BETA

95 Amendments of Cornelia ERNST related to 2012/0010(COD)

Amendment 180 #
Proposal for a directive
Recital 15
(15) The protection of individuals should be technological neutral and not depend on the techniques used; otherwise this would create a serious risk of circumvention. The protection of individuals should apply to processing of personal data by automated means, as well as to manual processing if the data are contained or are intended to be contained in a filing system. Files or sets of files as well as their cover pages, which are not structured according to specific criteria, should not fall within the scope of this Directive. This Directive should not apply to the processing of personal data in the course of an activity which falls outside the scope of Union law, in particular concerning national security, or to data processed by the Union institutions, bodies, offices and agencies, such as Europol or Eurojust.
2013/03/06
Committee: LIBE
Amendment 184 #
Proposal for a directive
Recital 16
(16) The principles of protection should apply to any information concerning an identified or identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the individual. The principles of data protection should not apply to data rendered anonymous in such a way that the data subject is no longer identifiable taking full account of the technological "state of the art" and technological trends.
2013/03/06
Committee: LIBE
Amendment 187 #
Proposal for a directive
Recital 19
(19) For the prevention, investigation and prosecution of criminal offences, it is necessary for competent authorities to retain and process personal data, collected in the context of the prevention, investigation, detection or prosecution of specific criminal offences beyond that context to develop an understanding of criminal phenomena and trends, to gather intelligence about organised criminal networks, and to make links between different offences detected.deleted
2013/03/06
Committee: LIBE
Amendment 190 #
Proposal for a directive
Recital 20 a (new)
(20a) The simple fact that two purposes both relate to the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties does not necessarily mean that they are compatible. For example, information about victims of crime should not be used for investigating them for unrelated crimes they might have committed. However, there are cases in which further processing for incompatible purposes should be possible if necessary to comply with a legal obligation to which the controller is subject, in order to protect the vital interests of the data subject or another person, or for the prevention of an immediate and serious threat to public security. Member States should therefore be able to adopt national laws providing for such derogations to the extent strictly necessary. Such national laws should contain a requirement of an individual assessment taking into account all circumstances of the case and provide for adequate safeguards, such as for example judicial authorisation.
2013/03/06
Committee: LIBE
Amendment 192 #
Proposal for a directive
Recital 23
(23) It is inherent to the processing of personal data in the areas of judicial co- operation in criminal matters and police co-operation that personal data relating to different categories of data subjects are processed. Therefore a clear distinction should as far as possible be made between personal data of different categories of data subjects such as suspects, persons convicted of a criminal offence, victims and third parties, such as witnesses, persons possessing relevant information or contacts and associates of suspects and convicted criminals.
2013/03/06
Committee: LIBE
Amendment 195 #
Proposal for a directive
Recital 24
(24) As far as possible pPersonal data should be distinguished according to the degree of their accuracy and reliability. Facts should be distinguished from personal assessments, in order to ensure both the protection of individuals and the quality and reliability of the information processed by the competent authorities.
2013/03/06
Committee: LIBE
Amendment 197 #
Proposal for a directive
Recital 25
(25) In order to be lawful, the processing of personal data should be necessary for compliance with a legal obligation to which the controller is subject, for the performance of a task carried out in the public interest by a competent authority based on law or in order to protect the vital interests of the data subject or of another person, or for the prevention of an immediate and serious threat to public security.
2013/03/06
Committee: LIBE
Amendment 199 #
Proposal for a directive
Recital 25 a (new)
(25a) In single and exceptional cases and based on law, the processing of personal data may be allowed for other purposes as well, where such processing is necessary for compliance with a legal obligation to which the controller is subject, in order to protect the vital interests of the data subject or of another natural person, or for the prevention of an immediate and serious threat to public security.
2013/03/06
Committee: LIBE
Amendment 201 #
Proposal for a directive
Recital 26
(26) Personal data which are, by their nature, particularly sensitive in relation to fundamental rights or privacy, including genetic data, deserve specific protection. Such data should not be processed, unless processing is specifically authorised by a law which provides for suitable measures to safeguard the data subject's fundamental rights and legitimate interests; or processing is necessary to protect the vital interests of the data subject or of another natural person; or the processing relates to data which are manifestly made public by the data subject.
2013/03/06
Committee: LIBE
Amendment 205 #
Proposal for a directive
Recital 27
(27) Every natural person should have the right not to be subject to a measure which is based solely on automated pon profiling. Processing if itwhich produces an adverse legal effect for that person, unless authorised by law and subject to suitable measures to safeguard the data subject's legitimate interests or otherwise affects him or her should be prohibited, unless strictly necessary in a democratic society, proportionate to the legitimate aim pursued, explicitly authorised by law and subject to suitable measures to safeguard the data subject's fundamental rights and legitimate interests, including the right to be provided with meaningful information about the logic used in the profiling. Such processing should in no circumstances contain, generate, or discriminate based on special categories of data.
2013/03/06
Committee: LIBE
Amendment 207 #
Proposal for a directive
Recital 28
(28) In order to exercise their rights, any information to the data subject should be easily accessible and easy to understand, including the use of clear and plain language. This information shall be adapted to the data subject, if necessary through the use of simple language and/or foreign language.
2013/03/06
Committee: LIBE
Amendment 214 #
Proposal for a directive
Recital 30
(30) The principle of fair and transparent processing requires that the data subjects should be informed in particular of the existence of the processing operation and its purposes, how long the data will be stored, on the existence of the right of access, rectification or erasure and on the right to lodge a complaint. Where the data are collected from the data subject, the data subject should also be informed whether they are obliged to provide the data and of the consequences, in cases they do not provide such data.
2013/03/06
Committee: LIBE
Amendment 217 #
Proposal for a directive
Recital 33
(33) Member States should be allowed to adopt legislative measures delaying, or restricting or omitting the information of data subjects or the access to their personal data to the extent that and as long as such partial or complete restriction constitutes a necessary and proportionate measure in a democratic society with due regard for the fundamental rights and legitimate interests of the person concerned, to avoid obstructing official or legal inquiries, investigations or procedures, to avoid prejudicing the prevention, detection, investigation and prosecution of criminal offences or for the execution of criminal penalties, to protect public security or national security, or, to protect the data subject or the rights and freedoms of others.
2013/03/06
Committee: LIBE
Amendment 219 #
Proposal for a directive
Recital 36
(36) Any person should have the right to have inaccurate personal data concerning them rectified and the right of erasure where the processing of such data is not in compliance with the main principles laid down in this Directive. Where the personal data are processed in the course of a criminal investigation and proceedings,, rectification, the rights of information, access, erasure and restriction of processing may be carried out in accordance with national rules on judicial proceedings.
2013/03/06
Committee: LIBE
Amendment 227 #
Proposal for a directive
Recital 42
(42) A personal data breach may, if not addressed in an adequate and timely manner, result in harm, including reputational damage to the individual concerned. Therefore, as soon as the controller becomes aware that such a breach has occurred, it should notify the breach to the competent national authority. The individuals whose personal data or privacy could be adversely affected by the breach should be notified without undue delay in order to allow them to take the necessary precautions. A breach should be considered as adversely affecting the personal data or privacy of an individual where it could result in, for example, identity theft or fraud, physical harm, significant humiliation or damage to reputation in connection with the processing of personal data.
2013/03/06
Committee: LIBE
Amendment 229 #
Proposal for a directive
Recital 43
(43) In setting detailed rules concerning the format and procedures applicable to the notification of personal data breaches, due consideration should be given to the circumstances of the breach, including whether or not personal data had been protected by appropriate technical protection measures, effectively limiting the likelihood of misuse. Moreover, such rules and procedures should take into account the legitimate interests of competent authorities in cases where early disclosure could unnecessarily hamper the investigation of the circumstances of a breach. Encryption should not be considered unbreakable.
2013/03/06
Committee: LIBE
Amendment 230 #
Proposal for a directive
Recital 43 a (new)
(43a) Some forms of processing, such as profiling, the processing of sensitive categories of data, the monitoring of publicly accessible spaces (including video surveillance), as well as the processing of genetic and biometric data or of data on children, present special risks. In order to address these risks, controllers should carry out an assessment of the impact on fundamental rights if they are planning to put such processing operations in place. This assessment should explain the risks and the measures taken to address them, especially as regards discrimination. Controllers should also seek the view of data subjects or their representatives in this context.
2013/03/06
Committee: LIBE
Amendment 231 #
Proposal for a directive
Recital 44
(44) The controller or the processor should designate a person who would assist the controller or processor to monitor compliance with the provisions adopted pursuant to this Directive. A data protection officer may be appointed jointly by several entities of the competent authority. The data protection officers must be in a position to perform their duties and tasks independently and effectively. This includes rules avoiding conflicts of interests, providing an adequate amount of resources and an appropriate administrative attachment to avoid interference by controllers.
2013/03/06
Committee: LIBE
Amendment 233 #
Proposal for a directive
Recital 45
(45) Member States should ensure that a transfer to a third country only takes place if it is necessary for the prevention, investigation, detection or prosecution of one or more specific criminal offences or the execution of criminal penalties, and the controller in the third country or international organisation is an public authority competent within the meaning of this Directive. A transfer may take place in cases where the Commission has decided that the third country or international organisation in question ensures an adequate level or protection, or when appropriate safeguards have been adduced. Data transferred to competent public authorities in third countries should not be further processed for purposes other than the one they were transferred for.
2013/03/06
Committee: LIBE
Amendment 234 #
Proposal for a directive
Recital 45 a (new)
(45a) Further onward transfers from competent authorities in third countries or international organisations to which personal data have been transferred should only be allowed if the onward transfer is necessary for the same specific purpose as the original transfer and the second recipient is also a competent public authority. This could for example be the case in case the onward transfer is necessary for the prevention, investigation, detection or prosecution of the same criminal offence that justified the original transfer or for the execution of the same criminal penalty that justified the original transfer. Further onward transfers should not be allowed for general law-enforcement purposes. Additionally, the competent authority that carried out the original transfer should have agreed to the onward transfer.
2013/03/06
Committee: LIBE
Amendment 235 #
Proposal for a directive
Recital 46
(46) The Commission may decide with effect for the entire Union that certain third countries, or a territory or a processing sector within a third country, or an international organisation, offer an adequate level of data protection, thus providing legal certainty and uniformity throughout the Union as regards the third countries or international organisations which are considered to provide such level of protection. In these cases, transfers of personal data to these countries may take place without needing to obtain any further authorisation.
2013/03/06
Committee: LIBE
Amendment 237 #
Proposal for a directive
Recital 48
(48) The Commission should equally be able to recognise that a third country, or a territory or a processing sector within a third country, or an international organisation, does not offer an adequate level of data protection. Consequently the transfer of personal data to that third country should be prohibited except when they are based on an international agreement, appropriate safeguards which ensures the minimum level of protection set out in this Directive, or a derogation. Provision should be made for procedures for consultations between the Commission and such third countries or international organisations. However, such a Commission decision shall be without prejudice to the possibility to undertake transfers on the basis of appropriate safeguards or on the basis of a derogation laid down in the Directive.
2013/03/06
Committee: LIBE
Amendment 239 #
Proposal for a directive
Recital 49
(49) Transfers not based on such an adequacy decision should only be allowed where appropriate safeguards have been adduced in a legally binding instrument, which ensure the protection of the personal data or where the controller or processor has assessed all the circumstances surrounding the data transfer operation or the set of data transfer operations and, based on this assessment, considers that appropriate safeguards with respect to the protection of personal data exist. In cases where no grounds for allowing a transfer exist, derogations should be allowed if necessary in order to protect the vital interests of the data subject or another natural person, or to safeguard legitimate interests of the data subject where the law of the Member State transferring the personal data so provides, or where it is essential for the prevention of an immediate and serious threat to the public security of a Member State or a third country, or in individual cases for the purposes of prevention, investigation, detection or prosecution of specific criminal offences or the execution of criminal penalties, or in individual cases for the establishment, exercise or defence of legal claims. Where the Commission has issued a negative adequacy decision, the use of derogations should be restricted to cases where the transfer is necessary in order to protect the vital interests of the data subject or another person or where it is essential for the prevention of an immediate and serious threat to the public security of a Member State or a third country. In any case, these derogations should be interpreted restrictively. In particular, derogations should not be used to allow frequent, massive, or structural transfers. Also when transferring data on individual cases, the amount of data should be limited to what is strictly necessary. Additionally, any transfer based on a derogation should be comprehensively documented. This documentation should be made available to the supervisory authority on request.
2013/03/06
Committee: LIBE
Amendment 240 #
Proposal for a directive
Recital 54
(54) The general conditions for the members of the supervisory authority should be laid down by law in each Member State and should in particular provide that those members should be either appointed by the parliament or the government of the Member State, and include rules on the personal qualification of the members and the position of those members.
2013/03/06
Committee: LIBE
Amendment 245 #
Proposal for a directive
Recital 61
(61) Any body, organisation or association which aims to protects the rights and interests of dnata subjects in relation to the protection of their dataural persons and is constituted according to the law of a Member State should have the right to lodge a complaint or exercise the right to a judicial remedy on behalf of data subjects if duly mandated by them, or to lodge, independently of a data subject's complaint, its own complaint where it considers that a personal data breach has occurred or where it considers that a controller has not complied with the principles of data protection by design and by default.
2013/03/06
Committee: LIBE
Amendment 246 #
Proposal for a directive
Recital 64
(64) Any damage, whether pecuniary or not, which a person may suffer as a result of unlawful processing should be compensated by the controller or processor, who may be exempted from liability only if they prove that they are not responsible for the damage, in particular where they establish fault on the part of the data subject or in case of force majeure.
2013/03/06
Committee: LIBE
Amendment 255 #
Proposal for a directive
Recital 73
(73) In order to ensure a comprehensive and coherent protection of personal data in the Union, international agreements concluded by the Union or by the Member States prior to the entry force of this Directive should be amended in line with this Directive.
2013/03/06
Committee: LIBE
Amendment 267 #
Proposal for a directive
Article 2 – paragraph 3 – point a
(a) in the course of an activity which falls outside the scope of Union law, in particular concerning national security;
2013/03/06
Committee: LIBE
Amendment 275 #
Proposal for a directive
Article 3 – paragraph 1 – point 1
(1) ‘data subject’ means an identified natural person or a natural person who can be identified or singled out, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an identification number or other unique identifier, location data, online identifiers or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person;
2013/03/06
Committee: LIBE
Amendment 278 #
Proposal for a directive
Article 3 – paragraph 1 – point 3 a (new)
(3a) 'profiling' means any form of automated processing intended to evaluate certain personal aspects relating to this natural person or to analyse or predict in particular the natural person's economic situation, location, health, personal preferences, reliability or behaviour;
2013/03/06
Committee: LIBE
Amendment 281 #
Proposal for a directive
Article 3 – paragraph 1 – point 9
(9) ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
2013/03/06
Committee: LIBE
Amendment 319 #
Proposal for a directive
Article 5 – paragraph 1 – introductory part
1. Member States shall provide that, as far as possible, the controller makes a clear distinction between personal data of different categories of data subjects, such as:
2013/03/06
Committee: LIBE
Amendment 324 #
Proposal for a directive
Article 5 – paragraph 1 – point d
(d) third parties to the criminal offence, such as persons who might be called on to testify in investigations in connection with criminal offences or subsequent criminal proceedings, or a person who can provide information on criminal offences, or a contact or associate to one of the persons mentioned in (a) and (b); and;
2013/03/06
Committee: LIBE
Amendment 325 #
Proposal for a directive
Article 5 – paragraph 1 – point d a (new)
(da) persons who can provide information on criminal offences;
2013/03/06
Committee: LIBE
Amendment 326 #
Proposal for a directive
Article 5 – paragraph 1 – point d b (new)
(db) contacts or associates to one of the persons mentioned in (a) and (b); and
2013/03/06
Committee: LIBE
Amendment 330 #
Proposal for a directive
Article 5 – paragraph 1 a (new)
1a. Member States shall provide specific rules on the consequences of this categorisation, taking into account the different purposes for which data are collected. These specific rules shall include conditions for collecting data, time limits for retention, possible limitations to data subject's rights of access and information and the modalities of access to data by competent authorities.
2013/03/06
Committee: LIBE
Amendment 344 #
Proposal for a directive
Article 7 – paragraph 1 – introductory part
Member States shall provide that the processing of personal data is lawful only if and to the extent that processing is necessary: (a) for the performance of a task carried out by a competent authority, based on Union or national law for the purposes set out in Article 1(1); or (b) for compliance with a legal obligation to which the controller is subject; or (c) in order to protect the vital interests of the data subject or of another person; or (d) for the prevention of an immediate and serious threat to public security and not further processed in a way that is incompatible with these purposes.
2013/03/06
Committee: LIBE
Amendment 347 #
Proposal for a directive
Article 7 a (new)
Article 7a Further processing for incompatible purposes 1. Member States may adopt legislative measures allowing further processing for incompatible purposes if such processing is strictly necessary: (a) for compliance with a legal obligation to which the controller is subject; or (b) in order to protect the vital interests of the data subject or of another person; or (c) for the prevention of an immediate and serious threat to public security. 2. Legislative measures referred to in paragraph 1 shall provide for: (a) an individual assessment taking into account all relevant circumstances of the case; and (b) adequate safeguards for the rights of the data subject.
2013/03/06
Committee: LIBE
Amendment 355 #
Proposal for a directive
Article 8 – paragraph 1
1. Member States shall prohibit the processing of personal data revealing race or ethnic origin, political opinions, religion or beliefsphilosophical beliefs, sexual orientation or gender identity, trade-union membership and activities, of genetic data or of data concerning health or sex life.
2013/03/06
Committee: LIBE
Amendment 361 #
Proposal for a directive
Article 9 – paragraph 1
1. Member States shall provide that measures which produce an adverse legal effect for the data subject or significantly affect them and which are based solely on automated processing of personal data intended to evaluate certain personal aspects relating to the data subjecton profiling shall be prohibited unless authorised by a law which also lays down measures to safeguard the data subject's legitimate interests, including the right to be provided with meaningful information about the logic used in the profiling, and the right to obtain human intervention, including an explanation of the decision reached after such intervention.
2013/03/06
Committee: LIBE
Amendment 368 #
Proposal for a directive
Article 9 – paragraph 2
2. Automated processing of personal data intended to evaluate certain personal aspects relating to the data subject shall not be based solely oninclude or generate special categories of personal data referred to in Article 8.
2013/03/06
Committee: LIBE
Amendment 370 #
Proposal for a directive
Article 9 – paragraph 2 a (new)
2a. Profiling that, whether intentionally or otherwise, has the effect of discriminating against individuals on the basis of race or ethnic origin, socio- economic status, political opinions, religion or philosophical beliefs, trade union membership, or sexual orientation or gender identity, or that, whether intentionally or otherwise, result in measures which have such effect, shall be prohibited in all cases.
2013/03/06
Committee: LIBE
Amendment 374 #
Proposal for a directive
Article 10 – paragraph 2
2. Member States shall provide that any information and any communication relating to the processing of personal data are to be provided by the controller to the data subject in an intelligible form, using clear and plain language. This communication shall be adapted to the data subject, if necessary through the use of simple language and/or foreign language.
2013/03/06
Committee: LIBE
Amendment 379 #
Proposal for a directive
Article 10 – paragraph 5
5. Member States shall provide that the information and any action taken by the controller following a request referred to in paragraphs 3 and 4 are free of charge. Where requests are vexatiousmanifestly excessive, in particular because of their repetitive character, or the size or volume of the request, the controller may charge a fee for providing the information or taking the action requested, or the controller may not take the action requested. In that case, the controller shall bear the burden of proving the vexatiousmanifestly excessive character of the request.
2013/03/06
Committee: LIBE
Amendment 383 #
Proposal for a directive
Article 10 a (new)
Article 10a Rights in relation to recipients Member States shall provide that the controller shall communicate any change, rectification or erasure, carried out in accordance with Articles 15 and 16 of this Directive or for other reasons, to each recipient to whom the data have been disclosed and obtain information on the actions taken following this communication, unless this proves impossible or involves a disproportionate effort.
2013/03/06
Committee: LIBE
Amendment 386 #
Proposal for a directive
Article 11 – paragraph 1 – point f
(f) the recipients or categories of recipients of the personal data, including in third countries or international organisations and on potential access to the data under the rules of that third country or international organisation;
2013/03/06
Committee: LIBE
Amendment 387 #
Proposal for a directive
Article 11 – paragraph 1 – point f a (new)
(fa) where the controller processes personal data as described in Article 9(1), information about the existence of processing for a measure of the kind referred to in Article 9(1) and the intended effects of such processing on the data subject;
2013/03/06
Committee: LIBE
Amendment 389 #
Proposal for a directive
Article 11 – paragraph 1 – point f b (new)
(fb) information regarding specific security measures taken to protect personal data;
2013/03/06
Committee: LIBE
Amendment 391 #
Proposal for a directive
Article 11 – paragraph 2 a (new)
2a. Where the personal data are not collected from the data subject, the controller shall inform the data subject, in addition to the information referred to in paragraph 1, from which source the data originate.
2013/03/06
Committee: LIBE
Amendment 394 #
Proposal for a directive
Article 11 – paragraph 4 – introductory part
4. Member States may adopt legislative measures delaying, or restricting or omitting the provision of the information to the data subject to the extent that, and as long as, such partial or complete restriction constitutes a necessary and proportionate measure in a democratic society with due regard for the fundamental rights and legitimate interests of the person concerned, based on a concrete and individual examination of each specific case:
2013/03/06
Committee: LIBE
Amendment 397 #
Proposal for a directive
Article 11 – paragraph 4 – point d
(d) to protect national security;deleted
2013/03/06
Committee: LIBE
Amendment 398 #
Proposal for a directive
Article 11 – paragraph 5
5. Member States may determine categories of data processing which may wholly or partly fall under the exemptions of paragraph 4.deleted
2013/03/06
Committee: LIBE
Amendment 405 #
Proposal for a directive
Article 12 – paragraph 1 – point c
(c) the recipients or categories of recipients to whom the personal data have been disclosed, in particularcluding all the recipients in third countries;
2013/03/06
Committee: LIBE
Amendment 409 #
Proposal for a directive
Article 12 – paragraph 1 – point g a (new)
(ga) the significance and envisaged consequences of the processing, at least in the case of profiling;
2013/03/06
Committee: LIBE
Amendment 411 #
Proposal for a directive
Article 12 – paragraph 1 – point g b (new)
(gb) in the case of measures based on profiles, meaningful information about the logic used in the profiling.
2013/03/06
Committee: LIBE
Amendment 412 #
Proposal for a directive
Article 12 – paragraph 2
2. Member States shall provide for the right of the data subject to obtain from the controller a copy of the personal data undergoing processing. Where the data subject makes the request in electronic form, the information shall be provided in electronic form, unless otherwise requested by the data subject.
2013/03/06
Committee: LIBE
Amendment 419 #
Proposal for a directive
Article 13 – paragraph 1 – introductory part
1. Member States may adopt legislative measures restricting, wholly or partly, the data subject's right of access to the extent and for the period that such partial or complete restriction constitutes a necessary and proportionate measure in a democratic society with due regard for the fundamental rights and legitimate interests of the person concerned, based on a concrete and individual examination of each specific case:
2013/03/06
Committee: LIBE
Amendment 423 #
Proposal for a directive
Article 13 – paragraph 1 – point d
(d) to protect national security;deleted
2013/03/06
Committee: LIBE
Amendment 429 #
Proposal for a directive
Article 13 – paragraph 2
2. Member States may determine by law categories of data processing which may wholly or partly fall under the exemptions of paragraph 1.deleted
2013/03/06
Committee: LIBE
Amendment 435 #
Proposal for a directive
Article 13 – paragraph 3
3. In the cases referred to in paragraphs 1 and 2, Member States shall provide that the controller informs the data subject in writing on any refusal or restriction of access, on the reasons for the refusal and on the possibilities of lodging a complaint to the supervisory authority and seeking a judicial remedy. The information on factual or legal reasons on which the decision is based may be omitted where the provision of such information would undermine a purpose under paragraph 1.
2013/03/08
Committee: LIBE
Amendment 440 #
Proposal for a directive
Article 14 – paragraph 2
2. Member States shall provide that the controller informs the data subject of the right to request the intervention of the supervisory authority pursuant to paragraph 1.
2013/03/08
Committee: LIBE
Amendment 444 #
Proposal for a directive
Article 15 – paragraph 1
1. Member States shall provide for the right of the data subject to obtain from the controller the rectification of personal data relating to them which are inaccurate. The data subject shall have the right to obtain completion of incomplete personal data, in particular by way of a corrective statement. The controller shall not be able to refuse the rectification request if the personal data contained therein are factually correct.
2013/03/08
Committee: LIBE
Amendment 450 #
Proposal for a directive
Article 15 – paragraph 2 a (new)
2a. The controller shall communicate any rectification carried out to each recipient to whom the data have been disclosed, unless it proves impossible to do so.
2013/03/08
Committee: LIBE
Amendment 458 #
Proposal for a directive
Article 16 – paragraph 3 – introductory part
3. Instead of erasure, the controller shall markrestrict the processing of the personal data where:
2013/03/08
Committee: LIBE
Amendment 468 #
Proposal for a directive
Article 16 – paragraph 3 a (new)
3a. Personal data referred to in paragraph 3 may, with the exception of storage, only be processed when necessary for purposes of proof, or the protection of vital interests of the data subject or another person.
2013/03/08
Committee: LIBE
Amendment 471 #
Proposal for a directive
Article 16 – paragraph 3 b (new)
3b. Where processing of personal data is restricted pursuant to paragraph 3, the controller shall inform the data subject before lifting the restriction.
2013/03/08
Committee: LIBE
Amendment 473 #
Proposal for a directive
Article 16 – paragraph 4
4. Member States shall provide that the controller informs the data subject in writing of any refusal of erasure or markingrestriction of the processing, the reasons for the refusal and the possibilities of lodging a complaint to the supervisory authority and seeking a judicial remedy.
2013/03/08
Committee: LIBE
Amendment 475 #
Proposal for a directive
Article 16 – paragraph 4 a (new)
4a. Member States shall provide that the controller shall implement mechanisms to ensure that the time limits established for the erasure of personal data and/or for a periodic review of the need for the storage of the data are observed.
2013/03/08
Committee: LIBE
Amendment 477 #
Proposal for a directive
Article 16 – paragraph 4 b (new)
4b. The controller shall communicate any restriction on processing or any erasure carried out to each recipient to whom the data have been disclosed, unless it proves impossible to do so.
2013/03/08
Committee: LIBE
Amendment 484 #
Proposal for a directive
Article 19 – paragraph 1
1. Member States shall provide that, having regard to the state of the art and, the cost of implementntroller shall, both at the time of the determination, of the controller shallmeans for processing and at the time of the processing itself, implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of provisions adopted pursuant to this Directive and ensure the protection of the rights of the data subject. This shall include both: (a) technical measures relating to the technical design and architecture of the product or service; and (b) organisational measures which relate to operational policies of the controller.
2013/03/08
Committee: LIBE
Amendment 487 #
Proposal for a directive
Article 19 – paragraph 2
2. The controller shall implement mechanisms for ensuring that, by default,; only those personal data which are necessary for the purposes of the processing are processed and are especially not collected or retained beyond the minimum necessary for those purposes, both in terms of the amount of the data and the time of their storage. This shall be ensured using technical and/or organisational measures, as appropriate. In particular, those mechanisms shall ensure that by default personal data are not made accessible to an indefinite number of individuals.
2013/03/08
Committee: LIBE
Amendment 501 #
Proposal for a directive
Article 21 – paragraph 2
2. Member States shall provide that the carrying out of processing by a processor must be governed by a legal act binding the processor to the controller and stipulating. These acts shall in particular stipulate that the processor shall: (a) act only on instructions from the controller, in particular, where the transfer of the personal data used is prohibited. ; (b) employ only staff who are under a statutory obligation of confidentiality; (c) take all required measures to comply with the provisions adopted pursuant to Article 27; (d) enlist another processor only with the prior permission of the controller; (e) insofar as this is possible given the nature of the processing, create in agreement with the controller the necessary technical and organisational requirements for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III; (f) assist the controller in ensuring compliance with the provisions adopted pursuant to Articles 27 to 32; (g) hand over all results to the controller after the end of the processing and not process the personal data otherwise; (h) make available to the controller and the supervisory authority all information necessary to control compliance with the obligations laid down in this Article. (i) take into account the principle of data protection by design and default.
2013/03/08
Committee: LIBE
Amendment 503 #
Proposal for a directive
Article 21 – paragraph 2 a (new)
2a. The controller and the processor shall document in writing the controller's instructions and the processor's obligation referred to in paragraph 2.
2013/03/08
Committee: LIBE
Amendment 519 #
Proposal for a directive
Article 23 – paragraph 2 – point d a (new)
(da) the description of the measures referred to in Article 18(3).
2013/03/08
Committee: LIBE
Amendment 525 #
Proposal for a directive
Article 24 – paragraph 1
1. Member States shall ensure that records are kept of at least the following processing operations: collection, alteration, consultation, disclosure, combination or erasure. The records of consultation and disclosure shall show in particular the purpose, date and time of such operations and as far as possible the identification of the person who consulted or disclosed personal data.
2013/03/08
Committee: LIBE
Amendment 533 #
Proposal for a directive
Article 25 – paragraph 2
2. In response to the supervisory authority's exercise of its powers under points (a) and (b) of Article 46, the controller and the processor shall reply to the supervisory authority within a reasonable period to be specified by the supervisory authority. The reply shall include a description of the measures taken and the results achieved, in response to the remarks of the supervisory authority.
2013/03/08
Committee: LIBE
Amendment 535 #
Proposal for a directive
Article 25 a (new)
Article 25a Data Protection impact assessment 1. Member States shall provide that, prior to the processing of personal data, the controller or the processor shall carry out an assessment of the impact of the envisaged processing systems and procedures on the protection of personal data, where the processing operations are likely to present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes. 2. In particular the following processing operations are likely to present such specific risks as referred to in paragraph 1: (a) processing of personal data in large scale filing systems for the purposes of the prevention, detection, investigation or prosecution of criminal offences and the execution of criminal penalties; (b) processing of special categories of personal data within the meaning of Article 8, of personal data related to children, location data and of biometric data for the purposes of the prevention, detection, investigation or prosecution of criminal offences and the execution of criminal penalties. (c) an evaluation of personal aspects relating to a natural person or for analysing or predicting in particular the natural person's behaviour, which is based on automated processing and likely to result in measures that produces legal effects concerning the individual or significantly affects the individual; (d) monitoring publicly accessible areas, especially when using optic-electronic devices (video surveillance); or (e) other processing operations for which the consultation of the supervisory authority is required pursuant to Article 26(1). 3. The assessment shall contain a systematic and detailed description of the envisaged processing operations, an assessment of the risks to the rights and freedoms of data subjects, the measures envisaged to address those risks, safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate the compliance with the provisions adopted pursuant to this Directive, taking into account the fundamental rights and legitimate interests of the data subjects and other persons concerned. 4. Member States shall provide that the controller consults all relevant stakeholders, including representatives of data subjects, on the intended processing. 5. The assessment shall be made easily accessible to the public. 6. The Commission shall be empowered to adopt, after requesting an opinion of the European Data Protection Board, delegated acts in accordance with Article 56 for the purpose of specifying further the criteria and conditions for the processing operations likely to present specific risks referred to in paragraphs 1 and 2 and the requirements for the assessment referred to in paragraph 3, including conditions for scalability, verification and audit ability.
2013/03/08
Committee: LIBE
Amendment 548 #
Proposal for a directive
Article 27 – paragraph 1
1. Member States shall provide that the controller and the processor implements appropriate technical and organisational measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected, having regard to the state of the art and the cost of their implementation.
2013/03/08
Committee: LIBE
Amendment 554 #
Proposal for a directive
Article 28 – paragraph 4 a (new)
4a. The supervisory authority shall keep a public register of the types of breaches notified.
2013/03/08
Committee: LIBE
Amendment 562 #
Proposal for a directive
Article 29 – paragraph 2
2. The communication to the data subject referred to in paragraph 1 shall describe the nature of the personal data breach and contain at least the information and the recommendations provided for in points (ba) and (ce) of Article 28(3).
2013/03/08
Committee: LIBE
Amendment 564 #
Proposal for a directive
Article 29 – paragraph 4
4. The communication to the data subject may be delayed, or restricted or omitted on the grounds referred to in Article 11(4).
2013/03/08
Committee: LIBE
Amendment 573 #
Proposal for a directive
Article 30 – paragraph 3 a (new)
3a. Member States shall provide that the controller or the processor shall communicate the name and contact details of the data protection officer to the supervisory authority and to the public.
2013/03/08
Committee: LIBE
Amendment 574 #
Proposal for a directive
Article 30 – paragraph 3 b (new)
3b. Member States shall provide that data subjects shall have the right to contact the data protection officer on all issues related to the processing of the data subject's data and to request exercising the rights under this Regulation.
2013/03/08
Committee: LIBE
Amendment 580 #
Proposal for a directive
Article 33
General principles for transfers of Member States shall provide that any transfer of personal data by competent authorities that is undergoing processing or is intended for processing after transfer to a third country, or to an international organisation, including further onward transfer to another third country or international organisation, may take place only if: (a) the transfer is necessary for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties; and (b) the conditions laid down in this Chapter are complied with by the controller and processor.Article 33 deleted personal data
2013/03/08
Committee: LIBE
Amendment 589 #
Proposal for a directive
Article 33 a (new)
Article 33a Transfers to recipients not subject to the provisions implementing this Directive Member States shall provide that transfers of personal data by competent authorities to recipients that are not subject to the provisions implementing this Directive may only take place if such transfers are: (a) provided for in national law; such laws must be in compliance with the Charter of Fundamental Rights of the European Union and the Convention for the Protection of Human Rights and Fundamental Freedoms, and be in line with the case law of the Court of Justice of the European Union and the European Court of Human Rights; or (b) necessary for the protection of the vital interests of the data subject or another natural person; or (c) carried out upon request of the data subject.
2013/03/08
Committee: LIBE
Amendment 591 #
Proposal for a directive
Article 33 b (new)
Article 33b General principles for transfers of personal data 1. Member States shall provide that any transfer of personal data by competent authorities that is undergoing processing or is intended for processing after transfer to a public competent authority in a third country, or to an international organisation, including further onward transfer to another public competent authority in a third country or international organisation, may take place only if: (a) the specific transfer is necessary for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties; (b) the data are transferred to a controller in a third country or international organisation that is an public authority competent for the purposes referred in Article 1(1); (c) the conditions laid down in Articles 34 to 37 are complied with by the controller and the processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation; (d) the other provisions adopted pursuant to this Directive are complied with by the controller and processor; and (e) the level of protection of the personal data individuals guaranteed in the Union by this Directive is not undermined. 2. Member States shall provide that further onward transfers referred to in paragraph 1 of this Article may only take place if, in addition to the conditions laid out in that paragraph: (a) the onward transfer is necessary for the same specific purpose as the original transfer; and (b) the competent authority that carried out the original transfer authorises the onward transfer.
2013/03/08
Committee: LIBE
Amendment 602 #
Proposal for a directive
Article 35 – paragraph 1 – introductory part
1. Where the Commission has taken no decision pursuant to Article 34, Member States shall provide that a transfer of personal data to a recipientcompetent public authority in a third country or an international organisation may take place where: (a) appropriate safeguards with respect to the protection of personal data have been adduced in a legally binding instrument; or (b) the controller or processor has assessed all the circumstances surrounding the transfer of personal data and concludes that appropriate safeguards exist with respect to the protection of personal data.
2013/03/08
Committee: LIBE
Amendment 610 #
Proposal for a directive
Article 35 – paragraph 2
2. The decision for transfers under paragraph 1 (b) must be made by duly authorised staff. These transfers must be documented and the documentation must be made available to the supervisory authority on request. Or. en (wrong numbering of the paragraphs in the Commission document)
2013/03/08
Committee: LIBE
Amendment 616 #
Proposal for a directive
Article 36 – paragraph 1 – introductory part
By way of derogation from Articles 34 and 35, Member States shall provide that a transfer of personal data to a competent public authority in a third country or an international organisation may take place only on condition that the controller has obtained prior authorisation in accordance with paragraph 1a and:
2013/03/08
Committee: LIBE
Amendment 619 #
Proposal for a directive
Article 36 – paragraph 1 a (new)
Member States shall provide that prior to carrying out a transfer based on paragraph 1, the controller shall obtain prior authorisation from the supervisory authority, in order to ensure the compliance of the transfer with the provisions adopted pursuant to this Directive and to in particular to mitigate the risk involved for the data subject.
2013/03/08
Committee: LIBE
Amendment 621 #
Proposal for a directive
Article 36 – paragraph 1 b (new)
Member States shall provide that when any of the derogations in paragraph 1 is invoked, the controller shall: (a) only transfer the amount of personal data strictly necessary to achieve the aim of the transfer; and (b) document these transfers, including the date and time of the transfer, information about the recipient authority, the justification for the transfer and the data transferred. This documentation shall be made available to the supervisory authority on request.
2013/03/08
Committee: LIBE
Amendment 630 #
Proposal for a directive
Article 41 – paragraph 1
1. Member States shall provide that the members of the supervisory authority must be appointed either by the parliament or the government of the Member State concerned.
2013/03/08
Committee: LIBE
Amendment 642 #
Proposal for a directive
Article 45 – paragraph 6
6. Where requests are vexatious, in particular due to their repetitive character, the supervisory authority may charge a fee or not take the action required by the data subjectreasonable fee. The supervisory authority shall bear the burden of proving of the vexatious character of the request.
2013/03/08
Committee: LIBE
Amendment 655 #
Proposal for a directive
Article 50 – paragraph 2
2. Member States shall provide for the right of any body, organisation or association which aims to protect data subjects' rights and interests concerning the protection of their personal data and is being properly constituted according to the law of a Member State to lodge a complaint with a supervisory authority in any Member State on behalf of one or more data subjects, if it considers that a data subject's rights under this Directive have been infringed as a result of the processing of personal data. The organisation or association must be duly mandated by the data subject(s).
2013/03/08
Committee: LIBE
Amendment 659 #
Proposal for a directive
Article 53 – paragraph 1
1. Member States shall provide for the right of any body, organisation or association referred to in Article 50(2) to exercise the rights referred to in Articles 51, 52 and 524 on behalf of one or more data subjects.
2013/03/08
Committee: LIBE