44 Amendments of Christel SCHALDEMOSE related to 2012/0011(COD)
Amendment 94
Proposal for a regulation
Recital 11
(11) In order to ensure a consistent level of protection for individuals throughout the Union and to prevent divergences hampering the free movement of data within the internal market, a Regulation is necessary to provide legal certainty and transparency for economic operators, including micro, small and medium-sized enterprises, and to provide individuals in all Member States with the same level of legally enforceable rights and obligations and responsibilities for controllers and processors, to ensure consistent monitoring of the processing of personal data, and equivalent sanctions in all Member States as well as effective co-operation by the supervisory authorities of different Member States. To take account of the specific situation of micro, small and medium-sized enterprises, this Regulation includes a number of derogations. In addition, the Union institutions and bodies, Member States and their supervisory authorities are encouraged to take account of the specific needs of micro, small and medium-sized enterprises in the application of this Regulation. The notion of micro, small and medium-sized enterprises should draw upon Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises.
Amendment 98
Proposal for a regulation
Recital 23 a (new)
(23 a) Following the principle of data protection by default, online services and products must initially be set on maximum protection of personal information and data without demanding any action from the data subject.
Amendment 100
Proposal for a regulation
Recital 24
(24) When using online services, individuals may be associated with online identifiers provided by their devices, applications, tools and protocols, such as Internet Protocol addresses or cookie identifiers. This may leave traces which, combined with unique identifiers and other information received by the servers, may be used to create profiles of the individuals and identify them. It follows that identification numbers, location data, online identifiers or other specific factors as such need not necessarily should as a principle be considered as personal data in all circumstances.
Amendment 122
Proposal for a regulation
Recital 40 a (new)
(40 a) In general, harmonisation of the Union law as regards data protection must not take away the possibility of Member States to practice sector specific legislation, inter alia in the field of register-based research.
Amendment 123
Proposal for a regulation
Recital 40 b (new)
(40 b) Processing of personal data collected for another purpose can be made available for public scientific research when a scientific relevance of the processing of the collected data can be documented. Privacy by design must be taken into account when making data available for public scientific research.
Amendment 124
Proposal for a regulation
Recital 42
(42) Derogating from the prohibition on processing sensitive categories of data should also be allowed if done by a law, and subject to suitable safeguards, so as to protect personal data and other fundamental rights, where grounds of public interest so justify and in particular for health purposes, including public health and social protection and the management of health-care services, including information sent via electronic text messages or e-mail to patients regarding appointments at hospitals or clinics, especially in order to ensure the quality and cost-effectiveness of the procedures used for settling claims for benefits and services in the health insurance system, or for historical, statistical and scientific research purposes.
Amendment 131
Proposal for a regulation
Recital 61 a (new)
(61 a) The principle of data protection by design requires data protection to be embedded within the entire life cycle of the technology, from the very early design stage, right through to their ultimate deployment, use and ultimate disposal. The principle of data protection by default requires that privacy settings on services and products should by default comply with the general principles of data protection, such as data minimisation and purpose limitation.
Amendment 138
Proposal for a regulation
Recital 67
(67) A personal data breach may, if not addressed in an adequate and timely manner, result in substantial economic loss and social harm, including identity fraud, to the individual concerned. Therefore, as soon as the controller becomes aware that such a breach has occurred, the controller should notify the breach to the supervisory authority without undue delay and, where feasible, within 724 hours. Where this cannot be achieved within 724 hours, an explanation of the reasons for the delay should accompany the notification. The individuals whose personal data could be adversely affected by the breach and which is likely to lead to significant risk of harm to the data subject, thereby avoiding information overload for the data subject, should be notified without undue delay in order to allow them to take the necessary precautions. A breach should be considered as adversely affecting the personal data or privacy of a data subject where it could result in, for example, identity theft or fraud, physical harm, significant humiliation or damage to reputation. The notification should describe the nature of the personal data breach as well as recommendations for the individual concerned to mitigate potential adverse effects. Notifications to data subjects should be made as soon as reasonably feasible, and in close cooperation with the supervisory authority and respecting guidance provided by it or other relevant authorities (e.g. law enforcement authorities). For example, the chance for data subjects to mitigate an immediate risk of harm would call for a prompt notification of data subjects whereas the need to implement appropriate measures against continuing or similar data breaches may justify a longer delay.
Amendment 152
Proposal for a regulation
Article 2 – paragraph 2 – point e a (new)
(e a) in areas covered by Articles 153, 154 and 155 of the Treaty of the Functioning of the European Union (TFEU) regarding regulation of recruitment and conclusion and compliance of collective agreements.
Amendment 156
Proposal for a regulation
Article 3 – paragraph 1
1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, whether the processing takes place in the Union or not.
Amendment 161
Proposal for a regulation
Article 4 – paragraph 1 – point 1
(1) ‘data subject’ means an identified natural person or a natural person who can be identified, directly or indirectly, by means reasonably or singled out and treated differently, by means likely to be used by the controller or by any other natural or legal person, in particular by reference to an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person;
Amendment 162
Proposal for a regulation
Article 4 – paragraph 1 – point 1
(1) ‘data subject’ means an identified natural person or a natural person who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an identification number, location data, Internet Protocol addresses, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person;
Amendment 195
Proposal for a regulation
Article 6 – paragraph 1 – point f a (new)
(f a) The processing of data, inter alia information of members of an organisation, which is done by the organisation in question in compliance with its statutory rules, is of utmost importance for the data controller in voluntary membership based organisations.
Amendment 214
Proposal for a regulation
Article 7 – paragraph 4 a (new)
4 a. Access to a given consent in regards to Article 6, paragraph 1 (a), as well as Article 9, paragraph 2 (a), can be limited in cases where internal rules of organisations regarding fraud and of crime prevention reasons, in accordance with legislation of the Member State, are enforced.
Amendment 216
Proposal for a regulation
Article 7 – paragraph 4 b (new)
4 b. This provision shall not apply to the right of the employer to process data on the basis of consent by the employee nor the right of public authorities to process data on the basis of consent by the citizen.
Amendment 217
Proposal for a regulation
Article 8 – paragraph 1
1. For the purposes of this Regulation, in relation to the offering of information society services directly to a child, the processing of personal data of a child below the age of 1318 years shall only be lawful if and to the extent that consent is given or authorised by the child's parent or custodian. The controller shall make reasonable efforts to obtain verifiable consent, taking into consideration available technology without causing unnecessary processing of data besides the purpose of the consent.
Amendment 237
Proposal for a regulation
Article 12 – paragraph 1
1. The controller shall establish procedures for providing the information referred to in Article 14 and for the exercise of the rights of data subjects referred to in Article 13 and Articles 15 to 19. The controller shall provide in particular mechanisms for facilitating the request for the actions referred to in Article 13 and Articles 15 to 19. Where personal data are processed by automated means, the controller shall also provide means for requests to be made electronically. The procedures referred to in this Article can be procedures already established by public authorities in the Member States provided that the procedures comply with the provisions of the Regulation.
Amendment 260
Proposal for a regulation
Article 15 – paragraph 2
2. The data subject shall have the right to obtain from the controller communication of the personal data undergoing processing and profiling. Where the data subject makes the request in electronic form, the information shall be provided in electronic form, unless otherwise requested by the data subject.
Amendment 262
Proposal for a regulation
Article 15 – paragraph 4 a (new)
4 a. Subject to the necessary legal safeguards, especially in order to ensure that information is not used to take measures or decisions regarding specific persons, Member States can, in cases with no risk of violation of privacy, by law limit the rights following article 15 only if these rights are processed as part of scientific research in compliance with article 83 of this Regulation or only if these personal data are stored in the specific timeframe it takes to make statistics.
Amendment 265
Proposal for a regulation
Article 17 a (new)
Article 17 a In compliance with the data requirements of this Regulation, especially privacy by design, the provisions in paragraph 4 and 6 of this Article do not change the right of public authorities to store data to have the possibility of having documentary evidence of a given case history.
Amendment 293
Proposal for a regulation
Article 20 – paragraph 1
1. Every natural person shall have the right both offline and online not to be subject to a measure which produces legal effects concerning this natural person or significantly affects this natural person, and which is based solely on automated processing intended to evaluate certain personal aspects relating to this natural person or to analyse or predict in particular the natural person's performance at work, economic situation, location, health, personal preferences, reliability or behaviour. Children cannot be subject to a measure of this article.
Amendment 323
Proposal for a regulation
Article 23 – paragraph 1
1. Having regard to the state of the art and the cost of implementation, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
Amendment 325
Proposal for a regulation
Article 23 – paragraph 1 a (new)
1 a. Anonymisation or pseudonymisation of personal data should be applied by the data processor where feasible and proportionate according to the purpose of processing.
Amendment 327
Proposal for a regulation
Article 23 – paragraph 2
2. The controller shall implement mechanisms for ensuring that, by default, only those personal data are processed which are necessary for each specific purpose of the processing, that the settings automatically comply with the general principles of data protection of this Regulation, and are especially not collected or retained beyond the minimum necessary for those purposes, both in terms of the amount of the data and the time of their storage. In particular, those mechanisms shall ensure that by default personal data are not made accessible to an indefinite number of individuals.
Amendment 335
Proposal for a regulation
Article 26 – paragraph 2 – point h a (new)
(h a) When a processor is processing data on behalf of the controller, the processor must implement privacy by design and privacy by default.
Amendment 346
Proposal for a regulation
Article 28 – paragraph 4 a (new)
4 a. a public authority when dealing with data other than personal sensitive data as referred to in Article 9, paragraph 1, of this Regulation.
Amendment 347
Proposal for a regulation
Article 28 – paragraph 4 – point b
Amendment 368
Proposal for a regulation
Article 32 – paragraph 1
1. When the personal data breach is likely to adversely affect the protection of the personal data or privacy of the data subject, inter alia by identity theft or fraud, physical harm, significant humiliation or damage to reputation, the controller shall, after the notification referred to in Article 31, communicate the personal data breach to the data subject without undue delay in a clear and concise manner without undue delay and within 72 hours.
Amendment 370
Proposal for a regulation
Article 32 – paragraph 2
2. The communication to the data subject referred to in paragraph 1 shall describe the nature of the personal data breach and contain at least the information and the recommendations provided for in points (b), (c) and (cd) of Article 31(3).
Amendment 389
Proposal for a regulation
Article 35 – paragraph 1 – point b
Amendment 407
Proposal for a regulation
Article 73 – paragraph 1
1. Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority in any Member State if they consider that the processing of personal data relating to them does not comply with this Regulation. This complaint must not inflict costs on the data subject.
Amendment 414
Proposal for a regulation
Article 77 – paragraph 1
1. Any person who has suffered material or immaterial damage as a result of an unlawful processing operation or of an action incompatible with this Regulation shall have the right to receive compensation from the controller or the processor for the damage suffered.
Amendment 426
Proposal for a regulation
Article 79 – paragraph 3 – point b
Amendment 441
Proposal for a regulation
Article 82 – paragraph 1
1. Within the limits of this Regulation, Member States may adopt by law specific rules regulating the processing of employees' personal data in the employment context, in particular for the purposes of the recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organisation of work, health and safety at work, and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship. This Regulation must, in accordance with the principles of Article 5, respect collective agreements regarding decentralized regulation of the employer's data processing concluded in accordance with this Regulation.
Amendment 445
Proposal for a regulation
Article 83 – paragraph 3 a (new)
3 a. Member States can adopt specific measures to regulate the processing of personal data for historical, statistical or scientific purposes while respecting the provisions of paragraph 1 and 2 of this article as well as respecting the Charter of Fundamental Rights of the European Union.
Amendment 446
Proposal for a regulation
Article 83 – paragraph 3 b (new)
3 b. A Member State adopting specific measures according to article 83, paragraph 3a, must inform the Commission about the adopted measures prior to the date set in article 91, paragraph 2, and without undue delay inform the Commission about eventual changes at a later stage of the measures.
Amendment 468
Proposal for a regulation
Recital 40
(40) The processing of personal data for other purposes should be only allowed where the processing is compatible with those purposes for which the data have been initially collected, in particular where the processing is necessary for historical, statistical or scientific research purposes. Where the other purpose is not compatible with the initial one for which the data are collected, the controller should obtain the consent of the data subject for this other purpose or should base the processing on another legitimate ground for lawful processing, in particular where provided by Union law or the law of the Member State to which the controller is subject. In any case, the application of the principles set out by this Regulation and in particular the information of the data subject on those other purposes should be ensured.
Amendment 473
Proposal for a regulation
Recital 42
(42) Derogating from the prohibition on processing sensitive categories of data should also be allowed if done by a law, and subject to suitable safeguards, so as to protect personal data and other fundamental rights, where grounds of public interest so justify and in particular for health purposes, including public health and social protection and the management of health-care services, especially in order to ensure the quality and cost-effectiveness of the procedures used for settling claims for benefits and services in the health insurance system, or for historical, statistical and scientific research purposes.
Amendment 495
Proposal for a regulation
Recital 53
(53) Any person should have the right to have personal data concerning them rectified and a ‘right to be forgotten’ where the retention of such data is not in compliance with this Regulation. In particular, data subjects should have the right that their personal data are erased and no longer processed, where the data are no longer necessary in relation to the purposes for which the data are collected or otherwise processed, where data subjects have withdrawn their consent for processing or where they object to the processing of personal data concerning them or where the processing of their personal data otherwise does not comply with this Regulation. This right is particularly relevant, when the data subject has given their consent as a child, when not being fully aware of the risks involved by the processing, and later wants to remove such personal data especially on the Internet. However, the further retention of the data should be allowed where it is necessary for historical, statistical and scientific research purposes, for reasons of public interest in the area of public health, for exercising the right of freedom of expression, when required by law or where there is a reason to restrict the processing of the data instead of erasing them.
Amendment 641
Proposal for a regulation
Recital 125
(125) The processing of personal data for the purposes of historical, statistical or scientific research should, in order to be lawful, also respect other relevant legislation such as on clinical trials. This includes the use of ‘ethics committee’ in accordance with Directive 2001/20/EC of the European Parliament and of the Council of 4 April 2001 on the approximation of the laws, regulations and administrative provisions of the Member States relating to the implementation of good clinical practice in the conduct of clinical trials on medicinal products for human use.
Amendment 920
Proposal for a regulation
Article 6 – paragraph 2
2. Processing of personal data which is necessary for the purposes of historical, statistical or scientific research purposes shall be lawful subject to the conditions and safeguards referred to in Article 83.
Amendment 1437
Proposal for a regulation
Article 17 – paragraph 3 – point c
(c) for historical, statistical and scientific research purposes in accordance with Article 83;
Amendment 3049
Proposal for a regulation
Article 83 – title
Processing for historical, statistical and scientific research purposes
Amendment 3053
Proposal for a regulation
Article 83 – paragraph 1 – point a
(a) these purposes cannot be otherwise fulfilled by processing data which does not permit or not any longer permit the identification of the data subject anonymous data;