BETA

30 Amendments of Birgit SIPPEL related to 2013/0256(COD)

Amendment 205 #
Proposal for a regulation
Recital 20
(20) Whilst the processing of personal data at Eurojust fallFollowing the adoption in April 2016 of Regulation (EU) 2016/679 ('the General Data Protection Regulation') and Directive (EU) 2016/680 ('the Police Directive), the Commission has proposed a Regulation on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies uander on the scope offree movement of such data (COM (2017)8 final) which will repeal current Regulation (EC) 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data13 , t. The processing of personal data by the Member State's authoritiesat Eurojust and the transfer of such data toby Eurojust arshould fall under the scovered by the Council of Europe Convention 108 [to be replaced by the relevant Directive in force pe of the revised Regulation repealing Regulation (EC) 45/2001. The processing of personal data by the Member State's authorities and the transfer of such data the moment of adoption]. o Eurojust are covered by the 'Police Directive'. _________________ 13 OJ L 8, 12.1.2001, p. 1
2017/09/05
Committee: LIBE
Amendment 206 #
Proposal for a regulation
Recital 21
(21) When Eurojust transfers personal data to an authority of a third country or to an international organisation or Interpol by virtue of an international agreement concluded pursuant to Article 218 of the Treaty the adequate safeguards adduced with respect to the protection of privacy and fundamental rights and freedoms of individuals have to ensure that the data protection provisions of this Regulation are complied with.deleted
2017/09/05
Committee: LIBE
Amendment 211 #
Proposal for a regulation
Recital 25 a (new)
(25a) Specifically as regards the European Public Prosecutor’s Office (‘EPPO’), Eurojust should retain a residual competence for offences laid down in the PIF Directive, where the EPPO is not competent; where the EPPO is competent but does not exercise its competence; where Member States which are not participating in the EPPO seek support from Eurojust, and where the EPPO itself seeks the support of Eurojust. In addition, an ongoing competence for Eurojust in respect of offences for which the EPPO will ultimately be competent should be ensured, until such time as the EPPO is set up and has assumed the tasks conferred on it in Regulation [implementing enhanced cooperation on the establishment of the European Public Prosecutor’s Office].
2017/09/05
Committee: LIBE
Amendment 227 #
Proposal for a regulation
Article 3 – paragraph 1
1. Eurojust’s competence shall cover the forms of crime listed in Annex 1. However, its competence shall not include the crimes for which the European Public Prosecutor's Office is competenUntil the date when the European Public Prosecutor’s Office (‘EPPO’) has assumed its investigative and prosecutorial tasks conferred on it in accordance with Article 75 of Regulation implementing enhanced cooperation on the establishment of the European Public Prosecutor’s Office, Eurojust’s competence shall cover the criminal offences listed in Annex 1. However, from the date the EPPO assumes its tasks, Eurojust shall only be competent in cases where the EPPO is competent but does not exercise its competence; where Member States which are not participating the EPPO seek support from Eurojust, and where the EPPO itself seeks the support of Eurojust.
2017/09/05
Committee: LIBE
Amendment 230 #
Proposal for a regulation
Article 3 – paragraph 1 a (new)
1 a. Eurojust shall remain competent: (a) for offences laid down in Directive EU/2017/1371 of the European Parliament and of the Council of 5 July 2017 on the Fight against Fraud to the Union’s Financial Interests by means of Criminal Law (‘the PIF Directive’), insofar as the EPPO is not competent or does not exercise its competence; (b) in cases regarding offences laid down in the PIF Directive, for requests from Member States which are not participating in the EPPO; (c) in cases involving both participating Member States and Member States which are not participating in the EPPO, for requests from those Member States which are not participating in the EPPO and for requests from the EPPO itself.
2017/09/05
Committee: LIBE
Amendment 320 #
Proposal for a regulation
Chapter 4 – title
PROCESSING OF INFORMATIONDATA PROTECTION SAFEGUARDS
2017/09/05
Committee: LIBE
Amendment 322 #
Proposal for a regulation
Article 27
[...]deleted
2017/09/05
Committee: LIBE
Amendment 330 #
Proposal for a regulation
Article 27 a (new)
Article 27 a General data protection principles 1. Personal data shall be: (a) processed fairly and lawfully ('lawfulness and fairness'); (b) collected for specified, explicit and legitimate purposes, and not further processed in a manner incompatible with those purposes. Further processing of personal data for historical, statistical or scientific research purposes shall not be considered incompatible provided that Eurojust provides appropriate safeguards, in particular to ensure that data are not processed for any other purposes ('purpose limitation'); (c) adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed ('data minimisation'); (d) accurate and kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay ('accuracy'); (e) kept in a form which permits identification of data subjects for no longer than necessary for the purposes for which the personal data are processed ('storage limitation'); and (f) processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality'); 2. Eurojust shall be responsible for, and be able to demonstrate compliance with paragraph 1 ('accountability') when processing personal data wholly or partly by automated means and when processing other than by automated means personal data which form part of a filing system or are intended to form part of a filing System. 3. Eurojust shall make publicly available a document setting out in an intelligible form the provisions regarding the processing of personal data and the means available for the exercise of the rights of data subjects.
2017/09/05
Committee: LIBE
Amendment 332 #
Proposal for a regulation
Article 27 b (new)
Article 27 b Processing of Administrative personal data 1. Regulation (EC) No 45/2001 applies to all administrative personal data held by Eurojust. 2. Eurojust shall determine the retention periods for administrative personal data in the data protection provisions of its rules of procedure.
2017/09/05
Committee: LIBE
Amendment 333 #
Proposal for a regulation
Article 28
[...]deleted
2017/09/05
Committee: LIBE
Amendment 338 #
Proposal for a regulation
Article 28 a (new)
Article 28 a Lawfulness of processing Processing shall be lawful only if and to the extent that processing is necessary for the performance of a task carried out by Eurojust and that it is based on Union law.
2017/09/05
Committee: LIBE
Amendment 339 #
Proposal for a regulation
Article 28 b (new)
Article 28 b Distinction between different categories of data subjects Eurojust shall, where applicable and as far as possible, make a clear distinction between personal data of different categories of data subjects, such as: (a) persons with regard to whom there are serious grounds for believing that they have committed or are about to commit a criminal offence; (b) persons convicted of a criminal offence; (c) victims of a criminal offence or persons with regard to whom certain facts give rise to reasons for believing that they could be the victim of a criminal offence; and (d) other parties to a criminal offence, such as persons who might be called on to testify in investigations in connection with criminal offences or subsequent criminal proceedings, persons who can provide information on criminal offences, or contacts or associates of one of the persons referred to in points (a) and (b).
2017/09/05
Committee: LIBE
Amendment 340 #
Proposal for a regulation
Article 28 c (new)
Article 28 c Distinction between personal data and verification of quality of personal data 1. Eurojust shall distinguish, as far as possible, personal data based on facts from personal data based on personal assessments. 2. Eurojust shall process personal data in such a way that it can be established which authority provided the data or where the data has been retrieved from. 3. Eurojust shall take all reasonable steps to ensure that personal data which are inaccurate, incomplete or no longer up to date are not transmitted or made available. To that end, Eurojust shall, as far as practicable, verify the quality of personal data before they are transmitted or made available. As far as possible, in all transmissions of personal data, it shall add necessary information enabling the recipient to assess the degree of accuracy, completeness and reliability of personal data, and the extent to which they are up to date shall be added. 4. If it emerges that incorrect personal data have been transmitted or personal data have been unlawfully transmitted, the recipient shall be notified without delay. In such a case, the personal data shall be rectified or erased or processing shall be restricted.
2017/09/05
Committee: LIBE
Amendment 341 #
Proposal for a regulation
Article 28 d (new)
Article 28 d Specific processing conditions 1. When Eurojust provides for specific conditions for processing, it shall inform the recipient of such personal data of those conditions and the requirement to comply with them. 2. Eurojust shall comply with specific processing conditions for processing provided by a national authority in accordance with Article 9 (3) and (4) of Directive (EU) 2016/680.
2017/09/05
Committee: LIBE
Amendment 342 #
Proposal for a regulation
Article 28 e (new)
Article 28 e Transmission of personal data to other Union institutions and bodies 1. Eurojust shall only transmit personal data to other Union institutions and bodies if the data are necessary for the legitimate performance of tasks covered by the competence of other Union institutions and bodies. 2. Where personal data are transmitted following a request from the other Union institution or body, both the controller and the recipient shall bear the responsibility for the legitimacy of this transfer. 3. Eurojust shall be required to verify the competence of the other Union institution or body and to make a provisional evaluation of the necessity for the transmission. If doubts arise as to this necessity, Eurojust shall seek further information from the recipient. 4. Other Union institutions and bodies shall ensure that the necessity for the transmission can be subsequently verified. 5. Other Union institutions and bodies shall process the personal data only for the purposes for which they were transmitted.
2017/09/05
Committee: LIBE
Amendment 343 #
Proposal for a regulation
Article 28 f (new)
Article 28 f Processing of special categories of personal data 1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, personal data concerning health or personal data concerning a natural person's sex life or sexual orientation shall be allowed only where strictly necessary for the performance of tasks of Eurojust, subject to appropriate safeguards for the rights and freedoms of the data subject and only if they supplement other operational personal data already processed by Eurojust. 2. The data protection officer shall be informed immediately of recourse to this Article.
2017/09/05
Committee: LIBE
Amendment 344 #
Proposal for a regulation
Article 28 g (new)
Article 28 g Automated individual decision-making, including profiling The data subject shall have the right not to be subject to a decision of Eurojust based solely on automated processing, including profiling, which produces legal effects concerning him/her or similarly significantly affects him/her.
2017/09/05
Committee: LIBE
Amendment 345 #
Proposal for a regulation
Article 28 h (new)
Article 28 h Information to be made available or given to the data subject 1. Eurojust shall make available to the data subject at least the following information: (a) the identity and the contact details of the Union agency or mission; (b) the contact details of the data protection officer; (c) the purposes of the processing for which the personal data are intended; (d) the right to lodge a complaint with the European Data Protection Supervisor and its contact details; (e) the existence of the right to request from Eurojust access to and rectification or erasure of personal data and restriction of processing of the personal data concerning the data subject. 2. In addition to the information referred to in paragraph 1, Eurojust shall give to the data subject, in specific cases, the following further information to enable the exercise of his or her rights: (a) the legal basis for the processing; (b) the period for which the personal data will be stored, or, where that is not possible, the criteria used to determine that period; (c) where applicable, the categories of recipients of the personal data, including in third countries or international organisations; (d) where necessary, further information, in particular where the personal data are collected without the knowledge of the data subject. 3. Eurojust may delay, restrict or omit the provision of the information to the data subject pursuant to paragraph 2 to the extent that, and for as long as, such a measure is provided for by a legal act adopted on the basis of the Treaties [or by an internal rule of Eurojust] and constitutes a necessary and proportionate measure in a democratic society with due regard for the fundamental rights and the legitimate interests of the natural person concerned, in order to: (a) avoid obstructing official or legal inquiries, investigations or procedures; (b) avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties; (c) protect public security of the Member States; (d) protect national security of the Member States; (e) protect the objectives of the common foreign and security policy of the Union; (f) protect the rights and freedoms of others.
2017/09/05
Committee: LIBE
Amendment 346 #
Proposal for a regulation
Article 28 i (new)
Article 28 i Right of access by the data subject The data subject shall have the right to obtain from Eurojust confirmation as to whether or not personal data concerning that subject are being processed, and, where that is the case, access to the personal data and the following information: (a) the purposes of and legal basis for the processing; (b) the categories of personal data concerned; (c) the recipients or categories of recipients to whom the personal data have been disclosed, in particular recipients in third countries or international organisations; (d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; (e) the existence of the right to request from Eurojust rectification or erasure of personal data or restriction of processing of personal data concerning the data subject; (f) the right to lodge a complaint with the European Data Protection Supervisor and his or her contact details; communication of the personal data undergoing processing and of any available information as to their origin.
2017/09/05
Committee: LIBE
Amendment 347 #
Proposal for a regulation
Article 28 j (new)
Article 28 j Limitations to the right of access 1. Eurojust may restrict, wholly or partly, the data subject’s right of access to the extent that, and for as long as, such a partial or complete restriction is provided for by a legal act adopted on the basis of the Treaties [or by an internal rule of Eurojust] and constitutes a necessary and proportionate measure in a democratic society with due regard for the fundamental rights and legitimate interests of the natural person concerned, in order to: (a) avoid obstructing official or legal inquiries, investigations or procedures; (b) avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties; (c) protect public security of the Member States; (d) protect national security of the Member States; (e) protect the objectives of the common foreign and security policy of the Union; (f) protect the rights and freedoms of others. 2. In the cases referred to in paragraph 1, Eurojust shall inform the data subject, without undue delay, in writing of any refusal or restriction of access and of the reasons for the refusal or the restriction. Such information may be omitted where the provision thereof would undermine a purpose under paragraph 1. Eurojust shall inform the data subject of the possibility of lodging a complaint with the European Data Protection Supervisor or seeking a judicial remedy in the Court of Justice of the European Union. 3. Eurojust shall document the factual or legal reasons on which the decision is based. That information shall be made available to the European Data Protection Supervisor on request.
2017/09/05
Committee: LIBE
Amendment 348 #
Proposal for a regulation
Article 28 k (new)
Article 28 k Right to rectification or erasure of personal data and restriction of processing 1. The data subject shall have the right to obtain from Eurojust without undue delay the rectification of inaccurate personal data relating to that subject. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement. 2. Eurojust shall erase personal data without undue delay and the data subject shall have the right to obtain from it the erasure of personal data concerning that subject without undue delay where processing infringes Articles 27a, 28a or 28d, or where personal data must be erased in order to comply with a legal obligation to which it is subject. 3. Instead of erasure, Eurojust shall restrict processing where: (a) the accuracy of the personal data is contested by the data subject and their accuracy or inaccuracy cannot be ascertained; or (b) the personal data must be maintained for the purposes of evidence. Where processing is restricted pursuant to point (a) of the first subparagraph, Eurojust shall inform the data subject before lifting the restriction of processing. 4. Eurojust shall inform the data subject in writing of any refusal of rectification or erasure of personal data or restrict processing and of the reasons for the refusal. Eurojust may restrict, wholly or partly, the obligation to provide such information to the extent that such a restriction constitutes a necessary and proportionate measure in a democratic society with due regard for the fundamental rights and legitimate interests of the natural person concerned in order to: (a) avoid obstructing official or legal inquiries, investigations or procedures; (b) avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties; (c) protect public security of the Member States; (d) protect national security of the Member States; (e) protect the objectives of the common foreign and security policy of the Union; (f) protect the rights and freedoms of others. 5. Eurojust shall inform the data subject of the possibility of lodging a complaint with the European Data Protection Supervisor or seeking a judicial remedy from the Court of Justice of the European Union. 6. Eurojust shall communicate the rectification of inaccurate personal data to the competent authority from which the inaccurate personal data originate. 7. Eurojust shall, where personal data has been rectified or erased or processing has been restricted pursuant to paragraphs 1, 2 and 3, notify the recipients and inform them that they have to rectify or erase the personal data or restrict processing of the personal data under their responsibility.
2017/09/05
Committee: LIBE
Amendment 349 #
Proposal for a regulation
Article 28 l (new)
Article 28 l Exercise of rights by the data subject and verification by the European Data Protection Supervisor 1. In the cases referred to in Articles 28h(3), 28i and 28k(4), the rights of the data subject may also be exercised through the European Data Protection Supervisor. 2. Eurojust shall inform the data subject of the possibility of exercising his or her rights through the European Data Protection Supervisor pursuant to paragraph 1. 3. Where the right referred to in paragraph 1 is exercised, the European Data Protection Supervisor shall at least inform the data subject that all necessary verifications or a review by it have taken place. The European Data Protection Supervisor shall also inform the data subject of his or her right to seek a judicial remedy in the Court of Justice of the European Union.
2017/09/05
Committee: LIBE
Amendment 350 #
Proposal for a regulation
Article 28 m (new)
Article 28 m Logging 1. Eurojust shall keep logs for any of the following processing operations in automated processing systems: collection, alteration, consultation, disclosure including transfers, combination and erasure. The logs of consultation and disclosure shall make it possible to establish the justification for, and the date and time of, such operations, the identification of the person who consulted or disclosed personal data, and, as far as possible, the identity of the recipients of such personal data. 2. The logs shall be used solely for verification of the lawfulness of processing, self-monitoring, ensuring the integrity and security of the personal data, and for criminal proceedings. Such logs shall be deleted after three years, unless they are required for on-going control. 3. Eurojust shall make the logs available to the European Data Protection Supervisor on request.
2017/09/05
Committee: LIBE
Amendment 351 #
Proposal for a regulation
Article 28 n (new)
Article 28 n Transfers to third countries and international organisations subject to appropriate safeguards 1. In the absence of an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 or Article 36 of Directive (EU) 2016/680, Eurojust may transfer personal data to a third country or an international organisation where: (a) appropriate safeguards with regard to the protection of personal data are provided for in a legally binding instrument; or (b) it has assessed all the circumstances surrounding the transfer of personal data and conclude that appropriate safeguards exist with regard to the protection of personal data. 2. Eurojust shall inform the European Data Protection Supervisor about categories of transfers under point (b) of paragraph 1. 3. When a transfer is based on point (b) of paragraph 1, such a transfer shall be documented and the documentation shall be made available to the European Data Protection Supervisor on request, including the date and time of the transfer, information about the receiving competent authority, the justification for the transfer and the personal data transferred.
2017/09/05
Committee: LIBE
Amendment 352 #
Proposal for a regulation
Article 28 o (new)
Article 28 o Derogations for specific situations 1. In the absence of an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 or Article 36 of Directive (EU) 2016/680, or of appropriate safeguards pursuant to Article 28n, Eurojust may transfer personal data to a third country or an international organisation only on the condition that the transfer is necessary: (a) in order to protect the vital interests of the data subject or another person; (b) to safeguard legitimate interests of the data subject; (c) for the prevention of an immediate and serious threat to public security of a Member State or a third country; or (d) in individual cases for the performance of its tasks, unless it determines that fundamental rights and freedoms of the data subject concerned override the public interest in the transfer. 2. Where a transfer is based on paragraph 1, such a transfer shall be documented and the documentation shall be made available to the European Data Protection Supervisor on request, including the date and time of the transfer, and information about the receiving competent authority, about the justification for the transfer and about the personal data transferred.
2017/09/05
Committee: LIBE
Amendment 358 #
Proposal for a regulation
Article 32
Modalities regarding the exercise of the 1. Any data subject wishing to exercise the right of access to personal data may make a request to that effect free of charge to the authority appointed for this purpose in the Member State of their choice. That authority shall refer the request to Eurojust without delay and in any case within one month of receipt. 2. The request shall be answered by Eurojust without undue delay and in any case within three months of its receipt by Eurojust. 3. The competent authorities of the Member States concerned shall be consulted by Eurojust on a decision to be taken. A decision on access to data shall be conditional upon close cooperation between Eurojust and the Member States directly concerned by the communication of such data. In any case in which a Member State objects to Eurojust’s proposed response, it shall notify Eurojust of the reasons for its objection. 4. When the right of access is restricted in accordance with Article 20(1) of Regulation (EC) No 45/2001, Eurojust shall inform the data subject in accordance with Article 20(3) of that Regulation in writing. The information about the principal reasons may be omitted where the provision of such information would deprive the restriction of its effect. The data subject shall at least be informed that all necessary verifications by the European Data Protection Supervisor have taken place. 5. Eurojust shall document the grounds for omitting the communication of the principal reasons on which the restriction referred to in paragraph 4 is based. 6. The national members concerned by the request shall deal with it and reach a decision on Eurojust’s behalf. The request shall be dealt with in full within three months of receipt. Where the members are not in agreement, they shall refer the matter to the College, which shall take its decision on the request by a two-thirds majority. 7. When in application of Article 46 and 47 of Regulation (EC) No 45/2001, the European Data Protection Supervisor checks the lawfulness of the processing performed by Eurojust, he or she shall inform the data subject at least that all necessary verifications by the European Data Protection Supervisor have taken place.Article 32 deleted right of access
2017/09/05
Committee: LIBE
Amendment 362 #
Proposal for a regulation
Article 33
Right to rectification, erasure and restrictions on processing 1. If the personal data that have to be rectified, erased or whose processing has to be restricted in accordance with Articles 14, 15 or 16 of Regulation (EC) No 45/2001 have been provided to Eurojust by third countries, international organisations, private parties, private persons or are the results of Eurojust's own analyses, Eurojust shall rectify, erase or restrict the processing of such data. 2. If the personal data that have to be rectified, erased or whose processing has to be restricted in accordance with Article 14, 15 and 16 of Regulation (EC) No 45/2001 have been provided directly to Eurojust by Member States, Eurojust shall rectify, erase or restrict the processing of such data in collaboration with Member States. 3. If incorrect data were transmitted by another appropriate means or if the errors in the data supplied by Member States are due to faulty transfer or were transmitted in breach of this Regulation or if they result from their being input, taken over or stored in an incorrect manner or in breach of this Regulation by Eurojust, Eurojust shall rectify or erase the data in collaboration with the Member States concerned. 4. In the cases referred to in Articles 14, 15 or 16 of Regulation (EC) No 45/2001, all addressees of such data shall be notified forthwith in accordance with Article 17 of Regulation (EC) No 45/2001. In accordance with rules applicable to them, the addressees shall then rectify, erase or restrict the processing of those data in their systems. 5. Eurojust shall inform the data subject in writing without undue delay and in any case within three months of the receipt of the request that data concerning him or her have been rectified, erased or their processing restricted. 6. Eurojust shall inform the data subject in writing on any refusal of rectification, of erasure or of restrictions to the processing, and the possibility of lodging a complaint with the European Data Protection Supervisor and seeking a judicial remedy.Article 33 deleted
2017/09/05
Committee: LIBE
Amendment 377 #
Proposal for a regulation
Chapter 4 a (new)
CHAPTER IV a - PROCESSING OF OPERATIONAL PERSONAL DATA Or. en (The amendment should be placed after Article 28)
2017/09/05
Committee: LIBE
Amendment 400 #
Proposal for a regulation
Article 44
Transfer of personal data to Union bodies Subject to any possible restrictions pursuant to Article 21(8) Eurojust may directly transfer personal data to Union bodies or agencies in so far as it is necessary for the performance of its tasks or those of the recipient Union body or agency.Article 44 deleted or agencies
2017/09/05
Committee: LIBE
Amendment 403 #
Proposal for a regulation
Article 45
[...]deleted
2017/09/05
Committee: LIBE