36 Amendments of Louis MICHEL related to 2011/0011(COD)

Amendment 1836 #
Proposal for a regulation
Article 28 – paragraph 1
1. Each controller and processor and, if any, the controller's representative, shall maintain documentation of all processing operationsthe main categories of processing under its responsibility.
2013/03/06
Committee: LIBE
Amendment 1848 #
Proposal for a regulation
Article 28 – paragraph 2 – introductory part
2. [deleted: The] [inserted: Such] documentation shall contain at least the following information:
2013/03/06
Committee: LIBE
Amendment 1849 #
Proposal for a regulation
Article 28 – paragraph 2 – point a
(a) the name and contact details of the controller, or any joint controller or processor, and of the representative, if any;
2013/03/06
Committee: LIBE
Amendment 1853 #
Proposal for a regulation
Article 28 – paragraph 2 – point b
(b) the name and contact details of the data protection organisation or data protection officer, if any;
2013/03/06
Committee: LIBE
Amendment 1855 #
Proposal for a regulation
Article 28 – paragraph 2 – point c
(c) the generic purposes of the processing, including the legitimate interests pursued by the controller where the processing is based on point (f) of Article 6(1);
2013/03/06
Committee: LIBE
Amendment 1860 #
Proposal for a regulation
Article 28 – paragraph 2 – point e
(e) the recipients or categories of recipients of the personal data, including the controllers to whom personal data are disclosed for the legitimate interest pursued by them;
deleted
2013/03/06
Committee: LIBE
Amendment 1865 #
Proposal for a regulation
Article 28 – paragraph 2 – point f
(f) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or an international organisation, and, in case of transfers referred to in point (h) of Article 44(1), the documentation of appropriatea reference to safeguards employed;
2013/03/06
Committee: LIBE
Amendment 1868 #
Proposal for a regulation
Article 28 – paragraph 2 – point g (new)
(g) a general indication of the time limits for erasure [deleted: of] [inserted: or data retention policy applicable to] the different categories of data;
2013/03/06
Committee: LIBE
Amendment 1875 #
Proposal for a regulation
Article 28 – paragraph 2 – point h
(h) the description of the mechanisms referred to in Article 22(3).
deleted
2013/03/06
Committee: LIBE
Amendment 1883 #
Proposal for a regulation
Article 28 – paragraph 3
3. The controller and the processor and, if any, the controller's representative, shall make the documentation available, on request, to the supervisory authority.
2013/03/06
Committee: LIBE
Amendment 1885 #
Proposal for a regulation
Article 28 – paragraph 3 a (new)
3a. In the case of a group of undertakings where each data controller within the group of undertakings carries out substantively the same type of processing operation, only one set of documentation shall be kept at group level.
2013/03/06
Committee: LIBE
Amendment 1886 #
Proposal for a regulation
Article 28 – paragraph 3 b (new)
3b. Where a controller engages a processor, the controller shall be responsible for maintaining the documentation referred to in Article 28(1) and can require the processor to provide assistance in compiling the information.
2013/03/06
Committee: LIBE
Amendment 1895 #
Proposal for a regulation
Article 28 – paragraph 4 – introductory part
4. The obligations referred to in paragraphs 1 and 2 shall not apply to the following controllers and processors:
2013/03/06
Committee: LIBE
Amendment 1910 #
Proposal for a regulation
Article 28 – paragraph 5
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the documentation referred to in paragraph 1, to take account of in particular the responsibilities of the controller and the processor and, if any, the controller's representative.
2013/03/06
Committee: LIBE
Amendment 1916 #
Proposal for a regulation
Article 28 – paragraph 6
6. To ensure harmonized requirements within the Union, the Commission may lay down standard forms for the documentation referred to in paragraph 1. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
2013/03/06
Committee: LIBE
Amendment 1956 #
Proposal for a regulation
Article 31 – paragraph 1
1. In the case of a personal data breach, the controller shall without undue delay and, wh which causes or is likely to cause significant adverse feasible, not later than 24 hours after having become aware of it, notify the personal data breach to the supervisory authority. The notification toeffect on the privacy of the data subject, the controller shall after having become aware, fully investigated and confirmed it, without undue delay, notify the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 24 hourssonal data breach to the supervisory authority.
2013/03/06
Committee: LIBE
Amendment 1970 #
Proposal for a regulation
Article 31 – paragraph 3 – introductory part
3. The notification referred to in paragraph 1 must at leastif possible:
2013/03/06
Committee: LIBE
Amendment 1971 #
Proposal for a regulation
Article 31 – paragraph 3 – point b
(b) communicate the identity and contact details of the data protection officcontroller or other contact point where more information can be obtained;
2013/03/06
Committee: LIBE
Amendment 1973 #
Proposal for a regulation
Article 31 – paragraph 3 a (new)
3a. The notification referred to in paragraph 1 shall not be required if the controller or the processor has implemented appropriate technological measures, which were applied to the data concerned by the personal data breach, such as measures which render the data unintelligible to any person who is not authorised to access it.
2013/03/06
Committee: LIBE
Amendment 1979 #
Proposal for a regulation
Article 31 – paragraph 4
4. The controller shall document any personal data breaches referred to in paragraph 1, comprising the facts surrounding the breach, its effects and the remedial action taken. This documentation must enable the supervisory authority to verify compliance with this Article. The documentation shall only include the information necessary for that purpose.
2013/03/06
Committee: LIBE
Amendment 1986 #
Proposal for a regulation
Article 31 – paragraph 5
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for establishing the data breach referred to in paragraphs 1 and 2 and for the particular circumstances in which a controller and a processor is required to notify the personal data breach.
2013/03/06
Committee: LIBE
Amendment 1990 #
Proposal for a regulation
Article 31 – paragraph 6
6. The Commission may lay down the standard format of such notification to the supervisory authority, the procedures applicable to the notification requirement and the form and the modalities for the documentation referred to in paragraph 4, including the time limits for erasure of the information contained therein. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
deleted
2013/03/06
Committee: LIBE
Amendment 1998 #
Proposal for a regulation
Article 32 – paragraph 1
1. When the personal data breach causes or is likely to cause significant adversely a effect on the protection of the personal data or privacy of theivacy of the data subject and minimizing of the harm requires action by data subjects, the controller shall, after the notification referred to in Article 31, communicate the personal data breach to the data subject without undue delay unless this is disproportionally difficult. When communication to data subjects would risk causing further serious harm to the protection of the personal data or privacy of the data subject, the controller may, after consulting with the supervisory authority, delay communication to data subjects until such risk no longer prevails.
2013/03/06
Committee: LIBE
Amendment 2001 #
Proposal for a regulation
Article 32 – paragraph 3
3. The communication of a personal data breach to the data subject shall not be required if the controller demonstrates to the satisfaction of the supervisory authority that it has implemented appropriate technological protection measures, and that those measures were applied to the data concerned by the personal data breach. Such technological protection measures shall have the purpose to render the data unintelligible to any person who is not authorised to access [deleted: it] [inserted: them, taking into account the nature of the data, the state of the art and the cost].
2013/03/06
Committee: LIBE
Amendment 2008 #
Proposal for a regulation
Article 32 – paragraph 5
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements as to the circumstances in which a personal data breach is likely to adversely affect the personal data referred to in paragraph 1.
2013/03/06
Committee: LIBE
Amendment 2010 #
Proposal for a regulation
Article 32 – paragraph 6
6. The Commission may lay down the format of the communication to the data subject referred to in paragraph 1 and the procedures applicable to that communication. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
deleted
2013/03/06
Committee: LIBE
Amendment 2024 #
Proposal for a regulation
Article 33 – paragraph 1
1. Where processing operations present specific high degree of risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes, the controller or the processor acting on or when the DPA decides that a privacy impact assessment is necessary, the controller's behalf shall carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
2013/03/06
Committee: LIBE
Amendment 2029 #
Proposal for a regulation
Article 33 – paragraph 2 – introductory part
2. The following processing operations in particularare likely to present specific high degree of risks referred to in paragraph 1:
2013/03/06
Committee: LIBE
Amendment 2032 #
Proposal for a regulation
Article 33 – paragraph 2 – point a
(a) taking into account the exceptions of Article 20(2)(c) and the restrictions of Article 21, a systematic and extensive evaluation of personal aspects relating to a natural person or for analysing or predicting in particular the natural person's economic situation, location, health, personal preferences, or reliability or behaviour, which is solely based on automated processing and on which measuredecisions are based that produce legal effects concerning the individual or significantadversely affect the individualfundamental rights of a data subject in a significantly negative manner;
2013/03/06
Committee: LIBE
Amendment 2038 #
Proposal for a regulation
Article 33 – paragraph 2 – point c
(c) monitoring publicly accessible areas, especially winvolving then using optic-electronic devices (video surveillance) on a large scalee of specific techniques such as facial recognition, or not answering to the reasonable expectations of the general public;
2013/03/06
Committee: LIBE
Amendment 2042 #
Proposal for a regulation
Article 33 – paragraph 2 – point e
(e) other processing operations for which the consultation of the supervisory authority is required pursuant to point (b) of Article 34(2).
deleted
2013/03/06
Committee: LIBE
Amendment 2044 #
Proposal for a regulation
Article 33 – paragraph 3
3. The assessment shall contain at least a general description of the envisaged processing operations, an assessment of the risks to the rights and freedoms of data subjects, the measures envisaged to address the risks, safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation, taking into account the rights and legitimate interests of data subjects and other persons concerned.
deleted
2013/03/06
Committee: LIBE
Amendment 2054 #
Proposal for a regulation
Article 33 – paragraph 4
4. The controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of the processing operations.
deleted
2013/03/06
Committee: LIBE
Amendment 2065 #
Proposal for a regulation
Article 33 – paragraph 5
5. Where the controller is a public authority or body and where the processing results from a legal obligation pursuant to point (c) of Article 6(1) providing for rules and procedures pertaining to the processing operations and regulated by Union or Member State law, paragraphs 1 to 4 shall not apply, unless Member States deem it necessary to carry out such assessment prior to the processing activities.
2013/03/06
Committee: LIBE
Amendment 2077 #
Proposal for a regulation
Article 33 – paragraph 6
6. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and conditions for the processing operations likely to present specific risks referred to in paragraphs 1 and 2 and the requirements for the assessment referred to in paragraph 3, including conditions for scalability, verification and auditability. In doing so, the Commission shall consider specific measures for micro, small and medium-sized enterprises.
2013/03/06
Committee: LIBE
Amendment 2087 #
Proposal for a regulation
Article 33 – paragraph 7
7. The Commission may specify standards and procedures for carrying out and verifying and auditing the assessment referred to in paragraph 3. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
deleted
2013/03/06
Committee: LIBE