[ParlTrack]

Proposal for a regulation
Article 28 – paragraph 1

1. Each controller ~~and processor~~ and, if any, the controller's representative, shall maintain documentation of ~~all processing operations~~the main categories of processing under its responsibility.

2013/03/06
Committee: LIBE

Louis MICHEL

Proposal for a regulation
Article 28 – paragraph 2 – introductory part

2. ~~The~~Such documentation shall contain ~~at least~~ the following information:

2013/03/06
Committee: LIBE

Louis MICHEL

Proposal for a regulation
Article 28 – paragraph 2 – point a

(a) the name and contact details of the controller~~, or any joint controller or processor,~~ and of the representative, if any;

2013/03/06
Committee: LIBE

Louis MICHEL

Proposal for a regulation
Article 28 – paragraph 2 – point b

(b) the name and contact details of the data protection organisation or data protection officer, if any;

2013/03/06
Committee: LIBE

Louis MICHEL

Proposal for a regulation
Article 28 – paragraph 2 – point c

(c) the generic purposes of the processing~~, including the legitimate interests pursued by the controller where the processing is based on point (f) of Article 6(1)~~;

2013/03/06
Committee: LIBE

Louis MICHEL

Proposal for a regulation
Article 28 – paragraph 2 – point e

~~(e) the recipients or categories of recipients of the personal data, including the controllers to whom personal data are disclosed for the legitimate interest pursued by them;~~deleted

2013/03/06
Committee: LIBE

Louis MICHEL

Proposal for a regulation
Article 28 – paragraph 2 – point f

(f) where applicable, transfers of personal data to a ~~third country or an international organisation, including the identification of that~~ third country or an international organisation, and, in case of transfers referred to in point (h) of Article 44(1), ~~the documentation of appropriate~~a reference to safeguards employed;

2013/03/06
Committee: LIBE

Louis MICHEL

Proposal for a regulation
Article 28 – paragraph 2 – point g (new)

(g) a general indication of the time limits for erasure ofr data retention policy applicable to the different categories of data;

2013/03/06
Committee: LIBE

Louis MICHEL

Proposal for a regulation
Article 28 – paragraph 2 – point h

~~(h) the description of the mechanisms referred to in Article 22(3).~~deleted

2013/03/06
Committee: LIBE

Louis MICHEL

Proposal for a regulation
Article 28 – paragraph 3

3. The controller ~~and the processor~~ and, if any, the controller's representative, shall make the documentation available, on request, to the supervisory authority.

2013/03/06
Committee: LIBE

Louis MICHEL

Proposal for a regulation
Article 28 – paragraph 3 a (new)

3a. In the case of a group of undertakings where each data controller within the group of undertakings carries out substantively the same type of processing operation, only one set of documentation shall be kept at group level.

2013/03/06
Committee: LIBE

Louis MICHEL

Proposal for a regulation
Article 28 – paragraph 3 b (new)

3b. Where a controller engages a processor, the controller shall be responsible for maintaining the documentation referred to in Article 28(1) and can require the processor to provide assistance in compiling the information.

2013/03/06
Committee: LIBE

Louis MICHEL

Proposal for a regulation
Article 28 – paragraph 4 – introductory part

4. The obligations referred to in paragraphs 1 and 2 shall not apply to the following controllers ~~and processors~~:

2013/03/06
Committee: LIBE

Louis MICHEL

Proposal for a regulation
Article 28 – paragraph 5

~~5. The Commission shall be empowered to adopt~~ delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the documentation referred to in paragraph 1, to take account of in particular the responsibilities of the controller and the processor and, if any, the controller's representative.

2013/03/06
Committee: LIBE

Louis MICHEL

Proposal for a regulation
Article 28 – paragraph 6

6. To ensure harmonized requirements within the Union, the Commission may lay down standard forms for the documentation referred to in paragraph 1. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

2013/03/06
Committee: LIBE

Louis MICHEL

Proposal for a regulation
Article 31 – paragraph 1

1. In the case of a personal data breach~~, the controller shall without undue delay and, wh~~ which causes or is likely to cause significant adverse ~~feasible, not later than 24 hours after having become aware of it, notify the personal data breach to the supervisory authority. The notification to~~effect on the privacy of the data subject, the controller shall after having become aware, fully investigated and confirmed it, without undue delay, notify the super~~visory authority shall be accompanied by a reasoned justification in cases where it is not made within 24 hours~~sonal data breach to the supervisory authority.

2013/03/06
Committee: LIBE

Louis MICHEL

Proposal for a regulation
Article 31 – paragraph 3 – introductory part

3. The notification referred to in paragraph 1 must ~~at least~~if possible:

2013/03/06
Committee: LIBE

Louis MICHEL

Proposal for a regulation
Article 31 – paragraph 3 – point b

(b) communicate the ~~identity and~~ contact details of the ~~data protection offic~~controller or other contact point where more information can be obtained;

2013/03/06
Committee: LIBE

Louis MICHEL

Proposal for a regulation
Article 31 – paragraph 3 a (new)

3a. The notification referred to in paragraph 1 shall not be required if the controller or the processor has implemented appropriate technological measures, which were applied to the data concerned by the personal data breach, such as measures which render the data unintelligible to any person who is not authorised to access it.

2013/03/06
Committee: LIBE

Louis MICHEL

Proposal for a regulation
Article 31 – paragraph 4

4. The controller shall document ~~any personal~~ data breaches referred to in paragraph 1, comprising the facts surrounding the breach, its effects and the remedial action taken. This documentation must enable the supervisory authority to verify compliance with this Article. The documentation shall only include the information necessary for that purpose.

2013/03/06
Committee: LIBE

Louis MICHEL

Proposal for a regulation
Article 31 – paragraph 5

~~5. The Commission shall be empowered to adopt~~ delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for establishing the data breach referred to in paragraphs 1 and 2 and for the particular circumstances in which a controller and a processor is required to notify the personal data breach.

2013/03/06
Committee: LIBE

Louis MICHEL

Proposal for a regulation
Article 31 – paragraph 6

6. The Commission may lay down the standard format of such notification to the supervisory authority, the procedures applicable to the notification requirement and the form and the modalities for the documentation referred to in paragraph 4, including the time limits for erasure of the information contained therein. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).deleted

2013/03/06
Committee: LIBE

Louis MICHEL

Proposal for a regulation
Article 32 – paragraph 1

1. When the personal data breach causes or is likely to cause significant adverse~~ly a~~ effect on the pr~~otection of the personal data or privacy of the~~ivacy of the data subject and minimizing of the harm requires action by data subjects, the controller shall, after the notification referred to in Article 31, communicate the personal data breach to the data subject without undue delay unless this is disproportionally difficult. When communication to data subjects would risk causing further serious harm to the protection of the personal data or privacy of the data subject, the controller may, after consulting with the supervisory authority, delay communication to data subjects until such risk no longer prevails.

2013/03/06
Committee: LIBE

Louis MICHEL

Proposal for a regulation
Article 32 – paragraph 3

3. The communication of a personal data breach to the data subject shall not be required if the controller demonstrates to the satisfaction of the supervisory authority that it has implemented appropriate technological protection measures, and that those measures were applied to the data concerned by the personal data breach. Such technological protection measures shall have the purpose to render the data unintelligible to any person who is not authorised to access ithem, taking into account the nature of the data, the state of the art and the cost.

2013/03/06
Committee: LIBE

Louis MICHEL

Proposal for a regulation
Article 32 – paragraph 5

~~5. The Commission shall be empowered to adopt~~ delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements as to the circumstances in which a personal data breach is likely to adversely affect the personal data referred to in paragraph 1.

2013/03/06
Committee: LIBE

Louis MICHEL

Proposal for a regulation
Article 32 – paragraph 6

6. The Commission may lay down the format of the communication to the data subject referred to in paragraph 1 and the procedures applicable to that communication. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).deleted

2013/03/06
Committee: LIBE

Louis MICHEL

Proposal for a regulation
Article 33 – paragraph 1

1. Where processing operations present specific high degree of risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes~~, the controller or the processor acting on~~ or when the DPA decides that a privacy impact assessment is necessary, the controller~~'s behalf~~ shall carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.

2013/03/06
Committee: LIBE

Louis MICHEL

Proposal for a regulation
Article 33 – paragraph 2 – introductory part

2. The following processing operations ~~in particular~~are likely to present specific high degree of risks referred to in paragraph 1:

2013/03/06
Committee: LIBE

Louis MICHEL

Proposal for a regulation
Article 33 – paragraph 2 – point a

(a) taking into account the exceptions of Article 20(2)(c) and the restrictions of Article 21, a systematic and extensive evaluation of personal aspects relating to a natural person or for analysing or predicting in particular the natural person's economic situation, location, health, personal preferences, or reliability ~~or behaviour~~, which is solely based on automated processing and on which ~~measure~~decisions are based that produce legal effects concerning the individual or ~~significant~~adversely affect the ~~individual~~fundamental rights of a data subject in a significantly negative manner;

2013/03/06
Committee: LIBE

Louis MICHEL

Proposal for a regulation
Article 33 – paragraph 2 – point c

(c) monitoring publicly accessible areas, ~~especially w~~involving then us~~ing optic-electronic devices (video surveillance) on a large scale~~e of specific techniques such as facial recognition, or not answering to the reasonable expectations of the general public;

2013/03/06
Committee: LIBE

Louis MICHEL

Proposal for a regulation
Article 33 – paragraph 2 – point e

~~(e) other processing operations for which the consultation of the supervisory authority is required pursuant to point (b) of Article 34(2).~~deleted

2013/03/06
Committee: LIBE

Louis MICHEL

Proposal for a regulation
Article 33 – paragraph 3

3. The assessment shall contain at least a general description of the envisaged processing operations, an assessment of the risks to the rights and freedoms of data subjects, the measures envisaged to address the risks, safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation, taking into account the rights and legitimate interests of data subjects and other persons concerned.deleted

2013/03/06
Committee: LIBE

Louis MICHEL

Proposal for a regulation
Article 33 – paragraph 4

4. The controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of the processing operations.deleted

2013/03/06
Committee: LIBE

Louis MICHEL

Proposal for a regulation
Article 33 – paragraph 5

5. Where the controller is a public authority or body and where the processing results from a legal obligation pursuant to point (c) of Article 6(1) providing for rules and procedures pertaining to the processing operations and regulated by Union or Member State law, paragraphs 1 to 4 shall not apply, unless Member States deem it necessary to carry out such assessment prior to the processing activities.

2013/03/06
Committee: LIBE

Louis MICHEL

Proposal for a regulation
Article 33 – paragraph 6

~~6. The Commission shall be empowered to adopt~~ delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and conditions for the processing operations likely to present specific risks referred to in paragraphs 1 and 2 and the requirements for the assessment referred to in paragraph 3, including conditions for scalability, verification and auditability. In doing so, the Commission shall consider specific measures for micro, small and medium- sized enterprises.

2013/03/06
Committee: LIBE

Louis MICHEL

Proposal for a regulation
Article 33 – paragraph 7

7. The Commission may specify standards and procedures for carrying out and verifying and auditing the assessment referred to in paragraph 3. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).deleted

2013/03/06
Committee: LIBE

36 Amendments of Louis MICHEL related to 2011/0011(COD)

ParlTrack - 2011-2024