Activities of Louis MICHEL related to 2012/0011(COD)
Plenary speeches (1)
Protection of individuals with regard to the processing of personal data (A8-0139/2016 - Jan Philipp Albrecht) FR
Amendments (193)
Amendment 359 #
Proposal for a regulation
Recital 12
Recital 12
(12) The protection afforded by this Regulation concerns natural persons, whatever their nationality or place of residence, in relation to the processing of personal data. With regard to the processing of data which concern legal persons and in particular undertakings established as legal personundertakings, including the name and the form of the legal person and the contact details of the legal person, the protection of this Regulation should not be claimed by any person. This should also apply where the name of the legal person contains the names of one or more natural persons.
Amendment 381 #
Proposal for a regulation
Recital 21 a (new)
Recital 21 a (new)
(21a) In order to determine whether a processing activity can be considered as relating to ‘the offering of goods or services’, it should be ascertained that the offer is clearly addressed and not only made accessible to data subjects in the Union. The possibilities of delivery in the EU, the language used as well as the domain name used may be taken into account. The notion should apply irrespective of whether a payment of the data subject is required.
Amendment 382 #
Proposal for a regulation
Recital 22 a (new)
Recital 22 a (new)
(22a) The law of a Member State includes collective agreements in the labour market. A collective agreement in the labour market is an agreement between one or more representative employee organisation(s) and one or more representative employers organisation(s) or one or more employer(s). Such an agreement defines the collective and individual relationships (e.g. working conditions and salary) between employers and employees of all enterprises or of the enterprises of a specific sector of industry. It also fixes the rights and obligations of the parties to the agreement. A collective agreement in the labour market adds elements to employment law that are not foreseen by the employment act (Code de travail) or adapts general clauses of this employment act to the specific situation of the sector of industry involved. The collective agreement thus applies to every employee or to every employee of the sector of industry involved.
Amendment 391 #
Proposal for a regulation
Recital 23
Recital 23
(23) The principles of protection should apply to anyonly to information concerning an identified or identifiable natural person. To determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to. A natural person should not be considered identifiable if identification requires a disproportionate amount of time, effort or material resources or if the controller has put in place the measures to prevent the information from fully identifying the individualnatural person. The principles of data protection should not therefore apply to data where the data subject is not yet identifiable or data which is rendered anonymous in such a way that the data subject is no longert identifiable.
Amendment 403 #
Proposal for a regulation
Recital 24
Recital 24
(24) When using online services, individuals may be associated with online identifiers provided by their devices, applications, tools and protocols, such as Internet Protocol addresses, internet ports or cookie identifiers. This may leave traces which, combined with unique identifiers and other information received by the servers, may be used to create profiles of the individuals and identify them. It follows that identification numbers, location data, online identifiers or other specific factoserial numbers of products, IP addresses, internet ports, International Mobile Equipment Identity codes of mobile telephones or other such identifiers as such need not necessarily be considered as personal data in all circumstances.
Amendment 409 #
Proposal for a regulation
Recital 25
Recital 25
(25) Consent should be given explicitly by any appropriate method enabling a freely given specific and informed indication of the data subject’s wishesll, either by a statement or by a clear affirmativen action by the data subject, ensuring that individuals are aware that they give their consent to the processing of personal data, including by using appropriate settings or by ticking a box when visiting an Internet website or by any other statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of their personal data. Silence or inactivity should therefore not constitute consent. Consent should covers all processing activities carried out for the same purpose or purposes. If the data subject’s consent is to be given following an electronic request, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
Amendment 421 #
Proposal for a regulation
Recital 26
Recital 26
(26) Personal data relating to health should include in particular all data directly pertaining to the health status of a data subject; information about the registration of the individual for the provision of health services; information about payments or eligibility for healthcare with respect to the individual; a number, symbol or particular assigned to an individual to uniquely identify the individual for health purposes; any information about the individual collected in the course of the provision of health services to the individual; information derived from the testing or examination of a body part or bodily substance, including biological samples; identification of a person as provider of healthcare to the individual; or any information on e.g. a disease, disability, disease risk, medical history, clinical treatment, or the actual physiological or biomedical state of the data subject independent of its source, such as e.g. from a physician or other health professional, a hospital, a medical device, or an in vitro diagnostic test.
Amendment 438 #
Proposal for a regulation
Recital 33
Recital 33
(33) In order to ensure free consent, it should be clarified that consent does not provide a valid legal ground where the individual has no genuine and free choice and is subsequently not able to refuse or withdraw consent without detriment that has no legitimate reason. When personal data, which are processed on the basis of a data subject’s consent are necessary for the provision of a service or other benefit for the data subject, the withdrawal of the consent should constitute a ground for the termination or the non execution of a contract by the service provider.
Amendment 446 #
Proposal for a regulation
Recital 34
Recital 34
(34) Consent should not provide a valid legal ground for the processing of personal data, where there is a clear imbalance between the data subject and the controller. This is especially the case where the data subject is in a situation of dependence from the controller, among others, where personal. There is no imbalance when the data are processed byin the employercontext of employees’ personal data in the employment contextment or risk protection. Where the controller is a public authority, there would be an imbalance only in the specific data processing operations where the public authority can impose an obligation by virtue of its relevant public powers and the consent cannot be deemed as freely given, taking into account the interest of the data subject.
Amendment 471 #
Proposal for a regulation
Recital 41
Recital 41
(41) Personal data which are, by their nature, particularly sensitive and vulnerable in relation to fundamental rights or privacy, deserve specific protection. Such data should not be processed, unless the data subject gives his explicit consent. However, derogations fromNevertheless, when processing personal data, account should be taken of the context in which the processing takes place. This means in particular that in order to fall under the scope of thise prohibition should be explicitly provided for in respect of specific needs, in particular where the processing is carried out in the cour, the processing of personal data concerning health should be intended to reveal information concerning health. In this regard, all explicit and implicit purposes of the processing should be taken into account. It should suffice that one of the purposes of legitimate activities by certain associations or foundations the purpose of which is to permit the exercise of fundamental freedoms. the processing consists of retrieving information concerning health for the prohibition to process the data to apply.
Amendment 472 #
Proposal for a regulation
Recital 42
Recital 42
(42) Such data should not be processed, unless the data subject gives his explicit consent. However, derogations from this prohibition should be explicitly provided for in respect of specific needs, in particular where the processing is carried out in the course of legitimate activities by certain associations or foundations the purpose of which is to permit the exercise of fundamental freedom. Derogating from the prohibition on processing sensitive categories of data should also be allowed if done by a law, and subject to suitable safeguards, so as to protect personal data and other fundamental rights, where grounds of public interest so justify and in particular for health purposes, including public health, such as protection against serious transborder health threats or in order to ensure high quality and security standards including for medication or medical tools, and social protection and the management of health-care services, especially in order to ensure the quality and cost-effectiveness of the procedures used for settling claims for benefits and services in the health insurance system, or for historical, statistical and scientific research purposes.
Amendment 480 #
Proposal for a regulation
Recital 48
Recital 48
(48) The principles of fair and transparent processing require that the data subject should be informed in particular of the existence of the processing operation and its purposes, how long the data will be stored, on the existence of the right of access, rectification or erasure and on the right to lodge a complaint. WThe level of detail of the information relating to the period for which the personal data will be stored may vary depending on the particular circumstances. Where it is possible, it may be expressed with a particular timing but otherwise, a reference to a term, such as prescription rules, will be enough. here the data are collected from the data subject, the data subject should also be informed whether they are obliged to provide the data and of the consequences, in cases they do not provide such data.
Amendment 486 #
Proposal for a regulation
Recital 51
Recital 51
(51) Any person should have the right of access to personal data which has been collected concerning them, and to exercise this right easily, in order to be aware and verify the lawfulness of the processing. Every data subject should therefore have the right to know and obtain communication in particular for what purposes the personal data are processed, for what period, which recipients receive the personal data, what is the logic of the personal data that are undergoing the processing and what might be, at least when based on profiling, the consequences of such processing. This right should not adversely affect the rights and freedoms of others, including, for example, trade secrets such as algorithms used, protection of network and information security or intellectual property and in particular the copyright protecting the software. However, the result of these considerations should not be that all information is refused to the data subject.
Amendment 504 #
Proposal for a regulation
Recital 55
Recital 55
Amendment 514 #
Proposal for a regulation
Recital 58
Recital 58
(58) Every natural person should have the right not to be subject to a measure which is based on profiling by means of automated processing. However, such measure and which produces legal effects concerning that natural person or significantly affects that natural person. Actual effects should be comparable in their intensity to legal effects to fall under this provision. This is not the case for measures relating to commercial communication, like for example in the field of customer relationship management or customer acquisition. However, a measure based on profiling by automated data processing and which produces legal effects concerning a natural person or significantly affects a natural person should be allowed when expressly authorised by law, carried out in the course of entering or performance of a contract, or when the data subject has given his consent. In any case, such processing should be subject to suitable safeguards, including specific information of the data subject and the right to obtain human intervention and that such measure should not concern a child.
Amendment 523 #
Proposal for a regulation
Recital 62
Recital 62
(62) The protection of the rights and freedoms of data subjects as well as the responsibility and liability of controllers and processor, also in relation to the monitoring by and measures of supervisory authorities, requires a clear attribution of the responsibilities under this Regulation, including where a controller determines the purposes, conditions and means of the processing jointly with other controllers or where a processing operation is carried out on behalf of a controller.
Amendment 531 #
Proposal for a regulation
Recital 65
Recital 65
(65) In order to demonstrate compliance with this Regulation, the controller or processor should document each processing operationshould maintain a description of processing operations under its responsibility. Each controller and processor should be obliged to co-operate with the supervisory authority and make this documentation, on request, available to it, so that it might serve for monitoring those processing operations.
Amendment 552 #
Proposal for a regulation
Recital 74
Recital 74
Amendment 586 #
Proposal for a regulation
Recital 87
Recital 87
(87) These derogations should in particular apply to data transfers required and necessary for the protection of important grounds of public interest, for example in cases of international data transfers between competition authorities, tax or customs administrations, financial supervisory authorities, between services competent for social security matters, between bodies responsible for fighting against match-fixing and fraud in sport, or to competent authorities for the prevention, investigation, detection and prosecution of criminal offences.
Amendment 638 #
Proposal for a regulation
Recital 124 a (new)
Recital 124 a (new)
(124a) The regulation shall be applied in the respect of sport specificity as recognized by Article 165 TFEU, taking into account that due to it societal role sports serves public interests.
Amendment 688 #
Proposal for a regulation
Article 2 – paragraph 2 – point e a (new)
Article 2 – paragraph 2 – point e a (new)
(ea) by sport organisations for the purposes of prevention, detection and investigation of any violations of sports integrity linked with match fixing and doping;
Amendment 716 #
Proposal for a regulation
Article 4 – paragraph 1 – point 1
Article 4 – paragraph 1 – point 1
(1) ‘data subject’ means an identified natural person or a natural person who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. A natural person shall not be considered identifiable if identification requires a disproportionate amount of time, effort or material resources;
Amendment 725 #
Proposal for a regulation
Article 4 – paragraph 1 – point 2
Article 4 – paragraph 1 – point 2
(2) ‘personal data’ means any information relating to a data subject where this information is identifiable as concerning the data subject; information which dot not allow for identification of a data subject and information which would not allow for such identification without a disproportionate amount of time, effort or material resources shall not be considered as personal data;
Amendment 747 #
Proposal for a regulation
Article 4 – paragraph 1 – point 5
Article 4 – paragraph 1 – point 5
(5) ‘controller’ means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes, conditions and means of the processing of personal data; where the purposes, conditions and means of processing are determined by Union law or Member State law, the controller or the specific criteria for his nomination may be designated by Union law or by Member State law;
Amendment 758 #
Proposal for a regulation
Article 4 – paragraph 1 – point 8
Article 4 – paragraph 1 – point 8
(8) ‘the data subject’s consent’ means any freely given specific, and informed and explicit indication of his or her wisexpression of will, eithesr by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processeda statement, an action or a specific conduct, which, in view of the context and circumstances at the time consent is required, signifies the data subject’s agreement to the processing of the personal data;
Amendment 770 #
Proposal for a regulation
Article 4 – paragraph 1 – point 9
Article 4 – paragraph 1 – point 9
(9) ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed when such personal data has not been rendered unintelligible to any person who is not authorized to access it and where such a breach causes or is likely to cause a significant adverse effect on the privacy of the data subject;
Amendment 783 #
Proposal for a regulation
Article 4 – paragraph 1 – point 12
Article 4 – paragraph 1 – point 12
(12) ‘data concerning health’ means any information which directly relates to the physical or mental health of an individual, or to the provision of health services to the individual;
Amendment 819 #
Proposal for a regulation
Article 5 – paragraph 1 – point b
Article 5 – paragraph 1 – point b
(b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes, where the purpose of further processing is not compatible with the one for which the personal data have been collected, the processing must have a legal basis at least in one of the grounds referred to in Article 6(1)(a) to (f), as well as respect all other dispositions of this Regulation;
Amendment 824 #
Proposal for a regulation
Article 5 – paragraph 1 – point c
Article 5 – paragraph 1 – point c
(c) adequate, relevant, and limited to the minimum nenot excessaryive in relation to the purposes for which they are processed; they shall only be processed if, and as long as, the purposes could not be fulfilled by processing information that does not involve personal data;
Amendment 837 #
Proposal for a regulation
Article 5 – paragraph 1 – point e
Article 5 – paragraph 1 – point e
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the data will be processed solely for historical, statistical or scientific research purposes in accordance with the rules and conditions of Article 83 and if a periodic review is carried out to assess the necessity to continue the storage and technical and organizational measures are put in place to limit access to the data only for the purposes of historical, statistical and scientific research;
Amendment 860 #
Proposal for a regulation
Article 6 – paragraph 1 – point c
Article 6 – paragraph 1 – point c
(c) processing is necessary for compliance with a legal obligation to which the controller or the group of undertakings of which the controller is a member or any other member thereof is subject;
Amendment 880 #
Proposal for a regulation
Article 6 – paragraph 1 – point f
Article 6 – paragraph 1 – point f
(f) processing is necessary for the purposes of the legitimate interests pursued by a controller or controllers or by a third party or parties to whom the data are disclosed, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks.
Amendment 888 #
Proposal for a regulation
Article 6 – paragraph 1 – point f a (new)
Article 6 – paragraph 1 – point f a (new)
(fa) processing is necessary in order to ensure availability, reliability, confidentiality and security of the information and communications systems, in particular where this is necessary to discharge the controller's obligations under law, contract or under internal policies, aimed at complying with such obligations;
Amendment 896 #
Proposal for a regulation
Article 6 – paragraph 1 – point f b (new)
Article 6 – paragraph 1 – point f b (new)
(fb) processing is necessary for the establishment, exercise or defence of legal claims;
Amendment 918 #
Proposal for a regulation
Article 6 – paragraph 2
Article 6 – paragraph 2
Amendment 939 #
Proposal for a regulation
Article 6 – paragraph 4
Article 6 – paragraph 4
Amendment 963 #
Proposal for a regulation
Article 6 – paragraph 5
Article 6 – paragraph 5
Amendment 969 #
Proposal for a regulation
Article 7 – paragraph 2
Article 7 – paragraph 2
Amendment 978 #
Proposal for a regulation
Article 7 – paragraph 3
Article 7 – paragraph 3
3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal nor shall it affect the lawfulness of processing of data based on other grounds referred to in Article 6(1).
Amendment 991 #
Proposal for a regulation
Article 7 – paragraph 4
Article 7 – paragraph 4
4. Consent shall not provide a legal basis for the processing, where there is a significant imbalance between the position of the data subject and the controller. There shall be no significant imbalance when the data are processed in the context of employment or contracts protecting against risk.
Amendment 1043 #
Proposal for a regulation
Article 9 – paragraph 1
Article 9 – paragraph 1
1. The processing of personal data, revealing race or ethnic origin, political opinions, religion or beliefs, trade-union membership, and the processing of genetic data or data concerning health or sex life or criminal convictions or related security measuressex life and the processing of personal data intended to reveal information concerning health shall be prohibited.
Amendment 1059 #
Proposal for a regulation
Article 9 – paragraph 2 – point d
Article 9 – paragraph 2 – point d
(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association, organisations active in the labour market or any other non-profit-seeking body with a political, philosophical, religious, sporting or trade- union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the data are not disclosed outside that body without the consent of the data subjects; or
Amendment 1067 #
Proposal for a regulation
Article 9 – paragraph 2 – point g
Article 9 – paragraph 2 – point g
(g) processing is necessary for the performance of a task carried out in the public interest, on the basis of Union law, or Member State law which shall provide for suitable measures to safeguard the data subject's legitimate interests; or
Amendment 1071 #
Proposal for a regulation
Article 9 – paragraph 2 – point h
Article 9 – paragraph 2 – point h
(h) processing of data concerning health is necessary for health purposes and subject to the conditions and safeguards referred to in Article 81personal data intended to reveal information concerning health is necessary for purposes of preventative or occupational medicine, medical diagnosis, the provision of care or treatment or the management of health-care services, where those data are processed by a health professional subject to the obligation of professional secrecy or another person also subject to an equivalent obligation of confidentiality under Member State law or rules established by national competent bodies; or
Amendment 1081 #
Proposal for a regulation
Article 9 – paragraph 2 – point j
Article 9 – paragraph 2 – point j
(j) processing of personal data relating to offences, criminal convictions or related security measures is carried out either under the control of official authority or when the processing is necessary for compliance with a legal or regulatory obligation to which a controller is subject, or for the performance of a task carried out for important public interest reasons, and in so far as authorised by Union law or Member State law providing for adequate safeguards. A complete register of criminal convictions shall be kept only under the control of official authority.
Amendment 1083 #
Proposal for a regulation
Article 9 – paragraph 2 – point j a (new)
Article 9 – paragraph 2 – point j a (new)
(ja) processing is necessary for sole purpose of complying with or giving effect to equal opportunity rights of individuals or for the promotion of inclusion and diversity within the workforce of the controller or the group of undertakings of which the controller is a member.
Amendment 1092 #
Proposal for a regulation
Article 9 – paragraph 3
Article 9 – paragraph 3
Amendment 1100 #
Proposal for a regulation
Article 10 – paragraph 1
Article 10 – paragraph 1
If the data processed by a controller do not permit the controller, through means used by the controller, to identify a natural person, the controller shall not be obliged to acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation.
Amendment 1125 #
Proposal for a regulation
Article 12 – paragraph 1
Article 12 – paragraph 1
1. The controller shall establish procedures for providing the information referred to in Article 14 and for the exercise of the rights of data subjects referred to in Article 13 and Articles 15 to 19. TWhe controller shall provide in particular mechanisms for facilitating the request for the actionre the data subject wishes to exercise the rights referred to in Article 13 and Articles 15 to- 19. Where personal data he shall make a re processed by automated means, the controller shall also provide means for requests to be made electronicallyquest to this effect to the controller by a personally signed or otherwise comparable verified document.
Amendment 1131 #
Proposal for a regulation
Article 12 – paragraph 2
Article 12 – paragraph 2
2. The controller shall inform the data subject without delay and, at the latest within one month of receipt of the requestexcessive delay, whether or not any action has been taken pursuant to Article 13 and Articles 15 to 19 and shall provide the requested information. This period may be prolonged for a further month, if several data subjects exercise their rights and their cooperation is necessary to a reasonable extent to prevent an unnecessary and disproportionate effort on the part of the controller. The information shall be given in writing. Where the data subject makes the request in electronic form, the information shall be provided in electronic form, unless otherwise requested by the data subjecte information shall be given in writing, electronic means included.
Amendment 1142 #
Proposal for a regulation
Article 12 – paragraph 4
Article 12 – paragraph 4
4. The information and the actions taken on requests referred to in paragraph 1 shall be free of charge, except for the costs actually bore by the controller to handle the requests. Where requests are vexatious or manifestly excessive, in particular because of their repetitive character, the controller may charge a fee for providing the information or taking the action requested, or the controller may not take the action requested. In that case, the controller shall bear the burden of proving the manifestly excessive character of the requestrefuse to take the action requested.
Amendment 1152 #
Proposal for a regulation
Article 12 – paragraph 5
Article 12 – paragraph 5
Amendment 1158 #
Proposal for a regulation
Article 12 – paragraph 6
Article 12 – paragraph 6
Amendment 1179 #
Proposal for a regulation
Article 14 – paragraph 1 – point a
Article 14 – paragraph 1 – point a
(a) the identity and the contact details of the controller and, if any, of the controller's representative and of the data protection officer or, if significant, the identity and contact details of the group of undertakings and its data protection officer;
Amendment 1185 #
Proposal for a regulation
Article 14 – paragraph 1 – point b
Article 14 – paragraph 1 – point b
(b) the purposes of the processing for which the personal data are intended, including the contract terms and general conditions where the processing is based on point (b) of Article 6(1) and the legitimate interests pursued by the controller where the processing is based on point (f) of Article 6(1);
Amendment 1191 #
Proposal for a regulation
Article 14 – paragraph 1 – point c
Article 14 – paragraph 1 – point c
Amendment 1202 #
Proposal for a regulation
Article 14 – paragraph 1 – point d
Article 14 – paragraph 1 – point d
(d) the existence of the right to request from the controller access to and rectification, to be forgotten or erasure of the personal data concerning the data subject or to object to the processing of such personal data or to obtain data portability;
Amendment 1206 #
Proposal for a regulation
Article 14 – paragraph 1 – point f
Article 14 – paragraph 1 – point f
(f) where applicable, the recipients or categories of recipients of the personal data outside the controller or the group of undertakings of which the controller is member;
Amendment 1211 #
Proposal for a regulation
Article 14 – paragraph 1 – point g
Article 14 – paragraph 1 – point g
(g) where applicable, that the controller intends to transfer to a third country or international organisation and on the level of protection afforded by that third country or international organisation by reference to an adequacy decision by the Commission;
Amendment 1214 #
Proposal for a regulation
Article 14 – paragraph 1 – point h
Article 14 – paragraph 1 – point h
Amendment 1231 #
Proposal for a regulation
Article 14 – paragraph 3
Article 14 – paragraph 3
3. Where the personal data are not collected from the data subject, the controller shall inform the data subject, in addition to the information referred to in paragraph 1, from which categories of source the personal data originate, except where the data originate from a publicly available source or where the transfer is provided by law or the processing is used for purposes relating to the professional activities of the person concerned.
Amendment 1239 #
Proposal for a regulation
Article 14 – paragraph 4 – point b
Article 14 – paragraph 4 – point b
(b) where the personal data are not collected from the data subject, at the time of the recording or within a reasonable period after the collection, having regard to the specific circumstances in which the data are collected or otherwise processed, or, if a disclosure to another recipient is envisaged, and at the latest when the data are first disclosed, or, if the data shall be used for communication with the person concerned, at the latest at the time of the first communication to that person.
Amendment 1244 #
Proposal for a regulation
Article 14 – paragraph 5 – point a
Article 14 – paragraph 5 – point a
(a) the data subject has already or can be reasonably expected to know the information referred to in paragraphs 1, 2 and 3; or
Amendment 1251 #
Proposal for a regulation
Article 14 – paragraph 5 – point c
Article 14 – paragraph 5 – point c
(c) the data are not collected from the data subject and recordobtaining or disclosure is expressly laid down by law to which the controller is subject, which provides appropriate measures to protect the data subject's legitimate interests, considering the risks represented by the processing and the nature of the personal data; or
Amendment 1258 #
Proposal for a regulation
Article 14 – paragraph 5 – point d a (new)
Article 14 – paragraph 5 – point d a (new)
(da) the information or part of the information referred to in Article 14(1) to (3) is likely to serious impair the ensuring of network and information security. From the moment that the information is not anymore likely to serious impair the achievement of network and information security, the data subject shall be informed without delay.
Amendment 1277 #
Proposal for a regulation
Article 14 – paragraph 7
Article 14 – paragraph 7
Amendment 1284 #
Proposal for a regulation
Article 14 – paragraph 8
Article 14 – paragraph 8
Amendment 1315 #
Proposal for a regulation
Article 15 – paragraph 1 – point h
Article 15 – paragraph 1 – point h
(h) in the case of decisions referred to in Article 20, knowledge of the logic involved in any automatic data processing, the significance and envisaged consequences of such processing, at least in the case of measures referred to in Article 20.
Amendment 1331 #
Proposal for a regulation
Article 15 – paragraph 2
Article 15 – paragraph 2
2. The data subject shall have the right to obtain from the controller communication of the personal data undergoing processing. Where the data subject makes the request in electronic form, the information shall be provided in electronic form, unless otherwise requested by the data subject.
Amendment 1353 #
Proposal for a regulation
Article 15 – paragraph 3
Article 15 – paragraph 3
Amendment 1361 #
Proposal for a regulation
Article 15 – paragraph 4
Article 15 – paragraph 4
Amendment 1368 #
Proposal for a regulation
Article 15 – paragraph 4 a (new)
Article 15 – paragraph 4 a (new)
4a. The information or part of the information to be provided for in Article 15(1) and 15(2) does not have to be delivered when the delivery of information could seriously impair the securing, protecting and maintaining the resiliency of one or more information systems, unless these interests are overridden by the interest of fundamental rights and freedoms of the data subject. From the moment that the information is not anymore likely to seriously impair the achievement of the network and information security, the controller shall grant the data subject access to the information without delay.
Amendment 1373 #
Proposal for a regulation
Article 16 – paragraph 1
Article 16 – paragraph 1
The data subject shall have the right to obtain from the controller the rectification of personal data relating to them which are objectively inaccurate. The data subject shall have the right to obtain completion of incomplete personal data, including by way of and the right to include a supplementing a cstatement for rective statementfication of data which, in the data subject's opinion, are inaccurate.
Amendment 1378 #
Proposal for a regulation
Article 16 – paragraph 1 a (new)
Article 16 – paragraph 1 a (new)
The rights provided for in Article 16(1) do not apply when the data are processed for historical, statistical or scientific purposes and the rectification is likely to render impossible or seriously impair the achievement of the historical, statistical or scientific purposes.
Amendment 1388 #
Proposal for a regulation
Article 17 – paragraph 1 – introductory part
Article 17 – paragraph 1 – introductory part
1. The data subject shall have the right to obtain from the controller the erasure of personal data relating to them and the abstention from further dissemination of such data, especially in relation to personal data which are made available by the data subject while he or she was a child, where. There is no other legal ground for processing than the data subject's consent and one of the following grounds applies:
Amendment 1395 #
Proposal for a regulation
Article 17 – paragraph 1 – point b
Article 17 – paragraph 1 – point b
(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or when the storage period consented to has expired, and where there is no other legal ground for the processing of the data;
Amendment 1396 #
Proposal for a regulation
Article 17 – paragraph 1 – point b a (new)
Article 17 – paragraph 1 – point b a (new)
(ba) when the storage period consented to has expired;
Amendment 1397 #
Proposal for a regulation
Article 17 – paragraph 1 – point c
Article 17 – paragraph 1 – point c
(c) the data subject has successfully objectsed to the processing of personal data pursuant to Article 19;
Amendment 1413 #
Proposal for a regulation
Article 17 – paragraph 2
Article 17 – paragraph 2
Amendment 1427 #
Proposal for a regulation
Article 17 – paragraph 3 – introductory part
Article 17 – paragraph 3 – introductory part
3. The controller shall carry out the erasure without undue delay, except to the extent that the retention of the personal data is necessary:
Amendment 1441 #
Proposal for a regulation
Article 17 – paragraph 3 – point d
Article 17 – paragraph 3 – point d
(d) for compliance with a legal obligation including the requirements of supervisory authorities to retain the personal data by Union or Member State law to which the controller is subject; Member State laws shall meet an objective of public interest, respect the essence of the right to the protection of personal data and be proportionate to the legitimate aim pursued;
Amendment 1456 #
Proposal for a regulation
Article 17 – paragraph 4 – point a
Article 17 – paragraph 4 – point a
Amendment 1459 #
Proposal for a regulation
Article 17 – paragraph 4 – point b
Article 17 – paragraph 4 – point b
(b) the controller no longer needs the personal data for the accomplishment of its task but theydata have to be maintained for purposes of proof;
Amendment 1463 #
Proposal for a regulation
Article 17 – paragraph 4 – point d
Article 17 – paragraph 4 – point d
Amendment 1472 #
Proposal for a regulation
Article 17 – paragraph 7
Article 17 – paragraph 7
Amendment 1482 #
Proposal for a regulation
Article 17 – paragraph 9
Article 17 – paragraph 9
Amendment 1496 #
Proposal for a regulation
Article 18 – paragraph 1
Article 18 – paragraph 1
Amendment 1509 #
Proposal for a regulation
Article 18 – paragraph 2
Article 18 – paragraph 2
Amendment 1519 #
Proposal for a regulation
Article 18 – paragraph 3
Article 18 – paragraph 3
Amendment 1529 #
Proposal for a regulation
Article 19 – paragraph 1
Article 19 – paragraph 1
1. The data subject shall have the right to object, on compelling legitimate grounds relating to theirhis particular situation, at any time to the processing of personal data relating to him which is based on points (d), (e) and (f) of Article 6(1), unless the controller demonstrates compelling legitimate grounds for the processing which override the interests or fundamental rights and freedoms of the data subject.
Amendment 1535 #
Proposal for a regulation
Article 19 – paragraph 2
Article 19 – paragraph 2
2. Where personal data are processed or intended to be processed for direct marketing purposes, the data subject shall have at any time, without any further justification, the right to object free of charge to the processing of their personal data for such marketing. This right shall be explicitly offered to the data subject in an intelligible manner and shall be clearly distinguishable from other information.
Amendment 1544 #
Proposal for a regulation
Article 20 – title
Article 20 – title
Measures based on profilautomated processing
Amendment 1555 #
Proposal for a regulation
Article 20 – paragraph 1
Article 20 – paragraph 1
1. Every natural person shall have the right not to be subject to a measuredecision which produces legal effects concerning this natural person orand significantly negatively affects this natural person, and which is based solely on automated processing intended to evaluate certain personal aspects relating to this natural person or to analyse or predict in particular the natural person's performance at work, economic situation, location, health, personal preferences, or reliability or behaviour.
Amendment 1559 #
Proposal for a regulation
Article 20 – paragraph 2 – introductory part
Article 20 – paragraph 2 – introductory part
2. Subject to the other provisions of this Regulation, a person may be subjected to a measuredecision of the kind referred to in paragraph 1 only if the processing:
Amendment 1574 #
Proposal for a regulation
Article 20 – paragraph 2 – point b
Article 20 – paragraph 2 – point b
(b) is expressly authorized bynecessary to comply with a Union or Member State law which also lays down suitable measures to safeguard the data subject's legitimate interests; or
Amendment 1584 #
Proposal for a regulation
Article 20 – paragraph 2 – point c a (new)
Article 20 – paragraph 2 – point c a (new)
(ca) is carried out in the purpose of monitoring and prevention of frauds; or
Amendment 1586 #
Proposal for a regulation
Article 20 – paragraph 2 – point c b (new)
Article 20 – paragraph 2 – point c b (new)
(cb) is carried out based on well-founded suspicion of committing a crime to the detriment of the controller; or
Amendment 1587 #
Proposal for a regulation
Article 20 – paragraph 2 – point c c (new)
Article 20 – paragraph 2 – point c c (new)
(cc) is carried out for the purpose of assessing risk and credit worthiness, assuring safety and reliability of services provided by a controller; or
Amendment 1588 #
Proposal for a regulation
Article 20 – paragraph 2 – point c d (new)
Article 20 – paragraph 2 – point c d (new)
(cd) is necessary to pursue controller's legitimate interest in accordance with Article 6(1)(ja); or
Amendment 1589 #
Proposal for a regulation
Article 20 – paragraph 2 – point c e (new)
Article 20 – paragraph 2 – point c e (new)
(ce) is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the personal data are disclosed; or
Amendment 1590 #
Proposal for a regulation
Article 20 – paragraph 2 – point c f (new)
Article 20 – paragraph 2 – point c f (new)
(cf) is necessary for the purposes of the legitimate interests of the controller or the third party or parties to whom the profiles or data are disclosed, except where such interests are overridden by the fundamental rights and freedoms of the data subjects; or
Amendment 1591 #
Proposal for a regulation
Article 20 – paragraph 2 – point c g (new)
Article 20 – paragraph 2 – point c g (new)
(cg) is necessary in the vital interests of the data subject.
Amendment 1610 #
Proposal for a regulation
Article 20 – paragraph 4
Article 20 – paragraph 4
4. In the cases referred to in paragraph 2, the information to be provided by the controller under Article 14 shall include information as to the existence of processing for a measuredecision of the kind referred to in paragraph 1 and the envisaged effects of such processing on the data subject.
Amendment 1615 #
Proposal for a regulation
Article 20 – paragraph 5
Article 20 – paragraph 5
Amendment 1650 #
Proposal for a regulation
Article 21 – paragraph 2 a (new)
Article 21 – paragraph 2 a (new)
2a. Articles 11 to 20 shall not apply where the processing of personal data is necessary to enable the controller to comply with other legal, regulatory and professional obligations especially in respect of prevention of money laundering and/or terrorist financing.
Amendment 1749 #
Proposal for a regulation
Article 24 – paragraph 1
Article 24 – paragraph 1
Where a controller determines the purposes, conditions and means of the processing of personal data jointly with others, the joint controllers shall determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the procedures and mechanisms for exercising the rights of the data subject, by means of an arrangement between them.
Amendment 1753 #
Proposal for a regulation
Article 25 – paragraph 2
Article 25 – paragraph 2
Amendment 1782 #
Proposal for a regulation
Article 26 – paragraph 2 – point c
Article 26 – paragraph 2 – point c
Amendment 1785 #
Proposal for a regulation
Article 26 – paragraph 2 – point d
Article 26 – paragraph 2 – point d
(d) determine the conditions for enlisting another processor only with the prior permission of the controller, such as the need of specific or general prior permission of the controller, or the need of written agreement imposing the same obligations on the subprocessor as are imposed on the processor under this regulation;
Amendment 1787 #
Proposal for a regulation
Article 26 – paragraph 2 – point e
Article 26 – paragraph 2 – point e
Amendment 1791 #
Proposal for a regulation
Article 26 – paragraph 2 – point f
Article 26 – paragraph 2 – point f
Amendment 1795 #
Proposal for a regulation
Article 26 – paragraph 2 – point g
Article 26 – paragraph 2 – point g
Amendment 1800 #
Proposal for a regulation
Article 26 – paragraph 2 – point h
Article 26 – paragraph 2 – point h
Amendment 1813 #
Proposal for a regulation
Article 26 – paragraph 4
Article 26 – paragraph 4
4. If a processor processes personal data other than as instructed by the controller, the processor shall be considered to be a controller in respect of that processing and shall be subject to the rules on joint controllers laid down in Article 24.
Amendment 1820 #
Proposal for a regulation
Article 26 – paragraph 5
Article 26 – paragraph 5
Amendment 2101 #
Proposal for a regulation
Article 34 – paragraph 1
Article 34 – paragraph 1
1. The controller or the processor as the case may be shall obtain an authorisation from the supervisory authority prior to the processing of personal data, in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risks involved for the data subjects where a controller or processor adopts contractual clauses as provided for in point (d) of Article 42(2) or does not provide for the appropriate safeguards in a legally binding instrument as referred to in Article 42(5) for the transfer of personal data to a third country or an international organisation.
Amendment 2103 #
Proposal for a regulation
Article 34 – paragraph 1 a (new)
Article 34 – paragraph 1 a (new)
1a. Member States may submit by law the processing of personal data by public or private institutions who execute a task of public interest, such as the contribution to the application of the social security or to the execution of public health, to the prior authorization, in order to avoid processing which gravely affects the data subject's fundamental rights.
Amendment 2106 #
Proposal for a regulation
Article 34 – paragraph 2
Article 34 – paragraph 2
Amendment 2117 #
Proposal for a regulation
Article 34 – paragraph 3
Article 34 – paragraph 3
3. Where the competent supervisory authority is of the opiniondetermines in accordance with its powers that the intended processing does not comply with this Regulation, in particular where risks are insufficiently identified or mitigated, it shall prohibit the intended processing and make appropriate proposals to remedy such incompliance. Such a decision shall be subject to appeal in a competent court and it may not be enforceable while being appealed unless the processing results to immediate serious harm suffered by data subjects.
Amendment 2120 #
Proposal for a regulation
Article 34 – paragraph 4
Article 34 – paragraph 4
Amendment 2124 #
Proposal for a regulation
Article 34 – paragraph 5
Article 34 – paragraph 5
Amendment 2127 #
Proposal for a regulation
Article 34 – paragraph 6
Article 34 – paragraph 6
Amendment 2132 #
Proposal for a regulation
Article 34 – paragraph 7
Article 34 – paragraph 7
7. Member States shall consult the supervisory authority in the preparation of a legislative measure to be adopted by the national parliament or of a measure based on such a legislative measure, which defines the nature of the processing, in order to ensurdemonstrate the compliance of the intended processing with this Regulation and in particular to mitigate the risks involved for the data subjects.
Amendment 2137 #
Proposal for a regulation
Article 34 – paragraph 8
Article 34 – paragraph 8
Amendment 2141 #
Proposal for a regulation
Article 34 – paragraph 9
Article 34 – paragraph 9
9. The Commission may set out standard forms and procedures for prior authorisations and consultations referred to in paragraphs 1 and 2, andnon mandatory standard forms and procedures for informing the supervispriory authorities pursuant to paragraph 6sations. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
Amendment 2144 #
Proposal for a regulation
Article 35 – paragraph 1
Article 35 – paragraph 1
1. The controller and the processor shallMember States shall encourage the designateion of a data protection officer in any case where: (a) the processing is carried out by a public authority or body; or (b) the processing is carried out by an enterprise employing 250 persons or more; or (c) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjectsby the data controller and the data processor and may require such designation in some cases provided for in their national legislation.
Amendment 2192 #
Proposal for a regulation
Article 35 – paragraph 2
Article 35 – paragraph 2
2. In the case referred to in point (b) of paragraph 1, aA group of undertakings may appoint a single data protection officer.
Amendment 2204 #
Proposal for a regulation
Article 35 – paragraph 4
Article 35 – paragraph 4
Amendment 2223 #
Proposal for a regulation
Article 35 – paragraph 7
Article 35 – paragraph 7
Amendment 2236 #
Proposal for a regulation
Article 35 – paragraph 8
Article 35 – paragraph 8
Amendment 2239 #
Proposal for a regulation
Article 35 – paragraph 9
Article 35 – paragraph 9
Amendment 2258 #
Proposal for a regulation
Article 36 – paragraph 2
Article 36 – paragraph 2
Amendment 2291 #
Proposal for a regulation
Article 37 – paragraph 1 – introductory part
Article 37 – paragraph 1 – introductory part
1. The controller or the processor shall entrust the data protection officer at least with the following tasksdetermine the tasks to be performed by the data protection organisation or the data protection officer in order to ensure compliance with this Regulation:
Amendment 2294 #
Proposal for a regulation
Article 37 – paragraph 1 – point a
Article 37 – paragraph 1 – point a
(a) to inform and advise the controller or the processor of their obligations pursuant to this Regulation and to document this activity and the responses received;
Amendment 2297 #
Proposal for a regulation
Article 37 – paragraph 1 – point b
Article 37 – paragraph 1 – point b
(b) to monitor the implementation and application of the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, the training of staff involved in the processing operations, and the related auditsdevelop, support and monitor the implementation of measures referred to in Article 22;
Amendment 2301 #
Proposal for a regulation
Article 37 – paragraph 1 – point c
Article 37 – paragraph 1 – point c
(c) to monitor the implementation and application of this Regulation, in particular as to the requirements related to data protection by design, data protection by default and data security and to the information of data subjects and their requests in exercising their rights undercompliance this Regulation;
Amendment 2304 #
Proposal for a regulation
Article 37 – paragraph 1 – point d
Article 37 – paragraph 1 – point d
Amendment 2307 #
Proposal for a regulation
Article 37 – paragraph 1 – point e
Article 37 – paragraph 1 – point e
Amendment 2310 #
Proposal for a regulation
Article 37 – paragraph 1 – point f
Article 37 – paragraph 1 – point f
Amendment 2316 #
Proposal for a regulation
Article 37 – paragraph 1 – point g
Article 37 – paragraph 1 – point g
Amendment 2319 #
Proposal for a regulation
Article 37 – paragraph 1 – point h
Article 37 – paragraph 1 – point h
Amendment 2327 #
Proposal for a regulation
Article 37 – paragraph 2
Article 37 – paragraph 2
Amendment 2339 #
Proposal for a regulation
Article 38 – paragraph 3
Article 38 – paragraph 3
3. Associations and other bodies representing categories of controllers in several Member States may submit draft codes of conduct and amendments or extensions to existing codes of conduct to the CommissionEuropean Data Protection Board.
Amendment 2342 #
Proposal for a regulation
Article 38 – paragraph 4
Article 38 – paragraph 4
Amendment 2420 #
Proposal for a regulation
Article 42 – paragraph 1
Article 42 – paragraph 1
1. Where the Commission has taken no decision pursuant to Article 41, a controller or processor may transfer personal data to a controller or processor in a third country or an international organisation only if the controller or processor has adduced appropriate safeguards with respect to the protection of personal data in a legally binding instrument.
Amendment 2435 #
Proposal for a regulation
Article 42 – paragraph 2 – point d a (new)
Article 42 – paragraph 2 – point d a (new)
(da) cooperation agreements or unilateral undertaking by public authorities.
Amendment 2440 #
Proposal for a regulation
Article 42 – paragraph 2 a (new)
Article 42 – paragraph 2 a (new)
2a. The appropriate safeguards referred to in paragraph 1 may also be provided by a single legally binding instrument between the processor and another processor that impose substantively the same obligations on the subprocessor as the EU standard data protection clauses adopted by the Commission where a processor is engaged by multiple controllers to carry out substantively similar processing operations in relation to their respective personal data and such personal data of multiple controllers are transferred to another processor in a third country by the processor and/or by the controller.
Amendment 2447 #
Proposal for a regulation
Article 42 – paragraph 3
Article 42 – paragraph 3
3. A transfer based on standard data protection clauses or binding corporate rules as referred to in points (a), (b) or (c) of paragraph 2 shall not require any further authorisation, a single legally binding document as referred to in paragraph 3 or between groups of undertakings with binding corporate rules shall be deemed to comply with paragraph 1 of this Article and shall not require any consultation with, submission to, approval or authorisation by supervisory authorities.
Amendment 2463 #
Proposal for a regulation
Article 42 – paragraph 5
Article 42 – paragraph 5
5. Where thepublic authorities make use of appropriate safeguards with respect to the protection of personal data but these are not provided for in a legally binding instrument, the controller or processoras mentioned in paragraph 2 sub d a), they shall obtain prior authorisation for the transfer, or a set of transfers, or for provisions to be inserted into administrative arrangements providing the basis for such transfer. Such authorisation by the supervisory authority shall be in accordance with point (a) of Article 34(1). If the transfer is related to processing activities which concern data subjects in another Member State or other Member States, or substantially affect the free movement of personal data within the Union, the supervisory authority shall apply the consistency mechanism referred to in Article 57. Authorisations by a supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid, until amended, replaced or repealed by that supervisory authority.
Amendment 2468 #
Proposal for a regulation
Article 43 – paragraph 1 – introductory part
Article 43 – paragraph 1 – introductory part
1. A supervisory authority shall in accordance withControllers and/or processors that wish to provide appropriate safeguards by binding corporate rules as referred to in Article 42(2)(a) shall notify the appropriate supervisory authorities of the consexistency mechanism set out in Article 58e of their binding corporate rules and the supervisory authorities shall be deemed to have approved the binding corporate rules, provided that they:
Amendment 2473 #
Proposal for a regulation
Article 43 – paragraph 1 – point a
Article 43 – paragraph 1 – point a
(a) are legally binding and apply to and are enforced by every member within the controller's or processor's group of undertakings and their subcontractors that is included in the scope of the binding corporate rules, and include their employees;
Amendment 2479 #
Proposal for a regulation
Article 43 – paragraph 2 – point a
Article 43 – paragraph 2 – point a
(a) the structure and contact details of the group of undertakings and its members and their subcontractors;
Amendment 2482 #
Proposal for a regulation
Article 43 – paragraph 2 – point h
Article 43 – paragraph 2 – point h
(h) the tasks of the data protection officer designated in accordance with Article 35, including monitoring within the group of undertakings the compliance with the binding corporate rules, as well as monitoring the training and complaint handling;
Amendment 2483 #
Proposal for a regulation
Article 43 – paragraph 2 a (new)
Article 43 – paragraph 2 a (new)
2a. Where a processor wishes to provide appropriate safeguards by binding corporate rules as referred to in Article 42(2)(a), the matters referred to in Article 43(2)(a) to (k): (a) shall only apply to the extent they are applicable to the processor and are relevant to the data subject; and (b) can be specified in relation to each controller.
Amendment 2484 #
Proposal for a regulation
Article 43 – paragraph 3
Article 43 – paragraph 3
Amendment 2486 #
Proposal for a regulation
Article 43 – paragraph 4
Article 43 – paragraph 4
Amendment 2505 #
Proposal for a regulation
Article 44 – paragraph 1 – point h
Article 44 – paragraph 1 – point h
(h) the transfer is necessary for the purposes of the legitimate interests pursued by the controller or the processor, which cannot be qualified as frequent or massive, and where the controller or processor has assessed all the circumstances surrounding the data transfer operation or the set of data transfer operations and based on this assessment adduced appropriate safeguards authorized by a supervisory authority with respect to the protection of personal data, where necessary.
Amendment 2560 #
Proposal for a regulation
Article 48 – paragraph 1
Article 48 – paragraph 1
1. Member States shall provide that the members of the supervisory authority must be appointed either by the parliament or the government of the Member State concerned.
Amendment 2563 #
Proposal for a regulation
Article 48 – paragraph 4
Article 48 – paragraph 4
4. A member may be dismissed or deprived oif the right to a pension or other benefits in its stead by the competent national court, if the member no longer fulfils the conditions required for the performance of thehis duties or is guilty of serious misconductas member of the supervisory authority.
Amendment 2606 #
Proposal for a regulation
Article 52 – paragraph 1 – point f a (new)
Article 52 – paragraph 1 – point f a (new)
(fa) decide in which cases a Privacy Impact Assessment referred to in Article 33 needs to be carried out, in particular when it is consulted by Member State institutions and bodies on legislative and administrative measures relating to the protection of individuals' rights and freedoms with regard to the processing of personal data;
Amendment 2620 #
Proposal for a regulation
Article 53 – paragraph 1 – point a
Article 53 – paragraph 1 – point a
(a) to notify the controller or the processor of an alleged breach of the provisions governing the processing of personal data, and, where appropriate, order the controller or the processor to remedy that breach, in a specific manner, in order to improve the protection of the data subject or, where necessary, oblige the controller to communicate the personal data breach to the data subject;
Amendment 2678 #
Proposal for a regulation
Article 58 – paragraph 7
Article 58 – paragraph 7
7. The European Data Protection Board shall issue an opinion on the matter, if the European Data Protection Board so decides by simple majority of its members or any supervisory authority or the Commission so requests within onetwo week after the relevant information has been provided according to paragraph 5. The opinion shall be adopted within onetwo month by simple majority of the members of the European Data Protection Board. The chair of the European Data Protection Board shall inform, without undue delay, the supervisory authority referred to, as the case may be, in paragraphs 1 and 3, the Commission and the supervisory authorityies competent under Article 51 of the opinion and make it public.
Amendment 2682 #
Proposal for a regulation
Article 58 – paragraph 8
Article 58 – paragraph 8
8. The supervisory authority referred to in paragraph 1 and the supervisory authorityies competent under Article 51 (1) shall take account of the opinion of the European Data Protection Board and shall within two weeks after the information on the opinion by the chair of the European Data Protection Board, electronically communicate to the chair of the European Data Protection Board and to the Commission whether it maintains or amends its draft measure and, if any, the amended draft measure, using a standardised format.
Amendment 2693 #
Proposal for a regulation
Article 59 – paragraph 3
Article 59 – paragraph 3
Amendment 2698 #
Proposal for a regulation
Article 59 – paragraph 4
Article 59 – paragraph 4
4. Where the supervisory authority concerned intends not to follow the opinion of the Commission, it shall inform the Commission and the European Data Protection Board thereof within the period referred to in paragraph 1one month and provide a reasoned justification. In this case the draft measureThis reasoned justification shall not be madopted for one further monthe publicly available.
Amendment 2699 #
Proposal for a regulation
Article 59 – paragraph 4 a (new)
Article 59 – paragraph 4 a (new)
4a. Where the Commission has adopted an opinion in accordance with paragraph 1, the supervisory authority concerned shall take the utmost account of the Commission's opinion and inform the Commission and the European Data Protection Board whether it intends to maintain or amend its draft measure.
Amendment 2701 #
Proposal for a regulation
Article 60
Article 60
Amendment 2745 #
Proposal for a regulation
Article 66 – paragraph 1 – point g a (new)
Article 66 – paragraph 1 – point g a (new)
(ga) examine codes of conduct and amendments or extensions to existing codes of conduct submitted to it pursuant to Article 38(3).
Amendment 2778 #
Proposal for a regulation
Article 73 – paragraph 2
Article 73 – paragraph 2
Amendment 2788 #
Proposal for a regulation
Article 73 – paragraph 3
Article 73 – paragraph 3
Amendment 2812 #
Proposal for a regulation
Article 76 – paragraph 1
Article 76 – paragraph 1
Amendment 2823 #
Proposal for a regulation
Article 77 – paragraph 1
Article 77 – paragraph 1
1. Any person who has suffered damage as a result of an unlawful processing operation or of an action incompatible with this Regulation shall have the right to receive compensation from the controller for the processor for the damage suffereddamage suffered. If a processor processes personal data for purposes other than as instructed by the controller, they may be held liable should any person suffer damage as a result of such processing.
Amendment 2829 #
Proposal for a regulation
Article 77 – paragraph 2
Article 77 – paragraph 2
2. Where more than one controller or processor is involved in the processing, each controller or processor shall be jointly and severally liable for the entire amount of the damageshall be liable only to the extent that he is responsible for the event giving rise to the damage and that liability has not already been established in the determination or responsibilities envisaged in Article 24.
Amendment 2833 #
Proposal for a regulation
Article 77 – paragraph 3
Article 77 – paragraph 3
Amendment 2851 #
Proposal for a regulation
Article 79 – paragraph 1
Article 79 – paragraph 1
1. Each competent supervisory authority shall be empowered to impose administrative sanctions in accordance with this Article.
Amendment 2864 #
Proposal for a regulation
Article 79 – paragraph 2
Article 79 – paragraph 2
2. The administrative sanction shall be in each individual case effective, proportionate and dissuasive. The amount of the administrative fine shall be fixed with due regard to the nature, gravity and duration of the breach, the sensitivity of the personal data at issue, the intentional or negligent character of the infringement, the degree of harm or risk of significant harm created by the violation, the degree of responsibility of the natural or legal person and of previous breaches by this person, the technical and organisational measures and procedures implemented pursuant to Article 23 and the degree of co-operation with the supervisory authority in order to remedy the breach. While some discretion is granted in the imposition of such sanctions to take into account the circumstances outlined above and other facts specific to the situation, divergences in the application of administrative sanctions may be subject to review pursuant to the consistency mechanism. In setting an administrative fine, supervisory authorities shall also take into account fines, damages or other penalties previously imposed by a court or other body on the natural or legal person in respect of the violation issue. Aggravating factors that support administrative fines at the upper limits established in paragraphs 4 to 6 shall include in particular: (a) repeated violations committed in reckless disregard of applicable law; (b) refusal to cooperate with or obstruction of an enforcement process; and (c) violations that are deliberate, serious and likely to cause substantial damage. Mitigating factors which support administrative fines at the lower limits shall include: (a) measures having been taken by the natural or legal person to ensure compliance with relevant obligations; (b) genuine uncertainty as to whether the activity constituted a violation of the relevant obligations; (c) immediate termination of the violation upon knowledge; and (d) cooperation with any enforcement processes.
Amendment 2877 #
Proposal for a regulation
Article 79 – paragraph 3 – introductory part
Article 79 – paragraph 3 – introductory part
3. In case of a first and non-intentional non-compliance with this Regulation, a warning in writing may be given and no sanction imposed, where: (a) a natural person is processing personal data without a commercial interest; or (b) an enterprise or an organisation employing fewer than 250 persons is processing personal data only as an activity ancillary to its main activities.
Amendment 2890 #
Proposal for a regulation
Article 79 – paragraph 4 – introductory part
Article 79 – paragraph 4 – introductory part
4. The supervisory authority shallmay impose a fine up to 250 000 EUR, or in case of an enterprise up to 0,5 % of its annual worldwide turnover, to anyone who, intentionally or negligently:
Amendment 2903 #
Proposal for a regulation
Article 79 – paragraph 5 – introductory part
Article 79 – paragraph 5 – introductory part
5. The supervisory authority shall imposes a fine up to 500 000 EUR, or in case of an enterprise up to 1 % of its annual worldwide turnover, to anyone who, intentionally or negligently:
Amendment 2909 #
Proposal for a regulation
Article 79 – paragraph 5 – point c
Article 79 – paragraph 5 – point c
(c) does not comply with the right to be forgotten or to erasure, on websites or data within their control, or fails to put mechanisms in place to ensure that the time limits are observed or does not take all necessary steps to inform third parties that a data subjects requests to erase any links to, or copy or replication of the personal data pursuant Article 17;
Amendment 2912 #
Proposal for a regulation
Article 79 – paragraph 5 – point e
Article 79 – paragraph 5 – point e
Amendment 2913 #
Proposal for a regulation
Article 79 – paragraph 5 – point f
Article 79 – paragraph 5 – point f
Amendment 2923 #
Proposal for a regulation
Article 79 – paragraph 6 – introductory part
Article 79 – paragraph 6 – introductory part
6. The supervisory authority shallmay impose a fine up to 1 000 000 EUR or, in case of an enterprise up to 2 % of its annual worldwide turnover, to anyone who, intentionally or negligently:
Amendment 2931 #
Proposal for a regulation
Article 79 – paragraph 6 – point e
Article 79 – paragraph 6 – point e
Amendment 2933 #
Proposal for a regulation
Article 79 – paragraph 6 – point f
Article 79 – paragraph 6 – point f
Amendment 2935 #
Proposal for a regulation
Article 79 – paragraph 6 – point i
Article 79 – paragraph 6 – point i
Amendment 2946 #
Proposal for a regulation
Article 79 – paragraph 7
Article 79 – paragraph 7
7. Where convincing evidence exists of continued negligence or gross negligence by organisations in the execution of their responsibilities under this Regulation or the failure of these sanctions to deter serious abuses that cannot be addressed under the current framework. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of updating the amounts or conditions of the administrative fines referred to in paragraphs 4, 5 and 6, taking into account the criteria referred to in paragraph 2.
Amendment 2957 #
Proposal for a regulation
Article 80 – paragraph 1
Article 80 – paragraph 1
1. Member States shall provide for exemptions or derogations from the provisions on the gChapter II (General principles in), Chapter II, the rI (Rights of the data subject in), Chapter III, on cV (Controller and processor in), Chapter IV, on the tV (Transfer of personal data to third countries and international organisations in), Chapter V, the iI (Independent supervisory authorities in ), Chapter VI and on co-I (Cooperation and consistency in Chapter VII for) as well as Articles 73, 74, 76 and 79 of Chapter VIII (Remedies, liability and sanctions) shall not apply to the processing of personal data carried out solely for journalistic purposes or the purpose of artistic or literary expression in order to reconcile the right to the protection of personal data with the rules governing freedom of expression.
Amendment 2966 #
Proposal for a regulation
Article 80 – paragraph 2
Article 80 – paragraph 2
Amendment 2970 #
Proposal for a regulation
Article 80 a (new)
Article 80 a (new)
Article 80a Member States may determine the conditions for processing a national identification number or any other identifier of general application.
Amendment 2972 #
Proposal for a regulation
Article 81
Article 81
Amendment 3092 #
Proposal for a regulation
Article 83 – paragraph 3
Article 83 – paragraph 3
Amendment 3132 #
Proposal for a regulation
Article 91 – paragraph 2 – subparagraph 1
Article 91 – paragraph 2 – subparagraph 1
It shall apply from [two years from the date referred to in paragraph 1] without prejudice to the use of personal data lawfully processed before that date.