure transparency, the controller should be obliged to explicitly inform the data subject on the legitimate interests pursued and on the right to object, and also be obliged to document these legitimate interests. Given that it is for the legislator to provide by law the legal basis for public authorities to process data, this legal ground should not apply for the processing by public authorities in the performance of their tasks.
Amendment 463 #
Proposal for a regulation
Article 14 – paragraph 5 – point d a (new)
(da) the data originates from publicly available sources
Amendment 467 #
Proposal for a regulation
Recital 40
(40) The processing of personal data for other purposes should be only allowed where the processing is compatible with those purposes for which the data have been initially collected, in particular where the processing is necessary for historical, statistical or scientific research purposes. Where the other purpose is not compatible with the initial one for which the data are collected, the controller should obtain the consent of the data subject for this other purpose or should base the processing on another legitimate ground for lawful processing, in particular where provided by Union law or the law of the Member State to which the controller is subject. In any case, the application of the principles set out by this Regulation and in particular the information of the data subject on those other purposes should be ensured.
Amendment 497 #
Proposal for a regulation
Recital 53
(53) Any person should have the right to have personal data concerning them rectified and the right to have such personal data erased where the retention of such data is not in compliance with this Regulation. In particular, data subjects should have the right that their personal data are erased and no longer processed, where the data are no longer necessary in relation to the purposes for which the data are collected or otherwise processed, where data subjects have withdrawn their consent for processing or where they object to the processing of personal data concerning them or where the processing of their personal data otherwise does not comply with this Regulation. This right is particularly relevant, when the data subject has given their consent as a child, when not being fully aware of the risks involved by the processing, and later wants to remove such personal data especially on the Internet. However, the further retention of the data should be allowed where it is necessary for historical, statistical and scientific research purposes, for health purposes in accordance with Article 81, for exercising the right of freedom of expression, when required by law or where there is a reason to restrict the processing of the data instead of erasing them. Also, the right to erasure should not apply when the retention of personal data is necessary for the performance of a contract with the data subject, or when there is a regulatory requirement to retain this data, or for the prevention of financial crime.
Amendment 510 #
Proposal for a regulation
Article 18 – paragraph 2 a (new)
2a. Paragraphs 1 and 2 do not apply to the processing of anonymised and pseudonymised data, insofar as the data subject is not sufficiently identifiable on the basis of such data, or identification would require the controller to undo the process of pseudonymisation.
Amendment 511 #
Proposal for a regulation
Article 18 – paragraph 2 b (new)
2b. Paragraphs 1 and 2 do not apply where a controller can reasonably demonstrate that it is not possible to separate the data subject's data from data of other data subjects.
Amendment 513 #
Proposal for a regulation
Recital 58
(58) Every natural and legal person should have the right not to be subject to a measure which is based on profiling by means of automated processing. However, such measure and which produces legal effects concerning that natural or legal person or significantly affects that natural or legal person. Actual effects should be comparable in their intensity to legal effects to fall under this provision. This is not the case for measures relating to commercial communication, like for example in the field of customer relationship management or customer acquisition. However, a measure based on profiling by automated data processing and which produces legal effects concerning a natural or legal person or significantly affects a natural person should be allowed when expressly authorised by law, carried out in the course of entering or performance of a contract, or when the data subject has given his consent. In any case, such processing should be subject to suitable safeguards, including specific information of the data subject and the right to obtain human intervention and that such measure should not concern a child.
Amendment 520 #
Proposal for a regulation
Article 19 – paragraph 3 a (new)
3a. Where pseudonymised data is processed pursuant to point (g) of Art. 6 (1) the data subject shall have the right to object free of charge. This right shall be offered to the data subject in an intelligible manner and shall be clearly distinguishable from other information.
Amendment 523 #
Proposal for a regulation
Article 20 – paragraph 1
1. A data subject shall have the right not to be subject to a decision which is unfair and discriminatory which is based solely on automated processing intended to evaluate certain personal aspects relating to this natural person or to analyse or predict in particular the natural person's performance at work, economic situation, location, health, personal preferences, reliability or behaviour.
Amendment 524 #
Proposal for a regulation
Recital 62
(62) The protection of the rights and freedoms of data subjects as well as the responsibility and liability of controllers and processor, also in relation to the monitoring by and measures of supervisory authorities, requires a clear attribution of the responsibilities under this Regulation, including where a controller determines the purposes, conditions and means of the processing jointly with other controllers or where a processing operation is carried out on behalf of a controller.
Amendment 532 #
Proposal for a regulation
Recital 65
(65) In order to demonstrate compliance with this Regulation, the controller or processor should document each processing operation under its responsibility. Each controller and processor should be obliged to co-operate with the supervisory authority and make this documentation, on request, available to it, so that it might serve for monitoring those processing operations.
Amendment 547 #
Proposal for a regulation
Article 20 – paragraph 2 – point c a (new)
Article 20 – paragraph 2 – point c a (new)
(ca) is limited to pseudonymised data. Such pseudonymised data must not be collated with data on the bearer of the pseudonym. Art. 19 (3) [new] shall apply correspondingly.
Amendment 571 #
Proposal for a regulation
Article 22 – paragraph 1
Article 22 – paragraph 1
1. Having regard to the state of the art, the nature of personal data processing and the type of the organization, both at the time of the determination of the means for processing and at the time of the processing itself, appropriate and demonstrable technical and organizational measures should be implemented in such a way that the processing will meet the requirements of this Regulation and ensures the protection of the rights of the data subject by design.
Amendment 596 #
Proposal for a regulation
Article 23 – paragraph 1
Article 23 – paragraph 1
1. Having regard to the state of the art, the cost of implementation and international best practices, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
Amendment 609 #
Proposal for a regulation
Article 24 – paragraph 1
Article 24 – paragraph 1
Where a controller determines the purposes, conditions and means of the processing of personal data jointly with others, the joint controllers shall determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the procedures and mechanisms for exercising the rights of the data subject, by means of an arrangement between them. The arrangement shall duly reflect the joint controllers' respective effective roles and relationships vis-à-vis data subjects.
Amendment 610 #
Proposal for a regulation
Article 24 – paragraph 1
Article 24 – paragraph 1
Where a controller determines the purposes, conditions and means of the processing of personal data jointly with others, the joint controllers shall determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the procedures and mechanisms for exercising the rights of the data subject, by means of an arrangement between them.
Amendment 610 #
Proposal for a regulation
Recital 112
Recital 112
Amendment 615 #
Proposal for a regulation
Recital 114
Recital 114
Amendment 616 #
Proposal for a regulation
Article 26 – paragraph 1
Article 26 – paragraph 1
1. Where a processing operation is to be carried out on behalf of a controller and which involves the processing of data that would permit the processor to reasonably identify the data subject, the controller shall choose a processor providing sufficient guarantees to implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject, in particular in respect of the technical security measures and organizational measures governing the processing to be carried out and shall ensure compliance with those measures.
Amendment 617 #
Proposal for a regulation
Article 26 – paragraph 2 – introductory part
Article 26 – paragraph 2 – introductory part
2. The carrying out of processing by a processor shall be governed by a contract or other legal act binding the processor to the controller. The controller and processor shall be free to determine respective roles and responsibilities with respect to the requirements of this Regulation, and shall provide for the following:
Amendment 620 #
Proposal for a regulation
Article 26 – paragraph 2 – point a
Article 26 – paragraph 2 – point a
(a) the processor shall act only on instructions from the controller, in particular, where the transfer of the personal data used is prohibited;
Amendment 626 #
Proposal for a regulation
Article 26 – paragraph 2 – point d
Article 26 – paragraph 2 – point d
Amendment 628 #
Proposal for a regulation
Article 26 – paragraph 2 – point e
Article 26 – paragraph 2 – point e
(e) insofar as this is possible given the nature of the processing, create in agreement with the controller the necessary and the processor's ability to assist with reasonable effort, an agreement as to the appropriate and relevant technical and organiszational requirements fwhich support the fulfilmentability of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III;
Amendment 630 #
Proposal for a regulation
Article 26 – paragraph 2 – point f
Article 26 – paragraph 2 – point f
(f) insofar as this is possible given the nature of the processing, the information available to the processor and his ability to assist with reasonable effort, an agreement on how compliance will be ensured with the obligations pursuant to Articles 28 to 34;
Amendment 630 #
Proposal for a regulation
Recital 121
Recital 121
(121) The processing of personal data solely for journalistic purposes, or for the purposes of artistic or literary expression should qualify for exemption from the requirements of certain provisions of this Regulation in order to reconcile the right to the protection of personal data with the right to freedom of expression, and notably the right to receive and impart information, as guaranteed in particular by Article 11 of the Charter of Fundamental Rights of the European Union. This should apply in particular to processing of personal data in the audiovisual field and in news archives and press libraries. Therefore, Member States should adopt legislative measures, which should lay down exemptions and derogations which are necessary for the purpose of balancing these fundamental rights. Such exemptions and derogations should be adopted by the Member States on general principles, on the rights of the data subject, on controller and processor, on the transfer of data to third countries or international organisations, on the independent supervisory authorities and on co-operation and consistency. This should not, however, lead Member States to lay down exemptions from the other provisions of this Regulation. In order to take account of the importance of the right to freedom of expression in every democratic society, it is necessary to interpret notions relating to that freedom, such as journalism, broadly. Therefore, Member States should classify activities as ‘journalistic’ for the purpose of the exemptions and derogations to be laid down under this Regulation if the object of these activities is the disclosure to the public of information, opinions or ideas, irrespective of the medium which is used to transmit them. They should not be limited to media undertakings and may be undertaken for profit-making or for non-profit making purposes.
Amendment 632 #
Proposal for a regulation
Article 26 – paragraph 2 – point g
Article 26 – paragraph 2 – point g
(g) hand over all results to the controller after the end of the processing and/or destroy it in a commercially accepted manner;
Amendment 637 #
Proposal for a regulation
Article 26 – paragraph 4
Article 26 – paragraph 4
Amendment 640 #
Proposal for a regulation
Article 26 – paragraph 5
Article 26 – paragraph 5
Amendment 670 #
Proposal for a regulation
Article 30 – paragraph 2 a (new)
Article 30 – paragraph 2 a (new)
2a. The legal obligations, as referred to in paragraphs 1 and 2, which would require processing of personal data to the extent strictly necessary for the purposes of ensuring network and information security, constitute a legitimate interest pursued by, or on behalf of a data controller or processor.
Amendment 681 #
Proposal for a regulation
Article 31 – paragraph 6
Article 31 – paragraph 6
6. The Commission may lay down the standard format of such notification to the supervisory authority, and the procedures applicable to the notification requirement and the form and the modalities for the documentation referred to in paragraph 4, including the time limits for erasure of the information contained therein. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2)filing of reports.
Amendment 687 #
Proposal for a regulation
Article 32 – paragraph 3
Article 32 – paragraph 3
3. The communication of a personal data breach to the data subject shall not be required if the controller demonstrates to the satisfaction of the supervisory authority that it has implemented appropriate technological protection measures, and that those measures were applied to the data concerned by the personal data breach. Such technological protection measures shall render the data unintelligible, unusable or anonymised to any person who is not authorised to access it.
Amendment 689 #
Proposal for a regulation
Article 32 a (new)
Article 32 a (new)
Article 32a
Communication of a personal data breach to other organisations
A controller that communicates a personal data breach to a data subject pursuant to Article 32 may notify another organisation, a government institution or a part of a government institution of the personal data breach if that organisation, government institution or part may be able to reduce the risk of the harm that could result from it or mitigate that harm. Such notifications can be done without informing the data subject if the disclosure is made solely for the purposes of reducing the risk of the harm to the data subject that could result from the breach or mitigating that harm.
Amendment 691 #
Proposal for a regulation
Article 33 – paragraph 1
Article 33 – paragraph 1
1. Where processing operations present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes, the controller or the processor acting on the controller's behalf shall carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. SMEs shall only be required to perform an impact assessment after their third year of incorporation where data processing is deemed as a core activity of their business.
Amendment 693 #
Proposal for a regulation
Article 33 – paragraph 1
Article 33 – paragraph 1
1. Where processing operations present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes, the controller or the processor acting on the controller's behalf shall carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment shall be sufficient to address a set of processing operations that present similar risks.
Amendment 696 #
Proposal for a regulation
Article 2 – paragraph 2 – point e c (new)
Article 2 – paragraph 2 – point e c (new)
(ec) which have been rendered anonymous;
Amendment 697 #
Proposal for a regulation
Article 33 – paragraph 2 – point a
Article 33 – paragraph 2 – point a
(a) a systematic and extensive evaluation of personal aspects relating to a natural person or for analysing or predicting in particular the natural person's economic situation, location, health, personal preferences, reliability or behaviour, which is based on automated processing and on which measures are based that produce legal effects concerning the individual or significantly affectto the detriment of the individual;
Amendment 715 #
Proposal for a regulation
Article 33 – paragraph 7 a (new)
Article 33 – paragraph 7 a (new)
(7a) Data protection impact assessments shall be deemed as privileged communications.
Amendment 717 #
Proposal for a regulation
Article 4 – paragraph 1 – point 1
Article 4 – paragraph 1 – point 1
(1) ‘data subject’ means an identified natural person or a natural person who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person working together with the controller, in particular by reference to an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person; and who is not acting in his/her professional capacity;
Amendment 725 #
Proposal for a regulation
Article 34 – paragraph 2 – point b
Article 34 – paragraph 2 – point b
(b) the supervisory authority deems it necessary to carry out a prior consultation on processing operations that are likely to present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope and/or their purposes, and specified according to paragraph 4.
Amendment 727 #
Proposal for a regulation
Article 34 – paragraph 3
Article 34 – paragraph 3
3. Where the competent supervisory authority determines in accordance with its power that the intended processing does not comply with this Regulation, in particular where risks are insufficiently identified or mitigated, it shall prohibit the intended processing and make appropriate proposals to remedy such incompliance.
Amendment 729 #
Proposal for a regulation
Article 34 – paragraph 4
Article 34 – paragraph 4
Amendment 730 #
Proposal for a regulation
Article 34 – paragraph 5
Article 34 – paragraph 5
5. Where the list provided for in paragraph 4 involves processing activities which are related to the offering of goods or services to data subjects in several Member States, or to the monitoring of their behaviour, or may substantially affect the free movement of personal data within the Union, the supervisory authority shall apply the consistency mechanism referred to in Article 57 prior to the adoption of the list.
Amendment 730 #
Proposal for a regulation
Article 4 – paragraph 1 – point 2 a (new)
Article 4 – paragraph 1 – point 2 a (new)
(2a) ‘pseudonymous data’ means any personal data that has been collected, altered or otherwise processed so that it of itself cannot be attributed to a data subject without the use of additional data which is subject to separate and distinct technical and organisational controls to ensure such non attribution, or that such attribution would require a disproportionate amount of time, expense and effort;
Amendment 732 #
Proposal for a regulation
Article 34 – paragraph 9
Article 34 – paragraph 9
9. The Commission may set out standard forms and procedures for prior authorisations and consultations referred to in paragraphs 1 and 2, and standard forms and procedures for informing the supervisory authorities pursuant to paragraph 6. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
Amendment 734 #
Proposal for a regulation
Article 4 – paragraph 1 – point 2 b (new)
Article 4 – paragraph 1 – point 2 b (new)
(2b) ‘anonymous data’ means any personal data that has been collected, altered or otherwise processed in such a way that it can no longer be attributed to a data subject; anonymous data shall not be considered personal data;
Amendment 737 #
Proposal for a regulation
Article 35 – paragraph 1 – point c
Article 35 – paragraph 1 – point c
(c) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects. Core activities should be defined as activities where 50% of the annual turnover resulting from the sale of data or revenue is gained from this data. In relation to data protection, data processing activities which do not represent more than 50% of company's turnover shall be considered ancillary.
Amendment 748 #
Proposal for a regulation
Article 4 – paragraph 1 – point 5
Article 4 – paragraph 1 – point 5
(5) ‘controller’ means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes, conditions and means of the processing of personal data; where the purposes, conditions and means of processing are determined by Union law or Member State law, the controller or the specific criteria for his nomination may be designated by Union law or by Member State law;
Amendment 760 #
Proposal for a regulation
Article 39 – paragraph 1
Article 39 – paragraph 1
1. The Member States and the Commission shall work with controllers, processors and other stakeholders to encourage, in particular at European level, the establishment of data protection certification mechanisms and of data protection seals and marks, allowing data subjects to quickly assess the level of data protection provided by controllers and processors. The data protection certifications mechanisms shall contribute to the proper application of this Regulation, taking account of the specific features of the various sectors and different processing operations.
Amendment 761 #
Proposal for a regulation
Article 39 – paragraph 1 a (new)
Article 39 – paragraph 1 a (new)
(1a) The data protection certifications mechanisms shall be voluntary, affordable, and available via a process that is transparent and not unduly burdensome. These mechanisms shall also be technology neutral and capable of global application and shall contribute to the proper application of this Regulation, taking account of the specific features of the various sectors and different processing operations.
Amendment 765 #
Proposal for a regulation
Article 4 – paragraph 1 – point 8
Article 4 – paragraph 1 – point 8
(8) ‘the data subject’s consent’ means any freely given specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed; Silence or inactivity does not in itself indicate acceptance;
Amendment 777 #
Proposal for a regulation
Article 42 – paragraph 2 – point b
Article 42 – paragraph 2 – point b
(b) standard data protection clauses, between the controller or processor and the recipient, that can be a sub-processor, of the data outside the EEA, which may include standard terms for onward transfers outside the EEA, adopted by the Commission. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2); or
Amendment 778 #
Proposal for a regulation
Article 42 – paragraph 2 – point c
Article 42 – paragraph 2 – point c
(c) standard data protection clauses, between the controller or processor and the recipient, that can be a sub-processor, of the data outside the EEA, which may include standard terms for onward transfers outside the EEA, adopted by a supervisory authority in accordance with the consistency mechanism referred to in Article 57 when declared generally valid by the Commission pursuant to point (b) of Article 62(1); or
Amendment 781 #
Proposal for a regulation
Article 42 – paragraph 2 – point d a (new)
Article 42 – paragraph 2 – point d a (new)
(da) contractual clauses between the controller or processor and the recipient of the data that supplement standard data protection clauses as referred to in points (b) and (c) of paragraph 2 of this Article, and are authorised by the competent supervisory authority in accordance with paragraph 4;
Amendment 782 #
Proposal for a regulation
Article 42 – paragraph 2 – point d a (new)
Article 42 – paragraph 2 – point d a (new)
(d a) for historical, statistical or scientific purposes, the measures referred to in Article 83(4);
Amendment 784 #
Proposal for a regulation
Article 42 – paragraph 3
Article 42 – paragraph 3
3. A transfer based on standard data protection clauses or binding corporate rules as referred to in points (a), (b), (c) or (e) of paragraph 2 shall not require any further authorisation.
Amendment 786 #
Proposal for a regulation
Article 42 – paragraph 4
Article 42 – paragraph 4
4. Where a transfer is based on contractual clauses as referred to in point (d) or (e) of paragraph 2 of this Article the controller or processor shall obtain prior authorisation of the contractual clauses according to point (a) of Article 34(1) from the competent supervisory authority. If the transfer is related to processing activities which concern data subjects in another Member State or other Member States, or substantially affect the free movement of personal data within the Union, the competent supervisory authority shall apply the consistency mechanism referred to in Article 57.
Amendment 786 #
Proposal for a regulation
Article 4 – paragraph 1 – point 13
Article 4 – paragraph 1 – point 13
(13) ‘main establishment’ means the location as determined by the data controller or data processor on the basis of the following transparent and objective criteria: the location of the group’s European headquarters, or, the location of the company within the group with delegated data protection responsibilities, or, the location of the company which is best placed (in terms of management function, administrative capability etc) to address and enforce the rules as set out in this Regulation, or, the place where the main decisions as to the purposes of processing are taken for the regional group;
Amendment 788 #
Proposal for a regulation
Article 42 – paragraph 4 a (new)
Article 42 – paragraph 4 a (new)
(4a) To encourage the use of supplemental contractual clauses as referred to in point (e) of paragraph 2 of this Article, competent authorities may offer a data protection seal, mark or mechanism, adopted pursuant to Article 39, to controllers and processors who adopt these safeguards.
Amendment 791 #
Proposal for a regulation
Article 43 – paragraph 1 – point a
Article 43 – paragraph 1 – point a
(a) are legally binding and apply to and are enforced by every member within the controller's or processor's group of undertakings and their external subcontractors, and include their employees;
Amendment 793 #
Proposal for a regulation
Article 43 – paragraph 2 – point a
Article 43 – paragraph 2 – point a
(a) the structure and contact details of the group of undertakings and its members, and their external subcontractors;
Amendment 799 #
Proposal for a regulation
Article 44 – paragraph 1 – point h
Article 44 – paragraph 1 – point h
(h) the transfer is necessary for the purposes of the legitimate interests pursued by the controller or the processor, which cannot be qualified as frequent or massive, and where the controller or processor has assessed all the circumstances surrounding the data transfer operation or the set of data transfer operations and based on this assessment adduced appropriate safeguards with respect to the protection of personal data, where necessary.
Amendment 808 #
Proposal for a regulation
Article 51 – paragraph 2
Article 51 – paragraph 2
2. Where the Regulation applies by virtue of Article 3(1), the competent supervisory authority will be the supervisory authority of the Member State or territory where the main establishment of the controller or processor subject to the Regulation is established. Disputes should be decided upon in accordance with the consistency mechanism set out in article 58, and this without prejudice to the other provisions of Chapter VII of this Regulation.
Amendment 809 #
Proposal for a regulation
Article 51 – paragraph 2 a (new)
Article 51 – paragraph 2 a (new)
(2a) Where the Regulation applies by virtue of Article 3(2), the competent supervisory authority will be the supervisory authority of the Member State or territory where the controller has designated a representative in the Union pursuant to Article 25.
Amendment 811 #
Proposal for a regulation
Article 51 – paragraph 2 b (new)
Article 51 – paragraph 2 b (new)
(2b) Where the Regulation applies to several controllers or/and processors within the same group of undertakings by virtue of both Article 3(1) and 3(2), only one supervisory authority will be competent and it will be determined in accordance with Article 51(2).
Amendment 814 #
Proposal for a regulation
Article 52 – paragraph 3
Article 52 – paragraph 3
3. The competent supervisory authority shall, upon request, advise any data subject in exercising the rights under this Regulation and, if appropriate, co-operate with the supervisory authorities in other Member States to this end.
Amendment 815 #
Proposal for a regulation
Article 53 – paragraph 1 – introductory part
Article 53 – paragraph 1 – introductory part
1. The competent supervisory authority shall have the power:
Amendment 816 #
Proposal for a regulation
Article 53 – paragraph 2 – subparagraph 1 – introductory part
Article 53 – paragraph 2 – subparagraph 1 – introductory part
Amendment 817 #
Proposal for a regulation
Article 53 – paragraph 3
Article 53 – paragraph 3
3. The competent supervisory authority shall have the power to bring violations of this Regulation to the attention of the judicial authorities and to engage in legal proceedings, in particular pursuant to Article 74(4) and Article 75(2).
Amendment 818 #
Proposal for a regulation
Article 53 – paragraph 4
Article 53 – paragraph 4
4. The competent supervisory authority shall have the power to sanction administrative offences, in particular those referred to in Article 79(4), (5) and (6).
Amendment 822 #
Proposal for a regulation
Article 58 – paragraph 1
Article 58 – paragraph 1
1. Before the competent supervisory authority adopts a measure referred to in paragraph 2, this competent supervisory authority shall communicate the draft measure to the European Data Protection Board and the Commission.
Amendment 824 #
Proposal for a regulation
Article 58 – paragraph 2 – point a
Article 58 – paragraph 2 – point a
(a) relates to processing activities of personal data which are related to the offering of goods or services to data subjects in several Member States, or to the monitoring of their behaviour when the non-EEA controller or processor does not name a representative in the territory of the EEA; or it
Amendment 825 #
Proposal for a regulation
Article 58 – paragraph 2 – point b
Article 58 – paragraph 2 – point b
Amendment 826 #
Proposal for a regulation
Article 58 – paragraph 2 – point c
Article 58 – paragraph 2 – point c
Amendment 828 #
Proposal for a regulation
Article 58 – paragraph 2 – point d
Article 58 – paragraph 2 – point d
Amendment 829 #
Proposal for a regulation
Article 58 – paragraph 2 – point e
Article 58 – paragraph 2 – point e
Amendment 830 #
Proposal for a regulation
Article 58 – paragraph 2 – point f
Article 58 – paragraph 2 – point f
Amendment 838 #
Proposal for a regulation
Article 59
Article 59
Amendment 840 #
Proposal for a regulation
Article 60
Article 60
Amendment 849 #
Proposal for a regulation
Article 66 – paragraph 4 a (new)
Article 66 – paragraph 4 a (new)
(4a) Where appropriate, the European Data Protection Board shall, in its execution of the tasks as outlined in article 66, consult interested parties and give them the opportunity to comment within a reasonable period. The European Data Protection Board shall, without prejudice to Article 72, make the results of the consultation procedure publicly available.
Amendment 861 #
Proposal for a regulation
Article 77 – paragraph 1
Article 77 – paragraph 1
1. Any person who has suffered damage as a result of an unlawful processing operation or of an action incompatible with this Regulation shall have the right to receive compensation from the controller or the processor for the damage suffered.
Amendment 864 #
Proposal for a regulation
Article 77 – paragraph 2
Article 77 – paragraph 2
2. Where more than one controller or processor is involved in the processing, each controller or processor shall be jointly and severally liable for the entire amount of the damage to the extent that the joint controllers' respective liability has not been determined in the legal arrangement referred to in Article 24.
Amendment 867 #
Proposal for a regulation
Article 77 – paragraph 3
Article 77 – paragraph 3
3. The controller or the processor may be exempted from this liability, in whole or in part, if the controller or the processor proves that it is not responsible for the event giving rise to the damage.
Amendment 868 #
Proposal for a regulation
Article 79 – paragraph 1
Article 79 – paragraph 1
1. The competent supervisory authority shall be empowered to impose administrative sanctions in accordance with this Article.
Amendment 878 #
Proposal for a regulation
Article 6 – paragraph 1 – point f
Article 6 – paragraph 1 – point f
(f) processing is necessary for the purposes of the legitimate interests pursued by a controller, or on behalf of a controller or a processor, or by a third party or parties in whose interest the data is processed, including for the security of processing, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, such as in the case of processing data pertaining to a child. The interest or fundamental rights and freedoms of the data subject shall not override processing carried out by public authorities in the performance of their tasks.
Amendment 890 #
Proposal for a regulation
Article 83 – paragraph 1 – introductory part
Article 83 – paragraph 1 – introductory part
1. Within the limits of this Regulation, personal data may be processed for historical, statistical or scientific research purposespurposes under paragraph 2 of Article 6 and point (i) of Article 9(2) only if:
Amendment 890 #
Proposal for a regulation
Article 6 – paragraph 1 – point f a (new)
Article 6 – paragraph 1 – point f a (new)
(fa) the data are collected from public registers lists or documents accessible by everyone;
Amendment 898 #
Proposal for a regulation
Article 6 – paragraph 1 – point f c (new)
Article 6 – paragraph 1 – point f c (new)
(fc) processing is limited to pseudonymised data, where the data subject is adequately protected and the recipient of the service is given a right to object pursuant to Article 19(3);
Amendment 900 #
Proposal for a regulation
Article 6 – paragraph 1 – point f d (new)
Article 6 – paragraph 1 – point f d (new)
(fd) processing is necessary for the purpose of anonymisation or pseudonymisation of personal data;
Amendment 905 #
Proposal for a regulation
Article 83 – paragraph 2 – point c a (new)
Article 83 – paragraph 2 – point c a (new)
(ca) the personal data is processed for the purpose of generating aggregate data reports, wholly composed of either anonymous data, pseudonymous data or both.
Amendment 906 #
Proposal for a regulation
Article 83 – paragraph 2 a (new)
(2a) A controller or processor may transfer personal data to a third country or an international organisation for historical, statistical or scientific purposes if: (a) these purposes cannot be otherwise fulfilled by processing data which does not permit or not any longer permit the identification of the data subject; (b) the recipient does not reasonably have access to data enabling the attribution of information to an identified or identifiable data subject; and (c) contractual clauses between the controller or processor and the recipient of the data prohibit re-identification of the data subject and limit processing in accordance with the conditions and safeguards laid down in this Article.
Amendment 921 #
Proposal for a regulation
Article 6 – paragraph 2 a (new)
2a. Processing of pseudonymised data to safeguard the legitimate interests pursued by a controller shall be lawful, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks.
Amendment 945 #
Proposal for a regulation
Article 6 – paragraph 4
4. Where the purpose of further processing is not compatible with the one for which the personal data have been collected, the processing must have a legal basis at least in one of the grounds referred to in points (a) to (e) of paragraph 1. This shall in particular apply to any change of terms and general conditions of a contract.
Amendment 964 #
Proposal for a regulation
Article 6 – paragraph 5
Amendment 1012 #
Proposal for a regulation
Article 8 – paragraph 1
1. For the purposes of this Regulation, in relation to the offering of information society services directly to a child, the processing of personal data of a child below the age of 135 years shall only be lawful if and to the extent that consent is given or authorised by the child's parent or custodian. The controller shall make reasonable efforts to obtain verifiable consent, taking into consideration available technology.
Amendment 1016 #
Proposal for a regulation
Article 8 – paragraph 1 a (new)
1a. Where an information society service makes social networking facilities available to children it shall take explicit measures to protect their welfare, including by ensuring, in so far as possible, that they are aware of the identities of those with whom they are communicating.
Amendment 1048 #
Proposal for a regulation
Article 9 – paragraph 2 – point a a (new)
(aa) processing is necessary for the performance or execution of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
Amendment 1062 #
Proposal for a regulation
Article 9 – paragraph 2 – point f
(f) processing is necessary for the establishment, exercise or defence of legal claims or the legally justified fulfilment of claims of third parties affected; or
Amendment 1084 #
Proposal for a regulation
Article 9 – paragraph 2 – point j a (new)
(ja) processing of data concerning health is necessary for private social protection, especially by providing income security or tools to manage risks that are in the interests of the data subject and his or her dependants and assets, or by enhancing inter-generational equity by means of distribution.
Amendment 1103 #
Proposal for a regulation
Article 10 – paragraph 1
If the data processed by a controller do not permit the controller or a processor to identify a natural person, in particular when rendered anonymous or pseudonymous, the controller shall not be obliged to process or acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation.
Amendment 1176 #
Proposal for a regulation
Article 14 – paragraph 1 – introductory part
1. Where personal data relating to a data subject are collected, the controller shall provide the data subject with at least the following information:. The following paragraphs do not apply to small enterprises in the course of their own activity and for data which is strictly and exclusively for their internal use.
Amendment 1180 #
Proposal for a regulation
Article 14 – paragraph 1 – point a
(a) the identity and the contact details of the controller and, if any, of the controller's representative and of the data protection officer;
Amendment 1189 #
Proposal for a regulation
Article 14 – paragraph 1 – point b
(b) the purposes of the processing for which the personal data are intended, including the contract terms and general conditions where the processing is based on point (b) of Article 6(1) and the legitimate interests pursued by the controller where the processing is based on point (f) of Article 6(1);
Amendment 1193 #
Proposal for a regulation
Article 14 – paragraph 1 – point c
Amendment 1201 #
Proposal for a regulation
Article 14 – paragraph 1 – point d
(d) the existence of the right to request from the controller access to and rectification or erasure of the personal data concerning the data subject orand to object to the processing of such personal data;
Amendment 1203 #
Proposal for a regulation
Article 14 – paragraph 1 – point e
Amendment 1215 #
Proposal for a regulation
Article 14 – paragraph 1 – point h
Amendment 1222 #
Proposal for a regulation
Article 14 – paragraph 2
2. Where the personal data are collected from the data subject, the controller shall inform the data subject, in addition to the information referred to in paragraph 1, whether the provision of personal data is obligatory or voluntary, as well as the possible consequences of failure to provide such data.
Amendment 1238 #
Proposal for a regulation
Article 14 – paragraph 4 – point b
(b) where the personal data are not collected from the data subject, at the time of the recording or within a reasonable period after the collection, having regard to the specific circumstances in which the data are collected or otherwise processed, or, if a disclosure to another recipient is envisaged, and at the latest when the data are first disclosed; or, if the data shall be used for communication with the person concerned, at the latest at the time of the first communication to that person.
Amendment 1248 #
Proposal for a regulation
Article 14 – paragraph 5 – point b
(b) the data are not collected from the data subject or the data processes do not allow the verification of identity and the provision of such information proves impossible or would involve a disproportionate effort such as by generating excessive administrative burden, especially when the processing is carried out by a SME; or
Amendment 1250 #
Proposal for a regulation
Article 14 – paragraph 5 – point c
(c) the data are not collected from the data subject and recording or disclosure is expressly laid down by law; or
Amendment 1253 #
Proposal for a regulation
Article 14 – paragraph 5 – point d
(d) the data are not collected from the data subject and the provision of such information will impair the rights and freedoms of others, as defined in Union law or Member State law in accordance with Article 21; or
Amendment 1262 #
Proposal for a regulation
Article 14 – paragraph 5 – point d a (new)
(da) the data originates from publicly available sources; or
Amendment 1266 #
Proposal for a regulation
Article 14 – paragraph 5 – point d b (new)
(db) the data must be kept secret in accordance with legislation or by virtue of their nature, particularly because of a legitimate overriding interest of a third party.
Amendment 1268 #
Proposal for a regulation
Article 14 – paragraph 5 – point d c (new)
(dc) the data are processed in the exercise of his profession by, or are entrusted or become known to, a person who is subject to an obligation of professional secrecy regulated by the State or to a statutory obligation of secrecy.
Amendment 1279 #
Proposal for a regulation
Article 14 – paragraph 7
Amendment 1296 #
Proposal for a regulation
Article 15 – paragraph 1 – introductory part
1. Only the data subject shall have the right to obtain from the controller at any time, on request, confirmation as to whether or not personal data relating to the data subject are being processed unless this request is manifestly excessive according to 12 (4). Where such personal data are being processed, the controller shall - so far as the data subject has not received - provide the following information:
Amendment 1311 #
Proposal for a regulation
Article 15 – paragraph 1 – point d
(d) if known the period for which the personal data will be stored;
Amendment 1324 #
Proposal for a regulation
Article 15 – paragraph 2
Amendment 1357 #
Proposal for a regulation
Article 15 – paragraph 3
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the communication to the data subject of the contentdata subject shall have the right, where personal data are processed by electronic means and in a structured and commonly used format, to obtain from the controller a copy of data which were provided by the data subject itself and that undergoing processing in an electronic and structured format which is commonly used and allows for further use by the data subject. This right shall not restrict rights of others as trade secrets or intellectual property rights. This does not apply on the processing of anonymised and pseudonymised data, insofar as the data subject is not sufficiently identifiable ofn the personal data referbasis of such data or identification would required to in point (g) of paragraph 1he controller to undo the process of pseudonymisation.
Amendment 1358 #
Proposal for a regulation
Article 15 – paragraph 3 a (new)
3a. There shall be no right to information where: (a) data are involved which a person bound by professional secrecy is required to protect; (b) data must be kept secret in accordance with legislation or by virtue of their nature, particularly because of the overriding interest of a third party; (c) the public entity responsible has ascertained in relation to the entity responsible that disclosure of the data would endanger public safety or order; (d) data comprise trade secrets.
Amendment 1376 #
Proposal for a regulation
Article 16 – paragraph 1 a (new)
Paragraph 1 shall not apply to pseudonymous data.
Amendment 1420 #
Proposal for a regulation
Article 17 – paragraph 2
2. Where the controller referred to in paragraph 1 has made the personal data public, it shall take all reasonable steps, including technical measures, in relation to data for the publication of which the controller is responsible, to inform third parties which are processing such data, that a data subject requests them to erase any links to, or copy or replication of that personal data. Where the controller has authorised a third party publication of personal data, the controller shall be considered responsible for that publication. Anonymised data, pseudonymised data and encrypted data are exempted, where compliance with this provision would require the controller to undo the process of anonymisation, pseudonymisation or encryption.
Amendment 1492 #
Proposal for a regulation
Article 18
Amendment 1537 #
Proposal for a regulation
Article 19 – paragraph 2
2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object free of charge to the processing of their personal data for such marketing. This right shall be explicitly offered to the data subject in an intelligible manner and shall be clearly distinguishable from other information. This right shall include a right to object to the collection and use of personal data obtained through online tracking of the data subject's preferences and behaviour across websites. Where a data subject expresses this right to object through technical means, such as a browser setting, controllers and processors shall respect such objection, consistent with technical industry standards, and must obtain the consent of the data subject to process personal data derived from online tracking for marketing purposes. Consent to online tracking shall enable persistent online tracking across all websites unless such consent is subsequently revoked by the data subject.
Amendment 1543 #
Proposal for a regulation
Article 19 – paragraph 3 a (new)
3a. Where pseudonymised data is processed pursuant to Article 6(1) the data subject shall have the right to object free of charge. This right shall be offered to the data subject in an intelligible manner and shall be clearly distinguishable from other information.
Amendment 1549 #
Proposal for a regulation
Article 20 – paragraph 1
1. Every ndatural persona subject shall have the right not to be subject to a measureprocessing of personal data which produces adverse legal effects concerning this ndatural person or significanta subject or comparably affects this natural person, and which is based solely on automated processing intended to evaluate certain personal aspects relating to this ndatural persona subject or to analyse or predict in particular the ndatural persona subject's performance at work, economic situation, location, health, personal preferences, reliability or behaviour.
Amendment 1585 #
Proposal for a regulation
Article 20 – paragraph 2 – point c a (new)
(ca) is limited to pseudonymised data. Such pseudonymised data must not be collated with data on the bearer of the pseudonym. Article 19(3a) shall apply correspondingly.
Amendment 1598 #
Proposal for a regulation
Article 20 – paragraph 3
3. Automated processing of personal data intended to evaluate certain personal aspects relating to a natural person shall not be based solely on the special categories of personal data referred to in Article 9 unless the data subject has given consent.
Amendment 1616 #
Proposal for a regulation
Article 20 – paragraph 5
Amendment 1750 #
Proposal for a regulation
Article 24 – paragraph 1
Where a controller determines the purposes, conditions and means of the processing of personal data jointly with others, the joint controllers shall determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the procedures and mechanisms for exercising the rights of the data subject, by means of an arrangement between them.
Amendment 1778 #
Proposal for a regulation
Article 26 – paragraph 2 – introductory part
2. The carrying out of processing by a processor shall be governed by a contract or other legal act binding the processor to the controller and stipulating in particular that the processor shall. The controller and the processor shall be free to determine respective roles and responsibilities with respect to the requirements of this Regulation and shall provide for the following:
Amendment 1784 #
Proposal for a regulation
Article 26 – paragraph 2 – point d
Amendment 1788 #
Proposal for a regulation
Article 26 – paragraph 2 – point e
Amendment 1792 #
Proposal for a regulation
Article 26 – paragraph 2 – point f
Amendment 1796 #
Proposal for a regulation
Article 26 – paragraph 2 – point g
Amendment 1804 #
Proposal for a regulation
Article 26 – paragraph 2 – point h
(h) make available to the controller and the supervisory authority on request all information necessary to control compliance with the obligations laid down in this Article.
Amendment 1821 #
Proposal for a regulation
Article 26 – paragraph 5
Amendment 2573 #
Proposal for a regulation
Article 49 a (new)
Amendment 2596 #
Proposal for a regulation
Article 51 – paragraph 3
3. The supervisory authority shall not be competent to supervise processing operations of courts acting in their judicial capacity and not competent to supervise processing operations of controllers bound by obligations of professional secrecy.
Amendment 2779 #
Proposal for a regulation
Article 73 – paragraph 2
Amendment 2789 #
Proposal for a regulation
Article 73 – paragraph 3
Amendment 2813 #
Proposal for a regulation
Article 76 – paragraph 1
Amendment 2825 #
Proposal for a regulation
Article 77 – paragraph 1
1. Any person who has suffered damage as a result of an unlawful processing operation or of an action incompatible with this Regulation shall have the right to receive compensation from the controller or the processor for the damage suffered.
Amendment 2830 #
Proposal for a regulation
Article 77 – paragraph 2
2. Where more than one controller or processor is involved in the processing, each controller or processor shall be jointly and severally liable for the entire amount of the damage, notwithstanding the contractual agreement they might have concluded according to Article 24.
Amendment 2837 #
Proposal for a regulation
Article 77 – paragraph 3
3. The controller or the processor may be exempted from this liability, in whole or in part, if the controller or the processor proves that they are not responsible for the event giving rise to the damage.
Amendment 2959 #
Proposal for a regulation
Article 80 – paragraph 1
1. Member States shall provide for exemptions or derogations from the provisions on the Chapter II (general principles in), Chapter II, I (the rights of the data subject in), Chapter III, onV (the controller and processor in), Chapter IV, on the V (transfer of personal data to third countries and international organisations in), Chapter V, the independent I (supervisory authorities in), Chapter VI and on I (co-operation and consistency in) and Articles 73, 74, 76 and 79 of Chapters VII forI (legal remedies, liability and penalties) and X shall not apply to the processing of personal data carried out solely for journalistic purposes or the purpose of artistic or literary expression in order to reconcile the right to the protection of personal data with the rules governing freedom of expression.
Amendment 3058 #
Proposal for a regulation
Article 83 – paragraph 1 – point b a (new)
(ba) the personal data is processed for the purpose of generating aggregate data reports, wholly composed of either anonymous data, pseudonymous data or both.
Amendment 3098 #
Proposal for a regulation
Article 84 – paragraph 1
1. Within the limits of this Regulation, Member States mayshall adopt specific rules to set out the investigative powers by the supervisory authorities laid down in Article 53(2) in relation to controllers or processors that are subjects under national law or rules established by national competent bodies to an obligation of professional secrecy or other equivalent obligations of secrecy, where this is necessary and proportionate to reconcile the right of the protection of personal data with the obligation of secrecy. These rules shall only apply with regard to personal data which the controller or processor has received from or has obtained in an activity covered by this obligation of secrecy.