BETA

32 Amendments of Jens ROHDE related to 2011/0011(COD)

Amendment 1832 #
Proposal for a regulation
Article 28 – paragraph 1
1. Each controller and processor and, if any, the controller's representative, shall maintain documentation of all processing operations under its responsibility.
2013/03/06
Committee: LIBE
Amendment 1842 #
Proposal for a regulation
Article 28 – paragraph 1 a (new)
1a. The obligation made to the controller shall not apply to SMEs processing data only as an activity ancillary to the sale of goods or services. Ancillary activity should be defined as business or non- trade activity that is not associated with the core activities of a firm. In relation to data protection, data processing activities which do not represent more than 50% of company's turnover shall be considered ancillary.
2013/03/06
Committee: LIBE
Amendment 1854 #
Proposal for a regulation
Article 28 – paragraph 2 – point c
(c) the purposes of the processing, including the legitimate interests pursued by the controller where the processing is based on point (f) of Article 6(1);deleted
2013/03/06
Committee: LIBE
Amendment 1857 #
Proposal for a regulation
Article 28 – paragraph 2 – point d
(d) a description of categories of data subjects and of the categories of personal data relating to them;deleted
2013/03/06
Committee: LIBE
Amendment 1859 #
Proposal for a regulation
Article 28 – paragraph 2 – point e
(e) the recipients or categories of recipients of the personal data, including the controllers to whom personal data are disclosed for the legitimate interest pursued by them;deleted
2013/03/06
Committee: LIBE
Amendment 1863 #
Proposal for a regulation
Article 28 – paragraph 2 – point f
(f) where applicable, transfers of data to a third country or an international organisation, including the identification of that third country or international organisation and, in case of transfers referred to in point (h) of Article 44(1), the documentation of appropriate safeguards;deleted
2013/03/06
Committee: LIBE
Amendment 1866 #
Proposal for a regulation
Article 28 – paragraph 2 – point g
(g) a general indication of the time limits for erasure of the different categories of data;deleted
2013/03/06
Committee: LIBE
Amendment 1874 #
Proposal for a regulation
Article 28 – paragraph 2 – point h
(h) the description of the mechanisms referred to in Article 22(3).deleted
2013/03/06
Committee: LIBE
Amendment 1881 #
Proposal for a regulation
Article 28 – paragraph 3
3. The controller and the processor and, if any, the controller's representative, shall make the documentation available, on request, to the supervisory authority.
2013/03/06
Committee: LIBE
Amendment 1894 #
Proposal for a regulation
Article 28 – paragraph 4 – introductory part
4. The obligations referred to in paragraphs 1 and 2 shall not apply to the following controllers and processors:
2013/03/06
Committee: LIBE
Amendment 1906 #
Proposal for a regulation
Article 28 – paragraph 5
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the documentation referred to in paragraph 1, to take account of in particular the responsibilities of the controller and the processor and, if any, the controller's representative.
2013/03/06
Committee: LIBE
Amendment 1909 #
Proposal for a regulation
Article 28 – paragraph 5
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the documentation referred to in paragraph 1, to take account of in particular the responsibilities of the controller and the processor and, if any, the controller's representative.
2013/03/06
Committee: LIBE
Amendment 1919 #
Proposal for a regulation
Article 29 – paragraph 1
1. The controller and the processor and, if any, the representative of the controller, shall co-operate, on request, with the supervisory authority in the performance of its duties, in particular by providing the information referred to in point (a) of Article 53(2) and by granting access as provided in point (b) of that paragraph. The controller and the processor and, if any, the representative of the controller, shall make the documentation available, on the basis of a request outlining the reasons for requiring access to the documents, to the supervisory authority.
2013/03/06
Committee: LIBE
Amendment 1923 #
Proposal for a regulation
Article 30 – paragraph 1
1. The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected, having regard to the state of the art and the costs of their implementation.
2013/03/06
Committee: LIBE
Amendment 1933 #
Proposal for a regulation
Article 30 – paragraph 2 a (new)
2a. The legal obligations, as referred to in paragraphs 1 and 2, which would require processing of personal data to the extent strictly necessary for the purposes of ensuring network and information security, constitute a legitimate interest pursued by, or on behalf of a data controller or processor.
2013/03/06
Committee: LIBE
Amendment 1936 #
Proposal for a regulation
Article 30 – paragraph 3
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and conditions for the technical and organisational measures referred to in paragraphs 1 and 2, including the determinations of what constitutes the state of the art, for specific sectors and in specific data processing situations, in particular taking account of developments in technology and solutions for privacy by design and data protection by default, unless paragraph 4 applies.
2013/03/06
Committee: LIBE
Amendment 1942 #
Proposal for a regulation
Article 30 – paragraph 4
4. The Commission may adopt, where necessary, implementing acts for specifying the requirements laid down in paragraphs 1 and 2 to various situations, in particular to: (a) prevent any unauthorised access to personal data; (b) prevent any unauthorised disclosure, reading, copying, modification, erasure or removal of personal data; (c) ensure the verification of the lawfulness of processing operations. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).deleted
2013/03/06
Committee: LIBE
Amendment 1955 #
Proposal for a regulation
Article 31 – paragraph 1
1. In the case of a personal data breach, twhe controller shall without undue dn the breach is likely to adverselay and, where feasible, not later than 24 hours after having become aware of it, notify the personal data breach to the supervisory authority. The notification toffect the protection of the personal data or the privacy of the data subject, the controller shall without undue delay notify the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 24 hourssonal data breach to the supervisory authority.
2013/03/06
Committee: LIBE
Amendment 1964 #
Proposal for a regulation
Article 31 – paragraph 2
2. Pursuant to point (f) of Article 26(2), the processor shall alert and inform the controller immediatwithout undue delay after the establishmentidentification of a personal data breach that is likely to produce adverse legal effects to the protection of athe personal data breachor the privacy of the data subject.
2013/03/06
Committee: LIBE
Amendment 1972 #
Proposal for a regulation
Article 31 – paragraph 3 – point e
(e) describe the measures proposed or taken by the controller to address the personal data breach and/or mitigate its effects.
2013/03/06
Committee: LIBE
Amendment 1977 #
Proposal for a regulation
Article 31 – paragraph 4
4. The controller shall document any personal data breaches, comprising the facts surrounding the breach, its effects and the remedial action taken. This documentation must be sufficient to enable the supervisory authority to verify compliance with this Article. The documentation shall only include the information necessary for that purpose.
2013/03/06
Committee: LIBE
Amendment 1995 #
Proposal for a regulation
Article 31 – paragraph 6
6. The Commission may lay down the standard format of such notification to the supervisory authority, and the procedures applicable to the notification requirement and the form and the modalities for the documentation referred to in paragraph 4, including the time limits for erasure of the information contained therein. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2)filing of reports.
2013/03/06
Committee: LIBE
Amendment 2000 #
Proposal for a regulation
Article 32 – paragraph 3
3. The communication of a personal data breach to the data subject shall not be required if the data breach has not produced significant harm to citizens and the controller demonstrates to the satisfaction of the supervisory authority that it has implemented appropriate technological protection measures, and that those measures were applied to the data concerned by the personal data breach. Such technological protection measures shall render the data unintelligible, unusable or anonymised to any person who is not authorised to access it.
2013/03/06
Committee: LIBE
Amendment 2015 #
Proposal for a regulation
Article 32 a (new)
Article 32a Communication of a personal data breach to other organisations A controller that communicates a personal data breach to a data subject pursuant to Article 32 may notify another organisation, a government institution or a part of a government institution of the personal data breach if that organisation, government institution or part may be able to reduce the risk of the harm that could result from it or mitigate that harm. Such notifications can be done without informing the data subject if the disclosure is made solely for the purposes of reducing the risk of the harm to the data subject that could result from the breach or mitigating that harm.
2013/03/06
Committee: LIBE
Amendment 2022 #
Proposal for a regulation
Article 33 – paragraph 1
1. Where processing operations present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes, the controller or the processor acting on the controller's behalf shall carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment shall be sufficient to address a set of processing operations that present similar risks.
2013/03/06
Committee: LIBE
Amendment 2026 #
Proposal for a regulation
Article 33 – paragraph 1 a (new)
1a. SMEs shall only be required to perform an impact assessment after their 3rd year of incorporation if data processing is deemed as a core activity of their business. That is, where sale or revenue from processing makes up for 50% of the SMEs revenue.
2013/03/06
Committee: LIBE
Amendment 2030 #
Proposal for a regulation
Article 33 – paragraph 2 – point a
(a) a systematic and extensive evaluation of personal aspects relating to a natural person or for analysing or predicting in particular the natural person's economic situation, location, health, personal preferences, reliability or behaviour, which is based on automated processing and on which measures are based that produce adverse legal effects concerning the individual or significantly affect the individualto the privacy of the data subject;
2013/03/06
Committee: LIBE
Amendment 2033 #
Proposal for a regulation
Article 33 – paragraph 2 – point b
(b) information on sex life, health, political opinions, religious beliefs, criminal convictions, race and ethnic origin or for the provision of health care, epidemiological researches, or surveys of mental or infectious diseases, where the data are processed for taking measures or decisions regarding specific individuals on a large scale;
2013/03/06
Committee: LIBE
Amendment 2053 #
Proposal for a regulation
Article 33 – paragraph 4
4. The controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of the processing operations.deleted
2013/03/06
Committee: LIBE
Amendment 2056 #
Proposal for a regulation
Article 33 – paragraph 4
4. The controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of the processing operations.deleted
2013/03/06
Committee: LIBE
Amendment 2075 #
Proposal for a regulation
Article 33 – paragraph 6
6. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and conditions for the processing operations likely to present specific risks referred to in paragraphs 1 and 2 and the requirements for the assessment referred to in paragraph 3, including conditions for scalability, verification and auditability. In doing so, the Commission shall consider specific measures for micro, small and medium- sized enterprises.
2013/03/06
Committee: LIBE
Amendment 2086 #
Proposal for a regulation
Article 33 – paragraph 7
7. The Commission may specify standards and procedures for carrying out and verifying and auditing the assessment referred to in paragraph 3. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).deleted
2013/03/06
Committee: LIBE