[ParlTrack]

Axel VOSS, Véronique MATHIEU HOUILLON, Seán KELLY, Wim van de CAMP, Renate SOMMER, Monika HOHLMEIER, Lara COMI, Kinga GÁL

Proposal for a regulation
Article 28 – paragraph 1

1. Each controller ~~and processor~~ and, if any, the controller's representative, shall maintain documentation of all processing operations under its responsibility.

2013/03/06
Committee: LIBE

Axel VOSS

Proposal for a regulation
Article 28 – paragraph 2 – point g a (new)

(ga) where the processor processes personal data in a third country a general indication of the national obligations of the law in the third country;

2013/03/06
Committee: LIBE

Axel VOSS, Véronique MATHIEU HOUILLON, Seán KELLY, Renate SOMMER, Wim van de CAMP, Monika HOHLMEIER, Lara COMI, Kinga GÁL

Proposal for a regulation
Article 28 – paragraph 3

3. The controller ~~and the processor~~ and, if any, the controller's representative, shall make the documentation available, on request, to the supervisory authority.

2013/03/06
Committee: LIBE

Axel VOSS

Proposal for a regulation
Article 28 – paragraph 4 – introductory part

4. The obligations referred to in paragraphs 1, 2 and 23 shall not apply to the following controllers and processors:

2013/03/06
Committee: LIBE

Axel VOSS, Véronique MATHIEU HOUILLON, Seán KELLY, Wim van de CAMP, Renate SOMMER, Monika HOHLMEIER, Lara COMI, Kinga GÁL

Proposal for a regulation
Article 28 – paragraph 5

~~5. The Commission shall be empowered to adopt~~ delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the documentation referred to in paragraph 1, to take account of in particular the responsibilities of the controller and the processor and, if any, the controller's representative.

2013/03/06
Committee: LIBE

Axel VOSS, Seán KELLY, Wim van de CAMP, Véronique MATHIEU HOUILLON, Renate SOMMER, Monika HOHLMEIER

Proposal for a regulation
Article 30 – paragraph 1

1. The controller and the processor shall implement appropriate technical and organisational measures, including pseudonymisation, to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected, having regard to the state of the art and the costs of their implementation.

2013/03/06
Committee: LIBE

Axel VOSS

Proposal for a regulation
Article 30 – paragraph 2 a (new)

2a. The legal obligations, as referred to in paragraphs 1 and 2, which would require processing of personal data to the extent strictly necessary for the purposes of ensuring network and information security, constitute a legitimate interest pursued by or on behalf of a data controller or processor, as referred to in Article 6(1)(f).

2013/03/06
Committee: LIBE

Axel VOSS

Proposal for a regulation
Article 30 – paragraph 4

4. The Commission may adopt, where necessary, implementing acts for specifying the requirements laid down in paragraphs 1 and 2 to various situations, in particular to: (a) prevent any unauthorised access to personal data; (b) prevent any unauthorised disclosure, reading, copying, modification, erasure or removal of personal data; (c) ensure the verification of the lawfulness of processing operations. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).deleted

2013/03/06
Committee: LIBE

Axel VOSS, Monika HOHLMEIER, Seán KELLY, Renate SOMMER, Véronique MATHIEU HOUILLON, Lara COMI, Hubert PIRKER, Salvatore IACOLINO

Proposal for a regulation
Article 31 – paragraph 1

1. In the case of a personal data breach~~, the controller shall without undue delay and, where~~ relating to special categories of personal data, personal data which are subject to profeassi~~ble, not later than 24 hours after having become aware of it, notify the~~onal secrecy, personal data relating to criminal offences or to the suspicion of a criminal act or personal data bre~~ach to the supervisory authority. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 24 hours~~lating to bank or credit card accounts, which seriously threaten the rights or legitimate interests of the data subject, the controller shall without undue delay notify the personal data breach to the supervisory authority.

2013/03/06
Committee: LIBE

Axel VOSS

Proposal for a regulation
Article 31 – paragraph 2

2. ~~Pursuant to point (f) of Article 26(2), t~~The processor shall alert and inform the controller immediately after the establishment of a personal data breach.

2013/03/06
Committee: LIBE

Axel VOSS, Hubert PIRKER, Véronique MATHIEU HOUILLON, Seán KELLY, Wim van de CAMP, Monika HOHLMEIER, Renate SOMMER

Proposal for a regulation
Article 31 – paragraph 5

~~5. The Commission shall be empowered to adopt~~ delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for establishing the data breach referred to in paragraphs 1 and 2 and for the particular circumstances in which a controller and a processor is required to notify the personal data breach.

2013/03/06
Committee: LIBE

Axel VOSS, Hubert PIRKER, Véronique MATHIEU HOUILLON, Seán KELLY, Wim van de CAMP, Monika HOHLMEIER, Renate SOMMER

Proposal for a regulation
Article 32 – paragraph 1

1. When the personal data breach is likely to adversely affect the protection of the personal data or, the privacy, the right or the legitimate interests of the data subject, the controller shall, after the notification referred to in Article 31, communicate the personal data breach to the data subject without undue delay. A breach should be considered as adversely affecting the personal data or privacy of a data subject where it could result in, for example, identity theft or fraud, physical harm, significant humiliation or damage to reputation.

2013/03/06
Committee: LIBE

Axel VOSS, Seán KELLY, Wim van de CAMP, Véronique MATHIEU HOUILLON, Renate SOMMER, Monika HOHLMEIER, Hubert PIRKER, Lara COMI

Proposal for a regulation
Article 32 – paragraph 3

3. The communication of a personal data breach to the data subject shall not be required if the ~~controller demonstrates to the satisfaction of the supervisory authority that it~~data breach has not produced significant harm and the controller has implemented appropriate technological protection measures, and that those measures were applied to the data concerned by the personal data breach. Such technological protection measures shall render the data unintelligible, unusable or anonymised to any person who is not authorised to access to it.

2013/03/06
Committee: LIBE

Axel VOSS

Proposal for a regulation
Article 33 – paragraph 1

1. Where processing operations present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes, the controller ~~or the processor acting on the controller's behalf~~ shall carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. An impact assessment is not necessary where: (a) the processing is a legal obligation; or (b) a consent of the data subject is given; or (c) Article 6(1)(b) or Article 38a applies.

2013/03/06
Committee: LIBE

Axel VOSS

Proposal for a regulation
Article 33 – paragraph 2 – point a

(a) respecting the exceptions of Article 20(2)(c) and Article 21 a systematic and extensive evaluation of personal aspects relating to a natural person or for analysing or predicting in particular the natural person's economic situation, location, health, personal preferences, reliability or behaviour, which is based on automated processing and on which measures are based that produce legal effects concerning the individual or significantly negative affect the individual;

2013/03/06
Committee: LIBE

Véronique MATHIEU HOUILLON, Axel VOSS

Proposal for a regulation
Article 33 – paragraph 2 – point c

~~c) monitoring publicly accessible areas, especially when using optic-electronic devices (video surveillance) on a large scale;~~deleted

2013/03/06
Committee: LIBE

Axel VOSS

Proposal for a regulation
Article 33 – paragraph 3 a (new)

3a. If the controller or the processor has designated a data protection organisation or a data protection officer, he/she should be involved in the impact assessment proceeding.

2013/03/06
Committee: LIBE

Axel VOSS

Proposal for a regulation
Article 33 – paragraph 4

4. The controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of the processing operations.deleted

2013/03/06
Committee: LIBE

Véronique MATHIEU HOUILLON, Axel VOSS

Proposal for a regulation
Article 33 – paragraph 4

4. The controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of the processing operations.deleted

2013/03/06
Committee: LIBE

Axel VOSS

Proposal for a regulation
Article 33 – paragraph 6

~~6. The Commission shall be empowered to adopt~~ delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and conditions for the processing operations likely to present specific risks referred to in paragraphs 1 and 2 and the requirements for the assessment referred to in paragraph 3, including conditions for scalability, verification and auditability. In doing so, the Commission shall consider specific measures for micro, small and medium- sized enterprises.

2013/03/06
Committee: LIBE

Activities of Axel VOSS related to 2011/0011(COD)

Legal basis opinions (0)

Amendments (20)

ParlTrack - 2011-2024