31 Amendments of Adina VĂLEAN related to 2011/0011(COD)
Amendment 1832 #
Proposal for a regulation
Article 28 – paragraph 1
Article 28 – paragraph 1
1. Each controller and processor and, if any, the controller's representative, shall maintain documentation of all processing operations under its responsibility.
Amendment 1842 #
Proposal for a regulation
Article 28 – paragraph 1 a (new)
Article 28 – paragraph 1 a (new)
1a. The obligation made to the controller shall not apply to SMEs processing data only as an activity ancillary to the sale of goods or services. Ancillary activity should be defined as business or non- trade activity that is not associated with the core activities of a firm. In relation to data protection, data processing activities which do not represent more than 50% of company's turnover shall be considered ancillary.
Amendment 1854 #
Proposal for a regulation
Article 28 – paragraph 2 – point c
Article 28 – paragraph 2 – point c
Amendment 1857 #
Proposal for a regulation
Article 28 – paragraph 2 – point d
Article 28 – paragraph 2 – point d
Amendment 1859 #
Proposal for a regulation
Article 28 – paragraph 2 – point e
Article 28 – paragraph 2 – point e
Amendment 1863 #
Proposal for a regulation
Article 28 – paragraph 2 – point f
Article 28 – paragraph 2 – point f
Amendment 1866 #
Proposal for a regulation
Article 28 – paragraph 2 – point g
Article 28 – paragraph 2 – point g
Amendment 1874 #
Proposal for a regulation
Article 28 – paragraph 2 – point h
Article 28 – paragraph 2 – point h
Amendment 1881 #
Proposal for a regulation
Article 28 – paragraph 3
Article 28 – paragraph 3
3. The controller and the processor and, if any, the controller's representative, shall make the documentation available, on request, to the supervisory authority.
Amendment 1894 #
Proposal for a regulation
Article 28 – paragraph 4 – introductory part
Article 28 – paragraph 4 – introductory part
4. The obligations referred to in paragraphs 1 and 2 shall not apply to the following controllers and processors:
Amendment 1906 #
Proposal for a regulation
Article 28 – paragraph 5
Article 28 – paragraph 5
Amendment 1909 #
Proposal for a regulation
Article 28 – paragraph 5
Article 28 – paragraph 5
Amendment 1919 #
Proposal for a regulation
Article 29 – paragraph 1
Article 29 – paragraph 1
1. The controller and the processor and, if any, the representative of the controller, shall co-operate, on request, with the supervisory authority in the performance of its duties, in particular by providing the information referred to in point (a) of Article 53(2) and by granting access as provided in point (b) of that paragraph. The controller and the processor and, if any, the representative of the controller, shall make the documentation available, on the basis of a request outlining the reasons for requiring access to the documents, to the supervisory authority.
Amendment 1923 #
Proposal for a regulation
Article 30 – paragraph 1
Article 30 – paragraph 1
1. The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected, having regard to the state of the art and the costs of their implementation.
Amendment 1933 #
Proposal for a regulation
Article 30 – paragraph 2 a (new)
Article 30 – paragraph 2 a (new)
2a. The legal obligations, as referred to in paragraphs 1 and 2, which would require processing of personal data to the extent strictly necessary for the purposes of ensuring network and information security, constitute a legitimate interest pursued by, or on behalf of a data controller or processor.
Amendment 1936 #
Proposal for a regulation
Article 30 – paragraph 3
Article 30 – paragraph 3
Amendment 1942 #
Proposal for a regulation
Article 30 – paragraph 4
Article 30 – paragraph 4
Amendment 1955 #
Proposal for a regulation
Article 31 – paragraph 1
Article 31 – paragraph 1
1. In the case of a personal data breach, twhe controller shall without undue dn the breach is likely to adverselay and, where feasible, not later than 24 hours after having become aware of it, notify the personal data breach to the supervisory authority. The notification toffect the protection of the personal data or the privacy of the data subject, the controller shall without undue delay notify the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 24 hourssonal data breach to the supervisory authority.
Amendment 1964 #
Proposal for a regulation
Article 31 – paragraph 2
Article 31 – paragraph 2
2. Pursuant to point (f) of Article 26(2), the processor shall alert and inform the controller immediatwithout undue delay after the establishmentidentification of a personal data breach that is likely to produce adverse legal effects to the protection of athe personal data breachor the privacy of the data subject.
Amendment 1972 #
Proposal for a regulation
Article 31 – paragraph 3 – point e
Article 31 – paragraph 3 – point e
(e) describe the measures proposed or taken by the controller to address the personal data breach and/or mitigate its effects.
Amendment 1977 #
Proposal for a regulation
Article 31 – paragraph 4
Article 31 – paragraph 4
4. The controller shall document any personal data breaches, comprising the facts surrounding the breach, its effects and the remedial action taken. This documentation must be sufficient to enable the supervisory authority to verify compliance with this Article. The documentation shall only include the information necessary for that purpose.
Amendment 1995 #
Proposal for a regulation
Article 31 – paragraph 6
Article 31 – paragraph 6
6. The Commission may lay down the standard format of such notification to the supervisory authority, and the procedures applicable to the notification requirement and the form and the modalities for the documentation referred to in paragraph 4, including the time limits for erasure of the information contained therein. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2)filing of reports.
Amendment 2015 #
Proposal for a regulation
Article 32 a (new)
Article 32 a (new)
Article 32a Communication of a personal data breach to other organisations A controller that communicates a personal data breach to a data subject pursuant to Article 32 may notify another organisation, a government institution or a part of a government institution of the personal data breach if that organisation, government institution or part may be able to reduce the risk of the harm that could result from it or mitigate that harm. Such notifications can be done without informing the data subject if the disclosure is made solely for the purposes of reducing the risk of the harm to the data subject that could result from the breach or mitigating that harm.
Amendment 2022 #
Proposal for a regulation
Article 33 – paragraph 1
Article 33 – paragraph 1
1. Where processing operations present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes, the controller or the processor acting on the controller's behalf shall carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment shall be sufficient to address a set of processing operations that present similar risks.
Amendment 2026 #
Proposal for a regulation
Article 33 – paragraph 1 a (new)
Article 33 – paragraph 1 a (new)
1a. SMEs shall only be required to perform an impact assessment after their 3rd year of incorporation if data processing is deemed as a core activity of their business. That is, where sale or revenue from processing makes up for 50% of the SMEs revenue.
Amendment 2030 #
Proposal for a regulation
Article 33 – paragraph 2 – point a
Article 33 – paragraph 2 – point a
(a) a systematic and extensive evaluation of personal aspects relating to a natural person or for analysing or predicting in particular the natural person's economic situation, location, health, personal preferences, reliability or behaviour, which is based on automated processing and on which measures are based that produce adverse legal effects concerning the individual or significantly affect the individualto the privacy of the data subject;
Amendment 2033 #
Proposal for a regulation
Article 33 – paragraph 2 – point b
Article 33 – paragraph 2 – point b
(b) information on sex life, health, political opinions, religious beliefs, criminal convictions, race and ethnic origin or for the provision of health care, epidemiological researches, or surveys of mental or infectious diseases, where the data are processed for taking measures or decisions regarding specific individuals on a large scale;
Amendment 2053 #
Proposal for a regulation
Article 33 – paragraph 4
Article 33 – paragraph 4
Amendment 2056 #
Proposal for a regulation
Article 33 – paragraph 4
Article 33 – paragraph 4
Amendment 2075 #
Proposal for a regulation
Article 33 – paragraph 6
Article 33 – paragraph 6
Amendment 2086 #
Proposal for a regulation
Article 33 – paragraph 7
Article 33 – paragraph 7