176 Amendments of Jürgen CREUTZMANN related to 2012/0011(COD)
Amendment 190 #
Proposal for a regulation
Recital 23
Recital 23
(23) The principles of protection should apply to anyonly to specific information concerning an identified or identifiable person. To determine whether a person is identifiable, account should be taken of all: (i) only of those means likely reasonably to be used either by the controller or by any other natural or legal person to identify the individual, and (ii) of the reasonable likeliness of a person being identified. The principles of data protection should not apply to data rendered anonymous in such a way that the data subject is no longer identifiable from the data.
Amendment 191 #
Proposal for a regulation
Recital 23 a (new)
Recital 23 a (new)
(23a) This regulation recognises that pseudonymisation is in the benefit of all data subjects as, by definition, personal data is altered so that it of itself cannot be attributed to a data subject without the use additional data. By this, controllers shall be encouraged to the practice of pseudonymising data.
Amendment 193 #
Proposal for a regulation
Recital 24
Recital 24
(24) When using online services, individuals may be associated with online identifiers provided by their devices, applications, tools and protocols, such as Internet Protocol addresses or cookie identifiers. This may leave traces which, combined with unique identifiers and other information received by the servers, may be used to create profiles of the individuals and identify them. It follows that identification numbers, location data, online identifiers or other specific factors as such need not necessarily be considered as personal data in all circumstances.
Amendment 198 #
Proposal for a regulation
Recital 25
Recital 25
(25) Consent should be given explicitunambiguously by any appropriate method within the context of the product or service being offered enabling a freely given specific and informed indication of the data subject's wishes, either by a statement or by a clear affirmative action by the data subject, ensuring that individuals are aware that they give their consent to the processing of personal data, including by ticking a box when visiting an Internet website or by any other statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of their personal data. Silence or inactivity should therefore not constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. If the data subject's consent is to be given following an electronic request, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
Amendment 199 #
Proposal for a regulation
Recital 25 a (new)
Recital 25 a (new)
(25a) This regulation recognises that the pseudonymisation of data can help minimise the risks to privacy of data subjects. To the extent that a controller pseudonymises data such processing shall be considered justified as a legitimate interest of the controller according to point (f) of paragraph 1 of Article 6.
Amendment 200 #
Proposal for a regulation
Recital 26
Recital 26
(26) Personal data relating to health should include in particular all personal data pertaining to the health status of a data subject; information about the registration of the individual for the provision of health services; information about payments or eligibility for healthcare with respect to the individual; a number, symbol or particular assigned to an individual to uniquely identify the individual for health purposes; any information about the individual collected in the course of the provision of health services to the individual; informationpersonal data derived from the testing or examination of a body part or, bodily substance, including or biological samples; identification of a person as provider of healthcare to the individual; or any information on e.g. a disease, disability, disease risk, medical history, clinical treatment, or the actual physiological or biomedical state of the data subject independent of its source, such as e.g. from a physician or other health professional, a hospital, a medical device, or an in vitro diagnostic test.
Amendment 204 #
Proposal for a regulation
Recital 28
Recital 28
(28) A group of undertakings should cover a controlling undertaking and its controlled undertakings, whereby the controlling undertaking should be the undertaking which can exercise a dominant influence over the other undertakings by virtue, for example, of ownership, financial participation or the rules which govern it or the power to have personal data protection rules implemented. A group of undertakings may nominate a single main establishment in the Union.
Amendment 225 #
Proposal for a regulation
Recital 40
Recital 40
(40) The processing of personal data for other purposes should be only allowed where the processing is compatible with those purposes for which the data have been initially collected, in particularsuch as where the processing is necessary for historical, statistical or scientific research purposes. Where the other purpose is not compatible with the initial one for which the data are collected, the controller should obtain the consent of the data subject for this other purpose or should base the processing on another legitimate ground for lawful processing, in particular where provided by Union law or the law of the Member State to which the controller is subject. In any case, the application of the principles set out by this Regulation and in particular the information of the data subject on those other purposes should be ensured.
Amendment 236 #
Proposal for a regulation
Recital 51
Recital 51
(51) Any person should have the right of access to personal data which has been collected concerning them, and to exercise this right easily, in order to be aware and verify the lawfulness of the processing. Every data subject should therefore have the right to know and obtain communication in particular for what purposes the personal data are processed, for what period, which recipients receive the personal data, what is the logic of the personal data that are undergoing the processing and what might be, at least when based on profiling, the consequences of such processing. This right should not adversely affect the rights and freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software. However, the result of these considerations should not be that all information is refused to the data subject.
Amendment 238 #
Proposal for a regulation
Recital 52
Recital 52
(52) The controller should use all reasonable measures within the context of the product or service being provided, or otherwise within the context of the relationship between the controller and the data subject, and the sensitivity of the personal data being processed to verify the identity of a data subject that requests access, in particular in the context of online services and online identifiers. A controller should not retain nor be forced to gather personal data for the unique purpose of being able to react to potential requests.
Amendment 250 #
Proposal for a regulation
Recital 61
Recital 61
(61) To meet consumer and business expectations around the protection of the rights and freedoms of data subjects with regard to the processing of personal data require that appropriate technical and, appropriate organisational measures armay be taken, both at the time of the design of the processing and at the time of the processing itself, to ensure that the requirements of this Regulation are met. In order to ensure and demonstrate compliance with this Regulation, the controller should adopt internal policies and implement appropriate measures, which meet in particular the principles of data protection by design and data protection by defaultMeasures having as an objective to increase consumer information and ease of choice shall be encouraged, based on industry cooperation and favouring innovative solutions, products and services.
Amendment 252 #
Proposal for a regulation
Recital 62
Recital 62
(62) The protection of the rights and freedoms of data subjects as well as the responsibility and liability of controllers and processor, also in relation to the monitoring by and measures of supervisory authorities, requires a clear attribution of the responsibilities under this Regulation, including where a controller determines the purposes, conditions and means of the processing jointly with other controllers or where a processing operation is carried out on behalf of a controller.
Amendment 256 #
Proposal for a regulation
Recital 65
Recital 65
(65) In order to demonstrate compliance with this Regulation, the controller or processor should document each processing operation under its responsibility. Each controller and processor should be obliged to co-operate with the supervisory authority and make this documentation, on request, available to it, so that it might serve for monitoring those processing operations.
Amendment 263 #
Proposal for a regulation
Recital 70
Recital 70
(70) Directive 95/46/EC provided for a general obligation to notify processing of personal data to the supervisory authorities. While this obligation produces administrative and financial burdens, it did not in all cases contribute to improving the protection of personal data. Therefore such indiscriminate general notification obligation should be abolished, and replaced by effective procedures and mechanism which focus instead on those processing operations which are likely to present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes. In such cases, a data protection impact assessment should be carried out by the controller or processor prior to the processing, which should include in particular the envisaged measures, safeguards and mechanisms for ensuring the protection of personal data and for demonstrating the compliance with this Regulation.
Amendment 265 #
Proposal for a regulation
Recital 74
Recital 74
(74) Where a data protection impact assessment indicates that processing operations involve a high degree of specific risks to the rights and freedoms of data subjects, such as excluding individuals from their right, or by the use of specific new technologies, the supervisory authority should be consulted, prior to the start of operations, on a risky processing which might not be in compliance with this Regulation, and to make proposals to remedy such situation. Such consultation should equally take place in the course of the preparation either of a measure by the national parliament or of a measure based on such legislative measure which defines the nature of the processing and lays down appropriate safeguards.
Amendment 285 #
Proposal for a regulation
Recital 97
Recital 97
(97) Where the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union takes place in more than one Member State, one single supervisory authority should be competent for monitoring the activities of the controller or processor throughout the Union and taking the related decisions, in order to increase the consistent application, provide legal certainty and reduce administrative burden for such controllers and processors.
Amendment 288 #
Proposal for a regulation
Recital 105
Recital 105
(105) In order to ensure the consistent application of this Regulation throughout the Union, a consistency mechanism for co-operation between the supervisory authorities themselves and the Commission should be established. This mechanism should in particular apply where athe competent supervisory authority intends to take a measure as regards processing operations that are related to the offering of goods or services to data subjects in several Member States, , or to the monitoring such data subjects, or that might substantially affect the free flow of personal data. It should also apply where any supervisory authority or the Commission requests that the matter should be dealt with in the consistency mechanism. This mechanism should be without prejudice to any measures that the Commission may take in the exercise of its powers under the Treaties.
Amendment 297 #
Proposal for a regulation
Recital 129
Recital 129
(129) In order to fulfil the objectives of this Regulation, namely to protect the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data, and to ensure the free movement of personal data within the Union, the power to adopt acts in accordance with Article 290 of the Treaty on the Functioning of the European Union should be delegated to the Commission. In particular, delegated acts should be adopted in respect of lawfulness of processing; specifying the criteria and conditions in relation to the consent of a child; processing of special categories of data; specifying the criteria and conditions for manifestly excessive requests and fees for exercising the rights of the data subject; criteria and requirements for the information to the data subject and in relation to the right of access; the right to be forgotten and to erasure; measures based on profiling; criteria and requirements in relation to the responsibility of the controller and to data protection by design and by default; a processor; criteria and requirements for the documentation and the security of processing; criteria and requirements for establishing a personal data breach and for its notification to the supervisory authority, and on the circumstances where a personal data breach is likely to adversely affect the data subject; the criteria and conditions for processing operations requiring a data protection impact assessment; the criteria and requirements for determining a high degree of specific risks which require prior consultation; designation and tasks of the data protection officer; codes of conduct; criteria and requirements for certification mechanisms; criteria and requirements for transfers by way of binding corporate rules; transfer derogations; administrative sanctions; processing for health purposes; processing in the employment context and processing for historical, statistical and scientific research purposes. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level. The Commission, when preparing and drawing-up delegated acts, should ensure a simultaneous, timely and appropriate transmission of relevant documents to the European Parliament and Councilppropriate industry-led measures and policies shall take due account of the principles of technology, service and business model neutrality so as to favour the free movement of personal data within the Union.
Amendment 299 #
Proposal for a regulation
Recital 130
Recital 130
(130) In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission for: specifying standard forms in relation to the processing of personal data of a child; standard procedures and forms for exercising the rights of data subjects; standard forms for the information to the data subject; standard forms and procedures in relation to the right of access; the right to data portability; standard forms in relation to the responsibility of the controller to data protection by design and by default and to the documentation; specific requirements for the security of processing; the standard format and the procedures for the notification of a personal data breach to the supervisory authority and the communication of a personal data breach to the data subject; standards and procedures for a data protection impact assessment; forms and procedures for prior authorisation and prior consultation; technical standards and mechanisms for certification; the adequate level of protection afforded by a third country or a territory or a processing sector within that third country or an international organisation; disclosures not authorized by Union law; mutual assistance; joint operations; decisions under the consistency mechanism. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament andimplementing the provisions of this Regulation, it shall be ensured that no mandatory requirements for specific technical features are imposed on products and services, including terminal or other electronic communications equipment, which could impede the placing of equipment ofn the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by the Member States of the Commission's exercise of implemarket and the free circulation of such equipment ing powers46 . In this context, the Commission should consider specific measures for micro, small and medium- sized enterpris and between Member States.
Amendment 300 #
Proposal for a regulation
Recital 130
Recital 130
(130) In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission for: specifying standard forms in relation to the processing of personal data of a child; standard procedures and forms for exercising the rights of data subjects; standard forms for the information to the data subject; standard forms and procedures in relation to the right of access; the right to data portability; standard forms in relation to the responsibility of the controller to data protection by design and by default and to the documentation; specific requirements for the security of processing; the standard format and the procedures for the notification of a personal data breach to the supervisory authority and the communication of a personal data breach to the data subject; standards and procedures for a data protection impact assessment; forms and procedures for prior authorisation and prior consultation; technical standards and mechanisms for certification; the adequate level of protection afforded by a third country or a territory or a processing sector within that third country or an international organisation; disclosures not authorized by Union law; mutual assistance; joint operations; decisions under the consistency mechanism. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by the Member States of the Commission's exercise of implementing powers46 . In this context, the Commission should consider specific measures for micro, small and medium- sized enterpris. In implementing the provisions of this Regulation, it shall be ensured that no mandatory requirements for specific technical features are imposed on products and services, including terminal or other electronic communications equipment, which could impede the placing of equipment on the market and the free circulation of such equipment in and between Member States.
Amendment 303 #
Proposal for a regulation
Recital 139
Recital 139
(139) In view of the fact that, as underlined by the Court of Justice of the European Union, the right to the protection of personal data is not an absolute right, but must be considered in relation to its function in society and the actual and potential advances in science, health and technology and be balanced with other fundamental rights, in accordance with the principle of proportionality, this Regulation respects all fundamental rights and observes the principles recognised in the Charter of Fundamental Rights of the European Union as enshrined in the Treaties, notably the right to respect for private and family life, home and communications, the right to the protection of personal data, the freedom of thought, conscience and religion, the freedom of expression and information, the freedom to conduct a business, the right to property and in particular the protection of intellectual property the right to an effective remedy and to a fair trial as well as cultural, religious and linguistic diversity.
Amendment 308 #
Proposal for a regulation
Article 2 – paragraph 1
Article 2 – paragraph 1
1. This Regulation applies to the processing of personal data wholly or partly by automated means, without discrimination between such processing means, and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
Amendment 324 #
Proposal for a regulation
Article 4 – paragraph 1 – point 1
Article 4 – paragraph 1 – point 1
(1) ‘data subject’ means an identified natural person or a natural person who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person and who is not acting in his/her professional capacity;
Amendment 328 #
Proposal for a regulation
Article 4 – paragraph 1 – point 2
Article 4 – paragraph 1 – point 2
(2) ‘personal data’ means any informationdata specifically relating to a data subject whose specific identity can be identified, directly or indirectly by the controller;
Amendment 329 #
Proposal for a regulation
Article 4 – paragraph 1 – point 2 a (new)
Article 4 – paragraph 1 – point 2 a (new)
(2a) 'identification number' means any numeric, alphanumeric or similar code typically used in the online space, excluding codes assigned by a public or state controlled authority to identify a natural person as an individual.
Amendment 336 #
Proposal for a regulation
Article 4 – paragraph 1 – point 5
Article 4 – paragraph 1 – point 5
(5) ‘'controller’' means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes, conditions and means of the processing of personal data; where the purposes, conditions and means of processing are determined by Union law or Member State law, the controller or the specific criteria for his nomination may be designated by Union law or by Member State law;
Amendment 340 #
Proposal for a regulation
Article 4 – paragraph 1 – point 8
Article 4 – paragraph 1 – point 8
(8) ‘the data subject's consent’ means any freely given specific, informed and explicitunambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed;
Amendment 345 #
Proposal for a regulation
Article 4 – paragraph 1 – point 10
Article 4 – paragraph 1 – point 10
(10) ‘genetic data’ means all data, of whatever type, concerning the characteristics of an individual which are inherited or acquired during early prenatal developmentinformation on the hereditary characteristics, or alteration thereof, of an identified or identifiable person, obtained through nucleic acid analysis;
Amendment 346 #
Proposal for a regulation
Article 4 – paragraph 1 – point 12
Article 4 – paragraph 1 – point 12
(12) ‘data concerning health’ means any informationpersonal data which relates to the physical or mental health of an individual, or to the provision of health services to the individual;
Amendment 350 #
Proposal for a regulation
Article 4 – paragraph 1 – point 13 a (new)
Article 4 – paragraph 1 – point 13 a (new)
(13a) 'competent supervisory authority' means the supervisory authority which shall be solely competent for the supervision of a controller in accordance with Articles 51(2), 51(3) and 51(4).
Amendment 351 #
Proposal for a regulation
Article 4 – paragraph 1 – point 14
Article 4 – paragraph 1 – point 14
(14) ‘representative’ means any natural or legal person established in the Union who, explicitly designated by the controller, acts and mayshall be addressed by anythe competent supervisory authority and other bodies in the Union instead of the controller, with regard to the obligations of the controller under this Regulation;
Amendment 354 #
Proposal for a regulation
Article 4 – paragraph 1 – point 18
Article 4 – paragraph 1 – point 18
(18) ‘child’ means any person below the age of 183 years;
Amendment 356 #
Proposal for a regulation
Article 4 – paragraph 1 – point 19 a (new)
Article 4 – paragraph 1 – point 19 a (new)
(19a) 'financial crime' means criminal offences in connection with organised crime, racketeering, terrorism, terrorist financing, trafficking in human beings, migrant smuggling, sexual exploitation, trafficking in narcotic drugs and psychotropic substances, illegal arms trafficking, trafficking in stolen goods, corruption, bribery, fraud, counterfeiting currency, counterfeiting and piracy of products, environmental offences, kidnapping, illegal restraint and hostage- taking, robbery, theft, smuggling, offences related to taxation, extortion, forgery, piracy, insider trading and market manipulation.
Amendment 358 #
Proposal for a regulation
Article 5 – paragraph 1 – point c
Article 5 – paragraph 1 – point c
(c) adequate, relevant, and limited to the minimum necessaryproportionate in relation to the purposes for which they are processed; they shall only be processed if, and as long as, the purposes could not be fulfilled by processing information that does not involve personal data;
Amendment 360 #
Proposal for a regulation
Article 5 – paragraph 1 – point d
Article 5 – paragraph 1 – point d
(d) accurate and where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without undue delay;
Amendment 361 #
Proposal for a regulation
Article 5 – paragraph 1 – point e
Article 5 – paragraph 1 – point e
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the data will be processed solely for historical, statistical or scientific research purposes in accordance with the rules and conditions of Article 83 and if a periodic review is carried out to assess the necessity to continue the storage;
Amendment 366 #
Proposal for a regulation
Article 6 – paragraph 1 – point c
Article 6 – paragraph 1 – point c
(c) processing is necessary for compliance with a legal obligation to which the controller is subject, regulatory rule, guidance, industry code of practice, either domestically or internationally to which the controller is subject including the requirements of supervisory authorities;
Amendment 367 #
Proposal for a regulation
Article 6 – paragraph 1 – point d a (new)
Article 6 – paragraph 1 – point d a (new)
(da) processing of data necessary to ensure network and information security;
Amendment 375 #
Proposal for a regulation
Article 6 – paragraph 1 – point f a (new)
Article 6 – paragraph 1 – point f a (new)
(fa) the data are collected from public registers, lists or documents accessible by everyone;
Amendment 381 #
Proposal for a regulation
Article 6 – paragraph 1 – point f b (new)
Article 6 – paragraph 1 – point f b (new)
(fb) processing is conducted for the purpose of anonymisation.
Amendment 396 #
Proposal for a regulation
Article 7 – paragraph 2
Article 7 – paragraph 2
Amendment 399 #
Proposal for a regulation
Article 7 – paragraph 4
Article 7 – paragraph 4
Amendment 403 #
Proposal for a regulation
Article 8 – paragraph 1
Article 8 – paragraph 1
1. For the purposes of this Regulation, in relation to the offering of information society services directly to a child, the processing of personal data of a childdata subject below the age of 13 years shall only be lawful if and to the extent that consent is given or authorised by the child's parent or custodian. The controller shall make reasonable efforts to obtain verifiable consent, taking into consideration available technology.
Amendment 423 #
Proposal for a regulation
Article 9 – paragraph 2 – point j
Article 9 – paragraph 2 – point j
(j) processing of data relating to criminal convictions or related security measures is carried out either under the control of officialsubject to the conditions and safeguards referred to in Article 83a or under the supervision of a supervisory authority or when the processing is necessary for compliance with or to avoid a breach of a legal or regulatory obligation to which a controller is subject, or for the performance of a task carried out for important public interest reasons, and in so far as authorised by Union law or Member State law providing for adequate safeguards. A complete register of criminal convictions shall be kept only under the control of official authority.
Amendment 424 #
Proposal for a regulation
Article 9 – paragraph 2 – point j a (new)
Article 9 – paragraph 2 – point j a (new)
(ja) processing of data concerning health is necessary for private social protection, especially by providing income security or tools to manage risks that are in the interests of the data subject and his or her dependants and assets, or by enhancing inter-generational equity by means of distribution.
Amendment 428 #
Proposal for a regulation
Article 10 – paragraph 1
Article 10 – paragraph 1
Data Protection Regulation should not apply to data rendered anonymous. If the data processed by a controller do not permit the controller to identify a natural person, the controller shall not be obliged to acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation.
Amendment 429 #
Proposal for a regulation
Article 10 – paragraph 1
Article 10 – paragraph 1
If the data processed by a controller do not permit the controller, through means used by the controller, to identify a natural person, the controller shall not be obliged to acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation.
Amendment 438 #
Proposal for a regulation
Article 12 – paragraph 1
Article 12 – paragraph 1
1. The controller shall establish procedures for providing the information referred to in Article 14 and for the exercise of the rights of data subjects referred to in Article 13 and Articles 15 to 19. The controller shall provide in particular mechanisms for facilitating the request for the actions referred to in Article 13 and Articles 15 to 19. Where personal data are processed by automated means, the controller shallmay also provide means for requests to be made electronically.
Amendment 439 #
Proposal for a regulation
Article 12 – paragraph 2
Article 12 – paragraph 2
2. The controller shall inform the data subject without delay and, at the latest within one month of receipt of the request, whether or not any action has been taken pursuant to Article 13 and Articles 15 to 19 and shall provide the requested information. This period may be prolonged for a further month, if several data subjects exercise their rights and their cooperation is necessary to a reasonable extent to prevent an unnecessary and disproportionate effort on the part of the controller. The information shall be given in writing. Where the data subject makes the request in electronic form, the information shall be provided in electronic form, unless otherwise requested by the data subject or unless the controller has reason to believe that providing the information in electronic form would create a significant risk of fraud.
Amendment 440 #
Proposal for a regulation
Article 12 – paragraph 4
Article 12 – paragraph 4
4. The information and the actions taken on requests referred to in paragraph 1 shall be free of charge. Where requests are manifestly excessive, in particular because of their repetitive character, the controller may charge a fee for providing the information or taking the action requested, or the controller may not take the action requested. In that case, the controller shall bear the burden of proving the manifestly excessive character of the requestcharges for taking action or providing information upon the request of data subject referred to in paragraph 1 shall not exceed actual costs of handling the requests born by the controller.
Amendment 463 #
Proposal for a regulation
Article 14 – paragraph 5 – point d a (new)
Article 14 – paragraph 5 – point d a (new)
(da) the data originates from publicly available sources
Amendment 472 #
Proposal for a regulation
Article 15 – paragraph 1 – point h
Article 15 – paragraph 1 – point h
(h) the significance and envisaged consequences of such processing, at least in the case of measures referred to in Article 20.
Amendment 480 #
Proposal for a regulation
Article 17 – title
Article 17 – title
Right to be forgotten and to erasure
Amendment 483 #
Proposal for a regulation
Article 17 – paragraph 1 – point a
Article 17 – paragraph 1 – point a
(a) the data are no longer necessary in relation to the purposes for which they were collected or otherwise processfurther processed and the legally mandatory minimum retention period has expired;
Amendment 486 #
Proposal for a regulation
Article 17 – paragraph 1 – point c
Article 17 – paragraph 1 – point c
(c) the data subject objects to the processing of personal data pursuant to Article 19, and the objection is upheld;
Amendment 488 #
Proposal for a regulation
Article 17 – paragraph 1 a (new)
Article 17 – paragraph 1 a (new)
1a. The controller shall take all reasonable steps to communicate any erasure to each legal entity to whom the data have been disclosed.
Amendment 489 #
Proposal for a regulation
Article 17 – paragraph 1 b (new)
Article 17 – paragraph 1 b (new)
1b. The application of paragraph 1 is dependent upon the ability of the data controller to confirm the identity of the data subject making the erasure request.
Amendment 491 #
Proposal for a regulation
Article 17 – paragraph 2
Article 17 – paragraph 2
2. Where the controller referred to in paragraph 1 has made the personal data public, it shall take all reasonable steps, including technical measures, in relation to data for the publication of which the controller is responsible, to inform third partieslegal entities to whom the original controller had authorised to further process personal data and which are processing such data, that a data subject requests them to erase any links to, or copy or replication of that personal data. Where tThe controller has authorised a third party publication ofwill not be responsible for the personal data, the controller shall be considered responsible for thatat the data subject has made publication.
Amendment 496 #
Proposal for a regulation
Article 17 – paragraph 3 – introductory part
Article 17 – paragraph 3 – introductory part
3. The controller shall carry out the erasure without undue delay, except to the extent that the retention and dissemination of the personal data is necessary:
Amendment 499 #
Proposal for a regulation
Article 17 – paragraph 3 – point e a (new)
Article 17 – paragraph 3 – point e a (new)
(ea) for prevention or detection of fraud, confirming identity, and/or determining creditworthiness, or ability to pay.
Amendment 500 #
Proposal for a regulation
Article 17 – paragraph 6 a (new)
Article 17 – paragraph 6 a (new)
6a. Requests for the rectification, erasure or blocking of data shall not prejudice processing that is necessary to secure, protect and maintain the resiliency of one or more information systems. In addition, the right of rectification and/or erasure or personal data shall not apply to any personal data that is required to be maintained by legal obligation or to protect the rights of the controller, processor or third parties.
Amendment 501 #
Proposal for a regulation
Article 18
Article 18
Amendment 526 #
Proposal for a regulation
Article 20 – paragraph 1
Article 20 – paragraph 1
1. Every ndatural persona subject shall have the right to request not to be subject to a measure which produces legal effects concerningadversely affects this ndatural person or significantly affects this natural person,a subject and which is based solely on automated processing of data intended to evaluate certain personal aspects relating to this natural person or to, analyse or predict in particular the ndatural persona subject's performance at work, economic situation, location, health, personal preferences, reliability or behaviour.
Amendment 529 #
Proposal for a regulation
Article 20 – paragraph 1 a (new)
Article 20 – paragraph 1 a (new)
1a. Data controllers should notify the data subject where such processing takes place and give the individual the right to have any such decision reviewed.
Amendment 536 #
Proposal for a regulation
Article 20 – paragraph 2 – introductory part
Article 20 – paragraph 2 – introductory part
2. Subject to the other provisions of this Regulation, a persondata subject may be subjected to a measure of the kind referred to in paragraph 1 only if the processing:
Amendment 542 #
Proposal for a regulation
Article 20 – paragraph 2 – point b
Article 20 – paragraph 2 – point b
(b) is expressly authorized bynecessary to comply with a Union or Member State law which also lays down suitable measures to safeguard the data subject's legitimate interests; or
Amendment 556 #
Proposal for a regulation
Article 20 – paragraph 4
Article 20 – paragraph 4
4. In the cases referred to in paragraph 2, the information to be provided by the controller under Article 14 shall include information as to the existence of processing for a measure of the kind referred to in paragraph 1 and the envisaged effects of such processing on the data subject.
Amendment 559 #
Proposal for a regulation
Article 20 – paragraph 5
Article 20 – paragraph 5
Amendment 571 #
Proposal for a regulation
Article 22 – paragraph 1
Article 22 – paragraph 1
1. The controller shall adopt policies and implement appropriate measures to ensure and be able to demonstrate that the processing of personal data is performed in compliance with this RegulatioHaving regard to the state of the art, the nature of personal data processing and the type of the organization, both at the time of the determination of the means for processing and at the time of the processing itself, appropriate and demonstrable technical and organizational measures should be implemented in such a way that the processing will meet the requirements of this Regulation and ensures the protection of the rights of the data subject by design.
Amendment 572 #
Proposal for a regulation
Article 22 – paragraph 1 a (new)
Article 22 – paragraph 1 a (new)
1a. Upon request by the competent data protection authority, the controller or processor shall demonstrate the existence of technical and organizational measures.
Amendment 573 #
Proposal for a regulation
Article 22 – paragraph 1 b (new)
Article 22 – paragraph 1 b (new)
1b. Group of undertakings may apply joint technical and organizational measures to meet its obligations arising from the Regulation.
Amendment 574 #
Proposal for a regulation
Article 22 – paragraph 1 c (new)
Article 22 – paragraph 1 c (new)
1c. This article does not apply to a natural person processing personal data without commercial interest.
Amendment 575 #
Proposal for a regulation
Article 22 – paragraph 2 – introductory part
Article 22 – paragraph 2 – introductory part
2. TheSuch measures provided for in paragraph 1 shall in particular includeinclude, without limitation:
Amendment 576 #
Proposal for a regulation
Article 22 – paragraph 2 – point a
Article 22 – paragraph 2 – point a
(a) keeping the documentation pursuant to Article 28independent management oversight of processing of personal data to ensure the existence and effectiveness of the technical and organizational measures;
Amendment 578 #
Proposal for a regulation
Article 22 – paragraph 2 – point b
Article 22 – paragraph 2 – point b
(b) implementing the data security requirements laid down in Article 30; existence of proper policies, instructions or other guidelines to guide data processing needed to comply with the Regulation as well as procedures and enforcement to make such guidelines effective;
Amendment 579 #
Proposal for a regulation
Article 22 – paragraph 2 – point c
Article 22 – paragraph 2 – point c
(c) performing a data protection impact assessment pursuant to Article 33existence of proper planning procedures to ensure compliance and to address potentially risky processing of personal data prior to the commencement of the processing;
Amendment 580 #
Proposal for a regulation
Article 22 – paragraph 2 – point d
Article 22 – paragraph 2 – point d
(d) complying with the requirements for prior authorisation or prior consultation of the supervisory authority pursuant to Article 34(1) and (2)existence of appropriate documentation of data processing to enable compliance with the obligations arising from the Regulation;
Amendment 583 #
Proposal for a regulation
Article 22 – paragraph 2 – point e
Article 22 – paragraph 2 – point e
(e) designating a data protection officer pursuant to Article 35(1). existence of adequately skilled data protection organization or data protection officer supported with adequate resources to oversee implementation of measures defined in this article and to monitor compliance with this Regulation, having particular regard to ensuring organizational independence of such data protection officer or organisation to prevent inappropriate conflicts of interest. Such a function may be fulfilled by way of a service contract;
Amendment 584 #
Proposal for a regulation
Article 22 – paragraph 2 – point e a (new)
Article 22 – paragraph 2 – point e a (new)
(ea) existence of proper awareness and training of the staff participating in data processing and decisions thereto of the obligations arising from this Regulation.
Amendment 586 #
Proposal for a regulation
Article 22 – paragraph 3
Article 22 – paragraph 3
Amendment 589 #
Proposal for a regulation
Article 22 – paragraph 4
Article 22 – paragraph 4
Amendment 596 #
Proposal for a regulation
Article 23 – paragraph 1
Article 23 – paragraph 1
1. Having regard to the state of the art and, the cost of implementation and international best practices, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
Amendment 597 #
Proposal for a regulation
Article 23 – paragraph 2
Article 23 – paragraph 2
2. The controller shall implement mechanisms for ensuring that, by default, only those personal data are processed which are necessary for each specific purpose of the processing and are especially not collected or retained beyond the minimum necessary for those purposes, both in terms of the amount of the data and the time of their storage. In particular, those mechanisms shall ensure that by default personal data are not made accessible to an indefSuch measures and procedures shall: (a) take due account of existing technical standards and regulations in the area of public safety and security (b) follow the principle of technology, service and business model neutrality (c) be based on global industry-led efforts and standards (d) take due account of inite number of individuals.rnational developments
Amendment 602 #
Proposal for a regulation
Article 23 – paragraph 2 a (new)
Article 23 – paragraph 2 a (new)
2a. In implementing the provisions of this Regulation, it shall be ensured that no mandatory requirements for specific technical features are imposed on products and services, including terminal or other electronic communications equipment, which could impede the placing of equipment on the market and the free circulation of such equipment in and between Member States.
Amendment 604 #
Proposal for a regulation
Article 23 – paragraph 3
Article 23 – paragraph 3
Amendment 607 #
Proposal for a regulation
Article 23 – paragraph 4
Article 23 – paragraph 4
4. TWhe Commission may lay down technical standards for the rre required, measures may be adopted to ensure that terminal equirepments laid down in paragraph 1 and 2. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2) is constructed in a way that is compatible with Council Decision 87/95/EEC of 22 December 1986 on standardisation in the field of information technology and communications, and consistent with international industry-led standardisation efforts.
Amendment 609 #
Proposal for a regulation
Article 24 – paragraph 1
Article 24 – paragraph 1
Where a controller determines the purposes, conditions and means of the processing of personal data jointly with others, the joint controllers shall determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the procedures and mechanisms for exercising the rights of the data subject, by means of an arrangement between them. The arrangement shall duly reflect the joint controllers' respective effective roles and relationships vis-à-vis data subjects.
Amendment 618 #
Proposal for a regulation
Article 26 – paragraph 2 – introductory part
Article 26 – paragraph 2 – introductory part
2. The carrying out of processing by a processor shall be governed by a contract or other legal act binding the processor to the controller and stipulating in particular that the processor shall:.
Amendment 619 #
Proposal for a regulation
Article 26 – paragraph 2 – point a
Article 26 – paragraph 2 – point a
Amendment 621 #
Proposal for a regulation
Article 26 – paragraph 2 – point b
Article 26 – paragraph 2 – point b
Amendment 623 #
Proposal for a regulation
Article 26 – paragraph 2 – point c
Article 26 – paragraph 2 – point c
Amendment 625 #
Proposal for a regulation
Article 26 – paragraph 2 – point d
Article 26 – paragraph 2 – point d
Amendment 627 #
Proposal for a regulation
Article 26 – paragraph 2 – point e
Article 26 – paragraph 2 – point e
Amendment 629 #
Proposal for a regulation
Article 26 – paragraph 2 – point f
Article 26 – paragraph 2 – point f
Amendment 631 #
Proposal for a regulation
Article 26 – paragraph 2 – point g
Article 26 – paragraph 2 – point g
Amendment 633 #
Proposal for a regulation
Article 26 – paragraph 2 – point h
Article 26 – paragraph 2 – point h
Amendment 635 #
Proposal for a regulation
Article 26 – paragraph 3
Article 26 – paragraph 3
Amendment 642 #
Proposal for a regulation
Article 28 – paragraph 1
Article 28 – paragraph 1
1. Each controller and processor and, if any, the controller's representative, shall maintain documentation of all processing operations under its responsibility.
Amendment 645 #
Proposal for a regulation
Article 28 – paragraph 1 a (new)
Article 28 – paragraph 1 a (new)
1a. The obligation made to the controller shall not apply to SMEs processing data only as an activity ancillary to the sale of goods or services. Ancillary activity should be defined as business or non- trade activity that is not associated with the core activities of a firm. In relation to data protection, data processing activities which do not represent more than 50% of company's turnover shall be considered ancillary.
Amendment 654 #
Proposal for a regulation
Article 28 – paragraph 3
Article 28 – paragraph 3
3. The controller and the processor and, if any, the controller's representative, shall make the documentation available, on request, to the supervisory authority.
Amendment 655 #
Proposal for a regulation
Article 28 – paragraph 4 – introductory part
Article 28 – paragraph 4 – introductory part
4. The obligations referred to in paragraphs 1 and 2 shall not apply to the following controllers and processors:
Amendment 662 #
Proposal for a regulation
Article 28 – paragraph 6
Article 28 – paragraph 6
Amendment 664 #
Proposal for a regulation
Article 29 – paragraph 1
Article 29 – paragraph 1
1. The controller and the processor and, if any, the representative of the controller, shall co-operate, on request, with the supervisory authority in the performance of its duties, in particular by providing the information referred to in point (a) of Article 53(2) and by granting access as provided in point (b) of that paragraph. The controller and the processor and, if any, the representative of the controller, shall make the documentation available, on the basis of a request outlining the reasons for requiring access to the documents, to the supervisory authority.
Amendment 669 #
Proposal for a regulation
Article 30 – paragraph 2 a (new)
Article 30 – paragraph 2 a (new)
2a. The implementation by the controller and the processor of measures, as referred to in paragraphs 1 and 2, and the execution thereof which would require processing of certain data to increase network and information security, falls under Article 6 (1) f.
Amendment 671 #
Proposal for a regulation
Article 30 – paragraph 4
Article 30 – paragraph 4
Amendment 672 #
Proposal for a regulation
Article 30 – paragraph 4 – subparagraph 2
Article 30 – paragraph 4 – subparagraph 2
Amendment 674 #
Proposal for a regulation
Article 31 – paragraph 1
Article 31 – paragraph 1
1. In the case of a personal data breach, twhe controller shall without unn the breach is likely to produce delay and, where feasible, not latlegal effects to the detriment of the data subject's privacy, the controller tshan 24 hours after having become aware of it,ll without undue delay notify the personal data breach to the supervisory authority. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 24 hours.
Amendment 677 #
Proposal for a regulation
Article 31 – paragraph 2
Article 31 – paragraph 2
2. Pursuant to point (f) of Article 26(2), the processor shall alert and inform the controller immediatwithout undue delay after the establishmentidentification of a personal data breach that is likely to produce legal effects to the detriment of the data subject's privacy.
Amendment 678 #
Proposal for a regulation
Article 31 – paragraph 3 – point e
Article 31 – paragraph 3 – point e
(e) describe the measures proposed or taken by the controller to address the personal data breach and/or mitigate its effects.
Amendment 679 #
Proposal for a regulation
Article 31 – paragraph 4
Article 31 – paragraph 4
4. The controller shall document any personal data breaches, comprising the facts surrounding the breach, its effects and the remedial action taken. This documentation must be sufficient to enable the supervisory authority to verify compliance with this Article. The documentation shall only include the information necessary for that purpose.
Amendment 681 #
Proposal for a regulation
Article 31 – paragraph 6
Article 31 – paragraph 6
6. The Commission may lay down the standard format of such notification to the supervisory authority, and the procedures applicable to the notification requirement and the form and the modalities for the documentation referred to in paragraph 4, including the time limits for erasure of the information contained therein. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2)filing of reports.
Amendment 687 #
Proposal for a regulation
Article 32 – paragraph 3
Article 32 – paragraph 3
3. The communication of a personal data breach to the data subject shall not be required if the controller demonstrates to the satisfaction of the supervisory authority that it has implemented appropriate technological protection measures, and that those measures were applied to the data concerned by the personal data breach. Such technological protection measures shall render the data unintelligible, unusable or anonymised to any person who is not authorised to access it.
Amendment 689 #
Proposal for a regulation
Article 32 a (new)
Article 32 a (new)
Article 32a Communication of a personal data breach to other organisations A controller that communicates a personal data breach to a data subject pursuant to Article 32 may notify another organisation, a government institution or a part of a government institution of the personal data breach if that organisation, government institution or part may be able to reduce the risk of the harm that could result from it or mitigate that harm. Such notifications can be done without informing the data subject if the disclosure is made solely for the purposes of reducing the risk of the harm to the data subject that could result from the breach or mitigating that harm.
Amendment 693 #
Proposal for a regulation
Article 33 – paragraph 1
Article 33 – paragraph 1
1. Where processing operations present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes, the controller or the processor acting on the controller's behalf shall carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment shall be sufficient to address a set of processing operations that present similar risks.
Amendment 696 #
Proposal for a regulation
Article 33 – paragraph 1 a (new)
Article 33 – paragraph 1 a (new)
(1a) SMEs shall only be required to perform an impact assessment after their 3rd year of incorporation if data processing is deemed as a core activity of their business. That is, where sale or revenue from processing makes up for 50% of the SMEs revenue.
Amendment 697 #
Proposal for a regulation
Article 33 – paragraph 2 – point a
Article 33 – paragraph 2 – point a
(a) a systematic and extensive evaluation of personal aspects relating to a natural person or for analysing or predicting in particular the natural person's economic situation, location, health, personal preferences, reliability or behaviour, which is based on automated processing and on which measures are based that produce legal effects concerning the individual or significantly affectto the detriment of the individual;
Amendment 711 #
Proposal for a regulation
Article 33 – paragraph 6
Article 33 – paragraph 6
Amendment 713 #
Proposal for a regulation
Article 33 – paragraph 7
Article 33 – paragraph 7
Amendment 716 #
Proposal for a regulation
Article 34 – title
Article 34 – title
Prior authorisation and prior consultation
Amendment 719 #
Proposal for a regulation
Article 34 – paragraph 1
Article 34 – paragraph 1
1. The controller or the processor as the case may be shall obtain an authorisation frommay consult the supervisory authority prior to the processing of personal data, in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risks involved for the data subjects where a controller or processor adopts contractual clauses as provided for in point (d) of Article 42(2) or does not provide for the appropriate safeguards in a legally binding instrument as referred to in Article 42(5) for the transfer of personal data to a third country or an international organisation.
Amendment 721 #
Proposal for a regulation
Article 34 – paragraph 2 – introductory part
Article 34 – paragraph 2 – introductory part
2. The controller or processor acting on the controller's behalf shallmay consult the supervisory authority prior to the processing of personal data in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risks involved for the data subjects where:
Amendment 726 #
Proposal for a regulation
Article 34 – paragraph 3
Article 34 – paragraph 3
3. Where the supervisory authority is of the opinion that the intended processing does not comply with this Regulation, in particular where risks are insufficiently identified or mitigated, it shall prohibit the intended processing and make appropriate proposals to remedy such incompliance. Such a decision shall be subject to appeal in a competent court and it may not be enforceable while being appealed unless the processing results to immediate serious harm suffered by data subjects.
Amendment 735 #
Proposal for a regulation
Article 35 – paragraph 1 – introductory part
Article 35 – paragraph 1 – introductory part
1. The controller and the processor shall designate a data protection organisation or data protection officer in any case where:
Amendment 737 #
Proposal for a regulation
Article 35 – paragraph 1 – point c
Article 35 – paragraph 1 – point c
(c) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects. Core activities should be defined as activities where 50% of the annual turnover resulting from the sale of data or revenue is gained from this data. In relation to data protection, data processing activities which do not represent more than 50% of company's turnover shall be considered ancillary.
Amendment 738 #
Proposal for a regulation
Article 35 – paragraph 3
Article 35 – paragraph 3
3. Where the controller or the processor is a public authority or body, the data protection organisation or data protection officer may be designated for several of its entities, taking account of the organisational structure of the public authority or body.
Amendment 740 #
Proposal for a regulation
Article 35 – paragraph 6
Article 35 – paragraph 6
6. The controller or the processor shall ensure that any other professional duties of the data protection organisation or data protection officer are compatible with the person's tasks and duties as data protection officer and do not result in a conflict of interests.
Amendment 741 #
Proposal for a regulation
Article 35 – paragraph 7
Article 35 – paragraph 7
Amendment 744 #
Proposal for a regulation
Article 35 – paragraph 10
Article 35 – paragraph 10
10. Data subjects shall have the right to contact the data protection organisation or data protection officer on all issues related to the processing of the data subject's data and to request exercising the rights under this Regulation.
Amendment 745 #
Proposal for a regulation
Article 35 – paragraph 11
Article 35 – paragraph 11
Amendment 748 #
Proposal for a regulation
Article 36 – paragraph 1
Article 36 – paragraph 1
1. The controller or the processor shall ensure that the data protection organisation or data protection officer is properly and in a timely manner involved in all issues which relate to the protection of personal data.
Amendment 750 #
Proposal for a regulation
Article 36 – paragraph 2
Article 36 – paragraph 2
2. The controller or processor shall ensure that thedata protection organisation or data protection officer shall performs t his or her duties and tasks independently and does not receive any instructions as regards the exercise of the function. The data protection officer shall directly report to the management of the controller or the processor.
Amendment 751 #
Proposal for a regulation
Article 36 – paragraph 3
Article 36 – paragraph 3
3. The controller or the processor shall support the data protection organisation or data protection officer in performing the tasks and shall provide staff, premises, equipment and any other resources necessary to carry out the duties and tasks referred to in Article 37.
Amendment 753 #
Proposal for a regulation
Article 37 – paragraph 1 – introductory part
Article 37 – paragraph 1 – introductory part
1. The controller or the processor shall entrust the data protection organisation or the data protection officer at least with the following tasks:
Amendment 755 #
Proposal for a regulation
Article 37 – paragraph 1 – point c
Article 37 – paragraph 1 – point c
(c) to monitor the implementation and application of this Regulation, in particular as to the requirements related to data protection by design, data protection by default and data security and to the information of data subjects and their requests in exercising their rights under thisin compliance with the Regulation;
Amendment 762 #
Proposal for a regulation
Article 39 – paragraph 2
Article 39 – paragraph 2
2. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the data protection certification mechanisms referred to in paragraph 1, including conditions for granting and withdrawal, and requirements for recognition within the Union and in third countries, provided such measures are technology neutral.
Amendment 763 #
Proposal for a regulation
Article 39 – paragraph 3
Article 39 – paragraph 3
Amendment 774 #
Proposal for a regulation
Article 42 – paragraph 1
Article 42 – paragraph 1
1. Where the Commission has taken no decision pursuant to Article 41, or decides that a third country, or a territory or a processing sector within that third country, or an international organisation does not ensure an adequate level of protection in accordance with Article 41(5), a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has adduced appropriate safeguards with respect to the protection of personal data in a legally binding instrument.
Amendment 779 #
Proposal for a regulation
Article 42 – paragraph 2 – point c
Article 42 – paragraph 2 – point c
(c) standard data protection clauses adopted by a supervisory authority in accordance with the consistency mechanism referred to in Article 57 when declared generally valid by the Commission pursuant to point (b) of Article 62(1); or
Amendment 780 #
Proposal for a regulation
Article 42 – paragraph 2 – point d
Article 42 – paragraph 2 – point d
(d) contractual clauses between the controller or processor and the recipient of the data authorised by a supervisory authority in accordance with paragraph 4.; or
Amendment 782 #
Proposal for a regulation
Article 42 – paragraph 2 – point d a (new)
Article 42 – paragraph 2 – point d a (new)
(d a) for historical, statistical or scientific purposes, the measures referred to in Article 83(4);
Amendment 784 #
Proposal for a regulation
Article 42 – paragraph 3
Article 42 – paragraph 3
3. A transfer based on standard data protection clauses or binding corporate rules as referred to in points (a), (b), (c) or (ce) of paragraph 2 shall not require any further authorisation.
Amendment 787 #
Proposal for a regulation
Article 42 – paragraph 4 a (new)
Article 42 – paragraph 4 a (new)
(4a) A controller or processor may choose to base transfers on standard data protection clauses as referred to in points (b) and (c) of paragraph 2 of this Article, and to offer in addition to these standard clauses supplemental, legally binding commitments that apply to transferred data. In such cases, these additional commitments shall be subject to prior consultation with the competent supervisory authority and shall supplement and not contradict, directly or indirectly, the standard clauses. Member States, supervisory authorities and the Commission shall encourage the use of supplemental and legally binding commitments by offering a data protection seal, mark or mechanism, adopted pursuant to Article 39, to controllers and processors who adopt these heightened safeguards.
Amendment 790 #
Proposal for a regulation
Article 43 – paragraph 1 – introductory part
Article 43 – paragraph 1 – introductory part
1. AOne supervisory authority shall in accordance with the consistency mechanism set out in Article 58 approve binding corporate rulesnd through a single act of approval authorize binding corporate rules for a group of undertakings. Those rules will allow multiple intercompany international transfers in and out of Europe, provided that they:
Amendment 791 #
Proposal for a regulation
Article 43 – paragraph 1 – point a
Article 43 – paragraph 1 – point a
(a) are legally binding and apply to and are enforced by every member within the controller's or processor's group of undertakings and their external subcontractors, and include their employees;
Amendment 793 #
Proposal for a regulation
Article 43 – paragraph 2 – point a
Article 43 – paragraph 2 – point a
(a) the structure and contact details of the group of undertakings and its members, and their external subcontractors;
Amendment 796 #
Proposal for a regulation
Article 44 – paragraph 1 – introductory part
Article 44 – paragraph 1 – introductory part
1. In the absence of an adequacy decision pursuant to Article 41; or where the Commission decides that a third country, or a territory or a processing sector within that third country, or an international organisation does not ensure an adequate level of protection in accordance with Article 41(5); or in the absence of appropriate safeguards pursuant to Article 42, a transfer or a set of transfers of personal data to a third country or an international organisation may take place only on condition that:
Amendment 808 #
Proposal for a regulation
Article 51 – paragraph 2
Article 51 – paragraph 2
2. Where the processing of personal data takes place in the context of the activities of an establishment of a controller Regulation applies by virtue of Article 3(1), the competent supervisory a processor in the Union, and the controller or processor is established in more than one Member State, the supervisory authority of the main establishment of the controller or processor shall be competent for the supervision of the processing activities of the controller or the processor in all Member States,uthority will be the supervisory authority of the Member State or territory where the main establishment of the controller or processor subject to the Regulation is established. Disputes should be decided upon in accordance with the consistency mechanism set out in article 58, and this without prejudice to the other provisions of Chapter VII of this Regulation.
Amendment 809 #
Proposal for a regulation
Article 51 – paragraph 2 a (new)
Article 51 – paragraph 2 a (new)
(2a) Where the Regulation applies by virtue of Article 3(2), the competent supervisory authority will be the supervisory authority of the Member State or territory where the controller has designated a representative in the Union pursuant to Article 25.
Amendment 811 #
Proposal for a regulation
Article 51 – paragraph 2 b (new)
Article 51 – paragraph 2 b (new)
(2b) Where the Regulation applies to several controllers or/and processors within the same group of undertakings by virtue of both Article 3(1) and 3(2), only one supervisory authority will be competent and it will be determined in accordance with Article 51(2).
Amendment 814 #
Proposal for a regulation
Article 52 – paragraph 3
Article 52 – paragraph 3
3. The competent supervisory authority shall, upon request, advise any data subject in exercising the rights under this Regulation and, if appropriate, co-operate with the supervisory authorities in other Member States to this end.
Amendment 815 #
Proposal for a regulation
Article 53 – paragraph 1 – introductory part
Article 53 – paragraph 1 – introductory part
1. EachThe competent supervisory authority shall have the power:
Amendment 816 #
Proposal for a regulation
Article 53 – paragraph 2 – subparagraph 1 – introductory part
Article 53 – paragraph 2 – subparagraph 1 – introductory part
Amendment 817 #
Proposal for a regulation
Article 53 – paragraph 3
Article 53 – paragraph 3
3. EachThe competent supervisory authority shall have the power to bring violations of this Regulation to the attention of the judicial authorities and to engage in legal proceedings, in particular pursuant to Article 74(4) and Article 75(2).
Amendment 818 #
Proposal for a regulation
Article 53 – paragraph 4
Article 53 – paragraph 4
4. EachThe competent supervisory authority shall have the power to sanction administrative offences, in particular those referred to in Article 79(4), (5) and (6).
Amendment 819 #
Proposal for a regulation
Article 55 – paragraph 1
Article 55 – paragraph 1
1. Supervisory authorities shall provide each other relevant information and mutual assistance in order to implement and apply this Regulation in a consistent manner, and shall put in place measures for effective co- operation with one another. Mutual assistance shall cover, in particular, information requests and supervisory measures, such as requests to carry out prior authorisations and consultations, inspections and prompt information on the opening of cases and ensuing developments where data subjects in several Member States are likely to be affected by processing operationcause legal effects to the detriment of the data subjects.
Amendment 820 #
Proposal for a regulation
Article 55 – paragraph 2
Article 55 – paragraph 2
2. Each supervisory authority shall take all appropriate measures required to reply to the request of another supervisory authority without delay and no later than one month after having received the request. Such measures may include, in particular, the transmission of relevant information on the course of an investigation or enforcement measures to bring about the cessation or prohibition of processing operations that have been proven contrary to this Regulation.
Amendment 822 #
Proposal for a regulation
Article 58 – paragraph 1
Article 58 – paragraph 1
1. Before athe competent supervisory authority adopts a measure referred to in paragraph 2, this competent supervisory authority shall communicate the draft measure to the European Data Protection Board and the Commission.
Amendment 833 #
Proposal for a regulation
Article 58 – paragraph 4
Article 58 – paragraph 4
4. In order to ensure correct and consistent application of this Regulation, the Commission may, acting on its own behalf, and shall at the request of a stakeholder, request that any matter shall be dealt with in the consistency mechanism.
Amendment 842 #
Proposal for a regulation
Article 61 – paragraph 1
Article 61 – paragraph 1
1. In exceptional circumstances, where a supervisory authority considers that there is an urgent need to act in order to protect the interests of data subjects, in particular when the danger exists that the enforcement of a right of a data subject could be considerably impeded by means of an alteration of the existing state or for averting major disadvantages or for other reasons, by way of derogation from the procedure referred to in Article 58, it may immediately adopt provisional measures with a specified period of validity. The supervisory authority shall, without delay, communicate those measures, with full reasons, to the competent supervisory authority, the European Data Protection Board and to the Commission.
Amendment 845 #
Proposal for a regulation
Article 66 – paragraph 1 – introductory part
Article 66 – paragraph 1 – introductory part
1. The European Data Protection Board shall ensure the consistent application of this Regulation. To this effect, the European Data Protection Board shall, on its own initiative or, at the request of the Commission or other stakeholders, in particular:
Amendment 847 #
Proposal for a regulation
Article 66 – paragraph 1 – point b
Article 66 – paragraph 1 – point b
(b) examine, on its own initiative or on request of one of its members or on request of the Commission,, the Commission or other stakeholders any question covering the application of this Regulation and issue guidelines, recommendations and best practices addressed to the supervisory authorities in order to encourage consistent application of this Regulation;
Amendment 849 #
Proposal for a regulation
Article 66 – paragraph 4 a (new)
Article 66 – paragraph 4 a (new)
(4a) Where appropriate, the European Data Protection Board shall, in its execution of the tasks as outlined in article 66, consult interested parties and give them the opportunity to comment within a reasonable period. The European Data Protection Board shall, without prejudice to Article 72, make the results of the consultation procedure publicly available.
Amendment 861 #
Proposal for a regulation
Article 77 – paragraph 1
Article 77 – paragraph 1
1. Any person who has suffered damage as a result of an unlawful processing operation or of an action incompatible with this Regulation shall have the right to receive compensation from the controller or the processor for the damage suffered.
Amendment 864 #
Proposal for a regulation
Article 77 – paragraph 2
Article 77 – paragraph 2
2. Where more than one controller or processor is involved in the processing, each controller or processor shall be jointly and severally liable for the entire amount of the damage to the extent that the joint controllers' respective liability has not been determined in the legal arrangement referred to in Article 24.
Amendment 867 #
Proposal for a regulation
Article 77 – paragraph 3
Article 77 – paragraph 3
3. The controller or the processor may be exempted from this liability, in whole or in part, if the controller or the processor proves that they areit is not responsible for the event giving rise to the damage.
Amendment 868 #
Proposal for a regulation
Article 79 – paragraph 1
Article 79 – paragraph 1
1. EachThe competent supervisory authority shall be empowered to impose administrative sanctions in accordance with this Article.
Amendment 869 #
Proposal for a regulation
Article 79 – paragraph 2
Article 79 – paragraph 2
2. The administrative sanction shall be in each individual case effective, proportionate and dissuasive. The amount of the administrative fine shall be fixed with due regard to the nature, gravity and duration of the breach, the sensitivity of the personal data at issue, the intentional or negligent character of the infringement, the degree of harm or risk of significant harm created by the violation, the degree of responsibility of the natural or legal person and of previous breaches by this person, the technical and organisational measures and procedures implemented pursuant to Article 23 and the degree of co-operation with the supervisory authority in order to remedy the breach. While some discretion is granted in the imposition of such sanctions to take into account the circumstances outlined above and other facts specific to the situation, divergences in the application of administrative sanctions may be subject to review pursuant to the consistency mechanism.
Amendment 873 #
Proposal for a regulation
Article 79 – paragraph 3 – introductory part
Article 79 – paragraph 3 – introductory part
3. In case of a first and non-intentional non-compliance with this Regulation, a warning in writing may be given and no sanction imposed, where:.
Amendment 874 #
Proposal for a regulation
Article 79 – paragraph 3 – point a
Article 79 – paragraph 3 – point a
Amendment 875 #
Proposal for a regulation
Article 79 – paragraph 3 – point b
Article 79 – paragraph 3 – point b
Amendment 890 #
Proposal for a regulation
Article 83 – paragraph 1 – introductory part
Article 83 – paragraph 1 – introductory part
1. Within the limits of this Regulation, personal data may be processed for historical, statistical or scientific research purposespurposes under paragraph 2 of Article 6 and point (i) of Article 9(2) only if:
Amendment 894 #
Proposal for a regulation
Article 83 – paragraph 1 – introductory part
Article 83 – paragraph 1 – introductory part
1. Within the limits of this Regulation, personal data may be processed for historical, statistical or scientific research purposes only if:
Amendment 897 #
Proposal for a regulation
Article 83 – paragraph 1 a (new)
Article 83 – paragraph 1 a (new)
(1a) Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible under point (b) of Article 5(1) provided that the processing: (a) is subject to the conditions and safeguards of this Article; and (b) complies with all other relevant legislation.
Amendment 905 #
Proposal for a regulation
Article 83 – paragraph 2 – point c a (new)
Article 83 – paragraph 2 – point c a (new)
(ca) the personal data is processed for the purpose of generating aggregate data reports, wholly composed of either anonymous data, pseudonymous data or both.
Amendment 906 #
Proposal for a regulation
Article 83 – paragraph 2 a (new)
Article 83 – paragraph 2 a (new)
(2a) A controller or processor may transfer personal data to a third country or an international organisation for historical, statistical or scientific purposes if: (a) these purposes cannot be otherwise fulfilled by processing data which does not permit or not any longer permit the identification of the data subject; (b) the recipient does not reasonably have access to data enabling the attribution of information to an identified or identifiable data subject; and (c) contractual clauses between the controller or processor and the recipient of the data prohibit re-identification of the data subject and limit processing in accordance with the conditions and safeguards laid down in this Article.
Amendment 1719 #
Proposal for a regulation
Article 23 – paragraph 1 a (new)
Article 23 – paragraph 1 a (new)
1a. In order to foster its widespread implementation in different economic sectors, data protection by design shall be a prerequisite for public procurement tenders according to the Directive of the European Parliament and of the Council on public procurement as well as according to the Directive of the European Parliament and of the Council on procurement by entities operating in the water, energy, transport and postal services sector (Utilities Directive).