Activities of Jens ROHDE related to 2017/0002(COD)
Shadow opinions (1)
OPINION on the proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC
Amendments (26)
Amendment 5 #
Proposal for a regulation
Recital 5
Recital 5
(5) It is in the interest of a coherent approach to personal data protection throughout the Union, and of the free movement of personal data within the Union, to align as far as possible the data protection rules for Union institutions and bodies with the data protection rules adopted for the public sector in the Member States. Whenever the provisions of this Regulation are based on the same concept as the provisions of Regulation (EU) 2016/679, those two provisions should be interpreted homogeneously, in particular because the scheme of this Regulation should be understood as equivalent to the scheme of Regulation (EU) 2016/679.
Amendment 12 #
Proposal for a regulation
Recital 10
Recital 10
(10) Where the founding act of a Union agency carrying out activities which fall within the scope of Chapters 4 and 5 of Title V of the Treaty lays down a standalone data protection regime for the processing of operational personal data such regimes should be unaffected by this Regulation, as long as they are consistent with the provisions of Regulation (EU) 2016/679. However, the Commission should, in accordance with Article 62 of Directive (EU) 2016/680, by 6 May 2019 review Union acts which regulate processing by the competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security and, where appropriate, make the necessary proposals to amend those acts to ensure a consistent approach to the protection of personal data in the area of judicial cooperation in criminal matters and police cooperation.
Amendment 17 #
Proposal for a regulation
Recital 18
Recital 18
(18) The Union law including the internal rules referred to in this Regulation should be clear and precise and its application should be foreseeable to persons subject to it, in accordance with the case-law of the Court of Justice of the European Union and the European Court of Human Rights.
Amendment 21 #
Proposal for a regulation
Recital 23
Recital 23
(23) Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms. Such personal data should not be processed unless processing is allowed in specific cases as laid down in this Regulation. Those personal data should include personal data revealing racial or ethnic origin, whereby the use of the term ‘racial origin’ in this Regulation does not imply an acceptance by the Union of theories which attempt to determine the existence of separate human races. The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person. In addition to the specific requirements for processing of sensitive data, the general principles and other rules of this Regulation should apply, in particular as regards the conditions for lawful processing. Derogations from the general prohibition for processing such special categories of personal data should be explicitly provided, inter alia, where the data subject gives his or her explicit consent or in respect of specific needs in particular where the processing is carried out in the course of legitimate activities by certain associations or foundations the purpose of which is to permit the exercise of fundamental freedoms.
Amendment 24 #
Proposal for a regulation
Recital 24
Recital 24
(24) The processing of special categories of personal data may be necessary for reasons of public interest in the areas of public health without consent of the data subject. Such processing should be subject to proportionate, suitable and specific measures so as to protect the rights and freedoms of natural persons. In that context, ‘public health’ should be interpreted as defined in Regulation (EC) No 1338/2008 of the European Parliament and of the Council15, namely all elements related to health, namely health status, including morbidity and disability, the determinants having an effect on that health status, health care needs, resources allocated to health care, the provision of, and universal access to, health care as well as health care expenditure and financing, and the causes of mortality. Such processing of data concerning health for reasons of public interest should not result in personal data beinglead to any further processeding for other purposes, including processing by third parties. _________________ 15 Regulation (EC) No 1338/2008 of the European Parliament and of the Council of 16 December 2008 on Community statistics on public health and health and safety at work (OJ L 354, 31.12.2008, p. 70).
Amendment 27 #
Legal acts adopted on the basis of the Treaties or internal rules of Union institutions and bodies may impose restrictions concerning specific principles and the rights of information, access to and rectification or erasure of personal data, the right to data portability, confidentiality of electronic communications as well as the communication of a personal data breach to a data subject and certain related obligations of the controllers, for a limited period of time and as far as necessary and proportionate in a democratic society to safeguard public security, the prevention, investigation and prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security, including the protection of human life especially in response to natural or manmade disasters, internal security of Union institutions and bodies, other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, the keeping of public registers kept for reasons of general public interest or the protection of the data subject or the rights and freedoms of others, including social protection, public health and humanitarian purposes.
Amendment 33 #
Proposal for a regulation
Recital 42
Recital 42
(42) In order to demonstrate compliance with this Regulation, controllers should maintain records of processing activities under their responsibility and processors should maintain records of categories of processing activities under their responsibility. Union institutions and bodies should be obliged to cooperate with the European Data Protection Supervisor and make their records, on request, available to it, so that they might serve for monitoring those processing operations. Union institutions and bodies should be able to establish a central register of records of their processing activities. For reasons of transparency, they should also be able to make such a register public. Data subjects should be able to consult the register upon request.
Amendment 36 #
Proposal for a regulation
Recital 50
Recital 50
(50) Regulation (EU) 2016/679 established the European Data Protection Board as an independent body of the Union with legal personality. The Board should contribute to the consistent application of Regulation (EU) 2016/679 and Directive 2016/680 throughout the Union, including by advising the Commission. At the same time, the European Data Protection Supervisor should continue to exercise its supervisory and advisory functions in respect of all Union institutions and bodies, including on its own initiative or upon request. In order to ensure consistency of data protection rules throughout the Union, a consultation by the Commission should be obligatory following twhen adoption ofng proposals for legislative acts or during the preparation of delegated acts and implementing acts as defined in Article 289, 290 and 291 TFEU and following twhen adoption ofng recommendations and proposals relating to agreements with third countries and international organisations as provided for in Article 218 TFEU, which have an impact on the right to personal data protection. In such cases, the Commission should be obliged to consult the European Data Protection Supervisor, except when the Regulation (EU) 2016/679 provides for mandatory consultation of the European Data Protection Board, for example on adequacy decisions or delegated acts on standardised icons and requirements for certification mechanisms. Where the act in question is of particular importance for the protection of individuals' rights and freedoms with regard to the processing of personal data, the Commission should be able, in addition, to consult the European Data Protection Board. In those cases, the European Data Protection Supervisor should, as a member of the European Data Protection Board, coordinate its work with the latter with a view to issue a joint opinion. The European Data Protection Supervisor, and where applicable, the European Data Protection Board should provide its written advice within eight weeks. That time-frame should be shorter in case of urgency or otherwise appropriate, for example when the Commission is preparing delegated and implementing acts.
Amendment 38 #
Proposal for a regulation
Recital 52
Recital 52
(52) When personal data are transferred from the Union institutions and bodies to controllers, processors or other recipients in third countries or to international organisations, the level of protection of natural persons ensured in the Union by this Regulation should not be undermined, including in cases of onward transfers of personal data from the third country or international organisation to controllers, processors in the same or another third country or international organisation. In any event, transfers to third countries and international organisations may only be carried out in full compliance with this Regulation and in accordance with Regulation (EU) 2016/679. A transfer could take place only if, subject to the other provisions of this Regulation, the conditions laid down in the provisions of this Regulation relating to the transfer of personal data to third countries or international organisations are complied with by the controller or processor.
Amendment 39 #
Proposal for a regulation
Recital 54
Recital 54
Amendment 42 #
Proposal for a regulation
Article 2 – paragraph 1
Article 2 – paragraph 1
1. This Regulation applies to the processing of personal data by all Union institutions and bodies insofar as such processing is carried out in the exercise of activities which fall, wholly or partially within the scope of Union law.
Amendment 53 #
Proposal for a regulation
Article 8 – title
Article 8 – title
Conditions applicable to children's consent in relation to information society services
Amendment 54 #
Proposal for a regulation
Article 8 – paragraph 1
Article 8 – paragraph 1
1. Where point (d) of Article 5(1) applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 136 years old. Where the child is below the age of 136 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.
Amendment 61 #
Proposal for a regulation
Article 11 – paragraph 1
Article 11 – paragraph 1
Processing of personal data relating to criminal convictions and offences or related security measures pursuant to Article 5(1) may be carried out only if authorised by Union law, which may include internal rules, providing the appropriate specific safeguards for the rights and freedoms of data subjects.
Amendment 64 #
Proposal for a regulation
Article 25 – paragraph 1 – introductory part
Article 25 – paragraph 1 – introductory part
1. Legal acts adopted on the basis of the Treaties or, in matters relating to the operation of the Union institutions and bodies, internal rules laid down by the latter may restrict the application of Articles 14 to 22, 34 and 38, as well as Article 4 in so far as its provisions correspond to the rights and obligations provided for in Articles 14 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:
Amendment 69 #
Proposal for a regulation
Article 25 – paragraph 2
Article 25 – paragraph 2
Amendment 72 #
Proposal for a regulation
Article 25 – paragraph 5
Article 25 – paragraph 5
Amendment 79 #
Proposal for a regulation
Article 31 – paragraph 5
Article 31 – paragraph 5
5. Union institutions and bodies may decide toshall keep their records of processing activities in a central register. In this case, they may also decide toThey shall make the register publicly accessible.
Amendment 83 #
Proposal for a regulation
Article 34 – paragraph 1
Article 34 – paragraph 1
Union institutions and bodies shall ensure the confidentiality of electronic communications, in particular by securing their electronic communication networksaccordance with Regulation (EU) 2017/XXXX.
Amendment 90 #
Proposal for a regulation
Article 42 – paragraph 2
Article 42 – paragraph 2
2. Where an act referred to in paragraph 1 is of particular importance for the protection of individuals’ rights and freedoms with regard to the processing of personal data, the Commission mayshall also consult the European Data Protection Board. In such cases the European Data Protection Supervisor and the European Data Protection Board shall coordinate their work with a view to issue a joint opinion.
Amendment 91 #
Proposal for a regulation
Article 44 – paragraph 4
Article 44 – paragraph 4
4. The data protection officer mayshall be a staff member of the Union institution or, body, or fulfil the tasks on the basis of a service contractffice or agency.
Amendment 95 #
Proposal for a regulation
Article 46 – paragraph 1 – point g a (new)
Article 46 – paragraph 1 – point g a (new)
(ga) ensure that the rights and freedoms of data subjects are not adversely affected by the processing.
Amendment 96 #
Proposal for a regulation
Article 48 – paragraph 1
Article 48 – paragraph 1
1. A transfer of personal data to a third country or international organisation may take place where the Commission has decidedadopted an implementing act pursuant to Article 45(3) of Regulation (EU) 2016/679 which stipulates that an adequate level of protection is ensured in the third country, a territory or one or more specified sectors within that third country, or within the international organisation and the personal data are transferred solely to allow tasks covered by the competence of the controller to be carried out. The implementing act shall provide for a mechanism for a periodic review, at least every four years, which shall take into account all relevant developments in the third country or the international organisation. The implementing act shall further indicate its territorial and sectorial application and shall identify the supervisory authority. Chapter V of Regulation (EU) 2016/679 shall apply.
Amendment 98 #
Proposal for a regulation
Article 54 – paragraph 1
Article 54 – paragraph 1
1. The European Parliament and the Council shall appoint the European Data Protection Supervisor by common accord for a term of five years, on the basis of a list drawn up byjointly by the European Parliament, the Council and the Commission following a public call for candidates. The call for candidates shall enable all interested parties throughout the Union to submit their applications. The list of candidates drawn up by the Commission shall be public. On the ba and shall consist of the list drawn up by the Commission, tat least five candidates. The competent committee of the European Parliament may decide to hold a hearing of the listed candidates in order to enable it to express a preference.
Amendment 102 #
Proposal for a regulation
Article 63 – paragraph 1 a (new)
Article 63 – paragraph 1 a (new)
1a. In cases where the data subject is a child, Member States shall provide for specific safeguards, in particular with regard to legal aid.
Amendment 103 #
Proposal for a regulation
Chapter IX a (new)
Chapter IX a (new)
Chapter IXa Article 70a Review Clause 1. No later than 1 June 2021, and every five years thereafter, the Commission shall present to the European Parliament a report on the application of this Regulation, accompanied, if necessary, by appropriate legislative proposals. 2. The ex-post evaluation outlined in paragraph 1 shall pay particular attention to the appropriateness of the scope of this Regulation, the consistency with other legislative acts in the field of data protection and assess, in particular, the implementation of Chapter V of this Regulation. 3. No later than 1 June 2021, and every five years thereafter, the Commission shall report to the European Parliament on the application of Chapter VIII of this Regulation and the penalties and sanctions applied.