47 Amendments of Morten LØKKEGAARD related to 2012/0011(COD)
Amendment 102 #
Proposal for a regulation
Recital 25
Recital 25
(25) Consent should be given explicitly by any appropriate method enabling a freely given specific and informed indication of the data subject's wishes, either by a statement or by a clear affirmative action by the data subject, ensuring that individuals are aware that they give their consent to the processing of personal data, including by ticking a box when visiting an Internet website or by any other statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of their personal data. Silence or inactivity should therefore not constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. If the data subject's consent is to be given following an electronic request, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
Amendment 115 #
Proposal for a regulation
Recital 34
Recital 34
(34) Consent should not provide a valid legal ground for the processing of personal data, where there is a clear imbalance between the data subject and the controller. This is especially the case where the data subject is in a situation of dependence from the controller, among others, where personal data are processed by the employer of employees' personal data in the employment context. Where the controller is a public authority, there would be an imbalance only in the specific data processing operations where the public authority can impose an obligation by virtue of its relevant public powers and the consent cannot be deemed as freely given, taking into account the interest of the data subject. However, imbalance between the controller and the data subject is not a problem where Union or Member State law has made the data subject's consent a specific condition for a specific type of processing of the personal data or set of processing operations.
Amendment 147 #
Proposal for a regulation
Article 2 – paragraph 2 – point b
Article 2 – paragraph 2 – point b
Amendment 158 #
Proposal for a regulation
Article 3 – paragraph 2 – point b
Article 3 – paragraph 2 – point b
(b) the monitoring of their behaviourthe behaviour of such data subjects with a view to offering goods or services to them.
Amendment 165 #
Proposal for a regulation
Article 4 – paragraph 1 – point 2
Article 4 – paragraph 1 – point 2
(2) ‘personal data’ means any information relating to a data subject; data that cannot be related to a data subject such as anonymised data or some pseudonymised data fall outside the scope of this regulation; Business Contact Information fall outside this regulation;
Amendment 174 #
Proposal for a regulation
Article 4 – paragraph 1 – point 8
Article 4 – paragraph 1 – point 8
(8) ‘the data subject's consent’ means any freely given specific, and informed and explicit indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed;
Amendment 177 #
Proposal for a regulation
Article 4 – paragraph 1 – point 9
Article 4 – paragraph 1 – point 9
(9) ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed; strongly encrypted data, where there is evidence that the encryption key has not been compromised fall outside this legislation
Amendment 186 #
Proposal for a regulation
Article 6 – paragraph 1 – point c
Article 6 – paragraph 1 – point c
(c) processing is necessary for compliance with aor to avoid breach of an EU or national legal obligation or legal right to which thea controller is subject; including the performance of a task carried out for assessing creditworthiness or for fraud prevention and detection purposes.
Amendment 188 #
Proposal for a regulation
Article 6 – paragraph 1 – point e
Article 6 – paragraph 1 – point e
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or for the performance of a task carried out for assessing creditworthiness or for fraud prevention and detection purposes;
Amendment 194 #
Proposal for a regulation
Article 6 – paragraph 1 – point f a (new)
Article 6 – paragraph 1 – point f a (new)
(f a) The data are collected from public registers, lists or documents accessible by everyone;
Amendment 197 #
Proposal for a regulation
Article 6 – paragraph 1 – point f b (new)
Article 6 – paragraph 1 – point f b (new)
(f b) The processing is necessary to defend an interest, collecting evidences as judicial proofs or file an action.
Amendment 199 #
Proposal for a regulation
Article 6 – paragraph 3 – subparagraph 2
Article 6 – paragraph 3 – subparagraph 2
The law of the Member State must meet an objective of public interest or must be necessary to protect the rights and freedoms of others, respect the essence of the right to the protection of personal data and be. The law of the Member State must also respect this regulation and international treatises that the Member State has decided to follow. Finally the Member State is obliged to evaluate and decide if national legislation is proportionate to the legitimate aim pursued or if a legitimate aim could be achieved using less privacy invasive solutions.
Amendment 205 #
Proposal for a regulation
Article 7 – paragraph 3
Article 7 – paragraph 3
3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal or in cases where a minimum mandatory term of storage is provided by a European or national law, or data are processed according to European and national regulatory provisions, or for anti-fraud or legal purposes. The data subject has to communicate his willingness to withdraw his or her consent to the processor. The withdrawal of the consent is effective 30 days after the receipt of the declaration.
Amendment 211 #
Proposal for a regulation
Article 7 – paragraph 4
Article 7 – paragraph 4
4. Consent shall not provide a legal basis for the processing, where there is a significant imbalance between the position of the data subject and the controller; on the labour market there is not considered to be a significant imbalance between employer and employee.
Amendment 212 #
Proposal for a regulation
Article 7 – paragraph 4 a (new)
Article 7 – paragraph 4 a (new)
Amendment 224 #
Proposal for a regulation
Article 9 – paragraph 1
Article 9 – paragraph 1
1. The processing of personal data, revealing race or ethnic origin, political opinions, religion or beliefs, trade-union membership, significant social problems, private information and the processing of genetic data or data concerning health or sex life or criminal convictions or related security measures shall be prohibited.
Amendment 227 #
Proposal for a regulation
Article 9 – paragraph 2 – point b
Article 9 – paragraph 2 – point b
(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller in the field of employment law in so far as it is authorised by Union law or, Member State law, or collective agreements on the labour market providing for adequate safeguards; or
Amendment 228 #
Proposal for a regulation
Article 9 – paragraph 2 – point d
Article 9 – paragraph 2 – point d
(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association, organizations on the labour market or any other non-profit-seeking body with a political, philosophical, religious or trade- union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the data are not disclosed outside that body without the consent of the data subjects; or
Amendment 230 #
Proposal for a regulation
Article 9 – paragraph 2 – point j
Article 9 – paragraph 2 – point j
(j) processing of data relating to criminal convictions or related security measures is carried out either under the control of officialsupervision of the competent supervisory authority or when the processing is necessary for compliance with a legal or regulatory obligationor to avoid a breach of an EU or a national legal or regulatory obligation or collective agreements on the labour market to which a controller is subject, or for the performance of a task carried out for important public interest reasons, and in so far as authorised by Union law or Member State law providing for adequate safeguards. A complete register of criminal convictions shall be kept only under the control of official authority.
Amendment 231 #
Proposal for a regulation
Article 9 – paragraph 2 – point j a (new)
Article 9 – paragraph 2 – point j a (new)
Amendment 246 #
Proposal for a regulation
Article 14 a (new)
Article 14 a (new)
Article 14 a The controller must ensure that sufficient documentation for a data subject's identity has been received, when the data subject enforces the rights referred to in articles 14-19 in this regulation.
Amendment 256 #
Proposal for a regulation
Article 15 – paragraph 1 – introductory part
Article 15 – paragraph 1 – introductory part
1. The data subject shall have the right to obtain from the controller at any time, on request and by paying the cost of extracting the information, confirmation as to whether or not personal data relating to the data subject are being processed in order to be aware and verify the lawfulness of the processing. Where such personal data are being processed, the controller shall provide the following information:
Amendment 268 #
Proposal for a regulation
Article 17 – paragraph 1 – point a
Article 17 – paragraph 1 – point a
(a) the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed and the legal mandatory retention period has expired;
Amendment 274 #
Proposal for a regulation
Article 17 – paragraph 2
Article 17 – paragraph 2
2. Where the controller referred to in paragraph 1 has made the personal data public, it shall take all reasonable steps, including technical measures, in relation to data for the publication of which the controller is responsible, to inform those third parties which are processing such data contractually on behalf of the controller, that a data subject requests them to erase any links to, or copy or replication of that personal data. Where the controller has authorised a third party publication of personal data, the controller shall be considered responsible for that publication. Anonymised data, some pseudonymised data and publicly unavailable or unreadable data are excepted
Amendment 281 #
Proposal for a regulation
Article 18 – paragraph 1
Article 18 – paragraph 1
1. The data subject shall have the right, where personal data are processed by electronic means and in a structured and commonly used format, to obtain from the controller a copy of data undergoing processing in an electronic and structured format which is commonly used and allows for further use by the data subject.
Amendment 283 #
Proposal for a regulation
Article 18 – paragraph 2
Article 18 – paragraph 2
Amendment 291 #
Proposal for a regulation
Article 20 – paragraph 1
Article 20 – paragraph 1
1. Every natural person shall have the right not to be subject to a measure which produces legal effects concerning this natural person or significantly affects this natural person, and which is based solely on automated processing intended to evaluate certain personal aspects relating to this natural person or to analyse or predict in particular the natural person's performance at work, economic situation, location, health, personal preferences, reliability or behaviour.
Amendment 296 #
Proposal for a regulation
Article 20 – paragraph 2 – introductory part
Article 20 – paragraph 2 – introductory part
2. Subject to the other provisions of this Regulation, a person may be subjected to a measure of the kind referred to in paragraph 1 only if the processing:
Amendment 301 #
Proposal for a regulation
Article 20 – paragraph 2 – point b
Article 20 – paragraph 2 – point b
(b) is expressly authorized bynecessary to comply with a Union or Member State law which also lays down suitable measures to safeguard the data subject's legitimate interests; or
Amendment 356 #
Proposal for a regulation
Article 31 – paragraph 1
Article 31 – paragraph 1
1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 24 hours after having become aware of it which will have significant risk of harm to citizens, the controller shall without undue delay, notify the personal data breach to the supervisory authority. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 24 hours.
Amendment 364 #
Proposal for a regulation
Article 32 – paragraph 1
Article 32 – paragraph 1
1. WIn the case of any significantly harmful personal data breach, when the personal data breach is likely to adversely affect the protection of the personal data or privacy of the data subject, the controller shall, after the notification referred to in Article 31, communicate the personal data breach to the data subject without undue delay.
Amendment 369 #
Proposal for a regulation
Article 32 – paragraph 1 – subparagraph 1 (new)
Article 32 – paragraph 1 – subparagraph 1 (new)
Exemptions from data breach provisions should be awarded where sophisticated encryption is used or if measures are taken to adequately compensate those affected.
Amendment 371 #
Proposal for a regulation
Article 32 – paragraph 3
Article 32 – paragraph 3
3. The communication of a personal data breach to the data subject shall not be required if the data breach does not have significant risk of harm to citizens and the controller demonstrates to the satisfaction of the supervisory authority that it has implemented appropriate technological protection measures, and that those measures were applied to the data concerned by the personal data breach. Such technological protection measures shall render the data unintelligible to any person who is not authorised to access it.
Amendment 374 #
Proposal for a regulation
Article 33 – paragraph 1
Article 33 – paragraph 1
1. Where processing operations present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes, or where processing takes place as a public sector infrastructure project the controller or the processor acting on the controller's behalf shall carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
Amendment 377 #
Proposal for a regulation
Article 33 – paragraph 2 – point b
Article 33 – paragraph 2 – point b
(b) information on sex life, health, political opinions, religious beliefs, criminal convictions, race and ethnic origin or for the provision of health care, epidemiological researches, or surveys of mental or infectious diseases, where the data are processed for taking measures or decisions regarding specific individuals on a large scale;
Amendment 378 #
Proposal for a regulation
Article 33 – paragraph 3
Article 33 – paragraph 3
3. The assessment shall contain at least a general description of the envisaged processing operations, an assessment of the risks to the rights and freedoms of data subjects, the measures envisaged to address the risks, safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation, taking into account the rights and legitimate interests of data subjects and other persons concerned and also taking into account modern technologies and methods that can improve citizens' privacy.
Amendment 380 #
Proposal for a regulation
Article 33 – paragraph 4
Article 33 – paragraph 4
Amendment 381 #
Proposal for a regulation
Article 33 – paragraph 5
Article 33 – paragraph 5
Amendment 393 #
Proposal for a regulation
Article 35 – paragraph 7
Article 35 – paragraph 7
7. The controller or the processor shall designate a data protection officer for a period of at least two years. The data protection officer may be reappointed for further terms. During their term of office, the data protection officer may only be dismissed, if the data protection officer no longer fulfils the conditions required for the performance of their duties.
Amendment 397 #
Proposal for a regulation
Article 36 – paragraph 2
Article 36 – paragraph 2
2. The controller or processor shall ensure that the data protection officer performs the duties and tasks independently and does not receive any instructions as regards the exercise of the function. The data protection officer shall directly report to the management of the controller or the processor.
Amendment 400 #
Proposal for a regulation
Article 44 – paragraph 1 – point h
Article 44 – paragraph 1 – point h
(h) the transfer is necessary for the purposes of the legitimate interests pursued by the controller or the processor, which cannot be qualified as frequent or massive or where, prior to such transfer, the personal data is already made public in the third country, and where the controller or processor has assessed all the circumstances surrounding the data transfer operation or the set of data transfer operations and based on this assessment adduced appropriate safeguards with respect to the protection of personal data, where necessary.
Amendment 424 #
Proposal for a regulation
Article 79 – paragraph 3 a (new)
Article 79 – paragraph 3 a (new)
3 a. In case of full compliance with this regulation no sanction shall be imposed
Amendment 429 #
Proposal for a regulation
Article 79 – paragraph 4 – introductory part
Article 79 – paragraph 4 – introductory part
4. The supervisory authority shall impose a fine up to 250 000 EUR, or in case of an enterprise up to 0,5 % of its annual worldwide turnover, to anyone who, intentionally or negligently:
Amendment 432 #
Proposal for a regulation
Article 79 – paragraph 5 – introductory part
Article 79 – paragraph 5 – introductory part
5. The supervisory authority shall impose a fine up to 500 000 EUR, or in case of an enterprise up to 1 % of its annual worldwide turnover, to anyone who, intentionally or negligently:
Amendment 435 #
Proposal for a regulation
Article 79 – paragraph 6 – introductory part
Article 79 – paragraph 6 – introductory part
6. The supervisory authority shall impose a fine up to 1 000 000 EUR or, in case of an enterprise up to 2 % of its annual worldwide turnover, to anyone who, intentionally or negligently:
Amendment 440 #
Proposal for a regulation
Article 82 – paragraph 1
Article 82 – paragraph 1
1. Within the limits of this Regulation, Member States may adopt by law or collective agreement among employers and employees specific rules regulating the processing of employees‘ personal data in the employment context, in particular for the purposes of the recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organisation of work, health and safety at work, criminal conviction and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship.
Amendment 459 #
Proposal for a regulation
Article 90 – paragraph 1 a (new)
Article 90 – paragraph 1 a (new)
Delegated acts and Implementing acts adopted by the Commission should be evaluated by the Parliament and the Council every second year.