136 Amendments of Rafał TRZASKOWSKI related to 2012/0011(COD)
Amendment 95 #
Proposal for a regulation
Recital 15
(15) This Regulation should not apply to processing of personal data by a natural person, which are exclusively personal or domestic, such as correspondence and the holding of addresses, and without any gainful interest and thus without any connection with a professional or commercial activity, and which does not involve making such data accessible to an indefinite number of people. The exemption should also not apply to controllers or processors which provide the means for processing personal data for such personal or domestic activities.
Amendment 99 #
Proposal for a regulation
Recital 24
(24) When using online services, individuals may be associated with online identifiers provided by their devices, applications, tools and protocols, such as Internet Protocol addresses or cookie identifiers. This may leave traces which, combined with unique identifiers and other information received by the servers, may be used to create profiles of the individuals and identify them. It follows that identification numbers, location data, online identifiers or other specific factors as such need not necessarily be considered as personal data in all circumstances, but shall be considered as one, when processed with the intention of targeting particular content at an individual or of singling that individual out for any other purpose;
Amendment 101 #
Proposal for a regulation
Recital 24
(24) When using online services, individuals may be associated with online identifiers provided by their devices, applications, tools and protocols, such as Internet Protocol addresses or cookie identifiers. This may leave traces which, combined with unique identifiers and other information received by the servers, may be used to create profiles of the individuals and identify them. It follows that a study should be conducted, on a case-by-case basis and in accordance with technological developments, into whether identification numbers, location data, online identifiers or other specific factors as such must necessarily be considered as personal data in all circumstances.
Amendment 106 #
Proposal for a regulation
Recital 25
(25) Consent should be given explicitly by any method appropriate to the media used enabling a freely given specific and informed indication of the data subject's wishes, either by a statement or by a clear affirmative action by the data subject, ensuring that individuals are aware that they give their consent to the processing of personal data, including by ticking a box when visiting an Internet website or by any other statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of their personal data. Silence or inactivity should therefore not constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. If the data subject's consent is to be given following an electronic request, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
Amendment 108 #
Proposal for a regulation
Recital 27
(27) The main establishment of a controller in the Union should be determined according to objective criteria and should imply the effective and real exercise of management activities determining the main decisions as to the purposes, conditions and means of processing through stable arrangements. This criterion should not depend whether the processing of personal data is actually carried out at that location; the presence and use of technical means and technologies for processing personal data or processing activities do not, in themselves, constitute such main establishment and are therefore no determining criteria for a main establishment. ‘Main establishment of the controller’ means the place in the EU where personal data protection policy is determined, taking into account the dominant influence of that establishment over others, particularly in the case of a group of companies, as regards the implementation of rules on personal data protection and rules which have a bearing on data protection. The main establishment of the processor should be the place of its central administration in the Union.
Amendment 117 #
Proposal for a regulation
Recital 34
(34) Consent shall be freely given and the data subject shall not be forced to consent for processing of its data, especially where there is a significant imbalance between the data subject and the controller. This may be the case where the data subject is in a situation of dependence from the controller, among others, where personal data are processed by the employer of employees' personal data in the employment context. However, when the purpose of data processing is in the interest of the data subject and the data subject is subsequently able to withdraw consent without detriment, the consent should provide a valid legal ground for processing. Where the controller is a public authority, there would be an imbalance only in the specific data processing operations where the public authority can impose an obligation by virtue of its relevant public powers and the consent cannot be deemed as freely given, taking into account the interest of the data subject.
Amendment 118 #
Proposal for a regulation
Recital 34 a (new)
(34 a) When personal data, processed on the basis of a data subject's consent are necessary for the provision of a service, the withdrawal of the consent can constitute the ground for the termination of a contract by the service provider. This shall apply in particular to the services which are provided free of charge to the consumers.
Amendment 120 #
Proposal for a regulation
Recital 38
(38) The legitimate interests of a controller may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding. This would need careful assessment in particular where the data subject is a child, given that children deserve specific protection. The data subject should have the right to object the processing, on grounds relating to their particular situation and free of charge. A legitimate interests pursued by controller may include: direct marketing of controller's goods and services, enforcement of the controller's claims and ensuring the security of the system, network and information. When data subject withdraws his or her consent, the controller shall be also allowed to refuse further provision of services if the processing is necessary because of the nature of the service or the functioning of the filling system. To ensure transparency, the controller should be obliged to explicitly inform the data subject on the legitimate interests pursued and on the right to object, and also be obliged to document these legitimate interests. Given that it is for the legislator to provide by law the legal basis for public authorities to process data, this legal ground should not apply for the processing by public authorities in the performance of their tasks.
Amendment 126 #
Proposal for a regulation
Recital 48
(48) The principles of fair and transparent processing require that the data subject should be informed in particular of the existence of the processing operation and its purposes, the criteria which may be used to determine how long the data will be stored for each purpose, on the existence of the right of access, rectification or erasure and on the right to lodge a complaint. Where the data are collected from the data subject, the data subject should also be informed whether they are obliged to provide the data and of the consequences, in cases they do not provide such data.
Amendment 127 #
Proposal for a regulation
Recital 51
(51) Any person should have the right of access to data which has been collected concerning them, and to exercise this right easily, in order to be aware and verify the lawfulness of the processing. Every data subject should therefore have the right to know and obtain communication in particular for what purposes the data are processed, the criteria which may be used to determine for how long the data will be stored for each purpose, which recipients receive the data, what is the logic of the data that are undergoing the processing and what might be, at least when based on profiling, the consequences of such processing. This right should not adversely affect the rights and freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software. However, the result of these considerations should not be that all information is refused to the data subject.
Amendment 128 #
Proposal for a regulation
Recital 55
Amendment 129 #
Proposal for a regulation
Recital 60
(60) Overall responsibility and liability of the controller for any processing of personal data carried out by the controller or on the controller's behalf should be established. In particular, the controller should ensure and be obliged to demonstrate the compliance of each processing operation with this Regulation.
Amendment 132 #
Proposal for a regulation
Recital 62
(62) The protection of the rights and freedoms of data subjects as well as the responsibility and liability of controllers and processor, also in relation to the monitoring by and measures of supervisory authorities, requires a clear attribution of the responsibilities under this Regulation, including where a controller determines the purposes, conditions and means of the processing jointly with other controllers or where a processing operation is carried out on behalf of a controller. Where joint and several liability applies, a processor which has made amends for damage done to the data subject concerned may bring an action against the controller for reimbursement if it has acted in conformity with the legal act binding it to the controller.
Amendment 134 #
Proposal for a regulation
Recital 65
(65) In order to demonstrate compliance with this Regulation, the controller or processor should keep a documentary record of all the processing systems and procedures for which they are responsible. Each controller and processor should be obliged to co-operate with the supervisory authority and make this documentation, on request, available to it, so that it might serve for monitoring those processing operations.
Amendment 137 #
Proposal for a regulation
Recital 67
(67) A personal data breach may, if not addressed in an adequate and timely manner, result in substantial economic loss and social harm, including identity fraud, to the individual concerned. Therefore, as soon as the controller becomes aware that such a breach which would have a significant impact on the data subject has occurred, the controller should notify the breach to the supervisory authority without undue delay and, where feasible, within 24 hours. Where this cannot be achieved within 24 hours, an explanation of the reasons for the delay should accompany the notification. The individuals whose personal data could be significantly adversely affected by the breach should be notified without undue delay in order to allow them to take the necessary precautions. A breach should be considered as significantly adversely affecting the personal data or privacy of a data subject where it could result in, for example, identity theft or fraud, physical harm, significant humiliation or damage to reputation. The notification should describe the nature of the personal data breach as well as recommendations for the individual concerned to mitigate potential adverse effects. Notifications to data subjects should be made as soon as reasonably feasible, and in close cooperation with the supervisory authority and respecting guidance provided by it or other relevant authorities (e.g. law enforcement authorities). For example, the chance for data subjects to mitigate an immediate risk of harm would call for a prompt notification of data subjects whereas the need to implement appropriate measures against continuing or similar data breaches may justify a longer delay.
Amendment 142 #
Proposal for a regulation
Recital 118
(118) Any damage which a person may suffer as a result of unlawful processing should be compensated by the controller or processor, who may be exempted from liability if they prove that they are not responsible for the damage, in particular where he establishes fault on the part of the data subject or in case of force majeure. Where joint and several liability applies, a processor which has made amends for damage done to the data subject concerned may bring an action against the controller for reimbursement if it has acted in conformity with the legal act binding it to the controller.
Amendment 143 #
Proposal for a regulation
Recital 129
(129) In order to fulfil the objectives of this Regulation, namely to protect the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data and to ensure the free movement of personal data within the Union, the power to adopt acts in accordance with Article 290 of the Treaty on the Functioning of the European Union should be delegated to the Commission. In particular, delegated acts should be adopted in respect of lawfulness of processing; specifying the criteria and conditions in relation to the consent of a child; processing of special categories of data; specifying the criteria and conditions for manifestly excessive requests and fees for exercising the rights of the data subject; criteria and requirements for the information to the data subject and in relation to the right of access; the right to be forgotten and to erasure; measures based on profiling; criteria and requirements in relation to the responsibility of the controller and to data protection by design and by default; a processor; criteria and requirements for the documentation and the security of processing; criteria and requirements for establishing a personal data breach and for its notification to the supervisory authority, and on the circumstances where a personal data breach is likely to adversely affect the data subject; the criteria and conditions for processing operations requiring a data protection impact assessment; the criteria and requirements for determining a high degree of specific risks which require prior consultation; designation and tasks of the data protection officer; codes of conduct; criteria and requirements for certification mechanisms; criteria and requirements for transfers by way of binding corporate rules; transfer derogations; administrative sanctions; processing for health purposes; processing in the employment context and processing for historical, statistical and scientific research purposes. 
It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level. The Commission, when preparing and drawing-up delegated acts, should ensure a simultaneous, timely and appropriate transmission of relevant documents to the European Parliament and Council.
Amendment 144 #
Proposal for a regulation
Recital 130
(130) In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission for: specifying standard forms in relation to the processing of personal data of a child; standard procedures and forms for exercising the rights of data subjects; standard forms for the information to the data subject; standard forms and procedures in relation to the right of access; the right to data portability; standard forms in relation to the responsibility of the controller to data protection by design and by default and in respect of the documentation; specific requirements for the security of processing; the standard format and the procedures for the notification of a personal data breach to the supervisory authority and the communication of a personal data breach to the data subject; standards and procedures for a data protection impact assessment; forms and procedures for prior authorisation and prior consultation; technical standards and mechanisms for certification; the adequate level of protection afforded by a third country or a territory or a processing sector within that third country or an international organisation; disclosures not authorized by Union law; mutual assistance; joint operations; decisions under the consistency mechanism. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by the Member States of the Commission's exercise of implementing powers46. In this context, the Commission should consider specific measures for micro, small and medium-sized enterprises.
Amendment 145 #
Proposal for a regulation
Recital 131
(131) The examination procedure should be used for the adoption of specifying standard forms in relation to the consent of a child; standard procedures and forms for exercising the rights of data subjects; standard forms for the information to the data subject; standard forms and procedures in relation to the right of access; the right to data portability; standard forms in relation to the responsibility of the controller to data protection by design and by default and in respect of the documentation; specific requirements for the security of processing; the standard format and the procedures for the notification of a personal data breach to the supervisory authority and the communication of a personal data breach to the data subject; standards and procedures for a data protection impact assessment; forms and procedures for prior authorisation and prior consultation; technical standards and mechanisms for certification; the adequate level of protection afforded by a third country or a territory or a processing sector within that third country or an international organisation; disclosures not authorized by Union law; mutual assistance; joint operations; decisions under the consistency mechanism, given that those acts are of general scope.
Amendment 151 #
Proposal for a regulation
Article 2 – paragraph 2 – point e a (new)
(e a) of natural person pursuing economic activity, which identify this person on the market;
Amendment 153 #
Proposal for a regulation
Article 2 – paragraph 2 – point e b (new)
(e b) of a natural person which are made public in the course of exercising professional duties such as name, contact details and function;
Amendment 154 #
Proposal for a regulation
Article 2 – paragraph 3
3. This Regulation shall be without prejudice to the application of Directive 2000/31/EC, in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that Directive, as well as to the specific provisions of Union law or law of Member States related to processing of data, especially with regard to legally protected interests, when they provide for a stricter protection than the provisions of this regulation;
Amendment 157 #
Proposal for a regulation
Article 3 – paragraph 2 – point a
(a) the directing of goods or services to such data subjects in the Union, irrespective of whether these are provided free of charge in relation to the data subject or not; or
Amendment 164 #
Proposal for a regulation
Article 4 – paragraph 1 – point 1
(1) ‘data subject’ means an identified natural person or a natural person who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person to whom data have been disclosed by the controller, in particular by reference to an identification number, location data, online identifier or other unique identifiers or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person;
Amendment 166 #
Proposal for a regulation
Article 4 – paragraph 1 – point 2 a (new)
(2 a) 'Anonymous data' means any data that has been collected, altered or otherwise processed in such a way that it can no longer be attributed to a data subject or that such attribution would require a disproportionate amount of time, cost and effort; anonymous data shall not be considered personal data.
Amendment 172 #
Proposal for a regulation
Article 4 – paragraph 1 – point 5
(5) ‘controller’ means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes, conditions and means of the processing of personal data; where the purposes, conditions and means of processing are determined by Union law or Member State law, the controller or the specific criteria for his nomination may be designated by Union law or by Member State law;
Amendment 176 #
Proposal for a regulation
Article 4 – paragraph 1 – point 8 a (new)
(8 a) 'profiling' means automated processing intended to evaluate certain personal aspects relating to this natural person or to analyse or predict in particular the natural person's performance at work, economic situation, location, health, personal preferences, reliability or behaviour;
Amendment 181 #
Proposal for a regulation
Article 4 – paragraph 1 – point 18
(18) ‘child’ means any person below the age of 13 years;
Amendment 187 #
Proposal for a regulation
Article 6 – paragraph 1 – point c
(c) processing is necessary for compliance with a legal obligation to which the controller is subject or for exercising the rights of the controller.;
Amendment 202 #
Proposal for a regulation
Article 6 – paragraph 5
Amendment 215 #
Proposal for a regulation
Article 7 – paragraph 4 a (new)
4a. The legislation of the Member State in which a person lacking the legal capacity to act resides shall apply when determining the conditions under which consent is given or authorised by that person.
Amendment 219 #
Proposal for a regulation
Article 8 – paragraph 1
1. For the purposes of this Regulation, in relation to the offering of goods or services directly to a child, the processing of personal data of a child below the age of 13 years shall only be lawful if and to the extent that consent is given or authorised by the child’s parent or legal representative. The controller shall make reasonable efforts to obtain verifiable consent, taking into consideration available technology.
Amendment 221 #
Proposal for a regulation
Article 8 – paragraph 3
Amendment 229 #
Proposal for a regulation
Article 9 – paragraph 2 – point e
(e) the processing relates to personal data which are manifestly made public by the data subject or which are freely transferred to the controller on the initiative of data subject and which are processed for the specific purpose determined by data subject and in his interest; or
Amendment 232 #
Proposal for a regulation
Article 9 – paragraph 3
Amendment 234 #
Proposal for a regulation
Article 11 – paragraph 2
2. The controller shall provide any information and any communication relating to the processing of personal data to the data subject in an intelligible form, using clear and plain language, adapted to the data subject, in particular for any information addressed specifically to a child.
Amendment 239 #
Proposal for a regulation
Article 12 – paragraph 4
4. The information and the actions taken on requests referred to in paragraph 1 shall be free of charge. Where requests are vexatious or manifestly excessive, in particular because of their repetitive character, the controller may charge a fee for providing the information or taking the action requested, or the controller may not take the action requested. In that case, the controller shall bear the burden of proving the manifestly excessive character of the request.
Amendment 243 #
Proposal for a regulation
Article 12 – paragraph 5
Amendment 244 #
Proposal for a regulation
Article 12 – paragraph 6
Amendment 247 #
Proposal for a regulation
Article 14 – paragraph 1 – introductory part
1. Where personal data relating to a data subject are collected, the controller shall provide the data subject with at least the following information:
Amendment 249 #
Proposal for a regulation
Article 14 – paragraph 1 – point c
c) the criteria for determining the period for which the personal data will be stored for each purpose;
Amendment 250 #
Proposal for a regulation
Article 14 – paragraph 1 – point g
g) where applicable, that the controller intends to transfer to a third country or international organisation and on the level of protection afforded by that third country or international organisation by referexistence or absence tof an adequacy decision by the Commission;
Amendment 251 #
Proposal for a regulation
Article 14 – paragraph 1 – point h
h) any further information which the controller considers necessary to guarantee fair processing in respect of the data subject, having regard to the specific circumstances in which the personal data are collected.
Amendment 257 #
Proposal for a regulation
Article 15 – paragraph 1 – point d
(d) the rules according to which the period for which data will be stored is determined;
Amendment 259 #
Proposal for a regulation
Article 15 – paragraph 2
2. The data subject shall have the right to obtain from the controller communication of the personal data undergoing processing. Where the data subject makes the request in electronic form, the information shall be provided in electronic form, if available in a structured and commonly used format, unless otherwise requested by the data subject. This is without prejudice to the right of the controller to determine other form of handling requests for information specified in point 1 if it is justified by the necessity of verifying the identity of subject requesting such information;
Amendment 261 #
Proposal for a regulation
Article 15 – paragraph 2
2. The data subject shall have the right to obtain from the controller communication of the personal data undergoing processing. Where the data subject makes the request in electronic form, the information shall be provided in electronic form, unless otherwise requested by the data subject. The controller shall use all reasonable measures to verify the identity of a data subject requesting access to data.
Amendment 273 #
Proposal for a regulation
Article 17 – paragraph 2
Amendment 278 #
Proposal for a regulation
Article 17 – paragraph 4 – point c
Amendment 279 #
Proposal for a regulation
Article 17 – paragraph 4 – point d
Amendment 280 #
Proposal for a regulation
Article 18
Amendment 288 #
Proposal for a regulation
Article 19 – paragraph 3
3. Where an objection is upheld pursuant to paragraphs 1 and 2, the controller shall no longer use or otherwise process the personal data concerned for the purposes determined in the objection.
Amendment 302 #
Proposal for a regulation
Article 20 – paragraph 2 – point b
(b) is expressly authorized by a Union or Member State law which also lays down suitable measures to safeguard the data subject's legitimate interests; or
Amendment 305 #
Proposal for a regulation
Article 20 – paragraph 2 – point c a (new)
(c a) is carried out for the purpose of monitoring and prevention of fraud
Amendment 307 #
Proposal for a regulation
Article 20 – paragraph 2 – point c b (new)
(c b) is carried out based on a well founded suspicion of committing a crime to the detriment of the controller, especially banks, financial and credit institutions and their clients
Amendment 308 #
Proposal for a regulation
Article 20 – paragraph 2 – point c c (new)
(c c) is carried out for the purpose of assessing credit worthiness, assuring safety and reliability of services provided by the controller
Amendment 316 #
Proposal for a regulation
Article 20 – paragraph 5
Amendment 321 #
Proposal for a regulation
Article 22 – title
Amendment 322 #
Proposal for a regulation
Article 22 – paragraph 4
Amendment 326 #
Proposal for a regulation
Article 23 – paragraph 2
2. The controller shall implement mechanisms for ensuring that, by default, only those personal data are collected for purposes which are defined, explicit and legitimate and only those personal data are processed which are necessary for each specific purpose of the processing and are especially not collected or retained beyond the minimum necessary for those purposes, both in terms of the amount of the data and the time of their storage. In particular, those mechanisms shall ensure that by default personal data are not made accessible to an indefinite number of individuals.
Amendment 329 #
Proposal for a regulation
Article 23 – paragraph 3
Amendment 331 #
Proposal for a regulation
Article 23 – paragraph 4
Amendment 337 #
Proposal for a regulation
Article 28 – paragraph 1
1. Each controller and processor and, if any, the controller's representative, shall maintain documentation of all processing systems and procedures under its responsibility.
Amendment 339 #
Proposal for a regulation
Article 28 – paragraph 2 – introductory part
2. The documentation shall contain at least the following information:
Amendment 348 #
Proposal for a regulation
Article 28 – paragraph 5
Amendment 349 #
Proposal for a regulation
Article 28 – paragraph 6
Amendment 350 #
Proposal for a regulation
Article 30 – paragraph 2
2. The controller and the processor shall, following an evaluation of the risks, take the measures referred to in paragraph 1 to protect personal data against accidental or unlawful destruction or accidental loss and to prevent any unlawful forms of processing, in particular any unauthorised disclosure, dissemination or access, or alteration of personal data breach.
Amendment 351 #
Proposal for a regulation
Article 30 – paragraph 3
Amendment 352 #
Proposal for a regulation
Article 30 – paragraph 3
Amendment 353 #
Proposal for a regulation
Article 30 – paragraph 4
Article 30 – paragraph 4
Amendment 354 #
Proposal for a regulation
Article 31 – paragraph 1
Article 31 – paragraph 1
1. In the case of a significant personal data breach, the controller shall without undue delay and, where feasible, not later than 24 hours after having become aware of it, notify the personal data breach to the supervisory authority. The notification to the supervisory authority shall be accompanied by a reasoned justificationnotify the personal data breach to the supervisory authority. Data breach shall be considered significant if int cases where it is not made within 24 hoursould adversely affect privacy of the data subject.
Amendment 358 #
Proposal for a regulation
Article 31 – paragraph 1
Article 31 – paragraph 1
1. In the case of a personal data breach which significantly affects the data subject, the controller shall, without undue delay and, where feasible, not later than 24 hours after having become aware of it, notify the personal data breach to the supervisory authority. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 24 hours.
Amendment 360 #
Proposal for a regulation
Recital 12
Recital 12
(12) The protection afforded by this Regulation concerns natural persons, whatever their nationality or place of residence, in relation to the processing of personal data, except for those pursuing economic activity, which identifies them on the market. With regard to the processing of data which concern legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person, the protection of this Regulation should not be claimed by any person. This should also apply where the name of the legal person contains the names of one or more natural persons.
Amendment 361 #
Proposal for a regulation
Article 31 – paragraph 3 – introductory part
Article 31 – paragraph 3 – introductory part
3. The notification referred to in paragraph 1 must if possible:
Amendment 362 #
Proposal for a regulation
Article 31 – paragraph 5
Article 31 – paragraph 5
Amendment 363 #
Proposal for a regulation
Article 31 – paragraph 6
Article 31 – paragraph 6
Amendment 366 #
Proposal for a regulation
Article 32 – paragraph 1
Article 32 – paragraph 1
1. When the personal data breach is likely to adversely affect the protection of the personal data or privacy of the data subject, the controller shall, after the notification referred to in Article 31, communicate the personal data breach to the data subject without undue delay.
Amendment 372 #
Proposal for a regulation
Article 32 – paragraph 5
Article 32 – paragraph 5
Amendment 373 #
Proposal for a regulation
Article 32 – paragraph 6
Article 32 – paragraph 6
Amendment 383 #
Proposal for a regulation
Article 33 – paragraph 6
Article 33 – paragraph 6
Amendment 384 #
Proposal for a regulation
Article 33 – paragraph 7
Article 33 – paragraph 7
Amendment 385 #
Proposal for a regulation
Article 34 – paragraph 8
Article 34 – paragraph 8
Amendment 386 #
Proposal for a regulation
Article 34 – paragraph 9
Article 34 – paragraph 9
Amendment 392 #
Proposal for a regulation
Article 35 – paragraph 7
Article 35 – paragraph 7
Amendment 395 #
Proposal for a regulation
Article 35 – paragraph 10
Article 35 – paragraph 10
10. Data subjects shall have the right to contact the data protection officer on all issues related to the processing of the data subject's data and to request exercising the rights under this Regulation.
Amendment 396 #
Proposal for a regulation
Article 35 – paragraph 11
Article 35 – paragraph 11
Amendment 401 #
Proposal for a regulation
Article 44 – paragraph 7
Article 44 – paragraph 7
Amendment 403 #
Proposal for a regulation
Article 51 – paragraph 2
Article 51 – paragraph 2
2. In the context of the activities of an establishment of a controller or a processor in the Union, and the controller or processor is established in more than one Member State, the supervisory authority of the Member State where the main establishment of the controller or processor is situated shall be competent for the supervision of the processing activities of the controller or the processor in all Member States. This supervisory authority shall be obliged to cooperate with the other supervisory authorities and with the Commission, pursuant to the provisions of Chapter VII of this Regulation.
Amendment 405 #
Proposal for a regulation
Article 59 – paragraph 4
Article 59 – paragraph 4
4. Where the supervisory authority concerned intends not to follow the opinion of the Commission, it shall inform the Commission and the European Data Protection Board thereof within the period referred to in paragraph 1 and provide a justification. In this case the draft measure shall not be adopted for one further month.
Amendment 406 #
Proposal for a regulation
Article 62 – paragraph 2
Article 62 – paragraph 2
Amendment 410 #
Proposal for a regulation
Recital 25
Recital 25
(25) Consent should be given freely and without pressure from the controller and explicitly by any appropriate method enabling a freely given specific andn informed indication of the data subject’s wishes, either by a statement or by a clear affirmative action by the data subject, ensuring that individuals are aware that they give their consent to the processing of personal data, including by ticking a box when visiting an Internet website or by any other statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of their personal data. Silence or inactivity should therefore not constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. If the data subject’s consent is to be given following an electronic request, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
Amendment 412 #
Proposal for a regulation
Article 76 – paragraph 1
Article 76 – paragraph 1
Amendment 418 #
Proposal for a regulation
Article 79 – paragraph 1
Article 79 – paragraph 1
1. Each supervisory authority, competent in accordance with Article 51 shall be empowered to impose administrative sanctions in accordance with this Article.
Amendment 419 #
Proposal for a regulation
Article 79 – paragraph 2
Article 79 – paragraph 2
2. The administrative sanction shall be in each individual case effective, proportionate and dissuasive. The amount of the administrative fine shall be fixed with due regard to the nature, gravity and duration of the breach, the intentional or negligent character of the infringement, the particular categories of personal data, the degree of responsibility of the natural or legal person and of previous breaches by this person, the technical and organisational measures and procedures implemented pursuant to Article 23 and the degree of co-operation with the supervisory authority in order to remedy the breach.
Amendment 425 #
Proposal for a regulation
Article 79 – paragraph 3 – point a
Article 79 – paragraph 3 – point a
Amendment 427 #
Proposal for a regulation
Article 79 – paragraph 3 – point b
Article 79 – paragraph 3 – point b
Amendment 430 #
Proposal for a regulation
Article 79 – paragraph 4 – introductory part
Article 79 – paragraph 4 – introductory part
4. The supervisory authority may impose a fine up to 250 000 EUR, or in case of an enterprise up to 0,5 % of its annual worldwide turnover, to anyone who, intentionally or negligently:
Amendment 433 #
Proposal for a regulation
Article 79 – paragraph 5 – introductory part
Article 79 – paragraph 5 – introductory part
5. The supervisory authority may impose a fine up to 500 000 EUR, or in case of an enterprise up to 1 % of its annual worldwide turnover, to anyone who, intentionally or negligently:
Amendment 436 #
Proposal for a regulation
Article 79 – paragraph 6 – introductory part
Article 79 – paragraph 6 – introductory part
6. The supervisory authority may impose a fine up to 1 000 000 EUR or, in case of an enterprise up to 2 % of its annual worldwide turnover, to anyone who, intentionally or negligently:
Amendment 438 #
Proposal for a regulation
Article 79 – paragraph 7
Article 79 – paragraph 7
Amendment 447 #
Proposal for a regulation
Article 86 – paragraph 2
Article 86 – paragraph 2
2. The power to adopt delegated acts referred to in Article 6(5), Article 8(3), Article 9(3), Article 12(5), Article 14(7), Article 15(3), Article 17(9), Article 20(6), Article 22(4), Article 23(3), Article 26(5), Article 28(5), Article 30(3), Article 31(5), Article 32(5), Article 33(6), Article 34(8), Article 35(11), Article 37(2), Article 39(2), Article 43(3), Article 44(7), Article 79(6), Article 81(3), Article 82(3) and Article 83(3) shall be conferred on the Commission for an indeterminate period of time from the date of entry into force of this Regulation.
Amendment 447 #
Proposal for a regulation
Recital 34
Recital 34
(34) Consent should be expressed freely and without pressure from the controller. Consent cannot be deemed as freely given when due to a clear lack of balance between the data subject and the controller, a refusal to give consent could result in adverse financial or legal consequences for the data subject. This is especially the case where the data subject is in a situation of dependence from the controller, among others, where personal data are processed by the employer of employees’ personal data in the employment context. Where the controller is a public authority, there would be an imbalance only in the specific data processing operations where the public authority can impose an obligation by virtue of its relevant public powers and the consent cannot be deemed as freely given, taking into account the interest of the data subject.
Amendment 449 #
Proposal for a regulation
Article 86 – paragraph 2
Article 86 – paragraph 2
2. The delegation of power referred to in Article 6(5), Article 8(3), Article 9(3), Article 12(5), Article 14(7), Article 15(3), Article 17(9), Article 20(6), Article 22(4), Article 23(3), Article 26(5), Article 28(5), Article 30(3), Article 31(5), Article 32(5), Article 33(6), Article 34(8), Article 35(11), Article 37(2), Article 39(2), Article 43(3), Article 44(7), Article 79(6), Article 81(3), Article 82(3) and Article 83(3) shall be conferred on the Commission for an indeterminate period of time from the date of entry into force of this Regulation.
Amendment 450 #
Proposal for a regulation
Article 86 – paragraph 3
Article 86 – paragraph 3
3. The delegation of power referred to in Article 6(5), Article 8(3), Article 9(3), Article 12(5), Article 14(7), Article 15(3), Article 17(9), Article 20(6), Article 22(4), Article 23(3), Article 26(5), Article 28(5), Article 30(3), Article 31(5), Article 32(5), Article 33(6), Article 34(8), Article 35(11), Article 37(2), Article 39(2), Article 43(3), Article 44(7), Article 79(6), Article 81(3), Article 82(3) and Article 83(3) may be revoked at any time by the European Parliament or by the Council. A decision of revocation shall put an end to the delegation of power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.
Amendment 452 #
Proposal for a regulation
Article 86 – paragraph 3
Article 86 – paragraph 3
3. The delegation of power referred to in Article 6(5), Article 8(3), Article 9(3), Article 12(5), Article 14(7), Article 15(3), Article 17(9), Article 20(6), Article 22(4), Article 23(3), Article 26(5), Article 28(5), Article 30(3), Article 31(5), Article 32(5), Article 33(6), Article 34(8), Article 35(11), Article 37(2), Article 39(2), Article 43(3), Article 44(7), Article 79(6), Article 81(3), Article 82(3) and Article 83(3) may be revoked at any time by the European Parliament or by the Council. A decision of revocation shall put an end to the delegation of power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.
Amendment 453 #
Proposal for a regulation
Article 86 – paragraph 5
Article 86 – paragraph 5
5. A delegated act adopted pursuant to Article 6(5), Article 8(3), Article 9(3), Article 12(5), Article 14(7), Article 15(3), Article 17(9), Article 20(6), Article 22(4), Article 23(3), Article 26(5), Article 28(5), Article 30(3), Article 31(5), Article 32(5), Article 33(6), Article 34(8), Article 35(11), Article 37(2), Article 39(2), Article 43(3), Article 44(7), Article 79(6), Article 81(3), Article 82(3) and Article 83(3) shall enter into force only if no objection has been expressed either by the European Parliament or the Council within a period of two months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by two months at the initiative of the European Parliament or the Council.
Amendment 454 #
Proposal for a regulation
Recital 38
Recital 38
(38) The legitimate interests of a controller may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding. This would need careful assessment in particular where the data subject is a child, given that children deserve specific protection. The data subject should have the right to object the processing, on grounds relating to their particular situation and free of charge. A legitimate interest pursued by a controller may include in particular direct marketing of controller's goods and services and enforcement of the controller’s claims. When data subject withdraws his or her consent, the controller should be also allowed to refuse further provision of services if the processing is necessary because of the nature of the service or the functioning of the filling system. To ensure transparency, the controller should be obliged to explicitly inform the data subject on the legitimate interests pursued and on the right to object, and also be obliged to document these legitimate interests. Given that it is for the legislator to provide by law the legal basis for public authorities to process data, this legal ground should not apply for the processing by public authorities in the performance of their tasks.
Amendment 455 #
Proposal for a regulation
Article 86 – paragraph 5
Article 86 – paragraph 5
5. A delegated act adopted pursuant to Article 6(5), Article 8(3), Article 9(3), Article 12(5), Article 14(7), Article 15(3), Article 17(9), Article 20(6), Article 22(4), Article 23(3), Article 26(5), Article 28(5), Article 30(3), Article 31(5), Article 32(5), Article 33(6), Article 34(8), Article 35(11), Article 37(2), Article 39(2), Article 43(3), Article 44(7), Article 79(6), Article 81(3), Article 82(3) and Article 83(3) shall enter into force only if no objection has been expressed either by the European Parliament or the Council within a period of two months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by two months at the initiative of the European Parliament or the Council.
Amendment 479 #
Proposal for a regulation
Recital 48
Recital 48
(48) The principles of fair and transparent processing require that the data subject should be informed in particular of the existence of the processing operation and its purposes, how long the data will be stored, and if not possible the criteria used to determine the data storage period, on the existence of the right of access, rectification or erasure and on the right to lodge a complaint. Where the data are collected from the data subject, the data subject should also be informed whether they are obliged to provide the data and of the consequences, in cases they do not provide such data.
Amendment 485 #
Proposal for a regulation
Recital 51
Recital 51
(51) Any person should have the right of access to data which has been collected concerning them, and to exercise this right easily, in order to be aware and verify the lawfulness of the processing. Every data subject should therefore have the right to know and obtain communication in particular for what purposes the data are processed, for what period, and if not possible the criteria used to determine the data storage period, which recipients receive the data, what is the logic of the data that are undergoing the processing and what might be, at least when based on profiling, the consequences of such processing. This right should not adversely affect the rights and freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software. However, the result of these considerations should not be that all information is refused to the data subject.
Amendment 692 #
Proposal for a regulation
Article 2 – paragraph 2 – point e a (new)
Article 2 – paragraph 2 – point e a (new)
(ea) natural person pursuing economic activity, which identifies this person on the market;
Amendment 693 #
Proposal for a regulation
Article 2 – paragraph 2 – point e b (new)
Article 2 – paragraph 2 – point e b (new)
(eb) of a natural person which data are made public in the course of exercising professional duties such as name, contact details and function;
Amendment 697 #
Proposal for a regulation
Article 2 – paragraph 3 a (new)
Article 2 – paragraph 3 a (new)
3a. If the separate provisions of the European Union or the Member States law provide for more advanced protection of personal data than provided by this Regulation, these provisions shall be implemented complementarily. This applies in particular to the secrecy protected by law, e.g. bank secrecy.
Amendment 698 #
Proposal for a regulation
Article 2 – paragraph 3 b (new)
Article 2 – paragraph 3 b (new)
3b. The information disclosed in accordance with the law in national registers of economic entities is not protected under this Regulation to the extent that it identifies entities on the market.
Amendment 771 #
Proposal for a regulation
Article 4 – paragraph 1 – point 9
Article 4 – paragraph 1 – point 9
(9) ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
Amendment 788 #
Proposal for a regulation
Article 4 – paragraph 1 – point 13
Article 4 – paragraph 1 – point 13
(13) ‘main establishment’ means as regards the controller, the place of its establishment in the Union where the main decisions as to the purposes, conditions and means of the processing of personal data are taken. In case of a group of undertakings, it is the place of establishment of the company with the dominant position over rest of the group as regards data protection policy. If no decisions as to the purposes, conditions and means of the processing of personal data are taken in the Union, the main establishment is the place where the main processing activities in the context of the activities of an establishment of a controller in the Union take place. As regards the processor, the same rules apply. The competent authority shall be informed by the controller and processor of the designation of a ‘main establishment’;
Amendment 861 #
Proposal for a regulation
Article 6 – paragraph 1 – point c
Article 6 – paragraph 1 – point c
(c) processing is necessary for exercise of the right or compliance with a legal obligation to which the controller is subject;
Amendment 877 #
Proposal for a regulation
Article 6 – paragraph 1 – point f
Article 6 – paragraph 1 – point f
(f) without prejudice to the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child, processing is necessary for the purposes of the legitimate interests pursued by a controller, in particular: - direct marketing for its own and similar products and services, - the enforcement of the claims of the controller or of a third party on behalf of which the controller is acting in relation to the data subject, or for preventing or limiting damage by the data subject to the controller. This shall not apply to processing carried out by public authorities in the performance of their tasks.
Amendment 893 #
Proposal for a regulation
Article 6 – paragraph 1 – point f a (new)
Article 6 – paragraph 1 – point f a (new)
(fa) processing is necessary in the employment context, in particular for the purposes of the recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organization of work, health and safety at work, and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship, as well as for the purpose of entering, updating, improving, and modifying employees' data processing systems, including technical security systems designed to protect employees' data against unauthorized access by third parties, including transformation, viruses and malware;
Amendment 982 #
Proposal for a regulation
Article 7 – paragraph 3 a (new)
Article 7 – paragraph 3 a (new)
3a. In the event that the data subject withdraws consent, the controller may refuse to provide further services if the processing of the data is vital for the provision of the service or ensuring the appropriate level of services.
Amendment 993 #
Proposal for a regulation
Article 7 – paragraph 4
Article 7 – paragraph 4
4. Consent shall not provide a legal basis for the processing if, due to a significant imbalance between the controller and the data subject, it has not been given freely, in accordance with Article 4(8).
Amendment 1011 #
Proposal for a regulation
Article 8 – paragraph 1
Article 8 – paragraph 1
1. For the purposes of this Regulation, in relation to the offering of information society services directly to a child, the processing of personal data of a child below the age of 13 years shall only be lawful if and to the extent that consent is given or authorised by the child's parent or custodian. The controller shall make reasonable efforts to obtain verifiable consent, taking into consideration available technology.
Amendment 1052 #
Proposal for a regulation
Article 9 – paragraph 2 – point b
Article 9 – paragraph 2 – point b
(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller in the field of employment law in so far as it is authorised by Union law or Member State law providing for adequate safeguards ensuring the fundamental rights of the data subject such as right to non-discrimination; or
Amendment 1066 #
Proposal for a regulation
Article 9 – paragraph 2 – point g
Article 9 – paragraph 2 – point g
(g) processing is necessary for the performance of a task carried out in the public interest, on the basis of Union law, or Member State law which shall provide for suitable measures to safeguard the data subject's legitimate interests and fundamental rights; or
Amendment 1141 #
Proposal for a regulation
Article 12 – paragraph 4
Article 12 – paragraph 4
4. The information and the actions taken on requests referred to in paragraph 1 shall be free of charge. Where requests are manifestly excessive, in particular if the request of the same character repeats more than once per 6 months, the controller may charge an administrative fee for providing the information or taking the action requested, or the controller may not take the action requested. In that case, the controller shall bear the burden of proving the repetitiveness of the request.
Amendment 1166 #
Proposal for a regulation
Article 13 – paragraph 1
Article 13 – paragraph 1
The controller shall communicate any rectification or erasure carried out in accordance with Articles 16 and 17 to each recipient with whom he stays in contractual relationship and to whom the data have been disclosed, unless this proves impossible or involves a disproportionate effort.
Amendment 1196 #
Proposal for a regulation
Article 14 – paragraph 1 – point c
Article 14 – paragraph 1 – point c
(c) the period for which the personal data will be stored and if not possible the criteria used to determine this period;
Amendment 1332 #
Proposal for a regulation
Article 15 – paragraph 2
Article 15 – paragraph 2
2. The data subject shall have the right to obtain from the controller communication of the personal data undergoing processing. Where the data subject makes the request in electronic form, the information shall be provided in electronic form, unless otherwise requested by the data subject. This is without prejudice to the right of the controller to determine other form of handling requests for information specified in point 1 if it is justified by the necessity of verifying the identity of subject requesting such information.
Amendment 1342 #
Proposal for a regulation
Article 15 – paragraph 2 a (new)
Article 15 – paragraph 2 a (new)
2a. The data subject shall have the right, where personal data are processed by electronic means, to obtain from the controller a copy of data undergoing processing in an electronic and structured format which allows for further use.
Amendment 1412 #
Proposal for a regulation
Article 17 – paragraph 2
Article 17 – paragraph 2
Amendment 1491 #
Proposal for a regulation
Article 18
Article 18
Amendment 1548 #
Proposal for a regulation
Article 20 – paragraph 1
Article 20 – paragraph 1
1. Every natural person, both off-line and online, shall have the right not to be subject to a measure which produces legal effects concerning this natural person or significantly affects this natural person, and which is based solely on automated processing intended to evaluate certain personal aspects relating to this natural person or to analyse or predict in particular the natural person's performance at work, economic situation, location, health, personal preferences, reliability or behaviour.
Amendment 1564 #
Proposal for a regulation
Article 20 – paragraph 2 – point a
Article 20 – paragraph 2 – point a
(a) is carried out in the course of the entering into, or performance of, a contract, where the request for the entering into or the performance of the contract, lodged by the data subject, has been examined or where suitable measures to safeguard the data subject's legitimate interests have been adduced, including the right to obtain the information on the profiling criteria and the right to obtain human intervention; or
Amendment 1573 #
Proposal for a regulation
Article 20 – paragraph 2 – point b
Article 20 – paragraph 2 – point b
(b) is expressly authorized by a Union or Member State law which also lays down suitable measures to safeguard the data subject's legitimate interests and fundamental rights, including the right to non-discrimination; or
Amendment 1609 #
Proposal for a regulation
Article 20 – paragraph 4
Article 20 – paragraph 4
4. In the cases referred to in paragraph 2, the information to be provided by the controller under Articles 14 and 15 shall include information as to the existence of processing for a measure of the kind referred to in paragraph 1, including the criteria for the processing in question and the envisaged effects of such processing on the data subject.
Amendment 1759 #
Proposal for a regulation
Article 25 – paragraph 2 – point b
Article 25 – paragraph 2 – point b
(b) an enterprise employing fewer than 250 persons, unless its core activities, regardless the number of the employees, consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects; or
Amendment 2230 #
Proposal for a regulation
Article 35 – paragraph 7
Article 35 – paragraph 7
7. The controller or the processor shall designate a data protection officer for a period of at least two years. The data protection officer may be reappointed for further terms. During their term of office, the data protection officer may only be dismissed, if the data protection officer no longer fulfils the conditions required for the performance of their duties.