BETA

Activities of Axel VOSS related to 2012/0011(COD)

Legal basis opinions (0)

Amendments (310)

Amendment 366 #
Proposal for a regulation
Recital 15
(15) This Regulation should not apply to processing of personal data by a natural person, which are exclusively personal or domestic, such as correspondence and the holding of addresses, and without any gainful interest and thus or a private sale and without any connection with a professional or commercial activity. The exemption should also not apply to controllers or processors which provide the means for processing, irrespective of the number of personals the data for such personal or domestic activitiesare made available to.
2013/03/04
Committee: LIBE
Amendment 370 #
Proposal for a regulation
Recital 15 a (new)
(15a) This Regulation should not apply to processing personal data by small enterprises which are using personal data exclusively for its own business such as offers and invoices. If there is no risk for the processed personal data that no one else than the enterprise itself is handling the data there is no need for an additional protection than securing the data for access. This exemption should not apply for Articles 15, 16 and 17.
2013/03/04
Committee: LIBE
Amendment 396 #
Proposal for a regulation
Recital 23 a (new)
(23a) This regulation recognises that pseudonymisation is in the benefit of all data subjects as, by definition, personal data is altered so that it of itself cannot be attributed to a data subject without the use additional data. By this, controllers should be encouraged to the practice of pseudonymising data.
2013/03/04
Committee: LIBE
Amendment 400 #
Proposal for a regulation
Recital 24
(24) When using online services, individuals may be associated with online identifiers provided by their devices, applications, tools and protocols, such as Internet Protocol addresses or cookie identifiers. This may leave traces which, combined with unique identifiers and other information received by the servers, may be used to create profiles of the individuals and identify them. It follows that a study should be undertaken, on a case-by-case basis and in accordance with technological developments, of whether identification numbers, location data, online identifiers or other specific factors as such need not necessarily be considered as personal data in all circumstances.
2013/03/04
Committee: LIBE
Amendment 413 #
Proposal for a regulation
Recital 25
(25) Consent should be given explicitunambiguously by any appropriate method enabling a freely given specific and informed indication of the data subject’s wishes, either by a statement or by a clear affirmative action by the data subject, ensuring that individuals are aware that they give their consent to the processing of personal data, including by ticking a box when visiting an Internet website or by any other statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of their personal data. Silence or inactivity should therefore not constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. If the data subject’s consent is to be given following an electronic request, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided. The information provided in order for children to express the consent should be given in a clear and age-appropriate language, in a way that it would be easy to understand for a child above the age of 13.
2013/03/04
Committee: LIBE
Amendment 414 #
Proposal for a regulation
Recital 25
(25) Consent should be given explicitunambiguously by any appropriate method within the context of the product or the service being offered enabling a freely given specific and informed indication of the data subject’s wishes, either by a statement or by a clear affirmative action by the data subject, ensuring that individuals are aware that they give their consent to the processing of personal data, including by ticking a box when visiting an Internet website or by any other statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of their personal data. Silence or inactivity should therefore not constitute consent. This nevertheless leaves the provisions of 2002/58/EC untouched which state that under certain circumstances consent can be expressed via appropriate settings in the user’s device. Consent should cover all processing activities carried out for the same purpose or purposes. If the data subject’s consent is to be given following an electronic request, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
2013/03/04
Committee: LIBE
Amendment 420 #
Proposal for a regulation
Recital 26
(26) Personal data relating to health should include in particular all personal data pertaining to the health status of a data subject including genetic information; information about the registration of the individual for the provision of health services; information about payments or eligibility for healthcare with respect to the individual; a number, symbol or particular assigned to an individual to uniquely identify the individual for health purposes; any information about the individual collected in the course of the provision of health services to the individual; informationpersonal data derived from the testing or examination of a body part or, bodily substance, including or biological samples; identification of a person as provider of healthcare to the individual; or any information on e.g. a disease, disability, disease risk, medical history, clinical treatment, or the actual physiological or biomedical state of the data subject independent of its source, such as e.g. from a physician or other health professional, a hospital, a medical device, or an in vitro diagnostic test.
2013/03/04
Committee: LIBE
Amendment 423 #
Proposal for a regulation
Recital 27
(27) TWhere a controller or a processor has multiple establishments in the Union, including but not limited to cases where the controller or the processor is a group of undertakings, the main establishment of a controller in the Union for the purposes of this Regulation should be determined according to objective criteria and should imply the effective and real exercise of management activities determining the main decisions as to the purposes, conditions and means of processing through stable arrangements. This criterion should not depend whether the processing of personal data is actually carried out at that location; the presence and use of technical means and technologies for processing personal data or processing activities do not, in themselves, constitute such main establishment and are therefore not determining criteria for a main establishment. The main establishment of the processor should be the place of its central administrationA group of undertakings may nominate a single main establishment in the Union.
2013/03/04
Committee: LIBE
Amendment 425 #
Proposal for a regulation
Recital 29
(29) Children deserve specific protection of their personal data, as they may be less aware of risks, consequences, safeguards and their rights in relation to the processing of personal data and they are also vulnerable consumers. To determine when an individual is a child, this Regulation should take over the definition laid down by the UN Convention on the Rights of the Child. In particular, child-friendly language should be used to ensure the right of consent for children above the age of 13.
2013/03/04
Committee: LIBE
Amendment 427 #
Proposal for a regulation
Recital 29
(29) Children deserve specific protection of their personal data, as they may be less aware of risks, consequences, safeguards and their rights in relation to the processing of personal data. To determine when an individual isSuch protection is particularly important in the context of social networks. For the purpose of this regulation a child should be defined as an individual under the age of 18. Where data processing is based on the data subject’s consent in relation to the offering of information society services directly to a child, this Re regulation should take differentiate between children abover the definition laid down by the UN Convention on the Rights ofage of 13 and children under the age of 13 who require a higher level of protection to the extent that consent is given or authorised by the Cchild’s parent or custodian.
2013/03/04
Committee: LIBE
Amendment 435 #
Proposal for a regulation
Recital 31
(31) In order for processing to be lawful, personal data should be processed on the basis of the consent of the person concerned or some other legitimate basis, laid down by law, either in this Regulation or in other Union or Member State law as referred to in this Regulation. The allowance of a controller to process personal data should include the allowance to process personal data with other joint controllers and to allow personal data to be processed by a processor established in or outside the European Union.
2013/03/04
Committee: LIBE
Amendment 443 #
Proposal for a regulation
Recital 34
(34) Consent should not provide a valid legal ground for the processing of personal data, where there is a clear imbalance between the data subject and the controller. This is especially the case where the data subject is in a situation of dependence from the controller, among others, where personal data are processed by the employer of employees’ personal data in the employment context. Where the controller is a public authority, there would be an imbalance only in the specific data processing operations where the public authority can impose an obligation by virtue of its relevant public powers and the consent cannot be deemed as freely given, taking into account the interest of the data subject.deleted
2013/03/04
Committee: LIBE
Amendment 449 #
Proposal for a regulation
Recital 36
(36) Where processing is carried out in compliance with a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of an official authority, the processing should have a legal basis in Union law, or in a Member State law which meets the requirements of the Charter of Fundamental Rights of the European Union for any limitation of the rights and freedoms. It is also for Union or national law to determine whether the controller performing a task carried out in the public interest or in the exercise of official authority should be a public administration or another natural or legal person governed by public law, or by private law such as a professional association. The data processing may also be performed on the basis of agreements under collective labour law. Agreements under collective labour law are agreements concluded between employers or their representatives and representatives of employees or between these parties and a State entity at national, sectoral or firm level.
2013/03/04
Committee: LIBE
Amendment 455 #
Proposal for a regulation
Recital 38
(38) The legitimate interests of a controller or the third party to which the data have been transferred may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding. This would need careful assessment in particular where the data subject is a child, given that children deserve specific protection. The data subject should have the right to object the processing, on grounds relating to their particular situation and free of charge. To ensure transparency, the controller should be obliged to explicitly inform the data subject on the legitimate interests pursued and on the right to object, and also be obliged to document these legitimate interests. Given that it is for the legislator to provide by law the legal basis for public authorities to process data, this legal ground should not apply for the processing by public authorities in the performance of their tasks.
2013/03/04
Committee: LIBE
Amendment 458 #
Proposal for a regulation
Recital 38
(38) The legitimate interests of a controller or the third party to which the data have been transferred may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding. This would need careful assessment in particular where the data subject is a child, given that children deserve specific protection. The data subject should have the right to object the processing, on grounds relating to their particular situation and free of charge. To ensure transparency, the controller should be obliged to explicitly inform the data subject on the legitimate interests pursued and on the right to object, and also be obliged to document these legitimate interests. Given that it is for the legislator to provide by law the legal basis for public authorities to process data, this legal ground should not apply for the processing by public authorities in the performance of their tasks.
2013/03/04
Committee: LIBE
Amendment 467 #
Proposal for a regulation
Recital 40
(40) The processing of personal data for other purposes should be only allowed where the processing is compatible with those purposes for which the data have been initially collected, in particular where the processing is necessary for historical, statistical or scientific research purposes. Where the other purpose is not compatible with the initial one for which the data are collected, the controller should obtain the consent of the data subject for this other purpose or should base the processing on another legitimate ground for lawful processing, in particular where provided by Union law or the law of the Member State to which the controller is subject. In any case, the application of the principles set out by this Regulation and in particular the information of the data subject on those other purposes should be ensured.
2013/03/04
Committee: LIBE
Amendment 470 #
Proposal for a regulation
Recital 41
(41) Personal data which are, by their nature, particularly sensitive and vulnerable in relation to fundamental rights or privacy, deserve specific protection. Such data should not be processed, unless the data subject gives his explicit consent. However, derogations from this prohibition should be explicitly provided for in respect of specific needs, in particular where the processing is carried out in the course of entering into or performance of a contract with the data subject or in the course of legitimate activities by certain associations or foundations the purpose of which is to permit the exercise of fundamental freedoms.
2013/03/04
Committee: LIBE
Amendment 483 #
Proposal for a regulation
Recital 51
(51) Any person should have the right of access to data which has been collected concerning them, and to exercise this right easily, in order to be aware and verify the lawfulness of the processing. Every data subject should therefore have the right to know and obtain communication in particular for what purposes the data are processed, for what periodthe criteria which may be used to determine for how long the data will be stored for each purpose, which recipients receive the data, what is the logic of the data that are undergoing the processing and what might be, at least when based on profiling, the consequences of such processing. This right should not adversely affect the rights and freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software. However, the result of these considerations should not be that all information is refused to the data subject.
2013/03/04
Committee: LIBE
Amendment 496 #
Proposal for a regulation
Recital 53
(53) Any person should have the right to have personal data concerning them rectified and a ‘the right to be forgotten’have such personal data erased where the retention of such data is not in compliance with this Regulation. In particular, data subjects should have the right that their personal data are erased and no longer processed, where the data are no longer necessary in relation to the purposes for which the data are collected or otherwise processed, where data subjects have withdrawn their consent for processing or where they object to the processing of personal data concerning them or where the processing of their personal data otherwise does not comply with this Regulation. This right is particularly relevant, when the data subject has given their consent as a child, when not being fully aware of the risks involved by the processing, and later wants to remove such personal data especially on the Internet. However, the further retention of the data should be allowed where it is necessary for historical, statistical and scientific research purposes, for rheasons of public interlth purposest in the area of public healthaccordance with Article 81, for exercising the right of freedom of expression, when required by law or where there is a reason to restrict the processing of the data instead of erasing them. Also, the right to erasure should not apply when the retention of personal data is necessary for the performance of a contract with the data subject, or when there is a regulatory requirement to retain this data, or for the prevention of financial crime.
2013/03/04
Committee: LIBE
Amendment 497 #
Proposal for a regulation
Recital 53
(53) Any person should have the right to have personal data concerning them rectified and a ‘the right to be forgotten’have such personal data erased where the retention of such data is not in compliance with this Regulation. In particular, data subjects should have the right that their personal data are erased and no longer processed, where the data are no longer necessary in relation to the purposes for which the data are collected or otherwise processed, where data subjects have withdrawn their consent for processing or where they object to the processing of personal data concerning them or where the processing of their personal data otherwise does not comply with this Regulation. This right is particularly relevant, when the data subject has given their consent as a child, when not being fully aware of the risks involved by the processing, and later wants to remove such personal data especially on the Internet. However, the further retention of the data should be allowed where it is necessary for historical, statistical and scientific research purposes, for rheasons of public interlth purposest in the area of public healthaccordance with Article 81, for exercising the right of freedom of expression, when required by law or where there is a reason to restrict the processing of the data instead of erasing them. Also, the right to erasure should not apply when the retention of personal data is necessary for the performance of a contract with the data subject, or when there is a regulatory requirement to retain this data, or for the prevention of financial crime.
2013/03/04
Committee: LIBE
Amendment 498 #
Proposal for a regulation
Recital 53 a (new)
(53a) A data subject should always have the option to give broad consent for his or her data to be used for historical, statistical or scientific research purposes, and to withdraw consent at any time.
2013/03/04
Committee: LIBE
Amendment 513 #
Proposal for a regulation
Recital 58
(58) Every natural and legal person should have the right not to be subject to a measure which is based on profiling by means of automated processing. However, such measure and which produces legal effects concerning that natural or legal person or significantly affects that natural or legal person. Actual effects should be comparable in their intensity to legal effects to fall under this provision. This is not the case for measures relating to commercial communication, like for example in the field of customer relationship management or customer acquisition. However, a measure based on profiling by automated data processing and which produces legal effects concerning a natural or legal person or significantly affects a natural person should be allowed when expressly authorised by law, carried out in the course of entering or performance of a contract, or when the data subject has given his consent. In any case, such processing should be subject to suitable safeguards, including specific information of the data subject and the right to obtain human intervention and that such measure should not concern a child.
2013/03/04
Committee: LIBE
Amendment 515 #
Proposal for a regulation
Recital 58
(58) Every natural and legal person should have the right not to be subject to a measure which is based on profiling by means of automated processing. However, such measure and which produces legal effects concerning that natural or legal person or significantly affects that natural or legal person. Actual effects should be comparable in their intensity to legal effects to fall under this provision. This is not the case for measures relating to commercial communication, like for example in the field of customer relationship management or customer acquisition. However, a measure based on profiling by automated data processing and which produces legal effects concerning a natural or legal person or significantly affects a natural person should be allowed when expressly authorised by law, carried out in the course of entering or performance of a contract, or when the data subject has given his consent. In any case, such processing should be subject to suitable safeguards, including specific information of the data subject and the right to obtain human intervention and that such measure should not concern a child.
2013/03/04
Committee: LIBE
Amendment 524 #
Proposal for a regulation
Recital 62
(62) The protection of the rights and freedoms of data subjects as well as the responsibility and liability of controllers and processor, also in relation to the monitoring by and measures of supervisory authorities, requires a clear attribution of the responsibilities under this Regulation, including where a controller determines the purposes, conditions and means of the processing jointly with other controllers or where a processing operation is carried out on behalf of a controller.
2013/03/04
Committee: LIBE
Amendment 525 #
Proposal for a regulation
Recital 62 a (new)
(62a) Exchanges of data between the entity responsible and a party processing data under contract do not constitute communication of data which is subject to the further preconditions for admissibility laid down in the regulation. The joint responsibility arising from a contractual agreement and the uniform level of protection created thereby guarantees careful treatment of personal data. Entities responsible and parties processing data under contract should therefore not be regarded as recipients.
2013/03/04
Committee: LIBE
Amendment 532 #
Proposal for a regulation
Recital 65
(65) In order to demonstrate compliance with this Regulation, the controller or processor should document each processing operation under its responsibility. Each controller and processor should be obliged to co-operate with the supervisory authority and make this documentation, on request, available to it, so that it might serve for monitoring those processing operations.
2013/03/04
Committee: LIBE
Amendment 537 #
Proposal for a regulation
Recital 67
(67) A personal data breach may, if not addressed in an adequate and timely manner, result in substantial economic loss and social harm, including identity fraud, to the individual concerned. Therefore, as soon as the controller becomes aware that such a breach has occurred, the controller should notify the breach to the supervisory authority without undue delay and, where feasible, within 24 hours. Where this cannot achieved within 24 hoursa reasonable time period, an explanation of the reasons for the delay should accompany the notification. The individuals whose personal data could be adversely affected by the breach should be notified without undue delay in order to allow them to take the necessary precautions. A breach should be considered as adversely affecting the personal data or privacy of a data subject where it could result in, for example, identity theft or fraud, physical harm, significant humiliation or damage to reputation. The notification should describe the nature of the personal data breach as well as recommendations as well as recommendations for the individual concerned to mitigate potential adverse effects. Notifications to data subjects should be made as soon as reasonably feasible, and in close cooperation with the supervisory authority and respecting guidance provided by it or other relevant authorities (e.g. law enforcement authorities). For example, the chance for data subjects to mitigate an immediate risk of harm would call for a prompt notification of data subjects whereas the need to implement appropriate measures against continuing or similar data breaches may justify a longer delay.
2013/03/04
Committee: LIBE
Amendment 557 #
Proposal for a regulation
Recital 74 a (new)
(74a) The data protection organisation or the data protection officer monitors the processing of personal data by the controller and the processor in order to advise the controller and the processor on compliance with this Regulation; he or she thereby should assist in ensuring that the rights and freedoms of the data subjects are unlikely to be adversely affected by the processing operations.
2013/03/04
Committee: LIBE
Amendment 558 #
Proposal for a regulation
Recital 74 b (new)
(74b) Data protection organisations or data protection officers act independently, which means that they do not receive instructions as regards the exercise of their function as authority assigned for data protection. The data protection organisation or the data protection officer should directly report to the management of the controller or the processor.
2013/03/04
Committee: LIBE
Amendment 572 #
Proposal for a regulation
Recital 77
(77) In order to enhance transparency and compliance with this Regulation, the establishment of certification mechanisms, data protection seals and marks should be encouraged, allowing data subjects to quickly assess the level of data protection of relevant products and services. After a certification procedure certified enterprises would be classified in having sufficient data protection guarantees installed for appropriate technical security and organisational measures and procedures regarding the requirements of this Regulation to ensure the protection of the right of the data subject.
2013/03/04
Committee: LIBE
Amendment 584 #
Proposal for a regulation
Recital 87
(87) These derogations should in particular apply to data transfers required and necessary for the protection of important grounds of public interest, for example in cwhich should include international data transfers on the baseis of international data transfers betweenagreements or arrangements to third country authorities for example such as competition authorities, tax or customs administrations, financial supervisory authorities, between services competent for social security matters, between bodies responsible for fighting fraud in sports, or to competent authorities for the prevention, investigation, detection and prosecution of criminal offences. Transferring personal data for such important grounds of public interest should only be used for occasional transfers. In each and every case, a careful assessment of all circumstances of the transfer should be to be carried out.
2013/03/04
Committee: LIBE
Amendment 610 #
Proposal for a regulation
Recital 112
(112) Any body, organisation or association which aims to protects the rights and interests of data subjects in relation to the protection of their data and is constituted according to the law of a Member State should have the right to lodge a complaint with a supervisory authority or exercise the right to a judicial remedy on behalf of data subjects, or to lodge, independently of a data subject’s complaint, an own complaint where it considers that a personal data breach has occurred.deleted
2013/03/04
Committee: LIBE
Amendment 615 #
Proposal for a regulation
Recital 114
(114) In order to strengthen the judicial protection of the data subject in situations where the competent supervisory authority is established in another Member State than the one where the data subject is residing, the data subject may request any body, organisation or association aiming to protect the rights and interests of data subjects in relation to the protection of their data to bring on the data subject’s behalf proceedings against that supervisory authority to the competent court in the other Member State.deleted
2013/03/04
Committee: LIBE
Amendment 620 #
Proposal for a regulation
Recital 118
(118) Any damage which a person may suffer as a result of unlawful processing should be compensated by the controller or processor, who may be exempted from liability if they prove that they are not responsible for the damage, in particular where he establishes fault on the part of the data subject or in case of force majeure.
2013/03/04
Committee: LIBE
Amendment 630 #
Proposal for a regulation
Recital 121
(121) The processing of personal data solely for journalistic purposes, or for the purposes of artistic or literary expression should qualify for exemption from the requirements of certain provisions of this Regulation in order to reconcile the right to the protection of personal data with the right to freedom of expression, and notably the right to receive and impart information, as guaranteed in particular by Article 11 of the Charter of Fundamental Rights of the European Union. This should apply in particular to processing of personal data in the audiovisual field and in news archives and press libraries. Therefore, Member States should adopt legislative measures, which should lay down exemptions and derogations which are necessary for the purpose of balancing these fundamental rights. Such exemptions and derogations should be adopted by the Member States on general principles, on the rights of the data subject, on controller and processor, on the transfer of data to third countries or international organisations, on the independent supervisory authorities and on co-operation and consistency. This should not, however, lead Member States to lay down exemptions from the other provisions of this Regulation. In order to take account of the importance of the right to freedom of expression in every democratic society, it is necessary to interpret notions relating to that freedom, such as journalism, broadly. Therefore, Member States should classify activities as ‘journalistic’ for the purpose of the exemptions and derogations to be laid down under this Regulation if the object of these activities is the disclosure to the public of information, opinions or ideas, irrespective of the medium which is used to transmit them. They should not be limited to media undertakings and may be undertaken for profit-making or for non- profit making purposes.
2013/03/04
Committee: LIBE
Amendment 632 #
Proposal for a regulation
Recital 123 a (new)
(123a) The processing of personal data concerning health, as a special category of data, may be necessary for reasons of historical, statistical or scientific research. Therefore this Regulation should ensure that the harmonisation of conditions provided for the processing of personal data concerning health, subject to specific and suitable safeguards so as to protect the fundamental rights and the personal data of individuals, do not act as a barrier to translational, clinical and public health research.
2013/03/04
Committee: LIBE
Amendment 633 #
Proposal for a regulation
Recital 124
(124) The general principles on the protection of individuals with regard to the processing of personal data should also be applicable to the employment context. Therefore, in order to regulate the processing of employees' personal data in the employment context, Member States should be able, within the limits of this Regulation, to adopt by law specific rules for the processing of personal data in the employment sector. By virtue of collective agreements (wage agreements, company agreements and agreements with committees of senior staff), the provisions of the regulation may be disregarded.
2013/03/04
Committee: LIBE
Amendment 656 #
Proposal for a regulation
Recital 134
(134) Directive 95/46/EC should be repealed by this Regulation. However, Commission decisions adopted and authorisations by supervisory authorities based on Directive 95/46/EC should remain in force. This should be also valid for international agreements or arrangements between the EU or a Member state with a third country especially when Directive 95/46/EC was already in force.
2013/03/04
Committee: LIBE
Amendment 668 #
Proposal for a regulation
Article 2 – paragraph 2 – point b
(b) by the Union institutions, bodies, offices and agencies;deleted
2013/03/04
Committee: LIBE
Amendment 674 #
Proposal for a regulation
Article 2 – paragraph 2 – point d
(d) by a natural person without any gainful interest in the course of its own exclusively personal or householdfor a purpose which cannot be attributed either to his trade or to his self-employed professional activity;
2013/03/04
Committee: LIBE
Amendment 678 #
Proposal for a regulation
Article 2 – paragraph 2 – point d a (new)
(da) by small enterprises in the course of its own exclusively activity and strict and exclusively internal use.
2013/03/04
Committee: LIBE
Amendment 684 #
Proposal for a regulation
Article 2 – paragraph 2 – point e a (new)
(ea) for historical, statistical and scientific research purposes;
2013/03/04
Committee: LIBE
Amendment 690 #
Proposal for a regulation
Article 2 – paragraph 2 – point e a (new)
(ea) by churches and religious associations or communities;
2013/03/04
Committee: LIBE
Amendment 694 #
Proposal for a regulation
Article 2 – paragraph 2 – point e b (new)
(eb) made by the employer as part of the treatment of employee personal data in the employment context;
2013/03/04
Committee: LIBE
Amendment 696 #
Proposal for a regulation
Article 2 – paragraph 2 – point e c (new)
(ec) which have been rendered anonymous;
2013/03/04
Committee: LIBE
Amendment 701 #
Proposal for a regulation
Article 3 – paragraph 1
1. This Regulation applies to the processing of personal data of data subjects residing in the Union in the context of the activities of an establishment of a controller or a processor in the Union.
2013/03/04
Committee: LIBE
Amendment 707 #
Proposal for a regulation
Article 3 – paragraph 2 – point a
(a) the offering of goods orand services in the Union to such data subjects, in the Unioncluding services provided without financial costs to the individual; or
2013/03/04
Committee: LIBE
Amendment 710 #
Proposal for a regulation
Article 3 – paragraph 3
3. This Regulation applies to the processing of personal data by a controller which is not established in the Union, but in a place where the national law of a Member State applies by virtue of public international law.
2013/03/04
Committee: LIBE
Amendment 717 #
Proposal for a regulation
Article 4 – paragraph 1 – point 1
(1) ‘data subject’ means an identified natural person or a natural person who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person working together with the controller, in particular by reference to an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person; and who is not acting in his/her professional capacity;
2013/03/04
Committee: LIBE
Amendment 730 #
Proposal for a regulation
Article 4 – paragraph 1 – point 2 a (new)
(2a) ‘pseudonymous data’ means any personal data that has been collected, altered or otherwise processed so that it of itself cannot be attributed to a data subject without the use of additional data which is subject to separate and distinct technical and organisational controls to ensure such non attribution, or that such attribution would require a disproportionate amount of time, expense and effort;
2013/03/04
Committee: LIBE
Amendment 734 #
Proposal for a regulation
Article 4 – paragraph 1 – point 2 b (new)
(2b) ‘anonymous data’ means any personal data that has been collected, altered or otherwise processed in such a way that it can no longer be attributed to a data subject; anonymous data shall not be considered personal data;
2013/03/04
Committee: LIBE
Amendment 736 #
Proposal for a regulation
Article 4 – paragraph 1 – point 2 c (new)
(2c) ‘identification number’ means any numeric, alphanumeric or similar code typically used in the online space, excluding codes assigned by a public or state controlled authority to identify a natural person as an individual;
2013/03/04
Committee: LIBE
Amendment 748 #
Proposal for a regulation
Article 4 – paragraph 1 – point 5
(5) ‘controller’ means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes, conditions and means of the processing of personal data; where the purposes, conditions and means of processing are determined by Union law or Member State law, the controller or the specific criteria for his nomination may be designated by Union law or by Member State law;
2013/03/04
Committee: LIBE
Amendment 765 #
Proposal for a regulation
Article 4 – paragraph 1 – point 8
(8) ‘the data subject’s consent’ means any freely given specific, informed and explicitunambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed; Silence or inactivity does not in itself indicate acceptance;
2013/03/04
Committee: LIBE
Amendment 774 #
Proposal for a regulation
Article 4 – paragraph 1 – point 10
(10) ‘genetic data’ means all data, of whatever type, concerning the characteristics of an individual which are inherited or acquired during early prenatal developmentinformation on the hereditary characteristics, or alteration thereof, of an identified or identifiable person, obtained through nucleic acid analysis;
2013/03/04
Committee: LIBE
Amendment 786 #
Proposal for a regulation
Article 4 – paragraph 1 – point 13
(13) ‘main establishment’ means as regards the controller, the place of its establishment in the Union where the main decisions as to the purposes, conditions and meansthe location as determined by the data controller or data processor on the basis of the following transparent and objective criteria: the location of the pgrocessing of personal data are taken; if no decisions as to the purposes, conditions and means of the processing of personal data are taken in the Union, the main establishment is the place where the main processing activities in the context of the activities ofup’s European headquarters, or, the location of the company within the group with delegated data protection responsibilities, or, the location of the company which is best placed (in terms of management function, administrative capability etc) to address and establishment of a controller in the Union take place. As regards the processor, ‘main establishment’ means the place of its central administration in the Unionnforce the rules as set out in this Regulation, or, the place where the main decisions as to the purposes of processing are taken for the regional group;
2013/03/04
Committee: LIBE
Amendment 790 #
Proposal for a regulation
Article 4 – paragraph 1 – point 13 a (new)
(13a) ‘competent supervisory authority’ means the supervisory authority which shall be solely competent for the supervision of a controller in accordance with Article 51(2), (3) and (4);
2013/03/04
Committee: LIBE
Amendment 793 #
Proposal for a regulation
Article 4 – paragraph 1 – point 14
(14) ‘representative’ means any natural or legal person established in the Union who, explicitly designated by the controller, acts and mayshall be addressed by anythe competent supervisory authority and other bodies in the Union instead of the controller, with regard to the obligations of the controller under this Regulation;
2013/03/04
Committee: LIBE
Amendment 795 #
Proposal for a regulation
Article 4 – paragraph 1 – point 17
(17) ‘binding corporate rules’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State of the Union for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings in or outside the Union;
2013/03/04
Committee: LIBE
Amendment 797 #
Proposal for a regulation
Article 4 – paragraph 1 – point 18
(18) ‘child’ means any person below the age of 183 years;
2013/03/04
Committee: LIBE
Amendment 802 #
Proposal for a regulation
Article 4 – paragraph 1 – point 19
(19) ‘supervisory authority’ means a public authority which is established by a Member State in accordance with Article 46Does not affect the English version.
2013/03/04
Committee: LIBE
Amendment 803 #
Proposal for a regulation
Article 4 – paragraph 1 – point 19 a (new)
(19a) ‘financial crime’ means criminal offences in connection with organised crime, racketeering, terrorism, terrorist financing, trafficking in human beings, migrant smuggling, sexual exploitation, trafficking in narcotic drugs and psychotropic substances, illegal arms trafficking, trafficking in stolen goods, corruption, bribery, fraud, counterfeiting currency, counterfeiting and piracy of products, environmental offences, kidnapping, illegal restraint and hostage- taking, robbery, theft, smuggling, offences related to taxation, extortion, forgery, piracy, insider trading and market manipulation.
2013/03/04
Committee: LIBE
Amendment 807 #
Proposal for a regulation
Article 4 – paragraph 1 – point 19 a (new)
(19a) ‘blocking’ means marking stored personal data in order to restrict their further processing;
2013/03/04
Committee: LIBE
Amendment 828 #
Proposal for a regulation
Article 5 – paragraph 1 – point d
(d) accurate and where necessary kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without undue delay;
2013/03/04
Committee: LIBE
Amendment 832 #
Proposal for a regulation
Article 5 – paragraph 1 – point e
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the data will be processed solely for historical, statistical or scientific research purposes in accordance with the rules and conditions of Articles 81 and 83 and if a periodic review is carried out to assess the necessity to continue the storage;
2013/03/04
Committee: LIBE
Amendment 845 #
Proposal for a regulation
Article 5 – paragraph 1 – point f
(f) processed under the responsibility and liability of the controller, who shall ensure and demonstrate for each processing operation the compliance with the provisions of this Regulation. , if required to do so, demonstrate compliance of the controller’s processing with the provisions of this Regulation to the supervisory authority having competence under Article 51(2).
2013/03/04
Committee: LIBE
Amendment 856 #
Proposal for a regulation
Article 6 – paragraph 1 – point b
(b) processing is necessary for the performance of a contractr execution of a contract or of collective agreements and company- level agreements, to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
2013/03/04
Committee: LIBE
Amendment 857 #
Proposal for a regulation
Article 6 – paragraph 1 – point c
(c) processing is necessary for compliance with a legal obligation to which the controller is subjectr contractual obligation based in Union or national law of a Member State, regulatory rule, guidance, industry code of practice, either domestically or internationally or for a permission of supervisory requirement or a different legal rule to which the controller is subject including the requirements of supervisory authorities;
2013/03/04
Committee: LIBE
Amendment 864 #
Proposal for a regulation
Article 6 – paragraph 1 – point c
(c) processing is necessary for compliance with a legal obligation to which the controller, the group of companies of which the controller is a member or any other member of that group of companies is subject;
2013/03/04
Committee: LIBE
Amendment 867 #
Proposal for a regulation
Article 6 – paragraph 1 – point d a (new)
(da) processing of data necessary to ensure network and information security;
2013/03/04
Committee: LIBE
Amendment 869 #
Proposal for a regulation
Article 6 – paragraph 1 – point e
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or the third party to whom the data is transferred;
2013/03/04
Committee: LIBE
Amendment 878 #
Proposal for a regulation
Article 6 – paragraph 1 – point f
(f) processing is necessary for the purposes of the legitimate interests pursued by a controller, or on behalf of a controller or a processor, or by a third party or parties in whose interest the data is processed, including for the security of processing, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply tosuch as in the case of processing data pertaining to a child. The interest or fundamental rights and freedoms of the data subject shall not override processing carried out by public authorities in the performance of their tasks.
2013/03/04
Committee: LIBE
Amendment 890 #
Proposal for a regulation
Article 6 – paragraph 1 – point f a (new)
(fa) the data are collected from public registers lists or documents accessible by everyone;
2013/03/04
Committee: LIBE
Amendment 894 #
Proposal for a regulation
Article 6 – paragraph 1 – point f b (new)
(fb) processing is necessary for fraud detection and prevention purposes according to applicable financial regulation or established industry, or professional body, codes of practice;
2013/03/04
Committee: LIBE
Amendment 898 #
Proposal for a regulation
Article 6 – paragraph 1 – point f c (new)
(fc) processing is limited to pseudonymised data, where the data subject is adequately protected and the recipient of the service is given a right to object pursuant to Article 19(3);
2013/03/04
Committee: LIBE
Amendment 900 #
Proposal for a regulation
Article 6 – paragraph 1 – point f d (new)
(fd) processing is necessary for the purpose of anonymisation or pseudonymisation of personal data;
2013/03/04
Committee: LIBE
Amendment 901 #
Proposal for a regulation
Article 6 – paragraph 1 – point f e (new)
(fe) processing is necessary for legitimate internal purposes of groups of undertakings and where the interests of the data subjects concern are sufficiently addressed by internal data protection provisions or equivalent code of conducts as referred to Article 38c;
2013/03/04
Committee: LIBE
Amendment 921 #
Proposal for a regulation
Article 6 – paragraph 2 a (new)
2a. Processing of pseudonymised data to safeguard the legitimate interests pursued by a controller shall be lawful, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks.
2013/03/04
Committee: LIBE
Amendment 922 #
Proposal for a regulation
Article 6 – paragraph 2 a (new)
2a. Processing of pseudonymised data to safeguard the legitimate interests pursued by a controller shall be lawful, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks.
2013/03/04
Committee: LIBE
Amendment 927 #
Proposal for a regulation
Article 6 – paragraph 3 – subparagraph 1 – point b a (new)
(ba) international conventions to which the Union or a Member State is a party.
2013/03/04
Committee: LIBE
Amendment 931 #
Proposal for a regulation
Article 6 – paragraph 3 – subparagraph 1 a (new)
These provisions may regulate details of the lawfulness of processing, particularly as regards data controllers, the purpose of processing and purpose limitation, the nature of the data and the data subjects, processing measures and procedures, recipients, and the duration of storage.
2013/03/04
Committee: LIBE
Amendment 945 #
Proposal for a regulation
Article 6 – paragraph 4
4. Where the purpose of further processing is not compatible with the one for which the personal data have been collected, the processing must have a legal basis at least in one of the grounds referred to in points (a) to (e) of paragraph 1. This shall in particular apply to any change of terms and general conditions of a contract.
2013/03/04
Committee: LIBE
Amendment 964 #
Proposal for a regulation
Article 6 – paragraph 5
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the conditions referred to in point (f) of paragraph 1 for various sectors and data processing situations, including as regards the processing of personal data related to a child.
2013/03/04
Committee: LIBE
Amendment 966 #
Proposal for a regulation
Article 6 – paragraph 5
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the conditions referred to in point (f) of paragraph 1 for various sectors and data processing situations, including as regards the processing of personal data related to a child.
2013/03/04
Committee: LIBE
Amendment 970 #
Proposal for a regulation
Article 7 – paragraph 2
2. If the data subject's consent is to be given in the context of a written or an electronic declaration which also concerns another matter, the requirement to give consent must be presented distinguishable in its appearance from this other matter.
2013/03/04
Committee: LIBE
Amendment 988 #
Proposal for a regulation
Article 7 – paragraph 4
4. Consent shall not provide a legal basis for the processing, where there is a significant imbalance between the position of the data subject and the controller.deleted
2013/03/04
Committee: LIBE
Amendment 1013 #
Proposal for a regulation
Article 8 – paragraph 1
1. For the purposes of this Regulation, in relation to the offering of information society services directly to a child, the processing of personal data of a child below the age of 13 years shall only be lawful if and to the extent that consent is given or authorised by the child's parent or custodian, without prejudice of Article 6(1). The controller shall make reasonable efforts to obtain verifiable consentprovide notice and obtain meaningful, verifiable consent (e.g. by obtaining the consent from the email address of the parent or the custodian), taking into consideration available technology.
2013/03/04
Committee: LIBE
Amendment 1014 #
Proposal for a regulation
Article 8 – paragraph 1 a (new)
1a. For the purposes of this Regulation, in relation to the offering of information society services directly to a child, the processing of personal data of a child below the age of 18 years shall only be lawful if and to the extent that consent is given or authorised by the child's parent or custodian, using the parent or custodian's email address. The controller shall make reasonable efforts to obtain verifiable consent, taking into consideration available technology.
2013/03/04
Committee: LIBE
Amendment 1015 #
Proposal for a regulation
Article 8 – paragraph 1 a (new)
1a. The information provided in order to express the consent should be given in a clear and age-appropriate language, in a way that would be easy to understand for the child above the age of 13 years.
2013/03/04
Committee: LIBE
Amendment 1017 #
Proposal for a regulation
Article 8 – paragraph 1 b (new)
1b. The methods to obtain meaningful consent shall not lead to additional processing of personal data of the child concerned.
2013/03/04
Committee: LIBE
Amendment 1018 #
Proposal for a regulation
Article 8 – paragraph 1 b (new)
1b. The methods to obtain meaningful consent shall not lead to additional processing of personal data of the child concerned.
2013/03/04
Committee: LIBE
Amendment 1019 #
Proposal for a regulation
Article 8 – paragraph 1 c (new)
1c. Where services referred to in paragraph 1 are particularly appropriate and suitable for a child and have been notified and are controlled by the relevant national authorities, the requirements referred to in paragraph 1 do not apply.
2013/03/04
Committee: LIBE
Amendment 1022 #
Proposal for a regulation
Article 8 – paragraph 3
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the methods to obtain verifiable consent referred to in paragraph 1. In doing so, the Commission shall consider specific measures for micro, small and medium-sized enterprises.
2013/03/04
Committee: LIBE
Amendment 1026 #
Proposal for a regulation
Article 8 – paragraph 3
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the methods to obtain verifiable consent referred to in paragraph 1. In doing so, the Commission shall consider specific measures for micro, small and medium-sized enterprises.
2013/03/04
Committee: LIBE
Amendment 1039 #
Proposal for a regulation
Article 9 – paragraph 1
1. The processing of personal data, revealing race or ethnic origin, political opinions, religion or beliefs, trade-union membership, and the processing of genetic data or data concerning health or sex life or criminal convictions, criminal offences, including offences and matters which have not lead to conviction, significant social problems, or related security measures shall be prohibited.
2013/03/04
Committee: LIBE
Amendment 1048 #
Proposal for a regulation
Article 9 – paragraph 2 – point a a (new)
(aa) processing is necessary for the performance or execution of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
2013/03/04
Committee: LIBE
Amendment 1049 #
Proposal for a regulation
Article 9 – paragraph 2 – point b
(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller in the field of employment law or collective agreements on the labour market in so far as it is authorised by Union law or Member State law providing for adequate safeguards; or
2013/03/04
Committee: LIBE
Amendment 1062 #
Proposal for a regulation
Article 9 – paragraph 2 – point f
(f) processing is necessary for the establishment, exercise or defence of legal claims or the legally justified fulfilment of claims of third parties affected; or
2013/03/04
Committee: LIBE
Amendment 1069 #
Proposal for a regulation
Article 9 – paragraph 2 – point h
(h) processing of data concerning health is necessary for health purposes, including for historical, statistical or scientific research and subject to the conditions and safeguards referred to in Article 81; or
2013/03/04
Committee: LIBE
Amendment 1073 #
Proposal for a regulation
Article 9 – paragraph 2 – point h a (new)
(ha) processing is limited to pseudonymised data, where the data subject is adequately protected and the recipient of the service is given a right to object pursuant to Article 19(3) and the processing is necessary for the purpose of the legitimate interest pursued by the controller or a third party.
2013/03/04
Committee: LIBE
Amendment 1084 #
Proposal for a regulation
Article 9 – paragraph 2 – point j a (new)
(ja) processing of data concerning health is necessary for private social protection, especially by providing income security or tools to manage risks that are in the interests of the data subject and his or her dependants and assets, or by enhancing inter-generational equity by means of distribution.
2013/03/04
Committee: LIBE
Amendment 1086 #
Proposal for a regulation
Article 9 – paragraph 2 – point j b (new)
(jb) processing is necessary for legitimate internal purposes of groups of undertakings and where the interests of the data subjects concern are sufficiently addressed by internal data protection provisions or equivalent code of conducts as referred to in Article 38c.
2013/03/04
Committee: LIBE
Amendment 1088 #
Proposal for a regulation
Article 9 – paragraph 3
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria, conditions and appropriate safeguards for the processing of the special categories of personal data referred to in paragraph 1 and the exemptions laid down in paragraph 2.
2013/03/04
Committee: LIBE
Amendment 1103 #
Proposal for a regulation
Article 10 – paragraph 1
If the data processed by a controller do not permit the controller or a processor to identify a natural person, in particular when rendered anonymous or pseudononymous the controller shall not be obliged to process or acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation.
2013/03/04
Committee: LIBE
Amendment 1127 #
Proposal for a regulation
Article 12 – paragraph 2
2. The controller shall inform the data subject without delay and, at the latest within one month of receipt of the request, whether or not any action has been taken pursuant to Article 13 and Articles 15 to 19 and shall provide the requested information. This period may be prolonged for a further month, if several data subjects exercise their rights and their cooperation is necessary to a reasonable extent to prevent an unnecessary and disproportionate effort on the part of the controller. The information shall be given in writing. Where the data subject makes the request in electronic form, the information shall be provided in electronic form, unless otherwise requested by the data subject.
2013/03/04
Committee: LIBE
Amendment 1148 #
Proposal for a regulation
Article 12 – paragraph 5
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and conditions for the manifestly excessive requests and the fees referred to in paragraph 4.
2013/03/04
Committee: LIBE
Amendment 1156 #
Proposal for a regulation
Article 12 – paragraph 6
6. The Commission may lay down standard forms and specifying standard procedures for the communication referred to in paragraph 2, including the electronic format. In doing so, the Commission shall take the appropriate measures for micro, small and medium- sized enterprises. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).deleted
2013/03/04
Committee: LIBE
Amendment 1164 #
Proposal for a regulation
Article 13 – title
Rights in relation to recipientsNotification requirement in the event of rectification and erasure
2013/03/04
Committee: LIBE
Amendment 1176 #
Proposal for a regulation
Article 14 – paragraph 1 – introductory part
1. Where personal data relating to a data subject are collected, the controller shall provide the data subject with at least the following information:. The following paragraphs do not apply to small enterprises in the course of their own activity and for data which is strictly and exclusively for their internal use.
2013/03/04
Committee: LIBE
Amendment 1180 #
Proposal for a regulation
Article 14 – paragraph 1 – point a
(a) the identity and the contact details of the controller and, if any, of the controller's representative and of the data protection officer;
2013/03/04
Committee: LIBE
Amendment 1189 #
Proposal for a regulation
Article 14 – paragraph 1 – point b
(b) the purposes of the processing for which the personal data are intended, including the contract terms and general conditions where the processing is based on point (b) of Article 6(1) and the legitimate interests pursued by the controller where the processing is based on point (f) of Article 6(1);
2013/03/06
Committee: LIBE
Amendment 1193 #
Proposal for a regulation
Article 14 – paragraph 1 – point c
(c) the period for which the personal data will be stordeleted;
2013/03/06
Committee: LIBE
Amendment 1201 #
Proposal for a regulation
Article 14 – paragraph 1 – point d
(d) the existence of the right to request from the controller access to and rectification or erasure of the personal data concerning the data subject orand to object to the processing of such personal data;
2013/03/06
Committee: LIBE
Amendment 1203 #
Proposal for a regulation
Article 14 – paragraph 1 – point e
(e) the right to lodge a complaint to the supervisory authority and the contact details of the supervisory authority;deleted
2013/03/06
Committee: LIBE
Amendment 1215 #
Proposal for a regulation
Article 14 – paragraph 1 – point h
(h) any further information necessary to guarantee fair processing in respect of the data subject, having regard to the specific circumstances in which the personal data are collecdeleted.
2013/03/06
Committee: LIBE
Amendment 1222 #
Proposal for a regulation
Article 14 – paragraph 2
2. Where the personal data are collected from the data subject, the controller shall inform the data subject, in addition to the information referred to in paragraph 1, whether the provision of personal data is obligatory or voluntary, as well as the possible consequences of failure to provide such data.
2013/03/06
Committee: LIBE
Amendment 1226 #
Proposal for a regulation
Article 14 – paragraph 3
3. Where the personal data are not collected from the data subject, the controller shall inform the data subject, in addition to the information referred to in paragraph 1, from which source the personal data originate except where the data originate from a publicly available source or where the transfer is provided by law or the processing is used for purposes relating to the professional activities of the person concerned.
2013/03/06
Committee: LIBE
Amendment 1238 #
Proposal for a regulation
Article 14 – paragraph 4 – point b
(b) where the personal data are not collected from the data subject, at the time of the recording or within a reasonable period after the collection, having regard to the specific circumstances in which the data are collected or otherwise processed, or, if a disclosure to another recipient is envisaged, and at the latest when the data are first disclosed; or, if the data shall be used for communication with the person concerned, at the latest at the time of the first communication to that person.
2013/03/06
Committee: LIBE
Amendment 1248 #
Proposal for a regulation
Article 14 – paragraph 5 – point b
(b) the data are not collected from the data subject or the data processes do not allow the verification of identity and the provision of such information proves impossible or would involve a disproportionate effort such as by generating excessive administrative burden, especially when the processing is carried out by a SME; or
2013/03/06
Committee: LIBE
Amendment 1250 #
Proposal for a regulation
Article 14 – paragraph 5 – point c
(c) the data are not collected from the data subject and recording or disclosure is expressly laid down by law; or
2013/03/06
Committee: LIBE
Amendment 1253 #
Proposal for a regulation
Article 14 – paragraph 5 – point d
(d) the data are not collected from the data subject and the provision of such information will impair the rights and freedoms of others, as defined in Union law or Member State law in accordance with Article 21.; or
2013/03/06
Committee: LIBE
Amendment 1262 #
Proposal for a regulation
Article 14 – paragraph 5 – point d a (new)
(da) the data originates from publicly available sources; or
2013/03/06
Committee: LIBE
Amendment 1266 #
Proposal for a regulation
Article 14 – paragraph 5 – point d b (new)
(db) the data must be kept secret in accordance with legislation or by virtue of their nature, particularly because of a legitimate overriding interest of a third party.
2013/03/06
Committee: LIBE
Amendment 1268 #
Proposal for a regulation
Article 14 – paragraph 5 – point d c (new)
(dc) the data are processed in the exercise of his profession by, or are entrusted or become known to, a person who is subject to an obligation of professional secrecy regulated by the State or to a statutory obligation of secrecy.
2013/03/06
Committee: LIBE
Amendment 1279 #
Proposal for a regulation
Article 14 – paragraph 7
7. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria for categories of recipients referred to in point (f) of paragraph 1, the requirements for the notice of potential access referred to in point (g) of paragraph 1, the criteria for the further information necessary referred to in point (h) of paragraph 1 for specific sectors and situations, and the conditions and appropriate safeguards for the exceptions laid down in point (b) of paragraph 5. In doing so, the Commission shall take the appropriate measures for micro, small and medium-sized- enterprises.
2013/03/06
Committee: LIBE
Amendment 1296 #
Proposal for a regulation
Article 15 – paragraph 1 – introductory part
1. TOnly the data subject shall have the right to obtain from the controller at any time, on request, confirmation as to whether or not personal data relating to the data subject are being processed unless this request is manifestly excessive according to 12 (4). Where such personal data are being processed, the controller shall - so far as the data subject has not received - provide the following information:
2013/03/06
Committee: LIBE
Amendment 1311 #
Proposal for a regulation
Article 15 – paragraph 1 – point d
(d) if known the period for which the personal data will be stored;
2013/03/06
Committee: LIBE
Amendment 1324 #
Proposal for a regulation
Article 15 – paragraph 2
2. The data subject shall have the right to obtain from the controller communication of the personal data undergoing processing. Where the data subject makes the request in electronic form, the information shall be provided in electronic form, unless otherwise requested by the data subject.deleted
2013/03/06
Committee: LIBE
Amendment 1345 #
Proposal for a regulation
Article 15 – paragraph 2 a (new)
2a. Successors in right and title must be able to exercise the right of access to data in the event of the death of the data subject.
2013/03/06
Committee: LIBE
Amendment 1357 #
Proposal for a regulation
Article 15 – paragraph 3
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the communication to the data subject of the contentdata subject shall have the right, where personal data are processed by electronic means and in a structured and commonly used format, to obtain from the controller a copy of data which were provided by the data subject itself and that undergoing processing in an electronic and structured format which is commonly used and allows for further use by the data subject. This right shall not restrict rights of others as trade secrets or intellectual property rights. This does not apply on the processing of anonymised and pseudonymised data, insofar as the data subject is not sufficiently identifiable ofn the personal data referbasis of such data or identification would required to in point (g) of paragraph 1he controller to undo the process of pseudonymisation.
2013/03/06
Committee: LIBE
Amendment 1358 #
Proposal for a regulation
Article 15 – paragraph 3 a (new)
3a. There shall be no right to information where: (a) data are involved which a person bound by professional secrecy is required to protect; (b) data must be kept secret in accordance with legislation or by virtue of their nature, particularly because of the overriding interest of a third party; (c) the public entity responsible has ascertained in relation to the entity responsible that disclosure of the data would endanger public safety or order; (d) data comprise trade secrets.
2013/03/06
Committee: LIBE
Amendment 1376 #
Proposal for a regulation
Article 16 – paragraph 1 a (new)
Paragraph 1 shall not apply to pseudonymous data.
2013/03/06
Committee: LIBE
Amendment 1377 #
Proposal for a regulation
Article 16 – paragraph 1 a (new)
Successors in right and title must be able to exercise the right of rectification in the event of the death of the data subject.
2013/03/06
Committee: LIBE
Amendment 1381 #
Proposal for a regulation
Article 17 – title
Right to be forgotten and to erasure
2013/03/06
Committee: LIBE
Amendment 1385 #
Proposal for a regulation
Article 17 – paragraph 1 – introductory part
1. The data subject shall have the right to obtain from the controller the erasure of personal data relating to them and the abstention from further dissemination of such data, especially in relation to personal data which are made available by the data subject while he or she was a childitself, where one of the following grounds applies:
2013/03/06
Committee: LIBE
Amendment 1392 #
Proposal for a regulation
Article 17 – paragraph 1 – point a
(a) the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed and the legally mandatory minimum retention period has expired;
2013/03/06
Committee: LIBE
Amendment 1407 #
Proposal for a regulation
Article 17 – paragraph 1 a (new)
1a. Successors in right and title must be able to exercise the right of erasure in the event of the death of the data subject.
2013/03/06
Committee: LIBE
Amendment 1420 #
Proposal for a regulation
Article 17 – paragraph 2
2. Where the controller referred to in paragraph 1 has made the personal data public, it shall take all reasonable steps, including technical measures, in relation to data for the publication of which the controller is responsible, to inform third parties which are processing such data, that a data subject requests them to erase any links to, or copy or replication of that personal data. Where the controller has authorised a third party publication of personal data, the controller shall be considered responsible for that publication. Anonymised data, pseudonymised data and encrypted data are exempted, where compliance with this provision would require the controller to undo the process of anonymisation, pseudonymisation or encryption.
2013/03/06
Committee: LIBE
Amendment 1430 #
Proposal for a regulation
Article 17 – paragraph 3 – point b
(b) for rheasons of public interest in the area of public health in accordance with Article 81lth proposes in accordance with Article 81 and for maintaining medical records and other health research purposes;
2013/03/06
Committee: LIBE
Amendment 1440 #
Proposal for a regulation
Article 17 – paragraph 3 – point d
(d) for compliance with a legal obligation to retain the personal data by Union or Member State law to which the controller is subject; Member State laws shall meet an objective of public interest, respect the essence of the right to the protection of personal data and be proportionate to the legitimate aim pursuedcontract to which the data subject is party or for compliance with a legal obligation or other requirements of a supervisory body or other legal requirements to retain the personal data by Union or Member State law to which the controller is subject;
2013/03/06
Committee: LIBE
Amendment 1446 #
Proposal for a regulation
Article 17 – paragraph 3 – point e a (new)
(ea) for prevention or detection of fraud or other financial crime, confirming identity or determining creditworthiness.
2013/03/06
Committee: LIBE
Amendment 1454 #
Proposal for a regulation
Article 17 – paragraph 4 – introductory part
4. Instead of erasure, the controller shall restrict processing of personal datadata shall be blocked where:
2013/03/06
Committee: LIBE
Amendment 1458 #
Proposal for a regulation
Article 17 – paragraph 4 – point b
(b) the controller no longer needs the personal data for the accomplishment of its task but they have to be maintained for purposes of proof or for compliance with legal record obligations;
2013/03/06
Committee: LIBE
Amendment 1465 #
Proposal for a regulation
Article 17 – paragraph 4 – point d a (new)
(da) or, on account of the particular type of storage, erasure would be impossible or would involve disproportionate efforts.
2013/03/06
Committee: LIBE
Amendment 1468 #
Proposal for a regulation
Article 17 – paragraph 5
5. Personal data referred to in paragraph 4 may, with the exception of storage, only be processed for purposes of proof or for compliance with legal record obligations, or with the data subject's consent, or for the protection of the rights of another natural or legal person or for an objective of public interest.
2013/03/06
Committee: LIBE
Amendment 1492 #
Proposal for a regulation
Article 18
Article 18 Right to data portability 1. The data subject shall have the right, where personal data are processed by electronic means and in a structured and commonly used format, to obtain from the controller a copy of data undergoing processing in an electronic and structured format which is commonly used and allows for further use by the data subject. 2. Where the data subject has provided the personal data and the processing is based on consent or on a contract, the data subject shall have the right to transmit those personal data and any other information provided by the data subject and retained by an automated processing system, into another one, in an electronic format which is commonly used, without hindrance from the controller from whom the personal data are withdrawn. 3. The Commission may specify the electronic format referred to in paragraph 1 and the technical standards, modalities and procedures for the transmission of personal data pursuant to paragraph 2. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).deleted
2013/03/06
Committee: LIBE
Amendment 1537 #
Proposal for a regulation
Article 19 – paragraph 2
2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object free of charge to the processing of their personal data for such marketing. This right shall be explicitly offered to the data subject in an intelligible manner and shall be clearly distinguishable from other information. This right shall include a right to object to the collection and use of personal data obtained through online tracking of the data subject's preferences and behaviour across websites. Where a data subject expresses this right to object through technical means, such as a browser setting, controllers and processors shall respect such objection, consistent with technical industry standards, and must obtain the consent of the data subject to process personal data derived from online tracking for marketing purposes. Consent to online tracking shall enable persistent online tracking across all websites unless such consent is subsequently revoked by the data subject.
2013/03/06
Committee: LIBE
Amendment 1540 #
Proposal for a regulation
Article 19 – paragraph 3
3. Where an objection is upheld pursuant to paragraphs 1, 2 and 2,3a the controller shall no longer use or otherwise process the personal data concerned.
2013/03/06
Committee: LIBE
Amendment 1543 #
Proposal for a regulation
Article 19 – paragraph 3 a (new)
3a. Where pseudonymised data is processed pursuant to Article 6(1) the data subject shall have the right to object free of charge. This right shall be offered to the data subject in an intelligible manner and shall be clearly distinguishable from other information.
2013/03/06
Committee: LIBE
Amendment 1549 #
Proposal for a regulation
Article 20 – paragraph 1
1. Every ndatural persona subject shall have the right not to be subject to a measureprocessing of personal data which produces adverse legal effects concerning this ndatural person or significanta subject or comparably affects this natural person, and which is based solely on automated processing intended to evaluate certain personal aspects relating to this ndatural persona subject or to analyse or predict in particular the ndatural persona subject's performance at work, economic situation, location, health, personal preferences, reliability or behaviour.
2013/03/06
Committee: LIBE
Amendment 1572 #
Proposal for a regulation
Article 20 – paragraph 2 – point b
(b) is expressly authorized by a Union or Member State lawlegal basis which also lays down suitable measures to safeguard the data subject's legitimate interests; or
2013/03/06
Committee: LIBE
Amendment 1585 #
Proposal for a regulation
Article 20 – paragraph 2 – point c a (new)
(ca) is limited to pseudonymised data. Such pseudonymised data must not be collated with data on the bearer of the pseudonym. Article19(3a) shall apply correspondingly.
2013/03/06
Committee: LIBE
Amendment 1598 #
Proposal for a regulation
Article 20 – paragraph 3
3. Automated processing of personal data intended to evaluate certain personal aspects relating to a natural person shall not be based solely on the special categories of personal data referred to in Article 9. unless the data subject has given consent.
2013/03/06
Committee: LIBE
Amendment 1603 #
Proposal for a regulation
Article 20 – paragraph 3 a (new)
3a. In any case, children should not be subject to measures of profiling, as referred to in paragraph 1.
2013/03/06
Committee: LIBE
Amendment 1616 #
Proposal for a regulation
Article 20 – paragraph 5
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and conditions for suitable measures to safeguard the data subject's legitimate interests referred to in paragraph 2.
2013/03/06
Committee: LIBE
Amendment 1619 #
Proposal for a regulation
Article 21 – title
RExtensions and restrictions
2013/03/06
Committee: LIBE
Amendment 1624 #
Proposal for a regulation
Article 21 – paragraph 1 – introductory part
1. Union or Member State law may extend or restrict by way of a legislative measure the scope of the obligations and rights provided for in points (a) to (e) of Article 5 and Articles 11 to 20 and Article 32, when such an extension or restriction constitutes a necessary and proportionate measure in a democratic society to safeguard:
2013/03/06
Committee: LIBE
Amendment 1626 #
Proposal for a regulation
Article 21 – paragraph 1 – point a a(new)
(aa) national security;
2013/03/06
Committee: LIBE
Amendment 1627 #
Proposal for a regulation
Article 21 – paragraph 1 – point a b (new)
(ab) defence;
2013/03/06
Committee: LIBE
Amendment 1630 #
Proposal for a regulation
Article 21 – paragraph 1 – point b a (new)
(ba) in cases where pseudonymised data is used;
2013/03/06
Committee: LIBE
Amendment 1687 #
Proposal for a regulation
Article 22 – paragraph 3
3. The controller shall implement mechanisms to ensure the verification of the effectiveness of the measures referred to in paragraphs 1 and 2. If proportionate, this verification shall be carried out by independent internal or external auditors.deleted
2013/03/06
Committee: LIBE
Amendment 1701 #
Proposal for a regulation
Article 22 – paragraph 4
4. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of specifying any further criteria and requirements for appropriate measures referred to in paragraph 1 other than those already referred to in paragraph 2, the conditions for the verification and auditing mechanisms referred to in paragraph 3 and as regards the criteria for proportionality under paragraph 3, and considering specific measures for micro, small and medium-sized-enterprises.
2013/03/06
Committee: LIBE
Amendment 1711 #
Proposal for a regulation
Article 23 – paragraph 1
1. Having regard to the state of the art and, the cost of implementation and international best practices, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject. Notwithstanding, the controller should only be burdened with measures that are proportionate to the risk of data processing reflected by the nature of the personal data to be processed.
2013/03/06
Committee: LIBE
Amendment 1723 #
Proposal for a regulation
Article 23 – paragraph 2
2. The controller shall implement mechanisms for ensuring that, by default, only those personal data are processed which are necessary for each specific purpose of the processing and are especially not collected or retained beyond the minimum necessary for those purposes, both in terms of the amount of the data and the time of their storage. In particular, those mechanisms shall ensure that by default personal data are not made accessible to an indefSuch measures and procedures shall: (a) take due account of existing technical standards and regulations in the area of public safety and security (b) follow the principle of technology, service and business model neutrality (c) be based on global industry-led efforts and standards (d) take due account of inite number of individualrnational developments.
2013/03/06
Committee: LIBE
Amendment 1734 #
Proposal for a regulation
Article 23 – paragraph 3
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of specifying any further criteria and requirements for appropriate measures and mechanisms referred to in paragraph 1 and 2, in particular for data protection by design requirements applicable across sectors, products and services.
2013/03/06
Committee: LIBE
Amendment 1750 #
Proposal for a regulation
Article 24 – paragraph 1
Where a controller determines the purposes, conditions and means of the processing of personal data jointly with others, the joint controllers shall determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the procedures and mechanisms for exercising the rights of the data subject, by means of an arrangement between them.
2013/03/06
Committee: LIBE
Amendment 1778 #
Proposal for a regulation
Article 26 – paragraph 2 – introductory part
2. The carrying out of processing by a processor shall be governed by a contract or other legal act binding the processor to the controller and stipulating in particular that the processor shall. The controller and the processor shall be free to determine respective roles and responsibilities with respect to the requirements of this Regulation and shall provide for the following:
2013/03/06
Committee: LIBE
Amendment 1784 #
Proposal for a regulation
Article 26 – paragraph 2 – point d
(d) enlist another processor only with the prior permission of the controller;deleted
2013/03/06
Committee: LIBE
Amendment 1788 #
Proposal for a regulation
Article 26 – paragraph 2 – point e
(e) insofar as this is possible given the nature of the processing, create in agreement with the controller the necessary technical and organisational requirements for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III;deleted
2013/03/06
Committee: LIBE
Amendment 1792 #
Proposal for a regulation
Article 26 – paragraph 2 – point f
(f) assist the controller in ensuring compliance with the obligations pursuant to Articles 30 to 34;deleted
2013/03/06
Committee: LIBE
Amendment 1796 #
Proposal for a regulation
Article 26 – paragraph 2 – point g
(g) hand over all results to the controller after the end of the processing and not process the personal data otherwise;deleted
2013/03/06
Committee: LIBE
Amendment 1804 #
Proposal for a regulation
Article 26 – paragraph 2 – point h
(h) make available to the controller and the supervisory authority on request all information necessary to control compliance with the obligations laid down in this Article.
2013/03/06
Committee: LIBE
Amendment 1807 #
Proposal for a regulation
Article 26 – paragraph 3
3. The controller and the processor shall document in writing the controller's instructions and the processor's obligations referred to in paragraph 2. In this case the requirements of Chapter II are complied for the processor if the controller complies the requirements.
2013/03/06
Committee: LIBE
Amendment 1821 #
Proposal for a regulation
Article 26 – paragraph 5
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the responsibilities, duties and tasks in relation to a processor in line with paragraph 1, and conditions which allow facilitating the processing of personal data within a group of undertakings, in particular for the purposes of control and reporting.
2013/03/06
Committee: LIBE
Amendment 2116 #
Proposal for a regulation
Article 34 – paragraph 3
3. Where the competent supervisory authority is of the opinion that the intended processing does not comply with this Regulation, in particular where risks are insufficiently identified or mitigated, it shall prohibit the intended processing and make appropriate proposals to remedy such incompliance.
2013/03/06
Committee: LIBE
Amendment 2135 #
Proposal for a regulation
Article 34 – paragraph 8
8. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for determining the high degree of specific risk referred to in point (a) of paragraph 2.
2013/03/06
Committee: LIBE
Amendment 2142 #
Proposal for a regulation
Article 35 – title
Designation of the data protection organisation or data protection officer
2013/03/06
Committee: LIBE
Amendment 2148 #
Proposal for a regulation
Article 35 – paragraph 1 – introductory part
1. The controller and the processor shall designate a data protection organisation or data protection officer in any case where:
2013/03/06
Committee: LIBE
Amendment 2179 #
Proposal for a regulation
Article 35 – paragraph 1 – point c
(c) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects. Core activities should be defined as activities where 50% of the annual turnover resulting from the sale of data or revenue is gained from the use of this data. In relation to data protection, dataprocessing activities which do not represent more than 50% of companies’ turnover shall be considered ancillary.
2013/03/06
Committee: LIBE
Amendment 2188 #
Proposal for a regulation
Article 35 – paragraph 2
2. In the case referred to in point (b) of paragraph 1, a group of undertakings may appoint a single data protection organisation or data protection officer.
2013/03/06
Committee: LIBE
Amendment 2193 #
Proposal for a regulation
Article 35 – paragraph 2
2. In the case referred to in point (b) of paragraph 1, a group of undertakings may appoint a single data protection officer. A corporate group may also appoint a single data protection officer for one or more processing operations by several organisations within it.
2013/03/06
Committee: LIBE
Amendment 2196 #
Proposal for a regulation
Article 35 – paragraph 2 a (new)
2a. In the case referred to in paragraph 1(b) Articles 33 and 34 do not apply.
2013/03/06
Committee: LIBE
Amendment 2197 #
Proposal for a regulation
Article 35 – paragraph 3
3. Where the controller or the processor is a public authority or body, the data protection organisation or data protection officer may be designated for several of its entities, taking account of the organisational structure of the public authority or body.
2013/03/06
Committee: LIBE
Amendment 2205 #
Proposal for a regulation
Article 35 – paragraph 4
4. In cases other than those referred to in paragraph 1, the controller or processor or associations and other bodies representing categories of controllers or processors may designate a data protection organisation or a data protection officer.
2013/03/06
Committee: LIBE
Amendment 2208 #
Proposal for a regulation
Article 35 – paragraph 4 a(new)
4a. Where the controller belongs to a professional body or a body of controllers from the same sector, he may appoint a data protection officer duly mandated by the body concerned.
2013/03/06
Committee: LIBE
Amendment 2210 #
Proposal for a regulation
Article 35 – paragraph 5
5. The controller or processor shall designate the data protection organisation or data protection officer on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and ability to fulfil the tasks referred to in Article 37. The necessary level of expert knowledge shall be determined in particular according to the data processing carried out and the protection required for the personal data processed by the controller or the processor.
2013/03/06
Committee: LIBE
Amendment 2216 #
Proposal for a regulation
Article 35 – paragraph 6
6. The controller or the processor shall ensure that any other professional duties of the data protection organisation or the data protection officer are compatible with the person's tasks and duties as data protection officer and do not result in a conflict of interests.
2013/03/06
Committee: LIBE
Amendment 2219 #
Proposal for a regulation
Article 35 – paragraph 6 a (new)
6a. The data protection officer can either be an employee of the controller or processor or he/she can likewise be an external service provider.
2013/03/06
Committee: LIBE
Amendment 2221 #
Proposal for a regulation
Article 35 – paragraph 7
7. The controller or the processor shall designate a data protection officer for a period of at least two years. The data protection officer may be reappointed for further terms. During their term of office, the data protection officer may only be dismissed, if the data protection officer no longer fulfils the conditions required for the performance of their duties.deleted
2013/03/06
Committee: LIBE
Amendment 2229 #
Proposal for a regulation
Article 35 – paragraph 7
7. The controller or the processor shall designate a data protection officer for a period of at least two years at a suitable hierarchical level. The data protection officer may be reappointed for further terms. During their term of office, the data protection officer may only be dismissed, if the data protection officer no longer fulfils the conditions required for the performance of their duties.
2013/03/06
Committee: LIBE
Amendment 2234 #
Proposal for a regulation
Article 35 – paragraph 8
8. The data protection officer may be employed by the controller or processor, or fulfil his or her tasks on the basis of a service contract.deleted
2013/03/06
Committee: LIBE
Amendment 2240 #
Proposal for a regulation
Article 35 – paragraph 9
9. The controller or the processor shall communicate the name and contact details of the data protection organisation or the data protection officer to the supervisory authority and to the public.
2013/03/06
Committee: LIBE
Amendment 2242 #
Proposal for a regulation
Article 35 – paragraph 10
10. Data subjects shall have the right to contact the data protection organisation or the data protection officer on all issues related to the processing of the data subject's data and to request exercising the rights under this Regulation.
2013/03/06
Committee: LIBE
Amendment 2248 #
Proposal for a regulation
Article 35 – paragraph 11
11. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the core activities of the controller or the processor referred to in point (c) of paragraph 1 and the criteria for the professional qualities of the data protection officer referred to in paragraph 5.
2013/03/06
Committee: LIBE
Amendment 2253 #
Proposal for a regulation
Article 36 – title
Position of the data protection organisation or the data protection officer
2013/03/06
Committee: LIBE
Amendment 2254 #
Proposal for a regulation
Article 36 – paragraph 1
1. The controller or the processor shall ensure that the data protection organisation or the data protection officer is properly and in a timely manner involved in all issues which relate to the protection of personal data.
2013/03/06
Committee: LIBE
Amendment 2260 #
Proposal for a regulation
Article 36 – paragraph 2
2. The controller or processor shall ensure that the data protection officer performs the duties and tasks independently and does not receive any instructions as regards the exerciserganisation ofr the function. The data protection officer shall directly report to the management of the controller or the processorperforms the duties and tasks independently.
2013/03/06
Committee: LIBE
Amendment 2272 #
Proposal for a regulation
Article 36 – paragraph 3
3. The controller or the processor shall support the data protection organisation or the data protection officer in performing the tasks and shall provide staff, premises, equipment and any other resources necessary to carry out the duties and tasks referred to in Article 37.
2013/03/06
Committee: LIBE
Amendment 2281 #
Proposal for a regulation
Article 36 – paragraph 3 a (new)
3a. The controller or the processor shall designate a data protection organisation or a data protection officer for an initial period of at least two years in case of a data protection organisation and for an initial period of at least four years in case of a data protection officer, as long as he/she is not an external service provider. In the least case the period for data protection organisations shall apply. The data protection organisations or data protection officers may be reappointed for further terms. During their term of office, the data protection officer may only be dismissed, if the data protection officer no longer fulfils the conditions required for the performance of their duties. These provisions do not apply in case of the voluntary engagement of a data protection organisation or a data protection officer as laid out in Article 38a of this Regulation.
2013/03/06
Committee: LIBE
Amendment 2284 #
Proposal for a regulation
Article 36 – paragraph 3 b (new)
3b. The data protection organisation or the data protection officer may be employed by the controller or processor, or fulfil his or her tasks on the basis of a service contract. The designation as a data protection organisation or a data protection officer does not necessarily require fulltime occupation of the respective organisation or employee.
2013/03/06
Committee: LIBE
Amendment 2287 #
Proposal for a regulation
Article 37 – title
Tasks of the data protection organisation or the data protection officer
2013/03/06
Committee: LIBE
Amendment 2288 #
Proposal for a regulation
Article 37 – paragraph 1 – introductory part
1. The controller or the processor shall entrust the data protection organisation or the data protection officer at least with the following tasks:
2013/03/06
Committee: LIBE
Amendment 2293 #
Proposal for a regulation
Article 37 – paragraph 1 – point a
(a) to raise awareness, to inform and advise the controller or the processor of their obligations pursuant to this Regulation and to document this activity and the responses received;
2013/03/06
Committee: LIBE
Amendment 2299 #
Proposal for a regulation
Article 37 – paragraph 1 – point c
(c) to monitor the implementation and application of this Regulation, in particular as to the requirements related to data protection by design, data protection by default and data security and to the information of data subjects and their requests in exercising their rights under thisincompliance with the Regulation;
2013/03/06
Committee: LIBE
Amendment 2308 #
Proposal for a regulation
Article 37 – paragraph 1 – point e
(e) to develop processes to monitor the, documentation, notificationy and communication ofe personal data breaches pursuant to Articles 31 and 32;
2013/03/06
Committee: LIBE
Amendment 2313 #
Proposal for a regulation
Article 37 – paragraph 1 – point f
(f) to develop processes that monitor the performance of the data protection impact assessment by the controller or processor and the application for prior authorisation or prior consultation, if required pursuant Articles 33 and 34;
2013/03/06
Committee: LIBE
Amendment 2317 #
Proposal for a regulation
Article 37 – paragraph 1 – point g
(g) to monitor the response to requests from the supervisory authority, and, within the sphere of the competence of the data protection organisation or the data protection officer's competencer, co-operating with the supervisory authority at the latter's request or on the own initiative of the data protection organisation or the data protection officer's own initiative;
2013/03/06
Committee: LIBE
Amendment 2324 #
Proposal for a regulation
Article 37 – paragraph 2
2. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for tasks, certification, status, powers and resources of the data protection officer referred to in paragraph 1.
2013/03/06
Committee: LIBE
Amendment 2330 #
Proposal for a regulation
Chapter 4 – section 5 – title
SELF-REGULATION, BINDING CORPORATE RULES, CODES OF CONDUCT AND CERTIFICATION
2013/03/06
Committee: LIBE
Amendment 2331 #
Proposal for a regulation
Article 38
1. The Member States, the supervisory authorities and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking account of the specific features of the various data processing sectors, in particular in relation to: (a) fair and transparent data processing; (b) the collection of data; (c) the information of the public and of data subjects; (d) requests of data subjects in exercise of their rights; (e) information and protection of children; (f) transfer of data to third countries or international organisations; (g) mechanisms for monitoring and ensuring compliance with the code by the controllers adherent to it; (h) out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects with respect to the processing of personal data, without prejudice to the rights of the data subjects pursuant to Articles 73 and 75. 2. Associations and other bodies representing categories of controllers or processors in one Member State which intend to draw up codes of conduct or to amend or extend existing codes of conduct may submit them to an opinion of the supervisory authority in that Member State. The supervisory authority may give an opinion whether the draft code of conduct or the amendment is in compliance with this Regulation. The supervisory authority shall seek the views of data subjects or their representatives on these drafts. 3. Associations and other bodies representing categories of controllers in several Member States may submit draft codes of conduct and amendments or extensions to existing codes of conduct to the Commission. 4. The Commission may adopt implementing acts for deciding that the codes of conduct and amendments or extensions to existing codes of conduct submitted to it pursuant to paragraph 3 have general validity within the Union. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2). 5. The Commission shall ensure appropriate publicity for the codes which have been decided as having general validity in accordance with paragraph 4.deleted
2013/03/06
Committee: LIBE
Amendment 2340 #
Proposal for a regulation
Article 38 – paragraph 4
4. The Commission may adopt implementing acts for deciding that the codes of conduct and amendments or extensions to existing codes of conduct submitted to it pursuant to paragraph 3 have general validity within the Union. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2).deleted
2013/03/06
Committee: LIBE
Amendment 2348 #
Proposal for a regulation
Article 38 a (new)
Article 38a Promoting Self-Regulation 1. The Member States, the national and European supervisory authorities and the Commission shall encourage self- regulation instruments like binding corporate rules, code of conducts and certification or - in cases of companies which do not fall under the provision of Article 35 - the feature of the voluntarily designation of a data protection organisation or a data protection officer. 2. Single undertakings, multicorporate enterprises, industries, professional associations and other associations of every kind which represent specific groups of controllers or processors may submit drafts of the self-regulation instruments in paragraph 1. If the self- regulation instrument should only apply in a Member State the national supervisory authority in that Member State can be asked to confirm the compliance with this regulation. If the self-regulation instrument should apply in all Member States of the EU the European Data Protection Board can be asked to confirm the compliance with this Regulation. The national supervisory authority or the European Data Protection Board shall examine the compatibility of the submitted drafts with the applicable law on this data protection Regulation. If there is no reaction in a 3- month-period the self-regulation instrument is classified as in compliance with this Regulation. 3. If the self-regulation instrument provides an adequate proceeding in data protection issues of this Regulation, Article 14 (Information to the data subject), Article 28 (documentation), Article 33 (data protection impact assessment) and Article 34 (prior authorisation and prior consultation) shall not apply.
2013/03/06
Committee: LIBE
Amendment 2349 #
Proposal for a regulation
Article 38 b (new)
Article 38b Binding corporate rules 1. The competent supervisory authority shall authorize through a single act of approval binding corporate rules for a group of undertakings. These rules will allow multiple intercompany international transfers in and out of Europe, provided that they: (a) are legally binding and apply to and are enforced by every member within the controller's or processor's group of undertakings, and include their employees; (b) expressly confer enforceable rights on data subjects; (c) fulfil the requirements laid down in paragraph 2. 2. The binding corporate rules shall at least specify: (a) the structure and contact details of the group of undertakings and its members; (b) the data transfers or set of transfers, including the categories of personal data, the type of processing and its purposes, the type of data subjects affected and the identification of the third country or countries in question; (c) their legally binding nature, both internally and externally; (d) the general data protection principles, in particular purpose limitation, data quality, legal basis for the processing, processing of sensitive personal data; measures to ensure data security; and the requirements for onward transfers to organisations which are not bound by the policies; (e) the rights of data subjects and the means to exercise these rights, including the right not to be subject to a measure based on profiling in accordance with Article 20, the right to lodge a complaint before the competent supervisory authority and before the competent courts of the Member States in accordance with Article 75, and to obtain redress and, where appropriate, compensation for a breach of the binding corporate rules; (f) the acceptance by the controller or processor established on the territory of a Member State of liability for any breaches of the binding corporate rules by any member of the group of undertakings not established in the Union; the controller or the processor may only be exempted from this liability, in whole or in part, if he proves that that member is not responsible for the event giving rise to the damage; (g) how the information on the binding corporate rules, in particular on the provisions referred to in points (d), (e) and (f) of this paragraph is provided to the data subjects in accordance with Article 11; (h) the tasks of the data protection officer designated in accordance with Article 35, including monitoring within the group of undertakings the compliance with the binding corporate rules, as well as monitoring the training and complaint handling; (i) the mechanisms within the group of undertakings aiming at ensuring the verification of compliance with the binding corporate rules; (j) the mechanisms for reporting and recording changes to the policies and reporting these changes to the supervisory authority; (k) the co-operation mechanism with the supervisory authority to ensure compliance by any member of the group of undertakings, in particular by making available to the supervisory authority the results of the verifications of the measures referred to in point (i) of this paragraph. 3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for binding corporate rules within the meaning of this Article, in particular as regards the criteria for their approval, the application of points (b), (d), (e) and (f) of paragraph 2 to binding corporate rules adhered to by processors and on further necessary requirements to ensure the protection of personal data of the data subjects concerned. 4. The Commission may specify the format and procedures for the exchange of information by electronic means between controllers, processors and supervisory authorities for binding corporate rules within the meaning of this Article. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2).
2013/03/06
Committee: LIBE
Amendment 2350 #
Proposal for a regulation
Article 38 c (new)
Article 38c Codes of conduct 1. The Member States, the supervisory authorities and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking account of the specific features of the various data processing sectors, in particular in relation to: (a) fair and transparent data processing; (b) the collection of data; (c) the information of the public and of data subjects; (d) requests of data subjects in exercise of their rights; (e) information and protection of children; (f) transfer of data to third countries or international organisations; (g) mechanisms for monitoring and ensuring compliance with the code by the controllers adherent to it; (h) out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects with respect to the processing of personal data, without prejudice to the rights of the data subjects pursuant to Articles 73 and 75. 2. Associations and other bodies representing categories of controllers or processors in one Member State which intend to draw up codes of conduct or to amend or extend existing codes of conduct may submit them to an opinion of the supervisory authority in that Member State. The supervisory authority may give an opinion whether the draft code of conduct or the amendment is in compliance with this Regulation. The supervisory authority shall seek the views of data subjects or their representatives on these drafts. 3. Associations and other bodies representing categories of controllers in several Member States may submit draft codes of conduct and amendments or extensions to existing codes of conduct to the Commission. 4. The Commission may adopt implementing acts for deciding that the codes of conduct and amendments or extensions to existing codes of conduct submitted to it pursuant to paragraph 3 have general validity within the Union. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2). 5. The Commission shall ensure appropriate publicity for the codes which have been decided as having general validity in accordance with paragraph 4.
2013/03/06
Committee: LIBE
Amendment 2352 #
Proposal for a regulation
Article 39 – paragraph 1
1. The Member States and the Commission shall encourage, in particular at European level, the establishment of data protection certification mechanisms and of data protection seals and marks, allowing data subjects to quickly assess the level of data protection provided by controllers and processors. The data protection certifications mechanisms shall contribute to the proper application of this Regulation, taking account of the specific features of the various sectors and different processing operations. The responsibility for a corresponding certification act should be transferred to independent and qualified auditors. Such an auditor shall be: (a) accredited by a national supervisory authority; and (b) be responsible for the rewarding process of a corresponding privacy certificate; and (c) liable for consequences resulting in the inadequate reward of the data protection certificate.
2013/03/06
Committee: LIBE
Amendment 2367 #
Proposal for a regulation
Article 39 – paragraph 2
2. The Commission shall be empowered after consultation of the stakeholders (European Data Protection Board, national data protection authorities, industry and non-governmental organisations) to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the data protection certification mechanisms referred to in paragraph 1, including conditions for granting and withdrawal, and requirements for recognition within the Union and in third countries. The Commission shall also be empowered after consultation of the stakeholders (European Data Protection Board, national data protection authorities, industry and non-governmental organisations) to adopt delegated acts in accordance with Article 86 for the purpose of further defining the accreditation requirements for auditors.
2013/03/06
Committee: LIBE
Amendment 2382 #
Proposal for a regulation
Chapter 5 – title
TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES, GROUP OF UNDERTAKINGS OR INTERNATIONAL ORGANISATIONS
2013/03/06
Committee: LIBE
Amendment 2383 #
Proposal for a regulation
Article 40 – paragraph 1
Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country, internal of a group of undertakings or to an international organisation may only take place if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country, in a group of undertakings or an international organisation to another third country or to another international organisation.
2013/03/06
Committee: LIBE
Amendment 2389 #
Proposal for a regulation
Article 41 – paragraph 1
1. A transfer may take place where international agreements or arrangements between the EU or a Member State with a third country are in force or the Commission has decided that the third country, or a territory or a processing sector within that third country, or the international organisation in question ensures an adequate level of protection. Such transfer shall not require any further authorisation.
2013/03/06
Committee: LIBE
Amendment 2407 #
Proposal for a regulation
Article 41 – paragraph 6 a (new)
6a. The adequacy decision by the Commission pursuant to this Article may be reconsidered when the level of protection in the third country are not longer exist.
2013/03/06
Committee: LIBE
Amendment 2414 #
Proposal for a regulation
Article 41 – paragraph 8 a (new)
8a. International agreements or arrangements between the EU or a Member state with a third country are considered as adequate in the sense of this article.
2013/03/06
Committee: LIBE
Amendment 2416 #
Proposal for a regulation
Article 42 – paragraph 1
1. Where the Commission has taken no decision pursuant to Article 41, a controller or processor may transfer personal data to a third country, to a branch abroad of a group of undertakings or an international organisation only if the controller or processor has adduced appropriate safeguards with respect to the protection of personal data in a legally binding instrument.
2013/03/06
Committee: LIBE
Amendment 2421 #
Proposal for a regulation
Article 42 – paragraph 2 – point a
(a) binding corporate rules in accordance with Article 438b; or
2013/03/06
Committee: LIBE
Amendment 2426 #
Proposal for a regulation
Article 42 – paragraph 2 – point b
(b) standard data protection clauses, between the controller or processor and the recipient, that can be a sub-processor, of the data outside the EEA, which may include standard terms for onward transfers outside the EEA, adopted by the Commission. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2); or
2013/03/06
Committee: LIBE
Amendment 2429 #
Proposal for a regulation
Article 42 – paragraph 2 – point c
(c) standard data protection clauses, between the controller or processor and the recipient, that can be a sub-processor, of the data outside the Union, which may include standard terms for onward transfers outside the Union, adopted by a supervisory authority in accordance with the consistency mechanism referred to in Article 57 when declared generally valid by the Commission pursuant to point (b) of Article 62(1); or
2013/03/06
Committee: LIBE
Amendment 2434 #
Proposal for a regulation
Article 42 – paragraph 2 – point d a (new)
(da) contractual clauses between the controller or processor and the recipient of the data that supplement standard data protection clauses as referred to in points (b) and (c) of paragraph 2 of this Article, and are authorised by the competent supervisory authority in accordance with paragraph 4;
2013/03/06
Committee: LIBE
Amendment 2439 #
Proposal for a regulation
Article 42 – paragraph 2 – point d b (new)
(db) for historical, statistical or scientific purposes, the measures referred to in Article 83(4);
2013/03/06
Committee: LIBE
Amendment 2446 #
Proposal for a regulation
Article 42 – paragraph 3
3. A transfer based on standard data protection clauses or binding corporate rules as referred to in points (a), (b), (c), (d), (da) or (cdb) of paragraph 2 shall not require any further authorisation.
2013/03/06
Committee: LIBE
Amendment 2451 #
Proposal for a regulation
Article 42 – paragraph 4
4. Where a transfer is based on contractual clauses as referred to in point (d) or (da) of paragraph 2 of this Article the controller or processor shall obtain prior authorisation of the contractual clauses according to point (a) of Article 34(1) from the competent supervisory authority. If the transfer is related to processing activities which concern data subjects in another Member State or other Member States, or substantially affect the free movement of personal data within the Union, the competent supervisory authority shall apply the consistency mechanism referred to in Article 57.
2013/03/06
Committee: LIBE
Amendment 2454 #
Proposal for a regulation
Article 42 – paragraph 4 a (new)
4a. A controller or processor may choose to base transfers on standard data protection clauses as referred to the relevant provisions in paragraph 2 of this Article, and to offer in addition to these standard clauses supplemental, legally binding commitments that apply to transferred data. In such cases, these additional commitments shall be subject to prior consultation with the competent supervisory authority and shall supplement and not contradict, directly or indirectly, the standard clauses. Member States, supervisory authorities and the Commission shall encourage the use of supplemental and legally binding commitments by offering a data protection seal, mark or mechanism, adopted pursuant to Article 39, to controllers and processors who adopt these heightened safeguards.
2013/03/06
Committee: LIBE
Amendment 2455 #
Proposal for a regulation
Article 42 – paragraph 4 b (new)
4b. To encourage the use of supplemental contractual clauses as referred to the relevant provisions of paragraph 2 of this Article, competent authorities may offer a data protection seal, mark or mechanism, adopted pursuant to Article 39, to controllers and processors who adopt these safeguards.
2013/03/06
Committee: LIBE
Amendment 2465 #
Proposal for a regulation
Article 43
Transfers by way of binding corporate 1. A supervisory authority shall in accordance with the consistency mechanism set out in Article 58 approve binding corporate rules, provided that they: (a) are legally binding and apply to and are enforced by every member within the controller’s or processor's group of undertakings, and include their employees (b) expressly confer enforceable rights on data subjects; (c) fulfil the requirements laid down in paragraph 2. 2. The binding corporate rules shall at least specify: (a) the structure and contact details of the group of undertakings and its members; (b) the data transfers or set of transfers, including the categories of personal data, the type of processing and its purposes, the type of data subjects affected and the identification of the third country or countries in question; (c) their legally binding nature, both internally and externally; (d) the general data protection principles, in particular purpose limitation, data quality, legal basis for the processing, processing of sensitive personal data; measures to ensure data security; and the requirements for onward transfers to organisations which are not bound by the policies; (e) the rights of data subjects and the means to exercise these rights, including the right not to be subject to a measure based on profiling in accordance with Article 20, the right to lodge a complaint before the competent supervisory authority and before the competent courts of the Member States in accordance with Article 75, and to obtain redress and, where appropriate, compensation for a breach of the binding corporate rules; (f) the acceptance by the controller or processor established on the territory of a Member State of liability for any breaches of the binding corporate rules by any member of the group of undertakings not established in the Union; the controller or the processor may only be exempted from this liability, in whole or in part, if he proves that that member is not responsible for the event giving rise to the damage; (g) how the information on the binding corporate rules, in particular on the provisions referred to in points (d), (e) and (f) of this paragraph is provided to the data subjects in accordance with Article 11; (h) the tasks of the data protection officer designated in accordance with Article 35, including monitoring within the group of undertakings the compliance with the binding corporate rules, as well as monitoring the training and complaint handling; (i) the mechanisms within the group of undertakings aiming at ensuring the verification of compliance with the binding corporate rules; (j) the mechanisms for reporting and recording changes to the policies and reporting these changes to the supervisory authority; (k) the co-operation mechanism with the supervisory authority to ensure compliance by any member of the group of undertakings, in particular by making available to the supervisory authority the results of the verifications of the measures referred to in point (i) of this paragraph. 3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for binding corporate rules within the meaning of this Article, in particular as regards the criteria for their approval, the application of points (b), (d), (e) and (f) of paragraph 2 to binding corporate rules adhered to by processors and on further necessary requirements to ensure the protection of personal data of the data subjects concerned. 4. The Commission may specify the format and procedures for the exchange of information by electronic means between controllers, processors and supervisory authorities for binding corporate rules within the meaning of this Article. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2).deleted rules
2013/03/06
Committee: LIBE
Amendment 2467 #
Proposal for a regulation
Article 43 – paragraph 1 – introductory part
1. AThe competent supervisory authority shall in accordance with the consistency mechanism set out in Arauthorize through a single act of approval binding corporate rules for a group of undertakings. These rules will allow multicple 58 approve binding corporate rulesintracompany international transfers in and out of Europe, provided that they:
2013/03/06
Committee: LIBE
Amendment 2472 #
Proposal for a regulation
Article 43 – paragraph 1 – point a
(a) are legally binding and apply to and are enforced by every member within the controller's or processor's group of undertakings and their external subcontractors, and include their employees;
2013/03/06
Committee: LIBE
Amendment 2478 #
Proposal for a regulation
Article 43 – paragraph 2 – point a
(a) the structure and contact details of the group of undertakings and its members, and their external subcontractors;
2013/03/06
Committee: LIBE
Amendment 2480 #
Proposal for a regulation
Article 43 – paragraph 2 – point b
(b) the data transfers or set of transfers, including the categories of personal data, the type of processing and its purposes, the type of data subjects affected and where appropriate the identification of the third country or countries in question;
2013/03/06
Committee: LIBE
Amendment 2490 #
Proposal for a regulation
Article 43 a (new)
Article 43a Transfers by way of binding corporate rules The provisions of Article 38b shall apply accordingly.
2013/03/06
Committee: LIBE
Amendment 2492 #
Proposal for a regulation
Article 44 – title
DerogationOther legitimate grounds for international transfers
2013/03/06
Committee: LIBE
Amendment 2495 #
Proposal for a regulation
Article 44 – paragraph 1 – introductory part
1. In the absence of an adequacy decision pursuant to Article 41; or where the Commission decides that a third country, or a territory or a processing sector within that third country, or an international organisation does not ensure an adequate level of protection in accordance with Article 41(5); or in the absence of appropriate safeguards pursuant to Article 42, a transfer or a set of transfers of personal data to a third country or an international organisation may take place only on condition that:
2013/03/06
Committee: LIBE
Amendment 2504 #
Proposal for a regulation
Article 44 – paragraph 1 – point h
(h) the transfer is necessary for the purposes of the legitimate interests pursued by the controller or the processor, which cannot be qualified as frequent or massive, and where the controller or processor has assessed all the circumstances surrounding the data transfer operation or the set of data transfer operations and based on this assessment adduced appropriate safeguards with respect to the protection of personal data, where necessary.
2013/03/06
Committee: LIBE
Amendment 2507 #
Proposal for a regulation
Article 44 – paragraph 1 – point h a (new)
(ha) the transfer is necessary for the purposes of the legitimate interests of the data subject especially when required or necessary for the entry of the third country.
2013/03/06
Committee: LIBE
Amendment 2519 #
Proposal for a regulation
Article 44 – paragraph 5
5. The public interest referred to in point (d) of paragraph 1 must be recognised in Union law or in the law of the Member State to which the controller is subject, or in applicable international agreements or arrangements.
2013/03/06
Committee: LIBE
Amendment 2526 #
Proposal for a regulation
Article 44 – paragraph 7
7. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying ‘important grounds of public interest’ within the meaning of point (d) of paragraph 1 as well as the criteria and requirements for appropriate safeguards referred to in point (h) of paragraph 1.
2013/03/06
Committee: LIBE
Amendment 2543 #
Proposal for a regulation
Article 46 – paragraph 1
1. Each Member State shall provide that one or more publica lead public supervisory authorities arey responsible for monitoring the application of this Regulation and for contributing to its consistent application throughout the Union, in order to protect the fundamental rights and freedoms of natural persons in relation to the processing of their personal data and to facilitate the free flow of personal data within the Union. For these purposes, the supervisory authorities shall co-operate with each other and the Commission.
2013/03/06
Committee: LIBE
Amendment 2547 #
Proposal for a regulation
Article 47 – paragraph 1
1. The supervisory authority shall act with complete independence in exercising the duties and powers entrusted to it, notwithstanding co-operative and consistency arrangements related to Chapter VII of this Regulation and within the legal and administrative limits of the own Member State.
2013/03/06
Committee: LIBE
Amendment 2573 #
Proposal for a regulation
Article 49 a (new)
Article 49a Professional supervision of persons subject to an obligation of professional secrecy Insofar as, when this regulation enters into force, entities exist which are responsible for the professional supervision of persons subject to an obligation of professional secrecy, these may establish the supervisory authority.
2013/03/06
Committee: LIBE
Amendment 2578 #
Proposal for a regulation
Article 51 – paragraph 1
1. Each supervisory authority shall exercise, on the territory of its own Member State, the powers conferred on it in accordance with this Regulation. Data processing by a public authority are supervised only by the supervisory authority of that Member State.
2013/03/06
Committee: LIBE
Amendment 2583 #
Proposal for a regulation
Article 51 – paragraph 2
2. Where the processing of personal data takes place in the context of the activities of an establishment of a controller Regulation applies by virtue of Article 3(1), the competent supervisory a processor in the Union, and the controller or processor is established in more than one Member State, the supervisory authority of the main establishment of the controller or processor shall be competent for the supervision of the processing activities of the controller or the processor in all Member States,uthority will be the supervisory authority of the Member State or territory where the main establishment of the controller or processor subject to the Regulation is established. Disputes should be decided upon in accordance with the consistency mechanism set out in article 58, and this without prejudice to the other provisions of Chapter VII of this Regulation. This provision also apply for legal entities of a group of undertakings, where these undertakings are located in more than one Member State.
2013/03/06
Committee: LIBE
Amendment 2590 #
Proposal for a regulation
Article 51 – paragraph 2 a (new)
2a. Where the Regulation applies by virtue of Article 3(2), the competent supervisory authority will be the supervisory authority of the Member State or territory where the controller has designated a representative in the Union pursuant to Article 25.
2013/03/06
Committee: LIBE
Amendment 2592 #
Proposal for a regulation
Article 51 – paragraph 2 b (new)
2b. Where the Regulation applies to several controllers and/ or processors with the same group of undertakings by virtue of Article 3(1) and (2), only one supervisory authority will be competent and it will be determined in accordance with Article 51(2).
2013/03/06
Committee: LIBE
Amendment 2596 #
Proposal for a regulation
Article 51 – paragraph 3
3. The supervisory authority shall not be competent to supervise processing operations of courts acting in their judicial capacity and not competent to supervise processing operations of controllers bound by obligations of professional secrecy.
2013/03/06
Committee: LIBE
Amendment 2601 #
Proposal for a regulation
Article 52 – paragraph 1 – point b
(b) hear complaints lodged by any data subject, or by an association representing that data subject in accordance with Article 73, investigate, to the extent appropriate, the matter and inform the data subject or the association of the progress and the outcome of the complaint within a reasonable period, in particular if further investigation or coordination with another supervisory authority is necessary;
2013/03/06
Committee: LIBE
Amendment 2612 #
Proposal for a regulation
Article 52 – paragraph 2 a (new)
2a. Each supervisory authority shall together with the European Data Protection Board promote the awareness for controllers and processors on risks, rules, safeguards and rights in relation to the processing of personal data. This includes a register of sanctions and breaches. The register should enrol both all warnings and sanctions as detailed as possible and the resolving of breaches.
2013/03/06
Committee: LIBE
Amendment 2615 #
Proposal for a regulation
Article 52 – paragraph 3
3. The competent supervisory authority shall, upon request, advise any data subject in exercising the rights under this Regulation and, if appropriate, co-operate with the supervisory authorities in other Member States to this end.
2013/03/06
Committee: LIBE
Amendment 2619 #
Proposal for a regulation
Article 53 – paragraph 1 – introductory part
1. EachPursuant to Article 51 the competent supervisory authority shall have the power:
2013/03/06
Committee: LIBE
Amendment 2621 #
Proposal for a regulation
Article 53 – paragraph 1 – point d
(d) to ensure the compliance with prior authorisations and prior consultations referred to in Article 34;
2013/03/06
Committee: LIBE
Amendment 2624 #
Proposal for a regulation
Article 53 – paragraph 1 – point j a (new)
(ja) to inform the controller and/or the processor of the judicial remedies available against its decision.
2013/03/06
Committee: LIBE
Amendment 2628 #
Proposal for a regulation
Article 53 – paragraph 2 – subparagraph 1 – introductory part
EachPursuant to Article 51 the competent supervisory authority shall have the investigative power to obtain from the controller or the processor:
2013/03/06
Committee: LIBE
Amendment 2634 #
Proposal for a regulation
Article 53 – paragraph 3
3. EachPursuant to Article 51 the competent supervisory authority shall have the power to bring violations of this Regulation to the attention of the judicial authorities and to engage in legal proceedings, in particular pursuant to Article 74(4) and Article 75(2).
2013/03/06
Committee: LIBE
Amendment 2636 #
Proposal for a regulation
Article 53 – paragraph 4
4. EachPursuant to Article 51 the competent supervisory authority shall have the power to sanction administrative offences, in particular those referred to in Article 79(4), (5) and (6).
2013/03/06
Committee: LIBE
Amendment 2641 #
Proposal for a regulation
Article 54 a (new)
Article 54a Lead authority and consistency 1. The following procedure shall be used where a data subject complains of a violation of his or her rights under this regulation in connection with the processing of personal data, or where the consistent application of this regulation needs to be ensured in accordance with Article 46: (a) Where a data subject is involved: the data subject’s relevant supervisory authority shall be the lead authority; (b) Where no data subject is involved: Where the processing of personal data takes place in the context of the activities of an establishment of a controller or a processor in the Union, and the controller or processor is established in more than one Member State, or where personal data relating to persons resident in several Member States are being processed, the supervisory authority of the Member State in which the controller or processor has its main establishment shall be the sole contact point for the controller or processor and shall be the lead authority. 2. The lead authority shall see to coordination with the other supervisory authorities involved at every stage of the supervisory procedure. To that end it shall pass on all relevant information and shall consult the other supervisory authorities involved before taking any measures with legal consequences. The lead authority shall give full consideration to the opinions of the supervisory authorities involved. The lead authority shall also involve the Commission at all stages of the supervisory procedure. If the supervisory authorities involved, headed by the lead authority, together with the Commission, have found a common solution within four weeks, this solution shall be adopted without the European Data Protection Board needing to consider the matter. The data subject, the controller or the processor shall have available to them all the legal remedies set out in this regulation and all other remedies of general application. If the supervisory authorities involved, headed by the lead authority together with the Commission, have not found a common solution within four weeks, the matter shall be submitted to the European Data Protection Board. To that end the lead authority shall take the necessary steps in accordance with this regulation. 3. If the European Data Protection Board, together with the Commission, has found a common solution within eight weeks, this solution shall be adopted. The data subject, the controller or the processor shall have available to them all the legal remedies set out in this regulation and all other remedies of general application. If the European Data Protection Board, together with the Commission, has not found a common solution within eight weeks, the Commission shall be empowered and required to propose within a further four weeks a solution in the framework of a delegated act, taking into consideration the opinion of the European Data Protection Board. If it does not do so, all those involved, including the legislator, shall have available to them all the legal remedies set out in this regulation and all other remedies of general application; this concerns in particular the data subject, the data controller and the processor. 4. If Parliament or the Council object to the substance of the delegated act using the procedure laid down for that purpose, the Commission shall launch a legislative initiative using the procedure laid down for that purpose. All those involved shall have available to them all the legal remedies set out in this regulation and all other remedies of general application; this concerns in particular the data subject, the data controller and the processor.
2013/03/06
Committee: LIBE
Amendment 2644 #
Proposal for a regulation
Article 55 – paragraph 1
1. Supervisory authorities shall provide each other relevant information and mutual assistance in order to implement and apply this Regulation in a consistent manner, and shall put in place measures for effective co- operation with one another. Mutual assistance shall cover, in particular, information requests and supervisory measures, such as requests to carry out prior authorisations and consultations, inspections and prompt information on the opening of cases and ensuing developments where data subjects in several Member States are likely to be affected by processing operations. The leading supervisory authority according to Article 51(2) ensures the coordination with the relevant authorities involved and acts as central contact point for the controller and processor.
2013/03/06
Committee: LIBE
Amendment 2647 #
Proposal for a regulation
Article 55 – paragraph 2
2. Each supervisory authority shall take all appropriate measures required to reply to the request of another supervisory authority without delay and no later than one month after having received the request. Such measures may include, in particular, the transmission of relevant information on the course of an investigation or enforcement measures to bring about the cessation or prohibition of processing operations contrary to this Regulation.
2013/03/06
Committee: LIBE
Amendment 2650 #
Proposal for a regulation
Article 55 – paragraph 4 a (new)
4a. In cases covered by Article 55(4), the admissibility of the measure to which the request for assistance relates shall be determined in accordance with the law of the requesting authority; the lawfulness of providing assistance shall be determined in accordance with the law of the requested authority;
2013/03/06
Committee: LIBE
Amendment 2651 #
Proposal for a regulation
Article 55 – paragraph 6
6. Supervisory authorities shall supply the information requested by other supervisory authorities by electronic means and within the shortest possible period of time, using a standardised format. Both the request and the electronic transfer of information shall be made using the Internal Market Information System.
2013/03/06
Committee: LIBE
Amendment 2652 #
Proposal for a regulation
Article 55 – paragraph 7
7. No fee shall be charged to the requesting supervisory authority for any action taken following a request for mutual assistance.
2013/03/06
Committee: LIBE
Amendment 2653 #
Proposal for a regulation
Article 55 – paragraph 8
8. Where a supervisory authority does not act within one month of the time limit referred to in paragraph 2 on request of another supervisory authority, the requesting supervisory authorities shall be competent to take a provisional measure on the territory of its Member State in accordance with Article 51(1) and shall submit the matter to the European Data Protection Board in accordance with the procedure referred to in Article 57. Where no definitive measure is yet possible because the assistance is not yet completed, the requesting supervisory authority may take interim measures under Article 53 in the territory of its Member State.
2013/03/06
Committee: LIBE
Amendment 2655 #
Proposal for a regulation
Article 55 – paragraph 10
10. The Commission may specify the format and procedures for mutual assistance referred to in this article and the arrangements for the exchange of information by electronic means between supervisory authorities, and between supervisory authorities and the European Data Protection Board, in particular the standardised format referred to in paragraph 6. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).deleted
2013/03/06
Committee: LIBE
Amendment 2660 #
Proposal for a regulation
Article 56 – paragraph 4
4. Supervisory authorities shall lay down the practical aspects of specific co- operation actions in their rules of procedure. The rules of procedures shall be made public in the Official Journal of the European Union.
2013/03/06
Committee: LIBE
Amendment 2664 #
Proposal for a regulation
Article 58 – paragraph 1
1. Before athe competent supervisory authority adopts a measure referred to in paragraph 2, this supervisory authority shall communicate the draft measure to the European Data Protection Board and the Commission.
2013/03/06
Committee: LIBE
Amendment 2666 #
Proposal for a regulation
Article 58 – paragraph 2 – point a
(a) relates to processing activities of personal data which are related to the offering of goods or services to data subjects in several Member States, or to when the mconitoring of their behaviour; ortroller or processor outside of the Union does not name a representative in the territory of the Union;
2013/03/06
Committee: LIBE
Amendment 2668 #
Proposal for a regulation
Article 58 – paragraph 2 – point f
(f) aims to approve binding corporate rules within the meaning of Article 438b.
2013/03/06
Committee: LIBE
Amendment 2669 #
Proposal for a regulation
Article 58 – paragraph 2 – point f a (new)
(fa) permits processing for research purposes in accordance with Article 81(3) and/or Article 83(3).
2013/03/06
Committee: LIBE
Amendment 2671 #
Proposal for a regulation
Article 58 – paragraph 3
3. Any supervisory authority or the European Data Protection Board may request that any matter shall be dealt with in the consistency mechanism, in particular where a supervisorythe competent authority does not submit a draft measure referred to in paragraph 2 or does not comply with the obligations for mutual assistance in accordance with Article 55 or for joint operations in accordance with Article 56.
2013/03/06
Committee: LIBE
Amendment 2674 #
Proposal for a regulation
Article 58 – paragraph 4
4. In order to ensure correct and consistent application of this Regulation, the Commission may, acting on its own behalf, and shall at the request of a stakeholder, request that any matter shall be dealt with in the consistency mechanism.
2013/03/06
Committee: LIBE
Amendment 2675 #
Proposal for a regulation
Article 58 – paragraph 6
6. The chair of the European Data Protection Board shall immediatwithout undue delay electronically inform the members of the European Data Protection Board and the Commission of any relevant information which has been communicated to it, using a standardised format. The chair of the European Data Protection Board shall provide translations of relevant information, where necessary.
2013/03/06
Committee: LIBE
Amendment 2681 #
Proposal for a regulation
Article 58 – paragraph 8
8. The competent supervisory authority referred to in paragraph 1 and the supervisory authority competent under Article 51 shall take account of the opinion of the European Data Protection Board and shall within two weeks after the information on the opinion by the chair of the European Data Protection Board, electronically communicate to the chair of the European Data Protection Board and to the Commission whether it maintains or amends its draft measure and, if any, the amended draft measure, using a standardised format.
2013/03/06
Committee: LIBE
Amendment 2713 #
Proposal for a regulation
Article 61 – paragraph 1
1. In exceptional circumstances, where a supervisory authority considers that there is an urgent need to act in order to protect the interests of data subjects, in particular when the danger exists that the enforcement of a right of a data subject could be considerably impeded by means of an alteration of the existing state or for averting major disadvantages or for other reasons, by way of derogation from the procedure referred to in Article 58, it may immediately adopt provisional measures with a specified period of validity. The supervisory authority shall, without delay, communicate those measures, with full reasons, to the European Data Protection Board and to, the Commission and the controller or processor concerned.
2013/03/06
Committee: LIBE
Amendment 2715 #
Proposal for a regulation
Article 61 – paragraph 2
2. Where a supervisory authority has taken a measure pursuant to paragraph 1 and considers that final measures need urgently be adopted, it may, it shall request an urgent opinion of the European Data Protection Board, giving reasons for the requesting such opinion, including for the urgency of final measures.
2013/03/06
Committee: LIBE
Amendment 2721 #
Proposal for a regulation
Article 62 – paragraph 1 – subparagraph 1 – point a
(a) deciding on the correct application of this Regulation in accordance with its objectives and requirements in relation to matters communicated by supervisory authorities pursuant to Article 58 or 61, concerning a matter in relation to which a reasoned decision has been adopted pursuant to Article 60(1), or concerning a matter in relation to which a supervisory authority does not submit a draft measure and that supervisory authority has indicated that it does not intend to follow the opinion of the Commission adopted pursuant to Article 59;deleted
2013/03/06
Committee: LIBE
Amendment 2737 #
Proposal for a regulation
Article 66 – paragraph 1 – introductory part
1. The European Data Protection Board shall ensure the consistent application of this Regulation. To this effect, the European Data Protection Board shall, on its own initiative or at the request of the Commission or other stakeholders, in particular:
2013/03/06
Committee: LIBE
Amendment 2741 #
Proposal for a regulation
Article 66 – paragraph 1 – point b
(b) examine, on its own initiative or on request of one of its members or on request of the Commission, the Commission or other stakeholders, any question covering the application of this Regulation and issue guidelines, recommendations and best practices addressed to the supervisory authorities in order to encourage consistent application of this Regulation;
2013/03/06
Committee: LIBE
Amendment 2757 #
Proposal for a regulation
Article 66 – paragraph 4 a (new)
4a. Where appropriate, the European Data Protection Board shall, in its execution of the tasks as outlined in Article 66, consult interested parties and give them the opportunity to comment within a reasonable period. The European Data Protection Board shall, without prejudice to Article 72, make the results of the consultation procedure publicly available.
2013/03/06
Committee: LIBE
Amendment 2763 #
Proposal for a regulation
Article 69 – paragraph 2
2. The term of office of the chair and of the deputy chairpersons shall be five years and be renewable. Their appointment may be revoked by a decision of the European Parliament adopted by a two-thirds majority of the votes cast, representing a majority of its component Members.
2013/03/06
Committee: LIBE
Amendment 2779 #
Proposal for a regulation
Article 73 – paragraph 2
2. Any body, organisation or association which aims to protect data subjects‘ rights and interests concerning the protection of their personal data and has been properly constituted according to the law of a Member State shall have the right to lodge a complaint with a supervisory authority in any Member State on behalf of one or more data subjects if it considers that a data subject's rights under this Regulation have been infringed as a result of the processing of personal data.deleted
2013/03/06
Committee: LIBE
Amendment 2789 #
Proposal for a regulation
Article 73 – paragraph 3
3. Independently of a data subject's complaint, any body, organisation or association referred to in paragraph 2 shall have the right to lodge a complaint with a supervisory authority in any Member State, if it considers that a personal data breach has occurred.deleted
2013/03/06
Committee: LIBE
Amendment 2796 #
Proposal for a regulation
Article 74 – paragraph 1
1. Each controller, processor or other natural or legal person shall have the right to a judicial remedy against decisions of a supervisory authority concerning them.
2013/03/06
Committee: LIBE
Amendment 2813 #
Proposal for a regulation
Article 76 – paragraph 1
1. Any body, organisation or association referred to in Article 73(2) shall have the right to exercise the rights referred to in Articles 74 and 75 on behalf of one or more data subjects.deleted
2013/03/06
Committee: LIBE
Amendment 2825 #
Proposal for a regulation
Article 77 – paragraph 1
1. Any person who has suffered damage as a result of an unlawful processing operation or of an action incompatible with this Regulation shall have the right to receive compensation from the controller or the processor for the damage suffered.
2013/03/06
Committee: LIBE
Amendment 2830 #
Proposal for a regulation
Article 77 – paragraph 2
2. Where more than one controller or processor is involved in the processing, each controller or processor shall be jointly and severally liable for the entire amount of the damage, notwithstanding the contractual agreement they might have concluded according to Article 24.
2013/03/06
Committee: LIBE
Amendment 2837 #
Proposal for a regulation
Article 77 – paragraph 3
3. The controller or the processor may be exempted from this liability, in whole or in part, if the controller or the processor proves that they are not responsible for the event giving rise to the damage.
2013/03/06
Committee: LIBE
Amendment 2861 #
Proposal for a regulation
Article 79 – paragraph 2
2. The administrative sanction shall be in each individual case effective, proportionate and dissuasive. The amount of the administrative fine shall be fixed with due regard to: (a) the nature, gravity and duration of the breach,; (b) the intentional or negligent character of the infringement,; (c) the particular categories of personal data; (d) the degree of responsibility of the natural or legal person and of previous breaches by this person,; (e) the degree of responsibility for data protection by technical and organisational measures and procedures especially pursuant to Articles 35, 38a, 38b, 38c, 39; (f) the technical and organisational measures and procedures implemented pursuant to Article 23; and (g) the degree of co-operation with the supervisory authority in order to remedy the breach.
2013/03/06
Committee: LIBE
Amendment 2874 #
Proposal for a regulation
Article 79 – paragraph 3 – introductory part
3. In case of a first and non-intentional non- compliance with this Regulation, a warning in writing may be given annd if there is no data subject affected the supervisory authority shall find an agreement with the controller or processor concerned nto sanction imposed, where: (a) a natural person is processing personal datresolve the non- compliance with this Regulation without a written warning or imposing a sanction. In case of a serious non-compliance with this Regulation, the supervisory authority should give at first a writhout a commercial interest; or (b) an enterprise or an organisation employing fewer than 250 persons is processing personal data only as an activity ancillary to its main activititen warning including supposed measures to resolve the data breaches within a reasonable time without imposing a sanction. The supervisory authority may only impose a fine with regard to paragraph 2 of up to EUR 1 000 000 or, in the case of a company, of up to 2 % of its annual worldwide turnover, for not resolving the data breaches with measures given in a written warning or for repeated, deliberate breaches.
2013/03/06
Committee: LIBE
Amendment 2876 #
Proposal for a regulation
Article 79 – paragraph 3 – introductory part
3. In case of a first and non-intentional non-compliance with this Regulation, a warning in writing may be given and no sanction imposed, where: (a) a natural person is processing personal data without a commercial interest; or (b) an enterprise or an organisation employing fewer than 250 persons is processing personal data only as an activity ancillary to its main activities.
2013/03/06
Committee: LIBE
Amendment 2886 #
Proposal for a regulation
Article 79 – paragraph 4
4. The supervisory authority shall impose a fine up to 250 000 EUR, or in case of an enterprise up to 0,5 % of its annual worldwide turnover, to anyone who, intentionally or negligently: (a) does not provide the mechanisms for requests by data subjects or does not respond promptly or not in the required format to data subjects pursuant to Articles 12(1) and (2); (b) charges a fee for the information or for responses to the requests of data subjects in violation of Article 12(4).deleted
2013/03/06
Committee: LIBE
Amendment 2897 #
Proposal for a regulation
Article 79 – paragraph 5
5. The supervisory authority shall impose a fine up to 500 000 EUR, or in case of an enterprise up to 1 % of its annual worldwide turnover, to anyone who, intentionally or negligently: (a) does not provide the information, or does provide incomplete information, or does not provide the information in a sufficiently transparent manner, to the data subject pursuant to Article 11, Article 12(3) and Article 14; (b) does not provide access for the data subject or does not rectify personal data pursuant to Articles 15 and 16 or does not communicate the relevant information to a recipient pursuant to Article 13; (c) does not comply with the right to be forgotten or to erasure, or fails to put mechanisms in place to ensure that the time limits are observed or does not take all necessary steps to inform third parties that a data subjects requests to erase any links to, or copy or replication of the personal data pursuant Article 17; (d) does not provide a copy of the personal data in electronic format or hinders the data subject to transmit the personal data to another application in violation of Article 18; (e) does not or not sufficiently determine the respective responsibilities with co- controllers pursuant to Article 24; (f) does not or not sufficiently maintain the documentation pursuant to Article 28, Article 31(4), and Article 44(3); (g) does not comply, in cases where special categories of data are not involved, pursuant to Articles 80, 82 and 83 with rules in relation to freedom of expression or with rules on the processing in the employment context or with the conditions for processing for historical, statistical and scientific research purposes.deleted
2013/03/06
Committee: LIBE
Amendment 2917 #
Proposal for a regulation
Article 79 – paragraph 6
6. The supervisory authority shall impose a fine up to 1 000 000 EUR or, in case of an enterprise up to 2 % of its annual worldwide turnover, to anyone who, intentionally or negligently: (a) processes personal data without any or sufficient legal basis for the processing or does not comply with the conditions for consent pursuant to Articles 6, 7 and 8; (b) processes special categories of data in violation of Articles 9 and 81; (c) does not comply with an objection or the requirement pursuant to Article 19; (d) does not comply with the conditions in relation to measures based on profiling pursuant to Article 20; (e) does not adopt internal policies or does not implement appropriate measures for ensuring and demonstrating compliance pursuant to Articles 22, 23 and 30; (f) does not designate a representative pursuant to Article 25; (g) processes or instructs the processing of personal data in violation of the obligations in relation to processing on behalf of a controller pursuant to Articles 26 and 27; (h) does not alert on or notify a personal data breach or does not timely or completely notify the data breach to the supervisory authority or to the data subject pursuant to Articles 31 and 32; (i) does not carry out a data protection impact assessment pursuant or processes personal data without prior authorisation or prior consultation of the supervisory authority pursuant to Articles 33 and 34; (j) does not designate a data protection officer or does not ensure the conditions for fulfilling the tasks pursuant to Articles 35, 36 and 37; (k) misuses a data protection seal or mark in the meaning of Article 39; (l) carries out or instructs a data transfer to a third country or an international organisation that is not allowed by an adequacy decision or by appropriate safeguards or by a derogation pursuant to Articles 40 to 44; (m) does not comply with an order or a temporary or definite ban on processing or the suspension of data flows by the supervisory authority pursuant to Article 53(1); (n) does not comply with the obligations to assist or respond or provide relevant information to, or access to premises by, the supervisory authority pursuant to Article 28(3), Article 29, Article 34(6) and Article 53(2); (o) does not comply with the rules for safeguarding professional secrecy pursuant to Article 84.deleted
2013/03/06
Committee: LIBE
Amendment 2942 #
Proposal for a regulation
Article 79 – paragraph 7
7. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of updating the amounts of the administrative fines referred to in paragraphs 4, 5 and 6, taking into account the criteria referred to in paragraph 2.
2013/03/06
Committee: LIBE
Amendment 2959 #
Proposal for a regulation
Article 80 – paragraph 1
1. Member States shall provide for exemptions or derogations from the provisions on the Chapter II (general principles in), Chapter II, I (the rights of the data subject in), Chapter III, onV (the controller and processor in), Chapter IV, on the V (transfer of personal data to third countries and international organisations in), Chapter V, the independent I (supervisory authorities in), Chapter VI and on I (co-operation and consistency in) and Articles 73, 74, 76 and 79 of Chapters VII forI (legal remedies, liability and penalties) and X shall not apply to the processing of personal data carried out solely for journalistic purposes or the purpose of artistic or literary expression in order to reconcile the right to the protection of personal data with the rules governing freedom of expression.
2013/03/08
Committee: LIBE
Amendment 2964 #
Proposal for a regulation
Article 80 – paragraph 2
2. Each Member State shall notify to the Commission those provisions of its law which it has adopted pursuant to paragraph 1 by the date specified in Article 91(2) at the latest and, without delay, any subsequent amendment law or amendment affecting them.deleted
2013/03/08
Committee: LIBE
Amendment 2978 #
Proposal for a regulation
Article 81 – paragraph 1 – point c
(c) other reasons of public interest in areas such as social protection, especially in order to ensure the quality and cost- effectiveness of the procedures used for settling claims for benefits and services in the health insurance system and the provision of health services.
2013/03/08
Committee: LIBE
Amendment 2990 #
Proposal for a regulation
Article 81 – paragraph 3
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying other reasons of public interest in the area of public health as referred to in point (b) of paragraph 1, as well as criteria and requirements for the safeguards for the processing of personal data for the purposes referred to in paragraph 1.
2013/03/08
Committee: LIBE
Amendment 3001 #
Proposal for a regulation
Article 82
Processing in the employment context 1. Within the limits of this Regulation, Member States may adopt by law specific rules regulating the processing of employees‘ personal data in the employment context, in particular for the purposes of the recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organisation of work, health and safety at work, and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship. 2. Each Member State shall notify to the Commission those provisions of its law which it adopts pursuant to paragraph 1, by the date specified in Article 91(2) at the latest and, without delay, any subsequent amendment affecting them. 3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the safeguards for the processing of personal data for the purposes referred to in paragraph 1.Article 82 deleted
2013/03/08
Committee: LIBE
Amendment 3050 #
Proposal for a regulation
Article 83 – paragraph 1 – introductory part
1. Within the limits of this Regulation, pPersonal data may be processed for historical, statistical or scientific research purposes only if:
2013/03/08
Committee: LIBE
Amendment 3058 #
Proposal for a regulation
Article 83 – paragraph 1 – point b a (new)
(ba) the personal data is processed for the purpose of generating aggregate data reports, wholly composed of either anonymous data, pseudonymous data or both.
2013/03/08
Committee: LIBE
Amendment 3076 #
Proposal for a regulation
Article 83 – paragraph 2 a (new)
2a. Where the data subject is required to give his/her consent for the processing of medical data exclusively for public health research purposes, the option of broad consent may be available to the data subject for the purposes of epidemiological, translational and clinical research. Where personal data is collected for statistical and public health purposes, such data should be made anonymous immediately after the end of data collection, checking or matching operations, except if the identification data remain necessary for statistical, and public health purposes such as epidemiological, translational and clinical research.
2013/03/08
Committee: LIBE
Amendment 3082 #
Proposal for a regulation
Article 83 – paragraph 2 – point a
(a) the data subject has given consent, subject to the conditions laid down in Article 7; or
2013/03/08
Committee: LIBE
Amendment 3087 #
Proposal for a regulation
Article 83 – paragraph 3
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the processing of personal data for the purposes referred to in paragraph 1 and 2 as well as any necessary limitations on the rights of information to and access by the data subject and detailing the conditions and safeguards for the rights of the data subject under these circumstances.
2013/03/08
Committee: LIBE
Amendment 3098 #
Proposal for a regulation
Article 84 – paragraph 1
1. Within the limits of this Regulation, Member States mayshall adopt specific rules to set out the investigative powers by the supervisory authorities laid down in Article 53(2) in relation to controllers or processors that are subjects under national law or rules established by national competent bodies to an obligation of professional secrecy or other equivalent obligations of secrecy, where this is necessary and proportionate to reconcile the right of the protection of personal data with the obligation of secrecy. These rules shall only apply with regard to personal data which the controller or processor has received from or has obtained in an activity covered by this obligation of secrecy.
2013/03/08
Committee: LIBE
Amendment 3127 #
Proposal for a regulation
Article 89 – paragraph 2
2. Article 1(2), Article 2(b) and (c), Article 4(3), (4) and (5) and Articles 6 and 9 of Directive 2002/58/EC shall be deleted.
2013/03/08
Committee: LIBE