46 Amendments of Sophia IN 'T VELD related to 2012/0011(COD)
Amendment 362 #
Proposal for a regulation
Recital 14
Recital 14
(14) This Regulation does not address issues of protection of fundamental rights and freedoms or the free flow of data related to activities which fall outside the scope of Union law, nor does it cover the processing of personal data by the Union institutions, bodies, offices and agencies, which are subject to Regulation (EC) No 45/2001, or the processing of personal data by the Member States when carrying out activities in relation to the common foreign and security policy of the Union.
Amendment 365 #
Proposal for a regulation
Recital 14 a (new)
Recital 14 a (new)
(14a) Without prejudice to the limitations of the material scope of this Regulation, this Regulation should apply to the processing of personal data by third country authorities for the purpose of intelligence gathering and surveillance within the territory of the EEA by means of extraterritorial jurisdiction.
Amendment 452 #
Proposal for a regulation
Recital 38
Recital 38
(38) The legitimate interests of a controller may provide a legal basis for processing, in a restrictive way, when no other legal grounds for processing apply and provided that the interests or the fundamental rights and freedoms of the data subject are not overriding. This would need careful assessment in particular where the data subject is a child, given that children deserve specific protection. The data subject should have the right to object the processing, on grounds relating to their particular situation and free of charge. To ensure transparency, the controller should be obliged to explicitly inform the data subject on the legitimate interests pursued and on the right to object, and also be obliged to document these legitimate interests. Given that it is for the legislator to provide by law the legal basis for public authorities to process data, this legal ground should not apply for the processing by public authorities in the performance of their tasks.
Amendment 482 #
Proposal for a regulation
Recital 48 a (new)
Recital 48 a (new)
(48a) The controller or processor should publish information on how often personal data has been requested by police and justice authorities, from which countries these requests originated, and how often those requests were fully or partially refused.
Amendment 591 #
Proposal for a regulation
Recital 89
Recital 89
(89) In any case, where the Commission has taken no decision on the adequate level of data protection in a third country, the controller or processor should make use of solutions that provide data subjects with a guarantee that they will continue to benefit from the fundamental rights and safeguards as regards processing of their data in the Union once this data has been transferred, to the extent that the processing is not massive, not repetitive and not structural.
Amendment 593 #
Proposal for a regulation
Recital 90
Recital 90
(90) Some third countries enact laws, regulations and other legislative instruments which purport to directly regulate data processing activities of natural and legal persons under the jurisdiction of the Member States. The extraterritorial application of these laws, regulations and other legislative instruments may be in breach of international law and may impede the attainment of the protection of individuals guaranteed in the Union by this Regulation. . Transfers should only be allowed where the conditions of this Regulation for a transfer to third countries are met. This may inter alia be theIn cases where the disclosure is necessary fcontrollers or processors an important ground of public interest recognised in Union law or in a Member State law to which the controller is subject. The conditions under which an important ground of public interest exists should be further specified by the Commission in a delegated actre confronted with conflicting compliance requirements between the jurisdiction of the EU on the one hand, and that of a third country on the other, the Commission should ensure that EU law takes precedence at all times. The Commission should provide guidance and assistance to the controller and processor, and it should seek to resolve the jurisdictional conflict with the third country in question.
Amendment 600 #
Proposal for a regulation
Recital 98
Recital 98
(98) The competent authority, providing such one-stop shop, should be the supervisory authority of the Member State in which the controller or processor has its main establishment. In case of uncertainty regarding the main establishment, the determination of the main establishment of a controller or a processor should be dealt with within the consistency mechanism at the request of a supervisory authority.
Amendment 609 #
Proposal for a regulation
Recital 110 a (new)
Recital 110 a (new)
(110a) The European Data Protection Board should work in a transparent way and, where possible and appropriate, consult stakeholders when developing specifications, opinions, guidelines or any other output on the basis of this Regulation.
Amendment 647 #
Proposal for a regulation
Recital 128
Recital 128
Amendment 666 #
Proposal for a regulation
Article 2 – paragraph 2 – point b
Article 2 – paragraph 2 – point b
Amendment 714 #
Proposal for a regulation
Article 4 – paragraph 1 – point 1
Article 4 – paragraph 1 – point 1
(1) ‘data subject’ means an identified natural person or a natural person who can be identified or singled out, directly or indirectly, alone or in combination with associated data, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to a unique identifier, an identification numbercode, location data, online identifiers or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or, social identityor gender identity or sexual orientation of that person;
Amendment 784 #
Proposal for a regulation
Article 4 – paragraph 1 – point 13
Article 4 – paragraph 1 – point 13
(13) ‘main establishment’ means as regards the controller, the place of its establishment in the Union where the main decisions as to the purposes, conditions and means of the processing of personal data are taken; the location of the controller’s headquarters is given priority in cases where it is not clear where the main decisions as to the purposes, conditions and means of the processing are taken; if no decisions as to the purposes, conditions and means of the processing of personal data are taken in the Union, the main establishment is the place where the main processing activities in the context of the activities of an establishment of a controller in the Union take place. As regards the processor, ‘main establishment’ means the place of its central administration in the Union;
Amendment 806 #
Proposal for a regulation
Article 4 – paragraph 1 – point 19 a (new)
Article 4 – paragraph 1 – point 19 a (new)
(19a) ‘cloud service’ means the provision to the public of data processing or storage services using shared remote resources by means of an electronic communications network;
Amendment 879 #
Proposal for a regulation
Article 6 – paragraph 1 – point f
Article 6 – paragraph 1 – point f
(f) processing is necessary for the purposes of the legitimate interests pursued by a controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasksLegitimate interest as a legal ground for processing can only be applied in a restrictive way, to the extent that it is strictly necessary for the purpose of the legitimate interest, and when no other legal ground is available for the specific purpose. The data controller shall in that case inform the data subject explicitly and separately. The controller shall also publish the reasons for believing that its interests override the interests or fundamental rights and freedoms of the data subject.
Amendment 902 #
Proposal for a regulation
Article 6 – paragraph 1 a (new)
Article 6 – paragraph 1 a (new)
1a. The European Data Protection Board shall be entrusted with the task of further specifying when processing is justified for the purpose of the legitimate interests pursued by a controller as referred to in paragraph 1, and when the legitimate interest of the controller is overridden by the interests or fundamental rights and freedoms of the data subject.
Amendment 1075 #
Proposal for a regulation
Article 9 – paragraph 2 – point j
Article 9 – paragraph 2 – point j
(j) processing of data relating to criminal convictions or related security measures is carried out either under the control of officialand permission of the supervisory authority or when the processing is necessary for compliance with a legal or regulatory obligation to which a controller is subject, or for the performance of a task carried out for important public interest reasons, and in so far as authorised by Union law or Member State law providing for adequate safeguards for the fundamental rights and interests of the data subject. A complete register of criminal convictions shall be kept only under the control of official authority.
Amendment 1451 #
Proposal for a regulation
Article 17 – paragraph 3 – subparagraph 1 a (new)
Article 17 – paragraph 3 – subparagraph 1 a (new)
When the controller no longer exists, has disappeared or cannot be identified or contacted, the data subject has the right to obtain the erasure of personal data relating to him or her from third parties that process that personal data, where the same grounds apply as in Article 17(1).
Amendment 1550 #
Proposal for a regulation
Article 20 – paragraph 1
Article 20 – paragraph 1
1. Every natural person shall have the right not to be subject to a measure which produces a legal effects concerning this natural person or significantly affects this natural person, and which is based solely or predominantly on automated processing intended to evaluate certain personal aspects relating to this natural person or to analyse or predict in particular the natural person's performance at work, economic situation, location, health, personal preferences, reliability or behaviour. Such automated processing may include the application of web analysing tools, tracking for assessing user behaviour, the creation of motion profiles by mobile applications, or the creation of personal profiles by social networks.
Amendment 1561 #
Proposal for a regulation
Article 20 – paragraph 2 – point a
Article 20 – paragraph 2 – point a
(a) is carried out in the course of the entering into, ornecessary for the performance of, a contract, where the request for the entering into or the performance of the contract, lodged by the data subject, has been satisfied or where to which the data subject is a party, or for the implementation of pre- contractual measures taken at the request of the data subject, provided that suitable measures to safeguard the data subject's legitimate interests have been adduced, such as the right to obtain human intervention; or
Amendment 1577 #
Proposal for a regulation
Article 20 – paragraph 2 – point c
Article 20 – paragraph 2 – point c
(c) is based on the data subject's consent, subject to the conditions laid down in Article 7 and to suitable safeguards, including effective protection against possible discrimination resulting from measures described in paragraph 1.
Amendment 1595 #
Proposal for a regulation
Article 20 – paragraph 3
Article 20 – paragraph 3
3. Automated processing of personal data intended to evaluate certain personal aspects relating to a natural person shall not be based solely oninclude or generate any data that fall under the special categories of personal data referred to in Article 9, without prejudice to the exceptions listed in Article 9(2).
Amendment 1600 #
Proposal for a regulation
Article 20 – paragraph 3 a (new)
Article 20 – paragraph 3 a (new)
3a. Profiling on the basis of race or ethnic origin, political opinions, religion or beliefs, trade union membership, sexual orientation or gender identity that has a negative effect on individuals shall be prohibited.
Amendment 1617 #
Proposal for a regulation
Article 20 – paragraph 5
Article 20 – paragraph 5
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purposeEuropean Data Protection Board shall be entrusted with the task of further specifying the criteria and conditions for suitable measures to safeguard the data subject's fundamental rights regarding the provisions of this Article, and the legitimate interests referred to in paragraph 2.
Amendment 2153 #
Proposal for a regulation
Article 35 – paragraph 1 – introductory part
Article 35 – paragraph 1 – introductory part
1. The controller and the processor shall designate or contract externally a data protection officer in any case where:
Amendment 2160 #
Proposal for a regulation
Article 35 – paragraph 1 – point b
Article 35 – paragraph 1 – point b
Amendment 2257 #
Proposal for a regulation
Article 36 – paragraph 1 a (new)
Article 36 – paragraph 1 a (new)
1a. The data protection officer shall report directly to the company board, which is ultimately responsible and accountable for the compliance with the provisions of this Regulation.
Amendment 2329 #
Proposal for a regulation
Article 37 a (new)
Article 37 a (new)
Article 37a COMPANY BOARD RESPONSABILITY The controller and the processor shall designate a company board member who shall bear the final responsibility for the compliance with the provisions of this Regulation.
Amendment 2448 #
Proposal for a regulation
Article 42 – paragraph 3 a (new)
Article 42 – paragraph 3 a (new)
3a. The appropriate safeguards referred to in paragraph 2 shall include the requirement that litigation on safeguards against third country government surveillance or information requests by third country authorities takes place under the jurisdiction of the Member State of the main establishment of the controller or processor concerned.
Amendment 2460 #
Proposal for a regulation
Article 42 – paragraph 5
Article 42 – paragraph 5
5. Where the appropriate safeguards with respect to the protection of personal data are not provided for in a legally binding instrument, the controller or processor shall obtain prior authorisation for the transfer, or a set of transfers, or for provisions to be inserted into administrative arrangements providing the basis for such transfer. Such authorisation by the supervisory authority shall be in accordance with point (a) of Article 34(1). If the transfer is related to processing activities which concern data subjects in another Member State or other Member States, or substantially affect the free movement of personal data within the Union, the supervisory authority shall apply the consistency mechanism referred to in Article 57. Authorisations by a supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid, until amended, replaced or repealed by that supervisory authority.
Amendment 2493 #
Proposal for a regulation
Article 44 – paragraph 1 – introductory part
Article 44 – paragraph 1 – introductory part
1. In the absence of an adequacy decision pursuant to Article 41 or of appropriate safeguards pursuant to Article 42, a transfer or a set of transfers of personal data to a third country or an international organisation may take place, to the extent that the processing is not massive, not repetitive and not structural, only on condition that:
Amendment 2497 #
Proposal for a regulation
Article 44 – paragraph 1 – point a
Article 44 – paragraph 1 – point a
(a) the data subject has consented to the proposed transfer, after having been informed of the risks of such transfers due to the absence of an adequacy decision and appropriate safeguards; orand
Amendment 2498 #
Proposal for a regulation
Article 44 – paragraph 1 – point d
Article 44 – paragraph 1 – point d
Amendment 2516 #
Proposal for a regulation
Article 44 – paragraph 5
Article 44 – paragraph 5
Amendment 2527 #
Proposal for a regulation
Article 44 – paragraph 7
Article 44 – paragraph 7
Amendment 2531 #
Proposal for a regulation
Article 44 a (new)
Article 44 a (new)
Article 44a Transfers to cloud services under third country jurisdiction The transfer of personal data to cloud services under the jurisdiction of a third country shall be prohibited, unless: (a) one of the legal grounds for transfer of personal data to third countries listed in this Chapter is applied; and (b) the data subject has given consent; and (c) the consent has been given by the data subject after having been informed in clear, unambiguous and warning language through a separate and prominently visible reference to: (i) the possibility of the personal data being subject to intelligence gathering or surveillance by third-country authorities; and (ii) the risk that the protection of personal data and fundamental rights provided by Union and Member State law cannot be guaranteed, despite the legal basis of the transfer.
Amendment 2533 #
Proposal for a regulation
Article 45 – paragraph 1 – point a
Article 45 – paragraph 1 – point a
(a) develop effective international co- operation mechanisms to facilitatensure the enforcement of legislation for the protection of personal data;
Amendment 2534 #
Proposal for a regulation
Article 45 – paragraph 1 – point d a (new)
Article 45 – paragraph 1 – point d a (new)
(da) clarify and resolve jurisdictional conflicts with third countries.
Amendment 2629 #
Proposal for a regulation
Article 53 – paragraph 2 – subparagraph 1 – point a
Article 53 – paragraph 2 – subparagraph 1 – point a
(a) access to all personal data and to all documents and information necessary for the performance of its duties;
Amendment 2746 #
Proposal for a regulation
Article 66 – paragraph 1 – point g a (new)
Article 66 – paragraph 1 – point g a (new)
(ga) provide assistance or litigate on behalf of the supervisory authority, at the request of that supervisory authority, when the resources of the supervisory authority are insufficient to effectively take up a case before any court;
Amendment 2750 #
Proposal for a regulation
Article 66 – paragraph 1 – point g b (new)
Article 66 – paragraph 1 – point g b (new)
(gb) The European Data Protection Board shall work in a transparent way and, where appropriate, consult stakeholders when developing specifications, opinions, guidelines or other output on the basis of this Regulation.
Amendment 2771 #
Proposal for a regulation
Article 71 a (new)
Article 71 a (new)
Amendment 2844 #
Proposal for a regulation
Article 79 – title
Article 79 – title
Amendment 2948 #
Proposal for a regulation
Article 79 – paragraph 7 a (new)
Article 79 – paragraph 7 a (new)
7a. The Commission shall bring forward a legislative proposal for the purpose of specifying the criteria and requirements for the joint and several liability of the board of the controller and the processor, and in particular the board member referred to in Article 37a, in cases of non- compliance with the provisions of this Regulation within one year after the entry into force of this Regulation.
Amendment 2949 #
Proposal for a regulation
Article 79 – paragraph 7 b (new)
Article 79 – paragraph 7 b (new)
7b. The Commission shall bring forward a legislative proposal for the purpose of specifying the criteria and requirements for administrative and criminal sanctions against the board, in particular the board member referred to in Article 37a, in cases of non-compliance with the provisions of this Regulation causing, or having caused, damage to data subjects, within one year after the entry into force of this Regulation.
Amendment 2950 #
Proposal for a regulation
Article 79 – paragraph 7 c (new)
Article 79 – paragraph 7 c (new)
7c. The Commission shall bring forward a legislative proposal for the purpose of specifying the conditions and criteria to guarantee the legal protection of whistleblowers within one year after the entry into force of this Regulation.
Amendment 3100 #
Proposal for a regulation
Article 85
Article 85