Activities of Christian ENGSTRÖM related to 2012/0011(COD)
Shadow opinions (1)
OPINION on the proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)
Amendments (25)
Amendment 113 #
Proposal for a regulation
Recital 33
Recital 33
(33) In order to ensure free consent, it should be clarified that consent does not provide a valid legal ground where the individual has no genuine and free choice and is subsequently not able to refuse or withdraw consent without detriment. Similarly, consent should not provide a legal basis for data processing when the data subject has no different access to equivalent services. Default settings such as pre-ticked boxes, silence, or the simple use of a service do not imply consent.
Amendment 116 #
Proposal for a regulation
Recital 34
Recital 34
(34) Consent should not provide a valid legal ground for the processing of personal data, where there is a clear imbalance between the data subject and the controller. This is especially the case where the data subject is in a situation of dependence from the controller, among others, : -where personal data are processed by the employer of employees' personal data in the employment context. W or; -where the processor or controller is in a dominant market position as regards the products or services offered to the data subject or; -where the controller is a public authority, there would be an imbalance only in the specific data processing operations where the public authority can impose an obligation by virtue of its relevant public powers and the consent cannot be deemed as freely given, taking into account the interest of the data subject.
Amendment 160 #
Proposal for a regulation
Article 4 – paragraph 1 – point 1
Article 4 – paragraph 1 – point 1
(1) ‘'data subject’' means an identified natural person or a natural person who can be identified or singled out, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an unique identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or , social identityor gender identity or sexual orientation of that person;
Amendment 169 #
Proposal for a regulation
Article 4 – paragraph 1 – point 3 a (new)
Article 4 – paragraph 1 – point 3 a (new)
(3 a) 'profiling' means any form of automated processing of personal data intended to evaluate certain personal aspects relating to a natural person or to analyse or predict in particular the natural person's performance at work, economic situation, location, health, personal preferences, reliability or behaviour;
Amendment 189 #
Proposal for a regulation
Article 6 – paragraph 1 – point f
Article 6 – paragraph 1 – point f
Amendment 213 #
Proposal for a regulation
Article 7 – paragraph 4 a (new)
Article 7 – paragraph 4 a (new)
4 a. The execution of a contract or the provision of a service may not be made dependent on the consent to the processing or use of data that is not necessary for the execution of the contract or the provision of the service according to Article 6 (1) (b).
Amendment 233 #
Proposal for a regulation
Article -11 (new)
Article -11 (new)
Article -11 General principles for data subject rights 1. The basis of data protection are clear and unambiguous rights for the data subject with respect to the data controller. The provisions of this Regulation aim to strengthen, clarify, guarantee and where appropriate, codify, these rights. 2. Such rights include, inter alia, the provision of clear, easily understood information regarding the data controller's policies for data subject access, rectification and erasure to their data, the right to data portability and the right to object to profiling; that such rights in general must be exercised free of charge and that the data controller will undertake requests from the data subject within a reasonable period of time.
Amendment 235 #
Proposal for a regulation
Article 11 – paragraph 2 a (new)
Article 11 – paragraph 2 a (new)
2 a. Information for data subjects shall be provided in a format offering data subjects the information needed to understand their position and make decisions in an appropriate way. Full information shall be available on request. Therefore the controller shall provide transparency in information and communication in his data protection policies through an easily understandable icon-based mode of description for the different steps of data-processing.
Amendment 236 #
Proposal for a regulation
Article 11 – paragraph 2 b (new)
Article 11 – paragraph 2 b (new)
2 b. The Commission may lay down technical standards for the purpose of further specifying the mode of description laid down in paragraph 3 concerning e.g. the processing, storage duration, transfer or deletion of data by establishing icons or other instruments in order to provide information in a standardised way. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87 (2).
Amendment 240 #
Proposal for a regulation
Article 12 – paragraph 4
Article 12 – paragraph 4
4. The information and the actions taken on requests referred to in paragraph 1 shall be free of charge. Where requests are manifestly excessive, in particular because of their repetitive character, the controller may charge a reasonable fee for providing the information or taking the action requested, or the controller may not take the action requested. In that case, the controller shall bear the burden of proving the manifestly excessive character of the request.
Amendment 275 #
Proposal for a regulation
Article 17 – paragraph 2
Article 17 – paragraph 2
2. Where the controller referred to in paragraph 1 has made the personal data public without the consent of the data subject, it shall take all reasonable steps, including technical measures, in relation to data for the publication of which the controller is responsible, to inform third parties which are processing such data, that a data subject requests them to erase any links to, or copy or replication of that personal data. Where the controller has authorised a third party publication of personal data, the controller shall be considered responsible for that publication.
Amendment 292 #
Proposal for a regulation
Article 20 – paragraph 1
Article 20 – paragraph 1
1. Every natural person shall have the right, both offline and online, not to be subject to a measure which produces legal effects concerning this natural person or significantly affects this natural person, and which is based solely on automated processing intended to evaluate certain personal aspects relating to this natural person or to analyse or predict in particular the natural person's performance at work, economic situation, location, health, personal preferences, reliability or behaviour.
Amendment 297 #
Proposal for a regulation
Article 20 – paragraph 2 – introductory part
Article 20 – paragraph 2 – introductory part
2. Subject to the other provisions of this Regulation, including paragraphs (3) and (4), a person may be subjected to a measure of the kind referred to in paragraph 1 only if the processing:
Amendment 299 #
Proposal for a regulation
Article 20 – paragraph 2 – point a
Article 20 – paragraph 2 – point a
(a) is carried out in the course ofnecessary for the entering into, or performance of, a contract, where the request for the entering into or the performance of the contract, lodged by the data subject, has been satisfied or where suitable measures to safeguard the data subject's legitimate interests have been adduced, such as the right to obtain human intervention; or including the right to be provided with meaningful information about the logic used in the profiling, and the right to obtain human intervention, including an explanation of the decision reached after such intervention; or
Amendment 303 #
Proposal for a regulation
Article 20 – paragraph 2 – point b
Article 20 – paragraph 2 – point b
(b) is expressly authorized by a Union or Member State law which also lays down suitable measures to safeguard the data subject's legitimate interests, and which protects the data subjects against possible discrimination resulting from measures described in paragraph 1; or
Amendment 304 #
Proposal for a regulation
Article 20 – paragraph 2 – point c
Article 20 – paragraph 2 – point c
(c) is based on the data subject's consent, subject to the conditions laid down in Article 7 and to suitable safeguards, including effective protection against possible discrimination resulting from measures described in paragraph 1.
Amendment 310 #
Proposal for a regulation
Article 20 – paragraph 3
Article 20 – paragraph 3
3. Automated processing of personal data intended to evaluate certain personal aspects relating to a natural person shall not be based solely oninclude or generate any data that fall under the special categories of personal data referred to in Article 9, except when they fall under the exceptions listed in Article 9(2).
Amendment 311 #
Proposal for a regulation
Article 20 – paragraph 3 a (new)
Article 20 – paragraph 3 a (new)
Amendment 313 #
Proposal for a regulation
Article 20 – paragraph 3 b (new)
Article 20 – paragraph 3 b (new)
3 b. Automated processing of personal data intended to evaluate certain personal aspects relating to a natural person shall not be used to identify or individualise children.
Amendment 315 #
Proposal for a regulation
Article 20 – paragraph 4
Article 20 – paragraph 4
4. In the cases referred to in paragraph 2, the information to be provided by the controller under Articles 14 and 15 shall include information as to the existence of processing for a measure of the kind referred to in paragraph 1 and the envisaged effects of such processing on the data subject, as well as the access to the logic underpinning the data undergoing processing.
Amendment 318 #
Proposal for a regulation
Article 20 – paragraph 5
Article 20 – paragraph 5
5. TWithin six months of the coming into force of this Regulation, the Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and conditions for suitable measures to safeguard the data subject's' legitimate interests referred to in paragraph 2. The Commission shall consult representatives of data subjects and the Data Protection Board on its proposals before issuing them.
Amendment 357 #
Proposal for a regulation
Article 31 – paragraph 1
Article 31 – paragraph 1
1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 724 hours after having become aware of it, notify the personal data breach to the supervisory authority. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 724 hours.
Amendment 367 #
Proposal for a regulation
Article 32 – paragraph 1
Article 32 – paragraph 1
1. When the personal data breach is likely to adversely affect the protection of the personal data or privacy of the data subject, the controller shall, after the notification referred to in Article 31, communicate the personal data breach to the data subject without undue delayin the 72 hours after having become aware of the data breach.
Amendment 409 #
Proposal for a regulation
Article 73 – paragraph 2
Article 73 – paragraph 2
2. Any body, organisation or association which aims to protect data subjects‘ rights and interests concerning the protection of their personal data andacting in the public interest rather than only on an individual s behalf which has been properly constituted according to the law of a Member State shall have the right to lodge a complaint with a supervisory authority in any Member State on behalf of one or more data subjects if it considers that a data subject's rights under this Regulation have been infringed as a result of the processing of personal data.
Amendment 413 #
Proposal for a regulation
Article 76 – paragraph 1
Article 76 – paragraph 1
1. Any body, organisation or association referred to in Article 73(2) shall have the right to exercise the rights referred to in Articles 74, 75 and 757 on behalf of one or more data subjects.