28 Amendments of Carmen ROMERO LÓPEZ related to 2012/0011(COD)
Amendment 411 #
Proposal for a regulation
Recital 25
Recital 25
(25) Consent should be given explicitly by any appropriate method enabling a freely given specific and informed indication of the data subject's wishes, either by a statement or by a clear affirmative action by the data subject, ensuring that individuals are aware that they give their consent to the processing of personal data, including by ticking a box when visiting an Internet website or by any other statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of their personal data. Silence or inactivity should therefore not constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. If the data subject's consent is to be given following an electronic request, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided. The subject should also have the right to withdraw their consent at any time and with the same facility as it was granted.
Amendment 493 #
Proposal for a regulation
Recital 53
Recital 53
(53) Any person should have the right to have personal data concerning them rectified and a 'right to be forgotten' where the retention of such data is not in compliance with this Regulation. In particular, data subjects should have the right that their personal data are erased and no longer processed, where the data are no longer necessary in relation to the purposes for which the data are collected or otherwise processed, where data subjects have withdrawn their consent for processing or where they object to the processing of personal data concerning them or where the processing of their personal data otherwise does not comply with this Regulation. This right is particularly relevant, when the data subject has given their consent as a child, when not being fully aware of the risks involved by the processing, and later wants to remove such personal data especially on the Internet. However, the further retention of the data should be allowed where it is necessary for historical, statistical and scientific research purposes, for reasons of public interest in the area of public health, for exercising the right of freedom of expression, when required by law or where there is a reason to restrict the processing of the data instead of erasing them. Nevertheless, in these cases, and insofar as the subject’s fundamental freedoms, rights and interests should prevail, he/she should be able to exercise the right to oppose the creation of links, copies or reproductions of such data where they are not necessary for these purposes.
Amendment 503 #
Proposal for a regulation
Recital 54
Recital 54
(54) To strengthen the 'right to be forgotten' in the online environment, the right to erasure should also be extended in such a way that a controller who has made the personal data public should be obliged to inform third parties which are processing such data that a data subject requests them to erase any links to, or copies or replications of that personal data. To ensure this information, the controller should take all reasonable steps, including technical measures, in relation to data for the publication of which the controller is responsible. In cases where the measures taken by the controller have been ineffective or where the latter has disappeared, ceased to exist or cannot be contacted by the data subject, the latter should be entitled to oblige the third party to erase any link to the data, or copies or reproductions thereof. In relation to a third party publication of personal data, the controller should be considered responsible for the publication, where the controller has authorised the publication by the third party.
Amendment 598 #
Proposal for a regulation
Recital 97 a (new)
Recital 97 a (new)
(97a) In the event of complaints or objections from the data subject, the latter should in all cases be able to have recourse to the supervisory authority in their Member State, which should be able, if the scale of the incident so warrants, to propose a coordinated response involving several supervisory bodies and headed by the lead authority, which should take a decision which should be implemented by all the supervisory bodies involved. Any discrepancies arising amongst the supervisory bodies concerned should be resolved by the European Data Protection Board.
Amendment 752 #
Proposal for a regulation
Article 4 – paragraph 1 – point 6 a (new)
Article 4 – paragraph 1 – point 6 a (new)
(6a) ‘data protection by design’ means data protection embedded within the entire life cycle of the technology, from the very early design stage, right through to its ultimate deployment, use and final disposal;
Amendment 753 #
Proposal for a regulation
Article 4 – paragraph 1 – point 6 b (new)
Article 4 – paragraph 1 – point 6 b (new)
(6b) ‘data protection by default’ means configuration of the privacy settings on services and products so that these comply with the general principles of data protection, such as transparency, data minimisation, purpose limitation, integrity, storage minimisation, intervention possibility and accountability.
Amendment 946 #
Proposal for a regulation
Article 6 – paragraph 4
Article 6 – paragraph 4
4. Where the purpose of further processing is not compatible withdifferent from the one for which the personal data have been collected, the processing must have a legal basis at least in one of the grounds referred to in points (a) to (e) of paragraph 1. This shall in particular apply to any change of terms and general conditions of a contract.
Amendment 979 #
Proposal for a regulation
Article 7 – paragraph 3
Article 7 – paragraph 3
3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. The option of withdrawing consent shall be made as easily accessible and shall involve the same level of practical difficulty attached to the granting of consent.
Amendment 1419 #
Proposal for a regulation
Article 17 – paragraph 2
Article 17 – paragraph 2
2. Where the controller referred to in paragraph 1 has made the personal data public, it shall take all reasonable steps, including technical measures, in relation to data for the publication of which the controller is responsible, to inform third parties which are processing such data, that a data subject requests them to erase any links to, or copy or replication of that personal data. Where the controller has authorised a third party publication of personal data, the controller shall be considered responsible for that publicationwho made the personal data public has taken steps measures that have had no effect has disappeared, has ceased to exist or cannot be contacted by the data subject, the latter shall have the right to obtain third parties the erasure of any links to, or copy or replication of the personal data.
Amendment 1452 #
Proposal for a regulation
Article 17 – paragraph 3 – subparagraph 1 a (new)
Article 17 – paragraph 3 – subparagraph 1 a (new)
When data are retained under the provisions of points (a), (b), (c) and (d), and the controller has made them public, the data subject may, for reasons related to overriding interests, rights or freedoms, exercise the right to object to links to, or the copying or replication of, such data, unless such processing forms an essential part of the rights, interests, obligations or purposes to which these points relate.
Amendment 1764 #
Proposal for a regulation
Article 25 – paragraph 2 – point b
Article 25 – paragraph 2 – point b
(b) an enterprise employing fewer than 250 persons; orprocessing carried out by an enterprise employing 250 persons or more, or of one of the special categories of data listed in Article 9(1), or of personal data which could, if processed, threaten the reputation, income or employment of the data subject; o
Amendment 1786 #
Proposal for a regulation
Article 26 – paragraph 2 – point d
Article 26 – paragraph 2 – point d
(d) enlist another processor only with the prior permission of the controller, with the other processor subcontracted to provide personal data processing services being bound by the same contractual obligations or binding legal terms relating to personal data protection as the original processor;
Amendment 2171 #
Proposal for a regulation
Article 35 – paragraph 1 – point b
Article 35 – paragraph 1 – point b
(b) the processing is carried out by an enterprise employing 250 persons or more; or concerns any of the special categories of personal data referred to in Article 9(1), or personal data whose processing would pose an economic or labour-related risk to, or harm the reputation of, the interested party;o
Amendment 2386 #
Proposal for a regulation
Article 40 – paragraph 1
Article 40 – paragraph 1
Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation may only take place if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation. Transfers to third countries in which the law specifically allows data to be processed in ways which are illegal under the terms of this regulation or are otherwise incompatible with EU fundamental rights, such as processing carried out for national or foreign policy purposes which is not necessary to maintain national security or uphold the law, shall be prohibited.
Amendment 2584 #
Proposal for a regulation
Article 51 – paragraph 2
Article 51 – paragraph 2
2. Where the processing of personal data takes place in the context of the activities of an establishment of a controller or a processor in the Union, and the controller or processor is established in more than one Member State, the supervisory authority of the main establishment of the controller or processor shall be competent for the supervision of the processing activities of the controller or the processor in all Member States, except with regard to decisions in response to the complaints referred to in Article 73, in which case it shall coordinate the actions of the supervisory authorities concerned, without prejudice to the provisions of Chapter VII of this Regulation.
Amendment 2604 #
Proposal for a regulation
Article 52 – paragraph 1 – point d
Article 52 – paragraph 1 – point d
(d) conduct investigations either on its own initiative or on the basis of a complaint, on receipt of information about illegal processing of personal data, or on request of another supervisory authority, and inform the data subject concerned, if the data subject has addressed a complaint to this supervisory authority, of the outcome of the investigations within a reasonable period;
Amendment 2642 #
Proposal for a regulation
Article 54 a (new)
Article 54 a (new)
Amendment 2672 #
Proposal for a regulation
Article 58 – paragraph 3
Article 58 – paragraph 3
3. Any supervisory authority or the European Data Protection Board may request that any matter shall be dealt with in the consistency mechanism, in particular where a supervisory authority does not submit a draft measure referred to in paragraph 2 or does not comply with the obligations for mutual assistance in accordance with Article 55 or for joint operations in accordance with Article 56. , or where a supervisory authority concerned opposes a draft measure proposed by another supervisory authority concerned or by the lead authority, as per the provisions of Article 54(a).
Amendment 2748 #
Proposal for a regulation
Article 66 – paragraph 1 – point g a (new)
Article 66 – paragraph 1 – point g a (new)
(ga) set out common procedures for the receipt and investigation of information pertaining to complaints concerning the unlawful processing of personal data with a view to protecting whistleblowers from reprisals, and to safeguarding the confidentiality of the sources of such information in cases where whistleblowers may be affected by third countries’ laws prohibiting the uncovering of such unlawful processing of personal data.
Amendment 2759 #
Proposal for a regulation
Article 68 – paragraph 1 a (new)
Article 68 – paragraph 1 a (new)
1a. In votes on the European Data Protection Board, each representative of the supervisory authority of their Member State shall have as many votes as its Member State has in the Council of the European Union.
Amendment 2762 #
Proposal for a regulation
Article 69 – paragraph 1
Article 69 – paragraph 1
1. The European Data Protection Board shall elect a chair and two deputy chairpersons from amongst its members. One deputy chairperson shall be the European Data Protection Supervisor, unless he or she has been elected chair.
Amendment 2766 #
Proposal for a regulation
Article 71 – paragraph 1
Article 71 – paragraph 1
1. The European Data Protection Board shall have a secretariat. The European Data Protection Supervisor shall provide that secretariat. Secretariat of the Council shall provide that secretariat, and allocate the human and financial resources necessary to ensure it can exercise its duties effectively and independently under the management of its Chair.
Amendment 2770 #
Proposal for a regulation
Article 71 – paragraph 3 a (new)
Article 71 – paragraph 3 a (new)
3a. The Commission shall propose, within two years from the entry into force of this Regulation, a draft regulation for the establishment of an independent agency which shall run that secretariat, which shall have sufficient human and financial resources to ensure it can exercise its duties effectively and independently under the management of its Chair.
Amendment 2775 #
Proposal for a regulation
Article 73 – paragraph 1
Article 73 – paragraph 1
1. Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority in anytheir Member State of residence if they consider that the processing of personal data relating to them does not comply with this Regulation.
Amendment 2783 #
Proposal for a regulation
Article 73 – paragraph 2
Article 73 – paragraph 2
2. Any body, organisation or association which aims to protect data subjects’ rights and interests concerning the protection of their personal data and has been properly constituted according to the law of a Member State shall have the right to lodge a complaint with the supervisory authority in anythat Member State on behalf of one or more data subjects residing in that Member State if it considers that a data subject’s rights under this Regulation have been infringed as a result of the processing of personal data.
Amendment 2792 #
Proposal for a regulation
Article 73 – paragraph 3
Article 73 – paragraph 3
3. Independently of a data subject's complaint, any body, organisation or association referred to in paragraph 2 shall have the right to lodge a complaint with a supervisory authority in any Member Stin the Member State in which are located, if it considers that a personal data breach affecting data subjects residing in that Member State has occurred.
Amendment 2803 #
Proposal for a regulation
Article 74 – paragraph 4
Article 74 – paragraph 4
Amendment 2976 #
Proposal for a regulation
Article 81 – paragraph 1 – point b
Article 81 – paragraph 1 – point b
(b) reasons of public interest in the area of public health, such asincluding protecting against serious cross-border threats to health or ensuring high standards of quality and safety, inter alia for medicinal products or medical devices; or