Progress: Procedure completed
Role | Committee | Rapporteur | Shadows |
---|---|---|---|
Lead | LIBE | ALBRECHT Jan Philipp (Verts/ALE) | VOSS Axel (PPE), LAURISTIN Marju (S&D), IN 'T VELD Sophia (ALDE), KIRKHOPE Timothy (ECR), WINBERG Kristina (EFD) |
Former Responsible Committee | LIBE | ALBRECHT Jan Philipp (Verts/ALE) | |
Former Committee Opinion | ITRE | KELLY Seán (PPE) | |
Former Committee Opinion | JURI | BOULLIER GALLO Marielle (PPE) | |
Former Committee Opinion | IMCO | COMI Lara (PPE) | Matteo SALVINI (ENF) |
Former Committee Opinion | EMPL | HIRSCH Nadja (ALDE) | Jean LAMBERT (Verts/ALE), Traian UNGUREANU (PPE) |
Former Committee Opinion | ECON |
Lead committee dossier:
Legal Basis:
TFEU 016-p2, TFEU 114-p1
PURPOSE: to modernise the existing rules on data protection in order to ensure a high level of protection of natural persons and to remove the obstacles to flows of personal data within the Union (reform of data protection).
LEGISLATIVE ACT: Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
CONTENT: the new Regulation establishes rules on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. It protects the fundamental rights and freedoms of natural persons, and particularly their right to protection of their personal data. The reform of data protection also includes a Directive on protection of data processed for the purpose of law enforcement (intended to replace the 2008 Framework Decision on data protection).
The main points are as follows:
Scope: the Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system. It applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
Principles relating to processing of personal data: personal data shall be:
· processed lawfully, fairly and in a transparent manner in relation to the data subject;
· collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
· adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
· kept in a form permitting identification of the person concerned for a period that does not exceed what is necessary for the purposes of processing;
· processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
Lawfulness of processing: processing shall be lawful only if:
· the data subject has clearly and explicitly given consent to the processing;
· processing is necessary for: (i) the performance of a contract; (ii) compliance with a legal obligation; (iii) protecting the vital interests of the data subject or of another natural person; (iv) the performance of a task carried out in the public interest; (v) the purposes of the legitimate interests pursued by the controller or by a third party.
A specific protective regime is provided for consent by children in relation to the offering of information society services: if a child below the age of 16 years wishes to use online services, the service provider must verify that those with parental responsibility over the child have given their consent. Member States may lower this age limit, but it may not be below 13 years.
In principle, processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited. The data may, however, be processed under certain conditions set out in the Regulation.
Rights of the data subject: the Regulation sets out stronger rights in respect of data protection and strengthens the accountability of controllers. The rights of the data subject include:
· the right to information: this information must be provided in a concise, transparent, intelligible and easily accessible form, in particular for any information addressed specifically to a child. Natural persons must be informed about the policy in force with respect to data protection, in clear and simple terms; this may also be done through standardised icons;
· the right of access to personal data, i.e. the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where such personal data are being processed, access to the information concerning, e.g. the purposes of the processing for which the personal data are intended, data categories, the recipients of the personal data, and where possible, the period for which the personal data will be stored;
· the right of rectification of incorrect data;
· the right to erasure of personal data, including the "right to be forgotten";
· the right to restriction of processing;
· the right to data portability, facilitating the transfer of personal data from one service provider, such as a social network, to another;
· the right to object and the right not to be the subject of automated decision-making, including profiling. Where personal data are processed for the purposes of direct marketing, the data subject should have the right to object to such processing.
These rights may be restricted where such restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard national security, defence or public security.
Responsibility of the controller or processor: the Regulation establishes the legal framework on the responsibility and liability for any processing of personal data carried out by a controller or, on the controller's behalf, by a processor. The controller is obliged to implement appropriate technical and organisational measures and be able to demonstrate the compliance of its processing operations with the Regulation.
Data security: in order to maintain security and to prevent processing in infringement of the Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality.
The controller should communicate to the data subject a personal data breach, without undue delay, where that personal data breach is likely to result in a high risk to the rights and freedoms of the natural person in order to allow him or her to take the necessary precautions. The controller should also notify the personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it.
Data protection officer: the controller and the processor shall designate a data protection officer in any case where a public authority or body carries out the processing. Data subjects may contact the data protection officer with regard to all issues related to processing of their personal data and to the exercise of their rights under the Regulation.
Transfers of personal data outside the EU: as a general principle any transfer of personal data to a third country or to an international organisation may only take place if the controller and processor comply with the rules under the Regulation.
The Commission will decide, through implementing acts, that the third country or an international organisation ensures an adequate level of protection. The implementing act shall provide for a mechanism for a periodic review, at least every four years.
Supervision: to increase legal certainty and reduce administrative burden, in cross-border cases involving several national supervisory authorities, a consistency mechanism is established. The mechanism allows an enterprise active in several Member States to deal only with the data protection authority in the Member State in which it has its main establishment. The mechanism also provides for a single decision applicable to the whole EU in case of disputes.
Redress, responsibility and penalties: the Regulation sets out a detailed set of rules to allow persons to claim judicial redress or compensation in case of damage following a breach of the Regulation.
The Regulation provides that non-compliance with an order by the supervisory authority shall be subject to administrative fines up to EUR 20 000 000, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
ENTRY INTO FORCE: 24.5.2016.
APPLICATION: from 25.5.2018.
DELEGATED ACTS: the Commission may adopt delegated acts, particularly in respect of criteria and requirements for certification mechanisms, information to be presented by standardised icons and procedures for providing such icons. The power to adopt such acts is conferred on the Commission for an indeterminate period from 24 May 2016. The European Parliament or the Council may raise objections to a delegated act within three months of the date of notification (this may be extended by three months). If Parliament or Council raise objections, the delegated act will not come into force.
The European Parliament adopted a legislative resolution on the Council position at first reading with a view to the adoption of a regulation of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
Following the recommendation for second reading by the Committee on Civil Liberties, Justice and Home Affairs, Parliament approved the Council position at first reading, without amendment.
The Committee on Civil Liberties, Justice and Home Affairs adopted the recommendation for second reading contained in the report by Jan Philipp ALBRECHT (Greens/EFA, DE) on the Council position at first reading with a view to the adoption of a regulation of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
The committee recommended that Parliament approve the Council position in first reading without amendment.
To recall, the proposed regulation establishes rules regarding the protection of individuals with regard to the processing of personal data and rules on the free flow of such data. It will replace the 1995 Directive on data protection.
The Commission supports the political agreement reached between the European Parliament and the Council in informal trilogues on 15 December 2015, since the agreement is in keeping with the objectives of the Commission proposal.
The proposal for a regulation focuses on reinforcing individuals' rights, strengthening the EU internal market, ensuring stronger enforcement of the rules, streamlining international transfers of personal data and setting global data protection standards. The new rules provide for the following:
· easier access to one's data: individuals will have more information on how their data is processed in a clear and understandable way;
· a "right to be forgotten": when an individual no longer wants her/his data to be processed, and provided that there are no legitimate grounds for retaining it, the data will be deleted;
· the right to know when one's data has been hacked: companies must notify the supervisory authority of data breaches which put individuals at risk and communicate to the data subject all high risk breaches as soon as possible so that users can take appropriate measures;
· a right to data portability: this will make it easier for individuals to transmit personal data between service providers.
The proposed regulation also supports the digital single market to realise its potential through:
· one continent, one law principle;
· a 'one-stop-shop' for businesses;
· a level playing field: companies based outside of Europe will have to apply the same rules when they offer goods or services on the EU market;
· technological neutrality: the regulation enables innovation to continue to thrive under the new rules.
The Commission notes that the agreement:
· maintains the nature of the legal instrument as proposed by the Commission, namely a regulation as opposed to a directive;
· ensures the necessary level of harmonisation while leaving room for manoeuvre for Member States as regards the specifications of the data protection rules for the public sector;
· confirms the Commission approach as regards the territorial scope of the regulation which will also apply to controllers or processors established in a third country if they offer goods or services or monitor the behaviour of data subjects in the Union;
· strengthens the principles of data processing (e.g. data minimisation) and the rights of data subjects by enshrining a right to be forgotten and a right to portability and by further developing existing rights such as the right to information or the right of access;
· preserves and further develops the risk-based approach, which requires that controllers and, in some cases, the processors take into account the nature, scope, context and purposes of processing and the risks of varying likelihood and severity for the rights and freedoms of the data subject of such processing;
· provides that the "one-stop-shop" mechanism is legally and institutionally sound, and maintains the key simplification element of having a single decision across the EU and a single interlocutor for business and for the individual;
· further clarifies and specifies the rules on international transfers;
· empowers supervisory authorities to impose financial sanctions for infringements of the Regulation, going up to 2 - 4% of the global annual turnover of an undertaking.
However, the Council position, contrary to the Commission proposal, does not consider the regulation as a development of the Schengen acquis. Therefore, the Commission considers that a statement in this regard is necessary. In that statement, the Commission considers, in particular, that as far as visas, border control and return are concerned, the general data protection regulation constitutes a development of the Schengen acquis for the four States associated with the implementation, application and development of said acquis.
The Council adopted its position at first reading with a view to the adoption of a general data protection regulation. The proposed regulation aims to reinforce data protection rights of individuals, facilitate the free flow of personal data in the single market and reduce administrative burden, and harmonise the data protection rules in the European Union.
The Council position at first reading maintains the objectives of Directive 95/46/EC: protection of data protection rights and the free flow of data. At the same time, it seeks to adapt the data protection rules currently in force in light of the ever-increasing volume of personal data that is processed as a result of technological change and globalisation.
The main points of the Council position at first reading are as follows:
Scope: the Council position provides that the general data protection regulation applies to the processing of personal data wholly or partly by automated means, and to the processing other than by automated means of personal data which form part of any structured set of personal data which are accessible according to specific criteria.
Furthermore, the Council position strengthens the accountability of controllers (responsible for determining the purposes and the means of the processing of personal data) and processors (responsible for processing personal data on behalf of the controller). It creates a level playing field for controllers and processors in terms of territorial scope by covering all controllers and processors irrespective of whether they are established in the Union or not.
The main points in the Council position at first reading are as follows:
Principles relating to personal data processing: with a view to providing legal certainty, the Council position builds on the Directive 95/46 in specifying that processing of personal data is only lawful if at least one of the following conditions is fulfilled:
· the data subject has clearly and explicitly consented to the processing for one or more specific purposes; the Council Position provides for a specific protective regime for consent by children in relation to the offering of information society services;
· the processing is necessary for: (i) a contract; (ii) a legal obligation; (iii) protection of vital interests of the data subject or of another natural person; (iv) a task carried out in the public interest or in the exercise of official authority vested in the controller; (v) the legitimate interests pursued by a controller or by a third party.
The Council position:
· allows Member States to maintain or introduce more specific provisions which adapt the application of the rules of the regulation if personal data is processed for compliance with a legal obligation or is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
· provides that processing for another purpose than the one for which the personal data has been originally collected is only lawful where that further processing is compatible with the purposes for which the personal data were originally processed.
Empowerment of data subjects: the Council position empowers data subjects by providing them with reinforced data protection rights and by placing obligations on controllers. The rights of the data subject encompass:
· the right to information: controllers must provide information and communication in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed to a child;
· the right of access to personal data, i.e. the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where such personal data are being processed, access to the information listed in the regulation;
· the right to rectification;
· the right to erasure of personal data, including a "right to be forgotten";
· the right to restriction of processing;
· the right to data portability: data subjects have the right to receive the personal data concerning them, which they provided to a controller in a structured, commonly used, machine-readable and interoperable format and to transmit this data to another controller;
· the right to object, and the right not to be subject to a decision solely based on automated processing, including profiling. It is specified that where personal data are processed for direct marketing purposes, the data subject has the right to object at any time to the processing of personal data concerning him or her.
Controller and Processor: the Council position establishes the legal framework for the responsibility and liability for any processing of personal data carried out by a controller or, on the controller's behalf, by a processor. In line with the principle of accountability, the controller is obliged to implement appropriate technical and organisational measures and be able to demonstrate the compliance of its processing operations with the regulation. The regulation lays down rules relating to the responsibilities of the controller concerning:
· impact assessments, where processing operations involve a high risk, for the rights and freedoms of individuals;
· keeping records of processing,
· data breaches,
· the designation of a Data Protection Officer, and
· codes of conduct and certification mechanisms.
Transfer of personal data to third countries or international organisations: the level of protection guaranteed by the Union must not be undermined if personal data of EU citizens are transferred outside the Union. As a general principle, any transfer of personal data to a third country or to an international organisation, may only take place if controllers and processors comply with the rules of the regulation.
Supervisory Authorities: each Member State must provide that one or more independent public authorities are responsible for monitoring the application of the regulation on their territory. Each supervisory authority and its members must act with complete independence, including with integrity, in performing the tasks and exercising the powers entrusted to that supervisory authority and its members.
European Data Protection Board: the Council position at first reading establishes the European Data Protection Board as a body of the Union having legal personality with a view to ensuring a correct and consistent application of the regulation.
Remedies, liabilities and penalties: the regulation contains an elaborate set of rules that gives data subjects several avenues for remedies, including claiming compensation in case of damage as a result of infringement of the regulation.
In order to ensure compliance with the provisions of the regulation, the Council position provides that supervisory authorities can impose administrative fines, which go up to 20 million EUR or 4 % of the world-wide turnover of the infringer.
European Data Protection Supervisor (EDPS) recommendations on the EU’s options for data protection reform.
On 24 June 2015, the European Parliament, the Council and the European Commission entered co-decision negotiations on the proposed General Data Protection Regulation (GDPR), a procedure known as an informal ‘trilogue’. The three institutions are committed to dealing with the GDPR as part of the wider data protection reform package which includes the proposed directive for police and judicial activities.
This opinion updates the opinion published in March 2012 (which remains valid) to engage more directly with the positions of the co-legislators and to propose specific recommendations to assist the participants in the trilogue in reaching the right consensus on time.
A rare opportunity: the EDPS recalled that data protection reform is of central importance:
1. The EU is in the last mile of a marathon effort to reform its rules on personal information. The General Data Protection Regulation will potentially affect, for decades to come, all individuals in the EU, all organisations in the EU who process personal data and organisations outside the EU who process personal data on individuals in the EU.
2. Effective data protection empowers the individual and galvanises responsible businesses and public authorities. Laws in this area are complex and technical, requiring expert advice, in particular that of independent data protection authorities who understand the challenges of compliance. The GDPR is likely to be one of the longest in the Union’s statute book, so now the EU must aim to be selective, focus on the provisions which are really necessary and avoid detail which as an unintended consequence might unduly interfere with future technologies. The texts of each of the institutions preach clarity and intelligibility in personal data processing: so the GDPR must practice what it preaches, by being as concise and easy to understand as possible.
3. The EU needs a new deal on data protection. The rest of the world is watching closely. The quality of the new law and how it interacts with global legal systems and trends is paramount.
EDPS recommendations: the options on the table, in the form of the respective texts preferred by the Commission, Parliament and Council, each contain many worthy provisions, but each can be improved.
The recommendations are driven by three abiding concerns:
1. A better deal for citizens: for the EDPS, the starting point is the dignity of the individual which transcends questions of mere legal compliance. The point of reference is the principles at the core of data protection, that is, Article 8 of the Charter of Fundamental Rights. In this regard, the EDPS concentrated on the following issues:
· clarify the term ‘personal information’: individuals should be able to exercise more effectively their rights with regard to any information which is able to identify or single them out, even if the information is considered ‘pseudonymised’;
· all data processing must be both lawful and justified: for instance: (i) personal data should only be used in ways compatible with the original purposes for collection; (ii) consent is one possible legal basis for processing, but it is necessary to prevent coercive tick boxes where there is no meaningful choice for the individual and where there is no need for data to be processed at all; (iii) the EU should not open the door for direct access by third country authorities to data located in the EU;
· more independent, more authoritative supervision: (i) authorities should be able to hear and to investigate complaints and claims brought by data subjects or bodies, organisations and associations; (ii) individual rights enforcement requires an effective system of liability and compensation for damage caused by the unlawful data processing.
2. Rules which will work in practice : each of the three texts demands greater clarity and simplicity from those responsible for processing personal information. Equally, technical obligations must also be concise and easily-understood if they are to be implemented properly by controllers. This implies:
effective safeguards, not procedures : the EDPS recommends a scalable approach which reduces documentation obligations on controllers into single policy on how it will comply with the regulation taking into account the risks, with compliance demonstrated transparently, whether for transfers, contracts with processors or breach notifications. It also recommends requiring notification of data breaches to the supervisory authority and data protection impact assessments only where the rights and freedoms of data subjects are at risk; a better equilibrium between public interest and personal data protection : data protection rules should not hamper historical, statistical and scientific research which is genuinely in the public interest; trusting and empowering supervisory authorities : supervisory authorities should be allowed to issue guidance to data controllers and to develop their own internal rules of procedure in the spirit of a simplified, easier application of the GDPR by one single supervisory authority (the ‘ One Stop Shop’ ) close to the citizen (‘ proximity’ ).
3. Rules which will last a generation : it is reasonable to expect a similar timeframe before the next major revision of data protection rules, perhaps not until the late 2030s . Long before this time, data-driven technologies can be expected to have converged with artificial intelligence, natural language processing and biometric systems.
These technologies are challenging the principles of data protection. A future-oriented reform must therefore be predicated on the dignity of the individual and informed by ethics. It must redress the imbalance between innovation in the protection of personal data and its exploitation, making safeguards effective in our digitised society.
Faced with these challenges, the EDPS:
· considers that the reform should reverse the recent trend towards secret tracking and decision making on the basis of profiles hidden from the individual; fuller transparency from controllers is needed;
· strongly supports the introduction of the principles of data protection by design and by default as a means of kick-starting market-driven solutions in the digital economy;
· allows a direct transfer of data from one controller to another on the data subject’s request and entitling data subjects to receive a copy of the data which they themselves can transfer to another controller.
Unfinished business: the EDPS noted that the adoption of a future-oriented EU data reform package will be an impressive but nonetheless incomplete achievement.
Directive 2002/58/EC (the ‘ePrivacy Directive’) will have to be amended.
The EU requires a clear framework for the confidentiality of communications, an integral element of the right to privacy, which governs all services enabling communications, not only providers of publicly available electronic communications. This must be done by means of a legally-certain and harmonising regulation.
At a time when people’s trust in companies and governments has been shaken by revelations of mass surveillance and data breaches, the EDPS stresses that this confers considerable responsibility on EU law-makers whose decisions this year can be expected to have an impact not beyond Europe.
The Council reached a partial general approach on specific issues of the draft regulation setting out a general EU framework for data protection, on the understanding that:
· nothing is agreed until everything is agreed and does not exclude future changes to be made to the text of the provisionally agreed Articles to ensure the overall coherence of the Regulation;
· it is without prejudice to any horizontal questions;
· it does not mandate the presidency to engage in informal trilogues with the European Parliament on the text.
The partial general approach includes some articles which are crucial to the question of the public sector (Article 1 (subject matter and objectives), Article 6 (lawfulness of processing), Article 21 (restrictions)) as well as chapter IX (provisions relating to specific data processing situations).
The agreed text of Articles 1, 6, paragraphs (2) (3), and 21 and of the corresponding recitals now clearly provides the framework within which Member States will be able to maintain and adopt legislation under this Regulation. The Presidency believes that the text is a balanced one, granting Member States an appropriate measure of flexibility while maintaining a coherent structure of the Regulation.
The general approach comprises Chapter XI on the provisions relating to specific data processing situations (e.g. rules governing freedom of expression and information, access to official public documents, re-use of public information, for health purposes, such as public health and social protection and the management of health care services, derogations applicable to processing personal data for historical, statistical or scientific purposes and for archiving purposes).
The question whether and how to deal with processing of personal data by the public sector in the draft General Data Protection Regulation (GDPR) is one of particular sensitivity and importance to delegations. At the informal Ministerial Meeting in Milan on 9 July 2014 an overall majority of Member States supported a Regulation as legal instrument, but the need to provide Member States with sufficient leeway to determine the data protection requirements applicable to the public sector was equally emphasised.
The “one-stop-shop” mechanism: the Council also held a debate on the "one stop shop" mechanism on the basis of a proposal presented by the Presidency. A majority of ministers endorsed the general architecture of the proposal and concluded that further technical work will need to be done in the coming months on the basis of the guidelines set out at the 2013 October and December JHA Councils:
· in important transnational cases the draft Regulation should establish a one-stop shop mechanism in order to arrive at a single supervisory decision, which would be fast, ensure consistent application, provide legal certainty and reduce administrative burden;
· experts should explore methods for enhancing the “proximity” between individuals and the decision-making supervisory authority by involving the local supervisory authorities in the decision-making process;
· further work at technical level should include investigating the possibility of providing the European Data Protection Board in some cases with the power to adopt binding decisions regarding corrective measures.
The Council reached a partial general approach on specific aspects of the draft regulation setting out a general EU framework for data protection. The partial general approach includes chapter IV of the draft regulation (controller and processor), on the understanding that:
· nothing is agreed until everything is agreed;
· it is without prejudice to any horizontal questions;
· it does not mandate the presidency to engage in informal trilogues with the European Parliament on the text.
Chapter IV was discussed intensively during the first half of 2013. Whilst at the Council meeting on 6-7 June 2013, all delegations congratulated the Irish Presidency on the very important progress achieved in this regard, a number of issues were still outstanding, in particular the need to further reduce the administrative burden/compliance costs flowing from this Regulation by sharpening the risk-based approach.
According to the approach, the likelihood and severity of the risk should be determined by reference to the nature, scope, context and purposes of the data processing. Risk should be evaluated on the basis of an objective assessment, by which it is established whether data processing operations involve a high risk.
A high risk is a particular risk of prejudice to the rights and freedoms of individuals, in particular:
· where data processing could lead to physical, material or moral damage, in particular where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of data protected by professional secrecy, [breach of (…) pseudonymity], or any other significant economic or social disadvantage;
· where data subjects might be deprived of their rights and freedoms or from exercising control over their personal data;
· where personal data are processed which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade-union membership, and the processing of genetic data or data concerning health or sex life or criminal convictions and offences or related security measures;
· where personal aspects are evaluated, in particular analysing and prediction of aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, in order to create or use personal profiles;
· where personal data of vulnerable individuals, in particular of children, are processed;
· where processing involves a large amount of personal data and affects a large number of data subjects.
The orientation prescribed that where a controller not established in the Union is processing personal data of data subjects residing in the Union, the controller should designate a representative, unless the processing it carries out is occasional and unlikely to result in a risk for the rights and freedoms of data subjects, taking into account the nature, scope, context and purposes of the processing or the controller is a public authority or body.
The representative should be explicitly designated by a written mandate of the controller to act on its behalf with regard to the latter's obligations under this Regulation. The controller or processor should maintain records regarding all categories of processing activities under its responsibility.
In assessing data security risk, consideration should be given to the risks that are presented by data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed, which may in particular lead to physical, material or moral damage.
In order to enhance compliance with this Regulation in cases where the processing operations are likely to result in a high risk for the rights and freedoms of individuals, the controller [or the processor] should be responsible for the carrying out of a data protection impact assessment to evaluate, in particular, the origin, nature, particularity and severity of this risk.
The European Parliament adopted by 621 votes to 10 with 22 abstentions, a legislative resolution on the proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).
Parliament’s position in first reading following the ordinary legislative procedure amended the Commission proposal as follows:
Territorial Scope: Parliament stated that the Regulation applied whether the processing takes place in the Union or not. It applied to the processing of personal data of data subjects in the Union by a controller or processor not established in the Union, where the processing activities are related to linked.
Principles relating to personal data processing: these are: (i) lawfulness, fairness and transparency; (ii) purpose limitation; (iii) data minimization; (iv) accuracy; (v) storage minimization; (vi) integrity, meaning protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures; (vii) accountability.
Conditions of consent: the data subject should be informed in particular of the existence of the processing operation and its purposes, how long the data will likely be stored for each purpose, and whether the data are to be transferred to third parties or third countries.
Where processing is based on the data subject’s consent, Parliament confirmed that the controller should have the burden of proving that the data subject has given the consent to the processing operation.
Members added that:
· provisions on the data subject’s consent which are partly in violation of this Regulation are fully void;
· it should be as easy to withdraw consent as to give it. The data subject shall be informed by the controller if withdrawal of consent may result in the termination of the services provided or of the relationship with the controller;
· consent shall be purpose-limited and shall lose its validity when the purpose ceases to exist or as soon as the processing of personal data is no longer necessary for carrying out the purpose for which they were originally collected.
Information provided to children, parents and legal guardians in order to express consent, including about the controller’s collection and use of personal data, should be given in a clear language appropriate to the intended audience.
The following is prohibited: the processing of personal data, revealing race or ethnic origin, political opinions, religion or philosophical beliefs, sexual orientation or gender identity, trade-union membership and activities, and the processing of genetic or biometric data or data concerning health or sex life, administrative sanctions, judgments, criminal or suspected offences, convictions or related security measures.
General principles for data subject rights: Parliament proposed to strengthen, clarify, guarantee and where appropriate, codify these rights, which should be clear and unambiguous, and include:
the provision of clear and easily understandable information regarding the processing of his or her personal data, the right of access, rectification and erasure of their data, the right to obtain data, the right to object to profiling, being any form of automated processing of personal data intended to evaluate certain personal aspects relating to a natural person or to analyse or predict in particular that natural person’s performance at work, economic situation, location, health, personal preferences, reliability or behaviour; the right to lodge a complaint with the competent data protection authority and to bring legal proceedings as well as the right to compensation and damages resulting from an unlawful processing operation.
Such rights shall in general be exercised free of charge. The data controller shall respond to requests from the data subject within a reasonable period of time.
Standardised information policies: Parliament introduced a new Article stating that where personal data relating to a data subject are collected, the controller shall provide the data subject, in an easily visible and clearly legible way and in a language easily understood, with certain particulars listed in the text before providing information required by the Regulation.
Such particulars include: (i) whether personal data are collected beyond the minimum necessary for each specific purpose of the processing, and (ii) whether personal data are processed for purposes other than the purposes for which they were collected; (iii) whether personal data are disseminated to commercial third parties or sold or rented out; (iv) whether personal data are retained in encrypted form.
Right to erasure: Members reinforced this right by allowing the data subject to obtain from third parties the erasure of any links to, or copy or replication of, that data where one of the following grounds applies:
· a court or regulatory authority based in the Union has ruled as final and absolute that the data concerned must be erased;
· the data has been unlawfully processed.
Where the controller has made the personal data public without a justification, it shall take all reasonable steps to have the data erased, including by third parties. The controller shall inform the data subject, where possible, of the action taken by the relevant third parties.
Profiling: Parliament clarified that all persons have the right to object to profiling. The person concerned shall be informed about the right to object to profiling in a highly visible manner.
Profiling that has the effect of discriminating against individuals on the basis of race or ethnic origin, political opinions, religion or beliefs, trade union membership, sexual orientation or gender identity, or that results in measures which have such effect, shall be prohibited. The controller shall implement effective protection against possible discrimination resulting from profiling.
Parliament added that profiling which leads to measures producing legal effects concerning the data subject shall not be based solely or predominantly on automated processing and shall include human assessment, including an explanation of the decision reached after such an assessment.
Security of processing: such a security policy shall include the ability: (i) to ensure that the integrity of the personal data is validated; (ii) to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services processing personal data; (iii) to restore the availability and access to data in a timely manner in the event of a physical or technical incident.
Transfers or disclosures not authorised by Union law: a new Article provides that no judgment of a court or tribunal and no decision of an administrative authority of a third country requiring a controller or processor to disclose personal data shall be recognised or be enforceable in any manner (without prejudice to international agreements).
Lead authority: where the processing of personal data takes place in the context of the activities of an establishment of a controller or a processor in the Union, Parliament proposed that the supervisory authority of the main establishment of the controller or processor shall act as the lead authority responsible for the supervision of the processing activities of the controller or the processor in all Member States.
Administrative sanctions: to anyone who does not comply with the obligations laid down in this Regulation, the supervisory authority shall impose at least one of the following sanctions:
· a warning in writing in cases of first and non-intentional non-compliance;
· regular periodic data protection audits;
· a fine up to 100 000 000 EUR or up to 5% of the annual worldwide turnover in case of an enterprise, whichever is higher.
If the controller or the processor is in possession of a valid "European Data Protection Seal", a fine shall only be imposed in cases of intentional or negligent incompliance.
The Council held an in-depth discussion on the proposal for a regulation setting out a general EU framework for data protection.
The discussion focused on the one-stop-shop mechanism in order to arrive at a single supervisory decision and related questions on judicial review and judicial redress.
The Council also indicated that the experts should explore methods for enhancing the “proximity” between individuals and the decision-making supervisory authority by involving the local supervisory authorities in the decision-making process.
However, during the discussions at expert level it was established that there are limits to guaranteeing proximity for data subjects while at the same time guaranteeing one-stop-shop supervision for businesses operating in the internal market. The need to reconcile these two important goals was the core issue in the debate.
The Presidency concluded that:
· there are different opinions as to whether the supervisory authority of the main establishment should be given limited exclusive powers to adopt corrective measures and that work should continue at technical level;
· it is important that the supervisory authorities cooperate in the enforcement of data protection rules;
· further work at technical level should include investigating the possibility of providing the European Data Protection Board in some cases with the power to adopt binding decisions regarding corrective measures.
Delegations are invited to indicate whether they agree that the main establishment authority, acting in close cooperation with local authorities, should, in addition to some exclusive authorisation powers, also be given certain exclusive powers to adopt corrective measures.
If there is not sufficient support for giving certain exclusive powers to adopt corrective measures to the main establishment authority, delegations are invited to indicate whether they think the power to decide on corrective measures should remain in the hands of the 'local' supervisory authorities in all cases or whether they could accept that in certain serious transnational cases the European Data Protection Board be given the power to adopt binding corrective measures.
The Committee on Civil Liberties, Justice and Home Affairs adopted the report by Jan Philipp Albrecht (Greens/EFA) on the proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).
The committee recommended that the Parliament’s position adopted in first reading following the ordinary legislative procedure should amend the Commission proposal. The key amendments are as follows:
Territorial Scope: the report provides that the Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, whether the processing takes place in the Union or not. It applies to a controller or processor not established in the Union, where the processing activities are related to the offering of goods or services, irrespective of whether a payment of the data subject is required, to data subjects in the Union.
Consent to processing: where processing is based on consent, the report confirms the controller shall bear the burden of proof for the data subject's consent to the processing of their personal data for specified purposes. It adds that:
· provisions on the data subject’s consent which are partly in violation of the Regulation are fully void;
· it shall be as easy to withdraw consent as to give it. The data subject shall be informed by the controller if withdrawal of consent may result in the termination of the services provided or of the relationship with the controller;
· consent shall be purpose-limited and shall lose its validity when the purpose ceases to exist or as soon as the processing of personal data is no longer necessary for carrying out the purpose for which they were originally collected. The execution of a contract or the provision of a service shall not be made conditional on the consent to the processing of data that is not necessary for the execution of the contract or the provision of the service.
Right to erasure: the amendment in the report reinforces the right to erasure of data by allowing the data subject the right to obtain from third parties (to whom the data have been passed) the erasure of any links to, or copy or replication of that data. It also adds that the data subject has the right to erasure where:
· a court or regulatory authority based in the Union has ruled as final and absolute that the data concerned must be erased;
· the data has been unlawfully processed.
The controller and, where applicable, the third party shall carry out the erasure without delay, except to the extent that the retention of the personal data is necessary under certain specified grounds.
Notification requirement in the event of rectification and erasure: the controller shall communicate any rectification or erasure to each recipient to whom the data have been transferred, unless this proves impossible or involves a disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests this.
Standardised information policies: a new Article states that where personal data relating to a data subject are collected, the controller shall provide the data subject with certain particulars listed in the text before providing information required by the Regulation. Such particulars include whether personal data are collected beyond the minimum necessary for each specific purpose of the processing, and whether personal data are disseminated to commercial third parties.
The data controller would also be required to inform the person about various aspects of the data processing, such as the period of storage, the recipients of the personal data and the possible existence of profiling, as well as the data subject's rights of access, rectification and erasure of the data and right to lodge a complaint with a data protection authority.
Data portability: the committee deleted the Commission’s provisions on data portability. The report provides that where personal data are processed by electronic means, the data subject shall have the right to obtain from the controller a copy of the provided personal data in an electronic and interoperable format which is commonly used and allows for further use by the data subject without hindrance from the controller from whom the personal data are withdrawn. Where technically feasible and available, the data shall be transferred directly from controller to controller at the request of the data subject.
Profiling: the report strengthens the data subject’s right to object to profiling. The data subject shall be informed about the right to object to profiling in a highly visible manner. Profiling that has the effect of discriminating against individuals on the basis of race or ethnic origin, political opinions, religion or beliefs, trade union membership, sexual orientation or gender identity, or that results in measures which have such effect, shall be prohibited. The controller shall implement effective protection against possible discrimination resulting from profiling.
The committee adds that profiling which leads to measures producing legal effects concerning the data subject shall not be based solely or predominantly on automated processing and shall include human assessment, including an explanation of the decision reached after such an assessment.
Transfers or disclosures not authorised by Union law: a new Article provides that no judgment of a court or tribunal and no decision of an administrative authority of a third country requiring a controller or processor to disclose personal data shall be recognised or be enforceable in any manner (without prejudice to international agreements). Where such a request is made of a controller, the latter must obtain prior authorisation for the transfer or disclosure by the supervisory authority. The data subjects must be informed.
A recital in the text adds that in cases where controllers or processors are confronted with conflicting compliance requirements between the jurisdiction of the Union on the one hand, and that of a third country on the other, the Commission should ensure that Union law takes precedence at all times. The Commission should provide guidance and assistance to the controller and processor, and it should seek to resolve the jurisdictional conflict with the third country in question.
Lead Authority: the report provides that where the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union takes place in more than one Member State, one single supervisory authority should act as the single contact point and the lead authority responsible. The lead authority, providing a one-stop shop, should be the supervisory authority of the Member State in which the controller or processor has its main establishment or its representative. The European Data Protection Board may designate the lead authority through the consistency mechanism in certain cases on the request of a competent authority. The lead authority must consult other competent supervisory authorities in an endeavour to reach a consensus. However, it shall be the sole authority empowered to decide on measures intended to produce legal effects as regards the processing activities of the controller or processor for which it is responsible.
Data Protection Officers: the controller and the processor shall designate a data protection officer, inter alia, where the processing is carried out by a legal person and relates to more than 5000 data subjects in any consecutive 12-month period.
Data protection officers shall be bound by secrecy concerning the identity of data subjects and concerning circumstances enabling data subjects to be identified, unless they are released from that obligation by the data subject. The committee changed the criterion from the number of employees a company has (the Commission suggested at least 250), to the number of data subjects. DPOs should be appointed for at least four years in the case of employees and two in that of external contractors. The Commission proposed two years in both cases.
Data protection officers should be in a position to perform their duties and tasks independently and enjoy special protection against dismissal. Final responsibility should stay with the management of an organisation. The data protection officer should be consulted prior to the design, procurement, development and setting-up of systems for the automated processing of personal data, in order to ensure the principles of privacy by design and privacy by default.
Administrative sanctions: additional provisions state that to anyone who does not comply with the obligations laid down in this Regulation, the supervisory authority shall impose at least one of the following sanctions:
· a warning in writing in cases of first and non-intentional non-compliance;
· regular periodic data protection audits;
· a fine up to 100 000 000 EUR or up to 5% of the annual worldwide turnover in case of an enterprise, whichever is higher (the Commission proposed up to EUR 1 million or 2% of annual worldwide turnover). If the controller or the processor is in possession of a valid "European Data Protection Seal", a fine shall only be imposed in cases of intentional or negligent incompliance.
The administrative sanction shall take into account certain prescribed factors including the intentional or negligent character of the infringement, the degree of co-operation with the supervisory authority, in order to remedy the infringement and the level of damage, including non-pecuniary damage, suffered by the data subjects.
The Council held an in-depth discussion on the present proposal.
To recall, the Commission presented in January 2012 a legislative package to modernise data protection rights. The package includes two legislative proposals:
· this draft regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), and
· a draft directive on protecting personal data processed for the purposes of prevention, detection, investigation or prosecution of criminal offences and related judicial activities.
The “one-stop-shop” principle, together with the consistency mechanism, is one of the central pillars of the Commission proposal. According to this principle, when the processing of personal data takes place in more than one Member State, there should be one single supervisory authority responsible for monitoring the activities of the controller or processor throughout the Union and taking the related decisions. The proposal states that the authority acting as such a one-stop-shop should be the supervisory authority of the Member State in which the controller or processor has its main establishment.
The Council expressed its support for the principle that, in important transnational cases, the regulation should establish a "one-stop-shop" mechanism in order to arrive at a single supervisory decision, which should be fast, ensure consistent application, provide legal certainty and reduce administrative burden. This is an important factor to enhance the cost-efficiency of the data protection rules for international business, thus contributing to the growth of the digital economy.
The discussion focused on how to arrive at such a single decision. A majority of Member States indicated that further expert work should continue based on a model in which a single supervisory decision is taken by the “main establishment” supervisory authority, while the exclusive jurisdiction of that authority might be limited to the exercise of certain powers. Some Member States expressed their preference for the codecision mechanism, while others preferred to avoid taking any position on this point at this stage.
The Council indicated that the experts should explore methods for enhancing the “proximity” between individuals and the decision-making supervisory authority by involving the local supervisory authorities in the decision-making process. This proximity is an important aspect of the protection of individual rights.
Another important element for increasing the consistency of the application of EU data protection rules will be to explore which powers and what role could be assigned to the European Data Protection Board (EDPB).
The Council took note of the state-of-play on the proposal for a Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).
The choice of legal instrument was raised during the debate. Some delegations expressed their preference for a directive instead of a regulation since it allowed for more flexibility where this was needed. However, some other delegations preferred the choice of a regulation, as proposed by the Commission.
Ministers have already discussed this proposal at the informal ministerial meeting in July on the basis of three questions: the administrative burden, the need for special treatment for the public sector and the number of delegated acts.
The proposal is the subject of in-depth discussions by experts in the Working Party on Data Protection, which began under the Danish Presidency and will continue under the Irish Presidency.
EDPS Opinion on the data protection reform package
On 25 January 2012, the Commission adopted a package for reforming the EU rules on data protection, which included:
· this proposal for a Regulation containing the general rules on data protection and
· a proposal for a Directive on data protection in the law enforcement sector.
The Regulation: the EDPS welcomes the proposed Regulation, as it constitutes a huge step forward for data protection in Europe. The proposed rules will strengthen the rights of individuals and make controllers more accountable for how they handle personal data. Furthermore, the role and powers of national supervisory authorities (alone and together) are effectively reinforced.
The EDPS is particularly pleased to see that the instrument of a regulation is proposed for the general rules on data protection. The proposed Regulation would be directly applicable in the Member States and would do away with many complexities and inconsistencies stemming from the different implementing laws of the Member States currently in place.
The Directive: the EDPS is, however, seriously disappointed with the proposed Directive for data protection in the law enforcement area. He regrets that the Commission has chosen to regulate this matter in a self-standing legal instrument which provides for an inadequate level of protection, and which is greatly inferior to the proposed Regulation.
A positive element of the proposed Directive is that it covers domestic processing, and thus has a wider scope than the current Framework Decision. However, this improvement only has added value if the Directive substantially increases the level of data protection in this area, which is not the case.
The main weakness of the package as a whole is that it does not remedy the lack of comprehensiveness of the EU data protection rules. It leaves many EU data protection instruments unaffected such as the data protection rules for the EU institutions and bodies, but also all specific instruments adopted in the area of police and judicial cooperation in criminal matters such as the Prüm Decision and the rules on Europol and Eurojust. Furthermore, the proposed instruments taken together do not fully address factual situations that fall under both policy areas, such as the use of PNR or telecommunication data for law enforcement purposes.
General comments on the proposed Regulation: the EDPS makes the following observations:
(1) One horizontal issue is the relationship between EU and national law. The proposed Regulation goes a long way in creating a single applicable law for data protection in the EU; however, there is still more space for coexistence and interaction between EU law and national law than one might assume at first sight. The EDPS takes the view that the legislator should better acknowledge this.
(2) A second issue of general importance arises from the numerous provisions which empower the Commission to adopt delegated or implementing acts. The EDPS welcomes this approach in so far as it contributes to the consistent application of the Regulation, but has reservations about the extent to which essential legal provisions are left to delegated powers. Several of these empowerments should be reconsidered.
(3) On a detailed level, the EDPS points to the main positive elements of the proposed Regulation, which are:
· the clarification of the scope of application of the proposed Regulation;
· the enhanced transparency requirements towards the data subject and the reinforcement of the right to object;
· the general obligation for controllers to ensure and be able to demonstrate compliance with the provisions of the Regulation;
· the reinforcement of the position and role of national supervisory authorities;
· the main lines of the consistency mechanism.
The main negative elements of the proposed Regulation are:
· the new ground for exceptions to the purpose limitation principle;
· the possibilities for restricting basic principles and rights;
· the obligation for controllers to maintain documentation of all processing operations;
· the transfer of data to third countries by way of derogation;
· the role of the Commission in the consistency mechanism;
· the mandatory nature of imposing administrative sanctions.
General comments on the proposed Directive: as regards the Directive, the EDPS takes the view that the proposal, in many aspects, does not meet the requirement of a consistent and high level of data protection. It leaves all existing instruments in the area unaffected, and in many instances there is no justification whatsoever for departing from the provisions of the rules in the proposed Regulation.
The EDPS underlines that whilst the law enforcement area requires some specific rules, every departure from the general data protection rules should be duly justified based on a proper balance between the public interest in law enforcement and citizens’ fundamental rights.
The EDPS is particularly concerned regarding:
· the lack of clarity in the drafting of the principle of purpose limitation;
· the absence of any obligation on competent authorities to be able to demonstrate compliance with the Directive;
· the weak conditions for transfers to third countries;
· the unduly limited powers of supervisory authorities.
The following recommendations on the whole reform process are made:
· announce publicly the time schedule on the second stage of the reform process as soon as possible;
· incorporate the rules for EU institutions and bodies in the proposed Regulation or at least have aligned rules in force when the proposed Regulation applies;
· present as soon as possible a proposal for common rules for the Common Foreign and Security Policy, based on Article 39 TEU.
The EDPS makes a series of detailed recommendations regarding amendments to provisions in both the draft regulation and the draft directive.
PURPOSE: to protect individuals with regard to the processing of personal data and on the free movement of such data.
PROPOSED ACT: Regulation of the European Parliament and of the Council.
BACKGROUND: the centrepiece of existing EU legislation on personal data protection, Directive 95/46/EC, was adopted in 1995 with two objectives in mind: to protect the fundamental right to data protection and to guarantee the free flow of personal data between Member States. It was complemented by Framework Decision 2008/977/JHA as a general instrument at Union level for the protection of personal data in the areas of police co-operation and judicial co-operation in criminal matters.
The current legal framework remains sound as far as its objectives and principles are concerned, but it has not prevented fragmentation in the way personal data protection is implemented across the Union, legal uncertainty and a widespread public perception that there are significant risks associated notably with online activity.
This is why it is time to build a stronger and more coherent data protection framework in the EU, backed by strong enforcement that will allow the digital economy to develop across the internal market.
Personal data protection therefore plays a central role in the Digital Agenda for Europe, and more generally in the Europe 2020 Strategy.
Article 16(1) of the Treaty on the Functioning of the European Union (TFEU), as introduced by the Lisbon Treaty, establishes the principle that everyone has the right to the protection of personal data concerning him or her.
In 2010, the European Council invited the Commission to evaluate the functioning of EU instruments on data protection and to present, where necessary, further legislative and non-legislative initiatives. The Commission stressed in its Action Plan implementing the Stockholm Programme the need to ensure that the fundamental right to personal data protection is consistently applied in the context of all EU policies. In its Communication on “A comprehensive approach on personal data protection in the European Union”, the Commission concluded that the EU needs a more comprehensive and coherent policy on the fundamental right to personal data protection. The European Parliament approved by its resolution of 6 July 2011 a report that supported the Commission’s approach to reforming the data protection framework.
This proposal further details the approach for the new legal framework for the protection of personal data in the EU as presented in its Communication on this issue.
The legal framework consists of two legislative proposals:
· a proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), and
· a proposal for a Directive of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data.
IMPACT ASSESSMENT: the impact assessment was based on the three policy objectives of improving the internal market dimension of data protection, making the exercise of data protection rights by individuals more effective and creating a comprehensive and coherent framework covering all areas of Union competence, including police co-operation and judicial co-operation in criminal matters.
Three policy options of different degrees of intervention were assessed:
· Option 1: this option consisted of minimal legislative amendments and the use of interpretative Communications and policy support measures such as funding programmes and technical tools;
· Option 2: this option comprised a set of legislative provisions addressing each of the issues identified in the analysis; and
· Option 3: this option was the centralisation of data protection at EU level through precise and detailed rules for all sectors and the establishment of an EU agency for monitoring and enforcement of the provisions.
The analysis of the overall impact led to the development of the preferred policy option which is based on the second option with some elements from the other two options and incorporated in the present proposal. According to the impact assessment, its implementation will lead inter alia to considerable improvements regarding legal certainty for data controllers and citizens, reduction of administrative burden, consistency of data protection enforcement in the Union, the effective possibility of individuals to exercise their data protection rights to the protection of personal data within the EU and the efficiency of data protection supervision and enforcement.
LEGAL BASIS: Article 16(2) and Article 114(1) of the Treaty on the Functioning of the European Union (TFEU).
CONTENT: the proposed Regulation lays down rules relating to the protection of individuals with regard to the processing of personal data and rules relating to the free movement of personal data. It protects the fundamental rights and freedoms of natural persons, and in particular their right to the protection of personal data. Its main provisions are as follows:
Principles: the proposal sets out the principles relating to personal data processing. Additional new elements are in particular the transparency principle, the clarification of the data minimisation principle and the establishment of a comprehensive responsibility and liability of the controller. It also sets out the criteria for lawful processing, which are further specified as regards the balance of interest criterion, and the compliance with legal obligations and public interest. It clarifies the conditions for consent to be valid as a legal ground for lawful processing and sets out further conditions for the lawfulness of the processing of personal data of children in relation to information society services offered directly to them.
Rights of the data subject: the proposal introduces the obligation on controllers to provide transparent and easily accessible and understandable information. It obliges the controller to provide procedures and mechanisms for exercising the data subject's rights, including means for electronic requests, requiring response to the data subject's request within a defined deadline, and the motivation of refusals.
In addition, the proposal:
· further specifies the controller's information obligations towards the data subject, providing additional information to the data subject, including on the storage period, the right to lodge a complaint, in relation to international transfers and to the source from which the data are originating;
· provides the data subject's right of access to their personal data, such as to inform the data subjects of the storage period, and of the rights to rectification and to erasure and to lodge a complaint;
· sets out the data subject's right to rectification;
· provides the data subject's right to be forgotten and to erasure. It further elaborates and specifies the right of erasure provided for in Article 12(b) of Directive 95/46/EC;
· introduces the data subject's right to data portability, i.e. to transfer data from one electronic processing system to and into another, without being prevented from doing so by the controller. As a precondition and in order to further improve access of individuals to their personal data, it provides the right to obtain from the controller those data in a structured and commonly used electronic format;
· provides for the data subject's rights to object;
· concerns the data subject's right not to be subject to a measure based on profiling.
General obligations: the proposal takes account of the debate on a "principle of accountability" and describes in detail the obligation of responsibility of the controller to comply with this Regulation and to demonstrate this compliance, including by way of adoption of internal policies and mechanisms for ensuring such compliance. It sets out the obligations of the controller arising from the principles of data protection by design and by default. It introduces for controllers and processors: (i) the obligation for controllers and processors to maintain documentation of the processing operations under their responsibility, instead of a general notification to the supervisory authority; (ii) the obligation to implement appropriate measures for the security of processing; (iii) an obligation to notify personal data breaches; (iv) the obligation of controllers and processors to carry out a data protection impact assessment prior to risky processing operations.
Data protection officer: the proposal introduces a mandatory data protection officer for the public sector, and, in the private sector, for large enterprises or where the core activities of the controller or processor consist of processing operations which require regular and systematic monitoring.
Transfer of personal data to third countries or international organisations: the proposal spells out, as a general principle, that compliance with the obligations in that chapter is mandatory for any transfers of personal data to third countries or international organisations, including onward transfers. It sets out the criteria, conditions and procedures for the adoption of an adequacy decision by the Commission. The criteria which shall be taken into account for the Commission’s assessment of an adequate or not adequate level of protection include expressly the rule of law, judicial redress and independent supervision. For transfers to third countries where no adequacy decision has been adopted by the Commission, the proposal requires appropriate safeguards to be adduced, in particular standard data protection clauses, binding corporate rules and contractual clauses.
Independent supervisory authorities: the proposal obliges Member States to establish supervisory authorities and to enlarge the mission of the supervisory authorities to co-operation with each other and with the Commission. It clarifies the conditions for the independence of supervisory authorities, implementing case law by the Court of Justice of the European Union.
Co-operation and consistency: the proposal introduces explicit rules on mandatory mutual assistance, including consequences for non-compliance with the request of another supervisory authority. It introduces a consistency mechanism for ensuring unity of application in relation to processing operations which may concern data subjects in several Member States.
The proposal also establishes the European Data Protection Board, consisting of the heads of the supervisory authority of each Member State and of the European Data Protection Supervisor.
The European Data Protection Board replaces the Working Party on the Protection of Individuals with regard to the Processing of Personal Data set up under Article 29 of Directive 95/46/EC.
Remedies, liability and sanctions: the proposal provides: (i) for the right of any data subject to lodge a complaint with a supervisory authority, (ii) that the bodies, organisations or associations which may lodge a complaint on behalf of the data subject and also in case of a personal data breach independently of a data subject's complaint; (iii) for the right to a judicial remedy against a supervisory authority; (iv) the data subject may launch a court action for obliging the supervisory authority to act on a complaint; (v) the right to a judicial remedy against a controller or processor; (vi) for the introduction of common rules for court proceedings, including the rights of bodies, organisations or associations to represent data subjects before the courts, and the right of supervisory authorities to engage in legal proceedings; (vii) for the Member States to provide for the right to compensation and lay down rules on penalties, to sanction infringements of the Directive, and to ensure their implementation.
BUDGETARY IMPLICATIONS: the specific budgetary implications of the proposal relate to the tasks allocated to the European Data Protection Supervisor as specified in the legislative financial statements accompanying this proposal. These implications require reprogramming of Heading 5 of the Financial Perspective. The total appropriations are estimated at EUR 24.339 million for 2014-2020. The proposal has no implications on operational expenditure.
DELEGATED ACTS: this proposal contains provisions empowering the Commission to adopt delegated acts in accordance with Article 290 of the Treaty on the Functioning of the European Union.
PURPOSE: to protect individuals with regard to the processing of personal data and on the free movement of such data.
PROPOSED ACT: Regulation of the European Parliament and of the Council.
BACKGROUND: t he centrepiece of existing EU legislation on personal data protection, Directive 95/46/EC, was adopted in 1995 with two objectives in mind: to protect the fundamental right to data protection and to guarantee the free flow of personal data between Member States. It was complemented by Framework Decision 2008/977/JHA as a general instrument at Union level for the protection of personal data in the areas of police co-operation and judicial co-operation in criminal matters.
The current legal framework remains sound as far as its objectives and principles are concerned, but it has not prevented fragmentation in the way personal data protection is implemented across the Union, legal uncertainty and a widespread public perception that there are significant risks associated notably with online activity.
This is why it is time to build a stronger and more coherent data protection framework in the EU, backed by strong enforcement that will allow the digital economy to develop across the internal market.
Personal data protection therefore plays a central role in the Digital Agenda for Europe , and more generally in the Europe 2020 Strategy.
Article 16(1) of Treaty on the Functioning of the European Union (TFEU) , as introduced by the Lisbon Treaty, establishes the principle that everyone has the right to the protection of personal data concerning him or her.
In 2010, the European Council invited the Commission to evaluate the functioning of EU instruments on data protection and to present, where necessary, further legislative and non-legislative initiatives. The Commission stressed in its Action Plan implementing the Stockholm Programme the need to ensure that the fundamental right to personal data protection is consistently applied in the context of all EU policies. In its Communication on “ A comprehensive approach on personal data protection in the European Union ”, the Commission concluded that the EU needs a more comprehensive and coherent policy on the fundamental right to personal data protection. The European Parliament approved by its resolution of 6 July 2011 a report that supported the Commission’s approach to reforming the data protection framework.
This proposal further details the approach for the new legal framework for the protection of personal data in the EU as presented in its Communication on this issue .
The legal framework consists of two legislative proposals:
a proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), and a proposal for a Directive of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data.
IMPACT ASSESSMENT: the impact assessment was based on the three policy objectives of improving the internal market dimension of data protection, making the exercise of data protection rights by individuals more effective and creating a comprehensive and coherent framework covering all areas of Union competence, including police co-operation and judicial co-operation in criminal matters.
Three policy options of different degrees of intervention were assessed:
Option 1 : this option consisted of minimal legislative amendments and the use of interpretative Communications and policy support measures such as funding programmes and technical tools; Option 2 : this option comprised a set of legislative provisions addressing each of the issues identified in the analysis and Option 3 : this option was the centralisation of data protection at EU level through precise and detailed rules for all sectors and the establishment of an EU agency for monitoring and enforcement of the provisions.
The analysis of the overall impact led to the development of the preferred policy option which is based on the second option with some elements from the other two options and incorporated in the present proposal. According to the impact assessment, its implementation will lead inter alia to considerable improvements regarding legal certainty for data controllers and citizens, reduction of administrative burden, consistency of data protection enforcement in the Union, the effective possibility of individuals to exercise their data protection rights to the protection of personal data within the EU and the efficiency of data protection supervision and enforcement.
LEGAL BASIS: Article 16(2) and Article 114(1) of the Treaty on the Functioning of the European Union (TFEU).
CONTENT: the proposed Regulation lays down rules relating to the protection of individuals with regard to the processing of personal data and rules relating to the free movement of personal data. It protects the fundamental rights and freedoms of natural persons, and in particular their right to the protection of personal data. It main provisions are as follows:
Principles : the proposal sets out the principles relating to personal data processing. Additional new elements are in particular the transparency principle, the clarification of the data minimisation principle and the establishment of a comprehensive responsibility and liability of the controller. It also sets out the criteria for lawful processing, which are further specified as regards the balance of interest criterion, and the compliance with legal obligations and public interest. It clarifies the conditions for consent to be valid as a legal ground for lawful processing and sets out further conditions for the lawfulness of the processing of personal data of children in relation to information society services offered directly to them.
Rights of the data subject : the proposal introduces the obligation on controllers to provide transparent and easily accessible and understandable information. It obliges the controller to provide procedures and mechanism for exercising the data subject's rights, including means for electronic requests, requiring response to the data subject's request within a defined deadline, and the motivation of refusals.
In addition, the proposal:
further specifies the controller's information obligations towards the data subject, providing additional information to the data subject, including on the storage period, the right to lodge a complaint, in relation to international transfers and to the source from which the data are originating; provides the data subject's right of access to their personal data, such as to inform the data subjects of the storage period, and of the rights to rectification and to erasure and to lodge a complaint; sets out the data subject's right to rectification; provides the data subject's right to be forgotten and to erasure . It further elaborates and specifies the right of erasure provided for in Article 12(b) of Directive 95/46/EC; introduces the data subject's right to data portability , i.e. to transfer data from one electronic processing system to and into another, without being prevented from doing so by the controller. As a precondition and in order to further improve access of individuals to their personal data, it provides the right to obtain from the controller those data in a structured and commonly used electronic format; provides for the data subject's rights to object ; concerns the data subject's right not to be subject to a measure based on profiling.
General obligations : the proposal takes account of the debate on a "principle of accountability" and describes in detail the obligation of responsibility of the controller to comply with this Regulation and to demonstrate this compliance, including by way of adoption of internal policies and mechanisms for ensuring such compliance. It sets out the obligations of the controller arising from the principles of data protection by design and by default. It introduces for controllers and processors: (i) the obligation for controllers and processors to maintain documentation of the processing operations under their responsibility, instead of a general notification to the supervisory authority; (ii) the obligation to implement appropriate measures for the security of processing; (iii) an obligation to notify personal data breaches; (iv) the obligation of controllers and processors to carry out a data protection impact assessment prior to risky processing operations.
Data protection officer : the proposal introduces a mandatory data protection officer for the public sector, and, in the private sector, for large enterprises or where the core activities of the controller or processor consist of processing operations which require regular and systematic monitoring.
Transfer of personal data to third countries or international organisations : the proposal spells out, as a general principle, that the compliance with the obligations in that chapter are mandatory for any transfers of personal data to third countries or international organisations, including onward transfers. It sets out the criteria, conditions and procedures for the adoption of an adequacy decision by the Commission. The criteria which shall be taken into account for the Commission’s assessment of an adequate or not adequate level of protection include expressly the rule of law, judicial redress and independent supervision. The proposal requires for transfers to third countries, where no adequacy decision has been adopted by the Commission, to adduce appropriate safeguards, in particular standard data protection clauses, binding corporate rules and contractual clauses.
Independent supervisory authorities : the proposal obliges Member States to establish supervisory authorities and to enlarge the mission of the supervisory authorities to co-operation with each other and with the Commission. It clarifies the conditions for the independence of supervisory authorities, implementing case law by the Court of Justice of the European Union.
Co-operation and consistency : the proposal introduces explicit rules on mandatory mutual assistance, including consequences for non-compliance with the request of another supervisory authority. It introduces a consistency mechanism for ensuring unity of application in relation to processing operations which may concern data subjects in several Member States.
The proposal also establishes the European Data Protection Board, consisting of the heads of the supervisory authority of each Member State and of the European Data Protection Supervisor.
The European Data Protection Board replaces the Working Party on the Protection of Individuals with regard to the Processing of Personal Data set up under Article 29 of Directive 95/46/EC.
Remedies, liability and sanctions: the proposal provides: (i) for the right of any data subject to lodge a complaint with a supervisory authority; (ii) for the bodies, organisations or associations which may lodge a complaint on behalf of the data subject and also, in case of a personal data breach, independently of a data subject's complaint; (iii) for the right to a judicial remedy against a supervisory authority; (iv) that the data subject may launch a court action to oblige the supervisory authority to act on a complaint; (v) for the right to a judicial remedy against a controller or processor; (vi) for the introduction of common rules for court proceedings, including the rights of bodies, organisations or associations to represent data subjects before the courts, and the right of supervisory authorities to engage in legal proceedings; (vii) for the Member States to provide for the right to compensation and lay down rules on penalties, to sanction infringements of the Directive, and to ensure their implementation.
BUDGETARY IMPLICATIONS: the specific budgetary implications of the proposal relate to the tasks allocated to the European Data Protection Supervisor as specified in the legislative financial statements accompanying this proposal. These implications require reprogramming of Heading 5 of the Financial Perspective. The total appropriations are estimated at EUR 24.339 million for 2014-2020. The proposal has no implications on operational expenditure.
DELEGATED ACTS: this proposal contains provisions empowering the Commission to adopt delegated acts in accordance with Article 290 of the Treaty on the Functioning of the European Union.
Documents
- Contribution: COM(2020)0264
- Follow-up document: EUR-Lex
- Follow-up document: SWD(2020)0115
- Follow-up document: COM(2020)0264
- Follow-up document: EUR-Lex
- Document attached to the procedure: COM(2018)0043
- Document attached to the procedure: EUR-Lex
- Final act published in Official Journal: Regulation 2016/679
- Final act published in Official Journal: OJ L 119 04.05.2016, p. 0001
- Final act published in Official Journal: Corrigendum to final act 32016R0679R(02)
- Final act published in Official Journal: OJ L 127 23.05.2018, p. 0002
- Draft final act: 00017/2016/LEX
- Decision by Parliament, 2nd reading: T8-0125/2016
- Debate in Parliament: Debate in Parliament
- Committee recommendation tabled for plenary, 2nd reading: A8-0139/2016
- Commission communication on Council's position: COM(2016)0214
- Commission communication on Council's position: EUR-Lex
- Council position: 05419/1/2016
- Council position published: 05419/1/2016
- Committee draft report: PE580.501
- Contribution: COM(2012)0011
- Document attached to the procedure: 52015XX0912(01)
- Document attached to the procedure: OJ C 301 12.09.2015, p. 0001
- Debate in Council: 3354
- Debate in Council: 3336
- Commission response to text adopted in plenary: SP(2014)455
- Results of vote in Parliament: Results of vote in Parliament
- Decision by Parliament, 1st reading: T7-0212/2014
- Debate in Parliament: Debate in Parliament
- Debate in Council: 3298
- Debate in Council: 3279
- Committee report tabled for plenary, 1st reading: A7-0402/2013
- Debate in Council: 3260
- Contribution: COM(2012)0011
- Debate in Council: 3244
- Committee opinion: PE494.710
- Amendments tabled in committee: PE506.169
- Amendments tabled in committee: PE506.173
- Amendments tabled in committee: PE506.147
- Amendments tabled in committee: PE506.164
- Amendments tabled in committee: PE506.166
- Amendments tabled in committee: PE506.168
- Amendments tabled in committee: PE506.170
- Committee opinion: PE498.045
- Amendments tabled in committee: PE504.340
- Amendments tabled in committee: PE506.145
- Amendments tabled in committee: PE506.146
- Committee opinion: PE496.562
- Committee opinion: PE496.497
- Committee draft report: PE501.927
- Debate in Council: 3195
- Contribution: COM(2012)0011
- Economic and Social Committee: opinion, report: CES1303/2012
- Contribution: COM(2012)0011
- Document attached to the procedure: N7-0083/2012
- Document attached to the procedure: OJ C 192 30.06.2012, p. 0007
- Legislative proposal: COM(2012)0011
- Legislative proposal: EUR-Lex
- Document attached to the procedure: EUR-Lex
- Document attached to the procedure: SEC(2012)0072
- Document attached to the procedure: EUR-Lex
- Document attached to the procedure: SEC(2012)0073
- Legislative proposal published: COM(2012)0011
- Legislative proposal published: EUR-Lex
Activities
- Jan Philipp ALBRECHT
Plenary Speeches (6)
- 2016/11/22 Protection of individuals with regard to the processing of personal data (A8-0139/2016 - Jan Philipp Albrecht) (vote)
- 2016/11/22 Protection of individuals with regard to the processing of personal data - Processing of personal data for the purposes of crime prevention (debate)
- 2016/11/22 Protection of individuals with regard to the processing of personal data - Processing of personal data for the purposes of crime prevention (debate)
- 2016/11/22 Protection of individuals with regard to the processing of personal data (A7-0402/2013 - Jan Philipp Albrecht) (vote)
- 2016/11/22 Protection of individuals with regard to the processing of personal data - Processing of personal data for the purposes of crime prevention (debate)
- 2016/11/22 Protection of individuals with regard to the processing of personal data - Processing of personal data for the purposes of crime prevention (debate)
- Dimitrios DROUTSAS
Plenary Speeches (3)
- 2016/11/22 Protection of individuals with regard to the processing of personal data - Processing of personal data for the purposes of crime prevention (debate)
- 2016/11/22 Protection of individuals with regard to the processing of personal data - Processing of personal data for the purposes of crime prevention (debate)
- 2016/11/22 Protection of individuals with regard to the processing of personal data - Processing of personal data for the purposes of crime prevention (debate)
- Ildikó GÁLL-PELCZ
Plenary Speeches (3)
- 2016/11/22 Protection of individuals with regard to the processing of personal data - Processing of personal data for the purposes of crime prevention (debate) HU
- 2016/11/22 Protection of individuals with regard to the processing of personal data - Processing of personal data for the purposes of crime prevention (debate) HU
- 2016/11/22 Protection of individuals with regard to the processing of personal data - Processing of personal data for the purposes of crime prevention (debate) HU
- Judith SARGENTINI
Plenary Speeches (3)
- 2016/11/22 Protection of individuals with regard to the processing of personal data - Processing of personal data for the purposes of crime prevention (debate) NL
- 2016/11/22 Protection of individuals with regard to the processing of personal data - Processing of personal data for the purposes of crime prevention (debate)
- 2016/11/22 Protection of individuals with regard to the processing of personal data - Processing of personal data for the purposes of crime prevention (debate)
- Zigmantas BALČYTIS
Plenary Speeches (2)
- Gianluca BUONANNO
Plenary Speeches (2)
- Nicola CAPUTO
Plenary Speeches (2)
- Anna Maria CORAZZA BILDT
Plenary Speeches (2)
- 2016/11/22 Protection of individuals with regard to the processing of personal data - Processing of personal data for the purposes of crime prevention (debate)
- 2016/11/22 Protection of individuals with regard to the processing of personal data - Processing of personal data for the purposes of crime prevention (debate)
- Isabelle DURANT
Plenary Speeches (2)
- 2016/11/22 Protection of individuals with regard to the processing of personal data - Processing of personal data for the purposes of crime prevention (debate)
- 2016/11/22 Protection of individuals with regard to the processing of personal data - Processing of personal data for the purposes of crime prevention (debate)
- Vicky FORD
Plenary Speeches (2)
- 2016/11/22 Protection of individuals with regard to the processing of personal data - Processing of personal data for the purposes of crime prevention (debate)
- 2016/11/22 Protection of individuals with regard to the processing of personal data - Processing of personal data for the purposes of crime prevention (debate)
- Ivan JAKOVČIĆ
Plenary Speeches (2)
- Timothy KIRKHOPE
Plenary Speeches (2)
- 2016/11/22 Protection of individuals with regard to the processing of personal data - Processing of personal data for the purposes of crime prevention (debate)
- 2016/11/22 Protection of individuals with regard to the processing of personal data - Processing of personal data for the purposes of crime prevention (debate)
- Marju LAURISTIN
Plenary Speeches (2)
- 2016/11/22 Protection of individuals with regard to the processing of personal data - Processing of personal data for the purposes of crime prevention (debate)
- 2016/11/22 Protection of individuals with regard to the processing of personal data - Processing of personal data for the purposes of crime prevention (debate)
- Baroness Sarah LUDFORD
Plenary Speeches (2)
- 2016/11/22 Protection of individuals with regard to the processing of personal data - Processing of personal data for the purposes of crime prevention (debate)
- 2016/11/22 Protection of individuals with regard to the processing of personal data - Processing of personal data for the purposes of crime prevention (debate)
- Notis MARIAS
Plenary Speeches (2)
- Krisztina MORVAI
Plenary Speeches (2)
- Viviane REDING
Plenary Speeches (2)
- 2016/11/22 Protection of individuals with regard to the processing of personal data - Processing of personal data for the purposes of crime prevention (debate)
- 2016/11/22 Protection of individuals with regard to the processing of personal data - Processing of personal data for the purposes of crime prevention (debate)
- Monika SMOLKOVÁ
Plenary Speeches (2)
- Patricija ŠULIN
Plenary Speeches (2)
- Tibor SZANYI
Plenary Speeches (2)
- Silvia-Adriana ȚICĂU
Plenary Speeches (2)
- 2016/11/22 Protection of individuals with regard to the processing of personal data - Processing of personal data for the purposes of crime prevention (debate)
- 2016/11/22 Protection of individuals with regard to the processing of personal data - Processing of personal data for the purposes of crime prevention (debate)
- Cecilia WIKSTRÖM
Plenary Speeches (2)
- 2016/11/22 Protection of individuals with regard to the processing of personal data - Processing of personal data for the purposes of crime prevention (debate) SV
- 2016/11/22 Protection of individuals with regard to the processing of personal data - Processing of personal data for the purposes of crime prevention (debate) SV
- Zbigniew ZALESKI
Plenary Speeches (2)
- 2016/11/22 Protection of individuals with regard to the processing of personal data - Processing of personal data for the purposes of crime prevention (debate)
- 2016/11/22 Protection of individuals with regard to the processing of personal data - Processing of personal data for the purposes of crime prevention (debate)
- Hugues BAYET
Plenary Speeches (1)
- Xabier BENITO ZILUAGA
Plenary Speeches (1)
- José BLANCO LÓPEZ
Plenary Speeches (1)
- Michał BONI
- Renata BRIANO
Plenary Speeches (1)
- Soledad CABEZÓN RUIZ
Plenary Speeches (1)
- Wim van de CAMP
- Alberto CIRIO
Plenary Speeches (1)
- Silvia COSTA
- Edward CZESAK
Plenary Speeches (1)
- Michel DANTIN
Plenary Speeches (1)
- Philippe DE BACKER
Plenary Speeches (1)
- Gérard DEPREZ
Plenary Speeches (1)
- Marielle BOULLIER GALLO
- Doru-Claudian FRUNZULICĂ
Plenary Speeches (1)
- Elena GENTILE
Plenary Speeches (1)
- Lidia Joanna GERINGER DE OEDENBERG
- Ana GOMES
- Tania GONZÁLEZ PEÑAS
Plenary Speeches (1)
- Nathalie GRIESBECK
Plenary Speeches (1)
- Enrique GUERRERO SALOM
Plenary Speeches (1)
- Brian HAYES
Plenary Speeches (1)
- Nadja HIRSCH
- Salvatore IACOLINO
- Petr JEŽEK
Plenary Speeches (1)
- Marc JOULAUD
Plenary Speeches (1)
- Kaja KALLAS
- Philippe JUVIN
Plenary Speeches (1)
- Barbara KAPPEL
Plenary Speeches (1)
- Patrick LE HYARIC
Plenary Speeches (1)
- Giovanni LA VIA
Plenary Speeches (1)
- Marine LE PEN
Plenary Speeches (1)
- Louis-Joseph MANSCOUR
Plenary Speeches (1)
- Andrejs MAMIKINS
Plenary Speeches (1)
- Dominique MARTIN
Plenary Speeches (1)
- Jean-Luc MÉLENCHON
Plenary Speeches (1)
- Miroslav MIKOLÁŠIK
Plenary Speeches (1)
- Louis MICHEL
Plenary Speeches (1)
- Marlene MIZZI
Plenary Speeches (1)
- Sophie MONTEL
Plenary Speeches (1)
- Renaud MUSELIER
Plenary Speeches (1)
- József NAGY
Plenary Speeches (1)
- Wojciech Michał OLEJNICZAK
- Franz OBERMAYR
- Rolandas PAKSAS
Plenary Speeches (1)
- Alojz PETERLE
Plenary Speeches (1)
- Marijana PETIR
Plenary Speeches (1)
- Salvatore Domenico POGLIESE
Plenary Speeches (1)
- Franck PROUST
Plenary Speeches (1)
- Christine REVAULT D'ALLONNES BONNEFOY
Plenary Speeches (1)
- Liliana RODRIGUES
Plenary Speeches (1)
- Virginie ROZIÈRE
Plenary Speeches (1)
- Fernando RUAS
Plenary Speeches (1)
- Lola SÁNCHEZ CALDENTEY
Plenary Speeches (1)
- Carl SCHLYTER
- Remo SERNAGIOTTO
Plenary Speeches (1)
- Branislav ŠKRIPEK
Plenary Speeches (1)
- Csaba SÓGOR
- Renato SORU
Plenary Speeches (1)
- Helga STEVENS
- Richard SULÍK
Plenary Speeches (1)
- Eleftherios SYNADINOS
Plenary Speeches (1)
- Claudia ȚAPARDEL
Plenary Speeches (1)
- Pavel TELIČKA
Plenary Speeches (1)
- Kazimierz Michał UJAZDOWSKI
- Elena VALENCIANO
Plenary Speeches (1)
- Marie-Christine VERGIAT
Plenary Speeches (1)
- Miguel VIEGAS
Plenary Speeches (1)
- Josef WEIDENHOLZER
Votes
A7-0402/2013 - Jan Philipp Albrecht - Vote unique #
Amendments | Dossier |
---|---|
4027 | 2012/0011(COD) |
2012/11/08
IMCO
373 amendments...
Amendment 100 #
Proposal for a regulation Recital 24 (24) When using online services, individuals may be associated with online identifiers provided by their devices, applications, tools and protocols, such as Internet Protocol addresses or cookie identifiers. This may leave traces which, combined with unique identifiers and other
Amendment 101 #
Proposal for a regulation Recital 24 (24) When using online services, individuals may be associated with online identifiers provided by their devices, applications, tools and protocols, such as Internet Protocol addresses or cookie identifiers. This may leave traces which, combined with unique identifiers and other information received by the servers, may be used to create profiles of the individuals and identify them. It follows that a study should be conducted, on a case-by-case basis and in accordance with technological developments, into whether identification numbers, location data, online identifiers or other specific factors as such
Amendment 102 #
Proposal for a regulation Recital 25 (25) Consent should be given
Amendment 103 #
Proposal for a regulation Recital 25 (25) Consent should be given
Amendment 104 #
Proposal for a regulation Recital 25 (25) Consent should be given explicitly by any appropriate method enabling a freely given specific and informed indication of the data subject's wishes, either by a statement or by a clear affirmative action by the data subject, ensuring that individuals are aware that they give their consent to the processing of personal data, including by ticking a box when visiting an Internet website or by any other statement
Amendment 105 #
Proposal for a regulation Recital 25 (25) Consent should be given explicitly by any appropriate method enabling a freely given specific and informed indication of the adult data subject's wishes, as specifically described in the New York Convention, either by a statement or by a clear affirmative action by the data subject, ensuring that individuals are aware that they give their consent to the processing of personal data, including by ticking a box when visiting an Internet website or by any other statement or conduct which clearly indicates in this context the data subject's acceptance of the
Amendment 106 #
Proposal for a regulation Recital 25 (25) Consent should be given explicitly by any method appropriate
Amendment 107 #
Proposal for a regulation Recital 27 (27) The main establishment of a controller in the Union, including a controller that is also a processor, should be determined according to objective criteria and should imply the effective and real exercise of management activities determining the main decisions as to the purposes, conditions and means of processing through stable arrangements. This criterion should not depend whether the processing of personal data is actually carried out at that location; the presence and use of technical means and technologies for processing personal data or processing activities do not, in themselves, constitute such main establishment and are therefore no determining criteria for a main establishment. The main establishment of the processor that is not also a controller should be the place of its central administration in the Union.
Amendment 108 #
Proposal for a regulation Recital 27 (27) The main establishment of a controller in the Union should be determined according to objective criteria and should imply the effective and real exercise of management activities determining the main decisions as to the purposes, conditions and means of processing through stable arrangements. This criterion should not depend whether the processing of personal data is actually carried out at that location; the presence and use of technical means and technologies for processing personal data or processing activities do not, in themselves, constitute such main establishment and are therefore no determining criteria for a main establishment. ‘Main establishment of the controller’ means the place in the EU where personal data protection policy is determined, taking into account the dominant influence of that establishment over others, particularly in the case of a group of companies, as regards the implementation of rules on personal data protection and rules which have a bearing on data protection. The main establishment of the processor should be the place of its central administration in the Union.
Amendment 109 #
Proposal for a regulation Recital 29 (29) Children deserve specific protection of their personal data, as they may be less aware of risks, consequences, safeguards and their rights in relation to the processing of personal data and they are vulnerable consumers. To determine when an individual is a child, this Regulation should take over the definition laid down by the UN Convention on the Rights of the Child. In particular, child-friendly language has to be used to ensure the right of consent for children above the age of 13.
Amendment 110 #
Proposal for a regulation Recital 30 (30) Any processing of personal data should be lawful, fair and transparent in relation to the individuals concerned. In particular, the specific purposes for which the data are processed should be explicit and legitimate and determined at the time of the collection of the data. The data should be adequate, relevant and limited to the minimum necessary for the purposes for which the data are processed; this requires
Amendment 111 #
Proposal for a regulation Recital 30 (30) Any processing of personal data should be lawful, fair and transparent in relation to the individuals concerned. In particular, the specific purposes for which the data are processed should be explicit and legitimate and determined at the time of the collection of the data. The data should be adequate, relevant and limited to the minimum necessary for the purposes
Amendment 112 #
Proposal for a regulation Recital 31 (31) In order for processing to be lawful, personal data
Amendment 113 #
Proposal for a regulation Recital 33 (33) In order to ensure free consent, it should be clarified that consent does not provide a valid legal ground where the individual has no genuine and free choice and is subsequently not able to refuse or withdraw consent without detriment. Similarly, consent should not provide a legal basis for data processing when the data subject has no different access to equivalent services. Default settings such as pre-ticked boxes, silence, or the simple use of a service do not imply consent.
Amendment 114 #
Proposal for a regulation Recital 33 a (new)
Amendment 115 #
Proposal for a regulation Recital 34 (34) Consent should not provide a valid legal ground for the processing of personal data, where there is a clear imbalance between the data subject and the controller.
Amendment 116 #
Proposal for a regulation Recital 34 (34) Consent should not provide a valid legal ground for the processing of personal data, where there is a clear imbalance between the data subject and the controller. This is especially the case where the data subject is in a situation of dependence from the controller, among others
Amendment 117 #
Proposal for a regulation Recital 34 (34) Consent sh
Amendment 118 #
Proposal for a regulation Recital 34 a (new) (34 a) When personal data, processed on the basis of a data subject's consent are necessary for the provision of a service, the withdrawal of the consent can constitute the ground for the termination of a contract by the service provider. This shall apply in particular to the services which are provided free of charge to the consumers.
Amendment 119 #
Proposal for a regulation Recital 38 (38) The legitimate interests of a
Amendment 120 #
Proposal for a regulation Recital 38 (38) The legitimate interests of a controller may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding. This would need careful assessment in particular where the data subject is a child, given that children deserve specific protection. The data subject should have the right to object the processing
Amendment 121 #
Proposal for a regulation Recital 40 (40) The processing of personal data for other purposes should be only allowed where the processing is compatible with those purposes for which the data have been initially collected, in particular where the processing is necessary for historical, statistical or scientific research purposes. Where the other purpose is not compatible with the initial one for which the data are collected, the controller should
Amendment 122 #
Proposal for a regulation Recital 40 a (new) (40 a) In general, harmonisation of the Union law as regards to data protection must not take away the possibility of Member States to practice sector specific legislation, inter alia in the field of register-based research.
Amendment 123 #
Proposal for a regulation Recital 40 b (new) (40 b) Processing of personal data collected to another purpose can be made available for public scientific research when a scientific relevance of the processing of the collected data can be documented. Privacy by design must be taken into account when making data available for public scientific research.
Amendment 124 #
Proposal for a regulation Recital 42 (42) Derogating from the prohibition on processing sensitive categories of data should also be allowed if done by a law, and subject to suitable safeguards, so as to protect personal data and other fundamental rights, where grounds of public interest so justify and in particular for health purposes, including public health and social protection and the management of health-care services, including information sent via electronical text messages or e-mail to patients regarding appointments at hospitals or clinics, especially in order to ensure the quality and cost-effectiveness of the procedures used for settling claims for benefits and services in the health insurance system, or for historical, statistical and scientific research purposes.
Amendment 125 #
Proposal for a regulation Recital 48 (48) The principles of fair and transparent processing require that the data subject should be informed in particular of the existence of the processing operation and its purposes, the criteria and/or legal obligations which may be used as the basis for determining how long the data will be stored, on the existence of the right of access, rectification or erasure and on the right to lodge a complaint. Where the data are collected from the data subject, the data subject should also be informed whether they are obliged to provide the data and of the consequences, in cases they do not provide such data.
Amendment 126 #
Proposal for a regulation Recital 48 (48) The principles of fair and transparent processing require that the data subject should be informed in particular of the existence of the processing operation and its purposes, the criteria which may be used to determine how long the data will be stored for each purpose, on the existence of the right of access, rectification or erasure and on the right to lodge a complaint. Where the data are collected from the data subject, the data subject should also be informed whether they are obliged to provide the data and of the consequences, in cases they do not provide such data.
Amendment 127 #
Proposal for a regulation Recital 51 (51) Any person should have the right of access to data which has been collected concerning them, and to exercise this right easily, in order to be aware and verify the lawfulness of the processing. Every data subject should therefore have the right to know and obtain communication in particular for what purposes the data are processed,
Amendment 128 #
Proposal for a regulation Recital 55
Amendment 129 #
Proposal for a regulation Recital 60 (60)
Amendment 130 #
Proposal for a regulation Recital 61 a (new) (61 a) This Regulation encourages enterprises to develop internal programmes that will identify the processing operations likely to present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes, and to put in place appropriate privacy safeguards and develop innovative privacy-by-design solutions and privacy enhancing techniques. Enterprises that can publicly demonstrate that they have embedded privacy accountability do not also require the application of the additional oversight mechanisms of prior consultation and prior authorisation.
Amendment 131 #
Proposal for a regulation Recital 61 a (new) (61 a) The principle of data protection by design require data protection to be embedded within the entire life cycle of the technology, from the very early design stage, right through to their ultimate deployment, use and ultimate disposal. The principle of data protection by default requires privacy settings on services and products should by default comply with the general principles of data protection, such as data minimisation and purpose limitation.
Amendment 132 #
Proposal for a regulation Recital 62 (62) The protection of the rights and freedoms of data subjects as well as the responsibility and liability of controllers and processor, also in relation to the monitoring by and measures of supervisory authorities, requires a clear attribution of the responsibilities under this Regulation, including where a controller determines the purposes, conditions and means of the processing jointly with other controllers or where a processing operation is carried out on behalf of a controller. Where joint and several liability applies, a processor which has made amends for damage done to the data subject concerned may bring an action against the controller for reimbursement if it has acted in conformity with the legal act binding it to the controller.
Amendment 133 #
Proposal for a regulation Recital 65 (65) In order to demonstrate compliance with this Regulation, the controller or processor should
Amendment 134 #
Proposal for a regulation Recital 65 (65) In order to demonstrate compliance with this Regulation, the controller or processor should keep a document
Amendment 135 #
Proposal for a regulation Recital 67 (67) A personal data breach may, if not addressed in an adequate and timely manner, result in substantial economic loss and social harm, including identity fraud, to the individual concerned. Therefore, as soon as the controller becomes aware that
Amendment 136 #
Proposal for a regulation Recital 67 (67) A personal data breach may, if not addressed in an adequate and timely manner, result in substantial economic loss and social harm, including identity fraud, to the individual concerned. Therefore, as soon as the controller becomes aware that such a breach has occurred, the controller should notify the breach to the supervisory authority without undue delay
Amendment 137 #
Proposal for a regulation Recital 67 (67) A personal data breach may, if not addressed in an adequate and timely manner, result in substantial economic loss and social harm, including identity fraud, to the individual concerned. Therefore, as soon as the controller becomes aware that
Amendment 138 #
Proposal for a regulation Recital 67 (67) A personal data breach may, if not addressed in an adequate and timely manner, result in substantial economic loss and social harm, including identity fraud, to the individual concerned. Therefore, as soon as the controller becomes aware that such a breach has occurred, the controller should notify the breach to the supervisory authority without undue delay and, where feasible, within 72
Amendment 139 #
Proposal for a regulation Recital 70 a (new) (70 a) Directive 2002/58/EC (as amended by Directive 2009/136/EC) sets out personal data breach notification obligations for the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks in the Union. Where providers of publicly available electronic communications services also provide other services, they continue to be subject to the breach notification obligations of the ePrivacy Directive, not this Regulation. Such providers should be subject to a single personal data breach notification regime for both personal data processed in connection with the provision of a publicly available electronic communications service and for any other personal data for which they are a controller.
Amendment 140 #
Proposal for a regulation Recital 97 (97) Where the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union takes place in more than one Member State, one single supervisory authority should be competent for monitoring the processing activities of the controller or processor throughout the Union and taking the related decisions, in order to increase the consistent application, provide legal certainty and reduce administrative burden for such controllers and processors. By way of derogation from Article 51(2), when the processing of personal data is not mainly carried out by the main establishment, but by one of the other establishments of the controller or processor situated in the European Union, the competent supervisory authority for those processing operations shall be that of the Member State where that other establishment is situated. In keeping with the provisions of Chapter VII, this derogation shall be without prejudice to the right of the supervisory authority of the Member State where the main establishment is situated to require an additional declaration.
Amendment 141 #
Proposal for a regulation Recital 115
Amendment 142 #
Proposal for a regulation Recital 118 (118) Any damage which a person may suffer as a result of unlawful processing should be compensated by the controller or processor, who may be exempted from liability if they prove that they are not responsible for the damage, in particular
Amendment 143 #
Proposal for a regulation Recital 129 (129) In order to fulfil the objectives of this Regulation, namely to protect the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data and to ensure the free movement of personal data within the Union, the power to adopt acts in accordance with Article 290 of the Treaty on the Functioning of the European Union should be delegated to the Commission. In particular, delegated acts should be adopted in respect of lawfulness of processing; specifying the criteria and conditions in relation to the consent of a child; processing of special categories of data;
Amendment 144 #
Proposal for a regulation Recital 130 (130) In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission for: specifying standard forms in relation to the processing of personal data of a child;
Amendment 145 #
Proposal for a regulation Recital 131 (131) The examination procedure should be used for the adoption of specifying standard forms in relation to the consent of a child; standard procedures and forms for exercising the rights of data subjects; standard forms for the information to the data subject; standard forms and procedures in relation to the right of access;
Amendment 146 #
Proposal for a regulation Recital 139 (139) In view of the fact that, as underlined by the Court of Justice of the European Union, the right to the protection of personal data is not an absolute right, but must be considered in relation to its function in society and be balanced with other
Amendment 147 #
Proposal for a regulation Article 2 – paragraph 2 – point b
Amendment 148 #
Proposal for a regulation Article 2 – paragraph 2 – point d d) by a natural person without any gainful interest in the course of its own exclusively personal or household activity and on condition that no personal data are made accessible to an indefinite number of people;
Amendment 149 #
Proposal for a regulation Article 2 – paragraph 2 – point d a (new) da) which have been rendered anonymous within the meaning of Article 4(2a);
Amendment 150 #
Proposal for a regulation Article 2 – paragraph 2 – point e a (new) (e a) that has been rendered anonymous.
Amendment 151 #
Proposal for a regulation Article 2 – paragraph 2 – point e a (new) (e a) of natural person pursuing economic activity, which identify this person on the market;
Amendment 152 #
Proposal for a regulation Article 2 – paragraph 2 – point e a (new) (e a) in areas covered by Articles 153, 154 and 155 of the Treaty on the Functioning of the European Union (TFEU) regarding regulation of recruitment and conclusion and compliance of collective agreements.
Amendment 153 #
Proposal for a regulation Article 2 – paragraph 2 – point e b (new) (e b) of a natural person which are made public in the course of exercising professional duties such as name, contact details and function;
Amendment 154 #
Proposal for a regulation Article 2 – paragraph 3 3. This Regulation shall be without prejudice to the application of Directive 2000/31/EC, in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that Directive
Amendment 155 #
Proposal for a regulation Article 3 a (new) Article 3 a This regulation applies to the processing of personal data of data subjects not residing in the Union by a controller or processor established in the Union, through their economic activities in a third country(ies)
Amendment 156 #
Proposal for a regulation Article 3 – paragraph 1 1. This Regulation applies to the processing of personal data in the context
Amendment 157 #
Proposal for a regulation Article 3 – paragraph 2 – point a (a) the
Amendment 158 #
Proposal for a regulation Article 3 – paragraph 2 – point b (b)
Amendment 159 #
Proposal for a regulation Article 4 – paragraph 1 – point 1 (1) 'data subject' means an identified natural person or a natural person who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an identification number, location data
Amendment 160 #
Proposal for a regulation Article 4 – paragraph 1 – point 1 (1)
Amendment 161 #
Proposal for a regulation Article 4 – paragraph 1 – point 1 (1) ‘data subject’ means an identified natural person or a natural person who can be identified, directly or indirectly,
Amendment 162 #
Proposal for a regulation Article 4 – paragraph 1 – point 1 (1) ‘data subject’ means an identified natural person or a natural person who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an identification number, location data, Internet Protocol addresses, online identifier or to one or more factors specific
Amendment 163 #
Proposal for a regulation Article 4 – paragraph 1 – point 1 (1) ‘data subject’ means an identified natural person or an identifiable natural person who can be
Amendment 164 #
Proposal for a regulation Article 4 – paragraph 1 – point 1 (1) ‘data subject’ means an identified natural person or a natural person who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person to whom data have been disclosed by the controller, in particular by reference to an identification number, location data, online identifier or other unique identifiers or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person;
Amendment 165 #
Proposal for a regulation Article 4 – paragraph 1 – point 2 (2) ‘personal data’ means any information relating to a data subject; data that cannot be related to a data subject such as anonymised data or some pseudonymised data fall outside the scope of this regulation; Business Contact Information fall outside this regulation;
Amendment 166 #
Proposal for a regulation Article 4 – paragraph 1 – point 2 a (new) (2 a) 'Anonymous data' means any data that has been collected, altered or otherwise processed in such a way that it can no longer be attributed to a data subject or that such attribution would require a disproportionate amount of time, cost and effort; anonymous data shall not be considered personal data.
Amendment 167 #
Proposal for a regulation Article 4 – paragraph 1 – point 2 a (new) (2a) ‘data rendered anonymous’ means data relating to an identified natural person or a natural person who can be identified and which have been modified in such a way that this data subject cannot be identified;
Amendment 168 #
Proposal for a regulation Article 4 – paragraph 1 – point 3 – point a (new) a) 'anonymous data' shall mean information that has never related to a data subject or has been collected, altered or otherwise processed so that it cannot be attributed to a data subject.
Amendment 169 #
Proposal for a regulation Article 4 – paragraph 1 – point 3 a (new) (3 a) 'profiling' means any form of automated processing of personal data intended to evaluate certain personal aspects relating to a natural person or to analyse or predict in particular the natural person's performance at work, economic situation, location, health, personal preferences, reliability or behaviour;
Amendment 170 #
Proposal for a regulation Article 4 – paragraph 1 – point 3 a (new) (3a) ‘profiling’ means any form of automated processing intended to evaluate certain personal aspects relating to the natural person or to analyse or predict this natural person's performance at work, economic situation, place of residence, health, personal preferences, behaviour, etc.
Amendment 171 #
Proposal for a regulation Article 4 – paragraph 1 – point 3 a (new) (3 a) 'pseudonymous data' means any personal data that has been collected, altered or otherwise processed so that it of itself cannot be attributed to a data subject without the use of additional data which is subject to separate and distinct technical and organisational controls to ensure such non attribution, or that such attribution would require a disproportionate amount of time, expense and effort
Amendment 172 #
Proposal for a regulation Article 4 – paragraph 1 – point 5 (5) ‘controller’ means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes
Amendment 173 #
Proposal for a regulation Article 4 – paragraph 1 – point 8 (8)
Amendment 174 #
Proposal for a regulation Article 4 – paragraph 1 – point 8 (8) ‘the data subject's consent’ means any freely given specific
Amendment 175 #
Proposal for a regulation Article 4 – paragraph 1 – point 8 (8) ‘the data subject's consent’ means any f
Amendment 176 #
Proposal for a regulation Article 4 – paragraph 1 – point 8 a (new) (8 a) 'profiling' means automated processing intended to evaluate certain personal aspects relating to this natural person or to analyse or predict in particular the natural person's performance at work, economic situation, location, health, personal preferences, reliability or behaviour;
Amendment 177 #
Proposal for a regulation Article 4 – paragraph 1 – point 9 (9) ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed; strongly encrypted data, where there is evidence that the encryption key has not been compromised fall outside this legislation
Amendment 178 #
Proposal for a regulation Article 4 – paragraph 1 – point 9 (9) ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed
Amendment 179 #
Proposal for a regulation Article 4 – paragraph 1 – point 13 (13) ‘main establishment’ means
Amendment 180 #
Proposal for a regulation Article 4 – paragraph 1 – point 13 (13)
Amendment 181 #
Proposal for a regulation Article 4 – paragraph 1 – point 18 (18) ‘child’ means any person below the age of 1
Amendment 182 #
Proposal for a regulation Article 5 – paragraph 1 – point c (c) adequate, relevant, and
Amendment 183 #
Proposal for a regulation Article 5 – paragraph 1 – point c c) adequate, relevant, and
Amendment 184 #
Proposal for a regulation Article 5 – paragraph 1 – point e (e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the data will be
Amendment 185 #
Proposal for a regulation Article 6 a (new) Article 6 a The data will not be used against the data subject in a disciplinary hearing, or to blacklist, vet or bar them from employment
Amendment 186 #
Proposal for a regulation Article 6 – paragraph 1 – point c (c) processing is necessary for compliance with
Amendment 187 #
Proposal for a regulation Article 6 – paragraph 1 – point c (c) processing is necessary for compliance with a legal obligation to which the controller is subject or for exercising the rights of the controller.;
Amendment 188 #
Proposal for a regulation Article 6 – paragraph 1 – point e (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official
Amendment 189 #
Proposal for a regulation Article 6 – paragraph 1 – point f
Amendment 190 #
Proposal for a regulation Article 6 – paragraph 1 – point f (f) processing is necessary for the purposes of the legitimate interests pursued by a controller or controllers, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a
Amendment 191 #
Proposal for a regulation Article 6 – paragraph 1 – point f (f) processing is necessary for the purposes of the legitimate interests pursued by a controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks.
Amendment 192 #
Proposal for a regulation Article 6 – paragraph 1 – point f f) processing is necessary for the purposes of the legitimate interests pursued by a controller or by a third party or third parties to whom the data are communicated, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks.
Amendment 193 #
Proposal for a regulation Article 6 – paragraph 1 – point f f) processing is necessary for the purposes of the legitimate interests pursued by a controller or by a third party or third parties to whom the data are communicated, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks.
Amendment 194 #
Proposal for a regulation Article 6 – paragraph 1 – point f a (new) (f a) The data are collected from public registers, lists or documents accessible by everyone;
Amendment 195 #
Proposal for a regulation Article 6 – paragraph 1 – point f a (new) (f a) The processing of data, inter alia information of members of an organisation, which is done by the organisation in question in compliance with its statutory rules, is of utmost importance for the data controller in voluntary membership based organisations.
Amendment 196 #
Proposal for a regulation Article 6 – paragraph 1 – point f a (new) (f a) processing is necessary for fraud detection and prevention purposes according to applicable financial regulation or established industry, or professional body, codes of practice.
Amendment 197 #
Proposal for a regulation Article 6 – paragraph 1 – point f b (new) (f b) The processing is necessary to defend an interest, collecting evidences as judicial proofs or file an action.
Amendment 198 #
Proposal for a regulation Article 6 – paragraph 1 – point f b (new) (f b) only pseudonymous data is processed.
Amendment 199 #
Proposal for a regulation Article 6 – paragraph 3 – subparagraph 2 The law of the Member State must meet an objective of public interest or must be necessary to protect the rights and freedoms of others
Amendment 200 #
Proposal for a regulation Article 6 – paragraph 4 4. Where the purpose of further processing is not compatible with the one for which the personal data have been collected, the processing must have a legal basis at least in one of the grounds referred to
Amendment 201 #
Proposal for a regulation Article 6 – paragraph 5
Amendment 202 #
Proposal for a regulation Article 6 – paragraph 5
Amendment 203 #
Proposal for a regulation Article 7 – paragraph 1 1.
Amendment 204 #
Proposal for a regulation Article 7 – paragraph 2
Amendment 205 #
Proposal for a regulation Article 7 – paragraph 3 3. The data subject shall have the right to withdraw his or her consent
Amendment 206 #
Proposal for a regulation Article 7 – paragraph 3 3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal or in cases where data must be processed for regulatory, anti-fraud or legal purposes. If the consent is still necessary for the execution of a contract, its withdrawal implies the willingness to terminate the contract.
Amendment 207 #
Proposal for a regulation Article 7 – paragraph 3 3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Where the processing of personal data is an essential element to the controllers' ability to provide adequate security in the provision of a service to the data subject, the withdrawal of consent can lead to the termination of the service.
Amendment 208 #
Proposal for a regulation Article 7 – paragraph 3 a (new) 3 a. For the processing of special categories of personal data described in Article 9, consent shall be captured by a freely given, informed and explicit statement or other clear and affirmative action, by which the data subject signifies their agreement.
Amendment 209 #
Proposal for a regulation Article 7 – paragraph 3 b (new) 3 b. Consents captured before the coming into effect of this Regulation shall remain valid after such coming into effect.
Amendment 210 #
Proposal for a regulation Article 7 – paragraph 4
Amendment 211 #
Proposal for a regulation Article 7 – paragraph 4 4. Consent shall not provide a legal basis for the processing, where there is a significant imbalance between the position of the data subject and the controller; on the labour market there is not considered to be a significant imbalance between employer and employee.
Amendment 212 #
Proposal for a regulation Article 7 – paragraph 4 a (new)
Amendment 213 #
Proposal for a regulation Article 7 – paragraph 4 a (new) 4 a. The execution of a contract or the provision of a service may not be made dependent on the consent to the processing or use of data that is not necessary for the execution of the contract or the provision of the service according to Article 6 (1) (b).
Amendment 214 #
Proposal for a regulation Article 7 – paragraph 4 a (new) 4 a. Access to a given consent in regards to Article 6, paragraph 1 (a), as well as Article 9, paragraph 2 (a), can be limited in cases where internal rules of organisations regarding fraud and of crime prevention reasons, in accordance with legislation of the Member State, are enforced.
Amendment 215 #
Proposal for a regulation Article 7 – paragraph 4 a (new) 4a. The legislation of the Member State in which a person lacking the legal capacity to act resides shall apply when determining the conditions under which consent is given or authorised by that person.
Amendment 216 #
Proposal for a regulation Article 7 – paragraph 4 b (new) 4 b. This provision shall not apply to the right of the employer to process data on the basis of consent by the employee nor the right of public authorities to process data on the basis of consent by the citizen.
Amendment 217 #
Proposal for a regulation Article 8 – paragraph 1 1. For the purposes of this Regulation, in relation to the offering of information society services directly to a child, the
Amendment 218 #
Proposal for a regulation Article 8 – paragraph 1 1. For the purposes of this Regulation, in relation to the offering of
Amendment 219 #
Proposal for a regulation Article 8 – paragraph 1 1. For the purposes of this Regulation, in relation to the offering of
Amendment 220 #
Proposal for a regulation Article 8 – paragraph 1 a (new) 1 a. The information provided in order to express the consent should be given in a clear and age-appropriate language, in a way that would be easy to understand for the child above the age of 13;
Amendment 221 #
Proposal for a regulation Article 8 – paragraph 3
Amendment 222 #
Proposal for a regulation Article 8 – paragraph 3 3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the methods to obtain verifiable consent referred to in paragraph 1.
Amendment 223 #
Proposal for a regulation Article 8 – paragraph 4 a (new) 4 a. Paragraphs 1, 2, and 3 shall not apply where the processing of personal data of a child concerns health data and where the Member State law in the field of health and social care prioritises the competence of an individual over physical age.
Amendment 224 #
Proposal for a regulation Article 9 – paragraph 1 1. The processing of personal data, revealing race or ethnic origin, political opinions, religion or beliefs, trade-union membership, significant social problems, private information and the processing of genetic data or data concerning health or sex life or criminal convictions or related security
Amendment 225 #
Proposal for a regulation Article 9 – paragraph 1 1. The processing of personal data, revealing race or ethnic origin, political opinions, religion or beliefs, trade-union membership and activities, and the processing of genetic data or data concerning health or sex life or criminal convictions or related security measures shall be prohibited.
Amendment 226 #
Proposal for a regulation Article 9 – paragraph 2 – point a (a) the data subject has given consent to the processing of those personal data, subject to the conditions laid down in Articles 7 and 8, except where Union law or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject. In particular, this would include safeguards to prevent the blacklisting of workers, for example in relation to their trade union activities or health and safety representative roles; or
Amendment 227 #
Proposal for a regulation Article 9 – paragraph 2 – point b (b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller in the field of employment law in so far as it is authorised by Union law
Amendment 228 #
Proposal for a regulation Article 9 – paragraph 2 – point d (d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association, organizations on the labour market or any other non-profit-seeking body with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the data are not disclosed outside that body without the consent of the data subjects; or
Amendment 229 #
Proposal for a regulation Article 9 – paragraph 2 – point e (e) the processing relates to personal data which are manifestly made public by the data subject or which are freely transferred to the controller on the initiative of data subject and which are processed for the specific purpose determined by data subject and in his interest; or
Amendment 230 #
Proposal for a regulation Article 9 – paragraph 2 – point j (j) processing of data relating to criminal convictions or related security measures is carried out either under the
Amendment 231 #
Proposal for a regulation Article 9 – paragraph 2 – point j a (new)
Amendment 232 #
Proposal for a regulation Article 9 – paragraph 3
Amendment 233 #
Proposal for a regulation Article -11 (new) Article -11 General principles for data subject rights 1. The basis of data protection are clear and unambiguous rights for the data subject with respect to the data controller. The provisions of this Regulation aim to strengthen, clarify, guarantee and where appropriate, codify, these rights. 2. Such rights include, inter alia, the provision of clear, easily understood information regarding the data controller's policies for data subject access, rectification and erasure to their data, the right to data portability and the right to object to profiling; that such rights in general must be exercised free of charge and that the data controller will undertake requests from the data subject within a reasonable period of time.
Amendment 234 #
Proposal for a regulation Article 11 – paragraph 2 2. The controller shall provide any information and any communication relating to the processing of personal data to the data subject in an intelligible form, using clear and plain language,
Amendment 235 #
Proposal for a regulation Article 11 – paragraph 2 a (new) 2 a. Information for data subjects shall be provided in a format offering data subjects the information needed to understand their position and make decisions in an appropriate way. Full information shall be available on request. Therefore the controller shall provide transparency in information and communication in his data protection policies through an easily understandable icon-based mode of description for the different steps of data-processing.
Amendment 236 #
Proposal for a regulation Article 11 – paragraph 2 b (new) 2 b. The Commission may lay down technical standards for the purpose of further specifying the mode of description laid down in paragraph 3 concerning e.g. the processing, storage duration, transfer or deletion of data by establishing icons or other instruments in order to provide information in a standardised way. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87 (2).
Amendment 237 #
Proposal for a regulation Article 12 – paragraph 1 1. The controller shall establish procedures for providing the information referred to in Article 14 and for the exercise of the rights of data subjects referred to in Article 13 and Articles 15 to 19. The controller shall provide in particular mechanisms for facilitating the request for the actions referred to in Article 13 and Articles 15 to 19. Where personal data are processed by automated means, the controller shall also provide means for requests to be made electronically. The procedures referred to in this Article can be procedures already established by public authorities in the Member States provided that the procedures comply with the provisions of the Regulation.
Amendment 238 #
Proposal for a regulation Article 12 – paragraph 2 2. The controller shall inform the data subject without delay and, at the latest within one month of receipt of the request, whether or not any action has been taken pursuant to Article 13 and Articles 15 to 19 and shall provide the requested information. This period may be prolonged for a further month, if several data subjects exercise their rights and their cooperation is necessary to a reasonable extent to
Amendment 239 #
Proposal for a regulation Article 12 – paragraph 4 4. The information and the actions taken on requests referred to in paragraph 1 shall be free of charge. Where requests are vexatious or manifestly excessive, in particular because of their repetitive character, the controller may charge a fee for providing the information or taking the action requested, or the controller may not take the action requested. In that case, the controller shall bear the burden of proving the manifestly excessive character of the request.
Amendment 240 #
Proposal for a regulation Article 12 – paragraph 4 4. The information and the actions taken on requests referred to in paragraph 1 shall be free of charge. Where requests are manifestly excessive, in particular because of their repetitive character, the controller may charge a reasonable fee for providing the information or taking the action
Amendment 241 #
Proposal for a regulation Article 12 – paragraph 4 4. The information and the actions taken on requests referred to in paragraph 1 shall be free of charge. Where requests are manifestly excessive, in particular because of their repetitive character, the controller may charge a fee for providing the information or taking the action requested, or the controller may not take the action requested. In that case, the controller shall bear the burden of proving the manifestly excessive character of the request. The controller may charge a nominal fee set by the law of the Member State to which the controller is subject for providing the information or taking the action requested if the controller is a credit reference agency responding to a request from a consumer for access to their credit file.
Amendment 242 #
Proposal for a regulation Article 12 – paragraph 4 4. The information and the actions taken on requests referred to in paragraph 1 shall be free of charge. Where requests are manifestly excessive, in particular
Amendment 243 #
Proposal for a regulation Article 12 – paragraph 5
Amendment 244 #
Proposal for a regulation Article 12 – paragraph 6
Amendment 245 #
Proposal for a regulation Article 13 – paragraph 1 The controller shall communicate any rectification or erasure carried out in accordance with Articles 16 and 17 to each recipient to whom the data have been disclosed
Amendment 246 #
Proposal for a regulation Article 14 a (new) Article 14 a The controller must ensure that sufficient documentation for a data subject's identity has been received, when the data subject enforces the rights referred to in articles 14-19 in this regulation.
Amendment 247 #
Proposal for a regulation Article 14 – paragraph 1 – introductory part 1. Where personal data relating to a data subject are collected, the controller shall provide the data subject with
Amendment 248 #
Proposal for a regulation Article 14 – paragraph 1 – point c c) the criteria and/or legal requirements for determining the period for which the personal data will be stored;
Amendment 249 #
Proposal for a regulation Article 14 – paragraph 1 – point c c) the criteria for determining the period for which the personal data will be stored for each purpose;
Amendment 250 #
Proposal for a regulation Article 14 – paragraph 1 – point g g) where applicable, that the controller intends to transfer to a third country or international organisation and
Amendment 251 #
Proposal for a regulation Article 14 – paragraph 1 – point h h) any further information which the controller considers necessary to guarantee fair processing in respect of the data subject, having regard to the specific circumstances in which the personal data are collected.
Amendment 252 #
Proposal for a regulation Article 14 – paragraph 3 3. Where the personal data are not collected from the data subject, the controller shall inform the data subject, in addition to the information referred to in paragraph 1, from which source the personal data originate. This would include data sourced from a third party illegally and passed on to the controller.
Amendment 253 #
Proposal for a regulation Article 14 – paragraph 5 – point b
Amendment 254 #
Proposal for a regulation Article 14 – paragraph 5 – point b
Amendment 255 #
Proposal for a regulation Article 14 – paragraph 5 – point b (b) the data are not collected from the data subject and the provision of such information proves impossible or would involve a disproportionate effort and generate excessive administrative burden, especially when the processing is carried out by a SME as defined in EU recommendation 2003/361; or
Amendment 256 #
Proposal for a regulation Article 15 – paragraph 1 – introductory part 1. The data subject shall have the right to obtain from the controller at any time, on request and by paying the cost of extracting the information, confirmation as to whether or not personal data relating to the data subject are being processed in order to be aware and verify the lawfulness of the processing. Where such personal data are being processed, the controller shall provide the following information:
Amendment 257 #
Proposal for a regulation Article 15 – paragraph 1 – point d (d) the
Amendment 258 #
Proposal for a regulation Article 15 – paragraph 1 – point h a (new) (h a) where applicable, where data is collected and processed in exchange for the provision of free services, the controller's value estimate of the subject's processed data.
Amendment 259 #
Proposal for a regulation Article 15 – paragraph 2 2. The data subject shall have the right to obtain from the controller communication of the personal data undergoing processing. Where the data subject makes the request in electronic form, the information shall be provided in electronic form,
Amendment 260 #
Proposal for a regulation Article 15 – paragraph 2 2. The data subject shall have the right to obtain from the controller communication of the personal data undergoing processing and profiling. Where the data subject makes the request in electronic form, the information shall be provided in electronic form, unless otherwise requested by the data subject.
Amendment 261 #
Proposal for a regulation Article 15 – paragraph 2 2. The data subject shall have the right to obtain from the controller communication of the personal data undergoing processing. Where the data subject makes the request in electronic form, the information shall be provided in electronic form, unless otherwise requested by the data subject. The controller shall use all reasonable measures to verify the identity of a data subject requesting access to data.
Amendment 262 #
Proposal for a regulation Article 15 – paragraph 4 a (new) 4 a. Subject to the necessary legal safeguards, especially in order to ensure that information is not used to take measures or decisions regarding specific persons, Member States can, in cases with no risk of violation of privacy, by law limit the rights following article 15 only if these rights are processed as part of scientific research in compliance with article 83 of this Regulation or only if these personal data are stored in the specific timeframe it takes to make statistics.
Amendment 263 #
Proposal for a regulation Article 16 – paragraph 1 a (new) Paragraph 1 shall not apply to pseudonymous data.
Amendment 265 #
Proposal for a regulation Article 17 a (new) Article 17 a In compliance with the data requirements of this Regulation, especially privacy by design, the provisions in paragraph 4 and 6 of this Article do not change the right of public authorities to store data to have the possibility of having documentary evidence of a given case history.
Amendment 266 #
Proposal for a regulation Article 17 – paragraph 1 a (new) 1 a. The right to erasure shall not apply when the retention of personal data is necessary for the performance of a contract between an organisation and the data subject, or when there is a regulatory requirement to retain this data, or for fraud prevention purposes;
Amendment 267 #
Proposal for a regulation Article 17 – paragraph 1 – point a
Amendment 268 #
Proposal for a regulation Article 17 – paragraph 1 – point a (a) the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed and the legal mandatory retention period has expired;
Amendment 269 #
Proposal for a regulation Article 17 – paragraph 1 – point a (a) the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed and when the data controller has no legal or regulatory ground to retain the data;
Amendment 270 #
Proposal for a regulation Article 17 – paragraph 1 – point b (b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or when the storage period consented to has expired
Amendment 271 #
Proposal for a regulation Article 17 – paragraph 1 – point c (c) the data subject objects to the processing of personal data pursuant to
Amendment 272 #
Proposal for a regulation Article 17 – paragraph 1 – point d
Amendment 273 #
Proposal for a regulation Article 17 – paragraph 2
Amendment 274 #
Proposal for a regulation Article 17 – paragraph 2 2. Where the controller referred to in paragraph 1 has made the personal data public, it shall take all reasonable steps, including technical measures, in relation to data for the publication of which the controller is responsible, to inform those third parties which are processing such data contractually on behalf of the controller, that a data subject requests them to erase any links to, or copy or replication of that personal data. Where the controller has authorised a third party publication of personal data, the controller shall be considered responsible for that publication. Anonymised data, some pseudonymised data and publicly unavailable or unreadable data are excepted
Amendment 275 #
Proposal for a regulation Article 17 – paragraph 2 2. Where the controller referred to in paragraph 1 has made the personal data public without the consent of the data subject, it shall take all reasonable steps, including technical measures, in relation to data for the publication of which the controller is responsible, to inform third parties which are processing such data, that a data subject requests them to erase any links to, or copy or replication of that personal data. Where the controller has authorised a third party publication of personal data, the controller shall be considered responsible for that publication
Amendment 276 #
Proposal for a regulation Article 17 – paragraph 2 a (new) 2a. The controller referred to in paragraph 1 shall inform the data subject of the action taken in response to their request by the third parties referred to in paragraph 2.
Amendment 277 #
Proposal for a regulation Article 17 – paragraph 3 – point e a (new) (e a) for prevention or detection of fraud, confirming identity, and/or determining creditworthiness, or ability to pay.
Amendment 278 #
Proposal for a regulation Article 17 – paragraph 4 – point c
Amendment 279 #
Proposal for a regulation Article 17 – paragraph 4 – point d
Amendment 280 #
Proposal for a regulation Article 18
Amendment 281 #
Proposal for a regulation Article 18 – paragraph 1 1. The data subject shall have the right, where personal data are processed by electronic means and in a structured and commonly used format, to obtain from the controller a copy of data undergoing processing
Amendment 282 #
Proposal for a regulation Article 18 – paragraph 1 1. The data subject shall have the right, where personal data are processed by
Amendment 283 #
Proposal for a regulation Article 18 – paragraph 2
Amendment 284 #
Proposal for a regulation Article 18 – paragraph 3 3. The
Amendment 285 #
Proposal for a regulation Article 19 – paragraph 1 1.
Amendment 286 #
Proposal for a regulation Article 19 – paragraph 1 1. The data subject shall have the right to object, on grounds relating to their particular situation, at any time to the processing of personal data which is based on points (d), (e) and (f) of Article 6(1), unless the controller demonstrates
Amendment 287 #
Proposal for a regulation Article 19 – paragraph 2 2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object free of charge to the processing of their personal data for such marketing. This right shall be explicitly offered
Amendment 288 #
Proposal for a regulation Article 19 – paragraph 3 3. Where an objection is upheld pursuant to paragraphs 1 and 2, the controller shall no longer use or otherwise process the personal data concerned for the purposes determined in the objection.
Amendment 289 #
Proposal for a regulation Article 19 – paragraph 3 a (new) 3 a. Where pseudonymous data are processed based on Article 6(1)(g), the data subject shall have the right to object free of charge to the processing. This right shall be explicitly offered to the data subject in an intelligible manner and shall be clearly distinguishable from other information.
Amendment 290 #
Proposal for a regulation Article 20 – title Measures based on
Amendment 291 #
Proposal for a regulation Article 20 – paragraph 1 1. Every natural person shall have the right not to be subject to a measure which produces legal effects concerning this natural
Amendment 292 #
Proposal for a regulation Article 20 – paragraph 1 1. Every natural person shall have the right, both offline and online, not to be subject to a measure which produces legal effects concerning this natural person or significantly affects this natural person, and which is based solely on automated processing intended to evaluate certain personal aspects relating to this natural person or to analyse or predict in particular the natural person's performance at work, economic situation, location, health, personal preferences, reliability or behaviour.
Amendment 293 #
Proposal for a regulation Article 20 – paragraph 1 1. Every natural person shall have the right both offline and online not to be subject to a measure
Amendment 294 #
Proposal for a regulation Article 20 – paragraph 1 1.
Amendment 295 #
Proposal for a regulation Article 20 – paragraph 2
Amendment 296 #
Proposal for a regulation Article 20 – paragraph 2 – introductory part 2. Subject to the other provisions of this Regulation, a person may be subjected to a measure of the kind referred to in paragraph 1
Amendment 297 #
Proposal for a regulation Article 20 – paragraph 2 – introductory part 2. Subject to the other provisions of this Regulation, including paragraphs (3) and (4), a person may be subjected to a measure of the kind referred to in paragraph 1 only if the processing:
Amendment 298 #
Proposal for a regulation Article 20 – paragraph 2 a (new) 2 a. In any case, children should not be subject to measures of profiling, as referred to in paragraph 1;
Amendment 299 #
Proposal for a regulation Article 20 – paragraph 2 – point a (a) is
Amendment 300 #
Proposal for a regulation Article 20 – paragraph 2 – point a a) is carried out in the course of the entering into, or performance of, a contract, where the request for the entering into or the performance of the contract, lodged by the data subject, has been satisfied or where suitable measures to safeguard the data subject's legitimate interests have been adduced, such as the right to obtain human intervention, and the right to information on the structure and architecture of the system used and the implications of profiling; or
Amendment 301 #
Proposal for a regulation Article 20 – paragraph 2 – point b (b) is
Amendment 302 #
Proposal for a regulation Article 20 – paragraph 2 – point b (b) is
Amendment 303 #
Proposal for a regulation Article 20 – paragraph 2 – point b (b) is expressly authorized by a Union or Member State law which also lays down suitable measures to safeguard the data subject's legitimate interests, and which protects the data subjects against possible discrimination resulting from measures described in paragraph 1; or
Amendment 304 #
Proposal for a regulation Article 20 – paragraph 2 – point c (c) is based on the data subject's consent, subject to the conditions laid down in Article 7 and to suitable safeguards, including effective protection against possible discrimination resulting from measures described in paragraph 1.
Amendment 305 #
Proposal for a regulation Article 20 – paragraph 2 – point c a (new) (c a) is carried out for the purpose of monitoring and prevention of fraud
Amendment 306 #
Proposal for a regulation Article 20 – paragraph 2 – point c a (new) (c a) is carried out to prevent or detect fraud, confirm identity and/or to determine creditworthiness or ability to pay, in each case when suitable measures to safeguard the data subject's legitimate interests have been adduced, such as the right to obtain human intervention.
Amendment 307 #
Proposal for a regulation Article 20 – paragraph 2 – point c b (new) (c b) is carried out based on a well founded suspicion of committing a crime to the detriment of the controller, especially banks, financial and credit institutions and their clients
Amendment 308 #
Proposal for a regulation Article 20 – paragraph 2 – point c c (new) (c c) is carried out for the purpose of assessing credit worthiness, assuring safety and reliability of services provided by the controller
Amendment 309 #
Proposal for a regulation Article 20 – paragraph 3
Amendment 310 #
Proposal for a regulation Article 20 – paragraph 3 3. Automated processing of personal data intended to evaluate certain personal aspects relating to a natural person shall not
Amendment 311 #
Proposal for a regulation Article 20 – paragraph 3 a (new)
Amendment 312 #
Proposal for a regulation Article 20 – paragraph 3 a (new) 3a. Profiling ‘whether intentional or not’ shall be prohibited if the data collected could lead to discrimination against individuals and affect sensitive personal areas – such as information and data on gender, provenance, political and religious beliefs, membership of parties and clubs, sexual orientation, etc.
Amendment 313 #
Proposal for a regulation Article 20 – paragraph 3 b (new) 3 b. Automated processing of personal data intended to evaluate certain personal aspects relating to a natural person shall not be used to identify or individualise children.
Amendment 314 #
Proposal for a regulation Article 20 – paragraph 4
Amendment 315 #
Proposal for a regulation Article 20 – paragraph 4 4. In the cases referred to in paragraph 2, the information to be provided by the controller under Articles 14 and 15 shall include information as to the existence of processing for a measure of the kind referred to in paragraph 1 and the envisaged effects of such processing on the data subject, as well as the access to the logic underpinning the data undergoing processing.
Amendment 316 #
Proposal for a regulation Article 20 – paragraph 5
Amendment 317 #
Proposal for a regulation Article 20 – paragraph 5
Amendment 318 #
Proposal for a regulation Article 20 – paragraph 5 5.
Amendment 319 #
Proposal for a regulation Article 20 – paragraph 5 5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and conditions for suitable measures to safeguard the data subject's legitimate interests referred to in paragraph 2. In doing so, the Commission should above all work closely with representatives from data protection organisations.
Amendment 320 #
Proposal for a regulation Article 21 – paragraph 2 2. In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions at least as to the aim of the processing, the objectives to be pursued by the processing and the determination of the controller.
Amendment 321 #
Proposal for a regulation Article 22 – title
Amendment 322 #
Proposal for a regulation Article 22 – paragraph 4
Amendment 323 #
Proposal for a regulation Article 23 – paragraph 1 1. Having regard to the state of the art
Amendment 324 #
Proposal for a regulation Article 23 – paragraph 1 1.
Amendment 325 #
Proposal for a regulation Article 23 – paragraph 1 a (new) 1 a. Anonymisation or pseudonymisation of personal data should be applied by the data processor where feasible and proportionate according to the purpose of processing.
Amendment 326 #
Proposal for a regulation Article 23 – paragraph 2 2. The controller shall implement mechanisms for ensuring that, by default, only those personal data are collected for purposes which are defined, explicit and legitimate and only those personal data are processed which are necessary for each specific purpose of the processing and are especially not collected or retained beyond the minimum necessary for those purposes, both in terms of the amount of the data and the time of their storage. In particular, those mechanisms shall ensure that by default personal data are not made accessible to an indefinite number of individuals.
Amendment 327 #
Proposal for a regulation Article 23 – paragraph 2 2. The controller shall implement mechanisms for ensuring that, by default, only those personal data are processed which are necessary for each specific purpose of the processing, that the settings automatically comply with the general principles of data protection of this Regulation, and are especially not collected or retained beyond the minimum necessary for those purposes, both in terms of the amount of the data and the time of their storage. In particular, those mechanisms shall ensure that by default personal data are not made accessible to an indefinite number of individuals.
Amendment 328 #
Proposal for a regulation Article 23 – paragraph 2 2.
Amendment 329 #
Proposal for a regulation Article 23 – paragraph 3
Amendment 330 #
Proposal for a regulation Article 23 – paragraph 3
Amendment 331 #
Proposal for a regulation Article 23 – paragraph 4
Amendment 332 #
Proposal for a regulation Article 23 – paragraph 4
Amendment 333 #
Proposal for a regulation Article 26 – paragraph 1 1. Where a processing operation is to be carried out on behalf of a controller and which involves the processing of data that would permit the processor to reasonably identify the data subject, the controller shall choose a processor providing sufficient guarantees to implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject, in particular in respect of the technical security measures and organizational measures governing the processing to be carried out and shall ensure compliance with those measures. The controller remains solely responsible for ensuring compliance with the requirements of this Regulation.
Amendment 334 #
Proposal for a regulation Article 26 – paragraph 2 – point d
Amendment 335 #
Proposal for a regulation Article 26 – paragraph 2 – point h a (new) (h a) When a processor is processing data on behalf of the controller, the processor must implement privacy by design and privacy by default.
Amendment 336 #
Proposal for a regulation Article 26 – paragraph 3 a (new) 3 a. The controller is deemed to have fulfilled the obligations set out in paragraph 1 when choosing a processor who has voluntarily self-certified or voluntarily obtained a certification, seal or mark pursuant to Articles 38 or 39 of this Regulation showing the implementation of appropriate standard technical and organizational measures in response to the requirements set out in this Regulation.
Amendment 337 #
Proposal for a regulation Article 28 – paragraph 1 1. Each controller and processor and, if any, the controller's representative, shall maintain documentation of all processing
Amendment 338 #
Proposal for a regulation Article 28 – paragraph 1 1. Each controller and processor and, if any, the controller's representative, shall maintain documentation of
Amendment 339 #
Proposal for a regulation Article 28 – paragraph 2 – introductory part 2. The documentation shall contain
Amendment 340 #
Proposal for a regulation Article 28 – paragraph 2 – introductory part 2. The core documentation shall contain at least the following information:
Amendment 341 #
Proposal for a regulation Article 28 – paragraph 2 – point c (c) the
Amendment 342 #
Proposal for a regulation Article 28 – paragraph 2 – point d d
Amendment 343 #
Proposal for a regulation Article 28 – paragraph 2 – point e
Amendment 344 #
Proposal for a regulation Article 28 – paragraph 2 – point f (f) where applicable, transfers of personal data to a
Amendment 345 #
Proposal for a regulation Article 28 – paragraph 2 – point g
Amendment 346 #
Proposal for a regulation Article 28 – paragraph 4 a (new) 4 a. a public authority when dealing with data other than personal sensitive data as referred to in Article 9, paragraph 1, of this Regulation.
Amendment 347 #
Proposal for a regulation Article 28 – paragraph 4 – point b
Amendment 348 #
Proposal for a regulation Article 28 – paragraph 5
Amendment 349 #
Proposal for a regulation Article 28 – paragraph 6
Amendment 350 #
Proposal for a regulation Article 30 – paragraph 2 2. The controller and the processor shall, following an evaluation of the risks, take the measures referred to in paragraph 1 to protect personal data against
Amendment 351 #
Proposal for a regulation Article 30 – paragraph 3
Amendment 352 #
Proposal for a regulation Article 30 – paragraph 3
Amendment 353 #
Proposal for a regulation Article 30 – paragraph 4
Amendment 354 #
Proposal for a regulation Article 31 – paragraph 1 1. In the case of a significant personal data breach, the controller shall without undue delay
Amendment 355 #
Proposal for a regulation Article 31 – paragraph 1 1. In the case of a personal data breach, the controller shall without undue delay
Amendment 356 #
Proposal for a regulation Article 31 – paragraph 1 1. In the case of a personal data breach
Amendment 357 #
Proposal for a regulation Article 31 – paragraph 1 1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72
Amendment 358 #
Proposal for a regulation Article 31 – paragraph 1 1. In the case of a personal data breach which significantly affects the data subject, the controller shall, without undue delay
Amendment 359 #
Proposal for a regulation Article 31 – paragraph 1 1.
Amendment 360 #
Proposal for a regulation Article 31 – paragraph 1 1. In the case of a personal data breach, the controller shall, without undue delay
Amendment 361 #
Proposal for a regulation Article 31 – paragraph 3 – introductory part 3. The notification referred to in paragraph 1 must
Amendment 362 #
Proposal for a regulation Article 31 – paragraph 5
Amendment 363 #
Proposal for a regulation Article 31 – paragraph 6
Amendment 364 #
Proposal for a regulation Article 32 – paragraph 1 1.
Amendment 365 #
Proposal for a regulation Article 32 – paragraph 1 1. When the personal data breach is likely to have a serious adverse
Amendment 366 #
Proposal for a regulation Article 32 – paragraph 1 1. When the personal data breach is likely to adversely affect
Amendment 367 #
Proposal for a regulation Article 32 – paragraph 1 1. When the personal data breach is likely to adversely affect the protection of the personal data or privacy of the data subject, the controller shall, after the notification referred to in Article 31, communicate the personal data breach to the data subject with
Amendment 368 #
Proposal for a regulation Article 32 – paragraph 1 1. When the personal data breach is likely to adversely affect the protection of the personal data or privacy of the data subject, inter alia by identity theft or fraud, physical harm, significant humiliation or damage to reputation, the controller shall, after the notification referred to in Article 31, communicate the personal data breach to the data subject
Amendment 369 #
Proposal for a regulation Article 32 – paragraph 1 – subparagraph 1 (new) Exemptions from data breach provisions should be awarded where sophisticated encryption is used or if measures are taken to adequately compensate those affected.
Amendment 370 #
Proposal for a regulation Article 32 – paragraph 2 2. The communication to the data subject
Amendment 371 #
Proposal for a regulation Article 32 – paragraph 3 3. The communication of a personal data breach to the data subject shall not be required if the data breach does not have significant risk of harm to citizens and the controller demonstrates to the satisfaction of the supervisory authority that it has implemented appropriate technological protection measures, and that those measures were applied to the data concerned by the personal data breach. Such technological protection measures shall render the data unintelligible to any person who is not authorised to access it.
Amendment 372 #
Proposal for a regulation Article 32 – paragraph 5
Amendment 373 #
Proposal for a regulation Article 32 – paragraph 6
Amendment 374 #
Proposal for a regulation Article 33 – paragraph 1 1. Where processing operations present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes, or where processing takes place as a public sector infrastructure project the controller or the processor acting on the controller's behalf shall carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
Amendment 375 #
Proposal for a regulation Article 33 – paragraph 1 1. Where processing operations present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes, the controller or the processor acting on the controller's behalf shall carry out an assessment of the impact of the envisaged processing operations on the protection of personal data, unless the activities concerned do not present a risk to the privacy of the data subject.
Amendment 376 #
Proposal for a regulation Article 33 – paragraph 2 – introductory part 2. The following processing operations
Amendment 377 #
Proposal for a regulation Article 33 – paragraph 2 – point b (b) information on sex life, health, political opinions, religious beliefs, criminal convictions, race and ethnic origin or for the provision of health care, epidemiological researches, or surveys of mental or infectious diseases, where the data are processed for taking measures or decisions regarding specific individuals on a large scale;
Amendment 378 #
Proposal for a regulation Article 33 – paragraph 3 3. The assessment shall contain at least a general description of the envisaged processing operations, an assessment of the risks to the rights and freedoms of data subjects, the measures envisaged to address the risks, safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation, taking
Amendment 379 #
Proposal for a regulation Article 33 – paragraph 4
Amendment 380 #
Proposal for a regulation Article 33 – paragraph 4
Amendment 381 #
Proposal for a regulation Article 33 – paragraph 5
Amendment 382 #
Proposal for a regulation Article 33 – paragraph 5 5. Where the controller is a public authority or body or where the data is processed by another body which has been entrusted with the responsibility of delivering public service tasks, and where the processing results from a legal obligation pursuant to point (c) of Article 6(1) providing for rules and procedures pertaining to the processing operations and regulated by Union law, paragraphs 1 to 4 shall not apply, unless Member States deem it necessary to carry out such assessment prior to the processing activities.
Amendment 383 #
Proposal for a regulation Article 33 – paragraph 6
Amendment 384 #
Proposal for a regulation Article 33 – paragraph 7
Amendment 385 #
Proposal for a regulation Article 34 – paragraph 8
Amendment 386 #
Proposal for a regulation Article 34 – paragraph 9
Amendment 387 #
Proposal for a regulation Article 35 – paragraph 1 – introductory part 1. The controller and the processor sh
Amendment 388 #
Proposal for a regulation Article 35 – paragraph 1 – introductory part 1. The controller and the processor shall involve the respective works council in designat
Amendment 389 #
Proposal for a regulation Article 35 – paragraph 1 – point b
Amendment 390 #
Proposal for a regulation Article 35 – paragraph 1 – point b
Amendment 391 #
Proposal for a regulation Article 35 – paragraph 5 5. The controller or processor shall
Amendment 392 #
Proposal for a regulation Article 35 – paragraph 7
Amendment 393 #
Proposal for a regulation Article 35 – paragraph 7 7. The controller or the processor shall designate a data protection officer for a period of at least two years. The data protection officer may be reappointed for further terms.
Amendment 394 #
Proposal for a regulation Article 35 – paragraph 7 7. The controller or the processor shall designate a data protection officer for a period of at least two years. The data protection officer may be reappointed for further terms. During and after their term of office, the data protection officer may only be dismissed, if the data protection officer no longer fulfils the conditions required for the performance of their duties. A higher level of protection against dismissal must apply for the data protection officer.
Amendment 395 #
Proposal for a regulation Article 35 – paragraph 10 10. Data subjects shall have the right to contact the data protection officer on all issues related to
Amendment 396 #
Proposal for a regulation Article 35 – paragraph 11
Amendment 397 #
Proposal for a regulation Article 36 – paragraph 2 2.
Amendment 398 #
Proposal for a regulation Article 42 – paragraph 1 1. Where the Commission has taken no decision pursuant to Article 41, a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has adduced appropriate safeguards with respect to the protection of personal data in a legally binding instrument, and where appropriate pursuant to an impact assessment, where the controller or processor has ensured that the recipient of data in a third country maintains high standards of data protection.
Amendment 399 #
Proposal for a regulation Article 42 – paragraph 2 – point c a (new) (c a) standard data protection clauses, as adopted according to points (a) and (b), between the data controller or data processor and the recipient of data situated in a third country, which may include standard terms for onward transfers to a recipient situated in a third country;
Amendment 400 #
Proposal for a regulation Article 44 – paragraph 1 – point h (h) the transfer is necessary for the
Amendment 401 #
Proposal for a regulation Article 44 – paragraph 7
Amendment 402 #
Proposal for a regulation Article 51 – paragraph 1 a (new) 1a. In the event of a complaint by a data subject or a body, organisation or association referred to in Article 73(2), the supervisory authority responsible shall be that of the Member State in which the complaint was made. That authority shall be competent to take action on the complaint. It shall also be competent to supervise the controller’s processing activities or those of a processor, without prejudice to paragraph 2.
Amendment 403 #
Proposal for a regulation Article 51 – paragraph 2 2.
Amendment 404 #
Proposal for a regulation Article 51 – paragraph 2 a (new) 2a. By derogation from Article 51(2), when the processing of personal data is not mainly carried out by the main establishment but by one of the other establishments of the controller or processor situated in the European Union, the competent supervisory authority for those processing operations shall be that of the Member State where that other establishment is situated. However, and without prejudice to the provisions of Chapter VII of this Regulation, the main establishment shall make an additional declaration to the competent supervisory authority of the Member State where it is situated, should that authority so require.
Amendment 405 #
Proposal for a regulation Article 59 – paragraph 4 4. Where the supervisory authority concerned intends not to follow the opinion of the Commission, it shall inform the Commission and the European Data Protection Board thereof within the period referred to in paragraph 1 and provide a justification.
Amendment 406 #
Proposal for a regulation Article 62 – paragraph 2
Amendment 407 #
Proposal for a regulation Article 73 – paragraph 1 1. Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority in any Member State if they consider that the processing of personal data relating to them does not comply with this Regulation. This complaint must not inflict costs on the data subject.
Amendment 408 #
Proposal for a regulation Article 73 – paragraph 2
Amendment 409 #
Proposal for a regulation Article 73 – paragraph 2 2. Any body, organisation or association
Amendment 410 #
Proposal for a regulation Article 74 – paragraph 1 1. Each natural or legal person, including each data controller and data processor, shall have the right to a judicial remedy against decisions of a supervisory authority concerning or affecting them.
Amendment 411 #
Proposal for a regulation Article 74 – paragraph 4
Amendment 412 #
Proposal for a regulation Article 76 – paragraph 1
Amendment 413 #
Proposal for a regulation Article 76 – paragraph 1 1. Any body, organisation or association referred to in Article 73(2) shall have the right to exercise the rights referred to in Articles 74, 75 and 7
Amendment 414 #
Proposal for a regulation Article 77 – paragraph 1 1. Any person who has suffered material or immaterial damage as a result of an unlawful processing operation or of an action incompatible with this Regulation shall have the right to receive compensation from the controller or the processor for the damage suffered.
Amendment 415 #
Proposal for a regulation Article 77 – paragraph 1 1. Any person who has suffered damage as a result of an unlawful processing operation, including blacklisting, or of an action incompatible with this Regulation shall have the right to receive compensation from the controller or the processor for the damage suffered and for any emotional injury.
Amendment 416 #
Proposal for a regulation Article 78 – paragraph 2 a (new) 2 a. Any person or enterprise that is known to have infringed the provisions of this regulation, for example by illegally accessing employees' personal data to blacklist them or bar them from employment, should be excluded from receiving EU grants and funding and from taking part in calls for tender for other public procurement contracts at EU, national or public authority level until all legal proceedings are proven to be completed and all compensation has been paid in full to all victims.
Amendment 417 #
Proposal for a regulation Article 79 – paragraph 1 1. Each competent supervisory authority shall be empowered to impose administrative sanctions in accordance with this Article.
Amendment 418 #
Proposal for a regulation Article 79 – paragraph 1 1.
Amendment 419 #
Proposal for a regulation Article 79 – paragraph 2 2. The administrative sanction shall be in each individual case effective, proportionate and dissuasive. The amount of the administrative fine shall be fixed with due regard to the nature, gravity and duration of the breach, the intentional or negligent character of the infringement, the particular categories of personal data, the degree of responsibility of the natural or legal person and of previous breaches by this person, the technical and organisational measures and procedures implemented pursuant to Article 23 and the degree of co-operation with the supervisory authority in order to remedy the breach.
Amendment 420 #
Proposal for a regulation Article 79 – paragraph 2 2. The administrative sanction shall be in each individual case effective, proportionate and dissuasive. The amount of the administrative fine shall be fixed with due regard to the nature, gravity and duration of the breach, the sensitivity of the data in issue, the intentional or negligent character of the infringement, the degree of harm or risk of harm created by the violation, the degree of responsibility of the natural or legal person and of previous breaches by this person, the technical and organisational measures and procedures implemented pursuant to Article 23 and the
Amendment 421 #
Proposal for a regulation Article 79 – paragraph 2 a (new) 2 a. Aggravating factors that support administrative fines at the upper limits established in paragraphs 4 to 6 shall include in particular: (i) repeated violations committed in reckless disregard of applicable law; (ii) refusal to co-operate with or obstruction of an enforcement process; (iii) violations that are deliberate, serious and likely to cause substantial damage; (iv) a data protection impact assessment has not been undertaken; (v) a data protection officer has not been appointed.
Amendment 422 #
Proposal for a regulation Article 79 – paragraph 2 b (new) 2 b. Mitigating factors which support administrative fines at the lower limits established in paragraphs 4 to 6 shall include: (i) measures having been taken by the natural or legal person to ensure compliance with relevant obligations; (ii) genuine uncertainty as to whether the activity constituted a violation of the relevant obligations; (iii) immediate termination of the violation upon knowledge; (iv) co-operation with any enforcement processes; (v) a data protection impact assessment has been undertaken; (vi) a data protection officer has been appointed.
Amendment 423 #
Proposal for a regulation Article 79 – paragraph 3 – introductory part 3.
Amendment 424 #
Proposal for a regulation Article 79 – paragraph 3 a (new) 3 a. In case of full compliance with this regulation no sanction shall be imposed
Amendment 425 #
Proposal for a regulation Article 79 – paragraph 3 – point a
Amendment 426 #
Proposal for a regulation Article 79 – paragraph 3 – point b
Amendment 427 #
Proposal for a regulation Article 79 – paragraph 3 – point b
Amendment 428 #
Proposal for a regulation Article 79 – paragraph 4
Amendment 429 #
Proposal for a regulation Article 79 – paragraph 4 – introductory part 4. The supervisory authority shall impose a fine up to 250 000 EUR,
Amendment 430 #
Proposal for a regulation Article 79 – paragraph 4 – introductory part 4. The supervisory authority
Amendment 432 #
Proposal for a regulation Article 79 – paragraph 5 – introductory part 5. The supervisory authority shall impose a fine up to 500 000 EUR,
Amendment 433 #
Proposal for a regulation Article 79 – paragraph 5 – introductory part 5. The supervisory authority
Amendment 435 #
Proposal for a regulation Article 79 – paragraph 6 – introductory part 6. The supervisory authority shall impose a fine up to 1 000 000 EUR or,
Amendment 436 #
Proposal for a regulation Article 79 – paragraph 6 – introductory part 6. The supervisory authority
Amendment 437 #
Proposal for a regulation Article 79 – paragraph 6 – point a a (new) (a a) uses employees' or potential employees' personal data to blacklist them, vet them or bar them from access to future employment
Amendment 438 #
Proposal for a regulation Article 79 – paragraph 7
Amendment 439 #
Proposal for a regulation Article 81 – paragraph 1 – point c (c) other reasons of public interest in areas such as social protection, especially in order to ensure the quality and cost-effectiveness of the procedures used for settling claims for benefits and services
Amendment 440 #
Proposal for a regulation Article 82 – paragraph 1 1. Within the limits of this Regulation, Member States may adopt by law or collective agreement among employers and employees specific rules regulating the processing of employees’ personal data in the employment context, in particular for the purposes of the recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organisation of work, health and safety at work, criminal conviction and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship.
Amendment 441 #
Proposal for a regulation Article 82 – paragraph 1 1. Within the limits of this Regulation, Member States may adopt by law specific rules regulating the processing of employees’ personal data in the employment context, in particular for the purposes of the recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organisation of work, health and safety at work, and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship. This Regulation must, in accordance with the principles of Article 5, respect collective agreements regarding decentralized regulation of the employer's data processing concluded in accordance with this Regulation.
Amendment 442 #
Proposal for a regulation Article 82 – paragraph 1 1.
Amendment 443 #
Proposal for a regulation Article 82 – paragraph 2
Amendment 444 #
Proposal for a regulation Article 82 – paragraph 3 3. Th
Amendment 445 #
Proposal for a regulation Article 83 – paragraph 3 a (new) 3 a. Member States can adopt specific measures to regulate the processing of personal data for historical, statistical or scientific purposes while respecting the provisions of paragraph 1 and 2 of this article as well as respecting the Charter of Fundamental Rights of the European Union.
Amendment 446 #
Proposal for a regulation Article 83 – paragraph 3 b (new) 3 b. A Member State adopting specific measures according to article 83, paragraph 3a, must inform the Commission about the adopted measures prior to the date set in article 91, paragraph 2, and without undue delay inform the Commission about eventual changes at a later stage of the measures.
Amendment 447 #
Proposal for a regulation Article 86 – paragraph 2 2. The
Amendment 448 #
Proposal for a regulation Article 86 – paragraph 2 2. The delegation of power referred to in
Amendment 449 #
Proposal for a regulation Article 86 – paragraph 2 2. The delegation of power referred to in Article 6(5), Article 8(3),
Amendment 450 #
Proposal for a regulation Article 86 – paragraph 3 3. The delegation of power referred to in
Amendment 451 #
Proposal for a regulation Article 86 – paragraph 3 3. The delegation of power referred to in
Amendment 452 #
Proposal for a regulation Article 86 – paragraph 3 3. The delegation of power referred to in Article 6(5), Article 8(3),
Amendment 453 #
Proposal for a regulation Article 86 – paragraph 5 5. A delegated act adopted pursuant to
Amendment 454 #
Proposal for a regulation Article 86 – paragraph 5 5. A delegated act adopted pursuant to
Amendment 455 #
Proposal for a regulation Article 86 – paragraph 5 5. A delegated act adopted pursuant to Article 6(5), Article 8(3),
Amendment 456 #
Proposal for a regulation Article 86 – paragraph 5 a (new) 5a. When adopting the acts referred to in this article, the Commission shall promote technological neutrality.
Amendment 457 #
Proposal for a regulation Article 89 – paragraph 1 a (new) 1 a. In relation to natural or legal persons who are under obligations to report personal data breaches under Directive 2002/58/EC as amended by Directive 2009/136/EC in relation to the processing of personal data in connection with the provision of publicly available electronic communications services, this Regulation shall not impose additional obligations in relation to the process of notifying a personal data breach to the supervisory authority and in relation to the process of communicating a personal data breach to the data subjects. Such a natural or legal person shall notify personal data breaches affecting all personal data for which it is a controller in accordance with the personal data breach notification process set out in Directive 2002/58/EC as amended by Directive 2009/136/EC.
Amendment 458 #
Proposal for a regulation Article 89 – paragraph 2 2. Article 1(2), Article 2(c) and Article 9 of Directive 2002/58/EC shall be deleted.
Amendment 459 #
Proposal for a regulation Article 90 – paragraph 1 a (new) Delegated acts and Implementing acts adopted by the Commission should be evaluated by the Parliament and the Council every second year.
Amendment 87 #
Proposal for a regulation Recital 2 (2) The processing of personal data is designed to serve man; the principles and rules on the protection of individuals with regard to the processing of their personal data should, whatever the nationality or residence of natural persons, respect their fundamental rights and freedoms, notably their right to the protection of personal data.
Amendment 88 #
Proposal for a regulation Recital 4 (4) The process of economic and social integration resulting from the functioning of the internal market has led to a substantial increase in cross-border flows. The exchange of data between economic and social, public and private actors across the Union increased. National authorities in the
Amendment 89 #
Proposal for a regulation Recital 6 (6) These developments require building a strong and more coherent data protection framework in the Union, backed by strong enforcement of legislation protecting personal data, given the importance to create the trust that will allow the digital economy to develop across the internal market. Individuals should have control of their own personal data and legal and practical certainty for individuals, economic operators and public authorities should be reinforced.
Amendment 90 #
Proposal for a regulation Recital 6 a (new) (6 a) A proper balance between protection of privacy and respect of the single market has to be ensured. Data protection rules should not undermine competitiveness, innovation and new technology.
Amendment 91 #
Proposal for a regulation Recital 7 (7) The objectives and principles of Directive 95/46/EC remain sound, but it has not prevented fragmentation in the way data protection is implemented across the Union, legal uncertainty and a widespread public perception that there are significant risks for the protection of individuals associated notably with online activity. Differences in the level of protection of the rights and freedoms of individuals, notably to the right to the protection of personal data, with regard to the processing of personal data afforded in the Member States may
Amendment 92 #
Proposal for a regulation Recital 8 (8) In order to ensure consistent and high level of protection of individuals and to remove the obstacles to flows of personal data, the level of protection of the rights and freedoms of individuals with regard to the processing of such data should be equivalent in all Member States. Consistent and homogenous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data should be ensured throughout the Union. Harmonisation should allow Member States to adopt in their national law provisions preventing any potential degradation in the level of personal data protection in Member States where the law provides more stringent protection.
Amendment 93 #
Proposal for a regulation Recital 11 (11)
Amendment 94 #
Proposal for a regulation Recital 11 (11) In order to ensure a consistent level of protection for individuals throughout the Union and to prevent divergences hampering the free movement of data within the internal market, a Regulation is necessary to provide legal certainty and transparency for economic operators, including micro, small and medium-sized
Amendment 95 #
Proposal for a regulation Recital 15 (15) This Regulation should not apply to processing of personal data by a
Amendment 96 #
Proposal for a regulation Recital 21
Amendment 97 #
Proposal for a regulation Recital 21 a (new) (21 a) Clear proof that the behaviour of physical persons is being monitored in order to analyse or to predict their personal preferences, behaviour, habits and attitudes is provided by search engines that derive part of their revenue from targeted advertising, exploiting the collection of personal data of their visitors or the analysis of their profile and they should fall clearly within the scope of the Directive. The same should apply to social networks and websites that offer server space and, in some cases, software storage, which also could collect user data for commercial purposes.
Amendment 98 #
Proposal for a regulation Recital 23 a (new) (23 a) Following the principle of data protection by default, online services and products must initially be set on maximum protection of personal information and data without demanding any action from the data subject.
Amendment 99 #
Proposal for a regulation Recital 24 (24) When using online services, individuals may be associated with online identifiers provided by their devices, applications, tools and protocols, such as Internet Protocol addresses or cookie identifiers. This may leave traces which, combined with unique identifiers and other information received by the servers, may be used to create profiles of the individuals and identify them. It follows that identification numbers, location data, online identifiers or other specific factors as such need not necessarily be considered as personal data in all circumstances
source: PE-500.411
2012/11/29
JURI
380 amendments...
Amendment 100 #
Proposal for a regulation Article 2 – paragraph 2 – point b
Amendment 101 #
Proposal for a regulation Article 2 – paragraph 2 – point e a (new) (ea) by competent authorities for the purposes of producing and disseminating official statistics entrusted to them;
Amendment 102 #
Proposal for a regulation Article 2 – paragraph 2 – point e a (new) (ea) that has been rendered anonymous.
Amendment 103 #
Proposal for a regulation Article 2 – paragraph 2 – point e b (new) (eb) by competent authorities for the purposes of drawing up electoral rolls.
Amendment 104 #
Proposal for a regulation Article 3 a (new) Article 3a This Regulation applies to the processing of personal data of data subjects not residing in the Union by a controller or processor established in the Union, through their economic activities in a third country(ies).
Amendment 105 #
Proposal for a regulation Article 4 – point 1 (1) ‘data subject
Amendment 106 #
Proposal for a regulation Article 4 – point 1 (1) 'data subject' means an identified natural person or a
Amendment 107 #
Proposal for a regulation Article 4 – point 1 (1)
Amendment 108 #
Proposal for a regulation Article 4 – point 2 a (new)
Amendment 109 #
Proposal for a regulation Article 4 – point 2 a (new) (2a) 'pseudonymous data' means any personal data that has been collected, altered or otherwise processed so that, of itself, it cannot be attributed to a data subject without the use of additional data which is subject to separate and distinct technical and organisational controls to ensure such non attribution;
Amendment 110 #
Proposal for a regulation Article 4 – point 3 (3)
Amendment 111 #
Proposal for a regulation Article 4 – point 3 a (new) (3a) 'pseudonymous data' means any personal data that has been collected, altered or otherwise processed so that it of itself cannot be attributed to a data subject without the use of additional data which is subject to separate and distinct technical and organisational controls to ensure such non attribution, or that such attribution would require a disproportionate amount of time expense;
Amendment 112 #
Proposal for a regulation Article 4 – point 3 a (new) (3a) 'profiling' means any form of automated processing intended to evaluate, or generate data about, aspects relating to natural persons or to analyse or predict a natural person's performance at work, economic situation, location, health, preferences, reliability, behaviour or personality;
Amendment 113 #
Proposal for a regulation Article 4 – point 5 (5)
Amendment 114 #
Proposal for a regulation Article 4 – point 8 (8)
Amendment 115 #
Proposal for a regulation Article 4 – point 8 (8)
Amendment 116 #
Proposal for a regulation Article 4 – point 9 (9)
Amendment 117 #
Proposal for a regulation Article 4 – point 10 (10) ‘genetic data’ means
Amendment 118 #
Proposal for a regulation Article 4 – point 13 (13) ‘main establishment’ means as regards the controller, including a controller that is also a processor, the place of its establishment in the Union where
Amendment 119 #
Proposal for a regulation Article 4 – point 13 (13)
Amendment 120 #
Proposal for a regulation Article 4 – point 13 (13) ‘main establishment’
Amendment 121 #
Proposal for a regulation Article 4 – point 13 (13) ‘main establishment’ means
Amendment 122 #
Proposal for a regulation Article 4 – point 13 (13) ‘main establishment’ means as regards the controller
Amendment 123 #
Proposal for a regulation Article 4 – point 19 a (new)
Amendment 124 #
Proposal for a regulation Article 4 – point 19 a (new) (19a) 'competent supervisory authority' means a supervisory authority with exclusive competence to supervise the processing activities of the controller or processor in accordance with Article 51(2);
Amendment 125 #
Proposal for a regulation Article 4 – point 19 b (new) (19b) ‘electoral rolls’ means personal data, and data relating to the place of residence, of persons entitled to vote;
Amendment 126 #
Proposal for a regulation Article 4 – point 19 c (new) (19c) ‘information society services’ means services provided at the recipient’s individual request, at a distance, and by electronic means, that is to say, the service is sent initially and received at its destination by means of electronic equipment for the processing, including digital compression, and storage of data and is transmitted, conveyed, and received entirely by wire, by radio, by optical means, or by any other electromagnetic means.
Amendment 127 #
Proposal for a regulation Article 5 – point c (c) adequate, relevant, and
Amendment 128 #
Proposal for a regulation Article 5 – point c (c) adequate, relevant, and
Amendment 129 #
Proposal for a regulation Article 5 – point d (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
Amendment 130 #
Proposal for a regulation Article 5 – point e (e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the data will be processed solely for historical, statistical or scientific research purposes in accordance with the rules and conditions of Articles 81 and 83 and if a periodic review is carried out to assess the necessity to continue the storage;
Amendment 131 #
Proposal for a regulation Article 5 – point e (e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the data will be processed solely for historical, statistical, aggregated or
Amendment 132 #
Proposal for a regulation Article 5 – point e (e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
Amendment 133 #
Proposal for a regulation Article 5 – point f
Amendment 134 #
Proposal for a regulation Article 6 – paragraph 1 – point a a) the data subject has freely and consciously given consent to the processing of their personal data for one or more specific purposes;
Amendment 135 #
Proposal for a regulation Article 6 – paragraph 1 – point f
Amendment 136 #
Proposal for a regulation Article 6 – paragraph 1 – point f (f) processing is necessary for the purposes of the legitimate interests pursued by a controller, except where such interests are overridden by the interests or fundamental
Amendment 137 #
Proposal for a regulation Article 6 – paragraph 1 – point f (f) processing is necessary for the purposes of the legitimate interests pursued by a controller or by a third party to whom the data are to be communicated, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks.
Amendment 138 #
Proposal for a regulation Article 6 – paragraph 1 – point f f) processing is necessary for the purposes
Amendment 139 #
Proposal for a regulation Article 6 – paragraph 1 – point f a (new) (fa) processing is necessary for fraud detection and prevention purposes according to applicable financial regulation or established industry, or professional body, codes of practice.
Amendment 140 #
Proposal for a regulation Article 6 – paragraph 1 – point f b (new) (fb) only pseudonymous data is processed.
Amendment 141 #
Proposal for a regulation Article 6 – paragraph 1 – subparagraph 1 a (new) The EDPB should set up a list of common criteria to be met for further processing to be considered compatible with the one for which personal data have been originally collected.
Amendment 142 #
Proposal for a regulation Article 6 – paragraph 3 – subparagraph 2
Amendment 143 #
Proposal for a regulation Article 6 – paragraph 3 – subparagraph 2 a (new) In the case referred to in paragraph 1(f), the data controller shall clearly and separately notify the data subject of such processing. The data controller shall also indicate and publish the reasons which led him to believe that his legitimate interest took precedence over the primacy of the data subject's fundamental rights and freedoms.
Amendment 144 #
Proposal for a regulation Article 6 – paragraph 4 4. Where the purpose of further processing is not compatible with the one for which the personal data have been collected, the processing must have a legal basis at least in one of the grounds referred to in points
Amendment 145 #
Proposal for a regulation Article 6 – paragraph 5
Amendment 146 #
Proposal for a regulation Article 6 a (new) Article 6a The data will not be used against the data subject in a disciplinary hearing, or to blacklist, vet or bar him or her from employment.
Amendment 147 #
Proposal for a regulation Article 7 – paragraph 1 1. The controller shall bear the burden of proof for the data subject's explicit consent to the processing of their personal data for specified purposes.
Amendment 148 #
Proposal for a regulation Article 7 – paragraph 2 2. If the data subject's consent is to be given in the context of a written declaration which also concerns another matter, the requirement to give consent must be
Amendment 149 #
Proposal for a regulation Article 7 – paragraph 3 3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Where the processing of personal data is an essential element to the controllers' ability to provide adequate security in the provision of a service to the data subject, the withdrawal of consent can lead to the termination of the service.
Amendment 150 #
Proposal for a regulation Article 7 – paragraph 3 a (new) 3a. In the event that the data subject withdraws his consent, the controller may refuse to provide further services to the data subject if the processing of the data is vital for the provision of the service or for ensuring that the characteristics of the service are maintained.
Amendment 151 #
Proposal for a regulation Article 7 – paragraph 4
Amendment 152 #
Proposal for a regulation Article 7 – paragraph 4
Amendment 153 #
Proposal for a regulation Article 7 – paragraph 4 4. Consent shall not provide a legal basis for the processing, where there is a significant imbalance between the position of the data subject and the controller, which results in a lack of freedom in the provision of consent.
Amendment 154 #
Proposal for a regulation Article 7 – paragraph 4 – subparagraph 1 a (new) Where the collection and processing of the personal data is purely for commercial purposes, the data subject must be paid a fee for agreeing that the processing be performed. The data subject may not renounce his right to receive that fee.
Amendment 155 #
Proposal for a regulation Article 7 – paragraph 4 – subparagraph 1 b (new) The Commission shall be empowered to adopt delegated acts in accordance with Article 86 with a view to establishing the amount, nature and arrangements for payment of the fee to data subjects who agree to their personal data being processed for commercial purposes.
Amendment 156 #
Proposal for a regulation Article 8 – paragraph 1 1. For the purposes of this Regulation, in
Amendment 157 #
Proposal for a regulation Article 8 – paragraph 1 1. For the purposes of this Regulation,
Amendment 158 #
Proposal for a regulation Article 8 – paragraph 4 a (new) 4a. Paragraphs 1, 2 and 3 shall not apply where the processing of personal data of a child concerns health data and where the Member State law in the field of health and social care prioritises the competence of an individual over physical age.
Amendment 159 #
Proposal for a regulation Article 8 – paragraph 4 a (new) 4a. Paragraphs 1, 2 and 3 shall not apply where the processing of personal data of a child concerns health data and where the Member State law in the field of health and social care prioritises the maturity and competence of an individual over physical age.
Amendment 160 #
Proposal for a regulation Article 9 – paragraph 1 1. The processing of personal data, revealing race or ethnic origin, political opinions, religion or beliefs, trade-union membership and activities, and the processing of genetic data or data concerning health or sex life or criminal convictions or related security measures shall be prohibited. In particular, this would include safeguards to prevent the blacklisting of workers, for example in relation to their trade union activities or health and safety representative roles.
Amendment 161 #
Proposal for a regulation Article 9 – paragraph 2 – point f (f) processing is necessary for the establishment, exercise or defence of
Amendment 162 #
Proposal for a regulation Article 9 – paragraph 2 – point g (g) processing is necessary for the performance of a task carried out in the public interest, on the basis of international conventions to which the Union or a Member State is a party, Union
Amendment 163 #
Proposal for a regulation Article 9 – paragraph 2 – point i (i) processing is necessary for historical, statistical or scientific research purposes or for preliminary official or administrative investigation to determine biological parentage, subject to the conditions and safeguards referred to in Article 83; or
Amendment 164 #
Proposal for a regulation Article 9 – paragraph 2 – point j (j) processing of data relating to criminal convictions or related security measures is carried out either under the control of official authority or when the processing is necessary for compliance with a legal or regulatory obligation to which a controller is subject, or for the performance of a task carried out for important public interest reasons, and in so far as authorised by Union law or Member State law providing for adequate safeguards. A
Amendment 165 #
Proposal for a regulation Article 9 – paragraph 3
Amendment 166 #
Proposal for a regulation Article 10 If the data processed by a controller do not permit the controller to identify a natural person, the controller shall not be obliged to
Amendment 167 #
Proposal for a regulation Article 11 – paragraph 1 1. The controller shall
Amendment 168 #
Proposal for a regulation Article 11 – paragraph 2 2. The controller shall provide any information and any communication relating to the processing of personal data to the data subject in an intelligible form, using clear and plain language
Amendment 169 #
Proposal for a regulation Article 12 – paragraph 1 1. The controller shall
Amendment 170 #
Proposal for a regulation Article 12 – paragraph 2 2. The controller shall inform the data subject without delay and, at the latest within
Amendment 171 #
Proposal for a regulation Article 12 – paragraph 4 4. The information and the actions taken on requests referred to in paragraph 1 shall be free of charge. Where requests are manifestly excessive, in particular
Amendment 172 #
Proposal for a regulation Article 14 – paragraph 1 – point a (a)
Amendment 173 #
Proposal for a regulation Article 14 – paragraph 1 – point b (b) the purposes of the processing for which the personal data are intended,
Amendment 174 #
Proposal for a regulation Article 14 – paragraph 1 – point b (b) the purposes of the processing for which the personal data are intended
Amendment 175 #
Proposal for a regulation Article 14 – paragraph 1 – point b b) the purposes of the processing for which the personal data are intended, including the contract terms and general conditions where the processing is based on point (b) of Article 6(1) and the legitimate interests pursued by the controller where the processing is based on point (f) of Article 6(1); and, where the processing is purely for commercial purposes, the amount, nature and arrangements for payment of the fee to data subjects who agree to their personal data being processed;
Amendment 176 #
Proposal for a regulation Article 14 – paragraph 1 – point c (c) where possible, the period for which the personal data will be stored;
Amendment 177 #
Proposal for a regulation Article 14 – paragraph 1 – point c c) the period for which the personal data will be stored, or if this is not possible, the criteria used to determine this period;
Amendment 178 #
Proposal for a regulation Article 14 – paragraph 1 – point e (e) the right to lodge a complaint to the supervisory
Amendment 179 #
Proposal for a regulation Article 14 – paragraph 1 – point e (e) the right to lodge a complaint to the supervisory
Amendment 180 #
Proposal for a regulation Article 14 – paragraph 3 3. Where the personal data are not collected from the data subject, the controller shall inform the data subject, in addition to the information referred to in paragraph 1, from which source the personal data originate, except where the data originate from a publicly available source or where the transfer is provided by law or the processing is used for purposes relating to the professional activities of the person concerned.
Amendment 181 #
Proposal for a regulation Article 14 – paragraph 3 3. Where the personal data are not collected from the data subject, the controller shall inform the data subject, in addition to the information referred to in paragraph 1, from which source the personal data originate. This would include data sourced from a third party illegally and passed on to the controller.
Amendment 182 #
Proposal for a regulation Article 14 – paragraph 4 – point a (a) in general at the time when the personal data are obtained from the data subject or as soon as possible where the above is not feasible, demands undue effort, or reduces the safeguards enjoyed by the data subject; or
Amendment 183 #
Proposal for a regulation Article 14 – paragraph 4 – point b (b) where the personal data are not collected from the data subject, at the time of the recording or within a reasonable period after the collection, having regard to the specific circumstances in which the
Amendment 184 #
Proposal for a regulation Article 14 – paragraph 5 – point b
Amendment 185 #
Proposal for a regulation Article 14 – paragraph 5 – point b (b) the data are not collected from the data subject and the provision of such information proves impossible or would
Amendment 186 #
Proposal for a regulation Article 14 – paragraph 7
Amendment 187 #
Proposal for a regulation Article 15 – paragraph 1 – introductory wording 1. The data subject shall have the right to obtain from the controller at any time, on request, confirmation as to whether or not personal data relating to the data subject are being processed. If the controller is processing a large number of files relating to the data subject, it may ask the data subject to specify in the necessary detail, before the information is supplied, which file or files, or what particular fields of activity, are covered by the data subject’s request. Where such personal data are being processed, the controller shall provide the following information:
Amendment 188 #
Proposal for a regulation Article 15 – paragraph 1 – point d d) the period for which the personal data will be stored, or if this is not possible, the criteria used to determine this period;
Amendment 189 #
Proposal for a regulation Article 15 – paragraph 1 – point h (h) the
Amendment 190 #
Proposal for a regulation Article 15 – paragraph 1 – point h a (new) (ha) where applicable, where data is collected and processed in exchange for the provision of free services, the controller's value estimate of the subject's processed data.
Amendment 191 #
Proposal for a regulation Article 15 – paragraph 1 – point h a (new) (ha) in the case of measures based on profiles, meaningful information about the logic used in the profiling;
Amendment 192 #
Proposal for a regulation Article 15 – paragraph 2
Amendment 193 #
Proposal for a regulation Article 15 – paragraph 2 2. The data subject shall have the right to obtain from the controller communication of the personal data undergoing processing. Where the data subject makes the request in electronic form, the information shall be provided in electronic form, unless otherwise requested by the data subject. The controller shall verify the identity of a data subject requesting access to data within the limits of Articles 5 to 10 of this Regulation.
Amendment 194 #
Proposal for a regulation Article 16 – paragraph 1 a (new) Paragraph 1 shall not apply to pseudonymous data.
Amendment 196 #
Proposal for a regulation Article 17 – paragraph 1 – point a
Amendment 197 #
Proposal for a regulation Article 17 – paragraph 1 – point b (b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or when the storage period consented to has expired
Amendment 198 #
Proposal for a regulation Article 17 – paragraph 1 – point d
Amendment 199 #
Proposal for a regulation Article 17 – paragraph 1 – point d a (new) da) there shall be no legal basis for the processing of data other than the consent of the data subject.
Amendment 200 #
Proposal for a regulation Article 17 – paragraph 1 a (new) 1a. The right to erasure shall not apply when the retention of personal data is necessary for the performance of a contract between an organisation and the data subject, or when there is a regulatory requirement to retain this data, or for fraud prevention purposes.
Amendment 201 #
Proposal for a regulation Article 17 – paragraph 1 a (new) 1a. Credit institutions that retain data for the following grounds shall be exempt from the requirements of this Article: - risk management purposes; - fulfilment of EU and international supervisory and compliance requirements; - market abuse purposes.
Amendment 202 #
Proposal for a regulation Article 17 – paragraph 2
Amendment 203 #
Proposal for a regulation Article 17 – paragraph 2
Amendment 204 #
Proposal for a regulation Article 17 – paragraph 2 2. Where the controller referred to in paragraph 1 has
Amendment 205 #
Proposal for a regulation Article 17 – paragraph 3 – point a (a) for exercising the right of freedom of expression in accordance with Article 80; or when providing an information society service to facilitate the accessing of such expression.
Amendment 206 #
Proposal for a regulation Article 17 – paragraph 3 – point b (b) for healthcare purposes or for reasons of public interest in the area of public health in accordance with Article 81;
Amendment 207 #
Proposal for a regulation Article 17 – paragraph 3 – point d (d) for compliance with a legal obligation to retain the personal data by Union or Member State law to which the controller is subject under Union law; Member State laws shall meet an objective of public interest, respect the essence of the right to the protection of personal data and be proportionate to the legitimate aim pursued;
Amendment 208 #
Proposal for a regulation Article 17 – paragraph 3 – point e (e) in the cases referred to in paragraph 4. In the cases referred to in points (a) to (d), the data subject may exercise the right to object to the establishment of links or creation of copies or replications of their personal data. The viability of this right shall be resolved in the light of all the circumstances involved in the case, whilst making efforts not to frustrate the specific basis for the retention of data.
Amendment 209 #
Proposal for a regulation Article 17 – paragraph 9
Amendment 210 #
Proposal for a regulation Article 18 – paragraph 1 1. The data subject shall have the right, where personal data are processed by electronic means and in a structured
Amendment 211 #
Proposal for a regulation Article 18 – paragraph 1 1. The data subject shall have the right, where personal data are processed by electronic means
Amendment 212 #
Proposal for a regulation Article 18 – paragraph 2 – subparagraph 1 a The controller from whom the personal data are withdrawn shall delete those data, unless their continued processing is covered by another legal provision in force. Union and Member State laws may regulate cases where there is a legal obligation to store data, based on objectives of public interest proportionate to the aim pursued, and respecting the essence of the right to the protection of personal data.
Amendment 213 #
Proposal for a regulation Article 18 – paragraph 3 3. The
Amendment 214 #
Proposal for a regulation Article 19 – paragraph 1 1. The data subject shall have the right to object
Amendment 215 #
Proposal for a regulation Article 19 – paragraph 2 2. Where personal data are processed for
Amendment 216 #
Proposal for a regulation Article 19 – paragraph 3 3. Where an objection is upheld pursuant to paragraph
Amendment 217 #
Proposal for a regulation Article 19 – paragraph 3 a (new) 3a. Where pseudonymous data are processed based on Article 6(1)(g), the data subject shall have the right to object free of charge to the processing. This right shall be explicitly offered to the data subject in an intelligible manner and shall be clearly distinguishable from other information.
Amendment 218 #
Proposal for a regulation Article 20 – title Measures based on
Amendment 219 #
Proposal for a regulation Article 20 – paragraph 1 1.
Amendment 220 #
Proposal for a regulation Article 20 – paragraph 1 1. Every
Amendment 221 #
Proposal for a regulation Article 20 – paragraph 1 1. Every natural person shall have the right, both off-line and online, not to be subject to a measure which produces legal effects concerning this natural person or significantly affects this natural person, and which is based solely on automated processing intended to evaluate certain personal aspects relating to this natural person or to analyse or predict in particular the natural person's performance at work, economic situation, location, health, personal preferences, reliability or behaviour.
Amendment 222 #
Proposal for a regulation Article 20 – paragraph 2
Amendment 223 #
Proposal for a regulation Article 20 – paragraph 2 – introductory part 2. Subject to the other provisions of this Regulation, including paragraphs (3) and (4), a person may be subjected to a measure of the kind referred to in paragraph 1 only if the processing:
Amendment 224 #
Proposal for a regulation Article 20 – paragraph 2 – point a (a) is
Amendment 225 #
Proposal for a regulation Article 20 – paragraph 2 – point b (b) is expressly authorized by a Union or Member State law which also lays down suitable measures to safeguard the data subject's legitimate interests, and which protects the data subjects against possible discrimination resulting from measures described in paragraph 1; or
Amendment 226 #
Proposal for a regulation Article 20 – paragraph 2 – point b (b) is
Amendment 227 #
Proposal for a regulation Article 20 – paragraph 2 – point c (c) is
Amendment 228 #
Proposal for a regulation Article 20 – paragraph 2 – point c (c) is based on the data subject's consent, subject to the conditions laid down in Article 7 and to suitable safeguards, including effective protection against possible discrimination resulting from measures described in paragraph 1.
Amendment 229 #
Proposal for a regulation Article 20 – paragraph 2 – point c (c) is based on
Amendment 230 #
Proposal for a regulation Article 20 – paragraph 3
Amendment 231 #
Proposal for a regulation Article 20 – paragraph 3 3. Automated processing of personal data intended to evaluate certain personal aspects relating to a natural person shall not
Amendment 232 #
Proposal for a regulation Article 20 – paragraph 3 a (new) 3a. Profiling that (whether intentionally or otherwise) has the effect of discriminating against individuals on the basis of race or ethnic origin, political opinions, religion or beliefs, trade union membership, or sexual orientation, or that (whether intentionally or otherwise) results in measures which have such effect, shall be prohibited.
Amendment 233 #
Proposal for a regulation Article 20 – paragraph 3 b (new) 3b. Automated processing of personal data intended to evaluate certain personal aspects relating to a natural person shall not be used to identify or individualise children.
Amendment 234 #
Proposal for a regulation Article 20 – paragraph 4
Amendment 235 #
Proposal for a regulation Article 20 – paragraph 4 4. In the cases referred to in paragraph 2, the information to be provided by the controller under Articles 14 and 15 shall include information as to the existence of processing for a measure of the kind referred to in paragraph 1 and the envisaged effects of such processing on the data subject, as well as the access to the logic underpinning the data undergoing processing.
Amendment 236 #
Proposal for a regulation Article 20 – paragraph 5
Amendment 237 #
Proposal for a regulation Article 20 – paragraph 5
Amendment 238 #
Proposal for a regulation Article 20 – paragraph 5 5.
Amendment 239 #
Proposal for a regulation Article 22 – paragraph 1 1. The controller
Amendment 240 #
Proposal for a regulation Article 22 – paragraph 2 – introductory wording 2. The measures provided for in paragraph 1 shall in
Amendment 241 #
Proposal for a regulation Article 22 – paragraph 2 – introductory wording 2. The measures provided for in paragraph 1
Amendment 242 #
Proposal for a regulation Article 22 – paragraph 2 – point e (e) designating a data protection officer pursuant to Article 35(1), or the obligation and maintenance of certification in accordance with the certification policies defined by the Commission.
Amendment 243 #
Proposal for a regulation Article 22 – paragraph 4
Amendment 244 #
Proposal for a regulation Article 23 – paragraph 1 1. Having regard to the state of the art and the cost of implementation, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement
Amendment 245 #
Proposal for a regulation Article 23 – paragraph 1 1.
Amendment 246 #
Proposal for a regulation Article 23 – paragraph 1 1. Having regard to the state of the art, current technical knowledge and the cost of implementation, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
Amendment 247 #
Proposal for a regulation Article 23 – paragraph 2 2. The controller shall implement mechanisms for ensuring that, by default, only those personal data are processed which are n
Amendment 248 #
Proposal for a regulation Article 23 – paragraph 2 2.
Amendment 249 #
Proposal for a regulation Article 23 – paragraph 3
Amendment 250 #
Proposal for a regulation Article 23 – paragraph 3
Amendment 251 #
Proposal for a regulation Article 23 – paragraph 4
Amendment 252 #
Proposal for a regulation Article 23 – paragraph 4
Amendment 253 #
Proposal for a regulation Article 24 Where a controller determines the purposes, conditions and means of the processing of personal data jointly with others, the joint controllers shall determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the procedures and mechanisms for exercising the rights of the data subject, by means of an arrangement between them. To ensure that data subjects may exercise their right to object to this arrangement, it must be documented and data subjects must have been notified in advance; otherwise, the above rights may be exercised in full in relation to any of the controllers, who shall be responsible for ensuring that the conditions laid down by law are fully complied with.
Amendment 254 #
Proposal for a regulation Article 24 Where a controller determines the purposes
Amendment 255 #
Proposal for a regulation Article 25 – paragraph 2 – point a
Amendment 256 #
Proposal for a regulation Article 25 – paragraph 2 – point b
Amendment 257 #
Proposal for a regulation Article 25 – paragraph 2 – point b (b) an enterprise employing fewer than 250 persons, unless the processing carried out by that enterprise is considered high risk by the supervisory authorities, taking account of its characteristics, the type of data or the number of people affected; or
Amendment 258 #
Proposal for a regulation Article 25 – paragraph 2 – point d d
Amendment 259 #
Proposal for a regulation Article 26 – paragraph 1 1. Where a processing operation is to be carried out on behalf of a controller and which involves the processing of data that would permit the processor to reasonably identify the data subject, the controller shall choose a processor providing sufficient guarantees to implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject, in particular in respect of the technical security measures and organizational measures governing the processing to be carried out and shall ensure compliance with those measures. The controller remains solely responsible for ensuring compliance with the requirements of this Regulation.
Amendment 260 #
Proposal for a regulation Article 26 – paragraph 2 – introductory wording 2. The carrying out of processing by a processor shall be governed by a contract or other legal act binding the processor to the controller, which shall be documented in a form of which a record can be kept, and stipulating in particular that the processor shall:
Amendment 261 #
Proposal for a regulation Article 26 – paragraph 2 – point d
Amendment 262 #
Proposal for a regulation Article 26 – paragraph 3
Amendment 263 #
Proposal for a regulation Article 26 – paragraph 3 a (new) 3a. The controller is deemed to have fulfilled the obligations set out in paragraph 1 when choosing a processor who has voluntarily self-certified or voluntarily obtained a certification, seal or mark pursuant to Articles 38 or 39 of this Regulation showing the implementation of appropriate standard technical and organizational measures in response to the requirements set out in this Regulation.
Amendment 264 #
Proposal for a regulation Article 26 – paragraph 4 4. If a processor processes personal data other than as instructed by the controller, the processor shall be considered to be a controller in respect of that processing and shall be subject to the rules on joint controllers laid down in Article 24, without prejudice to the responsibility which the controller may have incurred in relation to compliance with their obligations.
Amendment 265 #
Proposal for a regulation Article 26 – paragraph 5
Amendment 266 #
Proposal for a regulation Article 28 – paragraph 1 1. Each controller and processor and, if any, the controller's representative, shall
Amendment 267 #
Proposal for a regulation Article 28 – paragraph 1 1. Each controller and processor and, if any, the controller's representative, shall maintain documentation of
Amendment 268 #
Proposal for a regulation Article 28 – paragraph 1 a (new) 1a. The obligation provided for in paragraph 1 shall not apply to SMEs who process data only as an activity ancillary to the sale of goods and services.
Amendment 269 #
Proposal for a regulation Article 28 – paragraph 2 – introductory wording 2.
Amendment 270 #
Proposal for a regulation Article 28 – paragraph 2 – introductory wording 2. The core documentation shall contain at least the following information:
Amendment 271 #
Proposal for a regulation Article 28 – paragraph 2 – point b
Amendment 272 #
Proposal for a regulation Article 28 – paragraph 2 – point c (c) the
Amendment 273 #
Proposal for a regulation Article 28 – paragraph 2 – point f (f) where applicable, transfers of personal data to a
Amendment 274 #
Proposal for a regulation Article 28 – paragraph 2 – point g (g) a general indication of the time limits for erasure of the different categories of data, wherever possible;
Amendment 275 #
Proposal for a regulation Article 28 – paragraph 4
Amendment 276 #
Proposal for a regulation Article 28 – paragraph 4 – introductory wording 4. The obligations referred to in paragraph
Amendment 277 #
Proposal for a regulation Article 28 – paragraph 5 5. The Commission shall
Amendment 278 #
Proposal for a regulation Article 28 – paragraph 6 6. The Commission
Amendment 279 #
Proposal for a regulation Article 29 – paragraph 1 1. The controller and, where appropriate, the processor and, if any, the representative of the controller, shall co-operate, on request, with the supervisory authority in the performance of its duties, in particular by providing the information referred to in point (a) of Article 53(2) and by granting access as provided in point (b) of that paragraph.
Amendment 280 #
Proposal for a regulation Article 29 – paragraph 2
Amendment 281 #
Proposal for a regulation Article 30 – paragraph 3
Amendment 282 #
Proposal for a regulation Article 30 – paragraph 4 – subparagraph 1
Amendment 283 #
Proposal for a regulation Article 31 – paragraph 1 1. In the case of a personal data breach
Amendment 284 #
Proposal for a regulation Article 31 – paragraph 1 1. In the case of a personal data breach, the controller shall, without undue delay
Amendment 285 #
Proposal for a regulation Article 31 – paragraph 1 1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72
Amendment 286 #
Proposal for a regulation Article 31 – paragraph 1 1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72
Amendment 287 #
Proposal for a regulation Article 31 – paragraph 1 – subparagraph 1 a (new) Cases in which it is probable that a breach of personal data protection will have a negative impact on the data subject’s privacy shall be deemed serious breaches.
Amendment 288 #
Proposal for a regulation Article 31 – paragraph 2 2. Pursuant to point (f) of Article 26(2), the processor shall alert and inform the controller immediately after the establishment of a personal data breach referred to in paragraph 1.
Amendment 289 #
Proposal for a regulation Article 31 – paragraph 2 – subparagraph 1 a (new) The communication of a personal data breach to the data subject shall not be required if the controller has implemented appropriate protection measures, and if those measures were applied to the data concerned by the personal data breach. Such technological protection measures shall render the data unintelligible to any person who is not authorised to access it.
Amendment 290 #
Proposal for a regulation Article 31 – paragraph 3 – introductory wording 3. The notification
Amendment 291 #
Proposal for a regulation Article 31 – paragraph 4 4. The controller shall document any personal data breaches referred to in paragraph 1 of this article, comprising the facts surrounding the breach, its effects and the remedial action taken.
Amendment 292 #
Proposal for a regulation Article 31 – paragraph 4 – subparagraph 1 a (new) The supervisory authority shall maintain a public register of reported breaches.
Amendment 293 #
Proposal for a regulation Article 31 – paragraph 5
Amendment 294 #
Proposal for a regulation Article 31 – paragraph 6 6. The Commission may lay down the standard format of
Amendment 295 #
Proposal for a regulation Article 32 – paragraph 4 – subparagraph 1 a Those concerned shall not be notified in cases where this could clearly obstruct current investigations or hinder or delay measures to resolve the security breach. More detailed provision for such eventualities may be made under EU law and Member State legislation, the objective being at all times to uphold the public interest and comply with the spirit of data protection law.
Amendment 296 #
Proposal for a regulation Article 32 – paragraph 5
Amendment 297 #
Proposal for a regulation Article 33 – paragraph 1 1. Where processing operations present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes, the controller or the processor acting on the controller
Amendment 298 #
Proposal for a regulation Article 33 – paragraph 1 1. Where processing operations present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes, the controller or the processor acting on the controller's behalf shall carry out an assessment of the impact of the envisaged processing operations on the protection of personal data, unless the activities concerned do not present a risk to the privacy of the data subject.
Amendment 299 #
Proposal for a regulation Article 33 – paragraph 5 5. Where the controller is a public authority or body or where the data is processed by another body which has been entrusted with the responsibility of delivering public service tasks, and where the processing results from a legal obligation pursuant to point (c) of Article 6(1) providing for rules and procedures pertaining to the processing operations and regulated by Union law, paragraphs 1 to 4 shall not apply, unless Member States deem it necessary to carry out such assessment prior to the processing activities.
Amendment 300 #
Proposal for a regulation Article 33 – paragraph 6
Amendment 301 #
Proposal for a regulation Article 34 – paragraph 1 1. The controller or the processor as the case may be shall, if they have not recruited a data protection officer for their organisation or obtained or adequate and valid certification for the processing of high-risk data, obtain an authorisation from the supervisory authority prior to the processing of personal data, in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risks involved for the data subjects where a controller or processor adopts contractual clauses as provided for in point (d) of Article 42(2) or does not provide for the appropriate safeguards in a legally binding instrument
Amendment 302 #
Proposal for a regulation Article 34 – paragraph 2 – introductory wording 2. The controller or processor acting on the controller's behalf shall, if they have not recruited a data protection officer for their organisation or obtained or adequate and valid certification for the processing of high-risk data, consult the supervisory authority prior to the processing of personal data in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risks involved for the data subjects where:
Amendment 303 #
Proposal for a regulation Article 34 – paragraph 7
Amendment 304 #
Proposal for a regulation Article 35 – paragraph 1 – introductory wording 1. The controller and the processor
Amendment 305 #
Proposal for a regulation Article 35 – paragraph 1 – introductory wording 1. The controller and the processor sh
Amendment 306 #
Proposal for a regulation Article 35 – paragraph 1 – introductory wording 1. The controller and the processor shall, with the consent of the workplace representation, designate a data protection officer in any case where:
Amendment 307 #
Proposal for a regulation Article 35 – paragraph 1 – point a
Amendment 308 #
Proposal for a regulation Article 35 – paragraph 1 – point b
Amendment 309 #
Proposal for a regulation Article 35 – paragraph 1 – point b
Amendment 310 #
Proposal for a regulation Article 35 – paragraph 1 – point b b) the processing is carried out by an enterprise employing
Amendment 311 #
Proposal for a regulation Article 35 – paragraph 1 – point b b) the processing is carried out by an enterprise
Amendment 312 #
Proposal for a regulation Article 35 – paragraph 1 – point c
Amendment 313 #
Proposal for a regulation Article 35 – paragraph 1 a (new) 1a. SME controllers and processors shall designate a data protection officer only where the SMEs' core activities consist of data processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects.
Amendment 314 #
Proposal for a regulation Article 35 – paragraph 2 2.
Amendment 315 #
Proposal for a regulation Article 35 – paragraph 2 – subparagraph 1 a (new) 1 a. If the undertakings in this group are located in more than one Member State, a data protection officer shall be appointed in each of these Member States where the conditions set out in paragraph 1(b) and (c) are met.
Amendment 316 #
Proposal for a regulation Article 35 – paragraph 4 4.
Amendment 317 #
Proposal for a regulation Article 35 – paragraph 5 5. The controller or processor shall designate the data protection officer on the basis of professional qualities and, in
Amendment 318 #
Proposal for a regulation Article 35 – paragraph 7 7.
Amendment 319 #
Proposal for a regulation Article 35 – paragraph 11
Amendment 320 #
Proposal for a regulation Article 36 – paragraph 2 2. The controller or processor shall ensure that the data protection officer performs the duties and tasks in
Amendment 321 #
Proposal for a regulation Article 36 – paragraph 3 3. The controller or the processor shall support the data protection officer in performing the tasks and, when necessary, shall provide staff, premises, equipment and any other resources necessary to carry out the duties and tasks referred to in Article 37.
Amendment 322 #
Proposal for a regulation Article 37 – paragraph 1 – point a (a) to inform and advise the controller or the processor of their obligations pursuant to this Regulation
Amendment 323 #
Proposal for a regulation Article 37 – paragraph 1 – point d |