20 Amendments of Wim van de CAMP related to 2011/0011(COD)
Amendment 1834 #
Proposal for a regulation
Article 28 – paragraph 1
1. Each controller and processor and, if any, the controller's representative, shall maintain documentation of all processing operations under its responsibility shall maintain an overview of all processing operations under its responsibility, which pose a high degree of risk to the fundamental rights of the data subjects, in particular their right to privacy, pursuant to the outcome of the privacy impact assessment as referred to in Article 33.
Amendment 1837 #
Proposal for a regulation
Article 28 – paragraph 1
1. Each controller and processor and, if any, the controller's representative, shall maintain documentation of all processing operations under its responsibility.
Amendment 1845 #
Proposal for a regulation
Article 28 – paragraph 2 – introductory part
2. The documentation overview shall contain at least the following information:
Amendment 1851 #
Proposal for a regulation
Article 28 – paragraph 2 – point b
Amendment 1880 #
Proposal for a regulation
Article 28 – paragraph 3
3. The controller and the processor and or, if any, the controller's representative, shall make the documentation available, on request, to the supervisory authority.
Amendment 1884 #
Proposal for a regulation
Article 28 – paragraph 3
3. The controller and the processor and, if any, the controller's representative, shall make the documentation available, on request, to the supervisory authority.
Amendment 1889 #
Proposal for a regulation
Article 28 – paragraph 4
4. The obligations referred to in paragraphs 1 and 2 shall not apply to the following controllers and processors: (a) a natural persons processing personal data without a commercial interest; or (b) an enterprise or an organisation employing fewer than 250 persons that is processing personal data only as an activity ancillary to its main activities.
Amendment 1911 #
Proposal for a regulation
Article 28 – paragraph 5
Amendment 1924 #
Proposal for a regulation
Article 30 – paragraph 1
1. The controller and the processor shall implement appropriate technical and organisational measures, including pseudonymisation, to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected, having regard to the state of the art and the costs of their implementation.
Amendment 1953 #
Proposal for a regulation
Article 31 – paragraph 1
1. In the case of Where a personal data breach, the controller shall without undue delay and, where feasible, not later than 24 hours is likely to have a significant adverse effect on the interests, rights and freedoms of the data subjects, especially their right to privacy, the controller, after having become aware of it, shall without unreasonable delay notify the personal data breach to the supervisory authority. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 24 hours.
Amendment 1960 #
Proposal for a regulation
Article 31 – paragraph 1 a (new)
1a. Controllers shall notify the supervisory authority of the Member State in which they are established. Where the notification is carried out in accordance with paragraph 4, the supervisory authority of the Member State in which the controller responsible for the personal data breach is established shall be notified. Controllers which are not established on the territory of the European Union, shall notify the supervisory authority of the Member State in which their representative is established.
Amendment 1987 #
Proposal for a regulation
Article 31 – paragraph 5
Amendment 1999 #
Proposal for a regulation
Article 32 – paragraph 1
1. When the personal data breach is likely to adversely affect the protection of the personal data or, the privacy, the right or the legitimate interests of the data subject, the controller shall, after the notification referred to in Article 31, communicate the personal data breach to the data subject without undue delay. A breach should be considered as adversely affecting the personal data or privacy of a data subject where it could result in, for example, identity theft or fraud, physical harm, significant humiliation or damage to reputation.
Amendment 2003 #
Proposal for a regulation
Article 32 – paragraph 3
3. The communication of a personal data breach to the data subject shall not be required if the controller demonstrates to the satisfaction of the supervisory authority that it data breach has not produced significant harm and the controller has implemented appropriate technological protection measures, and that those measures were applied to the data concerned by the personal data breach. Such technological protection measures shall render the data unintelligible, unusable or anonymised to any person who is not authorised to access to it.
Amendment 2021 #
Proposal for a regulation
Article 33 – paragraph 1
1. Where processing operations present specific are likely to present high degree of risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes, the controller or the processor acting on the controller's behalf shall carry out an assessment of the impact of the envisaged processing operations on the protection of personal data rights and freedoms of the data subjects, especially their right to privacy.
Amendment 2035 #
Proposal for a regulation
Article 33 – paragraph 2 – point c
Amendment 2064 #
Proposal for a regulation
Article 33 – paragraph 5
5. Where the controller is a public authority or body and where the processing results from a legal obligation pursuant to point (c) of Article 6(1) providing for rules and procedures pertaining to the processing operations and regulated by Union or Member State law, paragraphs 1 to 4 shall not apply, unless Member States deem it necessary to carry out such assessment prior to the processing activities.
Amendment 2073 #
Proposal for a regulation
Article 33 – paragraph 6
Amendment 2079 #
Proposal for a regulation
Article 33 – paragraph 6
6. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and conditions for the processing operations likely to present specific risks referred to in paragraphs 1 and 2 and the requirements for the assessment referred to in paragraph 3, including conditions for scalability, verification and auditability. In doing so, the Commission shall consider specific measures for micro, small and medium-sized enterprise encourage, in particular at the European level, the establishment of common criteria for determining the level of risk of the processing operations as well as the execution of privacy impact assessments, taking into account the specific features of the various sectors, the size of the controller, the nature of the data, the consequences of the processing for the data subjects and the nature of the processing operations.
Amendment 2084 #
Proposal for a regulation
Article 33 – paragraph 7