Activities of Axel VOSS related to 2012/0011(COD)
Legal basis opinions (0)
Amendments (310)
Amendment 366 #
Proposal for a regulation
Recital 15
Recital 15
(15) This Regulation should not apply to processing of personal data by a natural person, which are exclusively personal or domestic, such as correspondence and the holding of addresses, and without any gainful interest and thus or a private sale and without any connection with a professional or commercial activity. The exemption should also not apply to controllers or processors which provide the means for processing, irrespective of the number of personals the data for such personal or domestic activitiesare made available to.
Amendment 370 #
Proposal for a regulation
Recital 15 a (new)
Recital 15 a (new)
(15a) This Regulation should not apply to processing personal data by small enterprises which are using personal data exclusively for its own business such as offers and invoices. If there is no risk for the processed personal data that no one else than the enterprise itself is handling the data there is no need for an additional protection than securing the data for access. This exemption should not apply for Articles 15, 16 and 17.
Amendment 396 #
Proposal for a regulation
Recital 23 a (new)
Recital 23 a (new)
(23a) This regulation recognises that pseudonymisation is in the benefit of all data subjects as, by definition, personal data is altered so that it of itself cannot be attributed to a data subject without the use additional data. By this, controllers should be encouraged to the practice of pseudonymising data.
Amendment 400 #
Proposal for a regulation
Recital 24
Recital 24
(24) When using online services, individuals may be associated with online identifiers provided by their devices, applications, tools and protocols, such as Internet Protocol addresses or cookie identifiers. This may leave traces which, combined with unique identifiers and other information received by the servers, may be used to create profiles of the individuals and identify them. It follows that a study should be undertaken, on a case-by-case basis and in accordance with technological developments, of whether identification numbers, location data, online identifiers or other specific factors as such need not necessarily be considered as personal data in all circumstances.
Amendment 413 #
Proposal for a regulation
Recital 25
Recital 25
(25) Consent should be given explicitunambiguously by any appropriate method enabling a freely given specific and informed indication of the data subject’s wishes, either by a statement or by a clear affirmative action by the data subject, ensuring that individuals are aware that they give their consent to the processing of personal data, including by ticking a box when visiting an Internet website or by any other statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of their personal data. Silence or inactivity should therefore not constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. If the data subject’s consent is to be given following an electronic request, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided. The information provided in order for children to express the consent should be given in a clear and age-appropriate language, in a way that it would be easy to understand for a child above the age of 13.
Amendment 414 #
Proposal for a regulation
Recital 25
Recital 25
(25) Consent should be given explicitunambiguously by any appropriate method within the context of the product or the service being offered enabling a freely given specific and informed indication of the data subject’s wishes, either by a statement or by a clear affirmative action by the data subject, ensuring that individuals are aware that they give their consent to the processing of personal data, including by ticking a box when visiting an Internet website or by any other statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of their personal data. Silence or inactivity should therefore not constitute consent. This nevertheless leaves the provisions of 2002/58/EC untouched which state that under certain circumstances consent can be expressed via appropriate settings in the user’s device. Consent should cover all processing activities carried out for the same purpose or purposes. If the data subject’s consent is to be given following an electronic request, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
Amendment 420 #
Proposal for a regulation
Recital 26
Recital 26
(26) Personal data relating to health should include in particular all personal data pertaining to the health status of a data subject including genetic information; information about the registration of the individual for the provision of health services; information about payments or eligibility for healthcare with respect to the individual; a number, symbol or particular assigned to an individual to uniquely identify the individual for health purposes; any information about the individual collected in the course of the provision of health services to the individual; informationpersonal data derived from the testing or examination of a body part or, bodily substance, including or biological samples; identification of a person as provider of healthcare to the individual; or any information on e.g. a disease, disability, disease risk, medical history, clinical treatment, or the actual physiological or biomedical state of the data subject independent of its source, such as e.g. from a physician or other health professional, a hospital, a medical device, or an in vitro diagnostic test.
Amendment 423 #
Proposal for a regulation
Recital 27
Recital 27
(27) TWhere a controller or a processor has multiple establishments in the Union, including but not limited to cases where the controller or the processor is a group of undertakings, the main establishment of a controller in the Union for the purposes of this Regulation should be determined according to objective criteria and should imply the effective and real exercise of management activities determining the main decisions as to the purposes, conditions and means of processing through stable arrangements. This criterion should not depend whether the processing of personal data is actually carried out at that location; the presence and use of technical means and technologies for processing personal data or processing activities do not, in themselves, constitute such main establishment and are therefore not determining criteria for a main establishment. The main establishment of the processor should be the place of its central administrationA group of undertakings may nominate a single main establishment in the Union.
Amendment 425 #
Proposal for a regulation
Recital 29
Recital 29
(29) Children deserve specific protection of their personal data, as they may be less aware of risks, consequences, safeguards and their rights in relation to the processing of personal data and they are also vulnerable consumers. To determine when an individual is a child, this Regulation should take over the definition laid down by the UN Convention on the Rights of the Child. In particular, child-friendly language should be used to ensure the right of consent for children above the age of 13.
Amendment 427 #
Proposal for a regulation
Recital 29
Recital 29
(29) Children deserve specific protection of their personal data, as they may be less aware of risks, consequences, safeguards and their rights in relation to the processing of personal data. To determine when an individual isSuch protection is particularly important in the context of social networks. For the purpose of this regulation a child should be defined as an individual under the age of 18. Where data processing is based on the data subject’s consent in relation to the offering of information society services directly to a child, this Re regulation should take differentiate between children abover the definition laid down by the UN Convention on the Rights ofage of 13 and children under the age of 13 who require a higher level of protection to the extent that consent is given or authorised by the Cchild’s parent or custodian.
Amendment 435 #
Proposal for a regulation
Recital 31
Recital 31
(31) In order for processing to be lawful, personal data should be processed on the basis of the consent of the person concerned or some other legitimate basis, laid down by law, either in this Regulation or in other Union or Member State law as referred to in this Regulation. The allowance of a controller to process personal data should include the allowance to process personal data with other joint controllers and to allow personal data to be processed by a processor established in or outside the European Union.
Amendment 443 #
Proposal for a regulation
Recital 34
Recital 34
Amendment 449 #
Proposal for a regulation
Recital 36
Recital 36
(36) Where processing is carried out in compliance with a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of an official authority, the processing should have a legal basis in Union law, or in a Member State law which meets the requirements of the Charter of Fundamental Rights of the European Union for any limitation of the rights and freedoms. It is also for Union or national law to determine whether the controller performing a task carried out in the public interest or in the exercise of official authority should be a public administration or another natural or legal person governed by public law, or by private law such as a professional association. The data processing may also be performed on the basis of agreements under collective labour law. Agreements under collective labour law are agreements concluded between employers or their representatives and representatives of employees or between these parties and a State entity at national, sectoral or firm level.
Amendment 455 #
Proposal for a regulation
Recital 38
Recital 38
(38) The legitimate interests of a controller or the third party to which the data have been transferred may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding. This would need careful assessment in particular where the data subject is a child, given that children deserve specific protection. The data subject should have the right to object the processing, on grounds relating to their particular situation and free of charge. To ensure transparency, the controller should be obliged to explicitly inform the data subject on the legitimate interests pursued and on the right to object, and also be obliged to document these legitimate interests. Given that it is for the legislator to provide by law the legal basis for public authorities to process data, this legal ground should not apply for the processing by public authorities in the performance of their tasks.
Amendment 458 #
Proposal for a regulation
Recital 38
Recital 38
(38) The legitimate interests of a controller or the third party to which the data have been transferred may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding. This would need careful assessment in particular where the data subject is a child, given that children deserve specific protection. The data subject should have the right to object the processing, on grounds relating to their particular situation and free of charge. To ensure transparency, the controller should be obliged to explicitly inform the data subject on the legitimate interests pursued and on the right to object, and also be obliged to document these legitimate interests. Given that it is for the legislator to provide by law the legal basis for public authorities to process data, this legal ground should not apply for the processing by public authorities in the performance of their tasks.
Amendment 467 #
Proposal for a regulation
Recital 40
Recital 40
(40) The processing of personal data for other purposes should be only allowed where the processing is compatible with those purposes for which the data have been initially collected, in particular where the processing is necessary for historical, statistical or scientific research purposes. Where the other purpose is not compatible with the initial one for which the data are collected, the controller should obtain the consent of the data subject for this other purpose or should base the processing on another legitimate ground for lawful processing, in particular where provided by Union law or the law of the Member State to which the controller is subject. In any case, the application of the principles set out by this Regulation and in particular the information of the data subject on those other purposes should be ensured.
Amendment 470 #
Proposal for a regulation
Recital 41
Recital 41
(41) Personal data which are, by their nature, particularly sensitive and vulnerable in relation to fundamental rights or privacy, deserve specific protection. Such data should not be processed, unless the data subject gives his explicit consent. However, derogations from this prohibition should be explicitly provided for in respect of specific needs, in particular where the processing is carried out in the course of entering into or performance of a contract with the data subject or in the course of legitimate activities by certain associations or foundations the purpose of which is to permit the exercise of fundamental freedoms.
Amendment 483 #
Proposal for a regulation
Recital 51
Recital 51
(51) Any person should have the right of access to data which has been collected concerning them, and to exercise this right easily, in order to be aware and verify the lawfulness of the processing. Every data subject should therefore have the right to know and obtain communication in particular for what purposes the data are processed, for what periodthe criteria which may be used to determine for how long the data will be stored for each purpose, which recipients receive the data, what is the logic of the data that are undergoing the processing and what might be, at least when based on profiling, the consequences of such processing. This right should not adversely affect the rights and freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software. However, the result of these considerations should not be that all information is refused to the data subject.
Amendment 496 #
Proposal for a regulation
Recital 53
Recital 53
(53) Any person should have the right to have personal data concerning them rectified and a ‘the right to be forgotten’have such personal data erased where the retention of such data is not in compliance with this Regulation. In particular, data subjects should have the right that their personal data are erased and no longer processed, where the data are no longer necessary in relation to the purposes for which the data are collected or otherwise processed, where data subjects have withdrawn their consent for processing or where they object to the processing of personal data concerning them or where the processing of their personal data otherwise does not comply with this Regulation. This right is particularly relevant, when the data subject has given their consent as a child, when not being fully aware of the risks involved by the processing, and later wants to remove such personal data especially on the Internet. However, the further retention of the data should be allowed where it is necessary for historical, statistical and scientific research purposes, for rheasons of public interlth purposest in the area of public healthaccordance with Article 81, for exercising the right of freedom of expression, when required by law or where there is a reason to restrict the processing of the data instead of erasing them. Also, the right to erasure should not apply when the retention of personal data is necessary for the performance of a contract with the data subject, or when there is a regulatory requirement to retain this data, or for the prevention of financial crime.
Amendment 497 #
Proposal for a regulation
Recital 53
Recital 53
(53) Any person should have the right to have personal data concerning them rectified and a ‘the right to be forgotten’have such personal data erased where the retention of such data is not in compliance with this Regulation. In particular, data subjects should have the right that their personal data are erased and no longer processed, where the data are no longer necessary in relation to the purposes for which the data are collected or otherwise processed, where data subjects have withdrawn their consent for processing or where they object to the processing of personal data concerning them or where the processing of their personal data otherwise does not comply with this Regulation. This right is particularly relevant, when the data subject has given their consent as a child, when not being fully aware of the risks involved by the processing, and later wants to remove such personal data especially on the Internet. However, the further retention of the data should be allowed where it is necessary for historical, statistical and scientific research purposes, for rheasons of public interlth purposest in the area of public healthaccordance with Article 81, for exercising the right of freedom of expression, when required by law or where there is a reason to restrict the processing of the data instead of erasing them. Also, the right to erasure should not apply when the retention of personal data is necessary for the performance of a contract with the data subject, or when there is a regulatory requirement to retain this data, or for the prevention of financial crime.
Amendment 498 #
Proposal for a regulation
Recital 53 a (new)
Recital 53 a (new)
(53a) A data subject should always have the option to give broad consent for his or her data to be used for historical, statistical or scientific research purposes, and to withdraw consent at any time.
Amendment 513 #
Proposal for a regulation
Recital 58
Recital 58
(58) Every natural and legal person should have the right not to be subject to a measure which is based on profiling by means of automated processing. However, such measure and which produces legal effects concerning that natural or legal person or significantly affects that natural or legal person. Actual effects should be comparable in their intensity to legal effects to fall under this provision. This is not the case for measures relating to commercial communication, like for example in the field of customer relationship management or customer acquisition. However, a measure based on profiling by automated data processing and which produces legal effects concerning a natural or legal person or significantly affects a natural person should be allowed when expressly authorised by law, carried out in the course of entering or performance of a contract, or when the data subject has given his consent. In any case, such processing should be subject to suitable safeguards, including specific information of the data subject and the right to obtain human intervention and that such measure should not concern a child.
Amendment 515 #
Proposal for a regulation
Recital 58
Recital 58
(58) Every natural and legal person should have the right not to be subject to a measure which is based on profiling by means of automated processing. However, such measure and which produces legal effects concerning that natural or legal person or significantly affects that natural or legal person. Actual effects should be comparable in their intensity to legal effects to fall under this provision. This is not the case for measures relating to commercial communication, like for example in the field of customer relationship management or customer acquisition. However, a measure based on profiling by automated data processing and which produces legal effects concerning a natural or legal person or significantly affects a natural person should be allowed when expressly authorised by law, carried out in the course of entering or performance of a contract, or when the data subject has given his consent. In any case, such processing should be subject to suitable safeguards, including specific information of the data subject and the right to obtain human intervention and that such measure should not concern a child.
Amendment 524 #
Proposal for a regulation
Recital 62
Recital 62
(62) The protection of the rights and freedoms of data subjects as well as the responsibility and liability of controllers and processor, also in relation to the monitoring by and measures of supervisory authorities, requires a clear attribution of the responsibilities under this Regulation, including where a controller determines the purposes, conditions and means of the processing jointly with other controllers or where a processing operation is carried out on behalf of a controller.
Amendment 525 #
Proposal for a regulation
Recital 62 a (new)
Recital 62 a (new)
(62a) Exchanges of data between the entity responsible and a party processing data under contract do not constitute communication of data which is subject to the further preconditions for admissibility laid down in the regulation. The joint responsibility arising from a contractual agreement and the uniform level of protection created thereby guarantees careful treatment of personal data. Entities responsible and parties processing data under contract should therefore not be regarded as recipients.
Amendment 532 #
Proposal for a regulation
Recital 65
Recital 65
(65) In order to demonstrate compliance with this Regulation, the controller or processor should document each processing operation under its responsibility. Each controller and processor should be obliged to co-operate with the supervisory authority and make this documentation, on request, available to it, so that it might serve for monitoring those processing operations.
Amendment 537 #
Proposal for a regulation
Recital 67
Recital 67
(67) A personal data breach may, if not addressed in an adequate and timely manner, result in substantial economic loss and social harm, including identity fraud, to the individual concerned. Therefore, as soon as the controller becomes aware that such a breach has occurred, the controller should notify the breach to the supervisory authority without undue delay and, where feasible, within 24 hours. Where this cannot achieved within 24 hoursa reasonable time period, an explanation of the reasons for the delay should accompany the notification. The individuals whose personal data could be adversely affected by the breach should be notified without undue delay in order to allow them to take the necessary precautions. A breach should be considered as adversely affecting the personal data or privacy of a data subject where it could result in, for example, identity theft or fraud, physical harm, significant humiliation or damage to reputation. The notification should describe the nature of the personal data breach as well as recommendations as well as recommendations for the individual concerned to mitigate potential adverse effects. Notifications to data subjects should be made as soon as reasonably feasible, and in close cooperation with the supervisory authority and respecting guidance provided by it or other relevant authorities (e.g. law enforcement authorities). For example, the chance for data subjects to mitigate an immediate risk of harm would call for a prompt notification of data subjects whereas the need to implement appropriate measures against continuing or similar data breaches may justify a longer delay.
Amendment 557 #
Proposal for a regulation
Recital 74 a (new)
Recital 74 a (new)
(74a) The data protection organisation or the data protection officer monitors the processing of personal data by the controller and the processor in order to advise the controller and the processor on compliance with this Regulation; he or she thereby should assist in ensuring that the rights and freedoms of the data subjects are unlikely to be adversely affected by the processing operations.
Amendment 558 #
Proposal for a regulation
Recital 74 b (new)
Recital 74 b (new)
(74b) Data protection organisations or data protection officers act independently, which means that they do not receive instructions as regards the exercise of their function as authority assigned for data protection. The data protection organisation or the data protection officer should directly report to the management of the controller or the processor.
Amendment 572 #
Proposal for a regulation
Recital 77
Recital 77
(77) In order to enhance transparency and compliance with this Regulation, the establishment of certification mechanisms, data protection seals and marks should be encouraged, allowing data subjects to quickly assess the level of data protection of relevant products and services. After a certification procedure certified enterprises would be classified in having sufficient data protection guarantees installed for appropriate technical security and organisational measures and procedures regarding the requirements of this Regulation to ensure the protection of the right of the data subject.
Amendment 584 #
Proposal for a regulation
Recital 87
Recital 87
(87) These derogations should in particular apply to data transfers required and necessary for the protection of important grounds of public interest, for example in cwhich should include international data transfers on the baseis of international data transfers betweenagreements or arrangements to third country authorities for example such as competition authorities, tax or customs administrations, financial supervisory authorities, between services competent for social security matters, between bodies responsible for fighting fraud in sports, or to competent authorities for the prevention, investigation, detection and prosecution of criminal offences. Transferring personal data for such important grounds of public interest should only be used for occasional transfers. In each and every case, a careful assessment of all circumstances of the transfer should be to be carried out.
Amendment 610 #
Proposal for a regulation
Recital 112
Recital 112
Amendment 615 #
Proposal for a regulation
Recital 114
Recital 114
Amendment 620 #
Proposal for a regulation
Recital 118
Recital 118
(118) Any damage which a person may suffer as a result of unlawful processing should be compensated by the controller or processor, who may be exempted from liability if they prove that they are not responsible for the damage, in particular where he establishes fault on the part of the data subject or in case of force majeure.
Amendment 630 #
Proposal for a regulation
Recital 121
Recital 121
(121) The processing of personal data solely for journalistic purposes, or for the purposes of artistic or literary expression should qualify for exemption from the requirements of certain provisions of this Regulation in order to reconcile the right to the protection of personal data with the right to freedom of expression, and notably the right to receive and impart information, as guaranteed in particular by Article 11 of the Charter of Fundamental Rights of the European Union. This should apply in particular to processing of personal data in the audiovisual field and in news archives and press libraries. Therefore, Member States should adopt legislative measures, which should lay down exemptions and derogations which are necessary for the purpose of balancing these fundamental rights. Such exemptions and derogations should be adopted by the Member States on general principles, on the rights of the data subject, on controller and processor, on the transfer of data to third countries or international organisations, on the independent supervisory authorities and on co-operation and consistency. This should not, however, lead Member States to lay down exemptions from the other provisions of this Regulation. In order to take account of the importance of the right to freedom of expression in every democratic society, it is necessary to interpret notions relating to that freedom, such as journalism, broadly. Therefore, Member States should classify activities as ‘journalistic’ for the purpose of the exemptions and derogations to be laid down under this Regulation if the object of these activities is the disclosure to the public of information, opinions or ideas, irrespective of the medium which is used to transmit them. They should not be limited to media undertakings and may be undertaken for profit-making or for non- profit making purposes.
Amendment 632 #
Proposal for a regulation
Recital 123 a (new)
Recital 123 a (new)
(123a) The processing of personal data concerning health, as a special category of data, may be necessary for reasons of historical, statistical or scientific research. Therefore this Regulation should ensure that the harmonisation of conditions provided for the processing of personal data concerning health, subject to specific and suitable safeguards so as to protect the fundamental rights and the personal data of individuals, do not act as a barrier to translational, clinical and public health research.
Amendment 633 #
Proposal for a regulation
Recital 124
Recital 124
(124) The general principles on the protection of individuals with regard to the processing of personal data should also be applicable to the employment context. Therefore, in order to regulate the processing of employees’' personal data in the employment context, Member States should be able, within the limits of this Regulation, to adopt by law specific rules for the processing of personal data in the employment sector. By virtue of collective agreements (wage agreements, company agreements and agreements with committees of senior staff), the provisions of the regulation may be disregarded.
Amendment 656 #
Proposal for a regulation
Recital 134
Recital 134
(134) Directive 95/46/EC should be repealed by this Regulation. However, Commission decisions adopted and authorisations by supervisory authorities based on Directive 95/46/EC should remain in force. This should be also valid for international agreements or arrangements between the EU or a Member state with a third country especially when Directive 95/46/EC was already in force.
Amendment 668 #
Proposal for a regulation
Article 2 – paragraph 2 – point b
Article 2 – paragraph 2 – point b
Amendment 674 #
Proposal for a regulation
Article 2 – paragraph 2 – point d
Article 2 – paragraph 2 – point d
(d) by a natural person without any gainful interest in the course of its own exclusively personal or householdfor a purpose which cannot be attributed either to his trade or to his self-employed professional activity;
Amendment 678 #
Proposal for a regulation
Article 2 – paragraph 2 – point d a (new)
Article 2 – paragraph 2 – point d a (new)
(da) by small enterprises in the course of its own exclusively activity and strict and exclusively internal use.
Amendment 684 #
Proposal for a regulation
Article 2 – paragraph 2 – point e a (new)
Article 2 – paragraph 2 – point e a (new)
(ea) for historical, statistical and scientific research purposes;
Amendment 690 #
Proposal for a regulation
Article 2 – paragraph 2 – point e a (new)
Article 2 – paragraph 2 – point e a (new)
(ea) by churches and religious associations or communities;
Amendment 694 #
Proposal for a regulation
Article 2 – paragraph 2 – point e b (new)
Article 2 – paragraph 2 – point e b (new)
(eb) made by the employer as part of the treatment of employee personal data in the employment context;
Amendment 696 #
Proposal for a regulation
Article 2 – paragraph 2 – point e c (new)
Article 2 – paragraph 2 – point e c (new)
(ec) which have been rendered anonymous;
Amendment 701 #
Proposal for a regulation
Article 3 – paragraph 1
Article 3 – paragraph 1
1. This Regulation applies to the processing of personal data of data subjects residing in the Union in the context of the activities of an establishment of a controller or a processor in the Union.
Amendment 707 #
Proposal for a regulation
Article 3 – paragraph 2 – point a
Article 3 – paragraph 2 – point a
(a) the offering of goods orand services in the Union to such data subjects, in the Unioncluding services provided without financial costs to the individual; or
Amendment 710 #
Proposal for a regulation
Article 3 – paragraph 3
Article 3 – paragraph 3
3. This Regulation applies to the processing of personal data by a controller which is not established in the Union, but in a place where the national law of a Member State applies by virtue of public international law.
Amendment 717 #
Proposal for a regulation
Article 4 – paragraph 1 – point 1
Article 4 – paragraph 1 – point 1
(1) ‘data subject’ means an identified natural person or a natural person who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person working together with the controller, in particular by reference to an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person; and who is not acting in his/her professional capacity;
Amendment 730 #
Proposal for a regulation
Article 4 – paragraph 1 – point 2 a (new)
Article 4 – paragraph 1 – point 2 a (new)
(2a) ‘pseudonymous data’ means any personal data that has been collected, altered or otherwise processed so that it of itself cannot be attributed to a data subject without the use of additional data which is subject to separate and distinct technical and organisational controls to ensure such non attribution, or that such attribution would require a disproportionate amount of time, expense and effort;
Amendment 734 #
Proposal for a regulation
Article 4 – paragraph 1 – point 2 b (new)
Article 4 – paragraph 1 – point 2 b (new)
(2b) ‘anonymous data’ means any personal data that has been collected, altered or otherwise processed in such a way that it can no longer be attributed to a data subject; anonymous data shall not be considered personal data;
Amendment 736 #
Proposal for a regulation
Article 4 – paragraph 1 – point 2 c (new)
Article 4 – paragraph 1 – point 2 c (new)
(2c) ‘identification number’ means any numeric, alphanumeric or similar code typically used in the online space, excluding codes assigned by a public or state controlled authority to identify a natural person as an individual;
Amendment 748 #
Proposal for a regulation
Article 4 – paragraph 1 – point 5
Article 4 – paragraph 1 – point 5
(5) ‘controller’ means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes, conditions and means of the processing of personal data; where the purposes, conditions and means of processing are determined by Union law or Member State law, the controller or the specific criteria for his nomination may be designated by Union law or by Member State law;
Amendment 765 #
Proposal for a regulation
Article 4 – paragraph 1 – point 8
Article 4 – paragraph 1 – point 8
(8) ‘the data subject’s consent’ means any freely given specific, informed and explicitunambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed; Silence or inactivity does not in itself indicate acceptance;
Amendment 774 #
Proposal for a regulation
Article 4 – paragraph 1 – point 10
Article 4 – paragraph 1 – point 10
(10) ‘genetic data’ means all data, of whatever type, concerning the characteristics of an individual which are inherited or acquired during early prenatal developmentinformation on the hereditary characteristics, or alteration thereof, of an identified or identifiable person, obtained through nucleic acid analysis;
Amendment 786 #
Proposal for a regulation
Article 4 – paragraph 1 – point 13
Article 4 – paragraph 1 – point 13
(13) ‘main establishment’ means as regards the controller, the place of its establishment in the Union where the main decisions as to the purposes, conditions and meansthe location as determined by the data controller or data processor on the basis of the following transparent and objective criteria: the location of the pgrocessing of personal data are taken; if no decisions as to the purposes, conditions and means of the processing of personal data are taken in the Union, the main establishment is the place where the main processing activities in the context of the activities ofup’s European headquarters, or, the location of the company within the group with delegated data protection responsibilities, or, the location of the company which is best placed (in terms of management function, administrative capability etc) to address and establishment of a controller in the Union take place. As regards the processor, ‘main establishment’ means the place of its central administration in the Unionnforce the rules as set out in this Regulation, or, the place where the main decisions as to the purposes of processing are taken for the regional group;
Amendment 790 #
Proposal for a regulation
Article 4 – paragraph 1 – point 13 a (new)
Article 4 – paragraph 1 – point 13 a (new)
(13a) ‘competent supervisory authority’ means the supervisory authority which shall be solely competent for the supervision of a controller in accordance with Article 51(2), (3) and (4);
Amendment 793 #
Proposal for a regulation
Article 4 – paragraph 1 – point 14
Article 4 – paragraph 1 – point 14
(14) ‘representative’ means any natural or legal person established in the Union who, explicitly designated by the controller, acts and mayshall be addressed by anythe competent supervisory authority and other bodies in the Union instead of the controller, with regard to the obligations of the controller under this Regulation;
Amendment 795 #
Proposal for a regulation
Article 4 – paragraph 1 – point 17
Article 4 – paragraph 1 – point 17
(17) ‘binding corporate rules’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State of the Union for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings in or outside the Union;
Amendment 797 #
Proposal for a regulation
Article 4 – paragraph 1 – point 18
Article 4 – paragraph 1 – point 18
(18) ‘child’ means any person below the age of 183 years;
Amendment 802 #
Proposal for a regulation
Article 4 – paragraph 1 – point 19
Article 4 – paragraph 1 – point 19
(19) ‘supervisory authority’ means a public authority which is established by a Member State in accordance with Article 46Does not affect the English version.
Amendment 803 #
Proposal for a regulation
Article 4 – paragraph 1 – point 19 a (new)
Article 4 – paragraph 1 – point 19 a (new)
(19a) ‘financial crime’ means criminal offences in connection with organised crime, racketeering, terrorism, terrorist financing, trafficking in human beings, migrant smuggling, sexual exploitation, trafficking in narcotic drugs and psychotropic substances, illegal arms trafficking, trafficking in stolen goods, corruption, bribery, fraud, counterfeiting currency, counterfeiting and piracy of products, environmental offences, kidnapping, illegal restraint and hostage- taking, robbery, theft, smuggling, offences related to taxation, extortion, forgery, piracy, insider trading and market manipulation.
Amendment 807 #
Proposal for a regulation
Article 4 – paragraph 1 – point 19 a (new)
Article 4 – paragraph 1 – point 19 a (new)
(19a) ‘blocking’ means marking stored personal data in order to restrict their further processing;
Amendment 828 #
Proposal for a regulation
Article 5 – paragraph 1 – point d
Article 5 – paragraph 1 – point d
(d) accurate and where necessary kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without undue delay;
Amendment 832 #
Proposal for a regulation
Article 5 – paragraph 1 – point e
Article 5 – paragraph 1 – point e
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the data will be processed solely for historical, statistical or scientific research purposes in accordance with the rules and conditions of Articles 81 and 83 and if a periodic review is carried out to assess the necessity to continue the storage;
Amendment 845 #
Proposal for a regulation
Article 5 – paragraph 1 – point f
Article 5 – paragraph 1 – point f
(f) processed under the responsibility and liability of the controller, who shall ensure and demonstrate for each processing operation the compliance with the provisions of this Regulation. , if required to do so, demonstrate compliance of the controller’s processing with the provisions of this Regulation to the supervisory authority having competence under Article 51(2).
Amendment 856 #
Proposal for a regulation
Article 6 – paragraph 1 – point b
Article 6 – paragraph 1 – point b
(b) processing is necessary for the performance of a contractr execution of a contract or of collective agreements and company- level agreements, to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
Amendment 857 #
Proposal for a regulation
Article 6 – paragraph 1 – point c
Article 6 – paragraph 1 – point c
(c) processing is necessary for compliance with a legal obligation to which the controller is subjectr contractual obligation based in Union or national law of a Member State, regulatory rule, guidance, industry code of practice, either domestically or internationally or for a permission of supervisory requirement or a different legal rule to which the controller is subject including the requirements of supervisory authorities;
Amendment 864 #
Proposal for a regulation
Article 6 – paragraph 1 – point c
Article 6 – paragraph 1 – point c
(c) processing is necessary for compliance with a legal obligation to which the controller, the group of companies of which the controller is a member or any other member of that group of companies is subject;
Amendment 867 #
Proposal for a regulation
Article 6 – paragraph 1 – point d a (new)
Article 6 – paragraph 1 – point d a (new)
(da) processing of data necessary to ensure network and information security;
Amendment 869 #
Proposal for a regulation
Article 6 – paragraph 1 – point e
Article 6 – paragraph 1 – point e
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or the third party to whom the data is transferred;
Amendment 878 #
Proposal for a regulation
Article 6 – paragraph 1 – point f
Article 6 – paragraph 1 – point f
(f) processing is necessary for the purposes of the legitimate interests pursued by a controller, or on behalf of a controller or a processor, or by a third party or parties in whose interest the data is processed, including for the security of processing, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply tosuch as in the case of processing data pertaining to a child. The interest or fundamental rights and freedoms of the data subject shall not override processing carried out by public authorities in the performance of their tasks.
Amendment 890 #
Proposal for a regulation
Article 6 – paragraph 1 – point f a (new)
Article 6 – paragraph 1 – point f a (new)
(fa) the data are collected from public registers lists or documents accessible by everyone;
Amendment 894 #
Proposal for a regulation
Article 6 – paragraph 1 – point f b (new)
Article 6 – paragraph 1 – point f b (new)
(fb) processing is necessary for fraud detection and prevention purposes according to applicable financial regulation or established industry, or professional body, codes of practice;
Amendment 898 #
Proposal for a regulation
Article 6 – paragraph 1 – point f c (new)
Article 6 – paragraph 1 – point f c (new)
(fc) processing is limited to pseudonymised data, where the data subject is adequately protected and the recipient of the service is given a right to object pursuant to Article 19(3);
Amendment 900 #
Proposal for a regulation
Article 6 – paragraph 1 – point f d (new)
Article 6 – paragraph 1 – point f d (new)
(fd) processing is necessary for the purpose of anonymisation or pseudonymisation of personal data;
Amendment 901 #
Proposal for a regulation
Article 6 – paragraph 1 – point f e (new)
Article 6 – paragraph 1 – point f e (new)
(fe) processing is necessary for legitimate internal purposes of groups of undertakings and where the interests of the data subjects concern are sufficiently addressed by internal data protection provisions or equivalent code of conducts as referred to Article 38c;
Amendment 921 #
Proposal for a regulation
Article 6 – paragraph 2 a (new)
Article 6 – paragraph 2 a (new)
2a. Processing of pseudonymised data to safeguard the legitimate interests pursued by a controller shall be lawful, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks.
Amendment 922 #
Proposal for a regulation
Article 6 – paragraph 2 a (new)
Article 6 – paragraph 2 a (new)
2a. Processing of pseudonymised data to safeguard the legitimate interests pursued by a controller shall be lawful, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks.
Amendment 927 #
Proposal for a regulation
Article 6 – paragraph 3 – subparagraph 1 – point b a (new)
Article 6 – paragraph 3 – subparagraph 1 – point b a (new)
(ba) international conventions to which the Union or a Member State is a party.
Amendment 931 #
Proposal for a regulation
Article 6 – paragraph 3 – subparagraph 1 a (new)
Article 6 – paragraph 3 – subparagraph 1 a (new)
These provisions may regulate details of the lawfulness of processing, particularly as regards data controllers, the purpose of processing and purpose limitation, the nature of the data and the data subjects, processing measures and procedures, recipients, and the duration of storage.
Amendment 945 #
Proposal for a regulation
Article 6 – paragraph 4
Article 6 – paragraph 4
4. Where the purpose of further processing is not compatible with the one for which the personal data have been collected, the processing must have a legal basis at least in one of the grounds referred to in points (a) to (e) of paragraph 1. This shall in particular apply to any change of terms and general conditions of a contract.
Amendment 964 #
Proposal for a regulation
Article 6 – paragraph 5
Article 6 – paragraph 5
Amendment 966 #
Proposal for a regulation
Article 6 – paragraph 5
Article 6 – paragraph 5
Amendment 970 #
Proposal for a regulation
Article 7 – paragraph 2
Article 7 – paragraph 2
2. If the data subject's consent is to be given in the context of a written or an electronic declaration which also concerns another matter, the requirement to give consent must be presented distinguishable in its appearance from this other matter.
Amendment 988 #
Proposal for a regulation
Article 7 – paragraph 4
Article 7 – paragraph 4
Amendment 1013 #
Proposal for a regulation
Article 8 – paragraph 1
Article 8 – paragraph 1
1. For the purposes of this Regulation, in relation to the offering of information society services directly to a child, the processing of personal data of a child below the age of 13 years shall only be lawful if and to the extent that consent is given or authorised by the child's parent or custodian, without prejudice of Article 6(1). The controller shall make reasonable efforts to obtain verifiable consentprovide notice and obtain meaningful, verifiable consent (e.g. by obtaining the consent from the email address of the parent or the custodian), taking into consideration available technology.
Amendment 1014 #
Proposal for a regulation
Article 8 – paragraph 1 a (new)
Article 8 – paragraph 1 a (new)
1a. For the purposes of this Regulation, in relation to the offering of information society services directly to a child, the processing of personal data of a child below the age of 18 years shall only be lawful if and to the extent that consent is given or authorised by the child's parent or custodian, using the parent or custodian's email address. The controller shall make reasonable efforts to obtain verifiable consent, taking into consideration available technology.
Amendment 1015 #
Proposal for a regulation
Article 8 – paragraph 1 a (new)
Article 8 – paragraph 1 a (new)
1a. The information provided in order to express the consent should be given in a clear and age-appropriate language, in a way that would be easy to understand for the child above the age of 13 years.
Amendment 1017 #
Proposal for a regulation
Article 8 – paragraph 1 b (new)
Article 8 – paragraph 1 b (new)
1b. The methods to obtain meaningful consent shall not lead to additional processing of personal data of the child concerned.
Amendment 1018 #
Proposal for a regulation
Article 8 – paragraph 1 b (new)
Article 8 – paragraph 1 b (new)
1b. The methods to obtain meaningful consent shall not lead to additional processing of personal data of the child concerned.
Amendment 1019 #
Proposal for a regulation
Article 8 – paragraph 1 c (new)
Article 8 – paragraph 1 c (new)
1c. Where services referred to in paragraph 1 are particularly appropriate and suitable for a child and have been notified and are controlled by the relevant national authorities, the requirements referred to in paragraph 1 do not apply.
Amendment 1022 #
Proposal for a regulation
Article 8 – paragraph 3
Article 8 – paragraph 3
Amendment 1026 #
Proposal for a regulation
Article 8 – paragraph 3
Article 8 – paragraph 3
Amendment 1039 #
Proposal for a regulation
Article 9 – paragraph 1
Article 9 – paragraph 1
1. The processing of personal data, revealing race or ethnic origin, political opinions, religion or beliefs, trade-union membership, and the processing of genetic data or data concerning health or sex life or criminal convictions, criminal offences, including offences and matters which have not lead to conviction, significant social problems, or related security measures shall be prohibited.
Amendment 1048 #
Proposal for a regulation
Article 9 – paragraph 2 – point a a (new)
Article 9 – paragraph 2 – point a a (new)
(aa) processing is necessary for the performance or execution of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
Amendment 1049 #
Proposal for a regulation
Article 9 – paragraph 2 – point b
Article 9 – paragraph 2 – point b
(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller in the field of employment law or collective agreements on the labour market in so far as it is authorised by Union law or Member State law providing for adequate safeguards; or
Amendment 1062 #
Proposal for a regulation
Article 9 – paragraph 2 – point f
Article 9 – paragraph 2 – point f
(f) processing is necessary for the establishment, exercise or defence of legal claims or the legally justified fulfilment of claims of third parties affected; or
Amendment 1069 #
Proposal for a regulation
Article 9 – paragraph 2 – point h
Article 9 – paragraph 2 – point h
(h) processing of data concerning health is necessary for health purposes, including for historical, statistical or scientific research and subject to the conditions and safeguards referred to in Article 81; or
Amendment 1073 #
Proposal for a regulation
Article 9 – paragraph 2 – point h a (new)
Article 9 – paragraph 2 – point h a (new)
(ha) processing is limited to pseudonymised data, where the data subject is adequately protected and the recipient of the service is given a right to object pursuant to Article 19(3) and the processing is necessary for the purpose of the legitimate interest pursued by the controller or a third party.
Amendment 1084 #
Proposal for a regulation
Article 9 – paragraph 2 – point j a (new)
Article 9 – paragraph 2 – point j a (new)
(ja) processing of data concerning health is necessary for private social protection, especially by providing income security or tools to manage risks that are in the interests of the data subject and his or her dependants and assets, or by enhancing inter-generational equity by means of distribution.
Amendment 1086 #
Proposal for a regulation
Article 9 – paragraph 2 – point j b (new)
Article 9 – paragraph 2 – point j b (new)
(jb) processing is necessary for legitimate internal purposes of groups of undertakings and where the interests of the data subjects concern are sufficiently addressed by internal data protection provisions or equivalent code of conducts as referred to in Article 38c.
Amendment 1088 #
Proposal for a regulation
Article 9 – paragraph 3
Article 9 – paragraph 3
Amendment 1103 #
Proposal for a regulation
Article 10 – paragraph 1
Article 10 – paragraph 1
If the data processed by a controller do not permit the controller or a processor to identify a natural person, in particular when rendered anonymous or pseudononymous the controller shall not be obliged to process or acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation.
Amendment 1127 #
Proposal for a regulation
Article 12 – paragraph 2
Article 12 – paragraph 2
2. The controller shall inform the data subject without delay and, at the latest within one month of receipt of the request, whether or not any action has been taken pursuant to Article 13 and Articles 15 to 19 and shall provide the requested information. This period may be prolonged for a further month, if several data subjects exercise their rights and their cooperation is necessary to a reasonable extent to prevent an unnecessary and disproportionate effort on the part of the controller. The information shall be given in writing. Where the data subject makes the request in electronic form, the information shall be provided in electronic form, unless otherwise requested by the data subject.
Amendment 1148 #
Proposal for a regulation
Article 12 – paragraph 5
Article 12 – paragraph 5
Amendment 1156 #
Proposal for a regulation
Article 12 – paragraph 6
Article 12 – paragraph 6
Amendment 1164 #
Proposal for a regulation
Article 13 – title
Article 13 – title
Amendment 1176 #
Proposal for a regulation
Article 14 – paragraph 1 – introductory part
Article 14 – paragraph 1 – introductory part
1. Where personal data relating to a data subject are collected, the controller shall provide the data subject with at least the following information:. The following paragraphs do not apply to small enterprises in the course of their own activity and for data which is strictly and exclusively for their internal use.
Amendment 1180 #
Proposal for a regulation
Article 14 – paragraph 1 – point a
Article 14 – paragraph 1 – point a
(a) the identity and the contact details of the controller and, if any, of the controller's representative and of the data protection officer;
Amendment 1189 #
Proposal for a regulation
Article 14 – paragraph 1 – point b
Article 14 – paragraph 1 – point b
(b) the purposes of the processing for which the personal data are intended, including the contract terms and general conditions where the processing is based on point (b) of Article 6(1) and the legitimate interests pursued by the controller where the processing is based on point (f) of Article 6(1);
Amendment 1193 #
Proposal for a regulation
Article 14 – paragraph 1 – point c
Article 14 – paragraph 1 – point c
Amendment 1201 #
Proposal for a regulation
Article 14 – paragraph 1 – point d
Article 14 – paragraph 1 – point d
(d) the existence of the right to request from the controller access to and rectification or erasure of the personal data concerning the data subject orand to object to the processing of such personal data;
Amendment 1203 #
Proposal for a regulation
Article 14 – paragraph 1 – point e
Article 14 – paragraph 1 – point e
Amendment 1215 #
Proposal for a regulation
Article 14 – paragraph 1 – point h
Article 14 – paragraph 1 – point h
Amendment 1222 #
Proposal for a regulation
Article 14 – paragraph 2
Article 14 – paragraph 2
2. Where the personal data are collected from the data subject, the controller shall inform the data subject, in addition to the information referred to in paragraph 1, whether the provision of personal data is obligatory or voluntary, as well as the possible consequences of failure to provide such data.
Amendment 1226 #
Proposal for a regulation
Article 14 – paragraph 3
Article 14 – paragraph 3
3. Where the personal data are not collected from the data subject, the controller shall inform the data subject, in addition to the information referred to in paragraph 1, from which source the personal data originate except where the data originate from a publicly available source or where the transfer is provided by law or the processing is used for purposes relating to the professional activities of the person concerned.
Amendment 1238 #
Proposal for a regulation
Article 14 – paragraph 4 – point b
Article 14 – paragraph 4 – point b
(b) where the personal data are not collected from the data subject, at the time of the recording or within a reasonable period after the collection, having regard to the specific circumstances in which the data are collected or otherwise processed, or, if a disclosure to another recipient is envisaged, and at the latest when the data are first disclosed; or, if the data shall be used for communication with the person concerned, at the latest at the time of the first communication to that person.
Amendment 1248 #
Proposal for a regulation
Article 14 – paragraph 5 – point b
Article 14 – paragraph 5 – point b
(b) the data are not collected from the data subject or the data processes do not allow the verification of identity and the provision of such information proves impossible or would involve a disproportionate effort such as by generating excessive administrative burden, especially when the processing is carried out by a SME; or
Amendment 1250 #
Proposal for a regulation
Article 14 – paragraph 5 – point c
Article 14 – paragraph 5 – point c
(c) the data are not collected from the data subject and recording or disclosure is expressly laid down by law; or
Amendment 1253 #
Proposal for a regulation
Article 14 – paragraph 5 – point d
Article 14 – paragraph 5 – point d
(d) the data are not collected from the data subject and the provision of such information will impair the rights and freedoms of others, as defined in Union law or Member State law in accordance with Article 21.; or
Amendment 1262 #
Proposal for a regulation
Article 14 – paragraph 5 – point d a (new)
Article 14 – paragraph 5 – point d a (new)
(da) the data originates from publicly available sources; or
Amendment 1266 #
Proposal for a regulation
Article 14 – paragraph 5 – point d b (new)
Article 14 – paragraph 5 – point d b (new)
(db) the data must be kept secret in accordance with legislation or by virtue of their nature, particularly because of a legitimate overriding interest of a third party.
Amendment 1268 #
Proposal for a regulation
Article 14 – paragraph 5 – point d c (new)
Article 14 – paragraph 5 – point d c (new)
(dc) the data are processed in the exercise of his profession by, or are entrusted or become known to, a person who is subject to an obligation of professional secrecy regulated by the State or to a statutory obligation of secrecy.
Amendment 1279 #
Proposal for a regulation
Article 14 – paragraph 7
Article 14 – paragraph 7
Amendment 1296 #
Proposal for a regulation
Article 15 – paragraph 1 – introductory part
Article 15 – paragraph 1 – introductory part
1. TOnly the data subject shall have the right to obtain from the controller at any time, on request, confirmation as to whether or not personal data relating to the data subject are being processed unless this request is manifestly excessive according to 12 (4). Where such personal data are being processed, the controller shall - so far as the data subject has not received - provide the following information:
Amendment 1311 #
Proposal for a regulation
Article 15 – paragraph 1 – point d
Article 15 – paragraph 1 – point d
(d) if known the period for which the personal data will be stored;
Amendment 1324 #
Proposal for a regulation
Article 15 – paragraph 2
Article 15 – paragraph 2
Amendment 1345 #
Proposal for a regulation
Article 15 – paragraph 2 a (new)
Article 15 – paragraph 2 a (new)
2a. Successors in right and title must be able to exercise the right of access to data in the event of the death of the data subject.
Amendment 1357 #
Proposal for a regulation
Article 15 – paragraph 3
Article 15 – paragraph 3
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the communication to the data subject of the contentdata subject shall have the right, where personal data are processed by electronic means and in a structured and commonly used format, to obtain from the controller a copy of data which were provided by the data subject itself and that undergoing processing in an electronic and structured format which is commonly used and allows for further use by the data subject. This right shall not restrict rights of others as trade secrets or intellectual property rights. This does not apply on the processing of anonymised and pseudonymised data, insofar as the data subject is not sufficiently identifiable ofn the personal data referbasis of such data or identification would required to in point (g) of paragraph 1he controller to undo the process of pseudonymisation.
Amendment 1358 #
Proposal for a regulation
Article 15 – paragraph 3 a (new)
Article 15 – paragraph 3 a (new)
3a. There shall be no right to information where: (a) data are involved which a person bound by professional secrecy is required to protect; (b) data must be kept secret in accordance with legislation or by virtue of their nature, particularly because of the overriding interest of a third party; (c) the public entity responsible has ascertained in relation to the entity responsible that disclosure of the data would endanger public safety or order; (d) data comprise trade secrets.
Amendment 1376 #
Proposal for a regulation
Article 16 – paragraph 1 a (new)
Article 16 – paragraph 1 a (new)
Paragraph 1 shall not apply to pseudonymous data.
Amendment 1377 #
Proposal for a regulation
Article 16 – paragraph 1 a (new)
Article 16 – paragraph 1 a (new)
Successors in right and title must be able to exercise the right of rectification in the event of the death of the data subject.
Amendment 1381 #
Proposal for a regulation
Article 17 – title
Article 17 – title
Right to be forgotten and to erasure
Amendment 1385 #
Proposal for a regulation
Article 17 – paragraph 1 – introductory part
Article 17 – paragraph 1 – introductory part
1. The data subject shall have the right to obtain from the controller the erasure of personal data relating to them and the abstention from further dissemination of such data, especially in relation to personal data which are made available by the data subject while he or she was a childitself, where one of the following grounds applies:
Amendment 1392 #
Proposal for a regulation
Article 17 – paragraph 1 – point a
Article 17 – paragraph 1 – point a
(a) the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed and the legally mandatory minimum retention period has expired;
Amendment 1407 #
Proposal for a regulation
Article 17 – paragraph 1 a (new)
Article 17 – paragraph 1 a (new)
1a. Successors in right and title must be able to exercise the right of erasure in the event of the death of the data subject.
Amendment 1420 #
Proposal for a regulation
Article 17 – paragraph 2
Article 17 – paragraph 2
2. Where the controller referred to in paragraph 1 has made the personal data public, it shall take all reasonable steps, including technical measures, in relation to data for the publication of which the controller is responsible, to inform third parties which are processing such data, that a data subject requests them to erase any links to, or copy or replication of that personal data. Where the controller has authorised a third party publication of personal data, the controller shall be considered responsible for that publication. Anonymised data, pseudonymised data and encrypted data are exempted, where compliance with this provision would require the controller to undo the process of anonymisation, pseudonymisation or encryption.
Amendment 1430 #
Proposal for a regulation
Article 17 – paragraph 3 – point b
Article 17 – paragraph 3 – point b
(b) for rheasons of public interest in the area of public health in accordance with Article 81lth proposes in accordance with Article 81 and for maintaining medical records and other health research purposes;
Amendment 1440 #
Proposal for a regulation
Article 17 – paragraph 3 – point d
Article 17 – paragraph 3 – point d
(d) for compliance with a legal obligation to retain the personal data by Union or Member State law to which the controller is subject; Member State laws shall meet an objective of public interest, respect the essence of the right to the protection of personal data and be proportionate to the legitimate aim pursuedcontract to which the data subject is party or for compliance with a legal obligation or other requirements of a supervisory body or other legal requirements to retain the personal data by Union or Member State law to which the controller is subject;
Amendment 1446 #
Proposal for a regulation
Article 17 – paragraph 3 – point e a (new)
Article 17 – paragraph 3 – point e a (new)
(ea) for prevention or detection of fraud or other financial crime, confirming identity or determining creditworthiness.
Amendment 1454 #
Proposal for a regulation
Article 17 – paragraph 4 – introductory part
Article 17 – paragraph 4 – introductory part
4. Instead of erasure, the controller shall restrict processing of personal datadata shall be blocked where:
Amendment 1458 #
Proposal for a regulation
Article 17 – paragraph 4 – point b
Article 17 – paragraph 4 – point b
(b) the controller no longer needs the personal data for the accomplishment of its task but they have to be maintained for purposes of proof or for compliance with legal record obligations;
Amendment 1465 #
Proposal for a regulation
Article 17 – paragraph 4 – point d a (new)
Article 17 – paragraph 4 – point d a (new)
(da) or, on account of the particular type of storage, erasure would be impossible or would involve disproportionate efforts.
Amendment 1468 #
Proposal for a regulation
Article 17 – paragraph 5
Article 17 – paragraph 5
5. Personal data referred to in paragraph 4 may, with the exception of storage, only be processed for purposes of proof or for compliance with legal record obligations, or with the data subject's consent, or for the protection of the rights of another natural or legal person or for an objective of public interest.
Amendment 1492 #
Proposal for a regulation
Article 18
Article 18
Amendment 1537 #
Proposal for a regulation
Article 19 – paragraph 2
Article 19 – paragraph 2
2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object free of charge to the processing of their personal data for such marketing. This right shall be explicitly offered to the data subject in an intelligible manner and shall be clearly distinguishable from other information. This right shall include a right to object to the collection and use of personal data obtained through online tracking of the data subject's preferences and behaviour across websites. Where a data subject expresses this right to object through technical means, such as a browser setting, controllers and processors shall respect such objection, consistent with technical industry standards, and must obtain the consent of the data subject to process personal data derived from online tracking for marketing purposes. Consent to online tracking shall enable persistent online tracking across all websites unless such consent is subsequently revoked by the data subject.
Amendment 1540 #
Proposal for a regulation
Article 19 – paragraph 3
Article 19 – paragraph 3
3. Where an objection is upheld pursuant to paragraphs 1, 2 and 2,3a the controller shall no longer use or otherwise process the personal data concerned.
Amendment 1543 #
Proposal for a regulation
Article 19 – paragraph 3 a (new)
Article 19 – paragraph 3 a (new)
3a. Where pseudonymised data is processed pursuant to Article 6(1) the data subject shall have the right to object free of charge. This right shall be offered to the data subject in an intelligible manner and shall be clearly distinguishable from other information.
Amendment 1549 #
Proposal for a regulation
Article 20 – paragraph 1
Article 20 – paragraph 1
1. Every ndatural persona subject shall have the right not to be subject to a measureprocessing of personal data which produces adverse legal effects concerning this ndatural person or significanta subject or comparably affects this natural person, and which is based solely on automated processing intended to evaluate certain personal aspects relating to this ndatural persona subject or to analyse or predict in particular the ndatural persona subject's performance at work, economic situation, location, health, personal preferences, reliability or behaviour.
Amendment 1572 #
Proposal for a regulation
Article 20 – paragraph 2 – point b
Article 20 – paragraph 2 – point b
(b) is expressly authorized by a Union or Member State lawlegal basis which also lays down suitable measures to safeguard the data subject's legitimate interests; or
Amendment 1585 #
Proposal for a regulation
Article 20 – paragraph 2 – point c a (new)
Article 20 – paragraph 2 – point c a (new)
(ca) is limited to pseudonymised data. Such pseudonymised data must not be collated with data on the bearer of the pseudonym. Article19(3a) shall apply correspondingly.
Amendment 1598 #
Proposal for a regulation
Article 20 – paragraph 3
Article 20 – paragraph 3
3. Automated processing of personal data intended to evaluate certain personal aspects relating to a natural person shall not be based solely on the special categories of personal data referred to in Article 9. unless the data subject has given consent.
Amendment 1603 #
Proposal for a regulation
Article 20 – paragraph 3 a (new)
Article 20 – paragraph 3 a (new)
3a. In any case, children should not be subject to measures of profiling, as referred to in paragraph 1.
Amendment 1616 #
Proposal for a regulation
Article 20 – paragraph 5
Article 20 – paragraph 5
Amendment 1619 #
Proposal for a regulation
Article 21 – title
Article 21 – title
Amendment 1624 #
Proposal for a regulation
Article 21 – paragraph 1 – introductory part
Article 21 – paragraph 1 – introductory part
1. Union or Member State law may extend or restrict by way of a legislative measure the scope of the obligations and rights provided for in points (a) to (e) of Article 5 and Articles 11 to 20 and Article 32, when such an extension or restriction constitutes a necessary and proportionate measure in a democratic society to safeguard:
Amendment 1626 #
Proposal for a regulation
Article 21 – paragraph 1 – point a a(new)
Article 21 – paragraph 1 – point a a(new)
(aa) national security;
Amendment 1627 #
Proposal for a regulation
Article 21 – paragraph 1 – point a b (new)
Article 21 – paragraph 1 – point a b (new)
(ab) defence;
Amendment 1630 #
Proposal for a regulation
Article 21 – paragraph 1 – point b a (new)
Article 21 – paragraph 1 – point b a (new)
(ba) in cases where pseudonymised data is used;
Amendment 1687 #
Proposal for a regulation
Article 22 – paragraph 3
Article 22 – paragraph 3
Amendment 1701 #
Proposal for a regulation
Article 22 – paragraph 4
Article 22 – paragraph 4
Amendment 1711 #
Proposal for a regulation
Article 23 – paragraph 1
Article 23 – paragraph 1
1. Having regard to the state of the art and, the cost of implementation and international best practices, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject. Notwithstanding, the controller should only be burdened with measures that are proportionate to the risk of data processing reflected by the nature of the personal data to be processed.
Amendment 1723 #
Proposal for a regulation
Article 23 – paragraph 2
Article 23 – paragraph 2
2. The controller shall implement mechanisms for ensuring that, by default, only those personal data are processed which are necessary for each specific purpose of the processing and are especially not collected or retained beyond the minimum necessary for those purposes, both in terms of the amount of the data and the time of their storage. In particular, those mechanisms shall ensure that by default personal data are not made accessible to an indefSuch measures and procedures shall: (a) take due account of existing technical standards and regulations in the area of public safety and security (b) follow the principle of technology, service and business model neutrality (c) be based on global industry-led efforts and standards (d) take due account of inite number of individualrnational developments.
Amendment 1734 #
Proposal for a regulation
Article 23 – paragraph 3
Article 23 – paragraph 3
Amendment 1750 #
Proposal for a regulation
Article 24 – paragraph 1
Article 24 – paragraph 1
Where a controller determines the purposes, conditions and means of the processing of personal data jointly with others, the joint controllers shall determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the procedures and mechanisms for exercising the rights of the data subject, by means of an arrangement between them.
Amendment 1778 #
Proposal for a regulation
Article 26 – paragraph 2 – introductory part
Article 26 – paragraph 2 – introductory part
2. The carrying out of processing by a processor shall be governed by a contract or other legal act binding the processor to the controller and stipulating in particular that the processor shall. The controller and the processor shall be free to determine respective roles and responsibilities with respect to the requirements of this Regulation and shall provide for the following:
Amendment 1784 #
Proposal for a regulation
Article 26 – paragraph 2 – point d
Article 26 – paragraph 2 – point d
Amendment 1788 #
Proposal for a regulation
Article 26 – paragraph 2 – point e
Article 26 – paragraph 2 – point e
Amendment 1792 #
Proposal for a regulation
Article 26 – paragraph 2 – point f
Article 26 – paragraph 2 – point f
Amendment 1796 #
Proposal for a regulation
Article 26 – paragraph 2 – point g
Article 26 – paragraph 2 – point g
Amendment 1804 #
Proposal for a regulation
Article 26 – paragraph 2 – point h
Article 26 – paragraph 2 – point h
(h) make available to the controller and the supervisory authority on request all information necessary to control compliance with the obligations laid down in this Article.
Amendment 1807 #
Proposal for a regulation
Article 26 – paragraph 3
Article 26 – paragraph 3
3. The controller and the processor shall document in writing the controller's instructions and the processor's obligations referred to in paragraph 2. In this case the requirements of Chapter II are complied for the processor if the controller complies the requirements.
Amendment 1821 #
Proposal for a regulation
Article 26 – paragraph 5
Article 26 – paragraph 5
Amendment 2116 #
Proposal for a regulation
Article 34 – paragraph 3
Article 34 – paragraph 3
3. Where the competent supervisory authority is of the opinion that the intended processing does not comply with this Regulation, in particular where risks are insufficiently identified or mitigated, it shall prohibit the intended processing and make appropriate proposals to remedy such incompliance.
Amendment 2135 #
Proposal for a regulation
Article 34 – paragraph 8
Article 34 – paragraph 8
Amendment 2142 #
Proposal for a regulation
Article 35 – title
Article 35 – title
Designation of the data protection organisation or data protection officer
Amendment 2148 #
Proposal for a regulation
Article 35 – paragraph 1 – introductory part
Article 35 – paragraph 1 – introductory part
1. The controller and the processor shall designate a data protection organisation or data protection officer in any case where:
Amendment 2179 #
Proposal for a regulation
Article 35 – paragraph 1 – point c
Article 35 – paragraph 1 – point c
(c) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects. Core activities should be defined as activities where 50% of the annual turnover resulting from the sale of data or revenue is gained from the use of this data. In relation to data protection, dataprocessing activities which do not represent more than 50% of companies’ turnover shall be considered ancillary.
Amendment 2188 #
Proposal for a regulation
Article 35 – paragraph 2
Article 35 – paragraph 2
2. In the case referred to in point (b) of paragraph 1, a group of undertakings may appoint a single data protection organisation or data protection officer.
Amendment 2193 #
Proposal for a regulation
Article 35 – paragraph 2
Article 35 – paragraph 2
2. In the case referred to in point (b) of paragraph 1, a group of undertakings may appoint a single data protection officer. A corporate group may also appoint a single data protection officer for one or more processing operations by several organisations within it.
Amendment 2196 #
Proposal for a regulation
Article 35 – paragraph 2 a (new)
Article 35 – paragraph 2 a (new)
2a. In the case referred to in paragraph 1(b) Articles 33 and 34 do not apply.
Amendment 2197 #
Proposal for a regulation
Article 35 – paragraph 3
Article 35 – paragraph 3
3. Where the controller or the processor is a public authority or body, the data protection organisation or data protection officer may be designated for several of its entities, taking account of the organisational structure of the public authority or body.
Amendment 2205 #
Proposal for a regulation
Article 35 – paragraph 4
Article 35 – paragraph 4
4. In cases other than those referred to in paragraph 1, the controller or processor or associations and other bodies representing categories of controllers or processors may designate a data protection organisation or a data protection officer.
Amendment 2208 #
Proposal for a regulation
Article 35 – paragraph 4 a(new)
Article 35 – paragraph 4 a(new)
4a. Where the controller belongs to a professional body or a body of controllers from the same sector, he may appoint a data protection officer duly mandated by the body concerned.
Amendment 2210 #
Proposal for a regulation
Article 35 – paragraph 5
Article 35 – paragraph 5
5. The controller or processor shall designate the data protection organisation or data protection officer on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and ability to fulfil the tasks referred to in Article 37. The necessary level of expert knowledge shall be determined in particular according to the data processing carried out and the protection required for the personal data processed by the controller or the processor.
Amendment 2216 #
Proposal for a regulation
Article 35 – paragraph 6
Article 35 – paragraph 6
6. The controller or the processor shall ensure that any other professional duties of the data protection organisation or the data protection officer are compatible with the person's tasks and duties as data protection officer and do not result in a conflict of interests.
Amendment 2219 #
Proposal for a regulation
Article 35 – paragraph 6 a (new)
Article 35 – paragraph 6 a (new)
6a. The data protection officer can either be an employee of the controller or processor or he/she can likewise be an external service provider.
Amendment 2221 #
Proposal for a regulation
Article 35 – paragraph 7
Article 35 – paragraph 7
Amendment 2229 #
Proposal for a regulation
Article 35 – paragraph 7
Article 35 – paragraph 7
7. The controller or the processor shall designate a data protection officer for a period of at least two years at a suitable hierarchical level. The data protection officer may be reappointed for further terms. During their term of office, the data protection officer may only be dismissed, if the data protection officer no longer fulfils the conditions required for the performance of their duties.
Amendment 2234 #
Proposal for a regulation
Article 35 – paragraph 8
Article 35 – paragraph 8
Amendment 2240 #
Proposal for a regulation
Article 35 – paragraph 9
Article 35 – paragraph 9
9. The controller or the processor shall communicate the name and contact details of the data protection organisation or the data protection officer to the supervisory authority and to the public.
Amendment 2242 #
Proposal for a regulation
Article 35 – paragraph 10
Article 35 – paragraph 10
10. Data subjects shall have the right to contact the data protection organisation or the data protection officer on all issues related to the processing of the data subject's data and to request exercising the rights under this Regulation.
Amendment 2248 #
Proposal for a regulation
Article 35 – paragraph 11
Article 35 – paragraph 11
Amendment 2253 #
Proposal for a regulation
Article 36 – title
Article 36 – title
Position of the data protection organisation or the data protection officer
Amendment 2254 #
Proposal for a regulation
Article 36 – paragraph 1
Article 36 – paragraph 1
1. The controller or the processor shall ensure that the data protection organisation or the data protection officer is properly and in a timely manner involved in all issues which relate to the protection of personal data.
Amendment 2260 #
Proposal for a regulation
Article 36 – paragraph 2
Article 36 – paragraph 2
2. The controller or processor shall ensure that the data protection officer performs the duties and tasks independently and does not receive any instructions as regards the exerciserganisation ofr the function. The data protection officer shall directly report to the management of the controller or the processorperforms the duties and tasks independently.
Amendment 2272 #
Proposal for a regulation
Article 36 – paragraph 3
Article 36 – paragraph 3
3. The controller or the processor shall support the data protection organisation or the data protection officer in performing the tasks and shall provide staff, premises, equipment and any other resources necessary to carry out the duties and tasks referred to in Article 37.
Amendment 2281 #
Proposal for a regulation
Article 36 – paragraph 3 a (new)
Article 36 – paragraph 3 a (new)
3a. The controller or the processor shall designate a data protection organisation or a data protection officer for an initial period of at least two years in case of a data protection organisation and for an initial period of at least four years in case of a data protection officer, as long as he/she is not an external service provider. In the least case the period for data protection organisations shall apply. The data protection organisations or data protection officers may be reappointed for further terms. During their term of office, the data protection officer may only be dismissed, if the data protection officer no longer fulfils the conditions required for the performance of their duties. These provisions do not apply in case of the voluntary engagement of a data protection organisation or a data protection officer as laid out in Article 38a of this Regulation.
Amendment 2284 #
Proposal for a regulation
Article 36 – paragraph 3 b (new)
Article 36 – paragraph 3 b (new)
3b. The data protection organisation or the data protection officer may be employed by the controller or processor, or fulfil his or her tasks on the basis of a service contract. The designation as a data protection organisation or a data protection officer does not necessarily require fulltime occupation of the respective organisation or employee.
Amendment 2287 #
Proposal for a regulation
Article 37 – title
Article 37 – title
Tasks of the data protection organisation or the data protection officer
Amendment 2288 #
Proposal for a regulation
Article 37 – paragraph 1 – introductory part
Article 37 – paragraph 1 – introductory part
1. The controller or the processor shall entrust the data protection organisation or the data protection officer at least with the following tasks:
Amendment 2293 #
Proposal for a regulation
Article 37 – paragraph 1 – point a
Article 37 – paragraph 1 – point a
(a) to raise awareness, to inform and advise the controller or the processor of their obligations pursuant to this Regulation and to document this activity and the responses received;
Amendment 2299 #
Proposal for a regulation
Article 37 – paragraph 1 – point c
Article 37 – paragraph 1 – point c
(c) to monitor the implementation and application of this Regulation, in particular as to the requirements related to data protection by design, data protection by default and data security and to the information of data subjects and their requests in exercising their rights under thisincompliance with the Regulation;
Amendment 2308 #
Proposal for a regulation
Article 37 – paragraph 1 – point e
Article 37 – paragraph 1 – point e
(e) to develop processes to monitor the, documentation, notificationy and communication ofe personal data breaches pursuant to Articles 31 and 32;
Amendment 2313 #
Proposal for a regulation
Article 37 – paragraph 1 – point f
Article 37 – paragraph 1 – point f
(f) to develop processes that monitor the performance of the data protection impact assessment by the controller or processor and the application for prior authorisation or prior consultation, if required pursuant Articles 33 and 34;
Amendment 2317 #
Proposal for a regulation
Article 37 – paragraph 1 – point g
Article 37 – paragraph 1 – point g
(g) to monitor the response to requests from the supervisory authority, and, within the sphere of the competence of the data protection organisation or the data protection officer's competencer, co-operating with the supervisory authority at the latter's request or on the own initiative of the data protection organisation or the data protection officer's own initiative;
Amendment 2324 #
Proposal for a regulation
Article 37 – paragraph 2
Article 37 – paragraph 2
Amendment 2330 #
Proposal for a regulation
Chapter 4 – section 5 – title
Chapter 4 – section 5 – title
SELF-REGULATION, BINDING CORPORATE RULES, CODES OF CONDUCT AND CERTIFICATION
Amendment 2331 #
Proposal for a regulation
Article 38
Article 38
Amendment 2340 #
Proposal for a regulation
Article 38 – paragraph 4
Article 38 – paragraph 4
Amendment 2348 #
Proposal for a regulation
Article 38 a (new)
Article 38 a (new)
Article 38a Promoting Self-Regulation 1. The Member States, the national and European supervisory authorities and the Commission shall encourage self- regulation instruments like binding corporate rules, code of conducts and certification or - in cases of companies which do not fall under the provision of Article 35 - the feature of the voluntarily designation of a data protection organisation or a data protection officer. 2. Single undertakings, multicorporate enterprises, industries, professional associations and other associations of every kind which represent specific groups of controllers or processors may submit drafts of the self-regulation instruments in paragraph 1. If the self- regulation instrument should only apply in a Member State the national supervisory authority in that Member State can be asked to confirm the compliance with this regulation. If the self-regulation instrument should apply in all Member States of the EU the European Data Protection Board can be asked to confirm the compliance with this Regulation. The national supervisory authority or the European Data Protection Board shall examine the compatibility of the submitted drafts with the applicable law on this data protection Regulation. If there is no reaction in a 3- month-period the self-regulation instrument is classified as in compliance with this Regulation. 3. If the self-regulation instrument provides an adequate proceeding in data protection issues of this Regulation, Article 14 (Information to the data subject), Article 28 (documentation), Article 33 (data protection impact assessment) and Article 34 (prior authorisation and prior consultation) shall not apply.
Amendment 2349 #
Proposal for a regulation
Article 38 b (new)
Article 38 b (new)
Amendment 2350 #
Proposal for a regulation
Article 38 c (new)
Article 38 c (new)
Article 38c Codes of conduct 1. The Member States, the supervisory authorities and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking account of the specific features of the various data processing sectors, in particular in relation to: (a) fair and transparent data processing; (b) the collection of data; (c) the information of the public and of data subjects; (d) requests of data subjects in exercise of their rights; (e) information and protection of children; (f) transfer of data to third countries or international organisations; (g) mechanisms for monitoring and ensuring compliance with the code by the controllers adherent to it; (h) out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects with respect to the processing of personal data, without prejudice to the rights of the data subjects pursuant to Articles 73 and 75. 2. Associations and other bodies representing categories of controllers or processors in one Member State which intend to draw up codes of conduct or to amend or extend existing codes of conduct may submit them to an opinion of the supervisory authority in that Member State. The supervisory authority may give an opinion whether the draft code of conduct or the amendment is in compliance with this Regulation. The supervisory authority shall seek the views of data subjects or their representatives on these drafts. 3. Associations and other bodies representing categories of controllers in several Member States may submit draft codes of conduct and amendments or extensions to existing codes of conduct to the Commission. 4. The Commission may adopt implementing acts for deciding that the codes of conduct and amendments or extensions to existing codes of conduct submitted to it pursuant to paragraph 3 have general validity within the Union. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2). 5. The Commission shall ensure appropriate publicity for the codes which have been decided as having general validity in accordance with paragraph 4.
Amendment 2352 #
Proposal for a regulation
Article 39 – paragraph 1
Article 39 – paragraph 1
1. The Member States and the Commission shall encourage, in particular at European level, the establishment of data protection certification mechanisms and of data protection seals and marks, allowing data subjects to quickly assess the level of data protection provided by controllers and processors. The data protection certifications mechanisms shall contribute to the proper application of this Regulation, taking account of the specific features of the various sectors and different processing operations. The responsibility for a corresponding certification act should be transferred to independent and qualified auditors. Such an auditor shall be: (a) accredited by a national supervisory authority; and (b) be responsible for the rewarding process of a corresponding privacy certificate; and (c) liable for consequences resulting in the inadequate reward of the data protection certificate.
Amendment 2367 #
Proposal for a regulation
Article 39 – paragraph 2
Article 39 – paragraph 2
2. The Commission shall be empowered after consultation of the stakeholders (European Data Protection Board, national data protection authorities, industry and non-governmental organisations) to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the data protection certification mechanisms referred to in paragraph 1, including conditions for granting and withdrawal, and requirements for recognition within the Union and in third countries. The Commission shall also be empowered after consultation of the stakeholders (European Data Protection Board, national data protection authorities, industry and non-governmental organisations) to adopt delegated acts in accordance with Article 86 for the purpose of further defining the accreditation requirements for auditors.
Amendment 2382 #
Proposal for a regulation
Chapter 5 – title
Chapter 5 – title
TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES, GROUP OF UNDERTAKINGS OR INTERNATIONAL ORGANISATIONS
Amendment 2383 #
Proposal for a regulation
Article 40 – paragraph 1
Article 40 – paragraph 1
Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country, internal of a group of undertakings or to an international organisation may only take place if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country, in a group of undertakings or an international organisation to another third country or to another international organisation.
Amendment 2389 #
Proposal for a regulation
Article 41 – paragraph 1
Article 41 – paragraph 1
1. A transfer may take place where international agreements or arrangements between the EU or a Member State with a third country are in force or the Commission has decided that the third country, or a territory or a processing sector within that third country, or the international organisation in question ensures an adequate level of protection. Such transfer shall not require any further authorisation.
Amendment 2407 #
Proposal for a regulation
Article 41 – paragraph 6 a (new)
Article 41 – paragraph 6 a (new)
6a. The adequacy decision by the Commission pursuant to this Article may be reconsidered when the level of protection in the third country are not longer exist.
Amendment 2414 #
Proposal for a regulation
Article 41 – paragraph 8 a (new)
Article 41 – paragraph 8 a (new)
8a. International agreements or arrangements between the EU or a Member state with a third country are considered as adequate in the sense of this article.
Amendment 2416 #
Proposal for a regulation
Article 42 – paragraph 1
Article 42 – paragraph 1
1. Where the Commission has taken no decision pursuant to Article 41, a controller or processor may transfer personal data to a third country, to a branch abroad of a group of undertakings or an international organisation only if the controller or processor has adduced appropriate safeguards with respect to the protection of personal data in a legally binding instrument.
Amendment 2421 #
Proposal for a regulation
Article 42 – paragraph 2 – point a
Article 42 – paragraph 2 – point a
(a) binding corporate rules in accordance with Article 438b; or
Amendment 2426 #
Proposal for a regulation
Article 42 – paragraph 2 – point b
Article 42 – paragraph 2 – point b
(b) standard data protection clauses, between the controller or processor and the recipient, that can be a sub-processor, of the data outside the EEA, which may include standard terms for onward transfers outside the EEA, adopted by the Commission. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2); or
Amendment 2429 #
Proposal for a regulation
Article 42 – paragraph 2 – point c
Article 42 – paragraph 2 – point c
(c) standard data protection clauses, between the controller or processor and the recipient, that can be a sub-processor, of the data outside the Union, which may include standard terms for onward transfers outside the Union, adopted by a supervisory authority in accordance with the consistency mechanism referred to in Article 57 when declared generally valid by the Commission pursuant to point (b) of Article 62(1); or
Amendment 2434 #
Proposal for a regulation
Article 42 – paragraph 2 – point d a (new)
Article 42 – paragraph 2 – point d a (new)
(da) contractual clauses between the controller or processor and the recipient of the data that supplement standard data protection clauses as referred to in points (b) and (c) of paragraph 2 of this Article, and are authorised by the competent supervisory authority in accordance with paragraph 4;
Amendment 2439 #
Proposal for a regulation
Article 42 – paragraph 2 – point d b (new)
Article 42 – paragraph 2 – point d b (new)
(db) for historical, statistical or scientific purposes, the measures referred to in Article 83(4);
Amendment 2446 #
Proposal for a regulation
Article 42 – paragraph 3
Article 42 – paragraph 3
3. A transfer based on standard data protection clauses or binding corporate rules as referred to in points (a), (b), (c), (d), (da) or (cdb) of paragraph 2 shall not require any further authorisation.
Amendment 2451 #
Proposal for a regulation
Article 42 – paragraph 4
Article 42 – paragraph 4
4. Where a transfer is based on contractual clauses as referred to in point (d) or (da) of paragraph 2 of this Article the controller or processor shall obtain prior authorisation of the contractual clauses according to point (a) of Article 34(1) from the competent supervisory authority. If the transfer is related to processing activities which concern data subjects in another Member State or other Member States, or substantially affect the free movement of personal data within the Union, the competent supervisory authority shall apply the consistency mechanism referred to in Article 57.
Amendment 2454 #
Proposal for a regulation
Article 42 – paragraph 4 a (new)
Article 42 – paragraph 4 a (new)
4a. A controller or processor may choose to base transfers on standard data protection clauses as referred to the relevant provisions in paragraph 2 of this Article, and to offer in addition to these standard clauses supplemental, legally binding commitments that apply to transferred data. In such cases, these additional commitments shall be subject to prior consultation with the competent supervisory authority and shall supplement and not contradict, directly or indirectly, the standard clauses. Member States, supervisory authorities and the Commission shall encourage the use of supplemental and legally binding commitments by offering a data protection seal, mark or mechanism, adopted pursuant to Article 39, to controllers and processors who adopt these heightened safeguards.
Amendment 2455 #
Proposal for a regulation
Article 42 – paragraph 4 b (new)
Article 42 – paragraph 4 b (new)
Amendment 2465 #
Proposal for a regulation
Article 43
Article 43
Amendment 2467 #
Proposal for a regulation
Article 43 – paragraph 1 – introductory part
Article 43 – paragraph 1 – introductory part
1. AThe competent supervisory authority shall in accordance with the consistency mechanism set out in Arauthorize through a single act of approval binding corporate rules for a group of undertakings. These rules will allow multicple 58 approve binding corporate rulesintracompany international transfers in and out of Europe, provided that they:
Amendment 2472 #
Proposal for a regulation
Article 43 – paragraph 1 – point a
Article 43 – paragraph 1 – point a
(a) are legally binding and apply to and are enforced by every member within the controller's or processor's group of undertakings and their external subcontractors, and include their employees;
Amendment 2478 #
Proposal for a regulation
Article 43 – paragraph 2 – point a
Article 43 – paragraph 2 – point a
(a) the structure and contact details of the group of undertakings and its members, and their external subcontractors;
Amendment 2480 #
Proposal for a regulation
Article 43 – paragraph 2 – point b
Article 43 – paragraph 2 – point b
(b) the data transfers or set of transfers, including the categories of personal data, the type of processing and its purposes, the type of data subjects affected and where appropriate the identification of the third country or countries in question;
Amendment 2490 #
Proposal for a regulation
Article 43 a (new)
Article 43 a (new)
Article 43a Transfers by way of binding corporate rules The provisions of Article 38b shall apply accordingly.
Amendment 2492 #
Proposal for a regulation
Article 44 – title
Article 44 – title
Amendment 2495 #
Proposal for a regulation
Article 44 – paragraph 1 – introductory part
Article 44 – paragraph 1 – introductory part
1. In the absence of an adequacy decision pursuant to Article 41; or where the Commission decides that a third country, or a territory or a processing sector within that third country, or an international organisation does not ensure an adequate level of protection in accordance with Article 41(5); or in the absence of appropriate safeguards pursuant to Article 42, a transfer or a set of transfers of personal data to a third country or an international organisation may take place only on condition that:
Amendment 2504 #
Proposal for a regulation
Article 44 – paragraph 1 – point h
Article 44 – paragraph 1 – point h
(h) the transfer is necessary for the purposes of the legitimate interests pursued by the controller or the processor, which cannot be qualified as frequent or massive, and where the controller or processor has assessed all the circumstances surrounding the data transfer operation or the set of data transfer operations and based on this assessment adduced appropriate safeguards with respect to the protection of personal data, where necessary.
Amendment 2507 #
Proposal for a regulation
Article 44 – paragraph 1 – point h a (new)
Article 44 – paragraph 1 – point h a (new)
(ha) the transfer is necessary for the purposes of the legitimate interests of the data subject especially when required or necessary for the entry of the third country.
Amendment 2519 #
Proposal for a regulation
Article 44 – paragraph 5
Article 44 – paragraph 5
5. The public interest referred to in point (d) of paragraph 1 must be recognised in Union law or in the law of the Member State to which the controller is subject, or in applicable international agreements or arrangements.
Amendment 2526 #
Proposal for a regulation
Article 44 – paragraph 7
Article 44 – paragraph 7
Amendment 2543 #
Proposal for a regulation
Article 46 – paragraph 1
Article 46 – paragraph 1
1. Each Member State shall provide that one or more publica lead public supervisory authorities arey responsible for monitoring the application of this Regulation and for contributing to its consistent application throughout the Union, in order to protect the fundamental rights and freedoms of natural persons in relation to the processing of their personal data and to facilitate the free flow of personal data within the Union. For these purposes, the supervisory authorities shall co-operate with each other and the Commission.
Amendment 2547 #
Proposal for a regulation
Article 47 – paragraph 1
Article 47 – paragraph 1
1. The supervisory authority shall act with complete independence in exercising the duties and powers entrusted to it, notwithstanding co-operative and consistency arrangements related to Chapter VII of this Regulation and within the legal and administrative limits of the own Member State.
Amendment 2573 #
Proposal for a regulation
Article 49 a (new)
Article 49 a (new)
Amendment 2578 #
Proposal for a regulation
Article 51 – paragraph 1
Article 51 – paragraph 1
1. Each supervisory authority shall exercise, on the territory of its own Member State, the powers conferred on it in accordance with this Regulation. Data processing by a public authority are supervised only by the supervisory authority of that Member State.
Amendment 2583 #
Proposal for a regulation
Article 51 – paragraph 2
Article 51 – paragraph 2
2. Where the processing of personal data takes place in the context of the activities of an establishment of a controller Regulation applies by virtue of Article 3(1), the competent supervisory a processor in the Union, and the controller or processor is established in more than one Member State, the supervisory authority of the main establishment of the controller or processor shall be competent for the supervision of the processing activities of the controller or the processor in all Member States,uthority will be the supervisory authority of the Member State or territory where the main establishment of the controller or processor subject to the Regulation is established. Disputes should be decided upon in accordance with the consistency mechanism set out in article 58, and this without prejudice to the other provisions of Chapter VII of this Regulation. This provision also apply for legal entities of a group of undertakings, where these undertakings are located in more than one Member State.
Amendment 2590 #
Proposal for a regulation
Article 51 – paragraph 2 a (new)
Article 51 – paragraph 2 a (new)
2a. Where the Regulation applies by virtue of Article 3(2), the competent supervisory authority will be the supervisory authority of the Member State or territory where the controller has designated a representative in the Union pursuant to Article 25.
Amendment 2592 #
Proposal for a regulation
Article 51 – paragraph 2 b (new)
Article 51 – paragraph 2 b (new)
2b. Where the Regulation applies to several controllers and/ or processors with the same group of undertakings by virtue of Article 3(1) and (2), only one supervisory authority will be competent and it will be determined in accordance with Article 51(2).
Amendment 2596 #
Proposal for a regulation
Article 51 – paragraph 3
Article 51 – paragraph 3
3. The supervisory authority shall not be competent to supervise processing operations of courts acting in their judicial capacity and not competent to supervise processing operations of controllers bound by obligations of professional secrecy.
Amendment 2601 #
Proposal for a regulation
Article 52 – paragraph 1 – point b
Article 52 – paragraph 1 – point b
(b) hear complaints lodged by any data subject, or by an association representing that data subject in accordance with Article 73, investigate, to the extent appropriate, the matter and inform the data subject or the association of the progress and the outcome of the complaint within a reasonable period, in particular if further investigation or coordination with another supervisory authority is necessary;
Amendment 2612 #
Proposal for a regulation
Article 52 – paragraph 2 a (new)
Article 52 – paragraph 2 a (new)
2a. Each supervisory authority shall together with the European Data Protection Board promote the awareness for controllers and processors on risks, rules, safeguards and rights in relation to the processing of personal data. This includes a register of sanctions and breaches. The register should enrol both all warnings and sanctions as detailed as possible and the resolving of breaches.
Amendment 2615 #
Proposal for a regulation
Article 52 – paragraph 3
Article 52 – paragraph 3
3. The competent supervisory authority shall, upon request, advise any data subject in exercising the rights under this Regulation and, if appropriate, co-operate with the supervisory authorities in other Member States to this end.
Amendment 2619 #
Proposal for a regulation
Article 53 – paragraph 1 – introductory part
Article 53 – paragraph 1 – introductory part
1. EachPursuant to Article 51 the competent supervisory authority shall have the power:
Amendment 2621 #
Proposal for a regulation
Article 53 – paragraph 1 – point d
Article 53 – paragraph 1 – point d
(d) to ensure the compliance with prior authorisations and prior consultations referred to in Article 34;
Amendment 2624 #
Proposal for a regulation
Article 53 – paragraph 1 – point j a (new)
Article 53 – paragraph 1 – point j a (new)
(ja) to inform the controller and/or the processor of the judicial remedies available against its decision.
Amendment 2628 #
Proposal for a regulation
Article 53 – paragraph 2 – subparagraph 1 – introductory part
Article 53 – paragraph 2 – subparagraph 1 – introductory part
Amendment 2634 #
Proposal for a regulation
Article 53 – paragraph 3
Article 53 – paragraph 3
3. EachPursuant to Article 51 the competent supervisory authority shall have the power to bring violations of this Regulation to the attention of the judicial authorities and to engage in legal proceedings, in particular pursuant to Article 74(4) and Article 75(2).
Amendment 2636 #
Proposal for a regulation
Article 53 – paragraph 4
Article 53 – paragraph 4
4. EachPursuant to Article 51 the competent supervisory authority shall have the power to sanction administrative offences, in particular those referred to in Article 79(4), (5) and (6).
Amendment 2641 #
Proposal for a regulation
Article 54 a (new)
Article 54 a (new)
Amendment 2644 #
Proposal for a regulation
Article 55 – paragraph 1
Article 55 – paragraph 1
1. Supervisory authorities shall provide each other relevant information and mutual assistance in order to implement and apply this Regulation in a consistent manner, and shall put in place measures for effective co- operation with one another. Mutual assistance shall cover, in particular, information requests and supervisory measures, such as requests to carry out prior authorisations and consultations, inspections and prompt information on the opening of cases and ensuing developments where data subjects in several Member States are likely to be affected by processing operations. The leading supervisory authority according to Article 51(2) ensures the coordination with the relevant authorities involved and acts as central contact point for the controller and processor.
Amendment 2647 #
Proposal for a regulation
Article 55 – paragraph 2
Article 55 – paragraph 2
2. Each supervisory authority shall take all appropriate measures required to reply to the request of another supervisory authority without delay and no later than one month after having received the request. Such measures may include, in particular, the transmission of relevant information on the course of an investigation or enforcement measures to bring about the cessation or prohibition of processing operations contrary to this Regulation.
Amendment 2650 #
Proposal for a regulation
Article 55 – paragraph 4 a (new)
Article 55 – paragraph 4 a (new)
4a. In cases covered by Article 55(4), the admissibility of the measure to which the request for assistance relates shall be determined in accordance with the law of the requesting authority; the lawfulness of providing assistance shall be determined in accordance with the law of the requested authority;
Amendment 2651 #
Proposal for a regulation
Article 55 – paragraph 6
Article 55 – paragraph 6
6. Supervisory authorities shall supply the information requested by other supervisory authorities by electronic means and within the shortest possible period of time, using a standardised format. Both the request and the electronic transfer of information shall be made using the Internal Market Information System.
Amendment 2652 #
Proposal for a regulation
Article 55 – paragraph 7
Article 55 – paragraph 7
7. No fee shall be charged to the requesting supervisory authority for any action taken following a request for mutual assistance.
Amendment 2653 #
Proposal for a regulation
Article 55 – paragraph 8
Article 55 – paragraph 8
8. Where a supervisory authority does not act within one month of the time limit referred to in paragraph 2 on request of another supervisory authority, the requesting supervisory authorities shall be competent to take a provisional measure on the territory of its Member State in accordance with Article 51(1) and shall submit the matter to the European Data Protection Board in accordance with the procedure referred to in Article 57. Where no definitive measure is yet possible because the assistance is not yet completed, the requesting supervisory authority may take interim measures under Article 53 in the territory of its Member State.
Amendment 2655 #
Proposal for a regulation
Article 55 – paragraph 10
Article 55 – paragraph 10
Amendment 2660 #
Proposal for a regulation
Article 56 – paragraph 4
Article 56 – paragraph 4
4. Supervisory authorities shall lay down the practical aspects of specific co- operation actions in their rules of procedure. The rules of procedures shall be made public in the Official Journal of the European Union.
Amendment 2664 #
Proposal for a regulation
Article 58 – paragraph 1
Article 58 – paragraph 1
1. Before athe competent supervisory authority adopts a measure referred to in paragraph 2, this supervisory authority shall communicate the draft measure to the European Data Protection Board and the Commission.
Amendment 2666 #
Proposal for a regulation
Article 58 – paragraph 2 – point a
Article 58 – paragraph 2 – point a
(a) relates to processing activities of personal data which are related to the offering of goods or services to data subjects in several Member States, or to when the mconitoring of their behaviour; ortroller or processor outside of the Union does not name a representative in the territory of the Union;
Amendment 2668 #
Proposal for a regulation
Article 58 – paragraph 2 – point f
Article 58 – paragraph 2 – point f
(f) aims to approve binding corporate rules within the meaning of Article 438b.
Amendment 2669 #
Proposal for a regulation
Article 58 – paragraph 2 – point f a (new)
Article 58 – paragraph 2 – point f a (new)
(fa) permits processing for research purposes in accordance with Article 81(3) and/or Article 83(3).
Amendment 2671 #
Proposal for a regulation
Article 58 – paragraph 3
Article 58 – paragraph 3
3. Any supervisory authority or the European Data Protection Board may request that any matter shall be dealt with in the consistency mechanism, in particular where a supervisorythe competent authority does not submit a draft measure referred to in paragraph 2 or does not comply with the obligations for mutual assistance in accordance with Article 55 or for joint operations in accordance with Article 56.
Amendment 2674 #
Proposal for a regulation
Article 58 – paragraph 4
Article 58 – paragraph 4
4. In order to ensure correct and consistent application of this Regulation, the Commission may, acting on its own behalf, and shall at the request of a stakeholder, request that any matter shall be dealt with in the consistency mechanism.
Amendment 2675 #
Proposal for a regulation
Article 58 – paragraph 6
Article 58 – paragraph 6
6. The chair of the European Data Protection Board shall immediatwithout undue delay electronically inform the members of the European Data Protection Board and the Commission of any relevant information which has been communicated to it, using a standardised format. The chair of the European Data Protection Board shall provide translations of relevant information, where necessary.
Amendment 2681 #
Proposal for a regulation
Article 58 – paragraph 8
Article 58 – paragraph 8
8. The competent supervisory authority referred to in paragraph 1 and the supervisory authority competent under Article 51 shall take account of the opinion of the European Data Protection Board and shall within two weeks after the information on the opinion by the chair of the European Data Protection Board, electronically communicate to the chair of the European Data Protection Board and to the Commission whether it maintains or amends its draft measure and, if any, the amended draft measure, using a standardised format.
Amendment 2713 #
Proposal for a regulation
Article 61 – paragraph 1
Article 61 – paragraph 1
1. In exceptional circumstances, where a supervisory authority considers that there is an urgent need to act in order to protect the interests of data subjects, in particular when the danger exists that the enforcement of a right of a data subject could be considerably impeded by means of an alteration of the existing state or for averting major disadvantages or for other reasons, by way of derogation from the procedure referred to in Article 58, it may immediately adopt provisional measures with a specified period of validity. The supervisory authority shall, without delay, communicate those measures, with full reasons, to the European Data Protection Board and to, the Commission and the controller or processor concerned.
Amendment 2715 #
Proposal for a regulation
Article 61 – paragraph 2
Article 61 – paragraph 2
2. Where a supervisory authority has taken a measure pursuant to paragraph 1 and considers that final measures need urgently be adopted, it may, it shall request an urgent opinion of the European Data Protection Board, giving reasons for the requesting such opinion, including for the urgency of final measures.
Amendment 2721 #
Proposal for a regulation
Article 62 – paragraph 1 – subparagraph 1 – point a
Article 62 – paragraph 1 – subparagraph 1 – point a
Amendment 2737 #
Proposal for a regulation
Article 66 – paragraph 1 – introductory part
Article 66 – paragraph 1 – introductory part
1. The European Data Protection Board shall ensure the consistent application of this Regulation. To this effect, the European Data Protection Board shall, on its own initiative or at the request of the Commission or other stakeholders, in particular:
Amendment 2741 #
Proposal for a regulation
Article 66 – paragraph 1 – point b
Article 66 – paragraph 1 – point b
(b) examine, on its own initiative or on request of one of its members or on request of the Commission, the Commission or other stakeholders, any question covering the application of this Regulation and issue guidelines, recommendations and best practices addressed to the supervisory authorities in order to encourage consistent application of this Regulation;
Amendment 2757 #
Proposal for a regulation
Article 66 – paragraph 4 a (new)
Article 66 – paragraph 4 a (new)
4a. Where appropriate, the European Data Protection Board shall, in its execution of the tasks as outlined in Article 66, consult interested parties and give them the opportunity to comment within a reasonable period. The European Data Protection Board shall, without prejudice to Article 72, make the results of the consultation procedure publicly available.
Amendment 2763 #
Proposal for a regulation
Article 69 – paragraph 2
Article 69 – paragraph 2
2. The term of office of the chair and of the deputy chairpersons shall be five years and be renewable. Their appointment may be revoked by a decision of the European Parliament adopted by a two-thirds majority of the votes cast, representing a majority of its component Members.
Amendment 2779 #
Proposal for a regulation
Article 73 – paragraph 2
Article 73 – paragraph 2
Amendment 2789 #
Proposal for a regulation
Article 73 – paragraph 3
Article 73 – paragraph 3
Amendment 2796 #
Proposal for a regulation
Article 74 – paragraph 1
Article 74 – paragraph 1
1. Each controller, processor or other natural or legal person shall have the right to a judicial remedy against decisions of a supervisory authority concerning them.
Amendment 2813 #
Proposal for a regulation
Article 76 – paragraph 1
Article 76 – paragraph 1
Amendment 2825 #
Proposal for a regulation
Article 77 – paragraph 1
Article 77 – paragraph 1
1. Any person who has suffered damage as a result of an unlawful processing operation or of an action incompatible with this Regulation shall have the right to receive compensation from the controller or the processor for the damage suffered.
Amendment 2830 #
Proposal for a regulation
Article 77 – paragraph 2
Article 77 – paragraph 2
2. Where more than one controller or processor is involved in the processing, each controller or processor shall be jointly and severally liable for the entire amount of the damage, notwithstanding the contractual agreement they might have concluded according to Article 24.
Amendment 2837 #
Proposal for a regulation
Article 77 – paragraph 3
Article 77 – paragraph 3
3. The controller or the processor may be exempted from this liability, in whole or in part, if the controller or the processor proves that they are not responsible for the event giving rise to the damage.
Amendment 2861 #
Proposal for a regulation
Article 79 – paragraph 2
Article 79 – paragraph 2
2. The administrative sanction shall be in each individual case effective, proportionate and dissuasive. The amount of the administrative fine shall be fixed with due regard to: (a) the nature, gravity and duration of the breach,; (b) the intentional or negligent character of the infringement,; (c) the particular categories of personal data; (d) the degree of responsibility of the natural or legal person and of previous breaches by this person,; (e) the degree of responsibility for data protection by technical and organisational measures and procedures especially pursuant to Articles 35, 38a, 38b, 38c, 39; (f) the technical and organisational measures and procedures implemented pursuant to Article 23; and (g) the degree of co-operation with the supervisory authority in order to remedy the breach.
Amendment 2874 #
Proposal for a regulation
Article 79 – paragraph 3 – introductory part
Article 79 – paragraph 3 – introductory part
3. In case of a first and non-intentional non- compliance with this Regulation, a warning in writing may be given annd if there is no data subject affected the supervisory authority shall find an agreement with the controller or processor concerned nto sanction imposed, where: (a) a natural person is processing personal datresolve the non- compliance with this Regulation without a written warning or imposing a sanction. In case of a serious non-compliance with this Regulation, the supervisory authority should give at first a writhout a commercial interest; or (b) an enterprise or an organisation employing fewer than 250 persons is processing personal data only as an activity ancillary to its main activititen warning including supposed measures to resolve the data breaches within a reasonable time without imposing a sanction. The supervisory authority may only impose a fine with regard to paragraph 2 of up to EUR 1 000 000 or, in the case of a company, of up to 2 % of its annual worldwide turnover, for not resolving the data breaches with measures given in a written warning or for repeated, deliberate breaches.
Amendment 2876 #
Proposal for a regulation
Article 79 – paragraph 3 – introductory part
Article 79 – paragraph 3 – introductory part
3. In case of a first and non-intentional non-compliance with this Regulation, a warning in writing may be given and no sanction imposed, where: (a) a natural person is processing personal data without a commercial interest; or (b) an enterprise or an organisation employing fewer than 250 persons is processing personal data only as an activity ancillary to its main activities.
Amendment 2886 #
Proposal for a regulation
Article 79 – paragraph 4
Article 79 – paragraph 4
Amendment 2897 #
Proposal for a regulation
Article 79 – paragraph 5
Article 79 – paragraph 5
Amendment 2917 #
Proposal for a regulation
Article 79 – paragraph 6
Article 79 – paragraph 6
Amendment 2942 #
Proposal for a regulation
Article 79 – paragraph 7
Article 79 – paragraph 7
Amendment 2959 #
Proposal for a regulation
Article 80 – paragraph 1
Article 80 – paragraph 1
1. Member States shall provide for exemptions or derogations from the provisions on the Chapter II (general principles in), Chapter II, I (the rights of the data subject in), Chapter III, onV (the controller and processor in), Chapter IV, on the V (transfer of personal data to third countries and international organisations in), Chapter V, the independent I (supervisory authorities in), Chapter VI and on I (co-operation and consistency in) and Articles 73, 74, 76 and 79 of Chapters VII forI (legal remedies, liability and penalties) and X shall not apply to the processing of personal data carried out solely for journalistic purposes or the purpose of artistic or literary expression in order to reconcile the right to the protection of personal data with the rules governing freedom of expression.
Amendment 2964 #
Proposal for a regulation
Article 80 – paragraph 2
Article 80 – paragraph 2
Amendment 2978 #
Proposal for a regulation
Article 81 – paragraph 1 – point c
Article 81 – paragraph 1 – point c
(c) other reasons of public interest in areas such as social protection, especially in order to ensure the quality and cost- effectiveness of the procedures used for settling claims for benefits and services in the health insurance system and the provision of health services.
Amendment 2990 #
Proposal for a regulation
Article 81 – paragraph 3
Article 81 – paragraph 3
Amendment 3001 #
Proposal for a regulation
Article 82
Article 82
Amendment 3050 #
Proposal for a regulation
Article 83 – paragraph 1 – introductory part
Article 83 – paragraph 1 – introductory part
1. Within the limits of this Regulation, pPersonal data may be processed for historical, statistical or scientific research purposes only if:
Amendment 3058 #
Proposal for a regulation
Article 83 – paragraph 1 – point b a (new)
Article 83 – paragraph 1 – point b a (new)
(ba) the personal data is processed for the purpose of generating aggregate data reports, wholly composed of either anonymous data, pseudonymous data or both.
Amendment 3076 #
Proposal for a regulation
Article 83 – paragraph 2 a (new)
Article 83 – paragraph 2 a (new)
2a. Where the data subject is required to give his/her consent for the processing of medical data exclusively for public health research purposes, the option of broad consent may be available to the data subject for the purposes of epidemiological, translational and clinical research. Where personal data is collected for statistical and public health purposes, such data should be made anonymous immediately after the end of data collection, checking or matching operations, except if the identification data remain necessary for statistical, and public health purposes such as epidemiological, translational and clinical research.
Amendment 3082 #
Proposal for a regulation
Article 83 – paragraph 2 – point a
Article 83 – paragraph 2 – point a
(a) the data subject has given consent, subject to the conditions laid down in Article 7; or
Amendment 3087 #
Proposal for a regulation
Article 83 – paragraph 3
Article 83 – paragraph 3
Amendment 3098 #
Proposal for a regulation
Article 84 – paragraph 1
Article 84 – paragraph 1
1. Within the limits of this Regulation, Member States mayshall adopt specific rules to set out the investigative powers by the supervisory authorities laid down in Article 53(2) in relation to controllers or processors that are subjects under national law or rules established by national competent bodies to an obligation of professional secrecy or other equivalent obligations of secrecy, where this is necessary and proportionate to reconcile the right of the protection of personal data with the obligation of secrecy. These rules shall only apply with regard to personal data which the controller or processor has received from or has obtained in an activity covered by this obligation of secrecy.
Amendment 3127 #
Proposal for a regulation
Article 89 – paragraph 2
Article 89 – paragraph 2
2. Article 1(2), Article 2(b) and (c), Article 4(3), (4) and (5) and Articles 6 and 9 of Directive 2002/58/EC shall be deleted.