Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)

1. Key data

Document date 08-07-2015
Publication date 10-07-2015
Reference 10391/15
From Presidency

2. Text

Council of the European Union

Brussels, 8 July 2015

PUBLIC

(OR. en)

10391/15

Interinstitutional File: 2012/0011 (COD)

LIMITE

DATAPROTECT 111 JAI 513 MI 425 DIGIT 54 DAPIX 117 FREMP 146 COMIX 304 CODEC 958

NOTE

From: Presidency

To: Working Group on Information Exchange and Data Protection (DAPIX)

Subject: Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)

Delegations will find in annex the 4 column table on the General Data Protection Regulation which comprises the Commission proposal, the first reading Position of the European Parliament and the General Approach of the Council.

The markings in this table are to be read as follows:

– Second column with first reading Position of the European Parliament: new text is marked in bold italics; deleted parts of the text are marked in strikethrough, text identical with the Commission proposal is marked with a diagonal line in the box.

– Third column with General Approach of the Council: new text is marked in bold italics; deleted parts of the text are marked in strikethrough, parts of the text that have been moved up or down are marked in bold.

– Fourth column: the diagonal line in the box indicates that the text is identical for all three institutions.

Columns: COM (2012)0011 | EP Position / First Reading | Council General Approach (15/06/2015) | Comments / compromise suggestions

COM (2012)0011, EP Position / First Reading and Council General Approach (identical text):

Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 16(2) and Article 114(1) thereof,

Having regard to the proposal from the European Commission,

COM (2012)0011 and Council General Approach: After transmission of the draft legislative act to the national Parliaments,

EP Position / First Reading: After transmission of the draft legislative act to the national parliaments,

DGD 2C LIMITE EN

COM (2012)0011: Having regard to the opinion of the European Economic and Social Committee 1 ,

1 OJ C , , p. .

EP Position / First Reading: Having regard to the opinion of the European Economic and Social Committee 1 ,

1 OJ C 229, 31.7.2012, p. 90.

Council General Approach: Having regard to the opinion of the European Economic and Social Committee 1,

1 OJ C , , p. .

After consulting the Committee of the Regions,

COM (2012)0011: After consulting the European Data Protection Supervisor 2 ,

2 OJ C , , p.

EP Position / First Reading: After consulting Having regard to the opinion of the European Data Protection Supervisor 2

2 OJ C 192, 30.6.2012, p. 7.

Council General Approach: After consulting the European Data Protection Supervisor 2 ,

2 OJ C , , p.

COM (2012)0011: Acting in accordance with the ordinary legislative procedure

EP Position / First Reading: Acting in accordance with the ordinary legislative procedure 3

3 Position of the European Parliament of 12 March 2014.

Council General Approach: Acting in accordance with the ordinary legislative procedure,

COM (2012)0011, EP Position / First Reading and Council General Approach (identical text): Whereas:

COM (2012)0011 and Council General Approach (identical text): (1) The protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union and Article 16(1) of the Treaty lay down that everyone has the right to the protection of personal data concerning him or her.

EP Position / First Reading: (1) The protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union ('Charter') and Article 16(1) of the Treaty lay down that everyone has the right to the protection of personal data concerning him or her.

COM (2012)0011, EP Position / First Reading and Council General Approach (identical text): (2) The processing of personal data is designed to serve man; the principles and rules on the protection of individuals with regard to the processing of their personal data should, whatever the nationality or residence of natural persons, respect their fundamental rights and freedoms, notably their right to the protection of personal data. It should contribute to the accomplishment of an area of freedom, security and justice and of an economic union, to economic and social progress, the strengthening and the convergence of the economies within the internal market, and the well-being of individuals.

COM (2012)0011: (3) Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data 1 seeks to harmonise the protection of fundamental rights and freedoms of natural persons in respect of processing activities and to guarantee the free flow of personal data between Member States.

1 OJ L 281, 23.11.1995, p. 31.

EP Position / First Reading: (3) Directive 95/46/EC of the European Parliament and of the Council 1 of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data 2 seeks to harmonise the protection of fundamental rights and freedoms of natural persons in respect of processing activities and to guarantee the free flow of personal data between Member States.

1 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ L 281, 23.11.1995, p. 31).

2 OJ L 281, 23.11.1995, p. 31.

Council General Approach: (3) Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data 3 seeks to harmonise the protection of fundamental rights and freedoms of natural persons in respect of processing activities and to guarantee the free flow of personal data between Member States.

3 OJ L 281, 23.11.1995, p. 31.

(3a) The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced with other fundamental rights, in accordance with the principle of proportionality. This Regulation respects all fundamental rights and observes the principles recognised in the Charter of Fundamental Rights of the European Union as enshrined in the Treaties, notably the right to respect for private and family life, home and communications, the right to the protection of personal data, the freedom of thought, conscience and religion, the freedom of expression and information, the freedom to conduct a business, the right to an effective remedy and to a fair trial as well as cultural, religious and linguistic diversity.

COM (2012)0011 and EP Position / First Reading (identical text): (4) The economic and social integration resulting from the functioning of the internal market has led to a substantial increase in cross-border flows. The exchange of data between economic and social, public and private actors across the Union increased. National authorities in the Member States are being called upon by Union law to co-operate and exchange personal data so as to be able to perform their duties or carry out tasks on behalf of an authority in another Member State.

Council General Approach: (4) The economic and social integration resulting from the functioning of the internal market has led to a substantial increase in cross-border flows. The exchange of data between economic and social, public and private actors, including individuals and undertakings across the Union has increased. National authorities in the Member States are being called upon by Union law to co-operate and exchange personal data so as to be able to perform their duties or carry out tasks on behalf of an authority in another Member State.

COM (2012)0011 and EP Position / First Reading (identical text): (5) Rapid technological developments and globalisation have brought new challenges for the protection of personal data. The scale of data sharing and collecting has increased spectacularly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Individuals increasingly make personal information available publicly and globally. Technology has transformed both the economy and social life, and requires to further facilitate the free flow of data within the Union and the transfer to third countries and international organisations, while ensuring an high level of the protection of personal data.

Council General Approach: (5) Rapid technological developments and globalisation have brought new challenges for the protection of personal data. The scale of data sharing and collecting has increased spectacularly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Individuals increasingly make personal information available publicly and globally. Technology has transformed both the economy and social life, and requires to should further facilitate the free flow of data within the Union and the transfer to third countries and international organisations, while ensuring a high level of the protection of personal data.

COM (2012)0011 and EP Position / First Reading (identical text): (6) These developments require building a strong and more coherent data protection framework in the Union, backed by strong enforcement, given the importance to create the trust that will allow the digital economy to develop across the internal market. Individuals should have control of their own personal data and legal and practical certainty for individuals, economic operators and public authorities should be reinforced.

Council General Approach: (6) These developments require building a strong and more coherent data protection framework in the Union, backed by strong enforcement, given the importance to of create creating the trust that will allow the digital economy to develop across the internal market. Individuals should have control of their own personal data and legal and practical certainty for individuals, economic operators and public authorities should be reinforced.

(6a) Where this Regulation provides for specifications or restrictions of its rules by Member State law, Member States may, as far as necessary for the coherence and for making the national provisions comprehensible to the persons to whom they apply, incorporate elements of the Regulation in their respective national law.

COM (2012)0011, EP Position / First Reading and Council General Approach (identical text): (7) The objectives and principles of Directive 95/46/EC remain sound, but it has not prevented fragmentation in the way data protection is implemented across the Union, legal uncertainty and a widespread public perception that there are significant risks for the protection of individuals associated notably with online activity. Differences in the level of protection of the rights and freedoms of individuals, notably to the right to the protection of personal data, with regard to the processing of personal data afforded in the Member States may prevent the free flow of personal data throughout the Union. These differences may therefore constitute an obstacle to the pursuit of economic activities at the level of the Union, distort competition and impede authorities in the discharge of their responsibilities under Union law. This difference in levels of protection is due to the existence of differences in the implementation and application of Directive 95/46/EC.

COM (2012)0011 and EP Position / First Reading (identical text): (8) In order to ensure consistent and high level of protection of individuals and to remove the obstacles to flows of personal data, the level of protection of the rights and freedoms of individuals with regard to the processing of such data should be equivalent in all Member States. Consistent and homogenous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data should be ensured throughout the Union.

Council General Approach: (8) In order to ensure consistent and high level of protection of individuals and to remove the obstacles to flows of personal data within the Union, the level of protection of the rights and freedoms of individuals with regard to the processing of such data should be equivalent in all Member States. Consistent and homogenous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data should be ensured throughout the Union. Regarding the processing of personal data for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Member States should be allowed to maintain or introduce national provisions to further specify the application of the rules of this Regulation. In conjunction with the general and horizontal law on data protection implementing Directive 95/46/EC Member States have several sector specific laws in areas that need more specific provisions. This Regulation also provides a margin of manoeuvre for Member States to specify its rules. Within this margin of manoeuvre sector-specific laws that Member States have issued implementing Directive 95/46/EC should be able to be upheld.

COM (2012)0011, EP Position / First Reading and Council General Approach (identical text): (9) Effective protection of personal data throughout the Union requires strengthening and detailing the rights of data subjects and the obligations of those who process and determine the processing of personal data, but also equivalent powers for monitoring and ensuring compliance with the rules for the protection of personal data and equivalent sanctions for offenders in the Member States.

COM (2012)0011, EP Position / First Reading and Council General Approach (identical text): (10) Article 16(2) of the Treaty mandates the European Parliament and the Council to lay down the rules relating to the protection of individuals with regard to the processing of personal data and the rules relating to the free movement of personal data.

COM (2012)0011: (11) In order to ensure a consistent level of protection for individuals throughout the Union and to prevent divergences hampering the free movement of data within the internal market, a Regulation is necessary to provide legal certainty and transparency for economic operators, including micro, small and medium-sized enterprises, and to provide individuals in all Member States with the same level of legally enforceable rights and obligations and responsibilities for controllers and processors, to ensure consistent monitoring of the processing of personal data, and equivalent sanctions in all Member States as well as effective co-operation by the supervisory authorities of different Member States. To take account of the specific situation of micro, small and medium-sized enterprises, this Regulation includes a number of derogations. In addition, the Union institutions and bodies, Member States and their supervisory authorities are encouraged to take account of the specific needs of micro, small and medium-sized enterprises in the application of this Regulation. The notion of micro, small and medium-sized enterprises should draw upon Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises.

EP Position / First Reading: (11) In order to ensure a consistent level of protection for individuals throughout the Union and to prevent divergences hampering the free movement of data within the internal market, a Regulation is necessary to provide legal certainty and transparency for economic operators, including micro, small and medium-sized enterprises, and to provide individuals in all Member States with the same level of legally enforceable rights and obligations and responsibilities for controllers and processors, to ensure consistent monitoring of the processing of personal data, and equivalent sanctions in all Member States as well as effective co-operation by the supervisory authorities of different Member States. To take account of the specific situation of micro, small and medium-sized enterprises, this Regulation includes a number of derogations. In addition, the Union institutions and bodies, Member States and their supervisory authorities are encouraged to take account of the specific needs of micro, small and medium-sized enterprises in the application of this Regulation. The notion of micro, small and medium-sized enterprises should draw upon Commission Recommendation 2003/361/EC 1 of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises.

1 Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises (OJ L 124, 20.5.2003, p. 36).

Council General Approach: (11) In order to ensure a consistent level of protection for individuals throughout the Union and to prevent divergences hampering the free movement of data within the internal market, a Regulation is necessary to provide legal certainty and transparency for economic operators, including micro, small and medium-sized enterprises, and to provide individuals in all Member States with the same level of legally enforceable rights and obligations and responsibilities for controllers and processors, to ensure consistent monitoring of the processing of personal data, and equivalent sanctions in all Member States as well as effective co-operation by the supervisory authorities of different Member States. The proper functioning of the internal market requires that the free movement of personal data within the Union should not be restricted or prohibited for reasons connected with the protection of individuals with regard to the processing of personal data. To take account of the specific situation of micro, small and medium-sized enterprises, this Regulation includes a number of derogations. In addition, the Union institutions and bodies, Member States and their supervisory authorities are encouraged to take account of the specific needs of micro, small and medium-sized enterprises in the application of this Regulation. The notion of micro, small and medium-sized enterprises should draw upon Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises.

COM (2012)0011, EP Position / First Reading and Council General Approach (identical text): (12) The protection afforded by this Regulation concerns natural persons, whatever their nationality or place of residence, in relation to the processing of personal data. With regard to the processing of data which concern legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person, the protection of this Regulation should not be claimed by any person. This should also apply where the name of the legal person contains the names of one or more natural persons.

COM (2012)0011, EP Position / First Reading and Council General Approach (identical text): (13) The protection of individuals should be technologically neutral and not depend on the techniques used; otherwise this would create a serious risk of circumvention. The protection of individuals should apply to processing of personal data by automated means as well as to manual processing, if the data are contained or are intended to be contained in a filing system. Files or sets of files as well as their cover pages, which are not structured according to specific criteria, should not fall within the scope of this Regulation.

COM (2012)0011: (14) This Regulation does not address issues of protection of fundamental rights and freedoms or the free flow of data related to activities which fall outside the scope of Union law, nor does it cover the processing of personal data by the Union institutions, bodies, offices and agencies, which are subject to Regulation (EC) No 45/2001 4 , or the processing of personal data by the Member States when carrying out activities in relation to the common foreign and security policy of the Union.

4 OJ L 8, 12.1.2001, p. 1.

EP Position / First Reading (Amendment 1): (14) This Regulation does not This Regulation does not address issues of protection of fundamental rights and freedoms or the free flow of data related to activities which fall outside the scope of Union law, nor does it cover the processing of personal data by the Union institutions, bodies, offices and agencies, which are subject to. Regulation (EC) No 45/2001, or the processing of personal data by the Member States when carrying out activities in relation to the common foreign and security policy of the Union of the European Parliament and of the Council 1 should be brought in line with this Regulation and applied in accordance with this Regulation.

________________

1 Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (OJ L 8, 12.1.2001, p. 1).

Council General Approach: (14) This Regulation does not address issues of protection of fundamental rights and freedoms or the free flow of data related to activities which fall outside the scope of Union law, such as activities concerning national security, nor does it cover the processing of personal data by the Union institutions, bodies, offices and agencies, which are subject to Regulation (EC) No 45/2001 5 , or the processing of personal data by the Member States when carrying out activities in relation to the common foreign and security policy of the Union.

5 OJ L 8, 12.1.2001, p. 1.

(14a) Regulation (EC) No 45/2001 applies to the processing of personal data by the Union institutions, bodies, offices and agencies. Regulation (EC) No 45/2001 6 and other Union legal instruments applicable to such processing of personal data should be adapted to the principles and rules of this Regulation.

6 OJ L 8, 12.1.2001, p. 1.

Amendment 2

COM (2012)0011: (15) This Regulation should not apply to processing of personal data by a natural person, which are exclusively personal or domestic, such as correspondence and the holding of addresses, and without any gainful interest and thus without any connection with a professional or commercial activity. The exemption should also not apply to controllers or processors which provide the means for processing personal data for such personal or domestic activities.

EP Position / First Reading: (15) This Regulation should not apply to processing of personal data by a natural person, which are exclusively personal, family-related, or domestic, such as correspondence and the holding of addresses or a private sale, and without any gainful interest and thus without any connection with a professional or commercial activity. The exemption should also not apply to controllers or processors which provide the means for processing personal data for such personal or domestic activities. However, this Regulation should apply to controllers and processors which provide the means for processing personal data for such personal or domestic activities.

Council General Approach: (15) This Regulation should not apply to processing of personal data by a natural person in the course of a, which are exclusively personal or domestic household activity, such as correspondence and the holding of addresses, and without any gainful interest and thus without any a connection with a professional or commercial activity. Personal and household activities include social networking and on-line activity undertaken within the context of such personal and household activities. However, this Regulation The exemption should also not apply to controllers or processors which provide the means for processing personal data for such personal or domestic activities.


COM (2012)0011: (16) The protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data, is subject of a specific legal instrument at Union level. Therefore, this Regulation should not apply to the processing activities for those purposes. However, data processed by public authorities under this Regulation when used for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties should be governed by the more specific legal instrument at Union level (Directive XX/YYY).

EP Position / First Reading: (16) The protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data, is subject of a specific legal instrument at Union level. Therefore, this Regulation should not apply to the processing activities for those purposes. However, data processed by public authorities under this Regulation when used for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties should be governed by the more specific legal instrument at Union level (Directive XX/YYY(Directive 2014/.../EU of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data).

Council General Approach: (16) The protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties or the safeguarding against and the prevention of threats to public security, and the free movement of such data, is subject of a specific legal instrument at Union level. Therefore, this Regulation should not apply to the processing activities for those purposes. However, data processed by public authorities under this Regulation when used for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties should be governed by the more specific legal instrument at Union level (Directive XX/YYY).

Member States may entrust competent authorities within the meaning of Directive XX/YYY with other tasks which are not necessarily carried out for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the safeguarding against and prevention of threats to public security, so that the processing of personal data for those other purposes, in so far as it is within the scope of Union law, falls within the scope of this Regulation.

With regard to the processing of personal data by those competent authorities for purposes falling within scope of the General Data Protection Regulation, Member States may maintain or introduce more specific provisions to adapt the application of the rules of the General Data Protection Regulation. Such provisions may determine more precisely specific requirements for processing of personal data by those competent authorities for those other purposes, taking into account the constitutional, organisational and administrative structure of the respective Member State.

When processing of personal data by private bodies falls within the scope of this Regulation, this Regulation should provide for the possibility for Member States under specific conditions to restrict by law certain obligations and rights when such a restriction constitutes a necessary and proportionate measure in a democratic society to safeguard specific important interests including public security and the prevention, investigation, detection and prosecution of criminal offences. This is relevant for instance in the framework of anti-money laundering or the activities of forensic laboratories.


(16a) While this Regulation applies also to the activities of courts and other judicial authorities, Union or Member State law could specify the processing operations and processing procedures in relation to the processing of personal data by courts and other judicial authorities. The competence of the supervisory authorities should not cover the processing of personal data when courts are acting in their judicial capacity, in order to safeguard the independence of the judiciary in the performance of its judicial tasks, including its decision-making. Supervision of such data processing operations may be entrusted to specific bodies within the judicial system of the Member State, which should in particular control compliance with the rules of this Regulation, promote the awareness of the judiciary of their obligations under this Regulation and deal with complaints in relation to such processing.


COM (2012)0011: (17) This Regulation should be without prejudice to the application of Directive 2000/31/EC, in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that Directive.

EP Position / First Reading: (17) This Regulation should be without prejudice to the application of Directive 2000/31/EC of the European Parliament and of the Council 1, in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that Directive.

1 Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (Directive on electronic commerce) (OJ L 178, 17.7.2000, p. 1).

Council General Approach: (17) Directive 2000/31/EC does not apply to questions relating to information society services covered by this Regulation. That Directive seeks to contribute to the proper functioning of the internal market by ensuring the free movement of information society services between Member States. Its application should not be affected by this Regulation. This Regulation should therefore be without prejudice to the application of Directive 2000/31/EC, in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that Directive.


Amendment 3

COM (2012)0011: (18) This Regulation allows the principle of public access to official documents to be taken into account when applying the provisions set out in this Regulation.

EP Position / First Reading: (18) This Regulation allows the principle of public access to official documents to be taken into account when applying the provisions set out in this Regulation. Personal data in documents held by a public authority or public body may be disclosed by that authority or body in accordance with Union or Member State law regarding public access to official documents, which reconciles the right to data protection with the right of public access to official documents and constitutes a fair balance of the various interests involved.

Council General Approach: (18) deleted


COM (2012)0011: (19) Any processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union should be carried out in accordance with this Regulation, regardless of whether the processing itself takes place within the Union or not. Establishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in this respect.

EP Position / First Reading: (19) Any processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union should be carried out in accordance with this Regulation, regardless of whether the processing itself takes place within the Union or not. Establishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in this respect.

Council General Approach: (19) Any processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union should be carried out in accordance with this Regulation, regardless of whether the processing itself takes place within the Union or not. Establishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in this respect.


Amendment 4

COM (2012)0011: (20) In order to ensure that individuals are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects residing in the Union by a controller not established in the Union should be subject to this Regulation where the processing activities are related to the offering of goods or services to such data subjects, or to the monitoring of the behaviour of such data subjects.

EP Position / First Reading: (20) In order to ensure that individuals are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects residing in the Union by a controller not established in the Union should be subject to this Regulation where the processing activities are related to the offering of goods or services, irrespective of whether connected to a payment or not, to such data subjects, or to the monitoring of the behaviour of such data subjects. In order to determine whether such a controller is offering goods or services to such data subjects in the Union, it should be ascertained whether it is apparent that the controller is envisaging the offering of services to data subjects in one or more Member States in the Union.

Council General Approach: (20) In order to ensure that individuals are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects residing in the Union by a controller not established in the Union should be subject to this Regulation where the processing activities are related to the offering of goods or services to such data subjects, or to the monitoring of the behaviour of such data subjects irrespective of whether connected to a payment or not, which takes place in the Union. In order to determine whether such a controller is offering goods or services to such data subjects in the Union, it should be ascertained whether it is apparent that the controller is envisaging doing business with data subjects residing in one or more Member States in the Union. Whereas the mere accessibility of the controller’s or an intermediary’s website in the Union or of an email address and of other contact details or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, and/or the mentioning of customers or users residing in the Union, may make it apparent that the controller envisages offering goods or services to such data subjects in the Union.


Amendment 5

COM (2012)0011: (21) In order to determine whether a processing activity can be considered to ‘monitor the behaviour’ of data subjects, it should be ascertained whether individuals are tracked on the internet with data processing techniques which consist of applying a ‘profile’ to an individual, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.

EP Position / First Reading: (21) In order to determine whether a processing activity can be considered to ‘monitor the behaviour’ of data subjects, it should be ascertained whether individuals are tracked on the internet with, regardless of the origins of the data, or if other data about them are collected, including from public registers and announcements in the Union that are accessible from outside of the Union, including with the intention to use, or potential of subsequent use of data processing techniques which consist of applying a ‘profile’ to an individual, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.

Council General Approach: (21) The processing of personal data of data subjects residing in the Union by a controller not established in the Union should also be subject to this Regulation when it is related to the monitoring of their behaviour taking place within the European Union. In order to determine whether a processing activity can be considered to ‘monitor the behaviour’ of data subjects, it should be ascertained whether individuals are tracked on the internet with data processing techniques which consist of applying a ‘profile’ to profiling an individual, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.


COM (2012)0011: (22) Where the national law of a Member State applies by virtue of public international law, this Regulation should also apply to a controller not established in the Union, such as in a Member State's diplomatic mission or consular post.

EP Position / First Reading: (22) Where the national law of a Member State applies by virtue of public international law, this Regulation should also apply to a controller not established in the Union, such as in a Member State's diplomatic mission or consular post.

Council General Approach: (22) Where the national law of a Member State applies by virtue of public international law, this Regulation should also apply to a controller not established in the Union, such as in a Member State's diplomatic mission or consular post.

Amendment 6

COM (2012)0011: (23) The principles of protection should apply to any information concerning an identified or identifiable person. To determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the individual. The principles of data protection should not apply to data rendered anonymous in such a way that the data subject is no longer identifiable.

EP Position / First Reading: (23) The principles of data protection should apply to any information concerning an identified or identifiable natural person. To determine whether a person is identifiable, account should be taken of all the means likely reasonably likely to be used either by the controller or by any other person to identify or single out the individual directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the individual, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration both available technology at the time of the processing and technological development. The principles of data protection should therefore not apply to anonymous data rendered anonymous in such a way that the data subject is no longer identifiable, which is information that does not relate to an identified or identifiable natural person. This Regulation does therefore not concern the processing of such anonymous data, including for statistical and research purposes.

Council General Approach: (23) The principles of data protection should apply to any information concerning an identified or identifiable natural person. Data including pseudonymised data, which could be attributed to a natural person by the use of additional information, should be considered as information on an identifiable natural person. To determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the individual directly or indirectly. To ascertain whether means are reasonable likely to be used to identify the individual, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration both available technology at the time of the processing and technological development. The principles of data protection should therefore not apply to anonymous information, that is information which does not relate to an identified or identifiable natural person or to data rendered anonymous in such a way that the data subject is not or no longer identifiable. This Regulation does therefore not concern the processing of such anonymous information, including for statistical and research purposes.

(23aa) The principles of data protection should not apply to data of deceased persons. The national law of a Member State may provide for rules regarding the processing of data of deceased persons.


(23a) The application of pseudonymisation to personal data can reduce the risks for the data subjects concerned and help controllers and processors meet their data protection obligations. The explicit introduction of ‘pseudonymisation’ through the articles of this Regulation is thus not intended to preclude any other measures of data protection.

(23b) (…)

(23c) In order to create incentives for applying pseudonymisation when processing personal data, measures of pseudonymisation whilst allowing general analysis should be possible within the same controller when the controller has taken technical and organisational measures necessary to ensure that the provisions of this Regulation are implemented, taking into account the respective data processing and ensuring that additional information for attributing the personal data to a specific data subject is kept separately. The controller who processes the data shall also refer to authorised persons within the same controller. In such case however the controller shall make sure that the individual(s) performing the pseudonymisation are not referenced in the metadata.

Amendment 7

COM (2012)0011: (24) When using online services, individuals may be associated with online identifiers provided by their devices, applications, tools and protocols, such as Internet Protocol addresses or cookie identifiers. This may leave traces which, combined with unique identifiers and other information received by the servers, may be used to create profiles of the individuals and identify them. It follows that identification numbers, location data, online identifiers or other specific factors as such need not necessarily be considered as personal data in all circumstances.

EP Position / First Reading: (24) When using online services, individuals may be associated with online This Regulation should be applicable to processing involving identifiers provided by their devices, applications, tools and protocols, such as Internet Protocol addresses or cookie identifiers and Radio Frequency Identification tags, unless those identifiers do not relate to an identified or identifiable natural person. This may leave traces which, combined with unique identifiers and other information received by the servers, may be used to create profiles of the individuals and identify them. It follows that identification numbers, location data, online identifiers or other specific factors as such need not necessarily be considered as personal data in all circumstances.

Council General Approach: (24) When using online services, individuals may be associated with online identifiers provided by their devices, applications, tools and protocols, such as Internet Protocol addresses or cookie identifiers. This may leave traces which, when combined with unique identifiers and other information received by the servers, may be used to create profiles of the individuals and identify them. It follows that iIdentification numbers, location data, online identifiers or other specific factors as such need should not necessarily be considered as personal data in all circumstances if they do not identify an individual or make an individual identifiable.

Amendment 8

COM (2012)0011: (25) Consent should be given explicitly by any appropriate method enabling a freely given specific and informed indication of the data subject's wishes, either by a statement or by a clear affirmative action by the data subject, ensuring that individuals are aware that they give their consent to the processing of personal data, including by ticking a box when visiting an Internet website or by any other statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of their personal data. Silence or inactivity should therefore not constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. If the data subject's consent is to be given following an electronic request, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.

EP Position / First Reading: (25) Consent should be given explicitly by any appropriate method enabling a freely given specific and informed indication of the data subject's wishes, either by a statement or by a clear affirmative action that is the result of choice by the data subject, ensuring that individuals are aware that they give their consent to the processing of personal data, including by. Clear affirmative action could include ticking a box when visiting an Internet website or by any other statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, mere use of a service or inactivity should therefore not constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. If the data subject's consent is to be given following an electronic request, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.

Council General Approach: (25) Consent should be given explicitly unambiguously by any appropriate method enabling a freely given specific and informed indication of the data subject's wishes, either by a written, including electronic, oral or other statement or, if required by specific circumstances, by any other clear affirmative action by the data subject, signifying his or her agreement to ensuring that individuals are aware that they give their consent to the processing of personal data relating to him or her being processed., This could including include by ticking a box when visiting an Internet website or by any other statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of their personal data. Silence or inactivity should therefore not constitute consent. Where it is technically feasible and effective, the data subject's consent to processing may be given by using the appropriate settings of a browser or other application. In such cases it is sufficient that the data subject receives the information needed to give freely specific and informed consent when starting to use the service. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, unambiguous consent should be granted for all of the processing purposes. If the data subject's consent is to be given following an electronic request, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.


(25a) Genetic data should be defined as personal data relating to the genetic characteristics of an individual which have been inherited or acquired as they result from an analysis of a biological sample from the individual in question, in particular by chromosomal, deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analysis or analysis of any other element enabling equivalent information to be obtained.

(25aa) It is often not possible to fully identify the purpose of data processing for scientific purposes at the time of data collection. Therefore data subjects can give their consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research. Data subjects should have the opportunity to give their consent only to certain areas of research or parts of research projects to the extent allowed by the intended purpose and provided that this does not involve disproportionate efforts in view of the protective purpose.


COM (2012)0011: (26) Personal data relating to health should include in particular all data pertaining to the health status of a data subject; information about the registration of the individual for the provision of health services; information about payments or eligibility for healthcare with respect to the individual; a number, symbol or particular assigned to an individual to uniquely identify the individual for health purposes; any information about the individual collected in the course of the provision of health services to the individual; information derived from the testing or examination of a body part or bodily substance, including biological samples; identification of a person as provider of healthcare to the individual; or any information on e.g. a disease, disability, disease risk, medical history, clinical treatment, or the actual physiological or biomedical state of the data subject independent of its source, such as e.g. from a physician or other health professional, a hospital, a medical device, or an in vitro diagnostic test.

EP Position / First Reading: (26) Personal data relating to health should include in particular all data pertaining to the health status of a data subject; information about the registration of the individual for the provision of health services; information about payments or eligibility for healthcare with respect to the individual; a number, symbol or particular assigned to an individual to uniquely identify the individual for health purposes; any information about the individual collected in the course of the provision of health services to the individual; information derived from the testing or examination of a body part or bodily substance, including biological samples; identification of a person as provider of healthcare to the individual; or any information on e.g. a disease, disability, disease risk, medical history, clinical treatment, or the actual physiological or biomedical state of the data subject independent of its source, such as e.g. from a physician or other health professional, a hospital, a medical device, or an in vitro diagnostic test.

Council General Approach: (26) Personal data relating to concerning health should include in particular all data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health of the data subject; including information about the registration of the individual for the provision of health services; information about payments or eligibility for healthcare with respect to the individual; a number, symbol or particular assigned to an individual to uniquely identify the individual for health purposes; any information about the individual collected in the course of the provision of health services to the individual; information derived from the testing or examination of a body part or bodily substance, including genetic data and biological samples; identification of a person as provider of healthcare to the individual; or any information on e.g. for example a disease, disability, disease risk, medical history, clinical treatment, or the actual physiological or biomedical state of the data subject independent of its source, such as e.g. for example from a physician or other health professional, a hospital, a medical device, or an in vitro diagnostic test.

COM (2012)0011: (27) The main establishment of a controller in the Union should be determined according to objective criteria and should imply the effective and real exercise of management activities determining the main decisions as to the purposes, conditions and means of processing through stable arrangements. This criterion should not depend whether the processing of personal data is actually carried out at that location; the presence and use of technical means and technologies for processing personal data or processing activities do not, in themselves, constitute such main establishment and are therefore no determining criteria for a main establishment. The main establishment of the processor should be the place of its central administration in the Union.

EP Position / First Reading: (27) The main establishment of a controller in the Union should be determined according to objective criteria and should imply the effective and real exercise of management activities determining the main decisions as to the purposes, conditions and means of processing through stable arrangements. This criterion should not depend whether the processing of personal data is actually carried out at that location; the presence and use of technical means and technologies for processing personal data or processing activities do not, in themselves, constitute such main establishment and are therefore no determining criteria for a main establishment. The main establishment of the processor should be the place of its central administration in the Union.

Council General Approach: (27) The main establishment of a controller in the Union should be the place of its central administration in the Union, unless determined according to objective criteria and should imply the effective and real exercise of management activities determining the main decisions as to on the purposes, conditions and means of processing of personal data are taken in another establishment of the controller in the Union. In this case the latter should be considered as the main establishment. through stable arrangements.

The main establishment of a controller in the Union should be determined according to objective criteria and should imply the effective and real exercise of management activities determining the main decisions as to the purposes and means of processing through stable arrangements. This criterion should not depend on whether the processing of personal data is actually carried out at that location; the presence and use of technical means and technologies for processing personal data or processing activities do not, in themselves, constitute such main establishment and are therefore not determining criteria for a main establishment. The main establishment of the processor should be the place of its central administration in the Union and, if it has no central administration in the Union, the place where the main processing activities take place in the Union. In cases involving both the controller and the processor, the competent lead supervisory authority should remain the supervisory authority of the Member State where the controller has its main establishment but the supervisory authority of the processor should be considered as a concerned supervisory authority and participate to the cooperation procedure provided for by this Regulation. In any case, the supervisory authorities of the Member State or Member States where the processor has one or more establishments should not be considered as concerned supervisory authorities when the draft decision concerns only the controller.

Where the processing is carried out by a group of undertakings, the main establishment of the controlling undertaking should be considered as the main establishment of the group of undertakings, except where the purposes and means of processing are determined by another undertaking.


COM (2012)0011 and EP Position / First Reading (identical text):

(28) A group of undertakings should cover a controlling undertaking and its controlled undertakings, whereby the controlling undertaking should be the undertaking which can exercise a dominant influence over the other undertakings by virtue, for example, of ownership, financial participation or the rules which govern it or the power to have personal data protection rules implemented.

Council General Approach:

(28) A group of undertakings should cover a controlling undertaking and its controlled undertakings, whereby the controlling undertaking should be the undertaking which can exercise a dominant influence over the other undertakings by virtue, for example, of ownership, financial participation or the rules which govern it or the power to have personal data protection rules implemented. A central undertaking which controls the processing of personal data in undertakings affiliated to it forms together with these undertakings an entity which may be treated as “group of undertakings”.


Amendment 9

COM (2012)0011:

(29) Children deserve specific protection of their personal data, as they may be less aware of risks, consequences, safeguards and their rights in relation to the processing of personal data. To determine when an individual is a child, this Regulation should take over the definition laid down by the UN Convention on the Rights of the Child.

EP Position / First Reading:

(29) Children deserve specific protection of their personal data, as they may be less aware of risks, consequences, safeguards and their rights in relation to the processing of personal data. To determine when an individual is a child, this Regulation should take over the definition laid down by the UN Convention on the Rights of the Child. Where data processing is based on the data subject’s consent in relation to the offering of goods or services directly to a child, consent should be given or authorised by the child’s parent or legal guardian in cases where the child is below the age of 13. Age-appropriate language should be used where the intended audience is children. Other grounds of lawful processing such as grounds of public interest should remain applicable, such as for processing in the context of preventive or counselling services offered directly to a child.

Council General Approach:

(29) Children deserve specific protection of their personal data, as they may be less aware of risks, consequences, safeguards and their rights in relation to the processing of personal data. To determine when an individual is a child, this Regulation should take over the definition laid down by the UN Convention on the Rights of the Child. This concerns especially the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of child data when using services offered directly to a child.


COM (2012)0011 and EP Position / First Reading (identical text):

(30) Any processing of personal data should be lawful, fair and transparent in relation to the individuals concerned. In particular, the specific purposes for which the data are processed should be explicit and legitimate and determined at the time of the collection of the data. The data should be adequate, relevant and limited to the minimum necessary for the purposes for which the data are processed; this requires in particular ensuring that the data collected are not excessive and that the period for which the data are stored is limited to a strict minimum. Personal data should only be processed if the purpose of the processing could not be fulfilled by other means. Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted. In order to ensure that the data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review.

Council General Approach:

(30) Any processing of personal data should be lawful and, fair. and It should be transparent in relation to for the individuals concerned. In particular, the specific purposes for which the data are processed should be explicit and legitimate and determined at the time of the collection of the data. The data should be adequate, relevant and limited to the minimum necessary for the purposes for which the data are processed; this requires in particular ensuring that the data collected are not excessive and that the period for which the data are stored is limited to a strict minimum. Personal data should only be processed if the purpose of the processing could not be fulfilled by other means. that personal data concerning them are collected, used, consulted or otherwise processed and to which extent the data are processed or will be processed. The principle of transparency requires that any information and communication relating to the processing of those data should be easily accessible and easy to understand, and that clear and plain language is used. This concerns in particular the information of the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the individuals concerned and their right to get confirmation and communication of personal data being processed concerning them.

Individuals should be made aware on risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise his or her rights in relation to the processing. In particular, the specific purposes for which the data are processed should be explicit and legitimate and determined at the time of the collection of the data. The data should be adequate and relevant for the purposes for which the data are processed; this requires in particular ensuring that the data collected are not excessive and that the period for which the data are stored is limited to a strict minimum. Personal data should only be processed if the purpose of the processing could not reasonably be fulfilled by other means. In order to ensure that the data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review.

Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted. In order to ensure that the data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review. Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or the use of personal data and the equipment used for the processing.


Amendment 10

COM (2012)0011:

(31) In order for processing to be lawful, personal data should be processed on the basis of the consent of the person concerned or some other legitimate basis, laid down by law, either in this Regulation or in other Union or Member State law as referred to in this Regulation.

EP Position / First Reading:

(31) In order for processing to be lawful, personal data should be processed on the basis of the consent of the person concerned or some other legitimate basis, laid down by law, either in this Regulation or in other Union or Member State law as referred to in this Regulation. In case of a child or a person lacking legal capacity, relevant Union or Member State law should determine the conditions under which consent is given or authorised by that person.

Council General Approach:

(31) In order for processing to be lawful, personal data should be processed on the basis of the consent of the person concerned or some other legitimate basis, laid down by law, either in this Regulation or in other Union or Member State law as referred to in this Regulation, including the necessity for compliance with the legal obligation to which the controller is subject or the necessity for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.


(31a) Wherever this Regulation refers to a legal basis or a legislative measure, this does not necessarily require a legislative act adopted by a parliament, without prejudice to requirements pursuant the constitutional order of the Member State concerned, however such legal basis or legislative measure should be clear and precise and its application foreseeable for those subject to it as required by the case law of the Court of Justice of the European Union and the European Court of Human Rights.


Amendment 11

COM (2012)0011:

(32) Where processing is based on the data subject's consent, the controller should have the burden of proving that the data subject has given the consent to the processing operation. In particular in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware that and to what extent consent is given.

EP Position / First Reading:

(32) Where processing is based on the data subject’s consent, the controller should have the burden of proving that the data subject has given the consent to the processing operation. In particular in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware that and to what extent consent is given. To comply with the principle of data minimisation, the burden of proof should not be understood as requiring the positive identification of data subjects unless necessary. Similar to civil law terms (e.g. Council Directive 93/13/EEC [1]), data protection policies should be as clear and transparent as possible. They should not contain hidden or disadvantageous clauses. Consent cannot be given for the processing of personal data of third persons.

[1] Council Directive 93/13/EEC of 5 April 1993 on unfair terms in consumer contracts (OJ L 95, 21.4.1993, p. 29).

Council General Approach:

(32) Where processing is based on the data subject's consent, the controller should have the burden of proving be able to demonstrate that the data subject has given the consent to the processing operation. In particular in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware that and to what the extent to which consent is given. A declaration of consent pre-formulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language and its content should not be unusual within the overall context. For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended; consent should not be regarded as freely-given if the data subject has no genuine and free choice and is unable to refuse or withdraw consent without detriment.


Amendment 12

COM (2012)0011:

(33) In order to ensure free consent, it should be clarified that consent does not provide a valid legal ground where the individual has no genuine and free choice and is subsequently not able to refuse or withdraw consent without detriment.

EP Position / First Reading:

(33) In order to ensure free consent, it should be clarified that consent does not provide a valid legal ground where the individual has no genuine and free choice and is subsequently not able to refuse or withdraw consent without detriment. This is especially the case if the controller is a public authority that can impose an obligation by virtue of its relevant public powers and the consent cannot be deemed as freely given. The use of default options which the data subject is required to modify to object to the processing, such as pre-ticked boxes, does not express free consent. Consent for the processing of additional personal data that are not necessary for the provision of a service should not be required for using the service. When consent is withdrawn, this may allow the termination or non-execution of a service which is dependent on the data. Where the conclusion of the intended purpose is unclear, the controller should in regular intervals provide the data subject with information about the processing and request a reaffirmation of their his or her consent.

Council General Approach:

(33) deleted

Amendment 13

COM (2012)0011:

(34) Consent should not provide a valid legal ground for the processing of personal data, where there is a clear imbalance between the data subject and the controller. This is especially the case where the data subject is in a situation of dependence from the controller, among others, where personal data are processed by the employer of employees' personal data in the employment context. Where the controller is a public authority, there would be an imbalance only in the specific data processing operations where the public authority can impose an obligation by virtue of its relevant public powers and the consent cannot be deemed as freely given, taking into account the interest of the data subject.

EP Position / First Reading:

deleted

Council General Approach:

(34) In order to safeguard that Consent consent has been freely-given, consent should not provide a valid legal ground for the processing of personal data in a specific case, where there is a clear imbalance between the data subject and the controller and This this is especially the case where the data subject is in a situation of dependence from the controller, among others, where personal data are processed by the employer of employees' personal data in the employment context. Where the controller is a public authority, there would be an imbalance only in the specific data processing operations where the public authority can impose an obligation by virtue of its relevant public powers and makes it unlikely that the consent cannot be deemed was given as freely-given, taking into account the interest of the data subject in all the circumstances of that specific situation. Consent is presumed not to be freely given, if it does not allow separate consent to be given to different data processing operations despite it is appropriate in the individual case, or if the performance of a contract is made dependent on the consent despite this is not necessary for such performance and the data subject cannot reasonably obtain equivalent services from another source without consent.

COM (2012)0011, EP Position / First Reading and Council General Approach (identical text):

(35) Processing should be lawful where it is necessary in the context of a contract or the intended entering into a contract.


(35a) This Regulation provides for general rules on data protection and that in specific cases Member States are also empowered to lay down national rules on data protection. The Regulation does therefore not exclude Member State law that defines the circumstances of specific processing situations, including determining more precisely the conditions under which processing of personal data is lawful. National law may also provide for special processing conditions for specific sectors and for the processing of special categories of data.


Amendment 14

COM (2012)0011:

(36) Where processing is carried out in compliance with a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of an official authority, the processing should have a legal basis in Union law, or in a Member State law which meets the requirements of the Charter of Fundamental Rights of the European Union for any limitation of the rights and freedoms. It is also for Union or national law to determine whether the controller performing a task carried out in the public interest or in the exercise of official authority should be a public administration or another natural or legal person governed by public law, or by private law such as a professional association.

EP Position / First Reading:

(36) Where processing is carried out in compliance with a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of an official authority, the processing should have a legal basis in Union law, or in a Member State law which meets the requirements of the Charter of Fundamental Rights of the European Union for any limitation of the rights and freedoms. This should include also collective agreements that could be recognised under national law as having general validity. It is also for Union or national law to determine whether the controller performing a task carried out in the public interest or in the exercise of official authority should be a public administration or another natural or legal person governed by public law, or by private law such as a professional association.

Council General Approach:

(36) Where processing is carried out in compliance with a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of an official authority, the processing should have a legal basis in Union law, or in the national law of a Member State law which meets the requirements of the Charter of Fundamental Rights of the European Union for any limitation of the rights and freedoms. It is should be also for Union or national law to determine the purpose of processing. whether the controller performing a task carried out in the public interest or in the exercise of official authority should be a public administration or another natural or legal person governed by public law, or by private law such as a professional association. Furthermore, this basis could specify the general conditions of the Regulation governing the lawfulness of data processing, determine specifications for determining the controller, the type of data which are subject to the processing, the data subjects concerned, the entities to which the data may be disclosed, the purpose limitations, the storage period and other measures to ensure lawful and fair processing.

It should also be for Union or national law to determine whether the controller performing a task carried out in the public interest or in the exercise of official authority should be a public authority or another natural or legal person governed by public law, or by private law such as a professional association, where grounds of public interest so justify including for health purposes, such as public health and social protection and the management of health care services.


COM (2012)0011 and EP Position / First Reading (identical text):

(37) The processing of personal data should equally be regarded as lawful where it is necessary to protect an interest which is essential for the data subject's life.

Council General Approach:

(37) The processing of personal data should equally be regarded as lawful where it is necessary to protect an interest which is essential for the data subject's life or that of another person. Some types of data processing may serve both important grounds of public interest and the vital interests of the data subject as, for instance when processing is necessary for humanitarian purposes, including for monitoring epidemic and its spread or in situations of humanitarian emergencies, in particular in situations of natural disasters.


Amendment 15

COM (2012)0011:

(38) The legitimate interests of a controller may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding. This would need careful assessment in particular where the data subject is a child, given that children deserve specific protection. The data subject should have the right to object the processing, on grounds relating to their particular situation and free of charge. To ensure transparency, the controller should be obliged to explicitly inform the data subject on the legitimate interests pursued and on the right to object, and also be obliged to document these legitimate interests. Given that it is for the legislator to provide by law the legal basis for public authorities to process data, this legal ground should not apply for the processing by public authorities in the performance of their tasks.

EP Position / First Reading:

(38) The legitimate interests of a the controller, or in case of disclosure, of the third party to whom the data is are disclosed, may provide a legal basis for processing, provided that they meet the reasonable expectations of the data subject based on his or her relationship with the controller and that the interests or the fundamental rights and freedoms of the data subject are not overriding. This would need careful assessment in particular where the data subject is a child, given that children deserve specific protection. Provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, processing limited to pseudonymous data should be presumed to meet the reasonable expectations of the data subject based on his or her relationship with the controller. The data subject should have the right to object the processing, on grounds relating to their particular situation and free of charge. To ensure transparency, the controller should be obliged to explicitly inform the data subject on the legitimate interests pursued and on the right to object, and also be obliged to document these legitimate interests. The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing. Given that it is for the legislator to provide by law the legal basis for public authorities to process data, this legal ground should not apply for the processing by public authorities in the performance of their tasks.

Council General Approach:

(38) The legitimate interests of a controller including of a controller to which the data may be disclosed or of a third party may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding. This would need careful assessment including whether a data subject can expect at the time and in the context of the collection of the data that processing for this purpose may take place. Legitimate interest could exist for example when there is a relevant and appropriate connection between the data subject and the controller in situations such as the data subject being a client or in the service of the controller. At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can expect at the time and in the context of the collection of the data that processing for this purpose may take place. iIn particular where such assessment must take into account whether the data subject is a child, given that children deserve specific protection. The data subject should have the right to object to the processing, on grounds relating to their particular situation and free of charge. To ensure transparency, the controller should be obliged to explicitly inform the data subject on the legitimate interests pursued and on the right to object, and also be obliged to document these legitimate interests. Given that it is for Union or national law the legislator to provide by law the legal basis for public authorities to process data, this legal ground should not apply for the processing by public authorities in the exercise performance of their tasksduties.


(38a) Controllers that are part of a group of undertakings or institution affiliated to a central body may have a legitimate interest to transmit personal data within the group of undertakings for internal administrative purposes, including the processing of clients' or employees' personal data. The general principles for the transfer of personal data, within a group of undertakings, to an undertaking located in a third country remain unaffected.

Amendment 16

COM (2012)0011:

(39) The processing of data to the extent strictly necessary for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted data, and the security of the related services offered by, or accessible via, these networks and systems, by public authorities, Computer Emergency Response Teams – CERTs, Computer Security Incident Response Teams – CSIRTs, providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the concerned data controller. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.

EP Position / First Reading:

(39) The processing of data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted data, and the security of the related services offered by, or accessible via, these networks and systems, by public authorities, Computer Emergency Response Teams – CERTs, Computer Security Incident Response Teams – CSIRTs, providers of electronic communications networks and services and by providers of security technologies and services constitutes a legitimate interest of the concerned data controller. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems. This principle also applies to processing of personal data to restrict abusive access to and use of publicly available network or information systems, such as the blacklisting of electronic identifiers.

Council General Approach:

(39) The processing of data to the extent strictly necessary for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted data, and the security of the related services offered by, or accessible via, these networks and systems, by public authorities, Computer Emergency Response Teams – CERTs, Computer Security Incident Response Teams - – CSIRTs, providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the concerned data controller concerned. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems. The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.


Amendment 17

(39a) Provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, the prevention or limitation of damages on the side of the data controller should be presumed as carried out for the legitimate interest of the data controller or, in case of disclosure, of the third party to whom the data is are disclosed, and as meeting the reasonable expectations of the data subject based on his or her relationship with the controller. The same principle also applies to the enforcement of legal claims against a data subject, such as debt collection or civil damages and remedies.


Amendment 18

(39b) Provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, the processing of personal data for the purpose of direct marketing for own or similar products and services or for the purpose of postal direct marketing should be presumed as carried out for the legitimate interest of the controller, or in case of disclosure, of the third party to whom the data are disclosed, and as meeting the reasonable expectations of the data subject based on his or her relationship with the controller if highly visible information on the right to object and on the source of the personal data is given. The processing of business contact details should be generally regarded as carried out for the legitimate interest of the controller, or in case of disclosure, of the third party to whom the data are disclosed, and as meeting the reasonable expectations of the data subject based on his or her relationship with the controller. The same should apply to the processing of personal data made manifestly public by the data subject.

Amendment 19

COM (2012)0011: (40) The processing of personal data for other purposes should be only allowed where the processing is compatible with those purposes for which the data have been initially collected, in particular where the processing is necessary for historical, statistical or scientific research purposes. Where the other purpose is not compatible with the initial one for which the data are collected, the controller should obtain the consent of the data subject for this other purpose or should base the processing on another legitimate ground for lawful processing, in particular where provided by Union law or the law of the Member State to which the controller is subject. In any case, the application of the principles set out by this Regulation and in particular the information of the data subject on those other purposes should be ensured.

EP Position / First Reading: deleted

Council General Approach: (40) The processing of personal data for other purposes than the purposes for which the data have been initially collected should be only allowed where the processing is compatible with those purposes for which the data have been initially collected, . in In such case no separate legal basis is required other than the one which allowed the collection of the data. If particular where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Union law or Member State law may determine and specify the tasks and purposes for which the further processing shall be regarded as lawful. The further processing for archiving purposes in the public interest, or historical, statistical, or scientific research or historical purposes or in view of future dispute resolution should be considered as compatible lawful processing operations. The legal basis provided by Union or Member State law for the collection and processing of personal data may also provide a legal basis for further processing for other purposes if these purposes are in line with the assigned task and the controller is entitled legally to collect the data for these other purposes.

In order to ascertain whether a purpose of further processing is compatible with the purpose for which the data are initially collected, the controller, after having met all the requirements for the lawfulness of the original processing, should take into account inter alia any link between those purposes and the purposes of the intended further processing, the context in which the data have been collected, including the reasonable expectations of the data subject as to their further use, the nature of the personal data, the consequences of the intended further processing for data subjects, and the existence of appropriate safeguards in both the original and intended processing operations. Where the intended other purpose is not compatible with the initial one for which the data are collected, the controller should obtain the consent of the data subject for this other purpose or should base the processing on another legitimate ground for lawful processing, in particular where provided by Union law or the law of the Member State to which the controller is subject.

In any case, the application of the principles set out by this Regulation and in particular the information of the data subject on those other purposes and on his or her rights including the right to object, should be ensured. Indicating possible criminal acts or threats to public security by the controller and transmitting these data to a competent authority should be regarded as being in the legitimate interest pursued by the controller. However such transmission in the legitimate interest of the controller or further processing of personal data should be prohibited if the processing is not compatible with a legal, professional or other binding obligation of secrecy.

Amendment 20

COM (2012)0011: (41) Personal data which are, by their nature, particularly sensitive and vulnerable in relation to fundamental rights or privacy, deserve specific protection. Such data should not be processed, unless the data subject gives his explicit consent. However, derogations from this prohibition should be explicitly provided for in respect of specific needs, in particular where the processing is carried out in the course of legitimate activities by certain associations or foundations the purpose of which is to permit the exercise of fundamental freedoms.

EP Position / First Reading: deleted

Council General Approach: (41) Personal data which are, by their nature, particularly sensitive and vulnerable in relation to fundamental rights and freedoms or privacy, deserve specific protection as the context of their processing may create important risks for the fundamental rights and freedoms. These data should also include personal data revealing racial or ethnic origin, whereby the use of the term ‘racial origin’ in this Regulation does not imply an acceptance by the European Union of theories which attempt to determine the existence of separate human races. Such data should not be processed, unless processing is allowed in specific cases set out in this Regulation, taking into account that Member States law may lay down specific provisions on data protection in order to adapt the application of the rules of this Regulation for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. In addition to the specific requirements for such processing, the general principles and other rules of this Regulation should apply, in particular as regards the conditions for lawful processing. Derogations from the general prohibition for processing such special categories of personal data should be explicitly provided inter alia where the data subject gives his or her explicit consent.

However, derogations from this prohibition should be explicitly provided for or in respect of specific needs, in particular where the processing is carried out in the course of legitimate activities by certain associations or foundations the purpose of which is to permit the exercise of fundamental freedoms.

Special categories of personal data may also be processed where the data have manifestly been made public or voluntarily and at the request of the data subject transferred to the controller for a specific purpose specified by the data subject, where the processing is done in the interest of the data subject.

Member State and Union Law may provide that the general prohibition for processing such special categories of personal data in certain cases may not be lifted by the data subject’s explicit consent.

Amendment 21

COM (2012)0011: (42) Derogating from the prohibition on processing sensitive categories of data should also be allowed if done by a law, and subject to suitable safeguards, so as to protect personal data and other fundamental rights, where grounds of public interest so justify and in particular for health purposes, including public health and social protection and the management of health-care services, especially in order to ensure the quality and cost-effectiveness of the procedures used for settling claims for benefits and services in the health insurance system, or for historical, statistical and scientific research purposes.

EP Position / First Reading: (42) Derogating from the prohibition on processing sensitive categories of data should also be allowed if done by a law, and subject to suitable safeguards, so as to protect personal data and other fundamental rights, where grounds of public interest so justify and in particular for health purposes, including public health and social protection and the management of health-care services, especially in order to ensure the quality and cost-effectiveness of the procedures used for settling claims for benefits and services in the health insurance system, for historical, statistical and scientific research purposes, or for archive services.

Council General Approach: (42) Derogating from the prohibition on processing sensitive categories of data should also be allowed if done by a when provided for in Union or Member State law, and subject to suitable safeguards, so as to protect personal data and other fundamental rights, where grounds of public interest so justify, in particular processing data in the field of employment law, social security and social protection law, including pensions and for health security, monitoring and alert purposes, the prevention or control of communicable diseases and other serious threats to health or ensuring high standards of quality and safety of health care and services and of medicinal products or medical devices or assessing public policies adopted in the field of health, also by producing quality and activity indicators. and in particular This may be done for health purposes, including public health and social protection and the management of health-care services, especially in order to ensure the quality and cost-effectiveness of the procedures used for settling claims for benefits and services in the health insurance system, or for archiving in the public interest or historical, statistical and scientific research purposes.

A derogation should also allow processing of such data where necessary for the establishment, exercise or defence of legal claims, regardless of whether in a judicial procedure or whether in an administrative or any out-of-court procedure.

(42a) Special categories of personal data which deserve higher protection, may only be processed for health-related purposes where necessary to achieve those purposes for the benefit of individuals and society as a whole, in particular in the context of the management of health or social care services and systems including the processing by the management and central national health authorities of such data for the purpose of quality control, management information and the general national and local supervision of the health or social care system, and ensuring continuity of health or social care and cross-border healthcare or health security, monitoring and alert purposes or for archiving purposes in the public interest, for historical, statistical or scientific purposes as well as for studies conducted in the public interest in the area of public health. Therefore this Regulation should provide for harmonised conditions for the processing of special categories of personal data concerning health, in respect of specific needs, in particular where the processing of these data is carried out for certain health-related purposes by persons subject to a legal obligation of professional secrecy. Union or Member State law should provide for specific and suitable measures so as to protect the fundamental rights and the personal data of individuals.

(42b) The processing of special categories of personal data may be necessary for reasons of public interest in the areas of public health without consent of the data subject. This processing is subject to suitable and specific measures so as to protect the rights and freedoms of individuals. In that context, ‘public health’ should be interpreted as defined in Regulation (EC) No 1338/2008 of the European Parliament and of the Council of 16 December 2008 on Community statistics on public health and health and safety at work, meaning all elements related to health, namely health status, including morbidity and disability, the determinants having an effect on that health status, health care needs, resources allocated to health care, the provision of, and universal access to, health care as well as health care expenditure and financing, and the causes of mortality. Such processing of personal data concerning health for reasons of public interest should not result in personal data being processed for other purposes by third parties such as employers, insurance and banking companies.

COM (2012)0011: (43) Moreover, the processing of personal data by official authorities for achieving aims, laid down in constitutional law or international public law, of officially recognised religious associations is carried out on grounds of public interest.

EP Position / First Reading: (43) Moreover, the processing of personal data by official authorities for achieving aims, laid down in constitutional law or international public law, of officially recognised religious associations is carried out on grounds of public interest.

Council General Approach: (43) Moreover, the processing of personal data by official authorities for achieving aims, laid down in constitutional law or international public law, of officially recognised religious associations is carried out on grounds of public interest.

COM (2012)0011: (44) Where in the course of electoral activities, the operation of the democratic system requires in a Member State that political parties compile data on people's political opinions, the processing of such data may be permitted for reasons of public interest, provided that appropriate safeguards are established.

EP Position / First Reading: (44) Where in the course of electoral activities, the operation of the democratic system requires in a Member State that political parties compile data on people's political opinions, the processing of such data may be permitted for reasons of public interest, provided that appropriate safeguards are established.

Council General Approach: (44) Where in the course of electoral activities, the operation of the democratic system requires in a Member State that political parties compile data on people's political opinions, the processing of such data may be permitted for reasons of public interest, provided that appropriate safeguards are established.

Amendment 22

COM (2012)0011: (45) If the data processed by a controller do not permit the controller to identify a natural person, the data controller should not be obliged to acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation. In case of a request for access, the controller should be entitled to ask the data subject for further information to enable the data controller to locate the personal data which that person seeks.

EP Position / First Reading: (45) If the data processed by a controller do not permit the controller to identify a natural person, the data controller should not be obliged to acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation. In case of a request for access, the controller should be entitled to ask the data subject for further information to enable the data controller to locate the personal data which that person seeks. If it is possible for the data subject to provide such data, controllers should not be able to invoke a lack of information to refuse an access request.

Council General Approach: (45) If the data processed by a controller do not permit the controller to identify a natural person, the data controller should not be obliged to acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation. In case of a request for access, the controller should be entitled to ask the data subject for further information to enable the data controller to locate the personal data which that person seeks However, the controller should not refuse to take additional information provided by the data subject in order to support the exercise of his or her rights.

COM (2012)0011: (46) The principle of transparency requires that any information addressed to the public or to the data subject should be easily accessible and easy to understand, and that clear and plain language is used. This is in particular relevant where in situations, such as online advertising, the proliferation of actors and the technological complexity of practice makes it difficult for the data subject to know and understand if personal data relating to them are being collected, by whom and for what purpose. Given that children deserve specific protection, any information and communication, where processing is addressed specifically to a child, should be in such a clear and plain language that the child can easily understand.

EP Position / First Reading: (46) The principle of transparency requires that any information addressed to the public or to the data subject should be easily accessible and easy to understand, and that clear and plain language is used. This is in particular relevant where in situations, such as online advertising, the proliferation of actors and the technological complexity of practice makes it difficult for the data subject to know and understand if personal data relating to him or her are being collected, by whom and for what purpose. Given that children deserve specific protection, any information and communication, where processing is addressed specifically to a child, should be in such a clear and plain language that the child can easily understand.

Council General Approach: (46) The principle of transparency requires that any information addressed to the public or to the data subject should be easily accessible and easy to understand, and that clear and plain language and, additionally, where appropriate, visualisation is used. This information could be provided in electronic form, for example, when addressed to the public, through a website. This is in particular relevant where in situations, such as online advertising, the proliferation of actors and the technological complexity of practice makes it difficult for the data subject to know and understand if personal data relating to them are being collected, by whom and for what purpose. Given that children deserve specific protection, any information and communication, where processing is addressed specifically to a child, should be in such a clear and plain language that the child can easily understand.

Amendment 23

COM (2012)0011: (47) Modalities should be provided for facilitating the data subject’s exercise of their rights provided by this Regulation, including mechanisms to request, free of charge, in particular access to data, rectification, erasure and to exercise the right to object. The controller should be obliged to respond to requests of the data subject within a fixed deadline and give reasons, in case he does not comply with the data subject's request.

EP Position / First Reading: (47) Modalities should be provided for facilitating the data subject’s exercise of his or her rights provided by this Regulation, including mechanisms to request obtain, free of charge, in particular access to data, rectification, erasure and to exercise the right to object. The controller should be obliged to respond to requests of the data subject within a fixed reasonable deadline and give reasons, in case he does not comply with the data subject’s request.

Council General Approach: (47) Modalities should be provided for facilitating the data subject’s exercise of their rights provided by this Regulation, including mechanisms to request, free of charge, in particular access to data, rectification, erasure and to exercise the right to object. Thus the controller should also provide means for requests to be made electronically, especially where personal data are processed by electronic means. The controller should be obliged to respond to requests of the data subject without undue delay and at the latest within a fixed deadline of one month and give reasons where the controller , in case he does not intend to comply with the data subject's request.

Amendment 24

COM (2012)0011: (48) The principles of fair and transparent processing require that the data subject should be informed in particular of the existence of the processing operation and its purposes, how long the data will be stored, on the existence of the right of access, rectification or erasure and on the right to lodge a complaint. Where the data are collected from the data subject, the data subject should also be informed whether they are obliged to provide the data and of the consequences, in cases they do not provide such data.

EP Position / First Reading: (48) The principles of fair and transparent processing require that the data subject should be informed in particular of the existence of the processing operation and its purposes, how long the data will be likely stored for each purpose, if the data are to be transferred to third parties or third countries, on the existence of measures to object and of the right of access, rectification or erasure and on the right to lodge a complaint. Where the data are collected from the data subject, the data subject should also be informed whether they are obliged to provide the data and of the consequences, in cases they do not provide such data. This information should be provided, which can also mean made readily available, to the data subject after the provision of simplified information in the form of standardised icons. This should also mean that personal data are processed in a way that effectively allows the data subject to exercise his or her rights.

Council General Approach: (48) The principles of fair and transparent processing require that the data subject should be informed in particular of the existence of the processing operation and its purposes, how long the data will be stored, on the existence of the right of access, rectification or erasure and on the right to lodge a complaint. The controller should provide the data subject with any further information necessary to guarantee fair and transparent processing. Furthermore the data subject should be informed about the existence of profiling, and the consequences of such profiling. Where the data are collected from the data subject, the data subject should also be informed whether they are obliged to provide the data and of the consequences, in cases they do not provide such data.

COM (2012)0011: (49) The information in relation to the processing of personal data relating to the data subject should be given to them at the time of collection, or, where the data are not collected from the data subject, within a reasonable period, depending on the circumstances of the case. Where data can be legitimately disclosed to another recipient, the data subject should be informed when the data are first disclosed to the recipient.

EP Position / First Reading: (49) The information in relation to the processing of personal data relating to the data subject should be given to them at the time of collection, or, where the data are not collected from the data subject, within a reasonable period, depending on the circumstances of the case. Where data can be legitimately disclosed to another recipient, the data subject should be informed when the data are first disclosed to the recipient.

Council General Approach: (49) The information in relation to the processing of personal data relating to the data subject should be given to them at the time of collection, or, where the data are not collected from the data subject, within a reasonable period, depending on the circumstances of the case. Where data can be legitimately disclosed to another recipient, the data subject should be informed when the data are first disclosed to the recipient. Where the controller intends to process the data for a purpose other than the one for which the data were collected the controller should provide the data subject prior to that further processing with information on that other purpose and other necessary information. Where the origin of the data could not be provided to the data subject because various sources have been used, the information should be provided in a general manner.

Amendment 25

COM (2012)0011: (50) However, it is not necessary to impose this obligation where the data subject already disposes of this information, or where the recording or disclosure of the data is expressly laid down by law, or where the provision of information to the data subject proves impossible or would involve disproportionate efforts. The latter could be particularly the case where processing is for historical, statistical or scientific research purposes; in this regard, the number of data subjects, the age of the data, and any compensatory measures adopted may be taken into consideration.

EP Position / First Reading: (50) However, it is not necessary to impose this obligation where the data subject already disposes of knows this information, or where the recording or disclosure of the data is expressly laid down by law, or where the provision of information to the data subject proves impossible or would involve disproportionate efforts. The latter could be particularly the case where processing is for historical, statistical or scientific research purposes; in this regard, the number of data subjects, the age of the data, and any compensatory measures adopted may be taken into consideration.

Council General Approach: (50) However, it is not necessary to impose this obligation where the data subject already disposes possesses of this information, or where the recording or disclosure of the data is expressly laid down by law, or where the provision of information to the data subject proves impossible or would involve disproportionate efforts. The latter could be particularly the case where processing is for archiving purpose in the public interest, for historical, statistical or scientific research purposes; in this regard, the number of data subjects, the age of the data, and any compensatory measures appropriate safeguards adopted may be taken into consideration.

Amendment 26

COM (2012)0011: (51) Any person should have the right of access to data which has been collected concerning them, and to exercise this right easily, in order to be aware and verify the lawfulness of the processing. Every data subject should therefore have the right to know and obtain communication in particular for what purposes the data are processed, for what period, which recipients receive the data, what is the logic of the data that are undergoing the processing and what might be, at least when based on profiling, the consequences of such processing. This right should not adversely affect the rights and freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software. However, the result of these considerations should not be that all information is refused to the data subject.

EP Position / First Reading: (51) Any person should have the right of access to data which have been collected concerning them, and to exercise this right easily, in order to be aware and verify the lawfulness of the processing. Every data subject should therefore have the right to know and obtain communication in particular for what purposes the data are processed, for what estimated period, which recipients receive the data, what is the general logic of the data that are undergoing the processing and what might be, at least when based on profiling, the consequences of such processing. This right should not adversely affect the rights and freedoms of others, including trade secrets or intellectual property and in particular, such as in relation to the copyright protecting the software. However, the result of these considerations should not be that all information is refused to the data subject.

Council General Approach: (51) Any A natural person should have the right of access to data which has been collected concerning them him or her, and to exercise this right easily and at reasonable intervals, in order to be aware of and verify the lawfulness of the processing. This includes the right for individuals to have access to their personal data concerning their health, for example the data in their medical records containing such information as diagnosis, examination results, assessments by treating physicians and any treatment or interventions provided. Every data subject should therefore have the right to know and obtain communication in particular for what purposes the data are processed, where possible for what period, which recipients receive the data, what is the logic involved in any automatic of the data that are undergoing the processing and what might be, at least when based on profiling, the consequences of such processing. This right should not adversely affect the rights and freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software. However, the result of these considerations should not be that all information is refused to the data subject. Where the controller processes a large quantity of information concerning the data subject, the controller may request that before the information is delivered the data subject specify to which information or to which processing activities the request relates.

COM (2012)0011: (52) The controller should use all reasonable measures to verify the identity of a data subject that requests access, in particular in the context of online services and online identifiers. A controller should not retain personal data for the unique purpose of being able to react to potential requests.

EP Position / First Reading: (52) The controller should use all reasonable measures to verify the identity of a data subject that requests access, in particular in the context of online services and online identifiers. A controller should not retain personal data for the unique purpose of being able to react to potential requests.

Council General Approach: (52) The controller should use all reasonable measures to verify the identity of a data subject that who requests access, in particular in the context of online services and online identifiers. Identification should include the digital identification of a data subject, for example through authentication mechanism such as the same credentials, used by the data subject to log-into the on-line service offered by the data controller. A controller should not retain personal data for the unique sole purpose of being able to react to potential requests.

Amendment 27

COM (2012)0011:

(53) Any person should have the right to have personal data concerning them rectified and a 'right to be forgotten' where the retention of such data is not in compliance with this Regulation. In particular, data subjects should have the right that their personal data are erased and no longer processed, where the data are no longer necessary in relation to the purposes for which the data are collected or otherwise processed, where data subjects have withdrawn their consent for processing or where they object to the processing of personal data concerning them or where the processing of their personal data otherwise does not comply with this Regulation. This right is particularly relevant, when the data subject has given their consent as a child, when not being fully aware of the risks involved by the processing, and later wants to remove such personal data especially on the Internet. However, the further retention of the data should be allowed where it is necessary for historical, statistical and scientific research purposes, for reasons of public interest in the area of public health, for exercising the right of freedom of expression, when required by law or where there is a reason to restrict the processing of the data instead of erasing them.

EP Position / First Reading:

(53) Any person should have the right to have personal data concerning them rectified and a 'right to be forgotten erasure' where the retention of such data is not in compliance with this Regulation. In particular, data subjects should have the right that their personal data are erased and no longer processed, where the data are no longer necessary in relation to the purposes for which the data are collected or otherwise processed, where data subjects have withdrawn their consent for processing or where they object to the processing of personal data concerning them or where the processing of their personal data otherwise does not comply with this Regulation. This right is particularly relevant, when the data subject has given their consent as a child, when not being fully aware of the risks involved by the processing, and later wants to remove such personal data especially on the Internet. However, the further retention of the data should be allowed where it is necessary for historical, statistical and scientific research purposes, for reasons of public interest in the area of public health, for exercising the right of freedom of expression, when required by law or where there is a reason to restrict the processing of the data instead of erasing them. Also, the right to erasure should not apply when the retention of personal data is necessary for the performance of a contract with the data subject, or when there is a legal obligation to retain this data.

Council General Approach:

(53) Any A natural person should have the right to have personal data concerning them rectified and a 'right to be forgotten' where the retention of such data is not in compliance with this Regulation or with Union or Member State law to which the controller is subject. In particular, data subjects should have the right that their personal data are erased and no longer processed, where the data are no longer necessary in relation to the purposes for which the data are collected or otherwise processed, where data subjects have withdrawn their consent for processing or where they object to the processing of personal data concerning them or where the processing of their personal data otherwise does not comply with this Regulation. This right is particularly in particular relevant, when the data subject has given their consent as a child, when not being fully aware of the risks involved by the processing, and later wants to remove such personal data especially on the Internet. The data subject should be able to exercise this right notwithstanding the fact that he or she is no longer a child. However, the further retention of the data should be allowed lawful where it is necessary for historical, statistical and scientific research purposes, for reasons of public interest in the area of public health, for exercising the right of freedom of expression and information, for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, for reasons of public interest in the area of public health, for archiving purposes in the public interest, for historical, statistical and scientific purposes or for the establishment, exercise or defence of legal claims when required by law or where there is a reason to restrict the processing of the data instead of erasing them.

Amendment 28

COM (2012)0011:

(54) To strengthen the 'right to be forgotten' in the online environment, the right to erasure should also be extended in such a way that a controller who has made the personal data public should be obliged to inform third parties which are processing such data that a data subject requests them to erase any links to, or copies or replications of that personal data. To ensure this information, the controller should take all reasonable steps, including technical measures, in relation to data for the publication of which the controller is responsible. In relation to a third party publication of personal data, the controller should be considered responsible for the publication, where the controller has authorised the publication by the third party.

EP Position / First Reading:

(54) To strengthen the 'right to be forgotten erasure' in the online environment, the right to erasure should also be extended in such a way that a controller who has made the personal data public without legal justification should be obliged to inform third parties which are processing such data that a data subject requests them to erase any links to, or copies or replications of that personal data. To ensure this information, the controller should take all reasonable steps, including technical measures, in relation to data for the publication of which the controller is responsible. In relation to a third party publication of personal data, the controller should be considered responsible for the publication, where the controller has authorised the publication by the third party take all necessary steps to have the data erased, including by third parties, without prejudice to the right of the data subject to claim compensation.

Council General Approach:

(54) To strengthen the 'right to be forgotten' in the online environment, the right to erasure should also be extended in such a way that a controller who has made the personal data public should be obliged to inform third parties the controllers which are processing such data that a data subject requests them to erase any links to, or copies or replications of that personal data. To ensure this the above mentioned information, the controller should take all reasonable steps, taking into account available technology and the means available to the controller, including technical measures, in relation to data for the publication of which the controller is responsible. In relation to a third party publication of personal data, the controller should be considered responsible for the publication, where the controller has authorised the publication by the third party.

Amendment 29

(54a) Data which are contested by the data subject and whose accuracy or inaccuracy cannot be determined should be blocked until the issue is cleared.

(54a) Methods to restrict processing of personal data could include, inter alia, temporarily moving the selected data to another processing system or making the selected data unavailable to users or temporarily removing published data from a website. In automated filing systems the restriction of processing of personal data should in principle be ensured by technical means; the fact that the processing of personal data is restricted should be indicated in the system in such a way that it is clear that the processing of the personal data is restricted.

Amendment 30

COM (2012)0011:

(55) To further strengthen the control over their own data and their right of access, data subjects should have the right, where personal data are processed by electronic means and in a structured and commonly used format, to obtain a copy of the data concerning them also in commonly used electronic format. The data subject should also be allowed to transmit those data, which they have provided, from one automated application, such as a social network, into another one. This should apply where the data subject provided the data to the automated processing system, based on their consent or in the performance of a contract.

EP Position / First Reading:

(55) To further strengthen the control over their own data and their right of access, data subjects should have the right, where personal data are processed by electronic means and in a structured and commonly used format, to obtain a copy of the data concerning them also in commonly used electronic format. The data subject should also be allowed to transmit those data, which they have provided, from one automated application, such as a social network, into another one. Data controllers should be encouraged to develop interoperable formats that enable data portability. This should apply where the data subject provided the data to the automated processing system, based on their his or her consent or in the performance of a contract. Providers of information society services should not make the transfer of those data mandatory for the provision of their services.

Council General Approach:

(55) To further strengthen the control over their own data and their right of access, data subjects should have the right, where the processing of personal data are processed is carried out by electronic automated means and in a structured and commonly used format, to obtain a copy of the data concerning them also in commonly used electronic format. The the data subject should also be allowed to transmit receive those the personal data concerning him or her, which they have he or she has provided, from one automated application, such as a social network, into to a controller, in a structured and commonly used and machine-readable format and transmit to another one controller.

This right should apply where the data subject provided the personal data to the automated processing system, based on their his or her consent or in the performance of a contract. It should not apply where processing is based on another legal ground other than consent or contract. By its very nature this right should not be exercised against controllers processing data in the exercise of their public duties. It should therefore in particular not apply where processing of the personal data is necessary for compliance with a legal obligation to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of an official authority vested in the controller.

The data subject’s right to transmit personal data does not create an obligation for the controllers to adopt or maintain data processing systems which are technically compatible.

Where, in a certain set of personal data, more than one data subject is concerned, the right to transmit the data should be without prejudice to the requirements on the lawfulness of the processing of personal data related to another data subject in accordance with this Regulation. This right should also not prejudice the right of the data subject to obtain the erasure of personal data and the limitations of that right as set out in this Regulation and should in particular not imply the erasure of personal data concerning the data subject which have been provided by him or her for the performance of a contract, to the extent and as long as the data are necessary for the performance of that contract.

Amendment 31

COM (2012)0011:

(56) In cases where personal data might lawfully be processed to protect the vital interests of the data subject, or on grounds of public interest, official authority or the legitimate interests of a controller, any data subject should nevertheless be entitled to object to the processing of any data relating to them. The burden of proof should be on the controller to demonstrate that their legitimate interests may override the interests or the fundamental rights and freedoms of the data subject.

EP Position / First Reading:

(56) In cases where personal data might lawfully be processed to protect the vital interests of the data subject, or on grounds of public interest, official authority or the legitimate interests of a controller, any data subject should nevertheless be entitled to object to the processing of any data relating to them him or her, free of charge and in a manner that can be easily and effectively invoked. The burden of proof should be on the controller to demonstrate that their legitimate interests may override the interests or the fundamental rights and freedoms of the data subject.

Council General Approach:

(56) In cases where personal data might lawfully be processed to protect the vital interests of the data subject, or because processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or on grounds of public interest, official authority or the legitimate interests of a controller or a third party, any data subject should nevertheless be entitled to object to the processing of any data relating to them their particular situation. The burden of proof It should be on for the controller to demonstrate that their compelling legitimate interests may override the interests or the fundamental rights and freedoms of the data subject.

Amendment 32

COM (2012)0011:

(57) Where personal data are processed for the purposes of direct marketing, the data subject should have the right to object to such processing free of charge and in a manner that can be easily and effectively invoked.

EP Position / First Reading:

(57) Where personal data are processed for the purposes of direct marketing, the data subject should have has the right to object to such the processing free of charge and in a manner that can be easily and effectively invoked, the controller should explicitly offer it to the data subject in an intelligible manner and form, using clear and plain language and should clearly distinguish it from other information.

Council General Approach:

(57) Where personal data are processed for the purposes of direct marketing, the data subject should have the right to object to such processing, whether the initial or further processing, free of charge and in a manner that can be easily and effectively invoked.

Amendment 33

COM (2012)0011:

(58) Every natural person should have the right not to be subject to a measure which is based on profiling by means of automated processing. However, such measure should be allowed when expressly authorised by law, carried out in the course of entering or performance of a contract, or when the data subject has given his consent. In any case, such processing should be subject to suitable safeguards, including specific information of the data subject and the right to obtain human intervention and that such measure should not concern a child.

EP Position / First Reading:

(58) Without prejudice to the lawfulness of the data processing, every natural person should have the right not to be subject to object to a measure which is based on profiling by means of automated processing. However, such measure. Profiling which leads to measures producing legal effects concerning the data subject or does similarly significantly affect the interests, rights or freedoms of the concerned data subject should only be allowed when expressly authorised by law, carried out in the course of entering or performance of a contract, or when the data subject has given his consent. The In any case, such processing should be subject to suitable safeguards, including specific information of the data subject and the right to obtain human intervention assessment and that such measure should not concern a child. Such measures should not lead to discrimination against individuals on the basis of race or ethnic origin, political opinions, religion or beliefs, trade union membership, sexual orientation or gender identity.

Council General Approach:

(58) Every natural person The data subject should have the right not to be subject to a measure a decision evaluating personal aspects relating to him or her which is based solely on profiling by means of automated processing, which produces legal effects concerning him or her or significantly affects him or her, like automatic refusal of an on-line credit application or e-recruiting practices without any human intervention. Such processing includes also 'profiling' consisting in any form of automated processing of personal data evaluating personal aspects relating to a natural person, in particular to analyse or predict aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements as long as it produces legal effects concerning him or her or significantly affects him or her. However, such measure decision making based on such processing, including profiling, should be allowed when expressly authorised by Union or Member State law, carried out in the course of to which the controller is subject, including for fraud and tax evasion monitoring and prevention purposes and to ensure the security and reliability of a service provided by the controller, or necessary for the entering or performance of a contract between the data subject and a controller, or when the data subject has given his or her explicit consent. In any case, such processing should be subject to suitable safeguards, including specific information of the data subject and the right to obtain human intervention and that such measure should not concern a child, to express his or her point of view, to get an explanation of the decision reached after such assessment and the right to contest the decision. In order to ensure fair and transparent processing in respect of the data subject, having regard to the specific circumstances and context in which the personal data are processed, the controller should use adequate mathematical or statistical procedures for the profiling, implement technical and organisational measures appropriate to ensure in particular that factors which result in data inaccuracies are corrected and the risk of errors is minimized, secure personal data in a way which takes account of the potential risks involved for the interests and rights of the data subject and which prevents inter alia discriminatory effects against individuals on the basis of race or ethnic origin, political opinions, religion or beliefs, trade union membership, genetic or health status, sexual orientation or that result in measures having such effect. Automated decision making and profiling based on special categories of personal data should only be allowed under specific conditions.

Amendment 34

(58a) Profiling based solely on the processing of pseudonymous data should be presumed not to significantly affect the interests, rights or freedoms of the data subject. Where profiling, whether based on a single source of pseudonymous data or on the aggregation of pseudonymous data from different sources, permits the controller to attribute pseudonymous data to a specific data subject, the processed data should no longer be considered to be pseudonymous.

(58a) Profiling as such is subject to the (general) rules of this Regulation governing processing of personal data (legal grounds of processing, data protection principles etc.) with specific safeguards (for instance the obligation to conduct an impact assessment in some cases or provisions concerning specific information to be provided to the concerned individual). The European Data Protection Board should have the possibility to issue guidance in this context.

Amendment 35

COM (2012)0011:

(59) Restrictions on specific principles and on the rights of information, access, rectification and erasure or on the right to data portability, the right to object, measures based on profiling, as well as on the communication of a personal data breach to a data subject and on certain related obligations of the controllers may be imposed by Union or Member State law, as far as necessary and proportionate in a democratic society to safeguard public security, including the protection of human life especially in response to natural or man made disasters, the prevention, investigation and prosecution of criminal offences or of breaches of ethics for regulated professions, other public interests of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, or the protection of the data subject or the rights and freedoms of others. Those restrictions should be in compliance with requirements set out by the Charter of Fundamental Rights of the European Union and by the European Convention for the Protection of Human Rights and Fundamental Freedoms.

EP Position / First Reading:

(59) Restrictions on specific principles and on the rights of information, access, rectification and erasure or on the right of access and to obtain data portability, the right to object, measures based on profiling, as well as on the communication of a personal data breach to a data subject and on certain related obligations of the controllers may be imposed by Union or Member State law, as far as necessary and proportionate in a democratic society to safeguard public security, including the protection of human life especially in response to natural or man made disasters, the prevention, investigation and prosecution of criminal offences or of breaches of ethics for regulated professions, other specific and well-defined public interests of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, or the protection of the data subject or the rights and freedoms of others. Those restrictions should be in compliance with requirements set out by the Charter of Fundamental Rights of the European Union and by the European Convention for the Protection of Human Rights and Fundamental Freedoms.

Council General Approach:

(59) Restrictions on specific principles and on the rights of information, access, rectification and erasure or on the right to data portability, the right to object, measures based on profiling, as well as on the communication of a personal data breach to a data subject and on certain related obligations of the controllers may be imposed by Union or Member State law, as far as necessary and proportionate in a democratic society to safeguard public security, including the protection of human life especially in response to natural or man made disasters, the prevention, investigation and prosecution of criminal offences or of breaches of ethics for regulated professions, other public interests of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, the keeping of public registers kept for reasons of general public interest, further processing of archived personal data to provide specific information related to the political behaviour under former totalitarian state regimes or the protection of the data subject or the rights and freedoms of others, including social protection public health and humanitarian purposes, such as the performance of a task incumbent upon the International Red Cross and Red Crescent Movement. Those restrictions should be in compliance with requirements set out by the Charter of Fundamental Rights of the European Union and by the European Convention for the Protection of Human Rights and Fundamental Freedoms.

(59a) Nothing in this Regulation should derogate from the privilege of non-disclosure of confidential information of the International Committee of the Red Cross under international law, which shall be applicable in judicial and administrative proceedings.

Amendment 36

COM (2012)0011:

(60) Comprehensive responsibility and liability of the controller for any processing of personal data carried out by the controller or on the controller's behalf should be established. In particular, the controller should ensure and be obliged to demonstrate the compliance of each processing operation with this Regulation.

EP Position / First Reading:

(60) Comprehensive responsibility and liability of the controller for any processing of personal data carried out by the controller or on the controller's behalf should be established, in particular with regard to documentation, data security, impact assessments, the data protection officer and oversight by data protection authorities. In particular, the controller should ensure and be obliged able to demonstrate the compliance of each processing operation with this Regulation. This should be verified by independent internal or external auditors.

Council General Approach:

(60) Comprehensive The responsibility and liability of the controller for any processing of personal data carried out by the controller or on the controller's behalf should be established. In particular, the controller should ensure and be obliged to implement appropriate measures and be able to demonstrate the compliance of each processing operation activities with this Regulation. These measures should take into account the nature, scope, context and purposes of the processing and the risk for the rights and freedoms of individuals.

(60a) Such risks, of varying likelihood and severity, may result from data processing which could lead to physical, material or moral damage, in particular where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of data protected by professional secrecy, unauthorized reversal of pseudonymisation, or any other significant economic or social disadvantage; or where data subjects might be deprived of their rights and freedoms or from exercising control over their personal data; where personal data are processed which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade-union membership, and the processing of genetic data or data concerning health or sex life or criminal convictions and offences or related security measures; where personal aspects are evaluated, in particular analysing and prediction of aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, in order to create or use personal profiles; where personal data of vulnerable individuals, in particular of children, are processed; where processing involves a large amount of personal data and affects a large number of data subjects.

(60b) The likelihood and severity of the risk should be determined in function of the nature, scope, context and purposes of the data processing. Risk should be evaluated on an objective assessment, by which it is established whether data processing operations involve a high risk. A high risk is a particular risk of prejudice to the rights and freedoms of individuals.

(60c) Guidance for the implementation of appropriate measures, and for demonstrating the compliance by the controller or processor, especially as regards the identification of the risk related to the processing, their assessment in terms of their origin, nature, likelihood and severity, and the identification of best practices to mitigate the risk, could be provided in particular by approved codes of conduct, approved certifications, guidelines of the European Data Protection Board or through the indications provided by a data protection officer. The European Data Protection Board may also issue guidelines on processing operations that are considered to be unlikely to result in a high risk for the rights and freedoms of individuals and indicate what measures may be sufficient in such cases to address such risk.

Amendment 37

COM (2012)0011:

(61) The protection of the rights and freedoms of data subjects with regard to the processing of personal data require that appropriate technical and organisational measures are taken, both at the time of the design of the processing and at the time of the processing itself, to ensure that the requirements of this Regulation are met. In order to ensure and demonstrate compliance with this Regulation, the controller should adopt internal policies and implement appropriate measures, which meet in particular the principles of data protection by design and data protection by default.

EP Position / First Reading:

(61) The protection of the rights and freedoms of data subjects with regard to the processing of personal data require that appropriate technical and organisational measures are taken, both at the time of the design of the processing and at the time of the processing itself, to ensure that the requirements of this Regulation are met. In order to ensure and demonstrate compliance with this Regulation, the controller should adopt internal policies and implement appropriate measures, which meet in particular the principles of data protection by design and data protection by default. The principle of data protection by design requires data protection to be embedded within the entire life cycle of the technology, from the very early design stage, right through to its ultimate deployment, use and final disposal. This should also include the responsibility for the products and services used by the controller or processor. The principle of data protection by default requires privacy settings on services and products which should by default comply with the general principles of data protection, such as data minimisation and purpose limitation.

Council General Approach:

(61) The protection of the rights and freedoms of data subjects individuals with regard to the processing of personal data require that appropriate technical and organisational measures are taken, both at the time of the design of the processing and at the time of the processing itself, to ensure that the requirements of this Regulation are met. In order to ensure and be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement appropriate measures, which meet in particular the principles of data protection by design and data protection by default. Such measures could consist inter alia of minimising the processing of personal data, pseudonymising personal data as soon as possible, transparency with regard to the functions and processing of personal data, enabling the data subject to monitor the data processing, enabling the controller to create and improve security features. When developing, designing, selecting and using applications, services and products that are either based on the processing of personal data or process personal data to fulfil their task, producers of the products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications and, with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations.

Amendment 38

COM (2012)0011:

(62) The protection of the rights and freedoms of data subjects as well as the responsibility and liability of controllers and processor, also in relation to the monitoring by and measures of supervisory authorities, requires a clear attribution of the responsibilities under this Regulation, including where a controller determines the purposes, conditions and means of the processing jointly with other controllers or where a processing operation is carried out on behalf of a controller.

EP Position / First Reading:

(62) The protection of the rights and freedoms of data subjects as well as the responsibility and liability of controllers and processor, also in relation to the monitoring by and measures of supervisory authorities, requires a clear attribution of the responsibilities under this Regulation, including where a controller determines the purposes, conditions and means of the processing jointly with other controllers or where a processing operation is carried out on behalf of a controller. The arrangement between the joint controllers should reflect the joint controllers' effective roles and relationships. The processing of personal data under this Regulation should include the permission for a controller to transmit the data to a joint controller or to a processor for the processing of the data on their his or her behalf.

Council General Approach:

(62) The protection of the rights and freedoms of data subjects as well as the responsibility and liability of controllers and processors, also in relation to the monitoring by and measures of supervisory authorities, requires a clear attribution of the responsibilities under this Regulation, including where a controller determines the purposes, conditions and means of the processing jointly with other controllers or where a processing operation is carried out on behalf of a controller.

Amendment 39

COM (2012)0011:

(63) Where a controller not established in the Union is processing personal data of data subjects residing in the Union whose processing activities are related to the offering of goods or services to such data subjects, or to the monitoring their behaviour, the controller should designate a representative, unless the controller is established in a third country ensuring an adequate level of protection, or the controller is a small or medium sized enterprise or a public authority or body or where the controller is only occasionally offering goods or services to such data subjects. The representative should act on behalf of the controller and may be addressed by any supervisory authority.

EP Position / First Reading:

(63) Where a controller not established in the Union is processing personal data of data subjects residing in the Union whose processing activities are related to the offering of goods or services to such data subjects, or to the monitoring their behaviour, the controller should designate a representative, unless the controller is established in a third country ensuring an adequate level of protection, or the controller is a small or medium sized enterprise or processing relates to fewer than 5000 data subjects during any consecutive 12-month period and is not carried out on special categories of personal data, or is a public authority or body or where the controller is only occasionally offering goods or services to such data subjects. The representative should act on behalf of the controller and may be addressed by any supervisory authority.

Council General Approach:

(63) Where a controller not established in the Union is processing personal data of data subjects residing in the Union whose processing activities are related to the offering of goods or services to such data subjects, or to the monitoring of their behaviour in the Union, the controller should designate a representative, unless the processing it carries out is occasional and unlikely to result in a risk for the rights and freedoms of data subjects, taking into account the nature, scope, context and purposes of the processing or the controller is established in a third country ensuring an adequate level of protection, or the controller is a small or medium sized enterprise or a public authority or body or where the controller is only occasionally offering goods or services to such data subjects. The representative should act on behalf of the controller and may be addressed by any supervisory authority.

The representative should be explicitly designated by a written mandate of the controller to act on its behalf with regard to the latter's obligations under this Regulation. The designation of such representative does not affect the responsibility and liability of the controller under this Regulation. Such representative should perform its tasks according to the received mandate from the controller, including to cooperate with the competent supervisory authorities on any action taken in ensuring compliance with this Regulation. The designated representative should be subjected to enforcement actions in case of non-compliance by the controller.

(63a) To ensure compliance with the requirements of this Regulation in respect of the processing to be carried out by the processor on behalf of the controller, when entrusting a processor with processing activities, the controller should use only processors providing

sufficient guarantees, in particular in terms of expert knowledge, reliability and resources, to implement technical and organisational measures which will meet the requirements of this Regulation, including for the security of processing. Adherence of the processor to an approved code of conduct or an approved certification mechanism may be used as an element to demonstrate compliance with the obligations of the controller. The carrying out of processing by a processor should be governed by a contract or other legal act under Union or Member State law, binding the processor to the controller, setting out the subject-matter and duration of the processing, the nature and purposes of the processing, the type of personal data and categories of data subjects, taking into account the specific tasks and responsibilities of the processor in the context of the processing to be carried out and the risk for the rights and freedoms of the data subject.

The controller and processor may choose to use an individual contract or standard contractual clauses which are adopted either directly by the Commission or by a supervisory authority in accordance with the consistency mechanism and then adopted by the Commission, or which are part of a certification granted in the certification mechanism. After the completion of the processing on behalf of the controller, the processor should return or delete the personal data, unless there is a requirement to store the data under Union or Member State law to which the processor is subject.

Amendment 39

COM (2012)0011: (64) In order to determine whether a controller is only occasionally offering goods and services to data subjects residing in the Union, it should be ascertained whether it is apparent from the controller's overall activities that the offering of goods and services to such data subjects is ancillary to those main activities.

EP Position / First Reading: (64) In order to determine whether a controller is only occasionally offering goods and services to data subjects residing in the Union, it should be ascertained whether it is apparent from the controller's overall activities that the offering of goods and services to such data subjects is ancillary to those main activities.

Council General Approach: deleted

Amendment 41

COM (2012)0011: (65) In order to demonstrate compliance with this Regulation, the controller or processor should document each processing operation. Each controller and processor should be obliged to co-operate with the supervisory authority and make this documentation, on request, available to it, so that it might serve for monitoring those processing operations.

EP Position / First Reading: (65) In order to be able to demonstrate compliance with this Regulation, the controller or processor should document each processing operation maintain the documentation necessary in order to fulfill the requirements laid down in this Regulation. Each controller and processor should be obliged to co-operate with the supervisory authority and make this documentation, on request, available to it, so that it might serve for monitoring those processing operations evaluating the compliance with this Regulation. However, equal emphasis and significance should be placed on good practice and compliance and not just the completion of documentation.

Council General Approach: (65) In order to demonstrate compliance with this Regulation, the controller or processor should document each maintain records regarding all categories of processing operationactivities under its responsibility. Each controller and processor should be obliged to co-operate with the supervisory authority and make this documentationthese records, on request, available to it, so that it might serve for monitoring those processing operations.

Amendment 42

COM (2012)0011: (66) In order to maintain security and to prevent processing in breach of this Regulation, the controller or processor should evaluate the risks inherent to the processing and implement measures to mitigate those risks. These measures should ensure an appropriate level of security, taking into account the state of the art and the costs of their implementation in relation to the risks and the nature of the personal data to be protected. When establishing technical standards and organisational measures to ensure security of processing, the Commission should promote technological neutrality, interoperability and innovation, and, where appropriate, cooperate with third countries.

EP Position / First Reading: (66) In order to maintain security and to prevent processing in breach of this Regulation, the controller or processor should evaluate the risks inherent to the processing and implement measures to mitigate those risks. These measures should ensure an appropriate level of security, taking into account the state of the art and the costs of their implementation in relation to the risks and the nature of the personal data to be protected. When establishing technical standards and organisational measures to ensure security of processing, the Commission should promote technological neutrality, interoperability and innovation should be promoted and, where appropriate, cooperate cooperation with third countries should be encouraged.

Council General Approach: (66) In order to maintain security and to prevent processing in breach of this Regulation, the controller or processor should evaluate the risks inherent to the processing and implement measures to mitigate those risks. These measures should ensure an appropriate level of security including confidentiality, taking into account available technology the state of the art and the costs of their implementation in relation to the risks and the nature of the personal data to be protected. When establishing technical standards and organisational measures to ensure security of processing, the Commission should promote technological neutrality, interoperability and innovation, and, where appropriate, cooperate with third countries In assessing data security risk, consideration should be given to the risks that are presented by data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed, which may in particular lead to physical, material or moral damage.

(66a) In order to enhance compliance with this Regulation in cases where the processing operations are likely to result in a high risk for the rights and freedoms of individuals, the controller should be responsible for the carrying out of a data protection impact assessment to evaluate, in particular, the origin, nature, particularity and severity of this risk. The outcome of the assessment should be taken into account when determining the appropriate measures to be taken in order to demonstrate that the processing of personal data is in compliance with this Regulation.

Where a data protection impact assessment indicates that processing operations involve a high risk which the controller cannot mitigate by appropriate measures in terms of available technology and costs of implementation, a consultation of the supervisory authority should take place prior to the processing.

Amendment 43

COM (2012)0011: (67) A personal data breach may, if not addressed in an adequate and timely manner, result in substantial economic loss and social harm, including identity fraud, to the individual concerned. Therefore, as soon as the controller becomes aware that such a breach has occurred, the controller should notify the breach to the supervisory authority without undue delay and, where feasible, within 24 hours. Where this cannot achieved within 24 hours, an explanation of the reasons for the delay should accompany the notification. The individuals whose personal data could be adversely affected by the breach should be notified without undue delay in order to allow them to take the necessary precautions. A breach should be considered as adversely affecting the personal data or privacy of a data subject where it could result in, for example, identity theft or fraud, physical harm, significant humiliation or damage to reputation. The notification should describe the nature of the personal data breach as well as recommendations as well as recommendations for the individual concerned to mitigate potential adverse effects. Notifications to data subjects should be made as soon as reasonably feasible, and in close cooperation with the supervisory authority and respecting guidance provided by it or other relevant authorities (e.g. law enforcement authorities). For example, the chance for data subjects to mitigate an immediate risk of harm would call for a prompt notification of data subjects whereas the need to implement appropriate measures against continuing or similar data breaches may justify a longer delay.

EP Position / First Reading: (67) A personal data breach may, if not addressed in an adequate and timely manner, result in substantial economic loss and social harm, including identity fraud, to the individual concerned. Therefore, as soon as the controller becomes aware that such a breach has occurred, the controller should notify the breach to the supervisory authority without undue delay and, where feasible, within 24,which should be presumed to be not later than 72 hours. Where this cannot achieved within 24 hours If applicable, an explanation of the reasons for the delay should accompany the notification. The individuals whose personal data could be adversely affected by the breach should be notified without undue delay in order to allow them to take the necessary precautions. A breach should be considered as adversely affecting the personal data or privacy of a data subject where it could result in, for example, identity theft or fraud, physical harm, significant humiliation or damage to reputation. The notification should describe the nature of the personal data breach and formulate as well as recommendations as well as recommendations for the individual concerned to mitigate potential adverse effects. Notifications to data subjects should be made as soon as reasonably feasible, and in close cooperation with the supervisory authority and respecting guidance provided by it or other relevant authorities (e.g. law enforcement authorities). For example, the chance for data subjects to mitigate an immediate risk of harm would call for a prompt notification of data subjects whereas the need to implement appropriate measures against continuing or similar data breaches may justify a longer delay.

Council General Approach: (67) A personal data breach may, if not addressed in an adequate and timely manner, result in physical, material or moral damage to individuals such as substantial economic loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorized reversal of pseudonymisation, damage to the reputation, loss of confidentiality of data protected by professional secrecy or any other economic or and social harm, including identity fraud, disadvantage to the individual concerned. Therefore, as soon as the controller becomes aware that such a personal data breach which may result in physical, material or moral damage has occurred, the controller should notify the breach to the supervisory authority without undue delay and, where feasible, within 24 72 hours. Where this cannot be achieved within 24 72 hours, an explanation of the reasons for the delay should accompany the notification. The individuals whose rights and freedoms personal data could be adversely severely affected by the breach should be notified without undue delay in order to allow them to take the necessary precautions. A breach should be considered as adversely affecting the personal data or privacy of a data subject where it could result in, for example, identity theft or fraud, physical harm, significant humiliation or damage to reputation. The notification should describe the nature of the personal data breach as well as recommendations as well as recommendations for the individual concerned to mitigate potential adverse effects. Notifications to data subjects should be made as soon as reasonably feasible, and in close cooperation with the supervisory authority and respecting guidance provided by it or other relevant authorities (e.g. law enforcement authorities). For example, the chance for data subjects need to mitigate an immediate risk of harmdamage would call for a prompt notification of data subjects whereas the need to implement appropriate measures against continuing or similar data breaches may justify a longer delay.

COM (2012)0011 and EP Position / First Reading: (68) In order to determine whether a personal data breach is notified to the supervisory authority and to the data subject without undue delay, it should be ascertained whether the controller has implemented and applied appropriate technological protection and organisational measures to establish immediately whether a personal data breach has taken place and to inform promptly the supervisory authority and the data subject, before a damage to personal and economic interests occurs, taking into account in particular the nature and gravity of the personal data breach and its consequences and adverse effects for the data subject.

Council General Approach: (68) In order to determine It must whether a personal data breach is notified to the supervisory authority and to the data subject without undue delay, it should be ascertained whether the controller has implemented and applied all appropriate technological protection and organisational measures have been implemented to establish immediately whether a personal data breach has taken place and to inform promptly the supervisory authority and the data subject., before a damage to personal and economic interests occurs, The fact that the notification was made without undue delay should be established taking into account in particular the nature and gravity of the personal data breach and its consequences and adverse effects for the data subject. Such notification may result in an intervention of the supervisory authority in accordance with its tasks and powers laid down in this Regulation.

(68a) The communication of a personal data breach to the data subject should not be required if the controller has implemented appropriate technological protection measures, and that those measures were applied to the data affected by the personal data breach. Such technological protection measures should include those that render the data unintelligible to any person who is not authorised to access it, in particular by encrypting the personal data.

COM (2012)0011, EP Position / First Reading and Council General Approach: (69) In setting detailed rules concerning the format and procedures applicable to the notification of personal data breaches, due consideration should be given to the circumstances of the breach, including whether or not personal data had been protected by appropriate technical protection measures, effectively limiting the likelihood of identity fraud or other forms of misuse. Moreover, such rules and procedures should take into account the legitimate interests of law enforcement authorities in cases where early disclosure could unnecessarily hamper the investigation of the circumstances of a breach.

COM (2012)0011 and EP Position / First Reading: (70) Directive 95/46/EC provided for a general obligation to notify processing of personal data to the supervisory authorities. While this obligation produces administrative and financial burdens, it did not in all cases contribute to improving the protection of personal data. Therefore such indiscriminate general notification obligation should be abolished, and replaced by effective procedures and mechanism which focus instead on those processing operations which are likely to present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes. In such cases, a data protection impact assessment should be carried out by the controller or processor prior to the processing, which should include in particular the envisaged measures, safeguards and mechanisms for ensuring the protection of personal data and for demonstrating the compliance with this Regulation.

Council General Approach: (70) Directive 95/46/EC provided for a general obligation to notify processing of personal data to the supervisory authorities. While this obligation produces administrative and financial burdens, it did not in all cases contribute to improving the protection of personal data. Therefore such indiscriminate general notification obligations should be abolished, and replaced by effective procedures and mechanisms which focus instead on those types of processing operations which are likely to present specificresult in a high risks to the rights and freedoms of data subjectsindividuals by virtue of their nature, their scope, context and or their purposes. In such cases, a data protection impact assessment should be carried out by the controller or processor prior to the types of processing, operations may be those which should include in particular, involve using new technologies, or are of a new kind and where no data protection impact assessment has been carried out before by the controller, or where they become necessary in the light of the time that has elapsed since the initial processingthe envisaged measures, safeguards and mechanisms for ensuring the protection of personal data and for demonstrating the compliance with this Regulation.

(70a) In such cases, a data protection impact assessment should be carried out by the controller prior to the processing in order to assess the particular likelihood and severity of the high risk, taking into account the nature, scope, context and purposes of the processing and the sources of the risk, which should

include in particular the envisaged measures, safeguards and mechanisms for mitigating that risk and for ensuring the protection of personal data and for demonstrating the compliance with this Regulation.

COM (2012)0011 and EP Position / First Reading: (71) This should in particular apply to newly established large scale filing systems, which aim at processing a considerable amount of personal data at regional, national or supranational level and which could affect a large number of data subjects.

Council General Approach: (71) This should in particular apply to newly established large-scale filing systemsprocessing operations, which aim at processing a considerable amount of personal data at regional, national or supranational level and which could affect a large number of data subjects and which are likely to result in a high risk, for example, on account of their sensitivity, where in accordance with the achieved state of technological knowledge a new technology is used on a large scale as well as to other processing operations which result in a high risk for the rights and freedoms of data subjects, in particular where those operations render it more difficult for data subjects to

exercise their rights. A data protection impact assessment should also be made in cases where data are processed for taking decisions regarding specific individuals following any systematic and extensive evaluation of personal aspects relating to natural persons based on profiling those data or following the processing of special categories of personal data, biometric data, or data on criminal convictions and offences or related security measures. A data protection impact assessment is equally required for monitoring publicly accessible areas on a large scale, especially when using optic-electronic devices or for any other operations where the competent supervisory authority considers that the processing is likely to result in a high risk for the rights and freedoms of data subjects, in particular because they prevent data subjects from exercising a right or using a

service or a contract, or because they are carried out systematically on a large scale. The processing of personal data irrespective of the volume or the nature of the data, should not be considered as being on a large scale, if the processing of these data is protected by professional secrecy, such as the processing of personal data from patients or clients by an individual doctor, health care professional, hospital or attorney. In these cases a data protection impact assessment should not be mandatory.

Amendment 44

(71a) Impact assessments are the essential core of any sustainable data protection framework, making sure that businesses are aware from the outset of all possible consequences of their data processing operations. If impact assessments are thorough, the likelihood of any data breach or privacy-intrusive operation can

be fundamentally limited. Data protection impact assessments should consequently have regard to the entire lifecycle management of personal data from collection to processing to deletion, describing in detail the envisaged processing operations, the risks to the rights and freedoms of data subjects, the measures envisaged to address the risks, safeguards, security measures and mechanisms to ensure compliance with the this Rregulation.

Amendment 45

(71b) Controllers should focus on the protection of personal data throughout the entire data lifecycle from collection to processing to deletion by investing from the outset in a sustainable data management framework and by following it up with a comprehensive compliance mechanism.

COM (2012)0011, EP Position / First Reading and Council General Approach: (72) There are circumstances under which it may be sensible and economic that the subject of a data protection impact assessment should be broader than a single project, for example where public authorities or bodies intend to establish a common application or processing platform or where several controllers plan to introduce a common application or processing environment across an industry sector or segment or for a widely used horizontal activity.

Amendment 46

COM (2012)0011: (73) Data protection impact assessments should be carried out by a public authority or public body if such an assessment has not already been made in the context of the adoption of the national law on which the performance of the tasks of the public authority or public body is based and which regulates the specific processing operation or set of operations in question.

EP Position / First Reading: deleted

Council General Approach: (73) Data protection impact assessments should may be carried out by a public authority or public body if such an assessment has not already been made in the context of the adoption of the national law on which the performance of the tasks of the public authority or public body is based and which regulates the specific processing operation or set of operations in question.

Amendment 47

COM (2012)0011: (74) Where a data protection impact assessment indicates that processing operations involve a high degree of specific risks to the rights and freedoms of data subjects, such as excluding individuals from their right, or by the use of specific new technologies, the supervisory authority should be consulted, prior to the start of operations, on a risky processing which might not be in compliance with this Regulation, and to make proposals to remedy such situation. Such consultation should equally take place in the course of the preparation either of a measure by the national parliament or of a measure based on such legislative measure which defines the nature of the processing and lays down appropriate safeguards.

EP Position / First Reading: (74) Where a data protection impact assessment indicates that processing operations involve a high degree of specific risks to the rights and freedoms of data subjects, such as excluding individuals from their right, or by the use of specific new technologies, the data protection officer or the supervisory authority should be consulted, prior to the start of operations, on a risky processing which might not be in compliance with this Regulation, and to make proposals to remedy such situation. Such A consultation of the supervisory authority should equally take place in the course of the preparation either of a measure by the national parliament or of a measure based on such legislative measure which defines the nature of the processing and lays down appropriate safeguards.

Council General Approach: (74) Where a data protection impact assessment indicates that the processing would, despite the envisaged safeguards, security measures and mechanisms to mitigate the operations involve a high degree of specific risks to the result in a high risk to the rights and freedoms of data subjectsindividuals and the controller is of the opinion that the risk cannot be mitigated by reasonable means in terms of available technologies and costs of implementation, such as excluding individuals from their right, or by the use of specific new technologies, the supervisory authority should be consulted, prior to the start of operationsprocessing activities, on a risky processing which might not be in compliance with this Regulation, and to make proposals to remedy such situation.

Such consultation should equally take place in the course of the preparation either of a measure by the national parliament or of a measure based on such legislative measure which defines the nature of the processing and lays down appropriate safeguards. Such high risk is likely to result from certain types of data processing and certain extent and frequency of processing, which may result also in a realisation of damage or interference with the rights and freedoms of the data subject. The supervisory authority should respond to the request for consultation in a defined period. However, the absence of a reaction of the supervisory authority within this period should be without prejudice to any intervention of the supervisory authority in accordance with its tasks and powers laid down in this Regulation, including the power to prohibit processing operations. As part of this consultation process,

the outcome of a data protection impact assessment carried out with regard to the processing at issue pursuant to Article 33 may be submitted to the supervisory authority, in particular the measures envisaged to mitigate the risk for the rights and freedoms of individuals.

Amendment 48

(74a) Impact assessments can only be of help if controllers make sure that they comply with the promises originally laid down in them. Data controllers should therefore conduct periodic data protection compliance reviews demonstrating that the data processing mechanisms in place comply with assurances made in the data protection impact assessment. It should further demonstrate the ability of the data controller to comply with the autonomous choices of data subjects. In addition, in case the review finds compliance inconsistencies, it should highlight these and present recommendations on how to achieve full compliance.

(74a) The processor should assist the controller, where necessary and upon request, in ensuring compliance with the obligations deriving from the carrying out of data protection impact assessments and from prior consultation of the supervisory authority.

(74b) A consultation with the supervisory authority should also take place in the course of the preparation of a legislative or regulatory measure which provides for the processing of personal data, in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risk involved for the data subject.

Amendment 49

COM (2012)0011: (75) Where the processing is carried out in the public sector or where, in the private sector, processing is carried out by a large enterprise, or where its core activities, regardless of the size of the enterprise, involve processing operations which require regular and systematic monitoring, a person should assist the controller or processor to monitor internal compliance with this Regulation. Such data protection officers, whether or not an employee of the controller, should be in a position to perform their duties and tasks independently.

EP Position / First Reading: (75) Where the processing is carried out in the public sector or where, in the private sector, processing is carried out by a large enterprise relates to more than 5000 data subjects within 12 months, or where its core activities, regardless of the size of the enterprise, involve processing operations on sensitive data, or processing operations which require regular and systematic monitoring, a person should assist the controller or processor to monitor internal compliance with this Regulation. When establishing whether data about a large number of data subjects are processed, archived data that are restricted in such a way that they are not subject to the normal data access and processing operations of the controller and can no longer be changed should not be taken into account. Such data protection officers, whether or not an employee of the controller and whether or not performing that task full time, should be in a position to perform their duties and tasks independently and enjoy special protection against dismissal. Final responsibility should stay with the management of an organisation. The data protection officer should in particular be consulted prior to the design, procurement, development and setting-up of systems for the automated processing of personal data, in order to ensure the principles of privacy by design and privacy by default.

Council General Approach: (75) Where the processing is carried out in the public sector or where, in the private sector, processing is carried out by a large enterprise, or where its core activities, regardless of the size of the enterprise, involve processing operations which require regular and systematic monitoring, a person should with expert knowledge of data protection law and practices may assist the controller or processor to monitor internal compliance with this Regulation. Such data protection officers, whether or not an employee of the controller, should be in a position to perform their duties and tasks in an independently manner.

Amendment 50

(75a) The data protection officer should have at least the following qualifications: extensive knowledge of the substance and application of data protection law, including technical and organisational measures and procedures; mastery of technical requirements for privacy by design, privacy by default and data security; industry-specific knowledge in accordance with the size of the controller or processor and the sensitivity of the data to be processed; the ability to carry out inspections, consultation, documentation, and log file analysis; and the ability to work with employee representation. The controller should enable the data protection officer to take part in advanced training measures to maintain the specialized knowledge required to perform his or her duties. The designation as a data protection officer does not necessarily require fulltime occupation of the respective employee.

Amendment 51

COM (2012)0011:
(76) Associations or other bodies representing categories of controllers should be encouraged to draw up codes of conduct, within the limits of this Regulation, so as to facilitate the effective application of this Regulation, taking account of the specific characteristics of the processing carried out in certain sectors.

EP Position / First Reading:
(76) Associations or other bodies representing categories of controllers should be encouraged, after consultation of the representatives of the employees, to draw up codes of conduct, within the limits of this Regulation, so as to facilitate the effective application of this Regulation, taking account of the specific characteristics of the processing carried out in certain sectors. Such codes should make compliance with this Regulation easier for industry.

Council General Approach:
(76) Associations or other bodies representing categories of controllers or processors should be encouraged to draw up codes of conduct, within the limits of this Regulation, so as to facilitate the effective application of this Regulation, taking account of the specific characteristics of the processing carried out in certain sectors and the specific needs of micro, small and medium enterprises. In particular such codes of conduct could calibrate the obligations of controllers and processors, taking into account the risk likely to result from the processing for the rights and freedoms of individuals.

(76a) When drawing up a code of conduct, or when amending or extending such a code, associations and other bodies representing categories of controllers or processors should consult with relevant stakeholders, including data subjects where feasible, and have regard to submissions received and views expressed in response to such consultations.

Amendment 52

COM (2012)0011:
(77) In order to enhance transparency and compliance with this Regulation, the establishment of certification mechanisms, data protection seals and marks should be encouraged, allowing data subjects to quickly assess the level of data protection of relevant products and services.

EP Position / First Reading:
(77) In order to enhance transparency and compliance with this Regulation, the establishment of certification mechanisms, data protection seals and standardised marks should be encouraged, allowing data subjects to quickly, reliably and verifiably assess the level of data protection of relevant products and services. A "European Data Protection Seal" should be established on the European level to create trust among data subjects, legal certainty for controllers, and at the same time export European data protection standards by allowing non-European companies to more easily enter European markets by being certified.

Council General Approach:
(77) In order to enhance transparency and compliance with this Regulation, the establishment of certification mechanisms, data protection seals and marks should be encouraged, allowing data subjects to quickly assess the level of data protection of relevant products and services.

COM (2012)0011:
(78) Cross-border flows of personal data are necessary for the expansion of international trade and international co-operation. The increase in these flows has raised new challenges and concerns with respect to the protection of personal data. However, when personal data are transferred from the Union to third countries or to international organisations, the level of protection of individuals guaranteed in the Union by this Regulation should not be undermined. In any event, transfers to third countries may only be carried out in full compliance with this Regulation.

EP Position / First Reading:
(78) Cross-border flows of personal data are necessary for the expansion of international trade and international co-operation. The increase in these flows has raised new challenges and concerns with respect to the protection of personal data. However, when personal data are transferred from the Union to third countries or to international organisations, the level of protection of individuals guaranteed in the Union by this Regulation should not be undermined. In any event, transfers to third countries may only be carried out in full compliance with this Regulation.

Council General Approach:
(78) Cross-border flows of personal data to and from countries outside the Union and international organisations are necessary for the expansion of international trade and international co-operation. The increase in these flows has raised new challenges and concerns with respect to the protection of personal data. However, when personal data are transferred from the Union to controllers, processors or other recipients in third countries or to international organisations, the level of protection of individuals guaranteed in the Union by this Regulation should not be undermined, including in cases of onward transfers of personal data from the third country or international organisation to controllers, processors in the same or another third country or international organisation. In any event, transfers to third countries and international organisations may only be carried out in full compliance with this Regulation. A transfer may only take place if, subject to the other provisions of this Regulation, the conditions laid down in Chapter V are complied with by the controller or processor.

Amendment 53

COM (2012)0011:
(79) This Regulation is without prejudice to international agreements concluded between the Union and third countries regulating the transfer of personal data including appropriate safeguards for the data subjects.

EP Position / First Reading:
(79) This Regulation is without prejudice to international agreements concluded between the Union and third countries regulating the transfer of personal data including appropriate safeguards for the data subjects ensuring an adequate level of protection for the fundamental rights of citizens.

Council General Approach:
(79) This Regulation is without prejudice to international agreements concluded between the Union and third countries regulating the transfer of personal data including appropriate safeguards for the data subjects. Member States may conclude international agreements which involve the transfer of personal data to third countries or international organisations, as far as such agreements do not affect this Regulation or any other provisions of EU law and include safeguards to protect the rights of the data subjects.

Amendment 54

COM (2012)0011:
(80) The Commission may decide with effect for the entire Union that certain third countries, or a territory or a processing sector within a third country, or an international organisation, offer an adequate level of data protection, thus providing legal certainty and uniformity throughout the Union as regards the third countries or international organisations which are considered to provide such level of protection. In these cases, transfers of personal data to these countries may take place without needing to obtain any further authorisation.

EP Position / First Reading:
(80) The Commission may decide with effect for the entire Union that certain third countries, or a territory or a processing sector within a third country, or an international organisation, offer an adequate level of data protection, thus providing legal certainty and uniformity throughout the Union as regards the third countries or international organisations which are considered to provide such level of protection. In these cases, transfers of personal data to these countries may take place without needing to obtain any further authorisation. The Commission may also decide, having given notice and a complete justification to the third country, to revoke such a decision.

Council General Approach:
(80) The Commission may decide with effect for the entire Union that certain third countries, or a territory or a processing specified sector, such as the private sector or one or more specific economic sectors within a third country, or an international organisation, offer an adequate level of data protection, thus providing legal certainty and uniformity throughout the Union as regards the third countries or international organisations, which are considered to provide such level of protection. In these cases, transfers of personal data to these countries may take place without needing to obtain any further authorisation.

COM (2012)0011:
(81) In line with the fundamental values on which the Union is founded, in particular the protection of human rights, the Commission should, in its assessment of the third country, take into account how a given third country respects the rule of law, access to justice as well as international human rights norms and standards.

EP Position / First Reading:
(81) In line with the fundamental values on which the Union is founded, in particular the protection of human rights, the Commission should, in its assessment of the third country, take into account how a given third country respects the rule of law, access to justice as well as international human rights norms and standards.

Council General Approach:
(81) In line with the fundamental values on which the Union is founded, in particular the protection of human rights, the Commission should, in its assessment of the a third country or of a territory or of a specified sector within a third country, take into account how a given third country respects the rule of law, access to justice as well as international human rights norms and standards and its general and sectoral law, including legislation concerning public security, defence and national security as well as public order and criminal law. The adoption of an adequacy decision to a territory or a specified sector in a third country should take into account clear and objective criteria, such as specific processing activities and the scope of applicable legal standards and legislation in force in the third country. The third country should offer guarantees that ensure an adequate level of protection in particular when data are processed in one or several specific sectors. In particular, the third country should ensure effective data protection supervision and should provide for cooperation mechanisms with the European data protection authorities, and the data subjects should be provided with effective and enforceable rights and effective administrative and judicial redress.

(81a) Apart from the international commitments the third country or international organisation has entered into, the Commission should also take account of obligations arising from the third country’s or international organisation’s participation in multilateral or regional systems in particular in relation to the protection of personal data, as well as the implementation of such obligations. In particular the third country’s accession to the Council of Europe Convention of 28 January 1981 for the Protection of Individuals with regard to the Automatic Processing of Personal Data and its Additional Protocol should be taken into account. The Commission should consult with the European Data Protection Board when assessing the level of protection in third countries or international organisations.

(81b) The Commission should monitor the functioning of decisions on the level of protection in a third country or a territory or specified sector within a third country, or an international organisation, including decisions adopted on the basis of Article 25(6) or Article 26 (4) of Directive 95/46/EC. The Commission should evaluate, within a reasonable time, the functioning of the latter decisions and report any pertinent findings to the Committee within the meaning of Regulation (EU) No 182/2011 as established under this Regulation.

Amendment 55

COM (2012)0011:
(82) The Commission may equally recognise that a third country, or a territory or a processing sector within a third country, or an international organisation offers no adequate level of data protection. Consequently the transfer of personal data to that third country should be prohibited. In that case, provision should be made for consultations between the Commission and such third countries or international organisations.

EP Position / First Reading:
(82) The Commission may equally recognise that a third country, or a territory or a processing sector within a third country, or an international organisation offers no adequate level of data protection. Any legislation which provides for extra-territorial access to personal data processed in the Union without authorisation under Union or Member State law should be considered as an indication of a lack of adequacy. Consequently the transfer of personal data to that third country should be prohibited. In that case, provision should be made for consultations between the Commission and such third countries or international organisations.

Council General Approach:
(82) The Commission may equally recognise that a third country, or a territory or a processing specified sector within a third country, or an international organisation offers no longer ensures an adequate level of data protection. Consequently the transfer of personal data to that third country or international organisation should be prohibited, unless the requirements of Articles 42 to 44 are fulfilled. In that case, provision should be made for consultations between the Commission and such third countries or international organisations. The Commission should, in a timely manner, inform the third country or international organisation of the reasons and enter into consultations with it in order to remedy the situation.

Amendment 56

COM (2012)0011:
(83) In the absence of an adequacy decision, the controller or processor should take measures to compensate for the lack of data protection in a third country by way of appropriate safeguards for the data subject. Such appropriate safeguards may consist of making use of binding corporate rules, standard data protection clauses adopted by the Commission, standard data protection clauses adopted by a supervisory authority or contractual clauses authorised by a supervisory authority, or other suitable and proportionate measures justified in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations and where authorised by a supervisory authority.

EP Position / First Reading:
(83) In the absence of an adequacy decision, the controller or processor should take measures to compensate for the lack of data protection in a third country by way of appropriate safeguards for the data subject. Such appropriate safeguards may consist of making use of binding corporate rules, standard data protection clauses adopted by the Commission, standard data protection clauses adopted by a supervisory authority or contractual clauses authorised by a supervisory authority, or other suitable and proportionate measures justified in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations and where authorised by a supervisory authority. Those appropriate safeguards should uphold a respect of the data subject’s rights adequate to intra-EU processing, in particular relating to purpose limitation, right to access, rectification, erasure and to claim compensation. Those safeguards should in particular guarantee the observance of the principles of personal data processing, safeguard the data subject’s rights and provide for effective redress mechanisms, ensure the observance of the principles of data protection by design and by default, guarantee the existence of a data protection officer.

Council General Approach:
(83) In the absence of an adequacy decision, the controller or processor should take measures to compensate for the lack of data protection in a third country by way of appropriate safeguards for the data subject. Such appropriate safeguards may consist of making use of binding corporate rules, standard data protection clauses adopted by the Commission, standard data protection clauses adopted by a supervisory authority or ad hoc contractual clauses authorised by a supervisory authority, or other suitable and proportionate measures justified in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations and where authorised by a supervisory authority. Those safeguards should ensure compliance with data protection requirements and the rights of the data subjects, including the right to obtain effective administrative or judicial redress. They should relate in particular to compliance with the general principles relating to personal data processing, the availability of enforceable data subject's rights and of effective legal remedies and the principles of data protection by design and by default. Transfers may be carried out also by public authorities or bodies with public authorities or bodies in third countries or with international organisations with corresponding duties or functions, including on the basis of provisions to be inserted into administrative arrangements, such as a memorandum of understanding. The authorisation of the competent supervisory authority should be obtained when the safeguards are adduced in non legally binding administrative arrangements.

Amendment 57

COM (2012)0011:
(84) The possibility for the controller or processor to use standard data protection clauses adopted by the Commission or by a supervisory authority should neither prevent the possibility for controllers or processors to include the standard data protection clauses in a wider contract nor to add other clauses as long as they do not contradict, directly or indirectly, the standard contractual clauses adopted by the Commission or by a supervisory authority or prejudice the fundamental rights or freedoms of the data subjects.

EP Position / First Reading:
(84) The possibility for the controller or processor to use standard data protection clauses adopted by the Commission or by a supervisory authority should neither prevent the possibility for controllers or processors to include the standard data protection clauses in a wider contract nor to add other clauses or supplementary safeguards as long as they do not contradict, directly or indirectly, the standard contractual clauses adopted by the Commission or by a supervisory authority or prejudice the fundamental rights or freedoms of the data subjects. The standard data protection clauses adopted by the Commission could cover different situations, namely transfers from controllers established in the Union to controllers established outside the Union and from controllers established in the Union to processors, including sub-processors, established outside the Union. Controllers and processors should be encouraged to provide even more robust safeguards via additional contractual commitments that supplement standard protection clauses.

Council General Approach:
(84) The possibility for the controller or processor to use standard data protection clauses adopted by the Commission or by a supervisory authority should neither prevent the possibility for controllers or processors to include the standard data protection clauses in a wider contract, including in a contract between the processor and another processor, nor to add other clauses or additional safeguards as long as they do not contradict, directly or indirectly, the standard contractual clauses adopted by the Commission or by a supervisory authority or prejudice the fundamental rights or freedoms of the data subjects.

Amendment 58

COM (2012)0011:
(85) A corporate group should be able to make use of approved binding corporate rules for its international transfers from the Union to organisations within the same corporate group of undertakings, as long as such corporate rules include essential principles and enforceable rights to ensure appropriate safeguards for transfers or categories of transfers of personal data.

EP Position / First Reading:
(85) A corporate group should be able to make use of approved binding corporate rules for its international transfers from the Union to organisations within the same corporate group of undertakings, as long as such corporate rules include all essential principles and enforceable rights to ensure appropriate safeguards for transfers or categories of transfers of personal data

Council General Approach:
(85) A corporate group or a group of enterprises engaged in a joint economic activity should be able to make use of approved binding corporate rules for its international transfers from the Union to organisations within the same corporate group of undertakings or group of enterprises, as long as such corporate rules include essential principles and enforceable rights to ensure appropriate safeguards for transfers or categories of transfers of personal data.

Amendment 59

COM (2012)0011:
(86) Provisions should be made for the possibility for transfers in certain circumstances where the data subject has given his consent, where the transfer is necessary in relation to a contract or a legal claim, where important grounds of public interest laid down by Union or Member State law so require or where the transfer is made from a register established by law and intended for consultation by the public or persons having a legitimate interest. In this latter case such a transfer should not involve the entirety of the data or entire categories of the data contained in the register and, when the register is intended for consultation by persons having a legitimate interest, the transfer should be made only at the request of those persons or if they are to be the recipients.

EP Position / First Reading:
(86) Provisions should be made for the possibility for transfers in certain circumstances where the data subject has given his consent, where the transfer is necessary in relation to a contract or a legal claim, where important grounds of public interest laid down by Union or Member State law so require or where the transfer is made from a register established by law and intended for consultation by the public or persons having a legitimate interest. In this latter case such a transfer should not involve the entirety of the data or entire categories of the data contained in the register and, when the register is intended for consultation by persons having a legitimate interest, the transfer should be made only at the request of those persons or if they are to be the recipients, taking into full account the interests and fundamental rights of the data subject.

Council General Approach:
(86) Provisions should be made for the possibility for transfers in certain circumstances where the data subject has given his explicit consent, where the transfer is necessary occasional in relation to a contract or a legal claim, regardless of whether in a judicial procedure or whether in an administrative or any out-of-court procedure, including procedures before regulatory bodies. Provision should also be made for the possibility for transfers where important grounds of public interest laid down by Union or Member State law so require or where the transfer is made from a register established by law and intended for consultation by the public or persons having a legitimate interest. In this latter case such a transfer should not involve the entirety of the data or entire categories of the data contained in the register and, when the register is intended for consultation by persons having a legitimate interest, the transfer should be made only at the request of those persons or if they are to be the recipients.

Amendment 60

COM (2012)0011:
(87) These derogations should in particular apply to data transfers required and necessary for the protection of important grounds of public interest, for example in cases of international data transfers between competition authorities, tax or customs administrations, financial supervisory authorities, between services competent for social security matters, or to competent authorities for the prevention, investigation, detection and prosecution of criminal offences.

EP Position / First Reading:
(87) These derogations should in particular apply to data transfers required and necessary for the protection of important grounds of public interest, for example in cases of international data transfers between competition authorities, tax or customs administrations, financial supervisory authorities, between services competent for social security matters or for public health, or to competent public authorities for the prevention, investigation, detection and prosecution of criminal offences, including for the prevention of money laundering and the fight against terrorist financing. A transfer of personal data should equally be regarded as lawful where it is necessary to protect an interest which is essential for the

personal data for such important grounds of public interest should only be used for occasional transfers. In each and every case, a careful assessment of all circumstances of the transfer should be carried out.

Council General Approach:
(87) These derogations rules should in particular apply to data transfers required and necessary for the protection of important grounds reasons of public interest, for example in cases of international data transfers exchange between competition authorities, tax or customs administrations, between financial supervisory authorities, between services competent for social security matters, or to competent authorities for the prevention, investigation, detection and prosecution of criminal offences for public health, for example in case of contact tracing for contagious diseases or in order to reduce and/or eliminate doping in sport. A transfer of personal data should equally be regarded as lawful where it is necessary to protect an interest which is essential for the data subject’s or another person’s vital interests, including physical integrity or life, if the data subject is incapable of giving consent. In the absence of an adequacy decision, Union law or Member State law may, for important reasons of public interest, expressly set limits to the transfer of specific categories of data to a third country or an international organization. Member States should notify such provisions to the Commission. Any transfer to an international humanitarian organisation, such as a National Society of the Red Cross or to the ICRC of personal data of a data subject who is physically or legally incapable of giving consent, with the view to accomplishing a task incumbent upon the International Red Cross and Red Crescent Movement under the Geneva Conventions and/or to work for the faithful application of international humanitarian law applicable in armed conflicts could be considered as necessary for an important reason of public interest or being in the vital interest of the data subject.

Amendment 61

COM (2012)0011:
(88) Transfers which cannot be qualified as frequent or massive, could also be possible for the purposes of the legitimate interests pursued by the controller or the processor, when they have assessed all the circumstances surrounding the data transfer. For the purposes of processing for historical, statistical and scientific research purposes, the legitimate expectations of society for an increase of knowledge should be taken into consideration.

EP Position / First Reading:
(88) Transfers which cannot be qualified as frequent or massive, could also be possible for the purposes of the legitimate interests pursued by the controller or the processor, when they have assessed all the circumstances surrounding the data transfer. For the purposes of processing for historical, statistical and scientific research purposes, the legitimate expectations of society for an increase of knowledge should be taken into consideration.

Council General Approach:
(88) Transfers which cannot be qualified as large scale or frequent or massive, could also be possible for the purposes of the legitimate interests pursued by the controller or the processor, when they have those interests are not overridden by the interests or rights and freedoms of the data subject and when the controller or the processor has assessed all the circumstances surrounding the data transfer. The controller or processor should give particular consideration to the nature of the data, the purpose and duration of the proposed processing operation or operations, as well as the situation in the country of origin, the third country and the country of final destination, and adduced suitable safeguards to protect fundamental rights and freedoms of natural persons with respect to processing of their personal data. For the purposes of processing for historical, statistical and scientific research purposes, the legitimate expectations of society for an increase of knowledge should be taken into consideration. To assess whether a transfer is large scale or frequent the amount of personal data and number of data subjects should be taken into account and whether the transfer takes place on an occasional or regular basis.

Amendment 62

COM (2012)0011:
(89) In any case, where the Commission has taken no decision on the adequate level of data protection in a third country, the controller or processor should make use of solutions that provide data subjects with a guarantee that they will continue to benefit from the fundamental rights and safeguards as regards processing of their data in the Union once this data has been transferred.

EP Position / First Reading:
(89) In any case, where the Commission has taken no decision on the adequate level of data protection in a third country, the controller or processor should make use of solutions that provide data subjects with a legally binding guarantee that they will continue to benefit from the fundamental rights and safeguards as regards processing of their data in the Union once those data have been transferred, to the extent that the processing is not massive, not repetitive and not structural. That guarantee should include financial indemnification in cases of loss or unauthorised access or processing of the data and an obligation, regardless of national legislation, to provide full details of all access to the data by public authorities in the third country.

Council General Approach:
(89) In any case, where the Commission has taken no decision on the adequate level of data protection in a third country, the controller or processor should make use of solutions that provide data subjects with a guarantee that they will continue to benefit from the fundamental rights and safeguards as regards processing of their data in the Union once this data has been transferred.

Amendment 63

COM (2012)0011:

(90) Some third countries enact laws, regulations and other legislative instruments which purport to directly regulate data processing activities of natural and legal persons under the jurisdiction of the Member States. The extraterritorial application of these laws, regulations and other legislative instruments may be in breach of international law and may impede the attainment of the protection of individuals guaranteed in the Union by this Regulation. Transfers should only be allowed where the conditions of this Regulation for a transfer to third countries are met. This may inter alia be the case where the disclosure is necessary for an important ground of public interest recognised in Union law or in a Member State law to which the controller is subject. The conditions under which an important ground of public interest exists should be further specified by the Commission in a delegated act.

EP Position / First Reading:

(90) Some third countries enact laws, regulations and other legislative instruments which purport to directly regulate data processing activities of natural and legal persons under the jurisdiction of the Member States. The extraterritorial application of these laws, regulations and other legislative instruments may be in breach of international law and may impede the attainment of the protection of individuals guaranteed in the Union by this Regulation. Transfers should only be allowed where the conditions of this Regulation for a transfer to third countries are met. This may inter alia be the case where the disclosure is necessary for an important ground of public interest recognised in Union law or in a Member State law to which the controller is subject. The conditions under which an important ground of public interest exists should be further specified by the Commission in a delegated act. In cases where controllers or processors are confronted with conflicting compliance requirements between the jurisdiction of the Union on the one hand, and that of a third country on the other, the Commission should ensure that Union law takes precedence at all times. The Commission should provide guidance and assistance to the controller and processor, and it should seek to resolve the jurisdictional conflict with the third country in question.

Council General Approach:

(90) Some third countries enact laws, regulations and other legislative instruments which purport to directly regulate data processing activities of natural and legal persons under the jurisdiction of the Member States. The extraterritorial application of these laws, regulations and other legislative instruments may be in breach of international law and may impede the attainment of the protection of individuals guaranteed in the Union by this Regulation. Transfers should only be allowed where the conditions of this Regulation for a transfer to third countries are met. This may inter alia be the case where the disclosure is necessary for an important ground of public interest recognised in Union law or in a Member State law to which the controller is subject. The conditions under which an important ground of public interest exists should be further specified by the Commission in a delegated act.

COM (2012)0011:

(91) When personal data moves across borders it may put at increased risk the ability of individuals to exercise data protection rights in particular to protect themselves from the unlawful use or disclosure of that information. At the same time, supervisory authorities may find that they are unable to pursue complaints or conduct investigations relating to the activities outside their borders. Their efforts to work together in the cross-border context may also be hampered by insufficient preventative or remedial powers, inconsistent legal regimes, and practical obstacles like resource constraints. Therefore, there is a need to promote closer co-operation among data protection supervisory authorities to help them exchange information and carry out investigations with their international counterparts.

EP Position / First Reading:

(91) When personal data moves across borders it may put at increased risk the ability of individuals to exercise data protection rights in particular to protect themselves from the unlawful use or disclosure of that information. At the same time, supervisory authorities may find that they are unable to pursue complaints or conduct investigations relating to the activities outside their borders. Their efforts to work together in the cross-border context may also be hampered by insufficient preventative or remedial powers, inconsistent legal regimes, and practical obstacles like resource constraints. Therefore, there is a need to promote closer co-operation among data protection supervisory authorities to help them exchange information and carry out investigations with their international counterparts.

Council General Approach:

(91) When personal data moves across borders outside the Union it may put at increased risk the ability of individuals to exercise data protection rights in particular to protect themselves from the unlawful use or disclosure of that information. At the same time, supervisory authorities may find that they are unable to pursue complaints or conduct investigations relating to the activities outside their borders. Their efforts to work together in the cross-border context may also be hampered by insufficient preventative or remedial powers, inconsistent legal regimes, and practical obstacles like resource constraints. Therefore, there is a need to promote closer co-operation among data protection supervisory authorities to help them exchange information and carry out investigations with their international counterparts. For the purposes of developing international co-operation mechanisms to facilitate and provide international mutual assistance for the enforcement of legislation for the protection of personal data, the Commission and the supervisory authorities should exchange information and cooperate in activities related to the exercise of their powers with competent authorities in third countries, based on reciprocity and in compliance with the provisions of this Regulation, including those laid down in Chapter V.

Amendment 64

COM (2012)0011:

(92) The establishment of supervisory authorities in Member States, exercising their functions with complete independence, is an essential component of the protection of individuals with regard to the processing of their personal data. Member States may establish more than one supervisory authority, to reflect their constitutional, organisational and administrative structure.

EP Position / First Reading:

(92) The establishment of supervisory authorities in Member States, exercising their functions with complete independence, is an essential component of the protection of individuals with regard to the processing of their personal data. Member States may establish more than one supervisory authority, to reflect their constitutional, organisational and administrative structure. An authority shall have adequate financial and personal resources to fully carry out its role, taking into account the size of the population and the amount of personal data processing.

Council General Approach:

(92) The establishment of supervisory authorities in Member States, empowered to perform their tasks and exercising exercise their functions powers with complete independence, is an essential component of the protection of individuals with regard to the processing of their personal data. Member States may establish more than one supervisory authority, to reflect their constitutional, organisational and administrative structure.

(92a) The independence of supervisory authorities should not mean that the supervisory authorities cannot be subjected to control or monitoring mechanism regarding their financial expenditure. Neither does it imply that supervisory authorities cannot be subjected to judicial review.

COM (2012)0011:

(93) Where a Member State establishes several supervisory authorities, it should establish by law mechanisms for ensuring the effective participation of those supervisory authorities in the consistency mechanism. That Member State should in particular designate the supervisory authority which functions as a single contact point for the effective participation of those authorities in the mechanism, to ensure swift and smooth co-operation with other supervisory authorities, the European Data Protection Board and the Commission.

EP Position / First Reading:

(93) Where a Member State establishes several supervisory authorities, it should establish by law mechanisms for ensuring the effective participation of those supervisory authorities in the consistency mechanism. That Member State should in particular designate the supervisory authority which functions as a single contact point for the effective participation of those authorities in the mechanism, to ensure swift and smooth co-operation with other supervisory authorities, the European Data Protection Board and the Commission.

Council General Approach:

(93) Where a Member State establishes several supervisory authorities, it should establish by law mechanisms for ensuring the effective participation of those supervisory authorities in the consistency mechanism. That Member State should in particular designate the supervisory authority which functions as a single contact point for the effective participation of those authorities in the mechanism, to ensure swift and smooth co-operation with other supervisory authorities, the European Data Protection Board and the Commission.

Amendment 65

COM (2012)0011:

(94) Each supervisory authority should be provided with the adequate financial and human resources, premises and infrastructure, which is necessary for the effective performance of their tasks, including for the tasks related to mutual assistance and co-operation with other supervisory authorities throughout the Union.

EP Position / First Reading:

(94) Each supervisory authority should be provided with the adequate financial and human resources, paying particular attention to ensuring adequate technical and legal skills of staff, premises and infrastructure, which is necessary for the effective performance of their tasks, including for the tasks related to mutual assistance and co-operation with other supervisory authorities throughout the Union.

Council General Approach:

(94) Each supervisory authority should be provided with the adequate financial and human resources, premises and infrastructure, which is are necessary for the effective performance of their tasks, including for the tasks related to mutual assistance and co-operation with other supervisory authorities throughout the Union. Each supervisory authority should have a separate annual budget, which may be part of the overall state or national budget.

Amendment 66

COM (2012)0011:

(95) The general conditions for the members of the supervisory authority should be laid down by law in each Member State and should in particular provide that those members should be either appointed by the parliament or the government of the Member State, and include rules on the personal qualification of the members and the position of those members.

EP Position / First Reading:

(95) The general conditions for the members of the supervisory authority should be laid down by law in each Member State and should in particular provide that those members should be either appointed by the parliament or the government of the Member State taking due care to minimise the possibility of political interference, and include rules on the personal qualification of the members, the avoidance of conflicts of interest and the position of those members.

Council General Approach:

(95) The general conditions for the member or members of the supervisory authority should be laid down by law in each Member State and should in particular provide that those members should be either appointed by the parliament and/or the government or the head of State of the Member State, and include rules on the personal qualification of the members and the position of those members or by an independent body entrusted by Member State law with the appointment by means of a transparent procedure. In order to ensure the independence of the supervisory authority, the member or members should refrain from any action incompatible with their duties and should not, during their term of office, engage in any incompatible occupation, whether gainful or not.

(95a) Each supervisory authority should be competent on the territory of its own Member State to exercise the powers and to perform the tasks conferred on it in accordance with this Regulation. This should cover in particular the processing in the context of the activities of an establishment of the controller or processor on the territory of its own Member State, the processing of personal data carried out by public authorities or private bodies acting in the public interest, processing affecting data subjects on its territory or processing carried out by a controller or processor not established in the European Union when targeting data subjects residing in its territory. This should include dealing with complaints lodged by a data subject, conducting investigations on the application of the Regulation, promoting public awareness of the risks, rules, safeguards and rights in relation to the processing of personal data.

COM (2012)0011:

(96) The supervisory authorities should monitor the application of the provisions pursuant to this Regulation and contribute to its consistent application throughout the Union, in order to protect natural persons in relation to the processing of their personal data and to facilitate the free flow of personal data within the internal market. For that purpose, the supervisory authorities should co-operate with each other and the Commission.

EP Position / First Reading:

(96) The supervisory authorities should monitor the application of the provisions pursuant to this Regulation and contribute to its consistent application throughout the Union, in order to protect natural persons in relation to the processing of their personal data and to facilitate the free flow of personal data within the internal market. For that purpose, the supervisory authorities should co-operate with each other and the Commission.

Council General Approach:

(96) The supervisory authorities should monitor the application of the provisions pursuant to this Regulation and contribute to its consistent application throughout the Union, in order to protect natural persons in relation to the processing of their personal data and to facilitate the free flow of personal data within the internal market. For that purpose, this Regulation should oblige and empower the supervisory authorities should to co-operate with each other and the Commission, without the need for any agreement between Member States on the provision of mutual assistance or on such cooperation.

Amendment 67

COM (2012)0011:

(97) Where the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union takes place in more than one Member State, one single supervisory authority should be competent for monitoring the activities of the controller or processor throughout the Union and taking the related decisions, in order to increase the consistent application, provide legal certainty and reduce administrative burden for such controllers and processors.

EP Position / First Reading:

(97) Where the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union takes place in more than one Member State, one single supervisory authority should be competent for monitoring the activities of act as the single contact point and the lead authority responsible for supervising the controller or processor throughout the Union and taking the related decisions, in order to increase the consistent application, provide legal certainty and reduce administrative burden for such controllers and processors.

Council General Approach:

(97) Where the processing of personal data takes place in the context of the activities of an establishment of a controller or a processor in the Union and the controller or processor is established takes place in more than one Member State, or where processing taking place in the context of the activities of a one single supervisory authority should be competent for monitoring the activities of the controller or processor throughout the Union and taking the related decisions, in order to increase the consistent application, provide legal certainty and reduce administrative burden for such controllers and processors establishment of a controller or processor in the Union substantially affects or is likely to substantially affect data subjects in more than one Member State, the supervisory authority for the main establishment of the controller or processor or for the single establishment of the

controller or processor should act as lead authority. It should cooperate with the other authorities that are concerned, because the controller or processor has an establishment on the territory of their Member State, because data subjects residing on their territory are substantially affected, or because a complaint has been lodged with them. Also where a data subject not residing in that Member State has lodged a complaint, the supervisory authority to which such complaint has been lodged should also be a concerned supervisory authority. Within its tasks to issue guidelines on any question covering the application of this Regulation, the European Data Protection Board may issue guidelines in particular on the criteria to be taken into account in order to ascertain whether the processing in question substantially affects data subjects in more than one Member State and on what constitutes a relevant and reasoned objection.

(97a) The lead authority should be competent to adopt binding decisions regarding measures applying the powers conferred on it in accordance with the provisions of this Regulation. In its capacity as lead authority, the supervisory authority should closely involve and coordinate the concerned supervisory authorities in the decision-making process. In cases where the decisions is to reject the complaint by the data subject in whole or in part that decision should be adopted by the supervisory authority at which the complaint has been lodged.

(97b) The decision should be agreed jointly by the lead supervisory authority and the concerned supervisory authorities and should be directed towards the main or single establishment of the controller or processor and be binding on the controller and processor. The controller or processor should take the necessary measures to ensure the

compliance with this Regulation and the implementation of the decision notified by the lead supervisory authority to the main establishment of the controller or processor as regards the processing activities in the Union.

(97c) Each supervisory authority not acting as lead supervisory authority should be competent to deal with local cases where the controller or processor is established in more than one Member State, but the subject matter of the specific processing concerns only processing carried out in a single Member State and involving only data subjects in that single Member State, for example, where the subject matter concerns the processing of employees data in the specific employment context of a Member State. In such cases, the supervisory authority should inform the lead supervisory authority without delay on this matter. After being informed, the lead supervisory authority should

decide, whether it will deal with the case within the one-stop-shop mechanism or whether the supervisory authority which informed it should deal with the case at local level. When deciding whether it will deal with the case, the lead supervisory authority should take into account, whether there is an establishment of the controller or processor in the Member State of the supervisory authority which informed it, in order to ensure effective enforcement of a decision vis-à-vis the controller or processor. Where the lead supervisory authority decides to deal with the case, the supervisory authority which informed it should have the possibility to submit a draft for a decision, of which the lead supervisory authority should take utmost account when preparing its draft decision in the one-stop-shop mechanism.

Amendment 68

COM (2012)0011:

(98) The competent authority, providing such one-stop shop, should be the supervisory authority of the Member State in which the controller or processor has its main establishment.

EP Position / First Reading:

(98) The competent lead authority, providing such one-stop shop, should be the supervisory authority of the Member State in which the controller or processor has its main establishment or its representative. The European Data Protection Board may designate the lead authority through the consistency mechanism in certain cases at the request of a competent authority.

Council General Approach:

(98) The competent rules on the lead supervisory authority, providing such and the one-stop-shop mechanism, should not apply where the processing is carried out by public authorities or private bodies in the public interest. In such cases be the only supervisory authority competent to exercise the powers conferred to it in accordance with this Regulation should be the supervisory authority of the Member State where the public authority or private body is established in which the controller or processor has its main establishment.

Amendment 69

(98a) Data subjects whose personal data is are processed by a data controller or processor in another Member State should be able to complain to the supervisory authority of their choice. The lead data protection authority should coordinate its work with that of the other authorities involved.

COM (2012)0011:

(99) While this Regulation applies also to the activities of national courts, the competence of the supervisory authorities should not cover the processing of personal data when courts are acting in their judicial capacity, in order to safeguard the independence of judges in the performance of their judicial tasks. However, this exemption should be strictly limited to genuine judicial activities in court cases and not apply to other activities where judges might be involved in, in accordance with national law.

EP Position / First Reading:

(99) While this Regulation applies also to the activities of national courts, the competence of the supervisory authorities should not cover the processing of personal data when courts are acting in their judicial capacity, in order to safeguard the independence of judges in the performance of their judicial tasks. However, this exemption should be strictly limited to genuine judicial activities in court cases and not apply to other activities where judges might be involved in, in accordance with national law.

Council General Approach:

deleted

COM (2012)0011:

(100) In order to ensure consistent monitoring and enforcement of this Regulation throughout the Union, the supervisory authorities should have in each Member State the same duties and effective powers, including powers of investigation, legally binding intervention, decisions and sanctions, particularly in cases of complaints from individuals, and to engage in legal proceedings. Investigative powers of supervisory authorities as regards access to premises should be exercised in conformity with Union law and national law. This concerns in particular the requirement to obtain a prior judicial authorisation.

EP Position / First Reading:

(100) In order to ensure consistent monitoring and enforcement of this Regulation throughout the Union, the supervisory authorities should have in each Member State the same duties and effective powers, including powers of investigation, legally binding intervention, decisions and sanctions, particularly in cases of complaints from individuals, and to engage in legal proceedings. Investigative powers of supervisory authorities as regards access to premises should be exercised in conformity with Union law and national law. This concerns in particular the requirement to obtain a prior judicial authorisation.

Council General Approach:

(100) In order to ensure consistent monitoring and enforcement of this Regulation throughout the Union, the supervisory authorities should have in each Member State the same duties tasks and effective powers, including powers of investigation, corrective powers legally binding intervention, decisions and sanctions, and authorisation and advisory powers, particularly in cases of complaints from individuals, and without prejudice to the powers of prosecutorial authorities under national law, to bring infringements of this Regulation to the attention of the judicial authorities and/or to engage in legal proceedings. Such

powers should also include the power to forbid the processing on which the authority is consulted. Member States may specify other tasks related to the protection of personal data under this Regulation. The powers of supervisory authorities should be exercised in conformity with appropriate procedural safeguards set out in Union law and national law, impartially, fairly and within a reasonable time. In particular each measure should be appropriate, necessary and proportionate in view of ensuring compliance with this Regulation, taking into account the circumstances of each individual case, respect the right of every person to be heard before any individual measure which would

affect him or her adversely is taken and avoid superfluous costs and excessive inconveniences for the persons concerned. Investigative Investigatory powers of supervisory authorities as regards access to premises should be exercised in conformity accordance with specific requirements in national procedural law, such as with Union law and national law. This concerns in particular the requirement to obtain a prior judicial authorisation. Each legally binding measure of the supervisory authority should be in writing, be clear and unambiguous, indicate the supervisory authority which has issued the measure, the date of issue of the measure, bear the signature of the head, or a member of the supervisory authority authorised by him or her, give the reasons for the measure, and refer to the right of an effective remedy.

This should not preclude additional requirements pursuant to national procedural law. The adoption of such legally binding decision implies that it may give rise to judicial review in the Member State of the supervisory authority that adopted the decision.

Amendment 70

COM (2012)0011:

(101) Each supervisory authority should hear complaints lodged by any data subject and should investigate the matter. The investigation following a complaint should be carried out, subject to judicial review, to the extent that is appropriate in the specific case. The supervisory authority should inform the data subject of the progress and the outcome of the complaint within a reasonable period. If the case requires further investigation or coordination with another supervisory authority, intermediate information should be given to the data subject.

EP Position / First Reading:

(101) Each supervisory authority should hear complaints lodged by any data subject or by associations acting in the public interest and should investigate the matter. The investigation following a complaint should be carried out, subject to judicial review, to the extent that is appropriate in the specific case. The supervisory authority should inform the data subject or the association of the progress and the outcome of the complaint within a reasonable period. If the case requires further investigation or coordination with another supervisory authority, intermediate information should be given to the data subject.

Council General Approach:

(101 & 101a) Each Where the supervisory authority should hear to which the complaints has been lodged is not the lead supervisory authority, the lead supervisory authority should closely co-operate with the supervisory authority to which the complaint has been lodged according to the provisions on co-operation and consistency laid down in this Regulation. In such cases, by any data subject and should investigate the matter. The investigation following a complaint should be carried out, subject to judicial review, to the extent that is appropriate in the specific case.

Thethe lead supervisory authority should, when taking measures intended to produce legal effects, including the imposition of administrative fines, take utmost account of the view of the inform the data subject of the progress and the outcome of the complaint within a reasonable period. If the case requires further investigation or coordination with another supervisory authority, intermediate information should be given to the data subject to which the complaint has been lodged and which should remain competent to carry out any investigation on the territory of its own Member State in liaison with the competent supervisory authority.

(101b) The supervisory authority receiving a complaint or detecting or being informed otherwise of situations that entail possible infringements of the Regulation should seek an amicable settlement and, if this proves unsuccessful, exercise its full range of powers in

cases where another supervisory authority should act as a lead supervisory authority for the processing activities of the controller or processor but the concrete subject matter of a complaint or the possible infringement concerns only processing activities of the controller or processor in the one Member State where the complaint has been lodged or the possible infringement detected and the matter does not substantially affect or is not likely to substantially affect data subjects in other Member States. This should include specific processing carried out in the territory of the Member State of the supervisory authority or with regard to data subjects on the territory of that Member State; or to processing that is carried out in the context of an offer of goods or services specifically aimed at data subjects in the territory of the Member State of the supervisory authority; or that has to be assessed taking into account relevant legal obligations under national law.

COM (2012)0011:

(102) Awareness raising activities by supervisory authorities addressed to the public should include specific measures directed at controllers and processors, including micro, small and medium-sized enterprises, as well as data subjects.

EP Position / First Reading:

(102) Awareness raising activities by supervisory authorities addressed to the public should include specific measures directed at controllers and processors, including micro, small and medium-sized enterprises, as well as data subjects.

Council General Approach:

(102) Awareness raising activities by supervisory authorities addressed to the public should include specific measures directed at controllers and processors, including micro, small and medium-sized enterprises, as well as data subjects individuals in particular in the educational context.

COM (2012)0011:

(103) The supervisory authorities should assist each other in performing their duties and provide mutual assistance, so as to ensure the consistent application and enforcement of this Regulation in the internal market.

EP Position / First Reading:

(103) The supervisory authorities should assist each other in performing their duties and provide mutual assistance, so as to ensure the consistent application and enforcement of this Regulation in the internal market.

Council General Approach:

(103) The supervisory authorities should assist each other in performing their duties tasks and provide mutual assistance, so as to ensure the consistent application and enforcement of this Regulation in the internal market. Where a supervisory authority requesting mutual assistance, in the case of no response of the requested supervisory authority within one month of receiving the request, adopts a provisional measure, such provisional measure should be duly justified and only of a temporary nature.

Commission proposal: (104) Each supervisory authority should have the right to participate in joint operations between supervisory authorities. The requested supervisory authority should be obliged to respond to the request in a defined time period.

EP Position / First Reading: (104) Each supervisory authority should have the right to participate in joint operations between supervisory authorities. The requested supervisory authority should be obliged to respond to the request in a defined time period.

Council General Approach: (104) Each supervisory authority should have the right to participate in joint operations between supervisory authorities. The requested supervisory authority should be obliged to respond to the request in a defined time period.

Amendment 71

Commission proposal: (105) In order to ensure the consistent application of this Regulation throughout the Union, a consistency mechanism for co-operation between the supervisory authorities themselves and the Commission should be established. This mechanism should in particular apply where a supervisory authority intends to take a measure as regards processing operations that are related to the offering of goods or services to data subjects in several Member States, , or to the monitoring such data subjects, or that might substantially affect the free flow of personal data. It should also apply where any supervisory authority or the Commission requests that the matter should be dealt with in the consistency mechanism. This mechanism should be without prejudice to any measures that the Commission may take in the exercise of its powers under the Treaties.

EP Position / First Reading: (105) In order to ensure the consistent application of this Regulation throughout the Union, a consistency mechanism for co-operation between the supervisory authorities themselves and the Commission should be established. This mechanism should in particular apply where a supervisory authority intends to take a measure as regards processing operations that are related to the offering of goods or services to data subjects in several Member States, or to the monitoring of such data subjects, or that might substantially affect the free flow of personal data. It should also apply where any supervisory authority or the Commission requests that the matter should be dealt with in the consistency mechanism. Furthermore, the data subjects should have the right to obtain consistency, if they deem a measure by a Data Protection Authority of a Member State has not fulfilled this criterion. This mechanism should be without prejudice to any measures that the Commission may take in the exercise of its powers under the Treaties.

Council General Approach: (105) In order to ensure the consistent application of this Regulation throughout the Union, a consistency mechanism for co-operation between the supervisory authorities themselves and the Commission should be established. This mechanism should in particular apply where a supervisory authority intends to take adopt a measure intended to produce legal effects as regards processing operations that are related to the offering of goods or services to data subjects in several Member States, , or to the monitoring such data subjects, or that might which substantially affect a significant number of data subjects in several Member States. the free flow of personal data. It should also apply where any concerned supervisory authority or the Commission requests that the such matter should be dealt with in the consistency mechanism. This mechanism should be without prejudice to any measures that the Commission may take in the exercise of its powers under the Treaties.

Commission proposal: (106) In application of the consistency mechanism, the European Data Protection Board should, within a determined period of time, issue an opinion, if a simple majority of its members so decides or if so requested by any supervisory authority or the Commission.

EP Position / First Reading: (106) In application of the consistency mechanism, the European Data Protection Board should, within a determined period of time, issue an opinion, if a simple majority of its members so decides or if so requested by any supervisory authority or the Commission.

Council General Approach: (106) In application of the consistency mechanism, the European Data Protection Board should, within a determined period of time, issue an opinion, if a simple majority of its members so decides or if so requested by any concerned supervisory authority concerned or the Commission. The European Data Protection Board should also be empowered to adopt legally binding decisions in case of disputes between supervisory authorities. For that purposes it should issue, in principle with a two-third majority of its members, legally binding decisions in clearly defined cases where there are conflicting views among supervisory authorities in particular in the cooperation mechanism between the lead supervisory authority and concerned supervisory authorities on the merits of the case, notably whether there is an infringement of this Regulation or not.

Amendment 72

EP Position / First Reading: (106a) In order to ensure the consistent application of this Regulation, the European Data Protection Board may in individual cases adopt a decision which is binding on the competent supervisory authorities.

Amendment 73

Commission proposal: (107) In order to ensure compliance with this Regulation, the Commission may adopt an opinion on this matter, or a decision, requiring the supervisory authority to suspend its draft measure.

EP Position / First Reading: deleted

Council General Approach: deleted

Commission proposal: (108) There may be an urgent need to act in order to protect the interests of data subjects, in particular when the danger exists that the enforcement of a right of a data subject could be considerably impeded. Therefore, a supervisory authority should be able to adopt provisional measures with a specified period of validity when applying the consistency mechanism.

EP Position / First Reading: (108) There may be an urgent need to act in order to protect the interests of data subjects, in particular when the danger exists that the enforcement of a right of a data subject could be considerably impeded. Therefore, a supervisory authority should be able to adopt provisional measures with a specified period of validity when applying the consistency mechanism.

Council General Approach: (108) There may be an urgent need to act in order to protect the rights and freedoms interests of data subjects, in particular when the danger exists that the enforcement of a right of a data subject could be considerably impeded. Therefore, a supervisory authority should be able to adopt provisional measures with a specified period of validity when applying the consistency mechanism.

Commission proposal: (109) The application of this mechanism should be a condition for the legal validity and enforcement of the respective decision by a supervisory authority. In other cases of cross-border relevance, mutual assistance and joint investigations might be carried out between the concerned supervisory authorities on a bilateral or multilateral basis without triggering the consistency mechanism.

EP Position / First Reading: (109) The application of this mechanism should be a condition for the legal validity and enforcement of the respective decision by a supervisory authority. In other cases of cross-border relevance, mutual assistance and joint investigations might be carried out between the concerned supervisory authorities on a bilateral or multilateral basis without triggering the consistency mechanism.

Council General Approach: (109) The application of this mechanism should be a condition for the legal validity and enforcement of the respective decision lawfulness of a measure intended to produce legal effects by a supervisory authority in those cases where its application is mandatory. In other cases of cross-border relevance, the co-operation mechanism between the lead supervisory authority and concerned supervisory authorities should be applied and mutual assistance and joint investigations operations might be carried out between the concerned supervisory authorities on a bilateral or multilateral basis without triggering the consistency mechanism.

Amendment 74

Commission proposal: (110) At Union level, a European Data Protection Board should be set up. It should replace the Working Party on the Protection of Individuals with Regard to the Processing of Personal Data established by Directive 95/46/EC. It should consist of a head of a supervisory authority of each Member State and of the European Data Protection Supervisor. The Commission should participate in its activities. The European Data Protection Board should contribute to the consistent application of this Regulation throughout the Union, including by advising the Commission and promoting co-operation of the supervisory authorities throughout the Union. The European Data Protection Board should act independently when exercising its tasks.

EP Position / First Reading: (110) At Union level, a European Data Protection Board should be set up. It should replace the Working Party on the Protection of Individuals with Regard to the Processing of Personal Data established by Directive 95/46/EC. It should consist of a head of a supervisory authority of each Member State and of the European Data Protection Supervisor. The Commission should participate in its activities. The European Data Protection Board should contribute to the consistent application of this Regulation throughout the Union, including by advising the Commission institutions of the Union and promoting co-operation of the supervisory authorities throughout the Union, including the coordination of joint operations. The European Data Protection Board should act independently when exercising its tasks. The European Data Protection Board should strengthen the dialogue with concerned stakeholders such as data subjects’ associations, consumer organisations, data controllers and other relevant stakeholders and experts.

Council General Approach: (110) In order to promote the consistent application of this Regulation, At Union level, a the European Data Protection Board should be set up as an independent body of the Union. To fulfil its objectives, the European Data Protection Board should have legal personality. The European Data Protection Board should be represented by its Chair. It should replace the Working Party on the Protection of Individuals with Regard to the Processing of Personal Data established by Directive 95/46/EC. It should consist of a head of a supervisory authority of each Member State or his or her representative and of. the The Commission and the European Data Protection Supervisor. The Commission should participate in its activities without voting rights. The European Data Protection Board should contribute to the consistent application of this Regulation throughout the Union, including by advising the Commission, in particular on the level of protection in third countries or international organisations, and promoting co-operation of the supervisory authorities throughout the Union. The European Data Protection Board should act independently when exercising its tasks.

Council General Approach: (110a) The European Data Protection Board should be assisted by a secretariat provided by the secretariat of the European Data Protection Supervisor. The staff of the secretariat of the European Data Protection Supervisor involved in carrying out the tasks conferred on the European Data Protection Board by this Regulation should perform its tasks exclusively under the instructions of, and report to the Chair of the European Data Protection Board. Organisational separation of staff should concern all services needed for the independent functioning of the European Data Protection Board.

Amendment 75

Commission proposal: (111) Every data subject should have the right to lodge a complaint with a supervisory authority in any Member State and have the right to a judicial remedy if they consider that their rights under this Regulation are infringed or where the supervisory authority does not react on a complaint or does not act where such action is necessary to protect the rights of the data subject.

EP Position / First Reading: (111) Every data Data subject subjects should have the right to lodge a complaint with a supervisory authority in any Member State and have the right to a an effective judicial remedy in accordance with Article 47 of the Charter of Fundamental Rights if they consider that their rights under this Regulation are infringed or where the supervisory authority does not react on a complaint or does not act where such action is necessary to protect the rights of the data subject.

Council General Approach: (111) Every data subject should have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, in any Member State and have the right to an effective judicial remedy in accordance with Article 47 of the Charter of Fundamental Rights if the data subject if they considers that their his or her rights under this Regulation are infringed or where the supervisory authority does not react on a complaint, partially or wholly rejects or dismisses a complaint or does not act where such action is necessary to protect the rights of the data subject. The investigation following a complaint should be carried out, subject to judicial review, to the extent that is appropriate in the specific case. The supervisory authority should inform the data subject of the progress and the outcome of the complaint within a reasonable period. If the case requires further investigation or coordination with another supervisory authority, intermediate information should be given to the data subject. In order to facilitate the submission of complaints, each supervisory authority should take measures such as providing a complaint submission form which can be completed also electronically, without excluding other means of communication.

Amendment 76

Commission proposal: (112) Any body, organisation or association which aims to protects the rights and interests of data subjects in relation to the protection of their data and is constituted according to the law of a Member State should have the right to lodge a complaint with a supervisory authority or exercise the right to a judicial remedy on behalf of data subjects, or to lodge, independently of a data subject's complaint, an own complaint where it considers that a personal data breach has occurred.

EP Position / First Reading: (112) Any body, organisation or association which aims to protects the rights and interests of data subjects in relation to the protection of their data acts in the public interest and is constituted according to the law of a Member State should have the right to lodge a complaint with a supervisory authority on behalf of data subjects with their consent or exercise the right to a judicial remedy on behalf of if mandated by the data subjects subject, or to lodge, independently of a data subject's complaint, an own complaint where it considers that a personal data breach of this Regulation has occurred.

Council General Approach: (112) Where a data subject considers that his or her rights under this Regulation are infringed, he or she should have the right to mandate a Any body, organisation or association which aims to protects the rights and interests of data subjects in relation to the protection of their data and is constituted according to the law of a Member State, should have the right to lodge a complaint on his or her behalf with a supervisory authority or exercise the right to a judicial remedy on behalf of data subjects. Member States may provide that such a body, organisation or association should have the right, or to lodge, independently of a data subject's mandate, in such Member State a complaint, and/or have the right to an own effective judicial remedy complaint where it has reasons to considers that the rights of a data subject have been infringed as a result of the processing of a personal data breach has occurred which is not in compliance with this Regulation. This body, organisation or association may not be allowed to claim compensation on a data subject's behalf.

Commission proposal: (113) Each natural or legal person should have the right to a judicial remedy against decisions of a supervisory authority concerning them. Proceedings against a supervisory authority should be brought before the courts of the Member State, where the supervisory authority is established.

EP Position / First Reading: (113) Each natural or legal person should have the right to a judicial remedy against decisions of a supervisory authority concerning them. Proceedings against a supervisory authority should be brought before the courts of the Member State, where the supervisory authority is established.

Council General Approach: (113) Each Any natural or legal person should have has the right to bring an action for annulment of decisions of the European Data Protection Board before the Court of Justice of the European Union (the “Court of Justice”) under the conditions provided for in Article 263 TFEU. As addressees of such decisions, the concerned supervisory authorities who wish to challenge them, have to bring action within two months of their notification to them, in accordance with Article 263 TFEU. Where decisions of the European Data Protection Board are of direct and individual concern to a controller, processor or the complainant, the latter may bring an action for annulment against those decisions and they should do so within two months of their publication on the website of the European Data Protection Board, in accordance with Article 263 TFEU. Without prejudice to this right under Article 263 TFEU, each natural or legal person should have an effective judicial remedy before the competent national court against a decisions of a supervisory authority which produces legal effects concerning them this person.

Such a decision concerns in particular the exercise of investigative, corrective and authorisation powers by the supervisory authority or the dismissal or rejection of complaints. However, this right does not encompass other measures of supervisory authorities which are not legally binding, such as opinions issued by or advice provided by the supervisory authority. Proceedings against a supervisory authority should be brought before the courts of the Member State, where the supervisory authority is established and should be conducted in accordance with the national procedural law of that Member State. Those courts should exercise full jurisdiction which should include jurisdiction to examine all questions of fact and law relevant to the dispute before it. Where a complaint has been rejected or dismissed by a supervisory authority, the complainant may bring proceedings to the courts in the same Member State. In the context of judicial remedies relating to the application of this Regulation, national courts which consider a decision on the question necessary to enable them to give judgment, may, or in the case provided for in Article 267 TFEU, must, request the Court of Justice to give a preliminary ruling on the interpretation of Union law including this Regulation.

Furthermore, where a decision of a supervisory authority implementing a decision of the European Data Protection Board is challenged before a national court and the validity of the decision of the European Data Protection Board is at issue, that national court does not have the power to declare the European Data Protection Board's decision invalid but must refer the question of validity to the Court of Justice in accordance with Article 267 TFEU as interpreted by the Court of Justice in the Foto-frost case 7, whenever it considers the decision invalid. However, a national court may not refer a question on the validity of the decision of the European Data Protection Board at the request of a natural or legal person which had the opportunity to bring an action for annulment of that decision, in particular if it was directly and individually concerned by that decision, but had not done so within the period laid down by Article 263 TFEU.

7 Case C-314/85

Council General Approach: (113a) Where a court seized with a proceeding against a decision of a supervisory authority has reason to believe that proceedings concerning the same processing such as the same subject matter as regards processing of the same controller or processor activities or the same cause of action are brought before a competent court in another Member State, it should contact that court in order to confirm the existence of such related proceedings. If related proceedings are pending before a court in another Member State, any court other than the court first seized may stay its proceedings or may, on request of one of the parties, decline jurisdiction in favour of the court first seized if the latter has jurisdiction over the proceedings in question and its law permits the consolidation of such related proceedings. Proceedings are deemed to be related where they are so closely connected that it is expedient to hear and determine them together to avoid the risk of irreconcilable judgments resulting from separate proceedings.

Amendment 77

Commission proposal: (114) In order to strengthen the judicial protection of the data subject in situations where the competent supervisory authority is established in another Member State than the one where the data subject is residing, the data subject may request any body, organisation or association aiming to protect the rights and interests of data subjects in relation to the protection of their data to bring on the data subject's behalf proceedings against that supervisory authority to the competent court in the other Member State.

EP Position / First Reading: (114) In order to strengthen the judicial protection of the data subject in situations where the competent supervisory authority is established in another Member State than the one where the data subject is residing, the data subject may request mandate any body, organisation or association aiming to protect the rights and interests of data subjects in relation to the protection of their data acting in the public interest to bring on the data subject's behalf proceedings against that supervisory authority to the competent court in the other Member State.

Council General Approach: deleted

Amendment 78

Commission proposal: (115) In situations where the competent supervisory authority established in another Member State does not act or has taken insufficient measures in relation to a complaint, the data subject may request the supervisory authority in the Member State of his or her habitual residence to bring proceedings against that supervisory authority to the competent court in the other Member State. The requested supervisory authority may decide, subject to judicial review, whether it is appropriate to follow the request or not.

EP Position / First Reading: (115) In situations where the competent supervisory authority established in another Member State does not act or has taken insufficient measures in relation to a complaint, the data subject may request the supervisory authority in the Member State of his or her habitual residence to bring proceedings against that supervisory authority to the competent court in the other Member State. This does not apply to non-EU residents. The requested supervisory authority may decide, subject to judicial review, whether it is appropriate to follow the request or not.

Council General Approach: deleted

Amendment 79

Commission proposal: (116) For proceedings against a controller or processor, the plaintiff should have the choice to bring the action before the courts of the Member States where the controller or processor has an establishment or where the data subject resides, unless the controller is a public authority acting in the exercise of its public powers.

EP Position / First Reading: (116) For proceedings against a controller or processor, the plaintiff should have the choice to bring the action before the courts of the Member States where the controller or processor has an establishment or, in case of EU residence, where the data subject resides, unless the controller is a public authority of the Union or a Member State acting in the exercise of its public powers.

Council General Approach: (116) For proceedings against a controller or processor, the plaintiff should have the choice to bring the action before the courts of the Member States where the controller or processor has an establishment or where the data subject resides, unless the controller is a public authority acting in the exercise of its public powers.

Commission proposal: (117) Where there are indications that parallel proceedings are pending before the courts in different Member States, the courts should be obliged to contact each other. The courts should have the possibility to suspend a case where a parallel case is pending in another Member State. Member States should ensure that court actions, in order to be effective, should allow the rapid adoption of measures to remedy or prevent an infringement of this Regulation.

EP Position / First Reading: (117) Where there are indications that parallel proceedings are pending before the courts in different Member States, the courts should be obliged to contact each other. The courts should have the possibility to suspend a case where a parallel case is pending in another Member State. Member States should ensure that court actions, in order to be effective, should allow the rapid adoption of measures to remedy or prevent an infringement of this Regulation.

Council General Approach: deleted

Amendment 80

Commission proposal: (118) Any damage which a person may suffer as a result of unlawful processing should be compensated by the controller or processor, who may be exempted from liability if they prove that they are not responsible for the damage, in particular where he establishes fault on the part of the data subject or in case of force majeure.

EP Position / First Reading: (118) Any damage, whether pecuniary or not, which a person may suffer as a result of unlawful processing should be compensated by the controller or processor, who may be exempted from liability only if they prove he proves that they are he is not responsible for the damage, in particular where he establishes fault on the part of the data subject or in case of force majeure.

Council General Approach: (118) Any damage which a person may suffer as a result of unlawful processing that is not in compliance with this Regulation should be compensated by the controller or processor, who may should be exempted from liability if they prove that they are not in any way responsible for the damage, in particular where he establishes fault on the part of the data subject or in case of force majeure. The concept of damage should be broadly interpreted in the light of the case law of the Court of Justice of the European Union in a manner which fully reflects the objectives of this Regulation. This is without prejudice to any claims for damage deriving from the violation of other rules in Union or Member State law.

When reference is made to a processing that is not in compliance with this Regulation it also covers processing that is not in compliance with delegated and implementing acts adopted in accordance with this Regulation and national law specifying rules of this Regulation.

Data subjects should receive full and effective compensation for the damage they have suffered. Where controllers or processors are involved in the same processing each controller or processor should be held liable for the entire damage. However, where they are joined to the same judicial proceedings, in accordance with national law, compensation may be apportioned according to the responsibility of each controller or processor for the damage caused by the processing, provided that full and effective compensation of the data subject who suffered the damage is ensured. Any controller or processor who has paid full compensation, may subsequently institute recourse proceedings against other controllers or processors involved in the same processing.

Council General Approach: (118a) Where specific rules on jurisdiction are contained in this Regulation, in particular as regards proceedings seeking a judicial remedy including compensation, against a controller or processor, general jurisdiction rules such as those of Regulation (EU) No 1215/2012 should not prejudice the application of such specific rules.

Council General Approach: (118b) In order to strengthen the enforcement of the rules of this Regulation, penalties and administrative fines may be imposed for any infringement of the Regulation, in addition to, or instead of appropriate measures imposed by the supervisory authority pursuant to this Regulation. In a case of a minor infringement or if the fine likely to be imposed would constitute a disproportionate burden to a natural person, a reprimand may be issued instead of a fine. Due regard should however be given to the nature, gravity and duration of the infringement, the intentional character of the infringement, actions taken to mitigate the damage suffered, degree of responsibility or any relevant previous infringements, the manner in which the infringement became known to the supervisory authority, compliance with measures ordered against the controller or processor, adherence to a code of conduct and any other aggravating or mitigating factor.

The imposition of penalties and administrative fines should be subject to adequate procedural safeguards in conformity with general principles of Union law and the Charter of Fundamental Rights, including effective judicial protection and due process. Where the national law of a Member State does not provide for administrative fines, such Member State may abstain from providing administrative fines for infringements of this Regulation that are already subject to criminal sanctions in their national law ensuring that these criminal sanctions are effective, proportionate and dissuasive, taking into account the level of administrative fines provided for in this Regulation.

Amendment 81

Commission proposal: (119) Penalties should be imposed to any person, whether governed by private or public law, who fails to comply with this Regulation. Member States should ensure that the penalties should be effective, proportionate and dissuasive and should take all measures to implement the penalties.

EP Position / First Reading: (119) Penalties should be imposed to any person, whether governed by private or public law, who fails to comply with this Regulation. Member States should ensure that the penalties should be effective, proportionate and dissuasive and should take all measures to implement the penalties. The rules on penalties should be subject to appropriate procedural safeguards in conformity with the general principles of Union law and the Charter of Fundamental Rights, including those concerning the right to an effective judicial remedy, due process and the principle of ne bis in idem.

Council General Approach: (119) Member States may lay down the rules on criminal sanctions for infringements of this Regulation, including for infringements of national rules adopted pursuant to and within the limits of Penalties should be imposed to any person, whether governed by private or public law, who fails to comply with this Regulation. These criminal sanctions may also allow for the deprivation of the profits obtained through infringements of this Regulation. However, the imposition of criminal sanctions for infringements of such national rules and of administrative sanctions Member States should ensure that the penalties should be effective, proportionate and dissuasive and should take all measures to implement the penalties. not lead to the breach of the principle of ne bis in idem, as interpreted by the Court of Justice.

Amendment 82

EP Position / First Reading: (119a) In applying penalties, Member States should show full respect for appropriate procedural safeguards, including the right to an effective judicial remedy, due process, and the principle of ne bis in idem.

Commission proposal and EP first reading Position (identical text): (120) In order to strengthen and harmonise administrative sanctions against infringements of this Regulation, each supervisory authority should have the power to sanction administrative offences. This Regulation should indicate these offences and the upper limit for the related administrative fines, which should be fixed in each individual case proportionate to the specific situation, with due regard in particular to the nature, gravity and duration of the breach. The consistency mechanism may also be used to cover divergences in the application of administrative sanctions.

Council General Approach: (120) In order to strengthen and harmonise administrative sanctions penalties against infringements of this Regulation, each supervisory authority should have the power to impose sanction administrative offences fines. This Regulation should indicate these offences and, the upper limit and criteria for fixing the related administrative fines, which should be fixed determined by the competent supervisory authority in each individual case, taking into account all relevant circumstances of proportionate to the specific situation, with due regard in particular to the nature, gravity and duration of the breach and of its consequences and the measures taken to ensure compliance with the obligations under the Regulation and to prevent or mitigate the consequences of the infringement. Where the fines are imposed on persons that are not a commercial undertaking, the supervisory authority should take account of the general level of income in the Member State in considering the appropriate amount of fine. The consistency mechanism may also be used to promote a consistent cover divergences in the application of administrative sanctions fines. It should be for the Member States to determine whether and to which extent public authorities should be subject to administrative fines. Imposing an administrative fine or giving a warning does not affect the application of other powers of the supervisory authorities or of other sanctions under the Regulation.

(120a) Where this Regulation does not harmonise administrative penalties or where necessary in other cases, for example in cases of serious infringements of the Regulation, Member States should implement a system which provides for effective, proportionate and dissuasive penalties. The nature of such penalties (criminal or administrative) should be determined by national law.

Amendment 83

Commission proposal: (121) The processing of personal data solely for journalistic purposes, or for the purposes of artistic or literary expression should qualify for exemption from the requirements of certain provisions of this Regulation in order to reconcile the right to the protection of personal data with the right to freedom of expression, and notably the right to receive and impart information, as guaranteed in particular by Article 11 of the Charter of Fundamental Rights of the European Union. This should apply in particular to processing of personal data in the audiovisual field and in news archives and press libraries. Therefore, Member States should adopt legislative measures, which should lay down exemptions and derogations which are necessary for the purpose of balancing these fundamental rights. Such exemptions and derogations should be adopted by the Member States on general principles, on the rights of the data subject, on controller and processor, on the transfer of data to third countries or international organisations, on the independent supervisory authorities and on co-operation and consistency. This should not, however, lead Member States to lay down exemptions from the other provisions of this Regulation. In order to take account of the importance of the right to freedom of expression in every democratic society, it is necessary to interpret notions relating to that freedom, such as journalism, broadly. Therefore, Member States should classify activities as ‘journalistic’ for the purpose of the exemptions and derogations to be laid down under this Regulation if the object of these activities is the disclosure to the public of information, opinions or ideas, irrespective of the medium which is used to transmit them. They should not be limited to media undertakings and may be undertaken for profit-making or for non-profit making purposes.

EP first reading Position: (121) The processing of personal data solely for journalistic purposes, or for the purposes of artistic or literary expression should qualify for exemption Whenever necessary, exemptions or derogations from the requirements of certain provisions of this Regulation for the processing of personal data should be provided for in order to reconcile the right to the protection of personal data with the right to freedom of expression, and notably the right to receive and impart information, as guaranteed in particular by Article 11 of the Charter of Fundamental Rights of the European Union. This should apply in particular to processing of personal data in the audiovisual field and in news archives and press libraries. Therefore, Member States should adopt legislative measures, which should lay down exemptions and derogations which are necessary for the purpose of balancing these fundamental rights. Such exemptions and derogations should be adopted by the Member States on general principles, on the rights of the data subject, on controller and processor, on the transfer of data to third countries or international organisations, on the independent supervisory authorities, and on co-operation and consistency and on specific data processing situations. This should not, however, lead Member States to lay down exemptions from the other provisions of this Regulation. In order to take account of the importance of the right to freedom of expression in every democratic society, it is necessary to interpret notions relating to that freedom, such as journalism, broadly. Therefore, Member States should classify activities as "journalistic" for the purpose of the exemptions and derogations to be laid down under this Regulation if the object of these to cover all activities is which aim at the disclosure to the public of information, opinions or ideas, irrespective of the medium which is used to transmit them, also taking into account technological development. They should not be limited to media undertakings and may be undertaken for profit-making or for non-profit making purposes.

Council General Approach: (121) Member States law should reconcile the rules governing freedom of expression and information, including journalistic, academic, artistic and or literary expression with the right to the protection of personal data pursuant to this Regulation. The processing of personal data solely for journalistic purposes, or for the purposes of academic, artistic or literary expression should be subject to qualify for exemption from the requirements of certain provisions of this Regulation in order to reconcile the right to the protection of personal data with the right to freedom of expression, and notably the right to receive and impart information, as guaranteed in particular by Article 11 of the Charter of Fundamental Rights of the European Union. derogations or exemptions from certain provisions of this Regulation if necessary to reconcile the right to the protection of personal data, with the right to freedom of expression and information, as guaranteed by Article 11 of the Charter of Fundamental Rights of the European Union. This should apply in particular to processing of personal data in the audiovisual field and in news archives and press libraries. Therefore, Member States should adopt legislative measures, which should lay down exemptions and derogations which are necessary for the purpose of balancing these fundamental rights. Such exemptions and derogations should be adopted by the Member States on general principles, on the rights of the data subject, on controller and processor, on the transfer of data to third countries or international organisations, on the independent supervisory authorities and on co-operation and consistency. In case these exemptions or derogations differ from one Member State to another, the national law of the Member State to which the controller is subject should apply. This should not, however, lead Member States to lay down exemptions from the other provisions of this Regulation. In order to take account of the importance of the right to freedom of expression in every democratic society, it is necessary to interpret notions relating to that freedom, such as journalism, broadly. Therefore, Member States should classify activities as ‘journalistic’ for the purpose of the exemptions and derogations to be laid down under this Regulation if the object of these activities is the disclosure to the public of information, opinions or ideas, irrespective of the medium which is used to transmit them. They should not be limited to media undertakings and may be undertaken for profit-making or for non-profit making purposes. In order to take account of the importance of the right to freedom of expression in every democratic society, it is necessary to interpret notions relating to that freedom, such as journalism, broadly.

(121a) This Regulation allows the principle of public access to official documents to be taken into account when applying the provisions set out in this Regulation. Public access to official documents may be considered as a public interest. Personal data in documents held by a public authority or a public body should be able to be publicly disclosed by this authority or body if the disclosure is provided for by Union law or Member State law to which the public authority or public body is subject. Such laws should reconcile public access to official documents and the reuse of public sector information with the right to the protection of personal data and may therefore provide for the necessary derogations from the rules of this regulation. The reference to public authorities and bodies should in this context include all authorities or other bodies covered by Member State law on public access to documents. Directive 2003/98/EC of the European Parliament and of the Council of 17 November 2003 on the re-use of public sector information leaves intact and in no way affects the level of protection of individuals with regard to the processing of personal data under the provisions of Union and national law, and in particular does not alter the obligations and rights set out in this Regulation. In particular, that Directive should not apply to documents access to which is excluded or restricted by virtue of the access regimes on the grounds of protection of personal data, and parts of documents accessible by virtue of those regimes which contain personal data the re-use of which has been defined by law as being incompatible with the law concerning the protection of individuals with regard to the processing of personal data.

Commission proposal and EP first reading Position (identical text): (122) The processing of personal data concerning health, as a special category of data which deserves higher protection, may often be justified by a number of legitimate reasons for the benefit of individuals and society as a whole, in particular in the context of ensuring continuity of cross-border healthcare. Therefore this Regulation should provide for harmonised conditions for the processing of personal data concerning health, subject to specific and suitable safeguards so as to protect the fundamental rights and the personal data of individuals. This includes the right for individuals to have access to their personal data concerning their health, for example the data in their medical records containing such information as diagnosis, examination results, assessments by treating physicians and any treatment or interventions provided.

Council General Approach: (122) deleted

Amendment 84

(122a) A professional who processes personal data concerning health should receive, if possible, anonymised or pseudonymised data, leaving the knowledge of the identity only to the General general Practitioner practitioner or to the Specialist specialist who has requested such data processing.

Amendment 85

Commission proposal: (123) The processing of personal data concerning health may be necessary for reasons of public interest in the areas of public health, without consent of the data subject. In that context, ‘public health’ should be interpreted as defined in Regulation (EC) No 1338/2008 of the European Parliament and of the Council of 16 December 2008 on Community statistics on public health and health and safety at work, meaning all elements related to health, namely health status, including morbidity and disability, the determinants having an effect on that health status, health care needs, resources allocated to health care, the provision of, and universal access to, health care as well as health care expenditure and financing, and the causes of mortality. Such processing of personal data concerning health for reasons of public interest should not result in personal data being processed for other purposes by third parties such as employers, insurance and banking companies.

EP first reading Position: (123) The processing of personal data concerning health may be necessary for reasons of public interest in the areas of public health, without consent of the data subject. In that context, ‘public health’ should be interpreted as defined in Regulation (EC) No 1338/2008 of the European Parliament and of the Council 1 of 16 December 2008 on Community statistics on public health and health and safety at work, meaning all elements related to health, namely health status, including morbidity and disability, the determinants having an effect on that health status, health care needs, resources allocated to health care, the provision of, and universal access to, health care as well as health care expenditure and financing, and the causes of mortality. Such processing of personal data concerning health for reasons of public interest should not result in personal data being processed for other purposes by third parties such as employers, insurance and banking companies.

Council General Approach: (123) deleted

________________________

1b Regulation (EC) No 1338/2008 of the European Parliament and of the Council of 16 December 2008 on Community statistics on public health and health and safety at work (OJ L 354, 31.12.2008, p. 70).

Amendment 86

(123a) The processing of personal data concerning health, as a special category of data, may be necessary for reasons of historical, statistical or scientific research. Therefore this Regulation foresees an exemption from the requirement of consent in cases of research that serves a high public interest.

Amendment 87

Commission proposal: (124) The general principles on the protection of individuals with regard to the processing of personal data should also be applicable to the employment context. Therefore, in order to regulate the processing of employees' personal data in the employment context, Member States should be able, within the limits of this Regulation, to adopt by law specific rules for the processing of personal data in the employment sector.

EP first reading Position: (124) The general principles on the protection of individuals with regard to the processing of personal data should also be applicable to the employment and the social security context. Therefore, in order Member States should be able to regulate the processing of employees' personal data in the employment and the processing of personal data in the social security context in accordance with the rules and minimum standards set out in, Member States should be able, within the limits of this Regulation, to adopt by law specific rules for. Where a statutory basis is provided in the Member State in question for the regulation of employment matters by agreement between employee representatives and the management of the undertaking or the controlling undertaking of a group of undertakings (collective agreement) or under Directive 2009/38/EC of the European Parliament and of the Council 1, the processing of personal data in the an employment sector context may also be regulated by such an agreement.

Council General Approach: (124) The general principles on the protection of individuals with regard to the processing of personal data should also be applicable to the employment context. Therefore, in order to regulate the processing of employees' personal data in the employment context, Member States should be able, within the limits of this Regulation, to adopt by law specific rules for the processing of personal data in the employment sector. National law or collective agreements (including 'works agreements') may provide for specific rules on the processing of employees' personal data in the employment context, in particular for the purposes of the recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organisation of work, equality and diversity in the workplace, health and safety at work, and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship.

_________________

1 Directive 2009/38/EC of the European Parliament and of the Council of 6 May 2009 on the establishment of a European Works Council or a procedure in Community-scale undertakings and Community-scale groups of undertakings for the purposes of informing and consulting employees (OJ L 122, 16.5.2009, p. 28).

Commission proposal and EP first reading Position (identical text): (125) The processing of personal data for the purposes of historical, statistical or scientific research should, in order to be lawful, also respect other relevant legislation such as on clinical trials.

Council General Approach: (125) The processing of personal data for the purposes of historical, statistical or scientific research purposes and for archiving purposes in the public interest should, in addition to the general principles and specific rules of this Regulation, in particular as regards the conditions for in order to be lawful processing, also comply with respect to other relevant legislation such as on clinical trials. The further processing of personal data for historical, statistical and scientific purposes and for archiving purposes in the public interest should not be considered incompatible with the purposes for which the data are initially collected and may be processed for those purposes for a longer period than necessary for that initial purpose. Member States should be authorised to provide, under specific conditions and in the presence of appropriate safeguards for data subjects, specifications and derogations to the information requirements and the rights to access, rectification, erasure, to be forgotten, restriction of processing and on the right to data portability and the right to object when processing personal data for historical, statistical or scientific purposes and for archiving purposes. The conditions and safeguards in question may entail specific procedures for data subjects to exercise those rights if this is appropriate in the light of the purposes sought by the specific processing along with technical and organisational measures aimed at minimising the processing of personal data in pursuance of the proportionality and necessity principles.

Amendment 88

(125a) Personal data may also be processed subsequently by archive services whose main or mandatory task is to collect, conserve, provide information about, exploit and disseminate archives in the public interest. Member State legislation should reconcile the right to the protection of personal data with the rules on archives and on public access to administrative information. Member States should encourage the drafting, in particular by the European Archives Group, of rules to guarantee the confidentiality of data vis-à-vis third parties and the authenticity, integrity and proper conservation of data.

(125aa) By coupling information from registries, researchers can obtain new knowledge of great value when it comes to e.g. widespread diseases as cardiovascular disease, cancer, depression etc. On the basis of registries, research results can be enhanced, as they draw on a larger population. Within social science, research on the basis of registries enables researchers to obtain essential knowledge about long-term impact of a number of social conditions e.g. unemployment, education, and the coupling of this information to other life conditions. Research results obtained on the basis of registries provide solid, high quality knowledge, which can provide the basis for the formulation and implementation of knowledge-based policy, improve the quality of life for a number of people, and improve the efficiency of social services etc.

In order to facilitate scientific research, personal data can be processed for scientific purposes subject to appropriate conditions and safeguards set out in Member State or Union law. Hence consent from the data subject should not be necessary for each further processing for scientific purposes.

(125b) 'The importance of archives for the understanding of the history and culture of Europe' and 'that well-kept and accessible archives contribute to the democratic function of our societies', were underlined by Council Resolution of 6 May 2003 on archives in the Member States 8.

Where personal data are processed for archiving purposes, this Regulation should also apply to that processing, bearing in mind that this Regulation should not apply to deceased persons.

Public authorities or public or private bodies that hold records of public interest should be services which, pursuant to Union or Member State law, have a legal obligation to acquire, preserve, appraise, arrange, describe, communicate, promote, disseminate and provide access to records of enduring value for general public interest. Member States should also be authorised to provide that personal data may be further processed for archiving purposes, for example with a view to providing specific information related to the political behaviour under former totalitarian state regimes.

8 OJ C 113, 13.5.2003, p.2.

Amendment 89

Commission proposal: (126) Scientific research for the purposes of this Regulation should include fundamental research, applied research, and privately funded research and in addition should take into account the Union's objective under Article 179(1) of the Treaty on the Functioning of the European Union of achieving a European Research Area.

EP first reading Position: (126) Scientific research for the purposes of this Regulation should include fundamental research, applied research, and privately funded research and in addition should take into account the Union's objective under Article 179(1) of the Treaty on the Functioning of the European Union of achieving a European Research Area. The processing of personal data for historical, statistical and scientific research purposes should not result in personal data being processed for other purposes, unless with the consent of the data subject or on the basis of Union or Member State law.

Council General Approach: (126) Where personal data are processed for Sscientific research for the purposes, of this Regulation should also apply to that processing. For the purposes of this Regulation, processing of personal data for scientific purposes should include fundamental research, applied research, and privately funded research and in addition should take into account the Union's objective under Article 179(1) of the Treaty on the Functioning of the European Union of achieving a European Research Area. Scientific purposes should also include studies conducted in the public interest in the area of public health. To meet the specificities of processing personal data for scientific purposes specific conditions should apply in particular as regards the publication or otherwise disclosure of personal data in the context of scientific purposes. If the result of scientific research in particular in the health context gives reason for further measures in the interest of the data subject, the general rules of this Regulation should apply in view of those measures.

(126a) Where personal data are processed for historical purposes, this Regulation should also apply to that processing. This should also include historical research and research for genealogical purposes, bearing in mind that this Regulation should not apply to deceased persons.

(126b) For the purpose of consenting to the participation in scientific research activities in clinical trials the relevant provisions of Regulation (EU) No. 536/2014 of the European Parliament and of the Council should apply.

(126c) Where personal data are processed for statistical purposes, this Regulation should apply to that processing. Union law or Member State law should, within the limits of this Regulation, determine statistical content, control of access, specifications for the processing of personal data for statistical purposes and appropriate measures to safeguard the rights and freedoms of the data subject and for guaranteeing statistical confidentiality.

(126d) The confidential information which the Union and national statistical authorities collect for the production of official European and official national statistics should be protected. European statistics should be developed, produced and disseminated in conformity with the statistical principles as set out in Article 338(2) of the Treaty of the Functioning of the European Union, while national statistics should also comply with national law.

Regulation (EC) No 223/2009 of the European Parliament and of the Council of 11 March 2009 on European statistics and repealing Regulation (EC, Euratom) No 1101/2008 of the European Parliament and of the Council on the transmission of data subject to statistical confidentiality to the Statistical Office of the European Communities, Council Regulation (EC) No 322/97 on Community Statistics, and Council Decision 89/382/EEC, Euratom establishing a Committee on the Statistical Programmes of the European Communities provides further specifications on statistical confidentiality for European statistics.

Commission proposal and EP first reading Position (identical text): (127) As regards the powers of the supervisory authorities to obtain from the controller or processor access personal data and access to its premises, Member States may adopt by law, within the limits of this Regulation, specific rules in order to safeguard the professional or other equivalent secrecy obligations, in so far as necessary to reconcile the right to the protection of personal data with an obligation of professional secrecy.

Council General Approach: (127) As regards the powers of the supervisory authorities to obtain from the controller or processor access personal data and access to its premises, Member States may adopt by law, within the limits of this Regulation, specific rules in order to safeguard the professional or other equivalent secrecy obligations, in so far as necessary to reconcile the right to the protection of personal data with an obligation of professional secrecy. This is without prejudice to existing Member State obligations to adopt professional secrecy where required by Union law.

Amendment 90

Commission proposal: (128) This Regulation respects and does not prejudice the status under national law of churches and religious associations or communities in the Member States, as recognised in Article 17 of the Treaty on the Functioning of the European Union. As a consequence, where a church in a Member State applies, at the time of entry into force of this Regulation, comprehensive rules relating to the protection of individuals with regard to the processing of personal data, these existing rules should continue to apply if they are brought in line with this Regulation. Such churches and religious associations should be required to provide for the establishment of a completely independent supervisory authority.

EP first reading Position: (128) This Regulation respects and does not prejudice the status under national law of churches and religious associations or communities in the Member States, as recognised in Article 17 of the Treaty on the Functioning of the European Union. As a consequence, where a church in a Member State applies, at the time of entry into force of this Regulation, comprehensive adequate rules relating to the protection of individuals with regard to the processing of personal data, these existing rules should continue to apply if they are brought in line with this Regulation and recognised as compliant. Such churches and religious associations should be required to provide for the establishment of a completely independent supervisory authority.

Council General Approach: (128) This Regulation respects and does not prejudice the status under existing constitutional national law of churches and religious associations or communities in the Member States, as recognised in Article 17 of the Treaty on the Functioning of the European Union. As a consequence, where a church in a Member State applies, at the time of entry into force of this Regulation, comprehensive rules relating to the protection of individuals with regard to the processing of personal data, these existing rules should continue to apply if they are brought in line with this Regulation. Such churches and religious associations should be required to provide for the establishment of a completely independent supervisory authority.

Amendment 91

COM (2012)0011: (129) In order to fulfil the objectives of this Regulation, namely to protect the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data and to ensure the free movement of personal data within the Union, the power to adopt acts in accordance with Article 290 of the Treaty on the Functioning of the European Union should be delegated to the Commission. In particular, delegated acts should be adopted in respect of lawfulness of processing; specifying the criteria and conditions in relation to the consent of a child; processing of special categories of data; specifying the criteria and conditions for manifestly excessive requests and fees for exercising the rights of the data subject; criteria and requirements for the information to the data subject and in relation to the right of access; the right to be forgotten and to erasure; measures based on profiling; criteria and requirements in relation to the responsibility of the controller and to data protection by design and by default; a processor; criteria and requirements for the documentation and the security of processing; criteria and requirements for establishing a personal data breach and for its notification to the supervisory authority, and on the circumstances where a personal data breach is likely to adversely affect the data subject; the criteria and conditions for processing operations requiring a data protection impact assessment; the criteria and requirements for determining a high degree of specific risks which require prior consultation; designation and tasks of the data protection officer; codes of conduct; criteria and requirements for certification mechanisms; criteria and requirements for transfers by way of binding corporate rules; transfer derogations; administrative sanctions; processing for health purposes; processing in the employment context and processing for historical, statistical and scientific research purposes. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level. The Commission, when preparing and drawing-up delegated acts, should ensure a simultaneous, timely and appropriate transmission of relevant documents to the European Parliament and Council.

EP Position / First Reading: (129) In order to fulfil the objectives of this Regulation, namely to protect the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data and to ensure the free movement of personal data within the Union, the power to adopt acts in accordance with Article 290 of the Treaty on the Functioning of the European Union should be delegated to the Commission. In particular, delegated acts should be adopted in respect of lawfulness of processing; specifying the criteria and conditions in relation to the consent of a child; processing of special categories of data; specifying the criteria and conditions for manifestly excessive requests and fees for exercising the rights of the data subject; criteria and requirements for the information to the data subject and in relation to the right of access conditions of icon-based mode for provision of information; the right to be forgotten and to erasure; measures based on profiling; criteria and requirements in relation to the responsibility of the controller and to data protection by design and by default; a processor; criteria and requirements for the documentation and the security of processing; criteria and requirements for establishing a personal data breach and for its notification to the supervisory authority, and on the circumstances where a personal data breach is likely to adversely affect the data subject; the criteria and conditions for processing operations requiring a data protection impact assessment; the criteria and requirements for determining a high degree of specific risks which require prior consultation; designation and tasks of the data protection officer; declaring that codes of conduct are in line with this Regulation; criteria and requirements for certification mechanisms; the adequate level of protection afforded by a third country or an international organisation; criteria and requirements for transfers by way of binding corporate rules; transfer derogations; administrative sanctions; processing for health purposes; and processing in the employment context and processing for historical, statistical and scientific research purposes. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level, in particular with the European Data Protection Board. The Commission, when preparing and drawing-up delegated acts, should ensure a simultaneous, timely and appropriate transmission of relevant documents to the European Parliament and to the Council.

Council General Approach: (129) In order to fulfil the objectives of this Regulation, namely to protect the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data and to ensure the free movement of personal data within the Union, the power to adopt acts in accordance with Article 290 of the Treaty on the Functioning of the European Union should be delegated to the Commission. In particular, delegated acts should be adopted in respect of lawfulness of processing; specifying the criteria and conditions in relation to the consent of a child; processing of special categories of data; specifying the criteria and conditions for manifestly excessive requests and fees for exercising the rights of the data subject; criteria and requirements for the information to the data subject and in relation to the right of access; the right to be forgotten and to erasure; measures based on profiling; criteria and requirements in relation to the responsibility of the controller and to data protection by design and by default; a processor; criteria and requirements for the documentation and the security of processing; criteria and requirements for establishing a personal data breach and for its notification to the supervisory authority, and on the circumstances where a personal data breach is likely to adversely affect the data subject; the criteria and conditions for processing operations requiring a data protection impact assessment; the criteria and requirements for determining a high degree of specific risks which require prior consultation; designation and tasks of the data protection officer; codes of conduct; criteria and requirements for certification mechanisms; criteria and requirements for transfers by way of binding corporate rules; transfer derogations; administrative sanctions; processing for health purposes; processing in the employment context and processing for historical, statistical and scientific research purposes. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level. The Commission, when preparing and drawing-up delegated acts, should ensure a simultaneous, timely and appropriate transmission of relevant documents to the European Parliament and Council.


Amendment 92

COM (2012)0011: (130) In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission for: specifying standard forms in relation to the processing of personal data of a child; standard procedures and forms for exercising the rights of data subjects; standard forms for the information to the data subject; standard forms and procedures in relation to the right of access; the right to data portability; standard forms in relation to the responsibility of the controller to data protection by design and by default and to the documentation; specific requirements for the security of processing; the standard format and the procedures for the notification of a personal data breach to the supervisory authority and the communication of a personal data breach to the data subject; standards and procedures for a data protection impact assessment; forms and procedures for prior authorisation and prior consultation; technical standards and mechanisms for certification; the adequate level of protection afforded by a third country or a territory or a processing sector within that third country or an international organisation; disclosures not authorized by Union law; mutual assistance; joint operations; decisions under the consistency mechanism. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by the Member States of the Commission's exercise of implementing powers 45. In this context, the Commission should consider specific measures for micro, small and medium-sized enterprises.

EP Position / First Reading: (130) In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission for: specifying standard forms for specific methods to obtain verifiable consent in relation to the processing of personal data of a child; standard procedures and forms for exercising the rights of the communication to the data subjects on the exercise of their rights; standard forms for the information to the data subject; standard forms and procedures in relation to the right of access including for communicating the personal data to the data subject; the right to data portability; standard forms in relation to the responsibility of the controller to data protection by design and by default and to the documentation to be kept by the controller and the processor; specific requirements for the security of processing; the standard format and the procedures form for the notification of a personal data breach to the supervisory authority and the communication of a personal data breach to the data subject for documenting a personal data breach; standards and procedures for a data protection impact assessment; forms and procedures for prior authorisation and prior consultation; technical standards and mechanisms for certification; the adequate level of protection afforded by a third country or a territory or a processing sector within that third country or an international organisation; disclosures not authorized by Union law; mutual assistance; joint operations; decisions under the consistency mechanism and information to the supervisory authority. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council 1 of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by the Member States of the Commission's exercise of implementing powers. In this context, the Commission should consider specific measures for micro, small and medium-sized enterprises.

___________________

1 Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by the Member States of the Commission's exercise of implementing powers (OJ L 55, 28.2.2011, p. 13).

Council General Approach: (130) In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission for: standard contractual clauses between controllers and processors and between processors, codes of conduct specifying standard forms in relation to the processing of personal data of a child; standard procedures and forms for exercising the rights of data subjects; standard forms for the information to the data subject; standard forms and procedures in relation to the right of access; the right to data portability; standard forms in relation to the responsibility of the controller to data protection by design and by default and to the documentation; specific requirements for the security of processing; the standard format and the procedures for the notification of a personal data breach to the supervisory authority and the communication of a personal data breach to the data subject; standards and procedures for a data protection impact assessment; forms and procedures for prior authorisation and prior consultation; technical standards and mechanisms for certification; the adequate level of protection afforded by a third country or a territory or a processing sector within that third country or an international organisation; adopt standard data protection clauses; formats and procedures for the exchange of information between controllers, processors and supervisory authorities for binding corporate rules disclosures not authorized by Union law; mutual assistance; joint operations; decisions under the consistency mechanism the arrangements for the exchange of information by electronic means between supervisory authorities, and between supervisory authorities and the European Data Protection Board. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by the Member States of the Commission's exercise of implementing powers 9. In this context, the Commission should consider specific measures for micro, small and medium-sized enterprises.

9 Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by Member States of the Commission’s exercise of implementing powers, OJ L 55, 28.2.2011, p. 13.


Amendment 93

COM (2012)0011: (131) The examination procedure should be used for the adoption of specifying standard forms in relation to the consent of a child; standard procedures and forms for exercising the rights of data subjects; standard forms for the information to the data subject; standard forms and procedures in relation to the right of access;, the right to data portability; standard forms in relation to the responsibility of the controller to data protection by design and by default and to the documentation; specific requirements for the security of processing; the standard format and the procedures for the notification of a personal data breach to the supervisory authority and the communication of a personal data breach to the data subject; standards and procedures for a data protection impact assessment; forms and procedures for prior authorisation and prior consultation; technical standards and mechanisms for certification; the adequate level of protection afforded by a third country or a territory or a processing sector within that third country or an international organisation; disclosures not authorized by Union law; mutual assistance; joint operations; decisions under the consistency mechanism, given that those acts are of general scope.

EP Position / First Reading: (131) The examination procedure should be used for the adoption of specifying standard forms in relation to the: for specific methods to obtain verifiable consent in relation to the processing of personal data of a child; standard procedures and forms for exercising the the communication to the data subjects on the exercise of their rights of data subjects; standard forms for the information to the data subject; standard forms and procedures in relation to the right of access including for communicating the personal data to the data subject; the right to data portability; standard forms in relation to the responsibility of documentation to be kept by the controller to data protection by design and by default and to the documentation and the processor; specific requirements for the security of processing; the standard format and the procedures for the notification of a personal data breach to the supervisory authority and the communication of for documenting a personal data breach to the data subject; standards and procedures for a data protection impact assessment; forms and procedures for prior authorisation and prior consultation; technical standards and mechanisms for certification; the adequate level of protection afforded by a third country or a territory or a processing sector within that third country or an international organisation; disclosures not authorized by Union law; mutual assistance; joint operations; decisions under the consistency mechanism, and information to the supervisory authority, given that those acts are of general scope.

Council General Approach: (131) The examination procedure should be used for the adoption of specifying standard forms in relation to the consent of a child; standard procedures and forms for exercising the rights of data subjects; standard forms for the information to the data subject; standard forms and procedures in relation to the right of access;, the right to data portability; standard forms in relation to the responsibility of the controller to data protection by design and by default and to the documentation; specific requirements for the security of processing; the standard format and the procedures for the notification of a personal data breach to the supervisory authority and the communication of a personal data breach to the data subject; standards and procedures for a data protection impact assessment; forms and procedures for prior authorisation and prior consultation implementing acts on standard contractual clauses between controllers and processors and between processors; codes of conduct; technical standards and mechanisms for certification; the adequate level of protection afforded by a third country or a territory or a processing sector within that third country or an international organisation; disclosures not authorized by Union law; mutual assistance; joint operations; decisions under the consistency mechanism, adopt standard data protection clauses; formats and procedures for the exchange of information by electronic means between controllers, processors and supervisory authorities for binding corporate rules; mutual assistance; the arrangements for the exchange of information by electronic means between supervisory authorities, and between supervisory authorities and the European Data Protection Board given that those acts are of general scope.


Amendment 94

COM (2012)0011: (132) The Commission should adopt immediately applicable implementing acts where, in duly justified cases relating to a third country or a territory or a processing sector within that third country or an international organisation which does not ensure an adequate level of protection and relating to matters communicated by supervisory authorities under the consistency mechanism, imperative grounds of urgency so require.

EP Position / First Reading: deleted

Council General Approach: (132) The Commission should adopt immediately applicable implementing acts where, in duly justified cases relating to a third country or a territory or a processing sector within that third country or an international organisation which does not ensure an adequate level of protection and relating to matters communicated by supervisory authorities under the consistency mechanism, imperative grounds of urgency so require.

COM (2012)0011: (133) Since the objectives of this Regulation, namely to ensure an equivalent level of protection of individuals and the free flow of data throughout the Union, cannot be sufficiently achieved by the Member States and can therefore, by reason of the scale or effects of the action, be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union. In accordance with the principle of proportionality as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve that objective.

EP Position / First Reading: (133) Since the objectives of this Regulation, namely to ensure an equivalent level of protection of individuals and the free flow of data throughout the Union, cannot be sufficiently achieved by the Member States and but can therefore rather, by reason of the scale or effects of the action, be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union. In accordance with the principle of proportionality as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve that objective.

Council General Approach: (133) Since the objectives of this Regulation, namely to ensure an equivalent level of protection of individuals and the free flow of data throughout the Union, cannot be sufficiently achieved by the Member States and can therefore, by reason of the scale or effects of the action, be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union. In accordance with the principle of proportionality as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve that objective.

Amendment 95

COM (2012)0011: (134) Directive 95/46/EC should be repealed by this Regulation. However, Commission decisions adopted and authorisations by supervisory authorities based on Directive 95/46/EC should remain in force.

EP Position / First Reading: (134) Directive 95/46/EC should be repealed by this Regulation. However, Commission decisions adopted and authorisations by supervisory authorities based on Directive 95/46/EC should remain in force. Commission decisions and authorisations by supervisory authorities relating to transfers of personal data to third countries pursuant to Article 41(8) should remain in force for a transition period of five years after the entry into force of this Regulation unless amended, replaced or repealed by the Commission before the end of this period.

Council General Approach: (134) Directive 95/46/EC should be repealed by this Regulation. Processing already under way on the date of the entry into force of this Regulation should be brought into conformity with this Regulation within the period of two years after which this Regulation enters into force. However, Commission decisions adopted and authorisations by supervisory authorities based on where such processing is in compliance with Directive 95/46/EC, the requirements of this Regulation concerning the carrying out of data protection impact assessments and the prior consultation of the supervisory authority should not apply to the processing operations already under way prior to the entry into force of this Regulation, given that these requirements, by their very nature, are to be met prior to the processing. Where such processing is in compliance with Directive 95/46/EC, it is also not necessary for the data subject to give his or her consent again so as to allow the controller to continue such processing after the data of application of this Regulation. Commission decisions adopted and authorisations by supervisory authorities based on Directive 95/46/EC remain in force until amended, replaced or repealed should remain in force.


COM (2012)0011: (135) This Regulation should apply to all matters concerning the protection of fundamental rights and freedom vis-à-vis the processing of personal data, which are not subject to specific obligations with the same objective set out in Directive 2002/58/EC, including the obligations on the controller and the rights of individuals. In order to clarify the relationship between this Regulation and Directive 2002/58/EC, the latter Directive should be amended accordingly.

EP Position / First Reading: (135) This Regulation should apply to all matters concerning the protection of fundamental rights and freedom vis-à-vis the processing of personal data, which are not subject to specific obligations with the same objective set out in Directive 2002/58/EC of the European Parliament and of the Council 1, including the obligations on the controller and the rights of individuals. In order to clarify the relationship between this Regulation and Directive 2002/58/EC, the latter Directive should be amended accordingly.

1 Directive 2202/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 31.07.2002, P.37)

Council General Approach: (135) This Regulation should apply to all matters concerning the protection of fundamental rights and freedom vis-à-vis the processing of personal data, which are not subject to specific obligations with the same objective set out in Directive 2002/58/EC, including the obligations on the controller and the rights of individuals. In order to clarify the relationship between this Regulation and Directive 2002/58/EC, the latter Directive should be amended accordingly. Once this Regulation is adopted, Directive 2002/58/EC should be reviewed in particular in order to ensure consistency with this Regulation.


COM (2012)0011: (136) As regards Iceland and Norway, this Regulation constitutes a development of provisions of the Schengen acquis to the extent that it applies to the processing of personal data by authorities involved in the implementation of that acquis, as provided for by the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the association of those two States with the implementation, application and development of the Schengen acquis 46.

46 OJ L 176, 10.7.1999, p. 36.

EP Position / First Reading: (136) As regards Iceland and Norway, this Regulation constitutes a development of provisions of the Schengen acquis to the extent that it applies to the processing of personal data by authorities involved in the implementation of that acquis, within the meaning of as provided for by the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the latters’ association of those two States with the implementation, application and development of the Schengen acquis 1.

1 OJ L 176, 10.7.1999, p. 36.

Council General Approach: deleted


COM (2012)0011: (137) As regards Switzerland, this Regulation constitutes a development of provisions of the Schengen acquis to the extent that it applies to the processing of personal data by authorities involved in the implementation of that acquis, as provided for by the Agreement between the European Union, the European Community and the Swiss Confederation concerning the association of the Swiss Confederation with the implementation, application and development of the Schengen acquis 47.

47 OJ L 53, 27.2.2008, p. 52

EP Position / First Reading: (137) As regards Switzerland, this Regulation constitutes a development of provisions of the Schengen acquis to the extent that it applies to the processing of personal data by authorities involved in the implementation of that acquis, within the meaning of as provided for by the Agreement between the European Union, the European Community and the Swiss Confederation concerning on the association of the Swiss Confederation’s association with the implementation, application and development of the Schengen acquis 1.

1 OJ L 53, 27.2.2008, p. 52

Council General Approach: deleted


COM (2012)0011: (138) As regards Liechtenstein, this Regulation constitutes a development of provisions of the Schengen acquis to the extent that it applies to the processing of personal data by authorities involved in the implementation of that acquis, as provided for by the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen acquis 48.

48 OJ L 160 of 18.6.2011, p. 19

EP Position / First Reading: (138) As regards Liechtenstein, this Regulation constitutes a development of provisions of the Schengen acquis to the extent that it applies to the processing of personal data by authorities involved in the implementation of that acquis, within the meaning of as provided for by the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen acquis 1.

1 OJ L 160 of 18.6.2011, p. 19

Council General Approach: deleted


COM (2012)0011: (139) In view of the fact that, as underlined by the Court of Justice of the European Union, the right to the protection of personal data is not an absolute right, but must be considered in relation to its function in society and be balanced with other fundamental rights, in accordance with the principle of proportionality, this Regulation respects all fundamental rights and observes the principles recognised in the Charter of Fundamental Rights of the European Union as enshrined in the Treaties, notably the right to respect for private and family life, home and communications, the right to the protection of personal data, the freedom of thought, conscience and religion, the freedom of expression and information, the freedom to conduct a business, the right to an effective remedy and to a fair trial as well as cultural, religious and linguistic diversity.

EP Position / First Reading: (139) In view of the fact that, as underlined by the Court of Justice of the European Union, the right to the protection of personal data is not an absolute right, but must be considered in relation to its function in society and be balanced with other fundamental rights, in accordance with the principle of proportionality, this Regulation respects all fundamental rights and observes the principles recognised in the Charter of Fundamental Rights of the European Union as enshrined in the Treaties, notably the right to respect for private and family life, home and communications, the right to the protection of personal data, the freedom of thought, conscience and religion, the freedom of expression and information, the freedom to conduct a business, the right to an effective remedy and to a fair trial as well as cultural, religious and linguistic diversity.

Council General Approach: deleted


HAVE ADOPTED THIS REGULATION:

CHAPTER I

GENERAL PROVISIONS

Article 1

Subject matter and objectives

COM (2012)0011: 1. This Regulation lays down rules relating to the protection of individuals with regard to the processing of personal data and rules relating to the free movement of personal data.

EP Position / First Reading: 1. This Regulation lays down rules relating to the protection of individuals with regard to the processing of personal data and rules relating to the free movement of personal data.

Council General Approach: 1. This Regulation lays down rules relating to the protection of individuals with regard to the processing of personal data and rules relating to the free movement of personal data.

COM (2012)0011: 2. This Regulation protects the fundamental rights and freedoms of natural persons, and in particular their right to the protection of personal data.

EP Position / First Reading: 2. This Regulation protects the fundamental rights and freedoms of natural persons, and in particular their right to the protection of personal data.

Council General Approach: 2. This Regulation protects the fundamental rights and freedoms of natural persons, and in particular their right to the protection of personal data.


Council General Approach: 2a. Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to the processing of personal data for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or for other specific processing situations as provided for in Article 6(1)(c) and (e) by determining more precisely specific requirements for the processing and other measures to ensure lawful and fair processing including for other specific processing situations as provided for in Chapter IX.


COM (2012)0011: 3. The free movement of personal data within the Union shall neither be restricted nor prohibited for reasons connected with the protection of individuals with regard to the processing of personal data.

EP Position / First Reading: 3. The free movement of personal data within the Union shall neither be restricted nor prohibited for reasons connected with the protection of individuals with regard to the processing of personal data.

Council General Approach: 3. The free movement of personal data within the Union shall neither be restricted nor prohibited for reasons connected with the protection of individuals with regard to the processing of personal data.

Article 2

Material scope

Amendment 96

  • 1. 
    COM (2012)0011: This Regulation applies to the processing of personal data wholly or partly by automated means, and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.

    EP Position / First Reading: 1. This Regulation applies to the processing of personal data wholly or partly by automated means, irrespective of the method of processing, and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.

    Council General Approach: 1. This Regulation applies to the processing of personal data wholly or partly by automated means, and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.

  • 2. 
    COM (2012)0011: This Regulation does not apply to the processing of personal data:

    EP Position / First Reading: 2. This Regulation does not apply to the processing of personal data:

    Council General Approach: 2. This Regulation does not apply to the processing of personal data:

COM (2012)0011: (a) in the course of an activity which falls outside the scope of Union law, in particular concerning national security;

EP Position / First Reading: (a) in the course of an activity which falls outside the scope of Union law, in particular concerning national security;

Council General Approach: (a) in the course of an activity which falls outside the scope of Union law, in particular concerning national security;

COM (2012)0011: (b) by the Union institutions, bodies, offices and agencies;

EP Position / First Reading: deleted

Council General Approach: (b) by the Union institutions, bodies, offices and agencies;

COM (2012)0011: (c) by the Member States when carrying out activities which fall within the scope of Chapter 2 of the Treaty on European Union;

EP Position / First Reading: (c) by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the Treaty on European Union;

Council General Approach: (c) by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the Treaty on European Union;

COM (2012)0011: (d) by a natural person without any gainful interest in the course of its own exclusively personal or household activity;

EP Position / First Reading: (d) by a natural person without any gainful interest in the course of its own an exclusively personal or household activity. This exemption shall also apply to a publication of personal data where it can be reasonably expected that it they will be only accessed by a limited number of persons;

Council General Approach: (d) by a natural person without any gainful interest in the course of its own exclusively a personal or household activity;

COM (2012)0011: (e) by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties.

EP Position / First Reading: (e) by competent public authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties.

Council General Approach: (e) by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences, or the execution of criminal penalties or the safeguarding against and the prevention of threats to public security.

  • 3. 
    COM (2012)0011: This Regulation shall be without prejudice to the application of Directive 2000/31/EC, in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that Directive.

    EP Position / First Reading: 3. This Regulation shall be without prejudice to the application of Directive 2000/31/EC, in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that Directive.

    Council General Approach: deleted

Article 3

Territorial scope

Amendment 97

  • 1. 
    COM (2012)0011: This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union.

    EP Position / First Reading: 1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, whether the processing takes place in the Union or not.

    Council General Approach: 1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union.

  • 2. 
    COM (2012)0011: This Regulation applies to the processing of personal data of data subjects residing in the Union by a controller not established in the Union, where the processing activities are related to:

    EP Position / First Reading: 2. This Regulation applies to the processing of personal data of data subjects residing in the Union by a controller or processor not established in the Union, where the processing activities are related to:

    Council General Approach: 2. This Regulation applies to the processing of personal data of data subjects residing in the Union by a controller not established in the Union, where the processing activities are related to:

COM (2012)0011: (a) the offering of goods or services to such data subjects in the Union; or

EP Position / First Reading: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

Council General Approach: (a) the offering of goods or services, irrespective of whether a payment by the data subject is required, to such data subjects in the Union; or

COM (2012)0011: (b) the monitoring of their behaviour.

EP Position / First Reading: (b) the monitoring of their behaviour such data subjects.

Council General Approach: (b) the monitoring of their behaviour as far as their behaviour takes place within the European Union.

  • 3. 
    COM (2012)0011: This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where the national law of a Member State applies by virtue of public international law.

    EP Position / First Reading: 3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where the national law of a Member State applies by virtue of public international law.

    Council General Approach: 3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where the national law of a Member State applies by virtue of public international law.

Article 4

Definitions

Amendment 98

COM (2012)0011: For the purposes of this Regulation:

EP Position / First Reading: For the purposes of this Regulation:

Council General Approach: For the purposes of this Regulation:

COM (2012)0011: (1) 'data subject' means an identified natural person or a natural person who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person;

EP Position / First Reading: deleted

Council General Approach: (1) 'personal data' means any information relating to 'data subject' means an identified or identifiable natural person (“data subject or a natural an identifiable person is one who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person;

COM (2012)0011: (2) 'personal data' means any information relating to a data subject;

EP Position / First Reading: (2) 'personal data' means any information relating to a an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, unique identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social or gender identity of that person;

Council General Approach: deleted

EP Position / First Reading: (2a) 'pseudonymous data' means personal data that cannot be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and subject to technical and organisational measures to ensure non-attribution;

EP Position / First Reading: (2b) ‘encrypted data’ means personal data, which through technological protection measures is rendered unintelligible to any person who is not authorised to access them;

COM (2012)0011: (3) 'processing' means any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, erasure or destruction;

EP Position / First Reading: (3) 'processing' means any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, erasure or destruction;

Council General Approach: (3) 'processing' means any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

EP Position / First Reading: (3a) 'profiling' means any form of automated processing of personal data intended to evaluate certain personal aspects relating to a natural person or to analyse or predict in particular that natural person’s performance at work, economic situation, location, health, personal preferences, reliability or behaviour;

Council General Approach: (3a) 'restriction of processing' means the marking of stored personal data with the aim of limiting their processing in the future;

Council General Approach: (3b) 'pseudonymisation' means the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and subject to technical and organisational measures to ensure non-attribution to an identified or identifiable person.

COM (2012)0011: (4) 'filing system' means any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis;

EP Position / First Reading: (4) 'filing system' means any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis;

Council General Approach: (4) 'filing system' means any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis;

COM (2012)0011: (5) 'controller' means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes, conditions and means of the processing of personal data; where the purposes, conditions and means of processing are determined by Union law or Member State law, the controller or the specific criteria for his nomination may be designated by Union law or by Member State law;

EP Position / First Reading: (5) 'controller' means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes, conditions and means of the processing of personal data; where the purposes, conditions and means of processing are determined by Union law or Member State law, the controller or the specific criteria for his nomination may be designated by Union law or by Member State law;

Council General Approach: (5) 'controller' means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes, conditions and means of the processing of personal data; where the purposes, conditions and means of processing are determined by Union law or Member State law, the controller or the specific criteria for his nomination may be designated by Union law or by Member State law;

COM (2012)0011: (6) 'processor' means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;

EP Position / First Reading: (6) 'processor' means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;

Council General Approach: (6) 'processor' means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;

COM (2012)0011: (7) 'recipient' means a natural or legal person, public authority, agency or any other body to which the personal data are disclosed;

EP Position / First Reading: (7) 'recipient' means a natural or legal person, public authority, agency or any other body to which the personal data are disclosed;

Council General Approach: (7) 'recipient' means a natural or legal person, public authority, agency or any other body to which the personal data are disclosed, whether a third party or not; however, authorities which may receive data in the framework of a particular inquiry shall not be regarded as recipients;

EP Position / First Reading: (7a) ‘third party’ means any natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are authorized to process the data;

COM (2012)0011: (8) 'the data subject's consent' means any freely given specific, informed and explicit indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed;

EP Position / First Reading: (8) 'the data subject's consent' means any freely given specific, informed and explicit indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed;

Council General Approach: (8) 'the data subject's consent' means any freely given, specific, and informed and explicit indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed;

COM (2012)0011: (9) 'personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

EP Position / First Reading: (9) 'personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

Council General Approach: (9) 'personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

COM (2012)0011: (10) 'genetic data' means all data, of whatever type, concerning the characteristics of an individual which are inherited or acquired during early prenatal development;

EP Position / First Reading: (10) 'genetic data' means all personal data, of whatever type, concerning relating to the genetic characteristics of an individual which are have been inherited or acquired during early prenatal development as they result from an analysis of a biological sample from the individual in question, in particular by chromosomal, desoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analysis or analysis of any other element enabling equivalent information to be obtained;

Council General Approach: (10) 'genetic data' means all personal data, of whatever type, concerning relating to the genetic characteristics of an individual which are inherited or acquired during early prenatal development that have been inherited or acquired, which give unique information about the physiology or the health of that individual, resulting in particular from an analysis of a biological sample from the individual in question;

COM (2012)0011: (11) 'biometric data' means any data relating to the physical, physiological or behavioural characteristics of an individual which allow their unique identification, such as facial images, or dactyloscopic data;

EP Position / First Reading: (11) 'biometric data' means any personal data relating to the physical, physiological or behavioural characteristics of an individual which allow his or her unique identification, such as facial images, or dactyloscopic data;

Council General Approach: (11) 'biometric data' means any personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of an individual which allows or confirms the their unique identification of that individual, such as facial images, or dactyloscopic data;

COM (2012)0011: (12) ‘data concerning health’ means any information which relates to the physical or mental health of an individual, or to the provision of health services to the individual;

EP Position / First Reading: (12) ‘data concerning health’ means any information personal data which relate to the physical or mental health of an individual, or to the provision of health services to the individual;

Council General Approach: (12) ‘data concerning health’ means data related any information which relates to the physical or mental health of an individual, which reveal information about his or her health status or to the provision of health services to the individual;

Council General Approach: (12a) 'profiling' means any form of automated processing of personal data consisting of using those data to evaluate personal aspects relating to a natural person, in particular to analyse and predict aspects concerning performance at work, economic situation, health, personal preferences, or interests, reliability or behaviour, location or movements;

COM (2012)0011: (13) ‘main establishment’ means as regards the controller, the place of its establishment in the Union where the main decisions as to the purposes, conditions and means of the processing of personal data are taken; if no decisions as to the purposes, conditions and means of the processing of personal data are taken in the Union, the main establishment is the place where the main processing activities in the context of the activities of an establishment of a controller in the Union take place. As regards the processor, 'main establishment' means the place of its central administration in the Union;

EP Position / First Reading: (13) ‘main establishment’ means as regards the controller, the place of its establishment of the undertaking or group of undertakings in the Union, whether controller or processor, where the main decisions as to the purposes, conditions and means of the processing of personal data are taken.; if no decisions as to the purposes, conditions and means of the processing of personal data are taken in the Union, the main establishment is the place where the main processing activities in the context of the activities of an establishment of a controller in the Union take place. As regards the processor, 'main establishment' means the place of its central administration in the Union The following objective criteria may be considered among others: the location of the controller or processor's headquarters; the location of the entity within a group of undertakings which is best placed in terms of management functions and administrative responsibilities to deal with and enforce the rules as set out in this Regulation; the location where effective and real management activities are exercised determining the data processing through stable arrangements;

Council General Approach: (13) ‘main establishment’ means

- as regards the a controller with establishments in more than one Member State, the place of its establishment central administration in the Union where unless the main decisions as to on the purposes, conditions and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in this case the establishment having taken such decisions shall be considered as the main establishment.

If no decisions as to the purposes, conditions and means of the processing of personal data are taken in the Union, the main establishment is the place where the main processing activities in the context of the activities of an establishment of a controller in the Union take place.

- As as regards the a processor with establishments in more than one Member State, 'main establishment' means the place of its central administration in the Union, and, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;

COM (2012)0011: (14) ‘representative’ means any natural or legal person established in the Union who, explicitly designated by the controller, acts and may be addressed by any supervisory authority and other bodies in the Union instead of the controller, with regard to the obligations of the controller under this Regulation;

EP Position / First Reading: (14) ‘representative’ means any natural or legal person established in the Union who, explicitly designated by the controller, acts and may be addressed by any supervisory authority and other bodies in the Union instead of represents the controller, with regard to the obligations of the controller under this Regulation;

Council General Approach: (14) ‘representative’ means any natural or legal person established in the Union who, explicitly designated by the controller in writing pursuant to Article 25, represents acts and may be addressed by any supervisory authority and other bodies in the Union instead of the controller, with regard to the obligations of the controller under this Regulation;

COM (2012)0011: (15) ‘enterprise’ means any entity engaged in an economic activity, irrespective of its legal form, thus including, in particular, natural and legal persons, partnerships or associations regularly engaged in an economic activity;

EP Position / First Reading: (15) ‘enterprise’ means any entity engaged in an economic activity, irrespective of its legal form, thus including, in particular, natural and legal persons, partnerships or associations regularly engaged in an economic activity;

Council General Approach: (15) ‘enterprise’ means any natural or legal person entity engaged in an economic activity, irrespective of its legal form, thus including, in particular, natural and legal persons, partnerships or associations regularly engaged in an economic activity;

COM (2012)0011: (16) 'group of undertakings' means a controlling undertaking and its controlled undertakings;

EP Position / First Reading: (16) 'group of undertakings' means a controlling undertaking and its controlled undertakings;

Council General Approach: (16) 'group of undertakings' means a controlling undertaking and its controlled undertakings;

COM (2012)0011: (17) ‘binding corporate rules’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State of the Union for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings;

EP Position / First Reading: (17) ‘binding corporate rules’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State of the Union for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings;

Council General Approach: (17) ‘binding corporate rules’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State of the Union for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings or group of enterprises engaged in a joint economic activity;

COM (2012)0011: (18) 'child' means any person below the age of 18 years;

EP Position / First Reading: (18) 'child' means any person below the age of 18 years;

Council General Approach: deleted

COM (2012)0011: (19) 'supervisory authority' means a public authority which is established by a Member State in accordance with Article 46.

EP Position / First Reading: (19) 'supervisory authority' means a public authority which is established by a Member State in accordance with Article 46.

Council General Approach: (19) 'supervisory authority' means an independent public authority which is established by a Member State in accordance with pursuant to Article 46.

Council General Approach: (19a) 'concerned supervisory authority' means

- a supervisory authority which is concerned by the processing, because:

a) the controller or processor is established on the territory of the Member State of that supervisory authority;

b) data subjects residing in this Member State are substantially affected or likely to be substantially affected by the processing; or

c) the underlying complaint has been lodged to that supervisory authority.

Council General Approach: (19b) “transnational processing of personal data” means either:

(a) processing which takes place in the context of the activities of establishments in more than one Member State of a controller or a processor in the Union and the controller or processor is established in more than one Member State; or

(b) processing which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.

Council General Approach: (19c) “relevant and reasoned objection” means:

an objection as to whether there is an infringement of this Regulation or not, or, as the case may be, whether the envisaged action in relation to the controller or processor is in conformity with the Regulation. The objection shall clearly demonstrate the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and where applicable, the free flow of personal data.

Council General Approach: (20) 'Information Society service' means any service as defined by Article 1 (2) of Directive 98/34/EC of the European Parliament and of the Council of 22 June 1998 laying down a procedure for the provision of information in the field of technical standards and regulations and of rules on Information Society services.

Council General Approach: (21) 'international organisation' means an organisation and its subordinate bodies governed by public international law or any other body which is set up by, or on the basis of, an agreement between two or more countries;

CHAPTER II

PRINCIPLES

Article 5

Principles relating to personal data processing

Amendment 99

COM (2012)0011: Personal data must be:

EP Position / First Reading: 1. Personal data must shall be:

Council General Approach: Personal data must be:

COM (2012)0011: (a) processed lawfully, fairly and in a transparent manner in relation to the data subject;

EP Position / First Reading: (a) processed lawfully, fairly and in a transparent manner in relation to the data subject (lawfulness, fairness and transparency);

Council General Approach: (a) processed lawfully, fairly and in a transparent manner in relation to the data subject;

COM (2012)0011: (b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes;

EP Position / First Reading: (b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes (purpose limitation);

Council General Approach: (b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes; further processing of personal data for archiving purposes in the public interest or scientific, statistical or historical purposes shall in accordance with Article 83 not be considered incompatible with the initial purposes;

COM (2012)0011: (c) adequate, relevant, and limited to the minimum necessary in relation to the purposes for which they are processed; they shall only be processed if, and as long as, the purposes could not be fulfilled by processing information that does not involve personal data;

EP Position / First Reading: (c) adequate, relevant, and limited to the minimum necessary in relation to the purposes for which they are processed; they shall only be processed if, and as long as, the purposes could not be fulfilled by processing information that does not involve personal data (data minimisation);

Council General Approach: (c) adequate, relevant, and not excessive limited to the minimum necessary in relation to the purposes for which they are processed; they shall only be processed if, and as long as, the purposes could not be fulfilled by processing information that does not involve personal data;

COM (2012)0011: (d) accurate and kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

EP Position / First Reading: (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (accuracy).

Council General Approach: (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

COM (2012)0011: (e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the data will be processed solely for historical, statistical or scientific research purposes in accordance with the rules and conditions of Article 83 and if a periodic review is carried out to assess the necessity to continue the storage;

EP Position / First Reading: (e) kept in a form which permits direct or indirect identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the data will be processed solely for historical, statistical or scientific research or for archive purposes in accordance with the rules and conditions of Article Articles 83 and 83a and if a periodic review is carried out to assess the necessity to continue the storage, and if appropriate technical and organizational measures are put in place to limit access to the data only for these purposes (storage minimisation);

Council General Approach: (e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the data will be processed solely for archiving purposes in the public interest, or scientific, historical, statistical, or scientific research or historical purposes in accordance with the rules and conditions of Article 83 and if a periodic review is carried out to assess the necessity to continue the storage subject to implementation of the appropriate technical and organisational measures required by the Regulation in order to safeguard the rights and freedoms of data subject;

EP Position / First Reading: (ea) processed in a way that effectively allows the data subject to exercise his or her rights (effectiveness);

EP Position / First Reading: (eb) processed in a way that protects against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (integrity);

Council General Approach: (ee) processed in a manner that ensures appropriate security of the personal data.

COM (2012)0011: (f) processed under the responsibility and liability of the controller, who shall ensure and demonstrate for each processing operation the compliance with the provisions of this Regulation.

EP Position / First Reading: (f) processed under the responsibility and liability of the controller, who shall ensure and be able to demonstrate for each processing operation the compliance with the provisions of this Regulation (accountability).

Council General Approach: deleted

2. The controller shall be responsible for compliance with paragraph 1.

Article 6 Article 6 Article 6

Lawfulness of processing Lawfulness of processing Lawfulness of processing

Amendment 100

Commission proposal: 1. Processing of personal data shall be lawful only if and to the extent that at least one of the following applies:

EP Position: 1. Processing of personal data shall be lawful only if and to the extent that at least one of the following applies:

Council General Approach: 1. Processing of personal data shall be lawful only if and to the extent that at least one of the following applies:

Commission proposal: (a) the data subject has given consent to the processing of their personal data for one or more specific purposes;

EP Position: (a) the data subject has given consent to the processing of their personal data for one or more specific purposes;

Council General Approach: (a) the data subject has given unambiguous consent to the processing of their personal data for one or more specific purposes;

Commission proposal: (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

EP Position: (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

Council General Approach: (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

Commission proposal: (c) processing is necessary for compliance with a legal obligation to which the controller is subject;

EP Position: (c) processing is necessary for compliance with a legal obligation to which the controller is subject;

Council General Approach: (c) processing is necessary for compliance with a legal obligation to which the controller is subject;

Commission proposal: (d) processing is necessary in order to protect the vital interests of the data subject;

EP Position: (d) processing is necessary in order to protect the vital interests of the data subject;

Council General Approach: (d) processing is necessary in order to protect the vital interests of the data subject or of another person;

Commission proposal: (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

EP Position: (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

Council General Approach: (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

Commission proposal: (f) processing is necessary for the purposes of the legitimate interests pursued by a controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks.

EP Position: (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or, in case of disclosure, by the third party to whom the data is are disclosed, and which meet the reasonable expectations of the data subject based on his or her relationship with the controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks.

Council General Approach: (f) processing is necessary for the purposes of the legitimate interests pursued by a the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance exercise of their tasks.

Commission proposal: 2. Processing of personal data which is necessary for the purposes of historical, statistical or scientific research shall be lawful subject to the conditions and safeguards referred to in Article 83.

EP Position: 2. Processing of personal data which is necessary for the purposes of historical, statistical or scientific research shall be lawful subject to the conditions and safeguards referred to in Article 83.

Council General Approach: 2. Processing of personal data which is necessary for archiving thepurposes in the public interest, or offor historical, statistical or scientific research purposes shall be lawful subject also to the conditions and safeguards referred to in Article 83.

Commission proposal: 3. The basis of the processing referred to in points (c) and (e) of paragraph 1 must be provided for in:

(a) Union law, or

(b) the law of the Member State to which the controller is subject.

EP Position: 3. The basis of the processing referred to in points (c) and (e) of paragraph 1 must be provided for in:

(a) Union law, or

(b) the law of the Member State to which the controller is subject.

Council General Approach: 3. The basis of for the processing referred to in points (c) and (e) of paragraph 1 must be provided for established in accordance with:

(a) Union law, or

(b) national the law of the Member State to which the controller is subject.

The purpose of the processing shall be determined in this legal basis or as regards the processing referred to in point (e) of paragraph 1, be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. This legal basis may contain specific provisions to adapt the application of rules of this Regulation, inter alia the general conditions governing the lawfulness of data processing by the controller, the type of data which are subject to the processing, the data subjects concerned; the entities to, and the purposes for which the data may be disclosed; the purpose limitation; storage periods and processing operations and processing procedures, including measures to ensure lawful and fair processing, including for other specific processing situations as provided for in Chapter IX.

3a. In order to ascertain whether a purpose of further processing is compatible with the one for which the data are initially collected, the controller shall take into account, unless the data subject has given consent, inter alia:

(a) any link between the purposes for which the data have been collected and the purposes of the intended further processing;

(b) the context in which the data have been collected;

(c) the nature of the personal data, in particular whether special categories of personal data are processed, pursuant to Article 9;

(d) the possible consequences of the intended further processing for data subjects;

(e) the existence of appropriate safeguards.

Commission proposal: The law of the Member State must meet an objective of public interest or must be necessary to protect the rights and freedoms of others, respect the essence of the right to the protection of personal data and be proportionate to the legitimate aim pursued.

EP Position: The law of the Member State must meet an objective of public interest or must be necessary to protect the rights and freedoms of others, respect the essence of the right to the protection of personal data and be proportionate to the legitimate aim pursued. Within the limits of this Regulation, the law of the Member State may provide details of the lawfulness of processing, particularly as regards data controllers, the purpose of processing and purpose limitation, the nature of the data and the data subjects, processing measures and procedures, recipients, and the duration of storage.

Council General Approach: deleted

Commission proposal: 4. Where the purpose of further processing is not compatible with the one for which the personal data have been collected, the processing must have a legal basis at least in one of the grounds referred to in points (a) to (e) of paragraph 1. This shall in particular apply to any change of terms and general conditions of a contract.

EP Position: deleted

Council General Approach: 4. Where the purpose of further processing is not incompatible with the one for which the personal data have been collected by the same controller, the further processing must have a legal basis at least in one of the grounds referred to in points (a) to (e) of paragraph 1. This shall in particular apply to any change of terms and general conditions of a contract. Further processing by the same controller for incompatible purposes on grounds of legitimate interests of that controller or a third party shall be lawful if these interests override the interests of the data subject.

Commission proposal: 5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the conditions referred to in point (f) of paragraph 1 for various sectors and data processing situations, including as regards the processing of personal data related to a child.

EP Position: deleted

Council General Approach: deleted

Article 7 Article 7 Article 7

Conditions for consent Conditions for consent Conditions for consent

Amendment 101

Commission proposal: 1. The controller shall bear the burden of proof for the data subject's consent to the processing of their personal data for specified purposes.

EP Position: 1. Where processing is based on consent, Tthe controller shall bear the burden of proof for the data subject's consent to the processing of their his or her personal data for specified purposes.

Council General Approach: 1. Where Article 6(1)(a) applies the controller shall bear the burden of proof for the data subject's be able to demonstrate that unambiguous consent to the processing of their personal data for specified purposes was given by the data subject.

    1a. Where Article 9(2)(a) applies, the controller shall be able to demonstrate that explicit consent was given by the data subject.

Commission proposal: 2. If the data subject's consent is to be given in the context of a written declaration which also concerns another matter, the requirement to give consent must be presented distinguishable in its appearance from this other matter.

EP Position: 2. If the data subject's consent is given in the context of a written declaration which also concerns another matter, the requirement to give consent must be presented clearly distinguishable in its appearance from this other matter. Provisions on the data subject’s consent which are partly in violation of this Regulation are fully void.

Council General Approach: 2. If the data subject's consent is to be given in the context of a written declaration which also concerns another matters, the requirement to giverequest for consent must be presented in a manner which is clearly distinguishable in its appearance from thise other matters, in an intelligible and easily accessible form, using clear and plain language.

Commission proposal: 3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

EP Position: 3. Notwithstanding other legal grounds for processing, Tthe data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. It shall be as easy to withdraw consent as to give it. The data subject shall be informed by the controller if withdrawal of consent may result in the termination of the services provided or of the relationship with the controller.

Council General Approach: 3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof.

Commission proposal: 4. Consent shall not provide a legal basis for the processing, where there is a significant imbalance between the position of the data subject and the controller.

EP Position: 4. Consent shall not provide a legal basis for the processing, where there is a significant imbalance between the position of the data subject and the controller be purpose-limited and shall lose its validity when the purpose ceases to exist or as soon as the processing of personal data is no longer necessary for carrying out the purpose for which they were originally collected. The execution of a contract or the provision of a service shall not be made conditional on the consent to the processing of data that is not necessary for the execution of the contract or the provision of the service pursuant to Article 6(1), point (b).

Council General Approach: deleted

Article 8 Article 8 Article 8

Commission proposal: Processing of personal data of a child

EP Position: Processing of personal data of a child

Council General Approach: Conditions applicable to child's consent in relation to information society services

Amendment 102

Commission proposal: 1. For the purposes of this Regulation, in relation to the offering of information society services directly to a child, the processing of personal data of a child below the age of 13 years shall only be lawful if and to the extent that consent is given or authorised by the child's parent or custodian. The controller shall make reasonable efforts to obtain verifiable consent, taking into consideration available technology.

EP Position: 1. For the purposes of this Regulation, in relation to the offering of information society goods or services directly to a child, the processing of personal data of a child below the age of 13 years shall only be lawful if and to the extent that consent is given or authorised by the child's parent or custodianlegal guardian. The controller shall make reasonable efforts to obtain verifiable verify such consent, taking into consideration available technology without causing otherwise unnecessary processing of personal data.

Council General Approach: 1. For the purposes of this RegulationWhere Article 6 (1)(a) applies, in relation to the offering of information society services directly to a child, the processing of personal data of a child below the age of 13 years shall only be lawful if and to the extent that such consent is given or authorised by the holder of parental responsibility over the child's parent or custodianis given by the child in circumstances where it is treated as valid by Union or Member State law.

1a. Information provided to children, parents and legal guardians in order to express consent, including about the controller’s collection and use of personal data, should be given in a clear language appropriate to the intended audience.

(1a) The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.

Commission proposal: 2. Paragraph 1 shall not affect the general contract law of Member States such as the rules on the validity, formation or effect of a contract in relation to a child.

EP Position: 2. Paragraph 1 shall not affect the general contract law of Member States such as the rules on the validity, formation or effect of a contract in relation to a child.

Council General Approach: 2. Paragraph 1 shall not affect the general contract law of Member States such as the rules on the validity, formation or effect of a contract in relation to a child.

Commission proposal: 3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the methods to obtain verifiable consent referred to in paragraph 1. In doing so, the Commission shall consider specific measures for micro, small and medium-sized enterprises.

EP Position: 3. The Commission European Data Protection Board shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose entrusted with the task of further specifying the criteria and requirements issuing guidelines, recommendations and best practices for the methods to obtain verifiable of verifying consent referred to in paragraph 1, in accordance with Article 66. In doing so, the Commission shall consider specific measures for micro, small and medium-sized enterprises.

Council General Approach: deleted

Commission proposal: 4. The Commission may lay down standard forms for specific methods to obtain verifiable consent referred to in paragraph 1. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

EP Position: deleted

Council General Approach: deleted

Article 9 Article 9 Article 9

Amendment 103

Commission proposal: Processing of special categories of personal data

EP Position: Processing of special Special categories of personal data

Council General Approach: Processing of special categories of personal data

Commission proposal: 1. The processing of personal data, revealing race or ethnic origin, political opinions, religion or beliefs, trade-union membership, and the processing of genetic data or data concerning health or sex life or criminal convictions or related security measures shall be prohibited.

EP Position: 1. The processing of personal data, revealing race or ethnic origin, political opinions, religion or philosophical beliefs, sexual orientation or gender identity, trade-union membership and activities, and the processing of genetic or biometric data or data concerning health or sex lifeor, administrative sanctions, judgments, criminal or suspected offences, convictions or related security measures shall be prohibited.

Council General Approach: 1. The processing of personal data, revealing race racial or ethnic origin, political opinions, religionus or philosophical beliefs, trade-union membership, and the processing of genetic data or data concerning health or sex life or criminal convictions or related security measures shall be prohibited.

Commission proposal: 2. Paragraph 1 shall not apply where:

EP Position: 2. Paragraph 1 shall not applywhere if one of the following applies:

Council General Approach: 2. Paragraph 1 shall not apply if one of the following applies:

Commission proposal: (a) the data subject has given consent to the processing of those personal data, subject to the conditions laid down in Articles 7 and 8, except where Union law or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject; or

EP Position: (a) the data subject has given consent to the processing of those personal data for one or more specified purposes, subject to the conditions laid down in Articles 7 and 8, except where Union law or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject; or

Council General Approach: (a) the data subject has given explicit consent to the processing of those personal data, subject to the conditions laid down in Articles 7 and 8, except where Union law or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject; or

(aa) processing is necessary for the performance or execution of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

Commission proposal: (b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller in the field of employment law in so far as it is authorised by Union law or Member State law providing for adequate safeguards; or

EP Position: (b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller in the field of employment law in so far as it is authorised by Union law or Member State law or collective agreements providing for adequate safeguards for the fundamental rights and the interests of the data subject such as right to non-discrimination, subject to the conditions and safeguards referred to in Article 82; or

Council General Approach: (b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union law or Member State law or a collective agreement pursuant to Member State law providing for adequate safeguards; or

Commission proposal: (c) processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving consent; or

EP Position: (c) processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving consent; or

Council General Approach: (c) processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving consent; or

Commission proposal: (d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other non-profit-seeking body with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the data are not disclosed outside that body without the consent of the data subjects; or

EP Position: (d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other non-profit-seeking body with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the data are not disclosed outside that body without the consent of the data subjects; or

Council General Approach: (d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other non-profit-seeking body with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the data are not disclosed outside that body without the consent of the data subjects; or

Commission proposal: (e) the processing relates to personal data which are manifestly made public by the data subject; or

EP Position: (e) the processing relates to personal data which are manifestly made public by the data subject; or

Council General Approach: (e) the processing relates to personal data which are manifestly made public by the data subject; or

Commission proposal: (f) processing is necessary for the establishment, exercise or defence of legal claims; or

EP Position: (f) processing is necessary for the establishment, exercise or defence of legal claims; or

Council General Approach: (f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity; or

Commission proposal: (g) processing is necessary for the performance of a task carried out in the public interest, on the basis of Union law, or Member State law which shall provide for suitable measures to safeguard the data subject's legitimate interests; or

EP Position: (g) processing is necessary for the performance of a task carried out in the for reasons of high public interest, on the basis of Union law, or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable measures to safeguard the fundamental rights and the data subject's legitimate interests of the data subject; or

Council General Approach: (g) processing is necessary for the performance of a task carried out in the reasons of public interest, on the basis of Union law, or Member State law which shall provide for suitable and specific measures to safeguard the data subject's legitimate interests; or

Commission proposal: (h) processing of data concerning health is necessary for health purposes and subject to the conditions and safeguards referred to in Article 81; or

EP Position: (h) processing of data concerning health is necessary for health purposes and subject to the conditions and safeguards referred to in Article 81; or

Council General Approach: (h) processing of data concerning health is necessary for health purposes the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union law or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in Article 81paragraph 4; or

(ha)

(hb) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious crossborder threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union law or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject; or

Commission proposal: (i) processing is necessary for historical, statistical or scientific research purposes subject to the conditions and safeguards referred to in Article 83; or

EP Position: (i) processing is necessary for historical, statistical or scientific research purposes subject to the conditions and safeguards referred to in Article 83; or

Council General Approach: (i) processing is necessary for archiving purposes in the public interest or historical, statistical or scientific research purposes and subject to the conditions and safeguards laid down in Union or Member State law, including those referred to in Article 83.

(ia) processing is necessary for archive services subject to the conditions and safeguards referred to in Article 83a; or

Commission proposal: (j) processing of data relating to criminal convictions or related security measures is carried out either under the control of official authority or when the processing is necessary for compliance with a legal or regulatory obligation to which a controller is subject, or for the performance of a task carried out for important public interest reasons, and in so far as authorised by Union law or Member State law providing for adequate safeguards. A complete register of criminal convictions shall be kept only under the control of official authority.

EP Position: (j) processing of data relating to administrative sanctions, judgments, criminal offences, convictions or related security measures is carried out either under the control of official authority or when the processing is necessary for compliance with a legal or regulatory obligation to which a controller is subject, or for the performance of a task carried out for important public interest reasons, and in so far as authorised by Union law or Member State law providing for adequate safeguards. A complete for the fundamental rights and the interests of the data subject. Any register of criminal convictions shall be kept only under the control of official authority.

Council General Approach: deleted

Commission proposal: 3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria, conditions and appropriate safeguards for the processing of the special categories of personal data referred to in paragraph 1 and the exemptions laid down in paragraph 2.

EP Position: 3. The Commission European Data Protection Board shall be empowered to adopt delegated acts in accordance with Article 86 for the purposeentrusted with the task of further specifying the criteria, conditions and appropriate safeguards issuing guidelines, recommendations and best practices for the processing of the special categories of personal data referred to in paragraph 1 and the exemptions laid down in paragraph 2, in accordance with Article 66.

Council General Approach: deleted

    4. Personal data referred to in paragraph 1 may on the basis of Union or Member State law be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.

5. Member States may maintain or introduce more specific provisions with regard to genetic data or health data. This includes the possibility for Member States to introduce further conditions for the processing of these data.

Article 9a

Processing of data relating to criminal convictions and offences

Processing of data relating to criminal convictions and offences or related security measures based on Article 6(1) may only be carried out either under the control of official authority or when the processing is authorised by Union law or Member State law providing for adequate safeguards for the rights and freedoms of data subjects. A complete register of criminal convictions may be kept only under the control of official authority.

Article 10 Article 10 Article 10

Commission proposal: Processing not allowing identification

EP Position: Processing not allowing identification

Council General Approach: Processing not allowing requiring identification

Amendment 104

Commission proposal: If the data processed by a controller do not permit the controller to identify a natural person, the controller shall not be obliged to acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation.

EP Position: 1. If the data processed by a controller do not permit the controller or processor to directly or indirectly identify a natural person, or consist only of pseudonymous data, the controller shall not be obliged to process or acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation.

Council General Approach: If the data processed by purposes for which a controller processes personal data do not permitor do no longer require the identification of a data subject by the controller to identify a natural person, the controller shall not be obliged to maintain or acquire additional information nor to engage in additional processing in order to identify the data subject for the sole purpose of complying with any provision of this Regulation.

2. Where the data controller is unable to comply with a provision of this Regulation because of paragraph 1, the controller shall not be obliged to comply with that particular provision of this Regulation. Where as a consequence the data controller is unable to comply with a request of the data subject, it shall inform the data subject accordingly.

2. Where, in such cases the controller is not in a position to identify the data subject, articles 15, 16, 17, 17a, 17b and 18 do not apply except where the data subject, for the purpose of exercising his or her rights under these articles, provides additional information enabling his or her identification.

CHAPTER III CHAPTER III CHAPTER III

RIGHTS OF THE RIGHTS OF THE RIGHTS OF THE

DATA SUBJECT DATA SUBJECT DATA SUBJECT

Article 10 a (new)

Amendment 105

General principles for the rights of the data subject rights

1. The basis of data protection is clear and unambiguous rights for the data subject which shall be respected by the data controller. The provisions of this Regulation aim to strengthen, clarify, guarantee and where appropriate, codify these rights.

2. Such rights include, inter alia, the provision of clear and easily understandable information regarding the processing of the data subject’s his or her personal data, the right of access, rectification and erasure of their his or her data, the right to obtain data, the right to object to profiling, the right to lodge a complaint with the competent data protection authority and to bring legal proceedings as well as the right to compensation and damages resulting from an unlawful processing operation. Such rights shall in general be exercised free of charge. The data controller shall respond to requests from the data subject within a reasonable period of time.

SECTION 1

TRANSPARENCY AND MODALITIES

Article 11

Transparent information and communication

Amendment 106

Commission proposal: 1. The controller shall have transparent and easily accessible policies with regard to the processing of personal data and for the exercise of data subjects' rights.

EP Position / First Reading: 1. The controller shall have concise, transparent, clear and easily accessible policies with regard to the processing of personal data and for the exercise of data subjects' rights

Council General Approach: deleted

Commission proposal: 2. The controller shall provide any information and any communication relating to the processing of personal data to the data subject in an intelligible form, using clear and plain language, adapted to the data subject, in particular for any information addressed specifically to a child.

EP Position / First Reading: 2. The controller shall provide any information and any communication relating to the processing of personal data to the data subject in an intelligible form, using clear and plain language, adapted to the data subject, in particular for any information addressed specifically to a child.

Council General Approach: deleted

Article 12

Commission proposal: Procedures and mechanisms for exercising the rights of the data subject

EP Position / First Reading: Procedures and mechanisms for exercising the rights of the data subject

Council General Approach: Procedures and mechanisms Transparent information, communication and modalities for exercising the rights of the data subject

Amendment 107

Commission proposal: 1. The controller shall establish procedures for providing the information referred to in Article 14 and for the exercise of the rights of data subjects referred to in Article 13 and Articles 15 to 19. The controller shall provide in particular mechanisms for facilitating the request for the actions referred to in Article 13 and Articles 15 to 19. Where personal data are processed by automated means, the controller shall also provide means for requests to be made electronically.

EP Position / First Reading: 1. The controller shall establish procedures for providing the information referred to in Article 14 and for the exercise of the rights of data subjects referred to in Article 13 and Articles 15 to 19. The controller shall provide in particular mechanisms for facilitating the request for the actions referred to in Article 13 and Articles 15 to 19. Where personal data are processed by automated means, the controller shall also provide means for requests to be made electronically where possible.

Council General Approach: 1. The controller shall establish procedures for providing the take appropriate measures to provide any information referred to in Article 14 and 14a for the exercise of the rights of data subjects referred to in Article 13 and any communication under Articles 15 to 19 and 32 relating to the processing of personal data to the data subject in an intelligible and easily accessible form, using clear and plain language. The information shall be provided in writing, or by other means, where appropriately in electronic form. Where the data subject makes the request in electronic form, the information may as a rule be provided in electronic form, unless otherwise requested by the data subject. When requested by the data subject, the information may be given orally provided that the identity of the data subject is proven other means. The controller shall provide in particular mechanisms for facilitating the request for the actions referred to in Article 13 and Articles 15 to 19. Where personal data are processed by automated means, the controller shall also provide means for requests to be made electronically.

1a. The controller shall facilitate the exercise of data subject rights under Articles 15 to 19. In cases referred to in Article 10 (2) the controller shall not refuse to act on the request of the data subject for exercising his/her rights under Articles 15 to 19, unless the controller demonstrates that he/she is not in a position to identify the data subject.

Commission proposal: 2. The controller shall inform the data subject without delay and, at the latest within one month of receipt of the request, whether or not any action has been taken pursuant to Article 13 and Articles 15 to 19 and shall provide the requested information. This period may be prolonged for a further month, if several data subjects exercise their rights and their cooperation is necessary to a reasonable extent to prevent an unnecessary and disproportionate effort on the part of the controller. The information shall be given in writing. Where the data subject makes the request in electronic form, the information shall be provided in electronic form, unless otherwise requested by the data subject.

EP Position / First Reading: 2. The controller shall inform the data subject without undue delay and, at the latest within one month 40 calendar days of receipt of the request, whether or not any action has been taken pursuant to Article 13 and Articles 15 to 19 and shall provide the requested information. This period may be prolonged for a further month, if several data subjects exercise their rights and their cooperation is necessary to a reasonable extent to prevent an unnecessary and disproportionate effort on the part of the controller. The information shall be given in writing and, where possible, the controller may provide remote access to a secure system which would provide the data subject with direct access to their his or her personal data. Where the data subject makes the request in electronic form, the information shall be provided in electronic form where possible, unless otherwise requested by the data subject.

Council General Approach: 2. The controller shall provide information on action taken on a request under Articles 15 and 16 to 19 to the data subject without undue delay and, at the latest within one month of receipt of the request, whether or not any action has been taken pursuant to Article 13 and Articles 15 to 19 and shall provide the requested information. This period may be prolonged extended for a further two months when necessary, taking into account the complexity of the request and the number of the requests., if several data subjects exercise their rights and their cooperation is necessary to a reasonable extent to prevent an unnecessary and disproportionate effort on the part of the controller. The information shall be given in writing. Where the extended period applies, the data subject makes the request in electronic form, the information shall be provided in electronic form, unless otherwise requested by the data subject informed within one month of receipt of the request of the reasons for the delay.

Commission proposal: 3. If the controller refuses to take action on the request of the data subject, the controller shall inform the data subject of the reasons for the refusal and on the possibilities of lodging a complaint to the supervisory authority and seeking a judicial remedy.

EP Position / First Reading: 3. If the controller refuses to does not take action at the request of the data subject, the controller shall inform the data subject of the reasons for the refusal inaction and on the possibilities of lodging a complaint to the supervisory authority and seeking a judicial remedy.

Council General Approach: 3. If the controller refuses to does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for the refusal not taking action and on the possibilities possibility of lodging a complaint to the a supervisory authority and seeking a judicial remedy.

Commission proposal: 4. The information and the actions taken on requests referred to in paragraph 1 shall be free of charge. Where requests are manifestly excessive, in particular because of their repetitive character, the controller may charge a fee for providing the information or taking the action requested, or the controller may not take the action requested. In that case, the controller shall bear the burden of proving the manifestly excessive character of the request.

EP Position / First Reading: 4. The information and the actions taken on requests referred to in paragraph 1 shall be free of charge. Where requests are manifestly excessive, in particular because of their repetitive character, the controller may charge a reasonable fee taking into account the administrative costs for providing the information or taking the action requested, or the controller may not take the action requested. In that case, the controller shall bear the burden of proving the manifestly excessive character of the request.

Council General Approach: 4. The iInformation and the actions taken on requests referred to in paragraph 1 provided under Articles 14 and 14a and any communication under Articles 16 to 19 and 32 shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may charge a fee for providing the information or taking the action requested, or the controller may not take the action requested refuse to act on the request. In that case, the controller shall bear the burden of proving demonstrating the manifestly unfounded or excessive character of the request.

    4a. Without prejudice to Article 10, where the controller has reasonable doubts concerning the identity of the individual making the request referred to in Articles 15 to 19, the controller may request the provision of additional information necessary to confirm the identity of the data subject.

Commission proposal: 5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and conditions for the manifestly excessive requests and the fees referred to in paragraph 4.

EP Position / First Reading: deleted

Council General Approach: deleted

Commission proposal: 6. The Commission may lay down standard forms and specifying standard procedures for the communication referred to in paragraph 2, including the electronic format. In doing so, the Commission shall take the appropriate measures for micro, small and medium-sized enterprises. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

EP Position / First Reading: deleted

Council General Approach: deleted

Article 13

Amendment 108

Commission proposal: Rights in relation to recipients

EP Position / First Reading: Rights in relation to recipients Notification requirement in the event of rectification and erasure

Council General Approach: Rights in relation to recipients

Commission proposal: The controller shall communicate any rectification or erasure carried out in accordance with Articles 16 and 17 to each recipient to whom the data have been disclosed, unless this proves impossible or involves a disproportionate effort.

EP Position / First Reading: The controller shall communicate any rectification or erasure carried out in accordance with Articles 16 and 17 to each recipient to whom the data have been disclosed transferred, unless this proves impossible or involves a disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests this.

Council General Approach: deleted

Article 13 a (new)

Amendment 109

Standardised information policies

1. Where personal data relating to a data subject are collected, the controller shall provide the data subject with the following particulars before providing information pursuant to Article 14:

(a) whether personal data are collected beyond the minimum necessary for each specific purpose of the processing;

(b) whether personal data are retained beyond the minimum necessary for each specific purpose of the processing;

(c) whether personal data are processed for purposes other than the purposes for which they were collected;

(d) whether personal data are disseminated to commercial third parties;

(e) whether personal data are sold or rented out;

(f) whether personal data are retained in encrypted form.

2. The particulars referred to in paragraph 1 shall be presented pursuant to Annex to this Regulation in an aligned tabular format, using text and symbols, in the following three columns:

(a) the first column depicts graphical forms symbolising those particulars;

(b) the second column contains essential information describing those particulars;

(c) the third column depicts graphical forms indicating whether a specific particular is met.

3. The information referred to in paragraphs 1 and 2 shall be presented in an easily visible and clearly legible way and shall appear in a language easily understood by the consumers of the Member States to whom the information is provided. Where the particulars are presented electronically, they shall be machine readable.

4. Additional particulars shall not be provided. Detailed explanations or further remarks regarding the particulars referred to in paragraph 1 may be provided together with the other information requirements pursuant to Article 14.

5. The Commission shall be empowered to adopt, after requesting an opinion of the European Data Protection Board, delegated acts in accordance with Article 86 for the purpose of further specifying the particulars referred to in paragraph 1 and their presentation as referred to in paragraph 2 and in the Annex to this Regulation.

SECTION 2

INFORMATION AND ACCESS TO DATA

Article 14

Commission proposal: Information to the data subject

EP Position / First Reading: Information to the data subject

Council General Approach: Information to be provided where the data are collected from the data subject

Amendment 110

Commission proposal: 1. Where personal data relating to a data subject are collected, the controller shall provide the data subject with at least the following information:

EP Position / First Reading: 1. Where personal data relating to a data subject are collected, the controller shall provide the data subject with at least the following information, after the particulars pursuant to Article 13a have been provided:

Council General Approach: 1. Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with at least the following information:

Commission proposal: (a) the identity and the contact details of the controller and, if any, of the controller's representative and of the data protection officer;

EP Position / First Reading: (a) the identity and the contact details of the controller and, if any, of the controller's representative and of the data protection officer;

Council General Approach: (a) the identity and the contact details of the controller and, if any, of the controller's representative; the controller shall also include the contact details and of the data protection officer, if any;

Commission proposal: (b) the purposes of the processing for which the personal data are intended, including the contract terms and general conditions where the processing is based on point (b) of Article 6(1) and the legitimate interests pursued by the controller where the processing is based on point (f) of Article 6(1);

EP Position / First Reading: (b) the purposes of the processing for which the personal data are intended, as well as information regarding the security of the processing of personal data, including the contract terms and general conditions where the processing is based on point (b) of Article 6(1) and the legitimate interests pursued by the controller where the processing is based on where applicable, information on how they implement and meet the requirements of point (f) of Article 6(1);

Council General Approach: (b) the purposes of the processing for which the personal data are intended, including the contract terms and general conditions where the processing is based on point (b) of Article 6(1) and the legitimate interests pursued by the controller where the processing is based on point (f) of Article 6(1); , as well as the legal basis of the processing.

1a. In addition to the information referred to in paragraph 1, the controller shall at the time when personal data are obtained provide the data subject with such further information that is necessary to ensure fair and transparent processing, having regard to the specific circumstances and context in which the personal data are processed:

Commission proposal: (c) the period for which the personal data will be stored;

EP Position / First Reading: (c) the period for which the personal data will be stored, or if this is not possible, the criteria used to determine this period;

Council General Approach: deleted

(b) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;

(fc) the recipients or categories of recipients of the personal data;

(gd) where applicable, that the controller intends to transfer personal data to a recipient in a third country or international organisation and on the level of protection afforded by that third country or international organisation by reference to an adequacy decision by the Commission;

Commission proposal: (d) the existence of the right to request from the controller access to and rectification or erasure of the personal data concerning the data subject or to object to the processing of such personal data;

EP Position / First Reading: (d) the existence of the right to request from the controller access to and rectification or erasure of the personal data concerning the data subject, or to object to the processing of such personal data, or to obtain data;

Council General Approach: (de) the existence of the right to request from the controller access to and rectification or erasure of the personal data or restriction of processing of personal data concerning the data subject or and to object to the processing of such personal data as well as the right to data portability;

Commission proposal: (e) the right to lodge a complaint to the supervisory authority and the contact details of the supervisory authority;

EP Position / First Reading: (e) the right to lodge a complaint to with the supervisory authority and the contact details of the supervisory authority;

Council General Approach: (ef) the right to lodge a complaint to the a supervisory authority and the contact details of the supervisory authority;

Commission proposal: (f) the recipients or categories of recipients of the personal data;

EP Position / First Reading: (f) the recipients or categories of recipients of the personal data;

Council General Approach: moved under (c)

Commission proposal: (g) where applicable, that the controller intends to transfer to a third country or international organisation and on the level of protection afforded by that third country or international organisation by reference to an adequacy decision by the Commission;

EP Position / First Reading: (g) where applicable, that the controller’s intends to transfer the data to a third country or international organisation and on the level of protection afforded by that third country or international organisation by reference to the existence or absence of an adequacy decision by the Commission, or in case of transfers referred to in Article 42, Article or 43, or point (h) of Article 44(1), reference to the appropriate safeguards and the means to obtain a copy of them;

Council General Approach: moved under (d) modified

(g) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the data and of the possible consequences of failure to provide such data;

(ga) where applicable, information about the existence of profiling, of measures based on profiling, and the envisaged effects of profiling on the data subject;

(gb) meaningful information about the logic involved in any automated processing;

(h) the existence of automated decision making including profiling referred to in Article 20(1) and (3) and information concerning the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

Commission proposal: (h) any further information necessary to guarantee fair processing in respect of the data subject, having regard to the specific circumstances in which the personal data are collected.

EP Position / First Reading: (h) any further information which is necessary to guarantee fair processing in respect of the data subject, having regard to the specific circumstances in which the personal data are collected or processed, in particular the existence of certain processing activities and operations for which a personal data impact assessment has indicated that there may be a high risk;

Council General Approach: deleted

(ha) where applicable, information whether personal data was were provided to public authorities during the last consecutive 12-month period.

1b. Where the controller intends to further process the data for a purpose other than the one for which the data were collected the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 1a.

Commission proposal: 2. Where the personal data are collected from the data subject, the controller shall inform the data subject, in addition to the information referred to in paragraph 1, whether the provision of personal data is obligatory or voluntary, as well as the possible consequences of failure to provide such data.

EP Position / First Reading: 2. Where the personal data are collected from the data subject, the controller shall inform the data subject, in addition to the information referred to in paragraph 1, whether the provision of personal data is obligatory mandatory or voluntary optional, as well as the possible consequences of failure to provide such data.

Council General Approach: deleted

2a. In deciding on further information which is necessary to make the processing fair under point (h) of paragraph 1, controllers shall have regard to any relevant guidance under Article 38 34.

Commission proposal: 3. Where the personal data are not collected from the data subject, the controller shall inform the data subject, in addition to the information referred to in paragraph 1, from which source the personal data originate.

EP Position / First Reading: 3. Where the personal data are not collected from the data subject, the controller shall inform the data subject, in addition to the information referred to in paragraph 1, from which source the specific personal data originate. If personal data originate from publicly available sources, a general indication may be given.

Council General Approach: deleted

Commission proposal: 4. The controller shall provide the information referred to in paragraphs 1, 2 and 3:

EP Position / First Reading: 4. The controller shall provide the information referred to in paragraphs 1, 2 and 3:

Council General Approach: deleted

Commission proposal: (a) at the time when the personal data are obtained from the data subject; or

EP Position / First Reading: (a) at the time when the personal data are obtained from the data subject or without undue delay where the above is not feasible; or

Council General Approach: deleted

(aa) on at the request by of a body, organization or association referred to in Article 73;

Commission proposal: (b) where the personal data are not collected from the data subject, at the time of the recording or within a reasonable period after the collection, having regard to the specific circumstances in which the data are collected or otherwise processed, or, if a disclosure to another recipient is envisaged, and at the latest when the data are first disclosed.

EP Position / First Reading: (b) where the personal data are not collected from the data subject, at the time of the recording or within a reasonable period after the collection, having regard to the specific circumstances in which the data are collected or otherwise processed, or, if a disclosure transfer to another recipient is envisaged, and at the latest when the data are first disclosed. at the time of the first transfer, or, if the data are to be used for communication with the data subject concerned, at the latest at the time of the first communication to that data subject; or

Council General Approach: deleted

(ba) only on request where the data are processed by a small or micro enterprise which processes personal data only as an ancillary activity.

Commission proposal: 5. Paragraphs 1 to 4 shall not apply, where:

EP Position / First Reading: 5. Paragraphs 1 to 4 shall not apply, where:

Council General Approach: 5. Paragraphs 1, to 4 1a and 1b shall not apply, where and insofar as the data subject already has the information.

Commission proposal: (a) the data subject has already the information referred to in paragraphs 1, 2 and 3; or

EP Position / First Reading: (a) the data subject has already the information referred to in paragraphs 1, 2 and 3; or

Council General Approach: merged with above 5.

Commission proposal: (b) the data are not collected from the data subject and the provision of such information proves impossible or would involve a disproportionate effort; or

EP Position / First Reading: (b) the data are processed for historical, statistical or scientific research purposes subject to the conditions and safeguards referred to in Articles 81 and 83, are not collected from the data subject and the provision of such information proves impossible or would involve a disproportionate effort and the controller has published the information for anyone to retrieve; or

Council General Approach: deleted

Commission proposal: (c) the data are not collected from the data subject and recording or disclosure is expressly laid down by law; or

EP Position / First Reading: (c) the data are not collected from the data subject and recording or disclosure is expressly laid down by law to which the controller is subject, which provides appropriate measures to protect the data subject's legitimate interests, considering the risks represented by the processing and the nature of the personal data; or

Council General Approach: deleted

Commission proposal: (d) the data are not collected from the data subject and the provision of such information will impair the rights and freedoms of others, as defined in Union law or Member State law in accordance with Article 21.

EP Position / First Reading: (d) the data are not collected from the data subject and the provision of such information will impair the rights and freedoms of others other natural persons, as defined in Union law or Member State law in accordance with Article 21;

Council General Approach: deleted

(da) the data are processed in the exercise of his profession by, or are entrusted or become known to, a person who is subject to an obligation of professional secrecy regulated by Union or Member State law or to a statutory obligation of secrecy, unless the data is collected directly from the data subject.

Commission proposal: 6. In the case referred to in point (b) of paragraph 5, the controller shall provide appropriate measures to protect the data subject's legitimate interests.

EP Position / First Reading: 6. In the case referred to in point (b) of paragraph 5, the controller shall provide appropriate measures to protect the data subject's rights or legitimate interests.

Council General Approach: deleted

Commission proposal: 7. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria for categories of recipients referred to in point (f) of paragraph 1, the requirements for the notice of potential access referred to in point (g) of paragraph 1, the criteria for the further information necessary referred to in point (h) of paragraph 1 for specific sectors and situations, and the conditions and appropriate safeguards for the exceptions laid down in point (b) of paragraph 5. In doing so, the Commission shall take the appropriate measures for micro, small and medium-sized enterprises.

EP Position / First Reading: deleted

Council General Approach: deleted

Commission proposal: 8. The Commission may lay down standard forms for providing the information referred to in paragraphs 1 to 3, taking into account the specific characteristics and needs of various sectors and data processing situations where necessary. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

EP Position / First Reading: deleted

Council General Approach: deleted

Article 14a

Information to be provided where the data have not been obtained from the data subject

1. Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information:

(a) the identity and the contact details of the controller and, if any, of the controller's representative; the controller shall also include the contact details of the data protection officer, if any;

(b) the purposes of the processing for which the personal data are intended as well as the legal basis of the processing.

2. In addition to the information referred to in paragraph 1, the controller shall provide the data subject with such further information that is necessary to ensure fair and transparent processing in respect of the data subject, having regard to the specific circumstances and context in which the personal data are processed:

(a) the categories of personal data concerned;

(b)

(c) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;

(d) the recipients or categories of recipients of the personal data;

(da) where applicable, that the controller intends to transfer personal data to a recipient in a third country or international organisation;

(e) the existence of the right to request from the controller access to and rectification or erasure of the personal data or restriction of processing of personal data concerning the data subject and to object to the processing of such personal data as well as the right to data portability;

(ea) where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;

(f) the right to lodge a complaint to a supervisory authority;

(g) from which source the personal data originate, unless the data originate from publicly accessible sources;

(h) the existence of automated decision making including profiling referred to in Article 20(1) and (3) and information concerning the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

3. The controller shall provide the information referred to in paragraphs 1 and 2:

(a) within a reasonable period after obtaining the data, but at the latest within one month, having regard to the specific circumstances in which the data are processed, or

(b) if a disclosure to another recipient is envisaged, at the latest when the data are first disclosed.

3a. Where the controller intends to further process the data for a purpose other than the one for which the data were obtained, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2

4. Paragraphs 1 to 3 shall not apply where and insofar as:

(a) the data subject already has the information; or

(b) the provision of such information proves impossible or would involve a disproportionate effort; in such cases the controller shall take appropriate measures to protect the data subject's rights and freedoms and legitimate interests; or

(c) obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject, which provides appropriate measures to protect the data subject's legitimate interests; or

(d)

(e) where the data must remain confidential in accordance with Union or Member State law.

Article 15

Amendment 111

Commission proposal: Right of access for the data subject

EP Position / First Reading: Right of to access and to obtain data for the data subject

Council General Approach: Right of access for the data subject

Commission proposal: 1. The data subject shall have the right to obtain from the controller at any time, on request, confirmation as to whether or not personal data relating to the data subject are being processed. Where such personal data are being processed, the controller shall provide the following information:

EP Position / First Reading: 1. TheSubject to Article 12(4), the data subject shall have the right to obtain from the controller at any time, on request, confirmation as to whether or not personal data relating to the data subject are being processed. Where such personal data are being processed, and, in clear and plain language, the controller shall provide the following information:

Council General Approach: 1. The data subject shall have the right to obtain from the controller at reasonable intervals and free of charge any time, on request, confirmation as to whether or not personal data relating to the data subject concerning him or her are being processed and . Wwhere such personal data are being processed, the controller shall provideaccess to the data and the following information:

Commission proposal: (a) the purposes of the processing;

EP Position / First Reading: (a) the purposes of the processing for each category of personal data;

Council General Approach: (a) the purposes of the processing;

Commission proposal: (b) the categories of personal data concerned;

EP Position / First Reading: (b) the categories of personal data concerned;

Council General Approach: deleted

Commission proposal: (c) the recipients or categories of recipients to whom the personal data are to be or have been disclosed, in particular to recipients in third countries;

EP Position / First Reading: (c) the recipients or categories of recipients to whom the personal data are to be or have been disclosed, in particular including to recipients in third countries;

Council General Approach: (c) the recipients or categories of recipients to whom the personal data are to be or have been or will be disclosed, in particular to recipients in third countries or international organisations;

Commission proposal: (d) the period for which the personal data will be stored;

EP Position / First Reading: (d) the period for which the personal data will be stored, or if this is not possible, the criteria used to determine this period;

Council General Approach: (d) where possible, the envisaged period for which the personal data will be stored;

Commission proposal: (e) the existence of the right to request from the controller rectification or erasure of personal data concerning the data subject or to object to the processing of such personal data;

EP Position / First Reading: (e) the existence of the right to request from the controller rectification or erasure of personal data concerning the data subject or to object to the processing of such personal data;

Council General Approach: (e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of the processing of personal data concerning the data subject or to object to the processing of such personal data;

Commission proposal: (f) the right to lodge a complaint to the supervisory authority and the contact details of the supervisory authority;

EP Position / First Reading: (f) the right to lodge a complaint to with the supervisory authority and the contact details of the supervisory authority;

Council General Approach: (f) the right to lodge a complaint to a supervisory authority;

Commission proposal: (g) communication of the personal data undergoing processing and of any available information as to their source;

EP Position / First Reading: deleted

Council General Approach: (g) where communication of the personal data undergoing processing and of are not collected from the data subject, any available information as to their source;

Commission proposal: (h) the significance and envisaged consequences of such processing, at least in the case of measures referred to in Article 20.

EP Position / First Reading: (h) the significance and envisaged consequences of such processing, at least in the case of measures referred to in Article 20.;

Council General Approach: (h) in the case of decisions based on automated processing including profiling referred to in Article 20(1) and (3), information concerning the logic involved as well as the significance and envisaged consequences of such processing, at least in the case of measures referred to in Article 20.

(ha) meaningful information about the logic involved in any automated processing;

(hb) without prejudice to Article 21, in the event of disclosure of personal data to a public authority as a result of a public authority request, confirmation of the fact that such a request has been made.

1a. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 42 relating to the transfer.

1b. On request and without an excessive charge, the controller shall provide a copy of the personal data undergoing processing to the data subject.

Commission proposal: 2. The data subject shall have the right to obtain from the controller communication of the personal data undergoing processing. Where the data subject makes the request in electronic form, the information shall be provided in electronic form, unless otherwise requested by the data subject.

EP Position / First Reading: 2. The data subject shall have the right to obtain from the controller communication of the personal data undergoing processing. Where the data subject makes the request in electronic form, the information shall be provided in an electronic form and structured format, unless otherwise requested by the data subject. Without prejudice to Article 10, the controller shall take all reasonable steps to verify that the person requesting access to the data is the data subject.

Council General Approach: deleted

2a. Where the data subject has provided the personal data where the personal data are processed by electronic means, the data subject shall have the right to obtain from the controller a copy of the provided personal data in an electronic and interoperable format which is commonly used and allows for further use by the data subject without hindrance from the controller from whom the personal data are withdrawn. Where technically feasible and available, the data shall be transferred directly from controller to controller at the request of the data subject.

2b. This Article shall be without prejudice to the obligation to delete data when no longer necessary under point (e) of Article 5(1).

2c. There shall be no right of access in accordance with paragraphs 1 and 2 when data within the meaning of point (da) of Article 14(5) are concerned, except if the data subject is empowered to lift the secrecy in question and acts accordingly.

2a. The right to obtain a copy referred to in paragraph 1b shall not apply where such copy cannot be provided without disclosing personal data of other data subjects or confidential data of the controller. Furthermore, this right shall not apply if disclosing personal data would infringe intellectual property rights in relation to processing of those personal data.

Commission proposal: 3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the communication to the data subject of the content of the personal data referred to in point (g) of paragraph 1.

EP Position / First Reading: deleted

Council General Approach: deleted

Commission proposal: 4. The Commission may specify standard forms and procedures for requesting and granting access to the information referred to in paragraph 1, including for verification of the identity of the data subject and communicating the personal data to the data subject, taking into account the specific features and necessities of various sectors and data processing situations. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

EP Position / First Reading: deleted

Council General Approach: deleted

SECTION 3 SECTION 3 SECTION 3

RECTIFICATION AND ERASURE RECTIFICATION AND ERASURE RECTIFICATION AND ERASURE

Article 16 Article 16 Article 16

Right to rectification Right to rectification Right to rectification

Commission proposal: The data subject shall have the right to obtain from the controller the rectification of personal data relating to them which are inaccurate. The data subject shall have the right to obtain completion of incomplete personal data, including by way of supplementing a corrective statement.

EP Position / First Reading: The data subject shall have the right to obtain from the controller the rectification of personal data relating to them which are inaccurate. The data subject shall have the right to obtain completion of incomplete personal data, including by way of supplementing a corrective statement.

Council General Approach: The data subject shall have the right to obtain from the controller without undue delay the rectification of personal data relating to them concerning him or her which are inaccurate. Having regard the purposes for which data were processed, The the data subject shall have the right to obtain completion of incomplete personal data, including by way means of supplementing providing a corrective supplementary statement.

Article 17 Article 17 Article 17

Amendment 112

Commission proposal: Right to be forgotten and to erasure

EP Position / First Reading: Right to be forgotten and to erasure

Council General Approach: Right to erasure and to be forgotten and to erasure

Commission proposal: 1. The data subject shall have the right to obtain from the controller the erasure of personal data relating to them and the abstention from further dissemination of such data, especially in relation to personal data which are made available by the data subject while he or she was a child, where one of the following grounds applies:

EP Position / First Reading: 1. The data subject shall have the right to obtain from the controller the erasure of personal data relating to him or her and the abstention from further dissemination of such data, especially in relation to personal data which are made available by the data subject while he or she was a child, and to obtain from third parties the erasure of any links to, or copy or replication of, those data where one of the following grounds applies:

Council General Approach: 1. The data subject shall have the right to obtain from the controller shall have the obligation to erase the erasure of personal data relating to them and the abstention from further dissemination of such data, especially in relation to personal data which are made available by without undue delay, especially in relation to personal which are collected when the data subject while he or she was a child, and the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay where one of the following grounds applies:

Commission proposal: (a) the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

EP Position / First Reading: (a) the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

Council General Approach: (a) the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

Commission proposal: (b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or when the storage period consented to has expired, and where there is no other legal ground for the processing of the data;

EP Position / First Reading: (b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or when the storage period consented to has expired, and where there is no other legal ground for the processing of the data;

Council General Approach: (b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2) and when the storage period consented to has expired, and where there is no other legal ground for the processing of the data;

Commission proposal: (c) the data subject objects to the processing of personal data pursuant to Article 19;

EP Position / First Reading: (c) the data subject objects to the processing of personal data pursuant to Article 19;

Council General Approach: (c) the data subject objects to the processing of personal data pursuant to Article 19(1) and there are no overriding legitimate grounds for the processing or the data subject objects to the processing of personal data pursuant to Article 19(2);

(ca) a court or regulatory authority based in the Union has ruled as final and absolute that the data concerned must be erased;

Commission proposal: (d) the processing of the data does not comply with this Regulation for other reasons.

EP Position / First Reading: (d) the processing of the data does not comply with this Regulation for other reasons has have been unlawfully processed.

Council General Approach: (d) the processing of the data does not comply with this Regulation for other reasons have been unlawfully processed;

(e) the data have to be erased for compliance with a legal obligation to which the controller is subject.

1a. The application of paragraph 1 shall be dependent upon the ability of the controller to verify that the person requesting the erasure is the data subject.

1a. The data subject shall have also the right to obtain from the controller the erasure of personal data concerning him or her, without undue delay, if the data have been collected in relation to the offering of information society services referred to in Article 8(1).

Commission proposal: 2. Where the controller referred to in paragraph 1 has made the personal data public, it shall take all reasonable steps, including technical measures, in relation to data for the publication of which the controller is responsible, to inform third parties which are processing such data, that a data subject requests them to erase any links to, or copy or replication of that personal data. Where the controller has authorised a third party publication of personal data, the controller shall be considered responsible for that publication.

EP Position / First Reading: 2. Where the controller referred to in paragraph 1 has made the personal data public without a justification based on Article 6(1), it shall take all reasonable steps, including technical measures, in relation to data for the publication of which the controller is responsible, to inform third parties which are processing such data, that a data subject requests them to erase any links to, or copy or replication of that personal data. Where the controller has authorised a third party publication of personal data, the controller shall be considered responsible for that publication to have the data erased, including by third parties, without prejudice to Article 77. The controller shall inform the data subject, where possible, of the action taken by the relevant third parties.

Council General Approach: deleted

2a. Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the data, that the data subject has requested the erasure by such controllers of any links to, or copy or replication of that personal data.

Commission proposal: 3. The controller shall carry out the erasure without delay, except to the extent that the retention of the personal data is necessary:

EP Position / First Reading: 3. The controller and, where applicable, the third party shall carry out the erasure without delay, except to the extent that the retention of the personal data is necessary:

Council General Approach: 3. The controller shall carry out the erasure without delay, except Paragraphs 1 and 2a shall not apply to the extent that the retention processing of the personal data is necessary:

Commission proposal: (a) for exercising the right of freedom of expression in accordance with Article 80;

EP Position / First Reading: (a) for exercising the right of freedom of expression in accordance with Article 80;

Council General Approach: (a) for exercising the right of freedom of expression in accordance with Article 80 and information;

(b) for compliance with a legal obligation which requires processing of personal data by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

Commission proposal: (b) for reasons of public interest in the area of public health in accordance with Article 81;

EP Position / First Reading: (b) for reasons of public interest in the area of public health in accordance with Article 81;

Council General Approach: (bc) for reasons of public interest in the area of public health in accordance with Article 819(2)(h) and (hb) as well as Article 9(4);

Commission proposal: (c) for historical, statistical and scientific research purposes in accordance with Article 83;

EP Position / First Reading: (c) for historical, statistical and scientific research purposes in accordance with Article 83;

Council General Approach: (cd) for archiving purposes in the public interest or for scientific, historical, statistical and historicalscientific research purposes in accordance with Article 83;

Commission proposal: (d) for compliance with a legal obligation to retain the personal data by Union or Member State law to which the controller is subject; Member State laws shall meet an objective of public interest, respect the essence of the right to the protection of personal data and be proportionate to the legitimate aim pursued;

EP Position / First Reading: (d) for compliance with a legal obligation to retain the personal data by Union or Member State law to which the controller is subject; Member State laws shall meet an objective of public interest, respect the right to the protection of personal data and be proportionate to the legitimate aim pursued;

Council General Approach: deleted

Commission proposal: (e) in the cases referred to in paragraph 4.

EP Position / First Reading: (e) in the cases referred to in paragraph 4.

Council General Approach: deleted

(g) for the establishment, exercise or defence of legal claims.

Commission proposal: 4. Instead of erasure, the controller shall restrict processing of personal data where:

EP Position / First Reading: 4. Instead of erasure, the controller shall restrict processing of personal data in such a way that it is not subject to the normal data access and processing operations and cannot be changed anymore, where:

Council General Approach: deleted

Commission proposal: (a) their accuracy is contested by the data subject, for a period enabling the controller to verify the accuracy of the data;

EP Position / First Reading: (a) their accuracy is contested by the data subject, for a period enabling the controller to verify the accuracy of the data;

Council General Approach: deleted

Commission proposal: (b) the controller no longer needs the personal data for the accomplishment of its task but they have to be maintained for purposes of proof;

EP Position / First Reading: (b) the controller no longer needs the personal data for the accomplishment of its task but they have to be maintained for purposes of proof;

Council General Approach: deleted

Commission proposal: (c) the processing is unlawful and the data subject opposes their erasure and requests the restriction of their use instead;

EP Position / First Reading: (c) the processing is unlawful and the data subject opposes their erasure and requests the restriction of their use instead;

Council General Approach: deleted

(ca) a court or regulatory authority based in the Union has ruled as final and absolute than the processing that the data concerned must be restricted;

Commission proposal: (d) the data subject requests to transmit the personal data into another automated processing system in accordance with Article 18(2).

EP Position / First Reading: (d) the data subject requests to transmit the personal data into another automated processing system in accordance with paragraphs 2a of Article 18(2).15;

Council General Approach: deleted

(da) the particular type of storage technology does not allow for erasure and has been installed before the entry into force of this Regulation.

Commission proposal: 5. Personal data referred to in paragraph 4 may, with the exception of storage, only be processed for purposes of proof, or with the data subject's consent, or for the protection of the rights of another natural or legal person or for an objective of public interest.

EP Position / First Reading: 5. Personal data referred to in paragraph 4 may, with the exception of storage, only be processed for purposes of proof, or with the data subject's consent, or for the protection of the rights of another natural or legal person or for an objective of public interest.

Council General Approach: deleted

Commission proposal: 6. Where processing of personal data is restricted pursuant to paragraph 4, the controller shall inform the data subject before lifting the restriction on processing.

EP Position / First Reading: 6. Where processing of personal data is restricted pursuant to paragraph 4, the controller shall inform the data subject before lifting the restriction on processing.

Council General Approach: deleted

Commission proposal: 7. The controller shall implement mechanisms to ensure that the time limits established for the erasure of personal data and/or for a periodic review of the need for the storage of the data are observed.

EP Position / First Reading: deleted

Council General Approach: deleted

Commission proposal: 8. Where the erasure is carried out, the controller shall not otherwise process such personal data.

EP Position / First Reading: 8. Where the erasure is carried out, the controller shall not otherwise process such personal data.

Council General Approach: deleted

    8a. The controller shall implement mechanisms to ensure that the time limits established for the erasure of personal data and/or for a periodic review of the need for the storage of the data are observed.

Commission proposal: 9. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying:

EP Position / First Reading: 9. The Commission shall be empowered to adopt, after requesting an opinion of the European Data Protection Board, delegated acts in accordance with Article 86 for the purpose of further specifying:

Council General Approach: deleted

Commission proposal: (a) the criteria and requirements for the application of paragraph 1 for specific sectors and in specific data processing situations;

EP Position / First Reading: (a) the criteria and requirements for the application of paragraph 1 for specific sectors and in specific data processing situations;

Council General Approach: deleted

Commission proposal: (b) the conditions for deleting links, copies or replications of personal data from publicly available communication services as referred to in paragraph 2;

EP Position / First Reading: (b) the conditions for deleting links, copies or replications of personal data from publicly available communication services as referred to in paragraph 2;

Council General Approach: deleted

Commission proposal: (c) the criteria and conditions for restricting the processing of personal data referred to in paragraph 4.

EP Position / First Reading: (c) the criteria and conditions for restricting the processing of personal data referred to in paragraph 4.

Council General Approach: deleted

Article 17a

Right to restriction of processing

1. The data subject shall have the right to obtain from the controller the restriction of the processing of personal data where:

(a) the accuracy of the data is contested by the data subject, for a period enabling the controller to verify the accuracy of the data;

(b) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; or

(c) he or she has objected to processing pursuant to Article 19(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.

2.

3. Where processing of personal data has been restricted under paragraph 1, such data may, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest.

4. A data subject who obtained the restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction of processing is lifted.

Article 17b

Notification obligation regarding rectification, erasure or restriction

The controller shall communicate any rectification, erasure or restriction of processing carried out in accordance with Articles 16, 17(1) and 17a to each recipient to whom the data have been disclosed, unless this proves impossible or involves disproportionate effort.

Article 18 Article 18 Article 18

Amendment 113

Right to data portability Right to data portability Right to data portability

Commission proposal: 1. The data subject shall have the right, where personal data are processed by electronic means and in a structured and commonly used format, to obtain from the controller a copy of data undergoing processing in an electronic and structured format which is commonly used and allows for further use by the data subject.

EP Position / First Reading: deleted

Council General Approach: deleted
Commission proposal: 2. Where the data subject has provided the personal data and the processing is based on consent or on a contract, the data subject shall have the right to transmit those personal data and any other information provided by the data subject and retained by an automated processing system, into another one, in an electronic format which is commonly used, without hindrance from the controller from whom the personal data are withdrawn.

EP Position / First Reading: deleted

Council General Approach: 2. Where tThe data subject has provided shall have the right to receive the personal data concerning him or her, which he or she has provided and the processing is based on consent or on a contract, the data subject shall have the right to transmit those personal data and any other information provided by the data subject and retained by an automated processing system, into another one, in an electronic format which is to a controller, in a structured and commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller from whom the personal data are withdrawn to which the data have been provided, where:

(a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and

(b) the processing is carried out by automated means.

2a. The exercise of this right shall be without prejudice to Article 17. The right referred to in paragraph 2 shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

2aa. The right referred to in paragraph 2 shall not apply if disclosing personal data would infringe intellectual property rights in relation to the processing of those personal data.

Commission proposal: 3. The Commission may specify the electronic format referred to in paragraph 1 and the technical standards, modalities and procedures for the transmission of personal data pursuant to paragraph 2. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

EP Position / First Reading: deleted

Council General Approach: deleted

SECTION 4 SECTION 4 SECTION 4

Commission proposal: RIGHT TO OBJECT AND PROFILING

EP Position / First Reading: RIGHT TO OBJECT AND PROFILING

Council General Approach: RIGHT TO OBJECT AND PROFILING AUTOMATED INDIVIDUAL DECISION MAKING

Article 19 Article 19 Article 19

Right to object Right to object Right to object

Amendment 114

Commission proposal: 1. The data subject shall have the right to object, on grounds relating to their particular situation, at any time to the processing of personal data which is based on points (d), (e) and (f) of Article 6(1), unless the controller demonstrates compelling legitimate grounds for the processing which override the interests or fundamental rights and freedoms of the data subject.

EP Position / First Reading: 1. The data subject shall have the right to object, on grounds relating to their particular situation, at any time to the processing of personal data which is based on points (d), and (e) and (f) of Article 6(1), unless the controller demonstrates compelling legitimate grounds for the processing which override the interests or fundamental rights and freedoms of the data subject.

Council General Approach: 1. The data subject shall have the right to object, on grounds relating to their his or her particular situation, at any time to the processing of personal data concerning him or her which is based on points (e) and or (f) of Article 6(1); the first sentence of Article 6(4) in conjunction with point (e) of Article 6(1) or the second sentence of Article 6(4). The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, or fundamental rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

Commission proposal: 2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object free of charge to the processing of their personal data for such marketing. This right shall be explicitly offered to the data subject in an intelligible manner and shall be clearly distinguishable from other information.

EP Position / First Reading: 2. Where the processing of personal data are processed for direct marketing purposes is based on point (f) of Article 6(1), the data subject shall have, at any time and without any further justification, the right to object free of charge in general or for any particular purpose to the processing of his or her personal data for such marketing. This right shall be explicitly offered to the data subject in an intelligible manner and shall be clearly distinguishable from other information.

Council General Approach: 2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object free of charge at any time to the processing of their personal data concerning him or her for such marketing. At the latest at the time of the first communication with the data subject, Tthis right shall be explicitly offered to brought to the attention of the data subject in an intelligible manner and shall be clearly distinguishable presented clearly and separately from any other information.

2a. The right referred to in paragraph 2 shall be explicitly offered to the data subject in an intelligible manner and form, using clear and plain language, in particular if addressed specifically to a child, and shall be clearly distinguishable from other information.

2a. Where the data subject objects to the processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

2b. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the right to object may be exercised by automated means using a technical standard which allows the data subject to clearly express his or her wishes.

2aa. Where personal data are processed for historical, statistical or scientific purposes the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

Commission proposal: 3. Where an objection is upheld pursuant to paragraphs 1 and 2, the controller shall no longer use or otherwise process the personal data concerned.

EP Position / First Reading: 3. Where an objection is upheld pursuant to paragraphs 1 and 2, the controller shall no longer use or otherwise process the personal data concerned for the purposes determined in the objection.

Council General Approach: deleted

Article 20 Article 20 Article 20

Amendment 115

Commission proposal: Measures based on profiling

EP Position / First Reading: Measures based on profilingProfiling

Council General Approach: Measures based on profilingAutomated individual decision making

Commission proposal: 1. Every natural person shall have the right not to be subject to a measure which produces legal effects concerning this natural person or significantly affects this natural person, and which is based solely on automated processing intended to evaluate certain personal aspects relating to this natural person or to analyse or predict in particular the natural person's performance at work, economic situation, location, health, personal preferences, reliability or behaviour.

EP Position / First Reading: 1. Without prejudice to the provisions in Article 6, Every every natural person shall have the right to object not to be subject to a measure which produces legal effects concerning this natural person or significantly affects this natural person, and which is based solely on automated processing intended to evaluate certain personal aspects relating to this natural person or to analyse or predict in particular the natural person's performance at work, economic situation, location, health, personal preferences, reliability or behaviour profiling in accordance with Article 19. The data subject shall be informed about the right to object to profiling in a highly visible manner.

Council General Approach: 1. Every natural person The data subject shall have the right not to be subject to a measure which produces legal effects concerning this natural person or significantly affects this natural person, and which decision isbased solely on automated processing,intended to evaluate certain personal aspects relating to this natural person or to analyse or predict in particular the natural person's performance at work, economic situation, location, health, personal preferences, reliability or behaviourincluding profiling, which produces legal effects concerning him or her or significantly affects him or her.

1a. Paragraph 1 shall not apply if the decision:

(a) is necessary for entering into, or performance of, a contract between the data subject and a data controller; or

(b) is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or

(c) is based on the data subject's explicit consent.

1b. In cases referred to in paragraph 1a (a) and (c) the data controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

Commission proposal: 2. Subject to the other provisions of this Regulation, a person may be subjected to a measure of the kind referred to in paragraph 1 only if the processing:

EP Position: 2. Subject to the other provisions of this Regulation, a person may be subjected to a measure of the kind referred to in paragraph 1 profiling which leads to measures producing legal effects concerning the data subject or does similarly significantly affect the interests, rights or freedoms of the concerned data subject only if the processing:

Council General Approach: deleted

Commission proposal: (a) is carried out in the course of the entering into, or performance of, a contract, where the request for the entering into or the performance of the contract, lodged by the data subject, has been satisfied or where suitable measures to safeguard the data subject's legitimate interests have been adduced, such as the right to obtain human intervention; or

EP Position: (a) is carried out in the course of necessary for the entering into, or performance of, a contract, where the request for the entering into or the performance of the contract, lodged by the data subject, has been satisfied or where, provided that suitable measures to safeguard the data subject's legitimate interests have been adduced, such as the right to obtain human intervention; or

Council General Approach: deleted

Commission proposal: (b) is expressly authorized by a Union or Member State law which also lays down suitable measures to safeguard the data subject's legitimate interests; or

EP Position: (b) is expressly authorized by a Union or Member State law which also lays down suitable measures to safeguard the data subject's legitimate interests;

Council General Approach: deleted

Commission proposal: (c) is based on the data subject's consent, subject to the conditions laid down in Article 7 and to suitable safeguards.

EP Position: (c) is based on the data subject's consent, subject to the conditions laid down in Article 7 and to suitable safeguards.

Council General Approach: deleted

Commission proposal: 3. Automated processing of personal data intended to evaluate certain personal aspects relating to a natural person shall not be based solely on the special categories of personal data referred to in Article 9.

EP Position: 3. Automated processing of personal data intended to evaluate certain personal aspects relating to a natural person Profiling that has the effect of discriminating against individuals on the basis of race or ethnic origin, political opinions, religion or beliefs, trade union membership, sexual orientation or gender identity, or that results in measures which have such effect, shall be prohibited. The controller shall implement effective protection against possible discrimination resulting from profiling. Profiling shall not be based solely on the special categories of personal data referred to in Article 9.

Council General Approach: 2. Automated processing of personal data intended to evaluate certain personal aspects relating to a natural person Decisions referred to in paragraph 1a shall not be based solely on the special categories of personal data referred to in Article 9(1), unless points (a) or (g) of Article 9(2) apply and suitable measures to safeguard the data subject's rights and freedoms and legitimate interests are in place.

Commission proposal: 4. In the cases referred to in paragraph 2, the information to be provided by the controller under Article 14 shall include information as to the existence of processing for a measure of the kind referred to in paragraph 1 and the envisaged effects of such processing on the data subject.

EP Position: deleted

Council General Approach: deleted

Commission proposal: 5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and conditions for suitable measures to safeguard the data subject's legitimate interests referred to in paragraph 2.

EP Position: 5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and conditions for Profiling which leads to measures producing legal effects concerning the data subject or does similarly significantly affect the interests, rights or freedoms of the concerned data subject shall not be based solely or predominantly on automated processing and shall include human assessment, including an explanation of the decision reached after such an assessment. The suitable measures to safeguard the data subject's legitimate interests referred to in paragraph 2 shall include the right to obtain human assessment and an explanation of the decision reached after such assessment.

Council General Approach: deleted

5a. The European Data Protection Board shall be entrusted with the task of issuing guidelines, recommendations and best practices in accordance with point (b) of Article 66(1) for further specifying the criteria and conditions for profiling pursuant to paragraph 2.

SECTION 5 SECTION 5 SECTION 5 RESTRICTIONS RESTRICTIONS RESTRICTIONS

Article 21 Article 21 Article 21

Restrictions Restrictions Restrictions

Amendment 116

Commission proposal: 1. Union or Member State law may restrict by way of a legislative measure the scope of the obligations and rights provided for in points (a) to (e) of Article 5 and Articles 11 to 20 and Article 32, when such a restriction constitutes a necessary and proportionate measure in a democratic society to safeguard:

EP Position: 1. Union or Member State law may restrict by way of a legislative measure the scope of the obligations and rights provided for in points (a) to (e) of Article 5 and Articles 11 to 20 19 and Article 32, when such a restriction constitutes meets a clearly defined objective of public interest, respects the essence of the right to protection of personal data, is proportionate to the legitimate aim pursued and respects the fundamental rights and interests of the data subject and is a necessary and proportionate measure in a democratic society to safeguard:

Council General Approach: 1. Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in points (a) to (e) of Article 5 and Articles 11 12 to 20 and Article 32, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 20, when such a restriction constitutes a necessary and proportionate measure in a democratic society to safeguard:

    (aa) national security;

(ab) defence;

(a) public security; (a) public security; (a) public security;

Commission proposal: (b) the prevention, investigation, detection and prosecution of criminal offences;

EP Position: (b) the prevention, investigation, detection and prosecution of criminal offences;

Council General Approach: (b) the prevention, investigation, detection and or prosecution of criminal offences or the execution of criminal penalties or the safeguarding against and the prevention of threats to public security;

Commission proposal: (c) other public interests of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters and the protection of market stability and integrity;

EP Position: (c) other public interests of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters and the protection of market stability and integrity;

Council General Approach: (c) other important objectives of general public interests of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters, public health and social security, and the protection of market stability and integrity;

(ca) the protection of judicial independence and judicial proceedings;

Commission proposal: (d) the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;

EP Position: (d) the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;

Council General Approach: (d) the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;

Commission proposal: (e) a monitoring, inspection or regulatory function connected, even occasionally, with the exercise of official authority in cases referred to in (a), (b), (c) and (d);

EP Position: (e) a monitoring, inspection or regulatory function connected, even occasionally, with in the framework of the exercise of official a competent public authority in cases referred to in (a), (b), (c) and (d);

Council General Approach: (e) a monitoring, inspection or regulatory function connected, even occasionally, with the exercise of official authority in cases referred to in (aa), (ab), (a) (b), (c) and (d);

Commission proposal: (f) the protection of the data subject or the rights and freedoms of others.

EP Position: (f) the protection of the data subject or the rights and freedoms of others.

Council General Approach: (f) the protection of the data subject or the rights and freedoms of others.;

(g) the enforcement of civil law claims.

Commission proposal: 2. In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions at least as to the objectives to be pursued by the processing and the determination of the controller.

EP Position: 2. In particular, any legislative measure referred to in paragraph 1 must be necessary and proportionate in a democratic society and shall contain specific provisions at least as to the objectives to be pursued by the processing and the determination of the controller.:

(a) the objectives to be pursued by the processing;

(b) the determination of the controller;

(c) the specific purposes and means of processing;

(d) the safeguards to prevent abuse or unlawful access or transfer;

(e) the right of data subjects to be informed about the restriction.

Council General Approach: 2. In particular, aAny legislative measure referred to in paragraph 1 shall contain specific provisions at least, where relevant, as to the objectives to be pursued by the processing and the determination purposes of the processing or categories of processing, the categories of personal data, the scope of the restrictions introduced, the specification of the controller or categories of controllers, the storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing and the risks for the rights and freedoms of data subjects.

2a. Legislative measures referred to in paragraph 1 shall neither permit nor oblige private controllers to retain data additional to those strictly necessary for the original purpose.

CHAPTER IV CHAPTER IV CHAPTER IV

CONTROLLER AND CONTROLLER AND CONTROLLER AND

PROCESSOR PROCESSOR PROCESSOR

SECTION 1 SECTION 1 SECTION 1 GENERAL OBLIGATIONS GENERAL OBLIGATIONS GENERAL OBLIGATIONS

Article 22 Article 22 Article 22

Amendment 117

Commission proposal: Responsibility of the controller

EP Position: Responsibility and accountability of the controller

Council General Approach: Responsibility Obligations of the controller

Commission proposal: 1. The controller shall adopt policies and implement appropriate measures to ensure and be able to demonstrate that the processing of personal data is performed in compliance with this Regulation.

EP Position: 1. The controller shall adopt appropriate policies and implement appropriate and demonstrable technical and organisational measures to ensure and be able to demonstrate in a transparent manner that the processing of personal data is performed in compliance with this Regulation, having regard to the state of the art, the nature of personal data processing, the context, scope and purposes of processing, the risks for the rights and freedoms of the data subjects and the type of the organisation, both at the time of the determination of the means for processing and at the time of the processing itself.

Council General Approach: 1. Taking into account the nature, scope, context and purposes of the processing as well as the likelihood and severity of risk for the rights and freedoms of individuals, Tthe controller shall adopt policies and implement appropriate measures to ensure and be able to demonstrate that the processing of personal data is performed in compliance with this Regulation.

1a. Having regard to the state of the art and the cost of implementation, the controller shall take all reasonable steps to implement compliance policies and procedures that persistently respect the autonomous choices of data subjects. These compliance policies shall be reviewed at least every two years and updated where necessary.

Commission proposal: 2. The measures provided for in paragraph 1 shall in particular include:

(a) keeping the documentation pursuant to Article 28;

(b) implementing the data security requirements laid down in Article 30;

(c) performing a data protection impact assessment pursuant to Article 33;

(d) complying with the requirements for prior authorisation or prior consultation of the supervisory authority pursuant to Article 34(1) and (2);

(e) designating a data protection officer pursuant to Article 35(1).

EP Position: deleted (paragraph 2 and points (a) to (e))

Council General Approach: deleted (paragraph 2 and points (a) to (e))

2a. Where proportionate in relation to the processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller.

2b. Adherence to approved codes of conduct pursuant to Article 38 or an approved certification mechanism pursuant to Article 39 may be used as an element to demonstrate compliance with the obligations of the controller.

Commission proposal: 3. The controller shall implement mechanisms to ensure the verification of the effectiveness of the measures referred to in paragraphs 1 and 2. If proportionate, this verification shall be carried out by independent internal or external auditors.

EP Position: 3. The controller shall implement mechanisms to ensure the verification of the be able to demonstrate the adequacy and effectiveness of the measures referred to in paragraphs 1 and 2. If proportionate, this verification shall be carried out by independent internal or external auditors Any regular general reports of the activities of the controller, such as the obligatory reports by publicly traded companies, shall contain a summary description of the policies and measures referred to in paragraph 1.

Council General Approach: deleted

3a. The controller shall have the right to transmit personal data inside the Union within the group of undertakings the controller is part of, where such processing is necessary for legitimate internal administrative purposes between connected business areas of the group of undertakings and an adequate level of data protection as well as the interests of the data subjects are safeguarded by internal data protection provisions or equivalent codes of conduct as referred to in Article 38.

Commission proposal: 4. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of specifying any further criteria and requirements for appropriate measures referred to in paragraph 1 other than those already referred to in paragraph 2, the conditions for the verification and auditing mechanisms referred to in paragraph 3 and as regards the criteria for proportionality under paragraph 3, and considering specific measures for micro, small and medium-sized-enterprises.

EP Position: deleted

Council General Approach: deleted

Article 23 Article 23 Article 23

Data protection by design and by default Data protection by design and by default Data protection by design and by default

Amendment 118

Commission proposal: 1. Having regard to the state of the art and the cost of implementation, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.

EP Position: 1. Having regard to the state of the art and the cost of implementation, current technical knowledge, international best practices and the risks represented by the data processing, the controller and the processor, if any, shall, both at the time of the determination of the purposes and means for processing and at the time of the processing itself, implement appropriate and proportionate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject, in particular with regard to the principles laid down in Article 5. Data protection by design shall have particular regard to the entire lifecycle management of personal data from collection to processing to deletion, systematically focusing on comprehensive procedural safeguards regarding the accuracy, confidentiality, integrity, physical security and deletion of personal data. Where the controller has carried out a data protection impact assessment pursuant to Article 33, the results shall be taken into account when developing those measures and procedures.

Council General Approach: 1. Having regard to available technology the state of the art and the cost of implementation and taking account of the nature, scope, context and purposes of the processing as well as the likelihood and severity of the risk for rights and freedoms of individuals posed by the processing, the controllers shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures appropriate to the processing activity being carried out and its objectives, such as data minimisation and pseudonymisation, and procedures in such a way that the processing will meet the requirements of this Regulation and ensure protect the protection of the rights of the data subjects.

1a. In order to foster its widespread implementation in different economic sectors, data protection by design shall be a prerequisite for public procurement tenders according to Directive 2004/18/EC of the European Parliament and of the Council¹ as well as according to Directive 2004/17/EC of the European Parliament and of the Council² (Utilities Directive).

¹ Directive 2004/18/EC of the European Parliament and of the Council of 31 March 2004 on the coordination of procedures for the award of public works contracts, public supply contracts and public service contracts (OJ L 134, 30.4.2004, p. 114).

² Directive 2004/17/EC of the European Parliament and of the Council of 31 March 2004 coordinating the procurement procedures of entities operating in the water, energy, transport and postal services sector (OJ L 134, 30.4.2004, p. 1).

Commission proposal: 2. The controller shall implement mechanisms for ensuring that, by default, only those personal data are processed which are necessary for each specific purpose of the processing and are especially not collected or retained beyond the minimum necessary for those purposes, both in terms of the amount of the data and the time of their storage. In particular, those mechanisms shall ensure that by default personal data are not made accessible to an indefinite number of individuals.

EP Position: 2. The controller shall implement mechanisms for ensuring ensure that, by default, only those personal data are processed which are necessary for each specific purpose of the processing and are especially not collected or, retained or disseminated beyond the minimum necessary for those purposes, both in terms of the amount of the data and the time of their storage. In particular, those mechanisms shall ensure that by default personal data are not made accessible to an indefinite number of individuals and that data subjects are able to control the distribution of their personal data.

Council General Approach: 2. The controller shall implement mechanisms appropriate measures for ensuring that, by default, only those personal data are processed which are necessary for each specific purpose of the processing and are especially not collected or retained beyond the minimum necessary for those purposes, both in terms of are processed; this applies to the amount of the data collected, the extent of their processing, and the time period of their storage and their accessibility. Where the purpose of the processing is not intended to provide the public with information In particular, those mechanisms shall ensure that by default personal data are not made accessible without human intervention to an indefinite number of individuals.

2a. An approved certification mechanism pursuant to Article 39 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2.

Commission proposal: 3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of specifying any further criteria and requirements for appropriate measures and mechanisms referred to in paragraph 1 and 2, in particular for data protection by design requirements applicable across sectors, products and services.

EP Position: deleted

Council General Approach: deleted

Commission proposal: 4. The Commission may lay down technical standards for the requirements laid down in paragraph 1 and 2. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

EP Position: deleted

Council General Approach: deleted

Article 24 Article 24 Article 24

Joint controllers Joint controllers Joint controllers

Amendment 119

Commission proposal: Where a controller determines the purposes, conditions and means of the processing of personal data jointly with others, the joint controllers shall determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the procedures and mechanisms for exercising the rights of the data subject, by means of an arrangement between them.

EP Position: Where a controller determines several controllers jointly determine the purposes, conditions and means of the processing of personal data jointly with others, the joint controllers shall determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the procedures and mechanisms for exercising the rights of the data subject, by means of an arrangement between them. The arrangement shall duly reflect the joint controllers' respective effective roles and relationships vis-à-vis data subjects, and the essence of the arrangement shall be made available for the data subject. In case of unclarity of the responsibility, the controllers shall be jointly and severally liable.

Council General Approach: 1. Where two or more a controllers jointly determines the purposes, conditions and means of the processing of personal data jointly with others, they are joint controllers. They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the procedures and mechanisms for exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 14 and 14a, by means of an arrangement between them unless, and in so far as, the respective responsibilities of the controllers are determined by Union or Member State law to which the controllers are subject. The arrangement shall designate which of the joint controllers shall act as single point of contact for data subjects to exercise their rights.

2. Irrespective of the terms of the arrangement referred to in paragraph 1, the data subject may exercise his or her rights under this Regulation in respect of and against each of the controllers.

3. The arrangement shall duly reflect the joint controllers’ respective effective roles and relationships vis-à-vis data subjects, and the essence of the arrangement shall be made available for the data subject. Paragraph 2 does not apply where the data subject has been informed in a transparent and unequivocal manner which of the joint controllers is responsible, unless such arrangement other than one determined by Union or Member State law is unfair with regard to his or her rights.

Article 25 Article 25 Article 25

Representatives of controllers not established in the Union Representatives of controllers not established in the Union Representatives of controllers not established in the Union

Amendment 120

Commission proposal: 1. In the situation referred to in Article 3(2), the controller shall designate a representative in the Union.

EP Position: 1. In the situation referred to in Article 3(2), the controller shall designate a representative in the Union.

Council General Approach: 1. In the situation referred to in Where Article 3(2) applies, the controller shall designate in writing a representative in the Union.

Commission proposal: 2. This obligation shall not apply to:

EP Position: 2. This obligation shall not apply to:

Council General Approach: 2. This obligation shall not apply to:

Commission proposal: (a) a controller established in a third country where the Commission has decided that the third country ensures an adequate level of protection in accordance with Article 41; or

EP Position: (a) a controller established in a third country where the Commission has decided that the third country ensures an adequate level of protection in accordance with Article 41; or

Council General Approach: deleted

Commission proposal: (b) an enterprise employing fewer than 250 persons; or

EP Position: (b) an enterprise employing fewer than 250 persons a controller processing personal data which relates to less than 5000 data subjects during any consecutive 12-month period and not processing special categories of personal data as referred to in Article 9(1), location data or data on children or employees in large-scale filing systems; or

Council General Approach: (b) an enterprise employing fewer than 250 persons processing which is occasional and unlikely to result in a risk for the rights and freedoms of individuals, taking into account the nature, context, scope and purposes of the processing; or

(c) a public authority or body; or (c) a public authority or body; or (c) a public authority or body; or

Commission proposal: (d) a controller offering only occasionally goods or services to data subjects residing in the Union.

EP Position: (d) a controller offering only occasionally offering goods or services to data subjects residing in the Union, unless the processing of personal data concerns special categories of personal data as referred to in Article 9(1), location data or data on children or employees in large-scale filing systems.

Council General Approach: deleted

Commission proposal: 3. The representative shall be established in one of those Member States where the data subjects whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, reside.

EP Position: 3. The representative shall be established in one of those Member States where the data subjects whose personal data are processed in relation to the offering of goods or services to them the data subjects, or whose behaviour is monitored, reside the monitoring of them, takes place.

Council General Approach: 3. The representative shall be established in one of those Member States where the data subjects whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, reside.

    3a. The representative shall be mandated by the controller to be addressed in addition to or instead of the controller by, in particular, supervisory authorities and data subjects, on all issues related to the processing of personal data, for the purposes of ensuring compliance with this Regulation.

Commission proposal: 4. The designation of a representative by the controller shall be without prejudice to legal actions which could be initiated against the controller itself.

EP Position: 4. The designation of a representative by the controller shall be without prejudice to legal actions which could be initiated against the controller itself.

Council General Approach: 4. The designation of a representative by the controller shall be without prejudice to legal actions which could be initiated against the controller itself.

Article 26 Article 26 Article 26

Processor Processor Processor

Amendment 121

Commission proposal: 1. Where a processing operation is to be carried out on behalf of a controller, the controller shall choose a processor providing sufficient guarantees to implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject, in particular in respect of the technical security measures and organizational measures governing the processing to be carried out and shall ensure compliance with those measures.

EP Position: 1. Where a processing operation is to be carried out on behalf of a controller, the controller shall choose a processor providing sufficient guarantees to implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject, in particular in respect of the technical security measures and organisational measures governing the processing to be carried out and shall ensure compliance with those measures.

Council General Approach: 1. Where a processing operation is to be carried out on behalf of a controller, the The controller shall choose use only a processors providing sufficient guarantees to implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject, in particular in respect of the technical security measures and organizational measures governing the processing to be carried out and shall ensure compliance with those measures.

1a. The processor shall not enlist another processor without the prior specific or general written consent of the controller. In the latter case, the processor should always inform the controller on any intended changes concerning the addition or replacement of other processors, thereby giving the opportunity to the controller to object to such changes.

Commission proposal: 2. The carrying out of processing by a processor shall be governed by a contract or other legal act binding the processor to the controller and stipulating in particular that the processor shall:

EP Position: 2. The carrying out of processing by a processor shall be governed by a contract or other legal act binding the processor to the controller. The controller and the processor shall be free to determine respective roles and tasks with respect to the requirements of this Regulation, and shall provide that and stipulating in particular that the processor shall:

Council General Approach: 2. The carrying out of processing by a processor shall be governed by a contract or other a legal act under Union or Member State law binding the processor to the controller, setting out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, the rights of binding the processor to the controller and stipulating in particular that the processor shall:

Commission proposal: (a) act only on instructions from the controller, in particular, where the transfer of the personal data used is prohibited;

EP Position: (a) act process personal data only on instructions from the controller, in particular, where the transfer of the personal data used is prohibited, unless otherwise required by Union law or Member State law;

Council General Approach: (a) process the personal data act only on instructions from the controller, in particular, where the transfer of the personal data used is prohibited unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing the data, unless that law prohibits such information on important grounds of public interest;

Commission proposal and EP Position: (b) employ only staff who have committed themselves to confidentiality or are under a statutory obligation of confidentiality;

Council General Approach: deleted

Commission proposal and EP Position: (c) take all required measures pursuant to Article 30;

Council General Approach: (c) take all required measures required pursuant to Article 30;

Commission proposal: (d) enlist another processor only with the prior permission of the controller;

EP Position: (d) enlist determine the conditions for enlisting another processor only with the prior permission of the controller, unless otherwise determined;

Council General Approach: (d) respect the conditions for enlisting another processor only with the prior permission such as a requirement of specific prior permission of the controller;

Commission proposal: (e) insofar as this is possible given the nature of the processing, create in agreement with the controller the necessary technical and organisational requirements for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III;

EP Position: (e) insofar as this is possible given the nature of the processing, create in agreement with the controller the necessary appropriate and relevant technical and organisational requirements for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III;

Council General Approach: (e) insofar as this is possible given taking into account the nature of the processing, assist create in agreement with the controller the necessary technical and organisational requirements for the fulfilment of the controller’s obligation to in responding to requests for exercising the data subject’s rights laid down in Chapter III;

Commission proposal and Council General Approach: (f) assist the controller in ensuring compliance with the obligations pursuant to Articles 30 to 34;

EP Position: (f) assist the controller in ensuring compliance with the obligations pursuant to Articles 30 to 34, taking into account the nature of processing and the information available to the processor;

Commission proposal: (g) hand over all results to the controller after the end of the processing and not process the personal data otherwise;

EP Position: (g) hand over return all results to the controller after the end of the processing, and not process the personal data otherwise and delete existing copies unless Union or Member State law requires storage of the data;

Council General Approach: (g) hand over all results to return or delete, at the choice of the controller after the end of the processing and not process the personal data otherwise upon the termination of the provision of data processing services specified in the contract or other legal act, unless there is a requirement to store the data under Union or Member State law to which the processor is subject;

Commission proposal: (h) make available to the controller and the supervisory authority all information necessary to control compliance with the obligations laid down in this Article.

EP Position: (h) make available to the controller and the supervisory authority all information necessary to control demonstrate compliance with the obligations laid down in this Article and allow on-site inspections;

Council General Approach: (h) make available to the controller and the supervisory authority all information necessary to control demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits conducted by the controller.

The processor shall immediately inform the controller if, in his opinion, an instruction breaches this Regulation or Union or Member State data protection provisions.

2a. Where a processor enlists another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor as referred to in paragraph 2 shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a way that the processing will meet the requirements of this Regulation. Where that other processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor's obligations.

2aa. Adherence of the processor to an approved code of conduct pursuant to Article 38 or an approved certification mechanism pursuant to Article 39 may be used as an element to demonstrate sufficient guarantees referred to in paragraphs 1 and 2a.

2ab. Without prejudice to an individual contract between the controller and the processor, the contract or the other legal act referred to in paragraphs 2 and 2a may be based, in whole or in part, on standard contractual clauses referred to in paragraphs 2b and 2c or on standard contractual clauses which are part of a certification granted to the controller or processor pursuant to Articles 39 and 39a.

2b. The Commission may lay down standard contractual clauses for the matters referred to in paragraph 2 and 2a and in accordance with the examination procedure referred to in Article 87(2).

2c. A supervisory authority may adopt standard contractual clauses for the matters referred to in paragraph 2 and 2a and in accordance with the consistency mechanism referred to in Article 57.

  • 3. 
    Commission proposal: The controller and the processor shall document in writing the controller's instructions and the processor's obligations referred to in paragraph 2.

    EP Position: 3. The controller and the processor shall document in writing the controller's instructions and the processor's obligations referred to in paragraph 2.

    Council General Approach: 3. The controller and the processor shall document in writing the controller's instructions and the processor's obligations referred to in paragraph 2 The contract or the other legal act referred to in paragraphs 2 and 2a shall be in writing, including in an electronic form.

3a. The sufficient guarantees referred to in paragraph 1 may be demonstrated by adherence to codes of conduct or certification mechanisms pursuant to Articles 38 or 39 of this Regulation.

  • 4. 
    Commission proposal: If a processor processes personal data other than as instructed by the controller, the processor shall be considered to be a controller in respect of that processing and shall be subject to the rules on joint controllers laid down in Article 24.

    EP Position: 4. If a processor processes personal data other than as instructed by the controller or becomes the determining party in relation to the purposes and means of data processing, the processor shall be considered to be a controller in respect of that processing and shall be subject to the rules on joint controllers laid down in Article 24.

    Council General Approach: deleted

  • 5. 
    Commission proposal: The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the responsibilities, duties and tasks in relation to a processor in line with paragraph 1, and conditions which allow facilitating the processing of personal data within a group of undertakings, in particular for the purposes of control and reporting.

    EP Position and Council General Approach: deleted

Article 27

Processing under the authority of the controller and processor

Commission proposal and EP Position: The processor and any person acting under the authority of the controller or of the processor who has access to personal data shall not process them except on instructions from the controller, unless required to do so by Union or Member State law.

Council General Approach: deleted

Article 28

Commission proposal: Documentation

EP Position: Documentation

Council General Approach: Records of categories of personal data processing activities

Amendment 122

  • 1. 
    Commission proposal: Each controller and processor and, if any, the controller's representative, shall maintain documentation of all processing operations under its responsibility.

    EP Position: 1. Each controller and processor and, if any, the controller's representative, shall maintain regularly updated documentation of all processing operations under its responsibility necessary to fulfill the requirements laid down in this Regulation.

    Council General Approach: 1. Each controller and processor and, if any, the controller's representative, shall maintain a record documentation of all categories of personal data processing operations activities under its responsibility. The documentation This record shall contain at least the following information:

  • 2. 
    Commission proposal: The documentation shall contain at least the following information:

    EP Position: 2. The In addition, each controller and processor shall maintain documentation shall contain at least of the following information:

    Council General Approach: [Merged with 1. above and slightly modified]

Commission proposal and EP Position: (a) the name and contact details of the controller, or any joint controller or processor, and of the representative, if any;

Council General Approach: (a) the name and contact details of the controller, or and any joint controller or processor, and of the the controller's representative and data protection officer, if any;

Commission proposal and EP Position: (b) the name and contact details of the data protection officer, if any;

Council General Approach: deleted

Commission proposal: (c) the purposes of the processing, including the legitimate interests pursued by the controller where the processing is based on point (f) of Article 6(1);

EP Position: deleted

Council General Approach: (c) the purposes of the processing, including the legitimate interests pursued by the controller where when the processing is based on point (f) of Article 6(1)(f);

Commission proposal and Council General Approach: (d) a description of categories of data subjects and of the categories of personal data relating to them;

EP Position: deleted

Commission proposal: (e) the recipients or categories of recipients of the personal data, including the controllers to whom personal data are disclosed for the legitimate interest pursued by them;

EP Position: (e) the recipients or categories of recipients of the personal data, including name and contact details of the controllers to whom personal data are disclosed for the legitimate interest pursued by them, if any;

Council General Approach: (e) the recipients or categories of recipients of to whom the personal data, including the controllers to whom personal data are have been or will be disclosed for the legitimate interest pursued by them in particular recipients in third countries;

Commission proposal: (f) where applicable, transfers of data to a third country or an international organisation, including the identification of that third country or international organisation and, in case of transfers referred to in point (h) of Article 44(1), the documentation of appropriate safeguards;

EP Position: deleted

Council General Approach: (f) where applicable, the categories of transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in case of transfers referred to in point (h) of Article 44(1), the documentation of appropriate safeguards;

Commission proposal: (g) a general indication of the time limits for erasure of the different categories of data;

EP Position: deleted

Council General Approach: (g) where possible, the envisaged a general indication of the time limits for erasure of the different categories of data;

Commission proposal: (h) the description of the mechanisms referred to in Article 22(3).

EP Position: deleted

Council General Approach: (h) where possible, a general description of the technical and organisational security measures the description of the mechanisms referred to in Article 2230(31).

2a. Each processor shall maintain a record of all categories of personal data processing activities carried out on behalf of a controller, containing:

(a) the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and of the controller's representative, if any;

(b) the name and contact details of the data protection officer, if any;

(c) the categories of processing carried out on behalf of each controller;

(d) where applicable, the categories of transfers of personal data to a third country or an international organisation;

(e) where possible, a general description of the technical and organisational security measures referred to in Article 30(1).

3a. The records referred to in paragraphs 1 and 2a shall be in writing, including in an electronic or other non-legible form which is capable of being converted into a legible form.

  • 3. 
    Commission proposal: The controller and the processor and, if any, the controller's representative, shall make the documentation available, on request, to the supervisory authority.

    EP Position: deleted

    Council General Approach: 3. On request, Tthe controller and the processor and, if any, the controller's representative, shall make the documentation record available, on request, to the supervisory authority.
  • 4. 
    Commission proposal: The obligations referred to in paragraphs 1 and 2 shall not apply to the following controllers and processors:

    EP Position: deleted

    Council General Approach: 4. The obligations referred to in paragraphs 1 and 2a shall not apply to the following controllers and processors:

Commission proposal and Council General Approach: (a) a natural person processing personal data without a commercial interest; or

EP Position: deleted

Commission proposal: (b) an enterprise or an organisation employing fewer than 250 persons that is processing personal data only as an activity ancillary to its main activities.

EP Position: deleted

Council General Approach: (b) an enterprise or an organisation employing fewer than 250 persons that is unless the processing personal data only as an activity ancillary to its main activities it carries out is likely to result in a high risk for the rights and freedoms of data subject such as discrimination, identity theft or fraud, unauthorized reversal of pseudonymisation, financial loss, damage to the reputation, loss of confidentiality of data protected by professional secrecy or any other economic or social disadvantage for the data subjects, taking into account the nature, scope, context and purposes of the processing.

  • 5. 
    Commission proposal: The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the documentation referred to in paragraph 1, to take account of in particular the responsibilities of the controller and the processor and, if any, the controller's representative.

    EP Position and Council General Approach: deleted
  • 6. 
    Commission proposal: The Commission may lay down standard forms for the documentation referred to in paragraph 1. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

    EP Position and Council General Approach: deleted

Article 29

Co-operation with the supervisory authority

Amendment 123

  • 1. 
    Commission proposal: The controller and the processor and, if any, the representative of the controller, shall co-operate, on request, with the supervisory authority in the performance of its duties, in particular by providing the information referred to in point (a) of Article 53(2) and by granting access as provided in point (b) of that paragraph.

    EP Position: 1. The controller and, if any, the processor and, if any, the representative of the controller, shall co-operate, on request, with the supervisory authority in the performance of its duties, in particular by providing the information referred to in point (a) of Article 53(2) and by granting access as provided in point (b) of that paragraph.

    Council General Approach: deleted

  • 2. 
    Commission proposal and EP Position: In response to the supervisory authority's exercise of its powers under Article 53(2), the controller and the processor shall reply to the supervisory authority within a reasonable period to be specified by the supervisory authority. The reply shall include a description of the measures taken and the results achieved, in response to the remarks of the supervisory authority.

    Council General Approach: deleted

SECTION 2
DATA SECURITY

Article 30

Security of processing

Amendment 124

  • 1. 
    Commission proposal: The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected, having regard to the state of the art and the costs of their implementation.

    EP Position: 1. The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected, taking into account the results of a data protection impact assessment pursuant to Article 33, having regard to the state of the art and the costs of their implementation.

    Council General Approach: 1. Having regard to available technology and the costs of implementation and taking into account the nature, scope, context and purposes of the processing as well as the likelihood and severity of the risk for the rights and freedoms of individuals, Tthe controller and the processor shall implement appropriate technical and organisational measures, such as pseudonymisation of personal data to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected, having regard to the state of the art and the costs of their implementation.

EP Position: 1a. Having regard to the state of the art and the cost of implementation, such a security policy shall include:

(a) the ability to ensure that the integrity of the personal data is validated;

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services processing personal data;

(c) the ability to restore the availability and access to data in a timely manner in the event of a physical or technical incident that impacts the availability, integrity and confidentiality of information systems and services;

(d) in the case of sensitive personal data processing according to Articles 8 and 9, additional security measures to ensure situational awareness of risks and the ability to take preventive, corrective and mitigating action in near real time against vulnerabilities or incidents detected that could pose a risk to the data;

(e) a process for regularly testing, assessing and evaluating the effectiveness of security policies, procedures and plans put in place to ensure ongoing effectiveness.

Council General Approach: 1a. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by data processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

  • 2. 
    Commission proposal: The controller and the processor shall, following an evaluation of the risks, take the measures referred to in paragraph 1 to protect personal data against accidental or unlawful destruction or accidental loss and to prevent any unlawful forms of processing, in particular any unauthorised disclosure, dissemination or access, or alteration of personal data.

    Council General Approach: deleted

    EP Position: 2. The controller and the processor shall, following an evaluation of the risks, take the measures referred to in paragraph 1 to protect personal data against accidental or unlawful destruction or accidental loss and to prevent any unlawful forms of processing, in particular any unauthorised disclosure, dissemination or access, or alteration of personal data. shall at least:

(a) ensure that personal data can be accessed only by authorised personnel for legally authorised purposes;

(b) protect personal data stored or transmitted against accidental or unlawful destruction, accidental loss or alteration, and unauthorised or unlawful storage, processing, access or disclosure; and

(c) ensure the implementation of a security policy with respect to the processing of personal data.

Council General Approach: 2a. Adherence to approved codes of conduct pursuant to Article 38 or an approved certification mechanism pursuant to Article 39 may be used as an element to demonstrate compliance with the requirements set out in paragraph 1.

Council General Approach: 2b. The controller and processor shall take steps to ensure that any person acting under the authority of the controller or the processor who has access to personal data shall not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.

  • 3. 
    Commission proposal: The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and conditions for the technical and organisational measures referred to in paragraphs 1 and 2, including the determinations of what constitutes the state of the art, for specific sectors and in specific data processing situations, in particular taking account of developments in technology and solutions for privacy by design and data protection by default, unless paragraph 4 applies.

    EP Position: 3. The Commission European Data Protection Board shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and conditions entrusted with the task of issuing guidelines, recommendations and best practices in accordance with point (b) of Article 66(1) for the technical and organisational measures referred to in paragraphs 1 and 2, including the determinations of what constitutes the state of the art, for specific sectors and in specific data processing situations, in particular taking account of developments in technology and solutions for privacy by design and data protection by default, unless paragraph 4 applies.

    Council General Approach: deleted

  • 4. 
    Commission proposal: The Commission may adopt, where necessary, implementing acts for specifying the requirements laid down in paragraphs 1 and 2 to various situations, in particular to:

(a) prevent any unauthorised access to personal data;

(b) prevent any unauthorised disclosure, reading, copying, modification, erasure or removal of personal data;

(c) ensure the verification of the lawfulness of processing operations.

Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

    EP Position and Council General Approach: deleted

Article 31

Notification of a personal data breach to the supervisory authority

Amendment 125

  • 1. 
    Commission proposal: In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 24 hours after having become aware of it, notify the personal data breach to the supervisory authority. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 24 hours.

    EP Position: 1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 24 hours after having become aware of it, notify the personal data breach to the supervisory authority. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 24 hours.

    Council General Approach: 1. In the case of a personal data breach which is likely to result in a high risk for the rights and freedoms of individuals, such as discrimination, identity theft or fraud, financial loss, unauthorized reversal of pseudonymisation, damage to the reputation, loss of confidentiality of data protected by professional secrecy or any other significant economic or social disadvantage, the controller shall without undue delay and, where feasible, not later than 24 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 51. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 24 72 hours.

1a. The notification referred to in paragraph 1 shall not be required if a communication to the data subject is not required under Article 32(3)(a) and (b).

  • 2. 
    Commission proposal: Pursuant to point (f) of Article 26(2), the processor shall alert and inform the controller immediately after the establishment of a personal data breach.

    EP Position: 2. Pursuant to point (f) of Article 26(2), the The processor shall alert and inform the controller immediately without undue delay after the establishment of a personal data breach.

    Council General Approach: 2. Pursuant to point (f) of Article 26(2), tThe processor shall alert notify and inform the controller immediately after the establishment without undue delay after becoming aware of a personal data breach.

  • 3. 
    The notification referred to in paragraph 1 must at least:

Commission proposal and EP Position: (a) describe the nature of the personal data breach including the categories and number of data subjects concerned and the categories and number of data records concerned;

Council General Approach: (a) describe the nature of the personal data breach including where possible and appropriate, the approximate categories and number of data subjects concerned and the categories and approximate number of data records concerned;

(b) communicate the identity and contact details of the data protection officer or other contact point where more information can be obtained;

Commission proposal and EP Position: (c) recommend measures to mitigate the possible adverse effects of the personal data breach;

Council General Approach: deleted

Commission proposal and EP Position: (d) describe the consequences of the personal data breach;

Council General Approach: (d) describe the likely consequences of the personal data breach identified by the controller;

Commission proposal: (e) describe the measures proposed or taken by the controller to address the personal data breach.

EP Position: (e) describe the measures proposed or taken by the controller to address the personal data breach and/or mitigate its effects.

Council General Approach: (e) describe the measures taken or proposed or to be taken by the controller to address the personal data breach.; and

EP Position: The information may if necessary be provided in phases.

Council General Approach: (f) where appropriate, indicate measures to mitigate the possible adverse effects of the personal data breach.

3a. Where, and in so far as, it is not possible to provide the information referred to in paragraph 3 (d), (e) and (f) at the same time as the information referred to in points (a) and (b) of paragraph 3, the controller shall provide this information without undue further delay.

  • 4. 
    Commission proposal: The controller shall document any personal data breaches, comprising the facts surrounding the breach, its effects and the remedial action taken. This documentation must enable the supervisory authority to verify compliance with this Article. The documentation shall only include the information necessary for that purpose.

    EP Position: 4. The controller shall document any personal data breaches, comprising the facts surrounding the breach, its effects and the remedial action taken. This documentation must be sufficient to enable the supervisory authority to verify compliance with this Article and with Article 30. The documentation shall only include the information necessary for that purpose.

    Council General Approach: 4. The controller shall document any personal data breaches referred to in paragraphs 1 and 2, comprising the facts surrounding the breach, its effects and the remedial action taken. This documentation must enable the supervisory authority to verify compliance with this Article. The documentation shall only include the information necessary for that purpose.

    EP Position: 4a. The supervisory authority shall keep a public register of the types of breaches notified.

  • 5. 
    Commission proposal: The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for establishing the data breach referred to in paragraphs 1 and 2 and for the particular circumstances in which a controller and a processor is required to notify the personal data breach.

    EP Position: 5. The Commission European Data Protection Board shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose entrusted with the task of further specifying the criteria and requirements issuing guidelines, recommendations and best practices in accordance with point (b) of Article 66(1) for establishing the data breach and determining the undue delay referred to in paragraphs 1 and 2 and for the particular circumstances in which a controller and a processor is are required to notify the personal data breach.

    Council General Approach: deleted

  • 6. 
    Commission proposal: The Commission may lay down the standard format of such notification to the supervisory authority, the procedures applicable to the notification requirement and the form and the modalities for the documentation referred to in paragraph 4, including the time limits for erasure of the information contained therein. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

    EP Position and Council General Approach: deleted

Article 32

Communication of a personal data breach to the data subject

Amendment 126

  • 1. 
    Commission proposal: When the personal data breach is likely to adversely affect the protection of the personal data or privacy of the data subject, the controller shall, after the notification referred to in Article 31, communicate the personal data breach to the data subject without undue delay.

    EP Position: 1. When the personal data breach is likely to adversely affect the protection of the personal data, the or privacy, the rights or the legitimate interests of the data subject, the controller shall, after the notification referred to in Article 31, communicate the personal data breach to the data subject without undue delay.

    Council General Approach: 1. When the personal data breach is likely to adversely affect the protection of the personal data or privacy of the data subject result in a high risk for the rights and freedoms of individuals, such as discrimination, identity theft or fraud, financial loss, damage to the reputation, unauthorized reversal of pseudonymisation, loss of confidentiality of data protected by professional secrecy or any other significant economic or social disadvantage, the controller shall, after the notification referred to in Article 31, communicate the personal data breach to the data subject without undue delay.

DGD 2C LIMITE EN

  • 2. 
    Commission proposal: The communication to the data subject referred to in paragraph 1 shall describe the nature of the personal data breach and contain at least the information and the recommendations provided for in points (b) and (c) of Article 31(3).

    EP Position: 2. The communication to the data subject referred to in paragraph 1 shall be comprehensive and use clear and plain language. It shall describe the nature of the personal data breach and contain at least the information and the recommendations provided for in points (b) and, (c) and (d) of Article 31(3) and information about the rights of the data subject, including redress.

    Council General Approach: 2. The communication to the data subject referred to in paragraph 1 shall describe the nature of the personal data breach and contain at least the information and the recommendations provided for in points (b), (e) and (cf) of Article 31(3).

  • 3. 
    Commission proposal: The communication of a personal data breach to the data subject shall not be required if the controller demonstrates to the satisfaction of the supervisory authority that it has implemented appropriate technological protection measures, and that those measures were applied to the data concerned by the personal data breach. Such technological protection measures shall render the data unintelligible to any person who is not authorised to access it.

    EP Position: 3. The communication of a personal data breach to the data subject shall not be required if the controller demonstrates to the satisfaction of the supervisory authority that it has implemented appropriate technological protection measures, and that those measures were applied to the data concerned by the personal data breach. Such technological protection measures shall render the data unintelligible to any person who is not authorised to access it.

    Council General Approach: 3. The communication of a personal data breach to the data subject referred to in paragraph 1 shall not be required if:

a. the controller demonstrates to the satisfaction of the supervisory authority that it has implemented appropriate technological and organisational protection measures, and that those measures were applied to the data concernedaffected by the personal data breach, in particular those that .Such technological protection measures shall render the data unintelligible to any person who is not authorised to access it, such as encryption; or

b. the controller has taken subsequent measures which ensure that the high risk for the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise; or

c. it would involve disproportionate effort, in particular owing to the number of cases involved. In such case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner; or

d. it would adversely affect a substantial public interest.

  • 4. 
    Commission proposal: Without prejudice to the controller's obligation to communicate the personal data breach to the data subject, if the controller has not already communicated the personal data breach to the data subject of the personal data breach, the supervisory authority, having considered the likely adverse effects of the breach, may require it to do so.

    EP Position: 4. Without prejudice to the controller's obligation to communicate the personal data breach to the data subject, if the controller has not already communicated the personal data breach to the data subject of the personal data breach, the supervisory authority, having considered the likely adverse effects of the breach, may require it to do so.

    Council General Approach: deleted

  • 5. 
    Commission proposal: The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements as to the circumstances in which a personal data breach is likely to adversely affect the personal data referred to in paragraph 1.

    EP Position: 5. The Commission European Data Protection Board shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose entrusted with the task of further specifying the criteria and requirements issuing guidelines, recommendations and best practices in accordance with point (b) of Article 66(1) as to the circumstances in which a personal data breach is likely to adversely affect the personal data, the privacy, the rights or the legitimate interests of the data subject referred to in paragraph 1.

    Council General Approach: deleted

  • 6. 
    Commission proposal: The Commission may lay down the format of the communication to the data subject referred to in paragraph 1 and the procedures applicable to that communication. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

    EP Position: deleted

    Council General Approach: deleted

Amendment 127

Article 32a

Respect to Risk

1. The controller, or where applicable the processor, shall carry out a risk analysis of the potential impact of the intended data processing on the rights and freedoms of the data subjects, assessing whether its processing operations are likely to present specific risks.

2. The following processing operations are likely to present specific risks:

(a) processing of personal data relating to more than 5000 data subjects during any consecutive 12-month period;

(b) processing of special categories of personal data as referred to in Article 9(1), location data or data on children or employees in large scale filing systems;

(c) profiling on which measures are based that produce legal effects concerning the individual or similarly significantly affect the individual;

(d) processing of personal data for the provision of health care, epidemiological researches, or surveys of mental or infectious diseases, where the data are processed for taking measures or decisions regarding specific individuals on a large scale;

(e) automated monitoring of publicly accessible areas on a large scale;

(f) other processing operations for which the consultation of the data protection officer or supervisory authority is required pursuant to point (b) of Article 34(2);

(g) where a personal data breach would likely adversely affect the protection of the personal data, the privacy, the rights or the legitimate interests of the data subject;

(h) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects;

(i) where personal data are made accessible to a number of persons which cannot reasonably be expected to be limited.

3. According to the result of the risk analysis:

(a) where any of the processing operations referred to in points (a) or (b) of paragraph 2 exist, controllers not established in the Union shall designate a representative in the Union in line with the requirements and exemptions laid down in Article 25;

(b) where any of the processing operations referred to in points (a), (b) or (h) of paragraph 2 exist, the controller shall designate a data protection officer in line with the requirements and exemptions laid down in Article 35;

(c) where any of the processing operations referred to in points (a), (b), (c), (d), (e), (f), (g) or (h) of paragraph 2 exist, the controller or the processor acting on the controller's behalf shall carry out a data protection impact assessment pursuant to Article 33;

(d) where processing operations referred to in point (f) of paragraph 2 exist, the controller shall consult the data protection officer, or in case a data protection officer has not been appointed, the supervisory authority pursuant to Article 34.

4. The risk analysis shall be reviewed at the latest after one year, or immediately, if the nature, the scope or the purposes of the data processing operations change significantly. Where pursuant to point (c) of paragraph 3 the controller is not obliged to carry out a data protection impact assessment, the risk analysis shall be documented.

Amendment 128

SECTION 3

Commission proposal: DATA PROTECTION IMPACT ASSESSMENT AND PRIOR AUTHORISATION

EP Position: LIFECYCLE DATA PROTECTION MANAGEMENT

Council General Approach: DATA PROTECTION IMPACT ASSESSMENT AND PRIOR AUTHORISATION

Article 33

Data protection impact assessment

  • 1. 
    Commission proposal: Where processing operations present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes, the controller or the processor acting on the controller's behalf shall carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.

    EP Position: 1. Where processing operations present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes, required pursuant to point (c) of Article 32a(3) the controller or the processor acting on the controller's behalf shall carry out an assessment of the impact of the envisaged processing operations on the rights and freedoms of the data subjects, especially their right to protection of personal data. A single assessment shall be sufficient to address a set of similar processing operations that present similar risks.

    Council General Approach: 1. Where a type of processing in particular using new technologies, and taking into account operations present specific risks to the rights and freedoms of data subjects by virtue of their the nature, their scope, context and or their purposes of the processing, is likely to result in a high risk for the rights and freedoms of individuals, such as discrimination, identity theft or fraud, financial loss, damage to the reputation, unauthorised reversal of pseudonymisation, loss of confidentiality of data protected by professional secrecy or any other significant economic or social disadvantage, the controller or the processor acting on the controller's behalf shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.

1a. The controller shall seek the advice of the data protection officer, where designated, when carrying out a data protection impact assessment.

  • 2. 
    Commission proposal: The following processing operations in particular present specific risks referred to in paragraph 1:

    EP Position: deleted

    Council General Approach: 2. The following processing operations in particular present specific risks A data protection impact assessment referred to in paragraph 1 shall in particular be required in the following cases:

Commission proposal: (a) a systematic and extensive evaluation of personal aspects relating to a natural person or for analysing or predicting in particular the natural person's economic situation, location, health, personal preferences, reliability or behaviour, which is based on automated processing and on which measures are based that produce legal effects concerning the individual or significantly affect the individual;

EP Position: deleted

Council General Approach: (a) a systematic and extensive evaluation of personal aspects relating to a natural persons or for analysing or predicting in particular the natural person's economic situation, location, health, personal preferences, reliability or behaviour, which is based on automated processing which is based on profiling and on which measures decisions are based that produce legal effects concerning the individual data subjects or significantly severely affect the individualdata subjects;

Commission proposal: (b) information on sex life, health, race and ethnic origin or for the provision of health care, epidemiological researches, or surveys of mental or infectious diseases, where the data are processed for taking measures or decisions regarding specific individuals on a large scale;

EP Position: deleted

Council General Approach: (b) information on sex life, health, race and ethnic origin or for the provision of health care, epidemiological researches, or surveys of mental or infectious diseases processing of special categories of personal data under Article 9(1), biometric data or data on criminal convictions and offences or related security measures, where the data are processed for taking measures or decisions regarding specific individuals on a large scale;

Commission proposal: (c) monitoring publicly accessible areas, especially when using optic-electronic devices (video surveillance) on a large scale;

EP Position: deleted

Council General Approach: (c) monitoring publicly accessible areas on a large scale, especially when using optic-electronic devices (video surveillance) on a large scale;

Commission proposal: (d) personal data in large scale filing systems on children, genetic data or biometric data;

EP Position: deleted

Council General Approach: deleted

Commission proposal: (e) other processing operations for which the consultation of the supervisory authority is required pursuant to point (b) of Article 34(2).

EP Position: deleted

Council General Approach: deleted

2a. The supervisory authority shall establish and make public a list of the kind of processing operations which are subject to the requirement for a data protection impact assessment pursuant to paragraph 1. The supervisory authority shall communicate those lists to the European Data Protection Board.

2b. The supervisory authority may also establish and make public a list of the kind of processing operations for which no data protection impact assessment is required. The supervisory authority shall communicate those lists to the European Data Protection Board.

2c. Prior to the adoption of the lists referred to in paragraphs 2a and 2b the competent supervisory authority shall apply the consistency mechanism referred to in Article 57 where such lists involve processing activities which are related to the offering of goods or services to data subjects or to the monitoring of their behaviour in several Member States, or may substantially affect the free movement of personal data within the Union.

  • 3. 
    Commission proposal: The assessment shall contain at least a general description of the envisaged processing operations, an assessment of the risks to the rights and freedoms of data subjects, the measures envisaged to address the risks, safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation, taking into account the rights and legitimate interests of data subjects and other persons concerned.

    Council General Approach: 3. The assessment shall contain at least a general description of the envisaged processing operations, an assessment evaluation of the risks to the rights and freedoms of data subjects referred to in paragraph 1, the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation, taking into account the rights and legitimate interests of data subjects and other persons concerned.

    EP Position: 3. The assessment shall have regard to the entire lifecycle management of personal data from collection to processing to deletion. It shall contain at least a general description of the envisaged processing operations, an assessment of the risks to the rights and freedoms of data subjects, the measures envisaged to address the risks, safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation, taking into account the rights and legitimate interests of data subjects and other persons concerned:

(a) a systematic description of the envisaged processing operations, the purposes of the processing and, if applicable, the legitimate interests pursued by the controller;

(b) an assessment of the necessity and proportionality of the processing operations in relation to the purposes;

(c) an assessment of the risks to the rights and freedoms of data subjects, including the risk of discrimination being embedded in or reinforced by the operation;

(d) a description of the measures envisaged to address the risks and minimise the volume of personal data which is processed;

(e) a list of safeguards, security measures and mechanisms to ensure the protection of personal data, such as pseudonymisation, and to demonstrate compliance with this Regulation, taking into account the rights and legitimate interests of data subjects and other persons concerned;

(f) a general indication of the time limits for erasure of the different categories of data;

(g) an explanation which data protection by design and default practices pursuant to Article 23 have been implemented;

(h) a list of the recipients or categories of recipients of the personal data;

(i) where applicable, a list of the intended transfers of data to a third country or an international organisation, including the identification of that third country or international organisation and, in case of transfers referred to in point (h) of Article 44(1), the documentation of appropriate safeguards;

(j) an assessment of the context of the data processing.

3a. If the controller or the processor has designated a data protection officer, he or she shall be involved in the impact assessment proceeding.

3b. The assessment shall be documented and lay down a schedule for regular periodic data protection compliance reviews pursuant to Article 33a(1). The assessment shall be updated without undue delay, if the results of the data protection compliance review referred to in Article 33a show compliance inconsistencies. The controller and the processor and, if any, the controller's representative shall make the assessment available, on request, to the supervisory authority.

3a. Compliance with approved codes of conduct referred to in Article 38 by the relevant controllers or processors shall be taken into due account in assessing lawfulness and impact of the processing operations performed by such controllers or processors, in particular for the purposes of a data protection impact assessment.

  • 4. 
    Commission proposal: The controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of the processing operations.

    EP Position: deleted

    Council General Approach: 4. The controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of the processing operations.
  • 5. 
    Commission proposal: Where the controller is a public authority or body and where the processing results from a legal obligation pursuant to point (c) of Article 6(1) providing for rules and procedures pertaining to the processing operations and regulated by Union law, paragraphs 1 to 4 shall not apply, unless Member States deem it necessary to carry out such assessment prior to the processing activities.

    EP Position: deleted

    Council General Approach: 5. Where the controller is a public authority or body and where the processing results from a legal obligation pursuant to point (c) or (e) of Article 6(1) providing for rules and procedures pertaining to the processing operations and regulated by has a legal basis in Union law, paragraphs 1 to 4 shall not apply, unless or the law of the Member States to which the controller is subject, and such law regulates the specific processing operation or set of operations in question, paragraphs 1 to 3 shall not apply, unless Member States deem it necessary to carry out such assessment prior to the processing activities.

  • 6. 
    Commission proposal: The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and conditions for the processing operations likely to present specific risks referred to in paragraphs 1 and 2 and the requirements for the assessment referred to in paragraph 3, including conditions for scalability, verification and auditability. In doing so, the Commission shall consider specific measures for micro, small and medium-sized enterprises.

    EP Position: deleted

    Council General Approach: deleted
  • 7. 
    Commission proposal: The Commission may specify standards and procedures for carrying out and verifying and auditing the assessment referred to in paragraph 3. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

    EP Position: deleted

    Council General Approach: deleted

Amendment 130

Article 33 a (new)

Data protection compliance review

1. At the latest two years after the carrying out of an impact assessment pursuant to Article 33(1), the controller or the processor acting on the controller's behalf shall carry out a compliance review. This compliance review shall demonstrate that the processing of personal data is performed in compliance with the data protection impact assessment.

2. The compliance review shall be carried out periodically at least once every two years, or immediately when there is a change in the specific risks presented by the processing operations.

3. Where the compliance review results show compliance inconsistencies, the compliance review shall include recommendations on how to achieve full compliance.

4. The compliance review and its recommendations shall be documented. The controller and the processor and, if any, the controller's representative shall make the compliance review available, on request, to the supervisory authority.

5. If the controller or the processor has designated a data protection officer, he or she shall be involved in the compliance review proceeding.

Article 34

Amendment 131

Commission proposal: Prior authorisation and prior consultation

EP Position: Prior consultation

Council General Approach: Prior authorisation and prior consultation

  • 1. 
    Commission proposal: The controller or the processor as the case may be shall obtain an authorisation from the supervisory authority prior to the processing of personal data, in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risks involved for the data subjects where a controller or processor adopts contractual clauses as provided for in point (d) of Article 42(2) or does not provide for the appropriate safeguards in a legally binding instrument as referred to in Article 42(5) for the transfer of personal data to a third country or an international organisation.

    EP Position: deleted

    Council General Approach: deleted

  • 2. 
    Commission proposal: The controller or processor acting on the controller's behalf shall consult the supervisory authority prior to the processing of personal data in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risks involved for the data subjects where:

    EP Position: 2. The controller or processor acting on the controller's behalf shall consult the data protection officer, or in case a data protection officer has not been appointed, the supervisory authority prior to the processing of personal data in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risks involved for the data subjects where:

    Council General Approach: 2. The controller or processor acting on the controller's behalf shall consult the supervisory authority prior to the processing of personal data where a data protection impact assessment as provided for in Article 33 indicates that the in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the would result in a high risks involved for the data subjects where:in the absence of measures to be taken by the controller to mitigate the risk.

Commission proposal: (a) a data protection impact assessment as provided for in Article 33 indicates that processing operations are by virtue of their nature, their scope or their purposes, likely to present a high degree of specific risks; or

EP Position: (a) a data protection impact assessment as provided for in Article 33 indicates that processing operations are by virtue of their nature, their scope or their purposes, likely to present a high degree of specific risks; or

Council General Approach: deleted

Commission proposal: (b) the supervisory authority deems it necessary to carry out a prior consultation on processing operations that are likely to present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope and/or their purposes, and specified according to paragraph 4.

EP Position: (b) the data protection officer or the supervisory authority deems it necessary to carry out a prior consultation on processing operations that are likely to present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope and/or their purposes, and specified according to paragraph 4.

Council General Approach: deleted

  • 3. 
    Commission proposal: Where the supervisory authority is of the opinion that the intended processing does not comply with this Regulation, in particular where risks are insufficiently identified or mitigated, it shall prohibit the intended processing and make appropriate proposals to remedy such incompliance.

    EP Position: 3. Where the competent supervisory authority is of the opinion determines in accordance with its power that the intended processing does not comply with this Regulation, in particular where risks are insufficiently identified or mitigated, it shall prohibit the intended processing and make appropriate proposals to remedy such non-compliance.

    Council General Approach: 3. Where the supervisory authority is of the opinion that the intended processing referred to in paragraph 2 would does not comply with this Regulation, in particular where the controller has risks are insufficiently identified or mitigated the risk, it shall prohibit the intended processing and make appropriate proposals to remedy such incompliance within a maximum period of 6 weeks following the request for consultation give advice to the data controller, in writing, and may use any of its powers referred to in Article 53. This period may be extended for a further six weeks, taking into account the complexity of the intended processing. Where the extended period applies, the controller or processor shall be informed within one month of receipt of the request of the reasons for the delay.

  • 4. 
    Commission proposal: The supervisory authority shall establish and make public a list of the processing operations which are subject to prior consultation pursuant to point (b) of paragraph 2. The supervisory authority shall communicate those lists to the European Data Protection Board.

    EP Position: 4. The supervisory authority European Data Protection Board shall establish and make public a list of the processing operations which are subject to prior consultation pursuant to point (b) of paragraph 2. The supervisory authority shall communicate those lists to the European Data Protection Board.

    Council General Approach: deleted

  • 5. 
    Commission proposal: Where the list provided for in paragraph 4 involves processing activities which are related to the offering of goods or services to data subjects in several Member States, or to the monitoring of their behaviour, or may substantially affect the free movement of personal data within the Union, the supervisory authority shall apply the consistency mechanism referred to in Article 57 prior to the adoption of the list.

    EP Position: deleted

    Council General Approach: deleted

  • 6. 
    Commission proposal: The controller or processor shall provide the supervisory authority with the data protection impact assessment provided for in Article 33 and, on request, with any other information to allow the supervisory authority to make an assessment of the compliance of the processing and in particular of the risks for the protection of personal data of the data subject and of the related safeguards.

    EP Position: 6. The controller or processor shall provide the supervisory authority, on request, with the data protection impact assessment provided for in pursuant to Article 33 and, on request, with any other information to allow the supervisory authority to make an assessment of the compliance of the processing and in particular of the risks for the protection of personal data of the data subject and of the related safeguards.

    Council General Approach: 6. When consulting the supervisory authority pursuant to paragraph 2, Tthe controller or processor shall provide the supervisory authority, with

(a) where applicable, the respective responsibilities of controller, joint controllers and processors involved in the processing, in particular for processing within a group of undertakings;

(b) the purposes and means of the intended processing;

(c) the measures and safeguards provided to protect the rights and freedoms of data subjects pursuant to this Regulation;

(d) where applicable, the contact details of the data protection officer;

(e) the data protection impact assessment provided for in Article 33; and

(f), on request, with any other information to allow requested by the supervisory authority to make an assessment of the compliance of the processing and in particular of the risks for the protection of personal data of the data subject and of the related safeguards.

  • 7. 
    Commission proposal: Member States shall consult the supervisory authority in the preparation of a legislative measure to be adopted by the national parliament or of a measure based on such a legislative measure, which defines the nature of the processing, in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risks involved for the data subjects.

    EP Position: 7. Member States shall consult the supervisory authority in the preparation of a legislative measure to be adopted by the national parliament or of a measure based on such a legislative measure, which defines the nature of the processing, in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risks involved for the data subjects.

    Council General Approach: 7. Member States shall consult the supervisory authority in during the preparation of a proposal for a legislative measure to be adopted by thea national parliament or of a regulatory measure based on such a legislative measure, which defines the nature of the processing, in order to ensure the compliance of the intended provide for the processing with this Regulation and in particular to mitigate the risks involved for the data subjects of personal data.

7a. Notwithstanding paragraph 2, Member States' law may require controllers to consult with, and obtain prior authorisation from, the supervisory authority in relation to the processing of personal data by a controller for the performance of a task carried out by the controller in the public interest, including the processing of such data in relation to social protection and public health.

  • 8. 
    Commission proposal: The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for determining the high degree of specific risk referred to in point (a) of paragraph 2.

    EP Position: deleted

    Council General Approach: deleted

  • 9. 
    Commission proposal: The Commission may set out standard forms and procedures for prior authorisations and consultations referred to in paragraphs 1 and 2, and standard forms and procedures for informing the supervisory authorities pursuant to paragraph 6. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

    EP Position: deleted

    Council General Approach: deleted

SECTION 4

DATA PROTECTION OFFICER

Article 35

Designation of the data protection officer

Amendment 132

  • 1. 
    Commission proposal: The controller and the processor shall designate a data protection officer in any case where:

    EP position: 1. The controller and the processor shall designate a data protection officer in any case where :

    Council general approach: 1. The controller and or the processor may, or where required by Union or Member State law shall designate a data protection officer in any case where:.

Commission proposal: (a) the processing is carried out by a public authority or body; or

EP position: (a) the processing is carried out by a public authority or body; or

Council general approach: deleted

Commission proposal: (b) the processing is carried out by an enterprise employing 250 persons or more; or

EP position: (b) the processing is carried out by an enterprise employing 250 persons or more a legal person and relates to more than 5000 data subjects in any consecutive 12-month period; or

Council general approach: deleted

Commission proposal: (c) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects.

EP position: (c) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects; or

Council general approach: deleted

(d) the core activities of the controller or the processor consist of processing special categories of data pursuant to Article 9(1), location data or data on children or employees in large scale filing systems.

  • 2. 
    Commission proposal: In the case referred to in point (b) of paragraph 1, a group of undertakings may appoint a single data protection officer.

    EP position: 2. In the case referred to in point (b) of paragraph 1, a A group of undertakings may appoint a single main responsible data protection officer, provided it is ensured that a data protection officer is easily accessible from each establishment.

    Council general approach: 2. In the case referred to in point (b) of paragraph 1, a A group of undertakings may appoint a single data protection officer.

  • 3. 
    Commission proposal: Where the controller or the processor is a public authority or body, the data protection officer may be designated for several of its entities, taking account of the organisational structure of the public authority or body.

    EP position: 3. Where the controller or the processor is a public authority or body, the data protection officer may be designated for several of its entities, taking account of the organisational structure of the public authority or body.

    Council general approach: 3. Where the controller or the processor is a public authority or body, the a single data protection officer may be designated for several of its entities such authorities or bodies, taking account of their organisational structure of the public authority or body and size.

  • 4. 
    Commission proposal: In cases other than those referred to in paragraph 1, the controller or processor or associations and other bodies representing categories of controllers or processors may designate a data protection officer.

    EP position: 4. In cases other than those referred to in paragraph 1, the controller or processor or associations and other bodies representing categories of controllers or processors may designate a data protection officer.

    Council general approach: deleted
  • 5. 
    Commission proposal: The controller or processor shall designate the data protection officer on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and ability to fulfil the tasks referred to in Article 37. The necessary level of expert knowledge shall be determined in particular according to the data processing carried out and the protection required for the personal data processed by the controller or the processor.

    EP position: 5. The controller or processor shall designate the data protection officer on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and ability to fulfil the tasks referred to in Article 37. The necessary level of expert knowledge shall be determined in particular according to the data processing carried out and the protection required for the personal data processed by the controller or the processor.

    Council general approach: 5. The controller or processor shall designate the data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and ability to fulfil the tasks referred to in Article 37, particularly the absence of any conflict of interests. The necessary level of expert knowledge shall be determined in particular according to the data processing carried out and the protection required for the personal data processed by the controller or the processor.

  • 6. 
    Commission proposal: The controller or the processor shall ensure that any other professional duties of the data protection officer are compatible with the person's tasks and duties as data protection officer and do not result in a conflict of interests.

    EP position: 6. The controller or the processor shall ensure that any other professional duties of the data protection officer are compatible with the person's tasks and duties as data protection officer and do not result in a conflict of interests.

    Council general approach: deleted
  • 7. 
    Commission proposal: The controller or the processor shall designate a data protection officer for a period of at least two years. The data protection officer may be reappointed for further terms. During their term of office, the data protection officer may only be dismissed, if the data protection officer no longer fulfils the conditions required for the performance of their duties.

    EP position: 7. The controller or the processor shall designate a data protection officer for a period of at least two four years in case of an employee or two years in case of an external service contractor. The data protection officer may be reappointed for further terms. During their his or her term of office, the data protection officer may only be dismissed, if the data protection officer he or she no longer fulfils the conditions required for the performance of their his or her duties.

    Council general approach: 7. The controller or the processor shall designate a During their term of office, the data protection officer for a period of at least two years. The data protection officer may, apart from serious grounds under the law of the Member State concerned which justify the dismissal of an employee or civil servant, be reappointed for further terms. During their term of office, the data protection officer may only be dismissed, only if the data protection officer no longer fulfils the conditions required for the performance of their duties his or her tasks pursuant to Article 37.

  • 8. 
    Commission proposal: The data protection officer may be employed by the controller or processor, or fulfil his or her tasks on the basis of a service contract.

    EP position: 8. The data protection officer may be employed by the controller or processor, or fulfil his or her tasks on the basis of a service contract.

    Council general approach: 8. The data protection officer may be employed by a staff member of the controller or processor, or fulfil his or her the tasks on the basis of a service contract.

  • 9. 
    Commission proposal: The controller or the processor shall communicate the name and contact details of the data protection officer to the supervisory authority and to the public.

    EP position: 9. The controller or the processor shall communicate the name and contact details of the data protection officer to the supervisory authority and to the public.

    Council general approach: 9. The controller or the processor shall communicate publish the name and contact details of the data protection officer and communicate these to the supervisory authority and to the public.

  • 10. 
    Commission proposal: Data subjects shall have the right to contact the data protection officer on all issues related to the processing of the data subject’s data and to request exercising the rights under this Regulation.

    EP position: 10. Data subjects shall have the right to contact the data protection officer on all issues related to the processing of the data subject’s data and to request exercising the rights under this Regulation.

    Council general approach: 10. Data subjects shall have the right to may contact the data protection officer on all issues related to the processing of the data subject’s data and to request exercising the the exercise of their rights under this Regulation.

  • 11. 
    Commission proposal: The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the core activities of the controller or the processor referred to in point (c) of paragraph 1 and the criteria for the professional qualities of the data protection officer referred to in paragraph 5.

    EP position: deleted

    Council general approach: deleted

Article 36

Position of the data protection officer

Amendment 133

  • 1. 
    Commission proposal: The controller or the processor shall ensure that the data protection officer is properly and in a timely manner involved in all issues which relate to the protection of personal data.

    EP position: 1. The controller or the processor shall ensure that the data protection officer is properly and in a timely manner involved in all issues which relate to the protection of personal data.

    Council general approach: 1. The controller or the processor shall ensure that the data protection officer is properly and in a timely manner involved in all issues which relate to the protection of personal data.
  • 2. 
    Commission proposal: The controller or processor shall ensure that the data protection officer performs the duties and tasks independently and does not receive any instructions as regards the exercise of the function. The data protection officer shall directly report to the management of the controller or the processor.

    EP position: 2. The controller or processor shall ensure that the data protection officer performs the duties and tasks independently and does not receive any instructions as regards the exercise of the function. The data protection officer shall directly report to the executive management of the controller or the processor. The controller or processor shall for this purpose designate an executive management member who shall be responsible for the compliance with the provisions of this Regulation.

    Council general approach: 2. The controller or processor shall ensure that support the data protection officer in performsing the duties and tasks referred to in Article 37 by providing resources necessary to carry out these tasks as well as access to personal data and processing operationsindependently and does not receive any instructions as regards the exercise of the function. The data protection officer shall directly report to the management of the controller or the processor.

  • 3. 
    Commission proposal: The controller or the processor shall support the data protection officer in performing the tasks and shall provide staff, premises, equipment and any other resources necessary to carry out the duties and tasks referred to in Article 37.

    EP position: 3. The controller or the processor shall support the data protection officer in performing the tasks and shall provide all means, including staff, premises, equipment and any other resources necessary to carry out the duties and tasks referred to in Article 37, and to maintain his or her professional knowledge.

    Council general approach: 3. The controller or the processor shall support ensure that the data protection officer can act in an independent manner with respect to the performingance of his or her the tasks and shall provide staff, premises, equipment and any other resources necessary to carry out the duties and does not receive any instructions regarding the exercise of these tasks referred to in Article 37. He or she shall not be penalised by the controller or the processor for performing his tasks. The data protection officer shall directly report to the highest management level of the controller or the processor.

    4. Data protection officers shall be bound by secrecy concerning the identity of data subjects and concerning circumstances enabling data subjects to be identified, unless they are released from that obligation by the data subject.

4. The data protection officer may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests.

Article 37

Tasks of the data protection officer

Amendment 134

  • 1. 
    Commission proposal: The controller or the processor shall entrust the data protection officer at least with the following tasks:

    EP position: 1. The controller or the processor shall entrust the data protection officer at least with the following tasks:

    Council general approach: 1. The controller or the processor shall entrust the data protection officer at least with shall have the following tasks:

Commission proposal: (a) to inform and advise the controller or the processor of their obligations pursuant to this Regulation and to document this activity and the responses received;

EP position: (a) to raise awareness, to inform and advise the controller or the processor of their obligations pursuant to this Regulation, in particular with regard to technical and organisational measures and procedures, and to document this activity and the responses received;

Council general approach: (a) to inform and advise the controller or the processor and the employees who are processing personal data of their obligations pursuant to this Regulation and to document this activity and the responses received other Union or Member State data protection provisions;

Commission proposal: (b) to monitor the implementation and application of the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, the training of staff involved in the processing operations, and the related audits;

EP position: (b) to monitor the implementation and application of the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, the training of staff involved in the processing operations, and the related audits;

Council general approach: (b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the implementation and application of the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and the training of staff involved in the processing operations, and the related audits;

Commission proposal: (c) to monitor the implementation and application of this Regulation, in particular as to the requirements related to data protection by design, data protection by default and data security and to the information of data subjects and their requests in exercising their rights under this Regulation;

EP position: (c) to monitor the implementation and application of this Regulation, in particular as to the requirements related to data protection by design, data protection by default and data security and to the information of data subjects and their requests in exercising their rights under this Regulation;

Council general approach: deleted

Commission proposal: (d) to ensure that the documentation referred to in Article 28 is maintained;

EP position: (d) to ensure that the documentation referred to in Article 28 is maintained;

Council general approach: deleted

Commission proposal: (e) to monitor the documentation, notification and communication of personal data breaches pursuant to Articles 31 and 32;

EP position: (e) to monitor the documentation, notification and communication of personal data breaches pursuant to Articles 31 and 32;

Council general approach: deleted

Commission proposal: (f) to monitor the performance of the data protection impact assessment by the controller or processor and the application for prior authorisation or prior consultation, if required pursuant Articles 33 and 34;

EP position: (f) to monitor the performance of the data protection impact assessment by the controller or processor and the application for prior authorisation or prior consultation, if required pursuant to Articles 32a, 33 and 34;

Council general approach: (f) to monitor the performance of provide advice where requested as regards the data protection impact assessment by the controller or processor and the application for prior authorisation or prior consultation, if required monitor its performance pursuant Articles 33 and 34;

Commission proposal: (g) to monitor the response to requests from the supervisory authority, and, within the sphere of the data protection officer's competence, co-operating with the supervisory authority at the latter's request or on the data protection officer’s own initiative;

EP position: (g) to monitor the response to requests from the supervisory authority, and, within the sphere of the data protection officer's competence, co-operating with the supervisory authority at the latter's request or on the data protection officer’s own initiative;

Council general approach: (g) to monitor the responses to requests from the supervisory authority, and, within the sphere of the data protection officer's competence, to co-operatingoperate with the supervisory authority at the latter's request or on the data protection officer’s own initiative;

Commission proposal: (h) to act as the contact point for the supervisory authority on issues related to the processing and consult with the supervisory authority, if appropriate, on his/her own initiative.

EP position: (h) to act as the contact point for the supervisory authority on issues related to the processing and consult with the supervisory authority, if appropriate, on his/her own initiative.

Council general approach: (h) to act as the contact point for the supervisory authority on issues related to the processing of personal data, including the prior and consultation referred to in Article 34, and consult, as with the supervisory authority, if appropriate, on his/her own initiative any other matter.

(i) to verify the compliance with this Regulation under the prior consultation mechanism laid out in Article 34;

(j) to inform the employee representatives on data processing of the employees.

  • 2. 
    Commission proposal: The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for tasks, certification, status, powers and resources of the data protection officer referred to in paragraph 1.

    EP position: deleted

    Council general approach: deleted

    2a. The data protection officer shall in the performance his or her tasks have due regard to the risk associated with the processing operations, taking into account the nature, scope, context and purposes of the processing.

SECTION 5

CODES OF CONDUCT AND CERTIFICATION

Article 38

Codes of conduct

Amendment 135

  • 1. 
    Commission proposal: The Member States, the supervisory authorities and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking account of the specific features of the various data processing sectors, in particular in relation to:

    EP position: 1. The Member States, the supervisory authorities and the Commission shall encourage the drawing up of codes of conduct or the adoption of codes of conduct drawn up by a supervisory authority intended to contribute to the proper application of this Regulation, taking account of the specific features of the various data processing sectors, in particular in relation to:

    Council general approach: 1. The Member States, the supervisory authorities, the European Data Protection Board and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking account of the specific features of the various data processing sectors, in particular in relation to: and the specific needs of micro, small and medium-sized enterprises.

    1a. Associations and other bodies representing categories of controllers or processors may prepare codes of conduct, or amend or extend such codes, for the purpose of specifying the application of provisions of this Regulation, such as:

Commission proposal: (a) fair and transparent data processing;

EP position: (a) fair and transparent data processing;

Council general approach: (a) fair and transparent data processing;

(aa) respect for consumer rights;

(aa) the legitimate interests pursued by controllers in specific contexts;

Commission proposal: (b) the collection of data;

EP position: (b) the collection of data;

Council general approach: (b) the collection of data;

(bb) the pseudonymisation of personal data;

Commission proposal: (c) the information of the public and of data subjects;

EP position: (c) the information of the public and of data subjects;

Council general approach: (c) the information of the public and of data subjects;

Commission proposal: (d) requests of data subjects in exercise of their rights;

EP position: (d) requests of data subjects in exercise of their rights;

Council general approach: (d) requests of data subjects inthe exercise of their rights of data subjects;

Commission proposal: (e) information and protection of children;

EP position: (e) information and protection of children;

Council general approach: (e) information and protection of children and the way to collect the parent’s and guardian’s consent;

(ee) measures and procedures referred to in Articles 22 and 23 and measures to ensure security of processing referred to in Article 30;

(ef) notification of personal data breaches to supervisory authorities and communication of such breaches to data subjects;

Commission proposal: (f) transfer of data to third countries or international organisations;

EP position: (f) transfer of data to third countries or international organisations;

Council general approach: deleted

Commission proposal: (g) mechanisms for monitoring and ensuring compliance with the code by the controllers adherent to it;

EP position: (g) mechanisms for monitoring and ensuring compliance with the code by the controllers adherent to it;

Council general approach: deleted

Commission proposal: (h) out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects with respect to the processing of personal data, without prejudice to the rights of the data subjects pursuant to Articles 73 and 75.

EP position: (h) out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects with respect to the processing of personal data, without prejudice to the rights of the data subjects pursuant to Articles 73 and 75.

Council general approach: deleted

1ab. In addition to adherence by controller or processor subject to the regulation, codes of conduct approved pursuant to paragraph 2 may also be adhered to by controllers or processors that are not subject to this Regulation according to Article 3 in order to provide appropriate safeguards within the framework of personal data transfers to third countries or international organisations under the terms referred to in Article 42(2)(d). Such controllers or processors shall make binding and enforceable commitments, via contractual instruments or otherwise, to apply those appropriate safeguards including as regards data subjects’ rights.

1b. Such a code of conduct shall contain mechanisms which enable the body referred to in paragraph 1 of article 38a to carry out the mandatory monitoring of compliance with its provisions by the controllers or processors which undertake to apply it, without prejudice to the tasks and powers of the supervisory authority which is competent pursuant to Article 51 or 51a.

  • 2. 
    Commission proposal: Associations and other bodies representing categories of controllers or processors in one Member State which intend to draw up codes of conduct or to amend or extend existing codes of conduct may submit them to an opinion of the supervisory authority in that Member State. The supervisory authority may give an opinion whether the draft code of conduct or the amendment is in compliance with this Regulation. The supervisory authority shall seek the views of data subjects or their representatives on these drafts.

    EP position: 2. Associations and other bodies representing categories of controllers or processors in one Member State which intend to draw up codes of conduct or to amend or extend existing codes of conduct may submit them to an opinion of the supervisory authority in that Member State. The supervisory authority may shall without undue delay give an opinion on whether the processing under the draft code of conduct or the amendment is in compliance with this Regulation. The supervisory authority shall seek the views of data subjects or their representatives on these drafts.

    Council general approach: 2. Associations and other bodies referred to in paragraph 1a representing categories of controllers or processors in one Member State which intend to draw up prepare a codes of conduct or to amend or extend an existing codes, of conduct may shall submit them to an opinion of draft code to the supervisory authority in that Member State which is competent pursuant to Article 51. The supervisory authority may shall give an opinion on whether the draft code, or amended or extended code of conduct or the amendment is in compliance with this Regulation and shall approve such draft, amended or extended code if it finds that it provides sufficient appropriate safeguards. The supervisory authority shall seek the views of data subjects or their representatives on these drafts.

2a. Where the opinion referred to in paragraph 2 confirms that the code of conduct, or amended or extended code, is in compliance with this Regulation and the code is approved, and if the code of conduct does not relate to processing activities in several Member States, the supervisory authority shall register the code and publish the details thereof.

2b. Where the draft code of conduct relates to processing activities in several Member States, the supervisory authority competent pursuant to Article 51 shall, before approval, submit it in the procedure referred to in Article 57 to the European Data Protection Board which shall give an opinion on whether the draft code, or amended or extended code, is in compliance with this Regulation or, in the situation referred to in paragraph 1ab, provides appropriate safeguards.

  • 3. 
    Commission proposal: Associations and other bodies representing categories of controllers in several Member States may submit draft codes of conduct and amendments or extensions to existing codes of conduct to the Commission.

    EP position: 3. Associations and other bodies representing categories of controllers or processors in several Member States may submit draft codes of conduct and amendments or extensions to existing codes of conduct to the Commission.

    Council general approach: 3. Associations and other bodies representing categories of controllers in several Member States may submit draft Where the opinion referred to in paragraph 2b confirms that the codes of conduct, and or amendmentsed or extensionsded to existing codes, of conduct to the Commission is in compliance with this Regulation, or, in the situation referred to in paragraph 1ab, provides appropriate safeguards, the European Data Protection Board shall submit its opinion to the Commission.

  • 4. 
    Commission proposal: The Commission may adopt implementing acts for deciding that the codes of conduct and amendments or extensions to existing codes of conduct submitted to it pursuant to paragraph 3 have general validity within the Union. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2).

    EP position: 4. The Commission may adopt implementing acts shall be empowered to adopt, after requesting an opinion of the European Data Protection Board, delegated acts in accordance with Article 86 for deciding that the codes of conduct and amendments or extensions to existing codes of conduct submitted to it pursuant to paragraph 3 are in line with this Regulation and have general validity within the Union. Those implementing acts delegated acts shall be adopted in accordance with the examination procedure set out in Article 87(2) confer enforceable rights on data subjects.

    Council general approach: 4. The Commission may adopt implementing acts for deciding that the approved codes of conduct and amendments or extensions to existing approved codes of conduct submitted to it pursuant to paragraph 3 have general validity within the Union. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2).

  • 5. 
    Commission proposal: The Commission shall ensure appropriate publicity for the codes which have been decided as having general validity in accordance with paragraph 4.

    EP position: 5. The Commission shall ensure appropriate publicity for the codes which have been decided as having general validity in accordance with paragraph 4.

    Council general approach: 5. The Commission shall ensure appropriate publicity for the approved codes which have been decided as having general validity in accordance with paragraph 4.

    5a. The European Data Protection Board shall collect all approved codes of conduct and amendments thereto in a register and shall make them publicly available through any appropriate means, such as through the European E-Justice Portal.

Article 38a

Monitoring of approved codes of conduct

1. Without prejudice to the tasks and powers of the competent supervisory authority under Articles 52 and 53, the monitoring of compliance with a code of conduct pursuant to Article 38 (1b), may be carried out by a body which has an appropriate level of expertise in relation to the subject-matter of the code and is accredited for this purpose by the competent supervisory authority.

2. A body referred to in paragraph 1 may be accredited for this purpose if:

(a) it has demonstrated its independence and expertise in relation to the subject-matter of the code to the satisfaction of the competent supervisory authority;

(b) it has established procedures which allow it to assess the eligibility of controllers and processors concerned to apply the code, to monitor their compliance with its provisions and to periodically review its operation;

(c) it has established procedures and structures to deal with complaints about infringements of the code or the manner in which the code has been, or is being, implemented by a controller or processor, and to make these procedures and structures transparent to data subjects and the public;

(d) it demonstrates to the satisfaction of the competent supervisory authority that its tasks and duties do not result in a conflict of interests.

3. The competent supervisory authority shall submit the draft criteria for accreditation of a body referred to in paragraph 1 to the European Data Protection Board pursuant to the consistency mechanism referred to in Article 57.

4. Without prejudice to the provisions of Chapter VIII, a body referred to in paragraph 1 may, subject to adequate safeguards, take appropriate action in cases of infringement of the code by a controller or processor, including suspension or exclusion of the controller or processor concerned from the code. It shall inform the competent supervisory authority of such actions and the reasons for taking them.

5. The competent supervisory authority shall revoke the accreditation of a body referred to in paragraph 1 if the conditions for accreditation are not, or no longer, met or actions taken by the body are not in compliance with this Regulation.

6. This article shall not apply to the processing of personal data carried out by public authorities and bodies.

Article 39

Certification

Amendment 136

  • 1. 
    Commission proposal: The Member States and the Commission shall encourage, in particular at European level, the establishment of data protection certification mechanisms and of data protection seals and marks, allowing data subjects to quickly assess the level of data protection provided by controllers and processors. The data protection certifications mechanisms shall contribute to the proper application of this Regulation, taking account of the specific features of the various sectors and different processing operations.

    EP position: deleted

    Council general approach: 1. The Member States, the European Data Protection Board and the Commission shall encourage, in particular at European Union level, the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with this Regulation of processing operations carried out allowing data subjects to quickly assess the level of data protection provided by controllers and processors. The data protection certifications mechanisms shall contribute to the proper application of this Regulation, taking account of the specific features of the various sectors and different processing operationsneeds of micro, small and medium-sized enterprises shall be taken into account.

1a. In addition to adherence by controllers or processors subject to this Regulation, data protection certification mechanisms, seals or marks approved pursuant to paragraph 2a may also be established for the purpose of demonstrating the existence of appropriate safeguards provided by controllers or processors that are not subject to this Regulation according to Article 3 within the framework of personal data transfers to third countries or international organisations under the terms referred to in Article 42(2)(e). Such controllers or processors shall make binding and enforceable commitments, via contractual instruments or otherwise, to apply those appropriate safeguards, including as regards data subjects’ rights.

1a. Any controller or processor may request any supervisory authority in the Union, for a reasonable fee taking into account the administrative costs, to certify that the processing of personal data is performed in compliance with this Regulation, in particular with the principles set out in Article 5, 23 and 30, the obligations of the controller and the processor, and the data subject’s rights.

1b. The certification shall be voluntary, affordable, and available via a process that is transparent and not unduly burdensome.

1c. The supervisory authorities and the European Data Protection Board shall cooperate under the consistency mechanism pursuant to Article 57 to guarantee a harmonised data protection certification mechanism including harmonised fees within the Union.

1d. During the certification procedure, the supervisory authorities may accredit specialised third party auditors to carry out the auditing of the controller or the processor on their behalf. Third party auditors shall have sufficiently qualified staff, be impartial and free from any conflict of interests regarding their duties. Supervisory authorities shall revoke accreditation, if there are reasons to believe that the auditor does not fulfil its duties correctly. The final certification shall be provided by the supervisory authority.

1e. Supervisory authorities shall grant controllers and processors, who pursuant to the auditing have been certified that they process personal data in compliance with this Regulation, the standardised data protection mark named "European Data Protection Seal".

1f. The "European Data Protection Seal" shall be valid for as long as the data processing operations of the certified controller or processor continue to fully comply with this Regulation.

1g. Notwithstanding paragraph 1f, the certification shall be valid for maximum five years.

1h. The European Data Protection Board shall establish a public electronic register in which all valid and invalid certificates which have been issued in the Member States can be viewed by the public.

1i. The European Data Protection Board may on its own initiative certify that a data protection-enhancing technical standard is compliant with this Regulation.

Commission proposal: 2. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the data protection certification mechanisms referred to in paragraph 1, including conditions for granting and withdrawal, and requirements for recognition within the Union and in third countries.

EP Position: 2. The Commission shall be empowered to adopt, after requesting an opinion of the European Data Protection Board and consulting with stakeholders, in particular industry and non-governmental organisations, delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the data protection certification mechanisms referred to in paragraph 1 paragraphs 1a to 1h, including requirements for accreditation of auditors, conditions for granting and withdrawal, and requirements for recognition within the Union and in third countries. Those delegated acts shall confer enforceable rights on data subjects.

Council General Approach: [Moved and modified under Article 39a point 7]

2. A certification pursuant to this Article does not reduce the responsibility of the controller or the processor for compliance with this Regulation and is without prejudice to the tasks and powers of the supervisory authority which is competent pursuant to Article 51 or 51a.

2a. A certification pursuant to this Article shall be issued by the certification bodies referred to in Article 39a, or where applicable, by the competent supervisory authority on the basis of the criteria approved by the competent supervisory authority or, pursuant to Article 57, the European Data Protection Board.

Commission proposal: 3. The Commission may lay down technical standards for certification mechanisms and data protection seals and marks and mechanisms to promote and recognize certification mechanisms and data protection seals and marks. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2).

EP Position: deleted

Council General Approach: [Moved under 39a point 8.]

    3. The controller or processor which submits its processing to the certification mechanism shall provide the certification body referred to in Article 39a, or where applicable, the competent supervisory authority, with all information and access to its processing activities which are necessary to conduct the certification procedure.

    4. The certification shall be issued to a controller or processor for a maximum period of 3 years and may be renewed under the same conditions as long as the relevant requirements continue to be met. It shall be withdrawn by the certification bodies referred to in Article 39a, or where applicable, by the competent supervisory authority where the requirements for the certification are not or no longer met.

5. The European Data Protection Board shall collect all certification mechanisms and data protection seals in a register and shall make them publicly available through any appropriate means, such as through the European E-Justice Portal.

Article 39a

Certification body and procedure

1. Without prejudice to the tasks and powers of the competent supervisory authority under Articles 52 and 53, the certification shall be issued and renewed by a certification body which has an appropriate level of expertise in relation to data protection. Each Member State shall provide whether these certification bodies are accredited by:

(a) the supervisory authority which is competent according to Article 51 or 51a; and/or

(b) the National Accreditation Body named in accordance with Regulation (EC) 765/2008 of the European Parliament and the Council of 9 July 2008 setting out the requirements for accreditation and market surveillance relating to the marketing of products in compliance with EN-ISO/IEC 17065/2012 and with the additional requirements established by the supervisory authority which is competent according to Article 51 or 51a.

2. The certification body referred to in paragraph 1 may be accredited for this purpose only if:

(a) it has demonstrated its independence and expertise in relation to the subject-matter of the certification to the satisfaction of the competent supervisory authority;

(aa) it has undertaken to respect the criteria referred to in paragraph 2a of Article 39 and approved by the supervisory authority which is competent according to Article 51 or 51a or, pursuant to Article 57, the European Data Protection Board;

(b) it has established procedures for the issue, periodic review and withdrawal of data protection seals and marks;

(c) it has established procedures and structures to deal with complaints about infringements of the certification or the manner in which the certification has been, or is being, implemented by the controller or processor, and to make these procedures and structures transparent to data subjects and the public;

(d) it demonstrates to the satisfaction of the competent supervisory authority that its tasks and duties do not result in a conflict of interests.

3. The accreditation of the certification bodies referred to in paragraph 1 shall take place on the basis of criteria approved by the supervisory authority which is competent according to Article 51 or 51a or, pursuant to Article 57, the European Data Protection Board. In case of an accreditation pursuant to point (b) of paragraph 1, these requirements complement those envisaged in Regulation 765/2008 and the technical rules that describe the methods and procedures of the certification bodies.

4. The certification body referred to in paragraph 1 shall be responsible for the proper assessment leading to the certification or the withdrawal of such certification without prejudice to the responsibility of the controller or processor for compliance with this Regulation. The accreditation is issued for a maximum period of five years and can be renewed in the same conditions as long as the body meets the requirements.

5. The certification body referred to in paragraph 1 shall provide the competent supervisory authority with the reasons for granting or withdrawing the requested certification.

6. The requirements referred to in paragraph 3 and the criteria referred to in paragraph 2a of Article 39 shall be made public by the supervisory authority in an easily accessible form. The supervisory authorities shall also transmit these to the European Data Protection Board.

The European Data Protection Board shall collect all certification mechanisms and data protection seals in a register and shall make them publicly available through any appropriate means, such as through the European E-Justice Portal.

6a. Without prejudice to the provisions of Chapter VIII, the competent supervisory authority or the National Accreditation Body shall revoke the accreditation it granted to a certification body referred to in paragraph 1 if the conditions for accreditation are not, or no longer, met or actions taken by the body are not in compliance with this Regulation.

7. The Commission shall be empowered to adopt delegated acts in accordance with Article 86, for the purpose of specifying the criteria and requirements to be taken into account for the data protection certification mechanisms referred to in paragraph 1 including conditions for granting and withdrawal, and requirements for recognition within the Union and in third countries.

7a. The European Data Protection Board shall give an opinion to the Commission on the criteria and requirements referred to in paragraph 7.

Commission proposal: 3. The Commission may lay down technical standards for certification mechanisms and data protection seals and marks and mechanisms to promote and recognize certification mechanisms and data protection seals and marks. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2).

EP Position: deleted

Council General Approach: 8. The Commission may lay down technical standards for certification mechanisms and data protection seals and marks and mechanisms to promote and recognize certification mechanisms and data protection seals and marks. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2).

CHAPTER V CHAPTER V CHAPTER V

TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANISATIONS TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANISATIONS TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANISATIONS

Article 40 Article 40 Article 40

General principle for transfers General principle for transfers General principle for transfers

Commission proposal and EP Position: Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation may only take place if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation.

Council General Approach: deleted

Article 41 Article 41 Article 41

Transfers with an adequacy decision Transfers with an adequacy decision Transfers with an adequacy decision

Amendment 137

Commission proposal: 1. A transfer may take place where the Commission has decided that the third country, or a territory or a processing sector within that third country, or the international organisation in question ensures an adequate level of protection. Such transfer shall not require any further authorisation.

EP Position: 1. A transfer may take place where the Commission has decided that the third country, or a territory or a processing sector within that third country, or the international organisation in question ensures an adequate level of protection. Such transfer shall not require any further specific authorisation.

Council General Approach: 1. A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, or a territory or one or more specified a processing sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such transfer shall not require any further specific authorisation.

Commission proposal and EP Position: 2. When assessing the adequacy of the level of protection, the Commission shall give consideration to the following elements:

Council General Approach: 2. When assessing the adequacy of the level of protection, the Commission shall, in particular, take account of give consideration to the following elements:

Commission proposal: (a) the rule of law, relevant legislation in force, both general and sectoral, including concerning public security, defence, national security and criminal law, the professional rules and security measures which are complied with in that country or by that international organisation, as well as effective and enforceable rights including effective administrative and judicial redress for data subjects, in particular for those data subjects residing in the Union whose personal data are being transferred;

EP Position: (a) the rule of law, relevant legislation in force, both general and sectoral, including concerning public security, defence, national security and criminal law as well as the implementation of this legislation, the professional rules and security measures which are complied with in that country or by that international organisation, jurisprudential precedents, as well as effective and enforceable rights including effective administrative and judicial redress for data subjects, in particular for those data subjects residing in the Union whose personal data are being transferred;

Council General Approach: (a) the rule of law, respect for human rights and fundamental freedoms, relevant legislation in force, both general and sectoral, data protection including concerning public security, defence, national security and criminal law, the professional rules and security measures, including rules for onward transfer of personal data to another third country or international organisation, which are complied with in that country or by that international organisation, as well as the existences of effective and enforceable data subject rights including and effective administrative and judicial redress for data subjects, in particular for those data subjects residing in the Union whose personal data are being transferred;

Commission proposal: (b) the existence and effective functioning of one or more independent supervisory authorities in the third country or international organisation in question responsible for ensuring compliance with the data protection rules, for assisting and advising the data subjects in exercising their rights and for co-operation with the supervisory authorities of the Union and of Member States; and

EP Position: (b) the existence and effective functioning of one or more independent supervisory authorities in the third country or international organisation in question responsible for ensuring compliance with the data protection rules, including sufficient sanctioning powers, for assisting and advising the data subjects in exercising their rights and for co-operation with the supervisory authorities of the Union and of Member States; and

Council General Approach: (b) the existence and effective functioning of one or more independent supervisory authorities in the third country or to which an international organisation in question is subject, with responsibility for ensuring and enforcing compliance with the data protection rules including adequate sanctioning powers for assisting and advising the data subjects in exercising their rights and for co-operation with the supervisory authorities of the Union and of Member States; and

Commission proposal: (c) the international commitments the third country or international organisation in question has entered into.

EP Position: (c) the international commitments the third country or international organisation in question has entered into, in particular any legally binding conventions or instruments with respect to the protection of personal data.

Council General Approach: (c) the international commitments the third country or international organisation in question concerned has entered into or other obligations arising from its participation in multilateral or regional systems, in particular in relation to the protection of personal data.

2a. The European Data Protection Board shall give the Commission an opinion for the assessment of the adequacy of the level of protection in a third country or international organization, including for the assessment whether a third country or the territory or the international organization or the specified sector no longer ensures an adequate level of protection.

Commission proposal: 3. The Commission may decide that a third country, or a territory or a processing sector within that third country, or an international organisation ensures an adequate level of protection within the meaning of paragraph 2. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

EP Position: 3. The Commission may shall be empowered to adopt delegated acts in accordance with Article 86 to decide that a third country, or a territory or a processing sector within that third country, or an international organisation ensures an adequate level of protection within the meaning of paragraph 2. Those implementing acts Such delegated acts shall be adopted in accordance with the examination procedure referred to in Article 87(2) provide for a sunset clause if they concern a processing sector and shall be revoked according to paragraph 5 as soon as an adequate level of protection according to this Regulation is no longer ensured.

Council General Approach: 3. The Commission, after assessing the adequacy of the level of protection, may decide that a third country, or a territory or one or more specified a processing sectors within that third country, or an international organisation ensures an adequate level of protection within the meaning of paragraph 2. Those implementing acts shall specify its territorial and sectoral application and, where applicable, identify the (independent) supervisory authority(ies) mentioned in point (b) of paragraph 2. The implementing act shall be adopted in accordance with the examination procedure referred to in Article 87(2).

    3a. Decisions adopted by the Commission on the basis of Article 25(6) or Article 26(4) of Directive 95/46/EC shall remain in force until amended, replaced or repealed by a Commission Decision adopted in accordance with paragraph 3 or 5.

Commission proposal: 4. The implementing act shall specify its geographical and sectoral application, and, where applicable, identify the supervisory authority mentioned in point (b) of paragraph 2.

EP Position: 4. The implementing delegated act shall specify its geographical territorial and sectoral application, and, where applicable, identify the supervisory authority mentioned in point (b) of paragraph 2.

Council General Approach: deleted

    4a. The Commission shall, on an on-going basis, monitor developments in third countries and international organisations that could affect the elements listed in paragraph 2 where a delegated act pursuant to paragraph 3 has been adopted.

    4a. The Commission shall monitor the functioning of decisions adopted pursuant to paragraph 3 and decisions adopted on the basis of Article 25(6) or Article 26(4) of Directive 95/46/EC.

Commission proposal: 5. The Commission may decide that a third country, or a territory or a processing sector within that third country, or an international organisation does not ensure an adequate level of protection within the meaning of paragraph 2 of this Article, in particular in cases where the relevant legislation, both general and sectoral, in force in the third country or international organisation, does not guarantee effective and enforceable rights including effective administrative and judicial redress for data subjects, in particular for those data subjects residing in the Union whose personal data are being transferred. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2), or, in cases of extreme urgency for individuals with respect to their right to personal data protection, in accordance with the procedure referred to in Article 87(3).

EP Position: 5. The Commission may shall be empowered to adopt delegated acts in accordance with Article 86 to decide that a third country, or a territory or a processing sector within that third country, or an international organisation does not ensure or no longer ensures an adequate level of protection within the meaning of paragraph 2 of this Article, in particular in cases where the relevant legislation, both general and sectoral, in force in the third country or international organisation, does not guarantee effective and enforceable rights including effective administrative and judicial redress for data subjects, in particular for those data subjects residing in the Union whose personal data are being transferred. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2), or, in cases of extreme urgency for individuals with respect to their right to personal data protection, in accordance with the procedure referred to in Article 87(3).

Council General Approach: 5. The Commission may decide that a third country, or a territory or a processing specified sector within that third country, or an international organisation does not no longer ensures an adequate level of protection within the meaning of paragraph 2 and may, where necessary, repeal, amend or suspend such decision without retro-active effect of this Article, in particular in cases where the relevant legislation, both general and sectoral, in force in the third country or international organisation, does not guarantee effective and enforceable rights including effective administrative and judicial redress for data subjects, in particular for those data subjects residing in the Union whose personal data are being transferred. Those The implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2), or, in cases of extreme urgency for individuals with respect to their right to personal data protection, in accordance with the procedure referred to in Article 87(3).

5a. The Commission shall enter into consultations with the third country or international organisation with a view to remedying the situation giving rise to the Decision made pursuant to paragraph 5.

Commission proposal: 6. Where the Commission decides pursuant to paragraph 5, any transfer of personal data to the third country, or a territory or a processing sector within that third country, or the international organisation in question shall be prohibited, without prejudice to Articles 42 to 44. At the appropriate time, the Commission shall enter into consultations with the third country or international organisation with a view to remedying the situation resulting from the Decision made pursuant to paragraph 5 of this Article.

EP Position: 6. Where the Commission decides pursuant to paragraph 5, any transfer of personal data to the third country, or a territory or a processing sector within that third country, or the international organisation in question shall be prohibited, without prejudice to Articles 42 to 44. At the appropriate time, the Commission shall enter into consultations with the third country or international organisation with a view to remedying the situation resulting from the Decision decision made pursuant to paragraph 5 of this Article.

Council General Approach: 6. Where the Commission decides A decision pursuant to paragraph 5, any is without prejudice to transfers of personal data to the third country, or a the territory or a processing specified sector within that third country, or the international organisation in question shall be prohibited, without prejudice pursuant to Articles 42 to 44. At the appropriate time, the Commission shall enter into consultations with the third country or international organisation with a view to remedying the situation resulting from the Decision made pursuant to paragraph 5 of this Article.

    6a. Prior to adopting a delegated act pursuant to paragraphs 3 and 5, the Commission shall request the European Data Protection Board to provide an opinion on the adequacy of the level of protection. To that end, the Commission shall provide the European Data Protection Board with all necessary documentation, including correspondence with the government of the third country, territory or processing sector within that third country or the international organisation.

Commission proposal: 7. The Commission shall publish in the Official Journal of the European Union a list of those third countries, territories and processing sectors within a third country and international organisations where it has decided that an adequate level of protection is or is not ensured.

EP Position: 7. The Commission shall publish in the Official Journal of the European Union and on its website a list of those third countries, territories and processing sectors within a third country and international organisations where it has decided that an adequate level of protection is or is not ensured.

Council General Approach: 7. The Commission shall publish in the Official Journal of the European Union a list of those third countries, territories and processing specified sectors within a third country and international organisations where it has decided that an adequate level of protection is or is not ensured in respect of which decisions have been taken pursuant to paragraphs 3, 3a and 5.

Commission proposal: 8. Decisions adopted by the Commission on the basis of Article 25(6) or Article 26(4) of Directive 95/46/EC shall remain in force, until amended, replaced or repealed by the Commission.

EP Position: 8. Decisions adopted by the Commission on the basis of Article 25(6) or Article 26(4) of Directive 95/46/EC shall remain in force until five years after the entry into force of this Regulation unless amended, replaced or repealed by the Commission before the end of this period.

Council General Approach: deleted

Article 42 Article 42 Article 42

Transfers by way of appropriate safeguards Transfers by way of appropriate safeguards Transfers by way of appropriate safeguards

Amendment 138

Commission proposal: 1. Where the Commission has taken no decision pursuant to Article 41, a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has adduced appropriate safeguards with respect to the protection of personal data in a legally binding instrument.

EP Position: 1. Where the Commission has taken no decision pursuant to Article 41, or decides that a third country, or a territory or processing sector within that third country, or an international organisation does not ensure an adequate level of protection in accordance with Article 41(5), a controller or processor may not transfer personal data to a third country, territory or an international organisation unless the controller or processor has adduced appropriate safeguards with respect to the protection of personal data in a legally binding instrument.

Council General Approach: 1. Where the Commission has taken no In the absence of a decision pursuant to paragraph 3 of Article 41, a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has adduced appropriate safeguards with respect to the protection of personal data in a legally binding instrument, also covering onward transfers.

Commission proposal and EP Position: 2. The appropriate safeguards referred to in paragraph 1 shall be provided for, in particular, by:

Council General Approach: 2. The appropriate safeguards referred to in paragraph 1 shall may be provided for, in particular without requiring any specific authorisation from a supervisory authority, by:

    (oa) a legally binding and enforceable instrument between public authorities or bodies; or

Commission proposal and EP Position: (a) binding corporate rules in accordance with Article 43; or

Council General Approach: (a) binding corporate rules in accordance with referred to in Article 43; or

(aa) a valid “European Data Protection Seal” for the controller and the recipient in accordance with paragraph 1e of Article 39; or

Commission proposal: (b) standard data protection clauses adopted by the Commission. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2); or

EP Position: deleted

Council General Approach: (b) standard data protection clauses adopted by the Commission. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2); or

Commission proposal and EP Position: (c) standard data protection clauses adopted by a supervisory authority in accordance with the consistency mechanism referred to in Article 57 when declared generally valid by the Commission pursuant to point (b) of Article 62(1); or

Council General Approach: (c) standard data protection clauses adopted by a supervisory authority in accordance with the consistency mechanism referred to in Article 57 when declared generally valid and adopted by the Commission pursuant to point (b) of Article 62(1) the examination procedure referred to in Article 87(2); or

Commission proposal and EP Position: (d) contractual clauses between the controller or processor and the recipient of the data authorised by a supervisory authority in accordance with paragraph 4.

Council General Approach: (d) contractual clauses between the controller or processor and the recipient of the data authorised by a supervisory authority in accordance with paragraph 4. an approved code of conduct pursuant to Article 38 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights; or

(e) an approved certification mechanism pursuant to Article 39 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights.

2a. Subject to the authorisation from the competent supervisory authority, the appropriate safeguards referred to in paragraph 1 may also be provided for, in particular, by:

(a) contractual clauses between the controller or processor and the controller, processor or the recipient of the data in the third country or international organisation; or

(b)

(c)

(d) provisions to be inserted into administrative arrangements between public authorities or bodies.

Commission proposal: 3. A transfer based on standard data protection clauses or binding corporate rules as referred to in points (a), (b) or (c) of paragraph 2 shall not require any further authorisation.

EP Position: 3. A transfer based on standard data protection clauses, a “European Data Protection Seal” or binding corporate rules as referred to in point (a), (b) (aa) or (c) of paragraph 2 shall not require any further specific authorisation.

Council General Approach: deleted

Commission proposal and EP Position: 4. Where a transfer is based on contractual clauses as referred to in point (d) of paragraph 2 of this Article the controller or processor shall obtain prior authorisation of the contractual clauses according to point (a) of Article 34(1) from the supervisory authority. If the transfer is related to processing activities which concern data subjects in another Member State or other Member States, or substantially affect the free movement of personal data within the Union, the supervisory authority shall apply the consistency mechanism referred to in Article 57.

Council General Approach: deleted

Commission proposal: 5. Where the appropriate safeguards with respect to the protection of personal data are not provided for in a legally binding instrument, the controller or processor shall obtain prior authorisation for the transfer, or a set of transfers, or for provisions to be inserted into administrative arrangements providing the basis for such transfer. Such authorisation by the supervisory authority shall be in accordance with point (a) of Article 34(1). If the transfer is related to processing activities which concern data subjects in another Member State or other Member States, or substantially affect the free movement of personal data within the Union, the supervisory authority shall apply the consistency mechanism referred to in Article 57. Authorisations by a supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid, until amended, replaced or repealed by that supervisory authority.

EP Position: 5. Where the appropriate safeguards with respect to the protection of personal data are not provided for in a legally binding instrument, the controller or processor shall obtain prior authorisation for the transfer, or a set of transfers, or for provisions to be inserted into administrative arrangements providing the basis for such transfer. Such authorisation by the supervisory authority shall be in accordance with point (a) of Article 34(1). If the transfer is related to processing activities which concern data subjects in another Member State or other Member States, or substantially affect the free movement of personal data within the Union, the supervisory authority shall apply the consistency mechanism referred to in Article 57. Authorisations by a supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid, until two years after the entry into force of this Regulation unless amended, replaced or repealed by that supervisory authority before the end of that period.

Council General Approach: deleted

5a. The supervisory authority shall apply the consistency mechanism in the cases referred to in points (ca), (d), (e) and (f) of Article 57 (2).

5b. Authorisations by a Member State or supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid until amended, replaced or repealed by that supervisory authority. Decisions adopted by the Commission on the basis of Article 26(4) of Directive 95/46/EC shall remain in force until amended, replaced or repealed by a Commission Decision adopted in accordance with paragraph 2.

Article 43

Transfers by way of binding corporate rules

Amendment 139

Commission proposal: 1. A supervisory authority shall in accordance with the consistency mechanism set out in Article 58 approve binding corporate rules, provided that they:

EP Position: 1. A The supervisory authority shall in accordance with the consistency mechanism set out in Article 58 approve binding corporate rules, provided that they:

Council General Approach: 1. A The competent supervisory authority shall approve binding corporate rules in accordance with the consistency mechanism set out in Article 58 57 approve binding corporate rules, provided that they:

Commission proposal: (a) are legally binding and apply to and are enforced by every member within the controller’s or processor's group of undertakings, and include their employees;

EP Position: (a) are legally binding and apply to and are enforced by every member within the controller’s group of undertakings and those external subcontractors that are covered by the scope of the binding corporate rules, and include their employees;

Council General Approach: (a) are legally binding and apply to and are enforced by every member concerned of the within the controller’s or processor's group of undertakings or group of enterprises engaged in a joint economic activity, and include their employees;

Commission proposal and EP Position: (b) expressly confer enforceable rights on data subjects;

Council General Approach: (b) expressly confer enforceable rights on data subjects with regard to the processing of their personal data;

Commission proposal: (c) fulfil the requirements laid down in paragraph 2.

EP Position: (c) fulfil the requirements laid down in paragraph 2

Council General Approach: (c) fulfil the requirements laid down in paragraph 2.

1a. With regard to employment data, the representatives of the employees shall be informed about and, in accordance with Union or Member State law and practice, be involved in the drawing-up of binding corporate rules pursuant to Article 43.

Commission proposal: 2. The binding corporate rules shall at least specify:

EP Position: 2. The binding corporate rules shall at least specify.

Council General Approach: 2. The binding corporate rules referred to in paragraph 1 shall at least specify at least:

Commission proposal: (a) the structure and contact details of the group of undertakings and its members;

EP Position: (a) the structure and contact details of the group of undertakings and its members and those external subcontractors that are covered by the scope of the binding corporate rules;

Council General Approach: (a) the structure and contact details of the concerned group of undertakings and of each of its members;

Commission proposal and EP Position: (b) the data transfers or set of transfers, including the categories of personal data, the type of processing and its purposes, the type of data subjects affected and the identification of the third country or countries in question;

Council General Approach: (b) the data transfers or set categories of transfers, including the categories types of personal data, the type of processing and its purposes, the type of data subjects affected and the identification of the third country or countries in question;

Commission proposal, EP Position and Council General Approach: (c) their legally binding nature, both internally and externally;

Commission proposal: (d) the general data protection principles, in particular purpose limitation, data quality, legal basis for the processing, processing of sensitive personal data; measures to ensure data security; and the requirements for onward transfers to organisations which are not bound by the policies;

EP Position: (d) the general data protection principles, in particular purpose limitation, data minimisation, limited retention periods, data quality, data protection by design and by default, legal basis for the processing, processing of sensitive personal data; measures to ensure data security; and the requirements for onward transfers to organisations which are not bound by the policies;

Council General Approach: (d) application of the general data protection principles, in particular purpose limitation, data quality, legal basis for the processing, processing of sensitive special categories of personal data;, measures to ensure data security;, and the requirements for in respect of onward transfers to organisations bodies which are not bound by the policies binding corporate rules;

Commission proposal and EP Position: (e) the rights of data subjects and the means to exercise these rights, including the right not to be subject to a measure based on profiling in accordance with Article 20, the right to lodge a complaint before the competent supervisory authority and before the competent courts of the Member States in accordance with Article 75, and to obtain redress and, where appropriate, compensation for a breach of the binding corporate rules;

Council General Approach: (e) the rights of data subjects in regard to the processing of their personal data and the means to exercise these rights, including the right not to be subject to a measure based on decisions based solely on automated processing, including profiling in accordance with Article 20, the right to lodge a complaint before the competent supervisory authority and before the competent courts of the Member States in accordance with Article 75, and to obtain redress and, where appropriate, compensation for a breach of the binding corporate rules;

Commission proposal and EP Position: (f) the acceptance by the controller or processor established on the territory of a Member State of liability for any breaches of the binding corporate rules by any member of the group of undertakings not established in the Union; the controller or the processor may only be exempted from this liability, in whole or in part, if he proves that that member is not responsible for the event giving rise to the damage;

Council General Approach: (f) the acceptance by the controller or processor established on the territory of a Member State of liability for any breaches of the binding corporate rules by any member concerned of the group of undertakings not established in the Union; the controller or the processor may only be exempted from this liability, in whole or in part, if he proves on proving that that member is not responsible for the event giving rise to the damage;

Commission proposal and EP Position: (g) how the information on the binding corporate rules, in particular on the provisions referred to in points (d), (e) and (f) of this paragraph is provided to the data subjects in accordance with Article 11;

Council General Approach: (g) how the information on the binding corporate rules, in particular on the provisions referred to in points (d), (e) and (f) of this paragraph is provided to the data subjects in accordance with Articles 11 14 and 14a;

Commission proposal and EP Position: (h) the tasks of the data protection officer designated in accordance with Article 35, including monitoring within the group of undertakings the compliance with the binding corporate rules, as well as monitoring the training and complaint handling;

Council General Approach: (h) the tasks of the any data protection officer designated in accordance with Article 35 or any other person or entity in charge of the , including monitoring within the group of undertakings the compliance with the binding corporate rules within the group, as well as monitoring the training and complaint handling;

(hh) the complaint procedures;

Commission proposal and EP Position: (i) the mechanisms within the group of undertakings aiming at ensuring the verification of compliance with the binding corporate rules;

Council General Approach: (i) the mechanisms within the group of undertakings aiming at for ensuring the verification of compliance with the binding corporate rules. Such mechanisms shall include data protection audits and methods for ensuring corrective actions to protect the rights of the data subject. Results of such verification should be communicated to the person or entity referred under point (h) and to the board of the controlling undertaking or of the group of enterprises, and should be available upon request to the competent supervisory authority;

Commission proposal and EP Position: (j) the mechanisms for reporting and recording changes to the policies and reporting these changes to the supervisory authority;

Council General Approach: (j) the mechanisms for reporting and recording changes to the policies rules and reporting these changes to the supervisory authority;

Commission proposal and EP Position: (k) the co-operation mechanism with the supervisory authority to ensure compliance by any member of the group of undertakings, in particular by making available to the supervisory authority the results of the verifications of the measures referred to in point (i) of this paragraph.

Council General Approach: (k) the co-operation mechanism with the supervisory authority to ensure compliance by any member of the group of undertakings, in particular by making available to the supervisory authority the results of the verifications of the measures referred to in point (i) of this paragraph;

(l) the mechanisms for reporting to the competent supervisory authority any legal requirements to which a member of the group is subject in a third country which are likely to have a substantial adverse effect on the guarantees provided by the binding corporate rules; and

(m) the appropriate data protection training to personnel having permanent or regular access to personal data.

2a. The European Data Protection Board shall advise the Commission on the format and procedures for the exchange of information between controllers, processors and supervisory authorities for binding corporate rules

Commission proposal: 3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for binding corporate rules within the meaning of this Article, in particular as regards the criteria for their approval, the application of points (b), (d), (e) and (f) of paragraph 2 to binding corporate rules adhered to by processors and on further necessary requirements to ensure the protection of personal data of the data subjects concerned.

EP Position: 3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the format, procedures, criteria and requirements for binding corporate rules within the meaning of this Article, in particular as regards the criteria for their approval, including transparency for data subjects, the application of points (b), (d), (e) and (f) of paragraph 2 to binding corporate rules adhered to by processors and on further necessary requirements to ensure the protection of personal data of the data subjects concerned.

Council General Approach: deleted

Commission proposal: 4. The Commission may specify the format and procedures for the exchange of information by electronic means between controllers, processors and supervisory authorities for binding corporate rules within the meaning of this Article. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2).

EP Position: deleted

Council General Approach: 4. The Commission may specify the format and procedures for the exchange of information by electronic means between controllers, processors and supervisory authorities for binding corporate rules within the meaning of this Article. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2).

Amendment 140

Article 43a (new)

Transfers or disclosures not authorised by Union law

1. No judgment of a court or tribunal and no decision of an administrative authority of a third country requiring a controller or processor to disclose personal data shall be recognised or be enforceable in any manner, without prejudice to a mutual legal assistance treaty or an international agreement in force between the requesting third country and the Union or a Member State.

2. Where a judgment of a court or tribunal or a decision of an administrative authority of a third country requests a controller or processor to disclose personal data, the controller or processor and, if any, the controller's representative, shall notify the supervisory authority of the request without undue delay and must obtain prior authorisation for the transfer or disclosure by the supervisory authority.

3. The supervisory authority shall assess the compliance of the requested disclosure with the Regulation and in particular whether the disclosure is necessary and legally required in accordance with points (d) and (e) of Article 44(1) and Article 44(5). Where data subjects from other Member States are affected, the supervisory authority shall apply the consistency mechanism referred to in Article 57.

4. The supervisory authority shall inform the competent national authority of the request. Without prejudice to Article 21, the controller or processor shall also inform the data subjects of the request and of the authorisation by the supervisory authority and where applicable inform the data subject whether personal data was provided to public authorities during the last consecutive 12-month period, pursuant to point (ha) of Article 14(1).

Article 44

Commission proposal and EP Position: Derogations

Council General Approach: Derogations for specific situations

Amendment 141

Commission proposal and EP Position: 1. In the absence of an adequacy decision pursuant to Article 41 or of appropriate safeguards pursuant to Article 42, a transfer or a set of transfers of personal data to a third country or an international organisation may take place only on condition that:

Council General Approach: 1. In the absence of an adequacy decision pursuant to paragraph 3 of of Article 41, or of appropriate safeguards pursuant to Article 42, including binding corporate rules a transfer or a set category of transfers of personal data to a third country or an international organisation may take place only on condition that:

Commission proposal and EP Position: (a) the data subject has consented to the proposed transfer, after having been informed of the risks of such transfers due to the absence of an adequacy decision and appropriate safeguards; or

Council General Approach: (a) the data subject has explicitly consented to the proposed transfer, after having been informed of the risks of that such transfers may involve risks for the data subject due to the absence of an adequacy decision and appropriate safeguards; or

Commission proposal, EP Position and Council General Approach: (b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request; or

Commission proposal, EP Position and Council General Approach: (c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person; or

Commission proposal and EP Position: (d) the transfer is necessary for important grounds of public interest; or

Council General Approach: (d) the transfer is necessary for important grounds reasons of public interest; or

Commission proposal, EP Position and Council General Approach: (e) the transfer is necessary for the establishment, exercise or defence of legal claims; or

Commission proposal and EP Position: (f) the transfer is necessary in order to protect the vital interests of the data subject or of another person, where the data subject is physically or legally incapable of giving consent; or

Council General Approach: (f) the transfer is necessary in order to protect the vital interests of the data subject or of another persons, where the data subject is physically or legally incapable of giving consent; or

Commission proposal: (g) the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the extent that the conditions laid down in Union or Member State law for consultation are fulfilled in the particular case; or

EP Position: (g) the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the extent that the conditions laid down in Union or Member State law for consultation are fulfilled in the particular case.

Council General Approach: (g) the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down in Union or Member State law for consultation are fulfilled in the particular case; or

Commission proposal: (h) the transfer is necessary for the purposes of the legitimate interests pursued by the controller or the processor, which cannot be qualified as frequent or massive, and where the controller or processor has assessed all the circumstances surrounding the data transfer operation or the set of data transfer operations and based on this assessment adduced appropriate safeguards with respect to the protection of personal data, where necessary.

EP Position: deleted

Council General Approach: (h) the transfer, which is not large scale or frequent, is necessary for the purposes of the legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject or the processor, which cannot be qualified as frequent or massive, and where the controller or processor has assessed all the circumstances surrounding the data transfer operation or the set of data transfer operations and based on this assessment adduced appropriate suitable safeguards with respect to the protection of personal data, where necessary.

Commission proposal, EP Position and Council General Approach: 2. A transfer pursuant to point (g) of paragraph 1 shall not involve the entirety of the personal data or entire categories of the personal data contained in the register. When the register is intended for consultation by persons having a legitimate interest, the transfer shall be made only at the request of those persons or if they are to be the recipients.

Commission proposal: 3. Where the processing is based on point (h) of paragraph 1, the controller or processor shall give particular consideration to the nature of the data, the purpose and duration of the proposed processing operation or operations, as well as the situation in the country of origin, the third country and the country of final destination, and adduced appropriate safeguards with respect to the protection of personal data, where necessary.

EP Position: deleted

Council General Approach: deleted

Commission proposal: 4. Points (b), (c) and (h) of paragraph 1 shall not apply to activities carried out by public authorities in the exercise of their public powers.

EP Position: 4. Points (b), and (c) and (h) of paragraph 1 shall not apply to activities carried out by public authorities in the exercise of their public powers.

Council General Approach: 4. Points (a), (b), (c) and (h) of paragraph 1 shall not apply to activities carried out by public authorities in the exercise of their public powers.

Commission proposal and EP Position: 5. The public interest referred to in point (d) of paragraph 1 must be recognised in Union law or in the law of the Member State to which the controller is subject.

Council General Approach: 5. The public interest referred to in point (d) of paragraph 1 must be recognised in Union law or in the national law of the Member State to which the controller is subject.

    5a. In the absence of an adequacy decision, Union law or Member State law may, for important reasons of public interest, expressly set limits to the transfer of specific categories of personal data to a third country or an international organisation. Member States shall notify such provisions to the Commission.

Commission proposal: 6. The controller or processor shall document the assessment as well as the appropriate safeguards adduced referred to in point (h) of paragraph 1 of this Article in the documentation referred to in Article 28 and shall inform the supervisory authority of the transfer.

EP Position: deleted

Council General Approach: 6. The controller or processor shall document the assessment as well as the appropriate suitable safeguards adduced referred to in point (h) of paragraph 1 of this Article in the documentation records referred to in Article 28 and shall inform the supervisory authority of the transfer.

Commission proposal: 7. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying 'important grounds of public interest' within the meaning of point (d) of paragraph 1 as well as the criteria and requirements for appropriate safeguards referred to in point (h) of paragraph 1.

EP Position: 7. The Commission European Data Protection Board shall be empowered to adopt delegated acts in accordance with Article 86 entrusted with the task of issuing guidelines, recommendations and best practices in accordance with point (b) of Article 66(1) for the purpose of further specifying 'important grounds of public interest' within the meaning of point (d) of paragraph 1 as well as the criteria and requirements for appropriate safeguards referred to in point (h) data transfers on the basis of paragraph 1.

Council General Approach: deleted

Article 45

International co-operation for the protection of personal data

Amendment 142

Commission proposal, EP Position and Council General Approach: 1. In relation to third countries and international organisations, the Commission and supervisory authorities shall take appropriate steps to:

Commission proposal: (a) develop effective international co-operation mechanisms to facilitate the enforcement of legislation for the protection of personal data;

EP Position: (a) develop effective international co-operation mechanisms to facilitate ensure the enforcement of legislation for the protection of personal data;

Council General Approach: (a) develop effective international co-operation mechanisms to facilitate the effective enforcement of legislation for the protection of personal data;

Commission proposal, EP Position and Council General Approach: (b) provide international mutual assistance in the enforcement of legislation for the protection of personal data, including through notification, complaint referral, investigative assistance and information exchange, subject to appropriate safeguards for the protection of personal data and other fundamental rights and freedoms;

DGD 2C LIMITE EN

Commission proposal: (c) engage relevant stakeholders in discussion and activities aimed at furthering international co-operation in the enforcement of legislation for the protection of personal data;
EP Position / First Reading: (c) engage relevant stakeholders in discussion and activities aimed at furthering international co-operation in the enforcement of legislation for the protection of personal data;
Council General Approach: (c) engage relevant stakeholders in discussion and activities aimed at furthering promoting international co-operation in the enforcement of legislation for the protection of personal data;

Commission proposal: (d) promote the exchange and documentation of personal data protection legislation and practice.
EP Position / First Reading: (d) promote the exchange and documentation of personal data protection legislation and practice.;
Council General Approach: (d) promote the exchange and documentation of personal data protection legislation and practice.

Amendment 143

(da) clarify and consult on jurisdictional conflicts with third countries.

Commission proposal: 2. For the purposes of paragraph 1, the Commission shall take appropriate steps to advance the relationship with third countries or international organisations, and in particular their supervisory authorities, where the Commission has decided that they ensure an adequate level of protection within the meaning of Article 41(3).
EP Position / First Reading: 2. For the purposes of paragraph 1, the Commission shall take appropriate steps to advance the relationship with third countries or international organisations, and in particular their supervisory authorities, where the Commission has decided that they ensure an adequate level of protection within the meaning of Article 41(3).
Council General Approach: deleted

Amendment 144

Article 45a (new)

Report by the Commission

The Commission shall submit to the European Parliament and the Council at regular intervals, starting not later than four years after the date referred to in Article 91(1), a report on the application of Articles 40 to 45. For that purpose, the Commission may request information from the Member States and supervisory authorities, which shall be supplied without undue delay. The report shall be made public.

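Commission proposal: CHAPTER VI INDEPENDENT SUPERVISORY AUTHORITIES
EP Position / First Reading: CHAPTER VI INDEPENDENT SUPERVISORY AUTHORITIES
Council General Approach: CHAPTER VI INDEPENDENT SUPERVISORY AUTHORITIES

Commission proposal: SECTION 1 INDEPENDENT STATUS
EP Position / First Reading: SECTION 1 INDEPENDENT STATUS
Council General Approach: SECTION 1 INDEPENDENT STATUS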

Article 46 Article 46 Article 46

Supervisory authority Supervisory authority Supervisory authority

Commission proposal: 1. Each Member State shall provide that one or more public authorities are responsible for monitoring the application of this Regulation and for contributing to its consistent application throughout the Union, in order to protect the fundamental rights and freedoms of natural persons in relation to the processing of their personal data and to facilitate the free flow of personal data within the Union. For these purposes, the supervisory authorities shall co-operate with each other and the Commission.
EP Position / First Reading: 1. Each Member State shall provide that one or more public authorities are responsible for monitoring the application of this Regulation and for contributing to its consistent application throughout the Union, in order to protect the fundamental rights and freedoms of natural persons in relation to the processing of their personal data and to facilitate the free flow of personal data within the Union. For these purposes, the supervisory authorities shall co-operate with each other and the Commission.
Council General Approach: 1. Each Member State shall provide that one or more independent public authorities are responsible for monitoring the application of this Regulation and for contributing to its consistent application throughout the Union, in order to protect the fundamental rights and freedoms of natural persons in relation to the processing of their personal data and to facilitate the free flow of personal data within the Union. For these purposes, the supervisory authorities shall co-operate with each other and the Commission.

1a Each supervisory authority shall contribute to the consistent application of this Regulation throughout the Union. For this purpose, the supervisory authorities shall co-operate with each other and the Commission in accordance with Chapter VII.

Commission proposal: 2. Where in a Member State more than one supervisory authority are established, that Member State shall designate the supervisory authority which functions as a single contact point for the effective participation of those authorities in the European Data Protection Board and shall set out the mechanism to ensure compliance by the other authorities with the rules relating to the consistency mechanism referred to in Article 57.
EP Position / First Reading: 2. Where in a Member State more than one supervisory authority are established, that Member State shall designate the supervisory authority which functions as a single contact point for the effective participation of those authorities in the European Data Protection Board and shall set out the mechanism to ensure compliance by the other authorities with the rules relating to the consistency mechanism referred to in Article 57.
Council General Approach: 2. Where in a Member State more than one supervisory authority are established, that Member State shall designate the supervisory authority which functions as a single contact point for the effective participation of shall represent those authorities in the European Data Protection Board and shall set out the mechanism to ensure compliance by the other authorities with the rules relating to the consistency mechanism referred to in Article 57.

Commission proposal: 3. Each Member State shall notify to the Commission those provisions of its law which it adopts pursuant to this Chapter, by the date specified in Article 91(2) at the latest and, without delay, any subsequent amendment affecting them.
EP Position / First Reading: 3. Each Member State shall notify to the Commission those provisions of its law which it adopts pursuant to this Chapter, by the date specified in Article 91(2) at the latest and, without delay, any subsequent amendment affecting them.
Council General Approach: 3. Each Member State shall notify to the Commission those provisions of its law which it adopts pursuant to this Chapter, by the date specified in Article 91(2) at the latest and, without delay, any subsequent amendment affecting them.

Article 47 Article 47 Article 47

Independence Independence Independence

Amendment 145

Commission proposal: 1. The supervisory authority shall act with complete independence in exercising the duties and powers entrusted to it.
EP Position / First Reading: 1. The supervisory authority shall act with complete independence in exercising the duties and powers entrusted to it, notwithstanding co-operative and consistency arrangements related to Chapter VII of this Regulation.
Council General Approach: 1. The Each supervisory authority shall act with complete independence in performing the duties and exercising the duties and powers entrusted to it in accordance with this Regulation.

Commission proposal: 2. The members of the supervisory authority shall, in the performance of their duties, neither seek nor take instructions from anybody.
EP Position / First Reading: 2. The members of the supervisory authority shall, in the performance of their duties, neither seek nor take instructions from anybody.
Council General Approach: 2. The member or members of the each supervisory authority shall, in the performance of their duties and exercise of their powers in accordance with this Regulation, remain free from external influence, whether direct or indirect and neither seek nor take instructions from anybody.

Commission proposal: 3. Members of the supervisory authority shall refrain from any action incompatible with their duties and shall not, during their term of office, engage in any incompatible occupation, whether gainful or not.
EP Position / First Reading: 3. Members of the supervisory authority shall refrain from any action incompatible with their duties and shall not, during their term of office, engage in any incompatible occupation, whether gainful or not.
Council General Approach: deleted

Commission proposal: 4. Members of the supervisory authority shall behave, after their term of office, with integrity and discretion as regards the acceptance of appointments and benefits.
EP Position / First Reading: 4. Members of the supervisory authority shall behave, after their term of office, with integrity and discretion as regards the acceptance of appointments and benefits.
Council General Approach: deleted

Commission proposal: 5. Each Member State shall ensure that the supervisory authority is provided with the adequate human, technical and financial resources, premises and infrastructure necessary for the effective performance of its duties and powers, including those to be carried out in the context of mutual assistance, co-operation and participation in the European Data Protection Board.
EP Position / First Reading: 5. Each Member State shall ensure that the supervisory authority is provided with the adequate human, technical and financial resources, premises and infrastructure necessary for the effective performance of its duties and powers, including those to be carried out in the context of mutual assistance, co-operation and participation in the European Data Protection Board.
Council General Approach: 5. Each Member State shall ensure that the each supervisory authority is provided with the adequate human, technical and financial resources, premises and infrastructure necessary for the effective performance of its duties and exercise of its powers, including those to be carried out in the context of mutual assistance, co-operation and participation in the European Data Protection Board.

Commission proposal: 6. Each Member State shall ensure that the supervisory authority has its own staff which shall be appointed by and be subject to the direction of the head of the supervisory authority.
EP Position / First Reading: 6. Each Member State shall ensure that the supervisory authority has its own staff which shall be appointed by and be subject to the direction of the head of the supervisory authority.
Council General Approach: 6. Each Member State shall ensure that the each supervisory authority has its own staff which shall be appointed by and be subject to the direction of the member or members head of the supervisory authority.

Commission proposal: 7. Member States shall ensure that the supervisory authority is subject to financial control which shall not affect its independence. Member States shall ensure that the supervisory authority has separate annual budgets. The budgets shall be made public.
EP Position / First Reading: 7. Member States shall ensure that the supervisory authority is subject to financial control which shall not affect its independence. Member States shall ensure that the supervisory authority has separate annual budgets. The budgets shall be made public.
Council General Approach: 7. Member States shall ensure that the each supervisory authority is subject to financial control which shall not affect its independence. Member States shall ensure that the each supervisory authority has separate, public, annual budgets, which may be part of the overall state or national budget. The budgets shall be made public.

    Amendment 146

    7a. Each Member State shall ensure that the supervisory authority shall be accountable to the national parliament for reasons of budgetary control.

Article 48 Article 48 Article 48

Commission proposal: General conditions for the members of the supervisory authority
EP Position / First Reading: General conditions for the members of the supervisory authority
Council General Approach: General conditions for the members of the supervisory authority

Commission proposal: 1. Member States shall provide that the members of the supervisory authority must be appointed either by the parliament or the government of the Member State concerned.
EP Position / First Reading: 1. Member States shall provide that the members of the supervisory authority must be appointed either by the parliament or the government of the Member State concerned.
Council General Approach: 1. Member States shall provide that the member or members of the each supervisory authority must be appointed either by the parliament and/or the government or head of State of the Member State concerned or by an independent body entrusted by Member State law with the appointment by means of a transparent procedure.

Commission proposal: 2. The members shall be chosen from persons whose independence is beyond doubt and whose experience and skills required to perform their duties notably in the area of protection of personal data are demonstrated.
EP Position / First Reading: 2. The members shall be chosen from persons whose independence is beyond doubt and whose experience and skills required to perform their duties notably in the area of protection of personal data are demonstrated.
Council General Approach: 2. The member or members shall have the qualifications, be chosen from persons whose independence is beyond doubt and whose experience and skills required to perform their duties notably in the area of protection of personal data are demonstrated and exercise their powers.

Commission proposal: 3. The duties of a member shall end in the event of the expiry of the term of office, resignation or compulsory retirement in accordance with paragraph 5.
EP Position / First Reading: 3. The duties of a member shall end in the event of the expiry of the term of office, resignation or compulsory retirement in accordance with paragraph 5.
Council General Approach: 3. The duties of a member shall end in the event of the expiry of the term of office, resignation or compulsory retirement in accordance with paragraph 5 the law of the Member State concerned.

Commission proposal: 4. A member may be dismissed or deprived of the right to a pension or other benefits in its stead by the competent national court, if the member no longer fulfils the conditions required for the performance of the duties or is guilty of serious misconduct.
EP Position / First Reading: 4. A member may be dismissed or deprived of the right to a pension or other benefits in its stead by the competent national court, if the member no longer fulfils the conditions required for the performance of the duties or is guilty of serious misconduct.
Council General Approach: 4. A member may be dismissed or deprived of the right to a pension or other benefits in its stead by the competent national court, if the member no longer fulfils the conditions required for the performance of the duties or is guilty of serious misconduct.

Commission proposal: 5. Where the term of office expires or the member resigns, the member shall continue to exercise the duties until a new member is appointed.
EP Position / First Reading: 5. Where the term of office expires or the member resigns, the member shall continue to exercise the duties until a new member is appointed.
Council General Approach: 5. Where the term of office expires or the member resigns, the member shall continue to exercise the duties until a new member is appointed.

Article 49 Article 49 Article 49

Commission proposal: Rules on the establishment of the supervisory authority
EP Position / First Reading: Rules on the establishment of the supervisory authority
Council General Approach: Rules on the establishment of the supervisory authority

Commission proposal: Each Member State shall provide by law within the limits of this Regulation:
EP Position / First Reading: Each Member State shall provide by law within the limits of this Regulation:
Council General Approach: Each Member State shall provide by law within the limits of this Regulation for:

Commission proposal: (a) the establishment and status of the supervisory authority;
EP Position / First Reading: (a) the establishment and status of the supervisory authority;
Council General Approach: (a) the establishment and status of the each supervisory authority;

Commission proposal: (b) the qualifications, experience and skills required to perform the duties of the members of the supervisory authority;
EP Position / First Reading: (b) the qualifications, experience and skills required to perform the duties of the members of the supervisory authority;
Council General Approach: (b) the qualifications, experience and skills required to perform the duties of the members of the supervisory authority;

Commission proposal: (c) the rules and procedures for the appointment of the members of the supervisory authority, as well the rules on actions or occupations incompatible with the duties of the office;
EP Position / First Reading: (c) the rules and procedures for the appointment of the members of the supervisory authority, as well the rules on actions or occupations incompatible with the duties of the office;
Council General Approach: (c) the rules and procedures for the appointment of the member or members of the each supervisory authority, as well the rules on actions or occupations incompatible with the duties of the office;

Commission proposal: (d) the duration of the term of the members of the supervisory authority which shall be no less than four years, except for the first appointment after entry into force of this Regulation, part of which may take place for a shorter period where this is necessary to protect the independence of the supervisory authority by means of a staggered appointment procedure;
EP Position / First Reading: (d) the duration of the term of the members of the supervisory authority which shall be no less than four years, except for the first appointment after entry into force of this Regulation, part of which may take place for a shorter period where this is necessary to protect the independence of the supervisory authority by means of a staggered appointment procedure;
Council General Approach: (d) the duration of the term of the member or members of the each supervisory authority which shall not be no less than four years, except for the first appointment after entry into force of this Regulation, part of which may take place for a shorter period where this is necessary to protect the independence of the supervisory authority by means of a staggered appointment procedure;

Commission proposal: (e) whether the members of the supervisory authority shall be eligible for reappointment;
EP Position / First Reading: (e) whether the members of the supervisory authority shall be eligible for reappointment;
Council General Approach: (e) whether and, if so, for how many terms the member or members of the each supervisory authority shall be eligible for reappointment;

Commission proposal: (f) the regulations and common conditions governing the duties of the members and staff of the supervisory authority;
EP Position / First Reading: (f) the regulations and common conditions governing the duties of the members and staff of the supervisory authority;
Council General Approach: (f) the regulations and common conditions governing the duties obligations of the member or members and staff of the each supervisory authority, prohibitions on actions and occupations incompatible therewith during and after the term of office and rules governing the cessation of employment;

Commission proposal: (g) the rules and procedures on the termination of the duties of the members of the supervisory authority, including in case that they no longer fulfil the conditions required for the performance of their duties or if they are guilty of serious misconduct.
EP Position / First Reading: (g) the rules and procedures on the termination of the duties of the members of the supervisory authority, including in case that they no longer fulfil the conditions required for the performance of their duties or if they are guilty of serious misconduct.
Council General Approach: deleted

2. The member or members and the staff of each supervisory authority shall, in accordance with Union or Member State law, be subject to a duty of professional secrecy both during and after their term of office, with regard to any confidential information which has come to their knowledge in the course of the performance of their duties or exercise of their powers.

Article 50 Article 50 Article 50

Professional secrecy Professional secrecy Professional secrecy

Amendment 147

Commission proposal: The members and the staff of the supervisory authority shall be subject, both during and after their term of office, to a duty of professional secrecy with regard to any confidential information which has come to their knowledge in the course of the performance of their official duties.
EP Position / First Reading: The members and the staff of the supervisory authority shall be subject, both during and after their term of office and in conformity with national legislation and practice, to a duty of professional secrecy with regard to any confidential information which has come to their knowledge in the course of the performance of their official duties, whilst conducting their duties with independence and transparency as set out in the Regulation.
Council General Approach: deleted

Commission proposal: SECTION 2 DUTIES AND POWERS
EP Position / First Reading: SECTION 2 DUTIES AND POWERS
Council General Approach: SECTION 2 DUTIES COMPETENCE, TASKS AND POWERS

Article 51 Article 51 Article 51

Competence Competence Competence

Amendment 148

Commission proposal: 1. Each supervisory authority shall exercise, on the territory of its own Member State, the powers conferred on it in accordance with this Regulation.
EP Position / First Reading: 1. Each supervisory authority shall be competent to perform the duties and to exercise, on the territory of its own Member State, the powers conferred on it in accordance with this Regulation on the territory of its own Member State, without prejudice to Articles 73 and 74. Data processing by a public authority shall be supervised only by the supervisory authority of that Member State.
Council General Approach: 1. Each supervisory authority shall be competent to perform the tasks and exercise on the territory of its own Member State, the powers conferred on it in accordance with this Regulation on the territory of its own Member State.

    Amendment 149

Commission proposal: 2. Where the processing of personal data takes place in the context of the activities of an establishment of a controller or a processor in the Union, and the controller or processor is established in more than one Member State, the supervisory authority of the main establishment of the controller or processor shall be competent for the supervision of the processing activities of the controller or the processor in all Member States, without prejudice to the provisions of Chapter VII of this Regulation.
EP Position / First Reading: deleted
Council General Approach: 2. Where the processing of personal data takes place in the context of the activities of an establishment of a controller or a processor in the Union, and the controller or processor is established in more than one Member State, the supervisory authority of the main establishment of the controller or processor shall be competent for the supervision of the processing activities of the controller or the processor in all Member States, without prejudice to the provisions of Chapter VII of this Regulation. is carried out by public authorities or private bodies acting on the basis of points (c) or (e) of Article 6(1), the supervisory authority of the Member State concerned shall be competent. In such cases Article 51a does not apply.

Commission proposal: 3. The supervisory authority shall not be competent to supervise processing operations of courts acting in their judicial capacity.
EP Position / First Reading: 3. The supervisory authority shall not be competent to supervise processing operations of courts acting in their judicial capacity.
Council General Approach: 3. The sSupervisory authorityies shall not be competent to supervise processing operations of courts acting in their judicial capacity.

Article 51a

Competence of the lead supervisory authority

1. Without prejudice to Article 51, the supervisory authority of the main establishment or of the single establishment of the controller or processor shall be competent to act as lead supervisory authority for the transnational processing of this controller or processor in accordance with the procedure in Article 54a.

2a. By derogation from paragraph 1, each supervisory authority shall be competent to deal with a complaint lodged with it or to deal with a possible infringement of this Regulation, if the subject matter relates only to an establishment in its Member State or substantially affects data subjects only in its Member State.

2b. In the cases referred to in paragraph 2a, the supervisory authority shall inform the lead supervisory authority without delay on this matter. Within a period of three weeks after being informed the lead supervisory authority shall decide whether or not it will deal with the case in accordance with the procedure provided in Article 54a, taking into account whether or not there is an establishment of the controller or processor in the Member State of which the supervisory authority informed it.

2c. Where the lead supervisory authority decides to deal with the case, the procedure provided in Article 54a shall apply. The supervisory authority which informed the lead supervisory authority may submit to such supervisory authority a draft for a decision. The lead supervisory authority shall take utmost account of that draft when preparing the draft decision referred to in paragraph 2 of Article 54a.

2d. In case the lead supervisory authority decides not to deal with it, the supervisory authority which informed the lead supervisory authority shall deal with the case according to Articles 55 and 56.

3. The lead supervisory authority shall be the sole interlocutor of the controller or processor for their transnational processing.

Article 52 Article 52 Article 52

Duties Duties Tasks

Commission proposal: 1. The supervisory authority shall:
EP Position / First Reading: 1. The supervisory authority shall:
Council General Approach: 1. The Without prejudice to other tasks set out under this Regulation, each supervisory authority shall on its territory:

Commission proposal: (a) monitor and ensure the application of this Regulation;
EP Position / First Reading: (a) monitor and ensure the application of this Regulation;
Council General Approach: (a) monitor and ensure enforce the application of this Regulation;

(aa) promote public awareness and understanding of the risks, rules, safeguards and rights in relation to the processing of personal data. Activities addressed specifically to children shall receive specific attention;

(ab) advise, in accordance with national law, the national parliament, the government, and other institutions and bodies on legislative and administrative measures relating to the protection of individuals’ rights and freedoms with regard to the processing of personal data;

(ac) promote the awareness of controllers and processors of their obligations under this Regulation;

(ad) upon request, provide information to any data subject concerning the exercise of their rights under this Regulation and, if appropriate, co-operate with the supervisory authorities in other Member States to this end;

Amendment 150

Commission proposal: (b) hear complaints lodged by any data subject, or by an association representing that data subject in accordance with Article 73, investigate, to the extent appropriate, the matter and inform the data subject or the association of the progress and the outcome of the complaint within a reasonable period, in particular if further investigation or coordination with another supervisory authority is necessary;
EP Position / First Reading: (b) hear complaints lodged by any data subject, or by an association representing that data subject in accordance with Article 73, investigate, to the extent appropriate, the matter and inform the data subject or the association of the progress and the outcome of the complaint within a reasonable period, in particular if further investigation or coordination with another supervisory authority is necessary;
Council General Approach: (b) hear deal with complaints lodged by any a data subject, or body, organisation or by an association representing that a data subject in accordance with Article 73, and investigate, to the extent appropriate, the subject matter of the complaint and the inform the data subject or the body, organisation or association of the progress and the outcome of the complaint investigation within a reasonable period, in particular if further investigation or coordination with another supervisory authority is necessary;

Commission proposal: (c) share information with and provide mutual assistance to other supervisory authorities and ensure the consistency of application and enforcement of this Regulation;
EP Position / First Reading: (c) share information with and provide mutual assistance to other supervisory authorities and ensure the consistency of application and enforcement of this Regulation;
Council General Approach: (c) share cooperate with, including sharing information with and provide mutual assistance to other supervisory authorities with a view to and ensure ensuring the consistency of application and enforcement of this Regulation;

Amendment 151

Commission proposal: (d) conduct investigations either on its own initiative or on the basis of a complaint or on request of another supervisory authority, and inform the data subject concerned, if the data subject has addressed a complaint to this supervisory authority, of the outcome of the investigations within a reasonable period;
EP Position / First Reading: (d) conduct investigations, either on its own initiative or on the basis of a complaint or of specific and documented information received alleging unlawful processing or on request of another supervisory authority, and inform the data subject concerned, if the data subject has addressed a complaint to this supervisory authority, of the outcome of the investigations within a reasonable period;
Council General Approach: (d) conduct investigations either on its own initiative or on the basis of a complaint or on request of another supervisory authority, and inform the data subject concerned, if the data subject has addressed a complaint to this on the application of this Regulation, including on the basis of information received from another supervisory authority, of the outcome of the investigations within a reasonable period or other public authority;

Commission proposal: (e) monitor relevant developments, insofar as they have an impact on the protection of personal data, in particular the development of information and communication technologies and commercial practices;
EP Position / First Reading: (e) monitor relevant developments, insofar as they have an impact on the protection of personal data, in particular the development of information and communication technologies and commercial practices;
Council General Approach: (e) monitor relevant developments, insofar as they have an impact on the protection of personal data, in particular the development of information and communication technologies and commercial practices;

Commission proposal: (f) be consulted by Member State institutions and bodies on legislative and administrative measures relating to the protection of individuals' rights and freedoms with regard to the processing of personal data;
EP Position / First Reading: (f) be consulted by Member State institutions and bodies on legislative and administrative measures relating to the protection of individuals' rights and freedoms with regard to the processing of personal data;
Council General Approach: (f) be consulted by Member State institutions and bodies on legislative and administrative measures relating to the protection of individuals' rights and freedoms with regard to the processing of personal data adopt standard contractual clauses referred to in Article 26(2c);

(fa) establish and make a list in relation to the requirement for data protection impact assessment pursuant to Article 33(2a);

Commission proposal: (g) authorise and be consulted on the processing operations referred to in Article 34;
EP Position / First Reading: (g) authorise and be consulted on the processing operations referred to in Article 34;
Council General Approach: (g) authorise and be consulted give advice on the processing operations referred to in Article 34(3);

(ga) encourage the drawing up of codes of conduct pursuant to Article 38 and give an opinion and approve such codes of conduct which provide sufficient safeguards, pursuant to Article 38 (2);

(gb) promote the establishment of data protection certification mechanisms and of data protection seals and marks, and approve the criteria of certification pursuant to Article 39 (2a);

(gc) where applicable, carry out a periodic review of certifications issued in accordance with Article 39(4);

Commission proposal: (h) issue an opinion on the draft codes of conduct pursuant to Article 38(2);
EP Position / First Reading: (h) issue an opinion on the draft codes of conduct pursuant to Article 38(2);
Council General Approach: (h) issue an opinion on the draft and publish the criteria for accreditation of a body for monitoring codes of conduct pursuant to Article 38(2)a and of a certification body pursuant to Article 39a;

(ha) conduct the accreditation of a body for monitoring codes of conduct pursuant to Article 38a and of a certification body pursuant to Article 39a;

(hb) authorise contractual clauses referred to in Article 42(2a)(a);

(i) approve binding corporate rules (i) approve binding corporate rules (i) approve binding corporate rules pursuant to Article 43; pursuant to Article 43; pursuant to Article 43;

Commission proposal and EP Position: (j) participate in the activities of the European Data Protection Board.
Council General Approach: (j) participate in contribute to the activities of the European Data Protection Board.;

(k) fulfil any other tasks related to the protection of personal data.

Amendment 152

(ja) certify controllers and processors pursuant to Article 39.


Amendment 153

Commission proposal: 2. Each supervisory authority shall promote the awareness of the public on risks, rules, safeguards and rights in relation to the processing of personal data. Activities addressed specifically to children shall receive specific attention.
EP Position: 2. Each supervisory authority shall promote the awareness of the public on risks, rules, safeguards and rights in relation to the processing of personal data and on appropriate measures for personal data protection. Activities addressed specifically to children shall receive specific attention.
Council General Approach: deleted

Amendment 154

2a. Each supervisory authority shall together with the European Data Protection Board promote the awareness for controllers and processors on risks, rules, safeguards and rights in relation to the processing of personal data. This includes keeping a register of sanctions and breaches. The register should enrol both all warnings and sanctions as detailed as possible and the resolving of breaches. Each supervisory authority shall provide micro, small and medium sized enterprise controllers and processors on request with general information on their responsibilities and obligations in accordance with this Regulation.


Commission proposal and EP Position: 3. The supervisory authority shall, upon request, advise any data subject in exercising the rights under this Regulation and, if appropriate, co-operate with the supervisory authorities in other Member States to this end.
Council General Approach: deleted

Commission proposal and EP Position: 4. For complaints referred to in point (b) of paragraph 1, the supervisory authority shall provide a complaint submission form, which can be completed electronically, without excluding other means of communication.
Council General Approach: 4. For Each supervisory authority shall facilitate the submission of complaints referred to in point (b) of paragraph 1, the supervisory authority shall provide a by measures such as providing a complaint submission form, which can be completed also electronically, without excluding other means of communication.

Commission proposal and EP Position: 5. The performance of the duties of the supervisory authority shall be free of charge for the data subject.
Council General Approach: 5. The performance of the duties tasks of the each supervisory authority shall be free of charge for the data subject and for the data protection officer, if any.


Amendment 155

Commission proposal: 6. Where requests are manifestly excessive, in particular due to their repetitive character, the supervisory authority may charge a fee or not take the action requested by the data subject. The supervisory authority shall bear the burden of proving the manifestly excessive character of the request.
EP Position: 6. Where requests are manifestly excessive, in particular due to their repetitive character, the supervisory authority may charge a reasonable fee or not take the action requested by the data subject. Such a fee shall not exceed the costs of taking the action requested. The supervisory authority shall bear the burden of proving the manifestly excessive character of the request.
Council General Approach: 6. Where requests are manifestly unfounded or excessive, in particular due to because of their repetitive character, the supervisory authority may charge a fee or not take the action requested by the data subject refuse to act on the request. The supervisory authority shall bear the burden of proving demonstrating the manifestly unfounded or excessive character of the request.


Article 53

Powers

Amendment 156

Commission proposal: 1. Each supervisory authority shall have the power:
EP Position: 1. Each supervisory authority shall, in line with this Regulation, have the power:
Council General Approach: 1. Each Member State shall provide by law that its supervisory authority shall have at least the following investigative powers:

Commission proposal: (a) to notify the controller or the processor of an alleged breach of the provisions governing the processing of personal data, and, where appropriate, order the controller or the processor to remedy that breach, in a specific manner, in order to improve the protection of the data subject;
EP Position: (a) to notify the controller or the processor of an alleged breach of the provisions governing the processing of personal data, and, where appropriate, order the controller or the processor to remedy that breach, in a specific manner, in order to improve the protection of the data subject, or to order the controller to communicate a personal data breach to the data subject;
Council General Approach: (a) to notify order the controller or and the processor of an alleged breach of the provisions governing the processing of personal data, and, where appropriate applicable, order the controller’s or the processor to remedy that breach, in a specific manner, in order to improve the protection of the data subject representative to provide any information it requires for the performance of its tasks;

(aa) to carry out investigations in the form of data protection audits;

(ab) to carry out a review on certifications issued pursuant to Article 39(4);


Commission proposal and EP Position: (b) to order the controller or the processor to comply with the data subject's requests to exercise the rights provided by this Regulation;
Council General Approach: deleted

Commission proposal and EP Position: (c) to order the controller and the processor, and, where applicable, the representative to provide any information relevant for the performance of its duties;
Council General Approach: deleted

Commission proposal and EP Position: (d) to ensure the compliance with prior authorisations and prior consultations referred to in Article 34;
Council General Approach: (d) to ensure notify the compliance with prior authorisations and prior consultations referred to in Article 34 controller or the processor of an alleged infringement of this Regulation;

(da) to obtain, from the controller and the processor, access to all personal data and to all information necessary for the performance of its tasks;

(db) to obtain access to any premises of the controller and the processor, including to any data processing equipment and means, in conformity with Union law or Member State procedural law.


1a.

1b. Each Member State shall provide by law that its supervisory authority shall have the following corrective powers:

(a) to issue warnings to a controller or processor that intended processing operations are likely to infringe provisions of this Regulation;

(b) to issue warnings to a controller or processor that intended processing operations are likely to infringe provisions of this Regulation;

(c)

(ca) to order the controller or the processor to comply with the data subject's requests to exercise his or her rights pursuant to this Regulation


(d) to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period; in particular by ordering the rectification, restriction or erasure of data pursuant to Articles 16, 17 and 17a and the notification of such actions to recipients to whom the data have been disclosed pursuant to Articles 17(2a) and 17b;

Commission proposal and EP Position: (e) to warn or admonish the controller or the processor;
Council General Approach: (e) to impose a temporary or definitive limitation on processing;

Commission proposal and EP Position: (f) to order the rectification, erasure or destruction of all data when they have been processed in breach of the provisions of this Regulation and the notification of such actions to third parties to whom the data have been disclosed;
Council General Approach: (f) deleted


Commission proposal and EP Position: (g) to impose a temporary or definitive ban on processing;
Council General Approach: (g) to impose a temporary or definitive ban on processing; an administrative fine pursuant to Articles 79 and 79a, in addition to, or instead of measures referred to in this paragraph, depending on the circumstances of each individual case.

Commission proposal and EP Position: (h) to suspend data flows to a recipient in a third country or to an international organisation;
Council General Approach: (h) to order the suspend suspension of data flows to a recipient in a third country or to an international organisation;

Commission proposal and EP Position: (i) to issue opinions on any issue related to the protection of personal data;
Council General Approach: deleted

(ia) to certify controllers and processors pursuant to Article 39;

Commission proposal: (j) to inform the national parliament, the government or other political institutions as well as the public on any issue related to the protection of personal data.
EP Position: (j) to inform the national parliament, the government or other political institutions as well as the public on any issue related to the protection of personal data;
Council General Approach: deleted


(ja) to put in place effective mechanisms to encourage confidential reporting of breaches of this Regulation, taking into account guidance issued by the European Data Protection Board pursuant to Article 66(4b).

1c. Each Member State shall provide by law that its supervisory authority shall have the following authorisation and advisory powers:

(a) to advise the controller in accordance with the prior consultation procedure referred to in Article 34;

(aa) to issue, on its own initiative or on request, opinions to the national parliament, the Member State government or, in accordance with national law, to other institutions and bodies as well as to the public on any issue related to the protection of personal data;


(ab) to authorise processing referred to in Article 34(7a), if the law of the Member State requires such prior authorisation;

(ac) to issue an opinion and approve draft codes of conduct pursuant to Article 38(2);

(ad) to accredit certification bodies under the terms of Article 39a;

(ae) to issue certifications and approve criteria of certification in accordance with Article 39(2a);

(b) to adopt standard data protection clauses referred to in point (c) of Article 42(2);

(c) to authorise contractual clauses referred to in point (a) of Article 42(2a);

(ca) to authorise administrative agreements referred to in point (d) of Article 42 (2a);

(d) to approve binding corporate rules pursuant to Article 43.


Commission proposal: 2. Each supervisory authority shall have the investigative power to obtain from the controller or the processor:
EP Position: 2. Each supervisory authority shall have the investigative power to obtain from the controller or the processor without prior notice:
Council General Approach: 2. Each supervisory authority shall have the investigative power to obtain from the controller or the processor: The exercise of the powers conferred on the supervisory authority pursuant to this Article shall be subject to appropriate safeguards, including effective judicial remedy and due process, set out in Union and Member State law in accordance with the Charter of Fundamental Rights of the European Union.

Commission proposal: (a) access to all personal data and to all information necessary for the performance of its duties;
EP Position: (a) access to all personal data and to all documents and information necessary for the performance of its duties;
Council General Approach: deleted

Commission proposal and EP Position: (b) access to any of its premises, including to any data processing equipment and means, where there are reasonable grounds for presuming that an activity in violation of this Regulation is being carried out there.
Council General Approach: deleted

Commission proposal and EP Position: The powers referred to in point (b) shall be exercised in conformity with Union law and Member State law.
Council General Approach: deleted


Commission proposal and EP Position: 3. Each supervisory authority shall have the power to bring violations of this Regulation to the attention of the judicial authorities and to engage in legal proceedings, in particular pursuant to Article 74(4) and Article 75(2).
Council General Approach: 3. Each Member State shall provide by law that its supervisory authority shall have the power to bring violations infringements of this Regulation to the attention of the judicial authorities and where appropriate, to commence or engage otherwise in legal proceedings, in particular pursuant to Article 74(4) and Article 75(2), in order to enforce the provisions of this Regulation.

Commission proposal: 4. Each supervisory authority shall have the power to sanction administrative offences, in particular those referred to in Article 79(4), (5) and (6).
EP Position: 4. Each supervisory authority shall have the power to sanction administrative offences, in particular those referred to in accordance with Article 79(4), (5) and (6). This power shall be exercised in an effective, proportionate and dissuasive manner.
Council General Approach: deleted


Article 54

Activity report

Amendment 157

Commission proposal: Each supervisory authority must draw up an annual report on its activities. The report shall be presented to the national parliament and shall be made be available to the public, the Commission and the European Data Protection Board.
EP Position: Each supervisory authority must draw up an annual a report on its activities at least every two years. The report shall be presented to the national respective parliament and shall be made be available to the public, the Commission and the European Data Protection Board.
Council General Approach: Each supervisory authority must shall draw up an annual report on its activities. The report shall be presented transmitted to the national pParliament, the government and other authorities as designated by national law. and It shall be made be available to the public, the European Commission and the European Data Protection Board.


Amendment 157

Article 54a (new)

Lead Authority

1. Where the processing of personal data takes place in the context of the activities of an establishment of a controller or a processor in the Union, and the controller or processor is established in more than one Member State, or where personal data of the residents of several Member States are processed, the supervisory authority of the main establishment of the controller or processor shall act as the lead authority responsible for the supervision of the processing activities of the controller or the processor in all Member States, in accordance with the provisions of Chapter VII of this Regulation.


2. The lead supervisory authority shall take appropriate measures for the supervision of the processing activities of the controller or processor for which it is responsible only after consulting all other competent supervisory authorities within the meaning of paragraph 1 of Article 51(1) in an endeavour to reach a consensus. For that purpose it shall in particular submit any relevant information and consult the other authorities before it adopts a measure intended to produce legal effects vis-à-vis a controller or a processor within the meaning of paragraph 1 of Article 51(1). The lead authority shall take the utmost account of the opinions of the authorities involved. The lead authority shall be the sole authority empowered to decide on measures intended to produce legal effects as regards the processing activities of the controller or processor for which it is responsible


3. The European Data Protection Board shall, at the request of a competent supervisory authority, issue an opinion on the identification of the lead authority responsible for a controller or processor, in cases where:

(a) it is unclear from the facts of the case where the main establishment of the controller or processor is located; or

(b) the competent authorities do not agree on which supervisory authority shall act as lead authority; or

(c) the controller is not established in the Union, and residents of different Member States are affected by processing operations within the scope of this Regulation.


3a. Where the controller exercises also activities as a processor, the supervisory authority of the main establishment of the controller shall act as lead authority for the supervision of processing activities.

4. The European Data Protection Board may decide on the identification of the lead authority.


CHAPTER VII

CO-OPERATION AND CONSISTENCY

SECTION 1

CO-OPERATION

Article 54a

Cooperation between the lead supervisory authority and other concerned supervisory authorities

1. The lead supervisory authority shall cooperate with the other concerned supervisory authorities in accordance with this article in an endeavour to reach consensus. The lead supervisory authority and the concerned supervisory authorities shall exchange all relevant information with each other.


1a. The lead supervisory authority may request at any time other concerned supervisory authorities to provide mutual assistance pursuant to Article 55 and may conduct joint operations pursuant to Article 56, in particular for carrying out investigations or for monitoring the implementation of a measure concerning a controller or processor established in another Member State.

2. The lead supervisory authority shall, without delay communicate the relevant information on the matter to the other concerned supervisory authorities. It shall without delay submit a draft decision to the other concerned supervisory authorities for their opinion and take due account of their views.


3. Where any of the other concerned supervisory authorities within a period of four weeks after having been consulted in accordance with paragraph 2, expresses a relevant and reasoned objection to the draft decision, the lead supervisory authority shall, if it does not follow the objection or is of the opinion it is not relevant and reasoned, submit the matter to the consistency mechanism referred to in Article 57.

3a. Where the lead supervisory authority intends to follow the objection made, it shall submit to the other concerned supervisory authorities a revised draft decision for their opinion. This revised draft decision shall be subject to the procedure referred to in paragraph 3 within a period of two weeks.


4. Where none of the other concerned supervisory authority has objected to the draft decision submitted by the lead supervisory authority within the period referred to in paragraphs 3 and 3a, the lead supervisory authority and the concerned supervisory authorities shall be deemed to be in agreement with this draft decision and shall be bound by it.

4a. The lead supervisory authority shall adopt and notify the decision to the main establishment or single establishment of the controller or processor, as the case may be and inform the other concerned supervisory authorities and the European Data Protection Board of the decision in question including a summary of the relevant facts and grounds. The supervisory authority to which a complaint has been lodged shall inform the complainant on the decision.


4b. By derogation from paragraph 4a, where a complaint is dismissed or rejected, the supervisory authority to which the complaint was lodged shall adopt the decision and notify it to the complainant and shall inform the controller thereof.

4bb. Where the lead supervisory authority and the concerned supervisory authorities are in agreement to dismiss or reject parts of a complaint and to act on other parts of that complaint, a separate decision shall be adopted for each of those parts of the matter. The lead supervisory authority shall adopt the decision for the part concerning actions in relation to the controller and notify it to the main establishment or single establishment of the controller or processor on the territory of its Member State and shall inform the complainant thereof, while the supervisory authority of the complainant shall adopt the decision for the part concerning dismissal or rejection of that complaint and notify it on that complainant and shall inform the controller or processor thereof.

4c. After being notified of the decision of the lead supervisory authority pursuant to paragraph 4a and 4bb, the controller or processor shall take the necessary measures to ensure compliance with the decision as regards the processing activities in the context of all its establishments in the Union. The controller or processor shall notify the measures taken for complying with the decision to the lead supervisory authority, which shall inform the other concerned supervisory authorities.

4d. Where, in exceptional circumstances, a concerned supervisory authority has reasons to consider that there is an urgent need to act in order to protect the interests of data subjects, the urgency procedure referred to in Article 61 shall apply.


5. The lead supervisory authority and the supervisory authorities concerned shall supply the information required under this Article to each other by electronic means, using a standardised format.


Article 55

Mutual assistance

Amendment 159

Commission proposal: 1. Supervisory authorities shall provide each other relevant information and mutual assistance in order to implement and apply this Regulation in a consistent manner, and shall put in place measures for effective co-operation with one another. Mutual assistance shall cover, in particular, information requests and supervisory measures, such as requests to carry out prior authorisations and consultations, inspections and prompt information on the opening of cases and ensuing developments where data subjects in several Member States are likely to be affected by processing operations.
EP Position: 1. Supervisory authorities shall provide each other relevant information and mutual assistance in order to implement and apply this Regulation in a consistent manner, and shall put in place measures for effective co-operation with one another. Mutual assistance shall cover, in particular, information requests and supervisory measures, such as requests to carry out prior authorisations and consultations, inspections and investigations and prompt information on the opening of cases and ensuing developments where the controller or processor has establishments in several Member States or where data subjects in several Member States are likely to be affected by processing operations. The lead authority as defined in Article 54a shall ensure the coordination with involved supervisory authorities and shall act as the single contact point for the controller or processor.
Council General Approach: 1. Supervisory authorities shall provide each other with relevant information and mutual assistance in order to implement and apply this Regulation in a consistent manner, and shall put in place measures for effective co-operation with one another. Mutual assistance shall cover, in particular, information requests and supervisory measures, such as requests to carry out prior authorisations and consultations, inspections and prompt information on the opening of cases and ensuing developments where data subjects in several Member States are likely to be affected by processing operations investigations.

Commission proposal and EP Position: 2. Each supervisory authority shall take all appropriate measures required to reply to the request of another supervisory authority without delay and no later than one month after having received the request. Such measures may include, in particular, the transmission of relevant information on the course of an investigation or enforcement measures to bring about the cessation or prohibition of processing operations contrary to this Regulation.
Council General Approach: 2. Each supervisory authority shall take all appropriate measures required to reply to the request of another supervisory authority without undue delay and no later than one month after having received the request. Such measures may include, in particular, the transmission of relevant information on the course conduct of an investigation or enforcement measures to bring about the cessation or prohibition of processing operations contrary to this Regulation.

Commission proposal and EP Position: 3. The request for assistance shall contain all the necessary information, including the purpose of the request and reasons for the request. Information exchanged shall be used only in respect of the matter for which it was requested.
Council General Approach: 3. The request for assistance shall contain all the necessary information, including the purpose of the request and reasons for the request. Information exchanged shall be used only in respect of the matter for the purpose for which it was requested.


Commission proposal, EP Position and Council General Approach: 4. A supervisory authority to which a request for assistance is addressed may not refuse to comply with it unless:

Commission proposal and EP Position: (a) it is not competent for the request; or
Council General Approach: (a) it is not competent for the subject-matter of the request or for the measures it is requested to execute; or

Commission proposal and EP Position: (b) compliance with the request would be incompatible with the provisions of this Regulation.
Council General Approach: (b) compliance with the request would be incompatible with the provisions of this Regulation or with Union or Member State law to which the supervisory authority receiving the request is subject.

Commission proposal and EP Position: 5. The requested supervisory authority shall inform the requesting supervisory authority of the results or, as the case may be, of the progress or the measures taken in order to meet the request by the requesting supervisory authority.
Council General Approach: 5. The requested supervisory authority shall inform the requesting supervisory authority of the results or, as the case may be, of the progress or the measures taken in order to meet respond to the request by the requesting supervisory authority. In cases of a refusal under paragraph 4, it shall explain its reasons for refusing the request.


Commission proposal and EP Position: 6. Supervisory authorities shall supply the information requested by other supervisory authorities by electronic means and within the shortest possible period of time, using a standardised format.
Council General Approach: 6. Supervisory authorities shall, as a rule, supply the information requested by other supervisory authorities by electronic means and within the shortest possible period of time, using a standardised format.

    Amendment 160

Commission proposal: 7. No fee shall be charged for any action taken following a request for mutual assistance.
EP Position: 7. No fee shall be charged to the requesting supervisory authority for any action taken following a request for mutual assistance.
Council General Approach: 7. No fee shall be charged for any action taken following a request for mutual assistance. Supervisory authorities may agree with other supervisory authorities rules for indemnification by other supervisory authorities for specific expenditure arising from the provision of mutual assistance in exceptional circumstances.

    Amendment 161

Commission proposal: 8. Where a supervisory authority does not act within one month on request of another supervisory authority, the requesting supervisory authorities shall be competent to take a provisional measure on the territory of its Member State in accordance with Article 51(1) and shall submit the matter to the European Data Protection Board in accordance with the procedure referred to in Article 57.
EP Position: 8. Where a supervisory authority does not act within one month on request of another supervisory authority, the requesting supervisory authorities shall be competent to take a provisional measure on the territory of its Member State in accordance with Article 51(1) and shall submit the matter to the European Data Protection Board in accordance with the procedure referred to in Article 57. Where no definitive measure is yet possible because the assistance is not yet completed, the requesting supervisory authority may take interim measures under Article 53 in the territory of its Member State.
Council General Approach: 8. Where a supervisory authority does not act provide the information referred to in paragraph 5 within one month of receiving the on request of another supervisory authority, the requesting supervisory authoritiesy shall be competent to take may adopt a provisional measure on the territory of its Member State in accordance with Article 51(1) and shall submit the matter to the European Data Protection Board in accordance with the procedure consistency mechanism referred to in Article 57.

Amendment 162

Commission proposal: 9. The supervisory authority shall specify the period of validity of such provisional measure. This period shall not exceed three months. The supervisory authority shall, without delay, communicate those measures, with full reasons, to the European Data Protection Board and to the Commission.
EP Position: 9. The supervisory authority shall specify the period of validity of such provisional measure. This period shall not exceed three months. The supervisory authority shall, without delay, communicate those measures, with full reasons, to the European Data Protection Board and to the Commission in accordance with the procedure referred to in Article 57.
Council General Approach: 9. The supervisory authority shall specify the period of validity of such provisional measure which . This period shall not exceed three months. The supervisory authority shall, without delay, communicate those such a measures, together with full its reasons for adopting it, to the European Data Protection Board and to the Commission in accordance with the consistency mechanism referred to in Article 57.

Amendment 163

  • 10. 
    Commission proposal: The Commission may specify the format and procedures for mutual assistance referred to in this article and the arrangements for the exchange of information by electronic means between supervisory authorities, and between supervisory authorities and the European Data Protection Board, in particular the standardised format referred to in paragraph 6. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

    EP Position: 10. The Commission European Data Protection Board may specify the format and procedures for mutual assistance referred to in this article and the arrangements for the exchange of information by electronic means between supervisory authorities, and between supervisory authorities and the European Data Protection Board, in particular the standardised format referred to in paragraph 6. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

    Council General Approach: 10. The Commission may specify the format and procedures for mutual assistance referred to in this article and the arrangements for the exchange of information by electronic means between supervisory authorities, and between supervisory authorities and the European Data Protection Board, in particular the standardised format referred to in paragraph 6. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

Article 56

Joint operations of supervisory authorities

  • 1. 
    Commission proposal: In order to step up co-operation and mutual assistance, the supervisory authorities shall carry out joint investigative tasks, joint enforcement measures and other joint operations, in which designated members or staff from other Member States' supervisory authorities are involved.

    EP Position: 1. In order to step up co-operation and mutual assistance, the supervisory authorities shall carry out joint investigative tasks, joint enforcement measures and other joint operations, in which designated members or staff from other Member States' supervisory authorities are involved.

    Council General Approach: 1. In order to step up co-operation and mutual assistance, Tthe supervisory authorities shall carry out may, where appropriate, conduct joint operations including joint investigations and investigative tasks, joint enforcement measures and other joint operations, in which designated members or staff from other Member States' supervisory authorities are involved.

    Amendment 164

  • 2. 
    Commission proposal: In cases where data subjects in several Member States are likely to be affected by processing operations, a supervisory authority of each of those Member States shall have the right to participate in the joint investigative tasks or joint operations, as appropriate. The competent supervisory authority shall invite the supervisory authority of each of those Member States to take part in the respective joint investigative tasks or joint operations and respond to the request of a supervisory authority to participate in the operations without delay.

    EP Position: 2. In cases where the controller or processor has establishments in several Member States or where data subjects in several Member States are likely to be affected by processing operations, a supervisory authority of each of those Member States shall have the right to participate in the joint investigative tasks or joint operations, as appropriate. The competent supervisory authority lead authority as defined in Article 54a shall invite involve the supervisory authority of each of those Member States to take part in the respective joint investigative tasks or joint operations and respond to the request of a supervisory authority to participate in the operations without delay. The lead authority shall act as the single contact point for the controller or processor.

    Council General Approach: 2. In cases where the controller or processor has establishments in several Member States or where a significant number of data subjects in several more than one Member States are likely to be substantially affected by processing operations, a supervisory authority of each of those Member States shall have the right to participate in the joint investigative tasks or joint operations, as appropriate. The competent supervisory authority shall invite the supervisory authority of each of those Member States to take part in the respective joint investigative tasks or joint operations concerned and respond without delay to the request of a supervisory authority to participate in the operations without delay.

  • 3. 
    Commission proposal: Each supervisory authority may, as a host supervisory authority, in compliance with its own national law, and with the seconding supervisory authority’s authorisation, confer executive powers, including investigative tasks on the seconding supervisory authority’s members or staff involved in joint operations or, in so far as the host supervisory authority’s law permits, allow the seconding supervisory authority’s members or staff to exercise their executive powers in accordance with the seconding supervisory authority’s law. Such executive powers may be exercised only under the guidance and, as a rule, in the presence of members or staff from the host supervisory authority. The seconding supervisory authority's members or staff shall be subject to the host supervisory authority's national law. The host supervisory authority shall assume responsibility for their actions.

    EP Position: 3. Each supervisory authority may, as a host supervisory authority, in compliance with its own national law, and with the seconding supervisory authority’s authorisation, confer executive powers, including investigative tasks on the seconding supervisory authority’s members or staff involved in joint operations or, in so far as the host supervisory authority’s law permits, allow the seconding supervisory authority’s members or staff to exercise their executive powers in accordance with the seconding supervisory authority’s law. Such executive powers may be exercised only under the guidance and, as a rule, in the presence of members or staff from the host supervisory authority. The seconding supervisory authority's members or staff shall be subject to the host supervisory authority's national law. The host supervisory authority shall assume responsibility for their actions.

    Council General Approach: 3. Each A supervisory authority may, as a host supervisory authority, in compliance with its own national Member State law, and with the seconding supervisory authority’s authorisation, confer executive powers, including investigative tasks powers on the seconding supervisory authority’s members or staff involved in joint operations or, in so far as the law of the Member State of the host supervisory authority’s law permits, allow the seconding supervisory authority’s members or staff to exercise their executive investigative powers in accordance with the law of the Member State of the seconding supervisory authority’s law. Such executive investigative powers may be exercised only under the guidance and, as a rule, in the presence of members or staff from of the host supervisory authority. The seconding supervisory authority's members or staff shall be subject to the host supervisory authority's national law. The host supervisory authority shall assume responsibility for their actions.

3a. Where, in accordance with paragraph 1, staff of a seconding supervisory authority are operating in another Member State, the Member State of the host supervisory authority shall be liable for any damage caused by them during their operations, in accordance with the law of the Member State in whose territory they are operating.

3b. The Member State in whose territory the damage was caused shall make good such damage under the conditions applicable to damage caused by its own staff. The Member State of the seconding supervisory authority whose staff has caused damage to any person in the territory of another Member State shall reimburse the latter in full any sums it has paid to the persons entitled on their behalf.

3c. Without prejudice to the exercise of its rights vis-à-vis third parties and with the exception of paragraph 3b, each Member State shall refrain, in the case provided for in paragraph 1, from requesting reimbursement of damages it has sustained from another Member State.

  • 4. 
    Commission proposal: Supervisory authorities shall lay down the practical aspects of specific co-operation actions.

    EP Position: 4. Supervisory authorities shall lay down the practical aspects of specific co-operation actions.

    Council General Approach: deleted

  • 5. 
    Commission proposal: Where a supervisory authority does not comply within one month with the obligation laid down in paragraph 2, the other supervisory authorities shall be competent to take a provisional measure on the territory of its Member State in accordance with Article 51(1).

    EP Position: 5. Where a supervisory authority does not comply within one month with the obligation laid down in paragraph 2, the other supervisory authorities shall be competent to take a provisional measure on the territory of its Member State in accordance with Article 51(1).

    Council General Approach: 5. Where a joint operation is intended and a supervisory authority does not comply within one month with the obligation laid down in the second sentence of paragraph 2, the other supervisory authorities shall be competent to take may adopt a provisional measure on the territory of its Member State in accordance with Article 51(1).

  • 6. 
    Commission proposal: The supervisory authority shall specify the period of validity of a provisional measure referred to in paragraph 5. This period shall not exceed three months. The supervisory authority shall, without delay, communicate those measures, with full reasons, to the European Data Protection Board and to the Commission and shall submit the matter in the mechanism referred to in Article 57.

    EP Position: 6. The supervisory authority shall specify the period of validity of a provisional measure referred to in paragraph 5. This period shall not exceed three months. The supervisory authority shall, without delay, communicate those measures, with full reasons, to the European Data Protection Board and to the Commission and shall submit the matter in the mechanism referred to in Article 57.

    Council General Approach: 6. The supervisory authority shall specify the period of validity of a provisional measure referred to in paragraph 5 which . This period shall not exceed three months. The supervisory authority shall, without delay, communicate those such a measures, together with full its reasons for adopting it, to the European Data Protection Board and to the Commission and shall submit the matter in the in accordance with the consistency mechanism referred to in Article 57.

SECTION 2

CONSISTENCY

Article 57

Consistency mechanism

Amendment 165

Commission proposal: For the purposes set out in Article 46(1), the supervisory authorities shall co-operate with each other and the Commission through the consistency mechanism as set out in this section.

EP Position: For the purposes set out in Article 46(1), the supervisory authorities shall co-operate with each other and the Commission through the consistency mechanism as set out both on matters of general application and in individual cases in accordance with the provisions of in this section.

Council General Approach: 1. For the purposes set out in Article 46(1a), the supervisory authorities shall co-operate with each other and the Commission through the consistency mechanism as set out in this section.

2. The European Data Protection Board shall issue an opinion whenever a competent supervisory authority intends to adopt any of the measures below. To that end, the competent supervisory authority shall communicate the draft decision to the European Data Protection Board, when it:

(a)

(b)

(c) aims at adopting a list of the processing operations subject to the requirement for a data protection impact assessment pursuant to Article 33(2a); or

(ca) concerns a matter pursuant to Article 38(2b) whether a draft code of conduct or an amendment or extension to a code of conduct is in compliance with this Regulation; or

(cb) aims at approving the criteria for accreditation of a body pursuant to paragraph 3 of Article 38a or a certification body pursuant to paragraph 3 of Article 39a;

(d) aims at determining standard data protection clauses referred to in point (c) of Article 42(2); or

(e) aims to authorising contractual clauses referred to in point (d) of Article 42(2); or

(f) aims at approving binding corporate rules within the meaning of Article 43.

3. The European Data Protection Board shall adopt a binding decision in the following cases:

a) Where, in a case referred to in paragraph 3 of Article 54a, a concerned supervisory authority has expressed a relevant and reasoned objection to a draft decision of the lead authority or the lead authority has rejected an objection as being not relevant and/or reasoned. The binding decision shall concern all the matters which are the subject of the relevant and reasoned objection, in particular whether there is an infringement of the Regulation;

b) Where, there are conflicting views on which of the concerned supervisory authorities is competent for the main establishment;

c) ;

d) Where a competent supervisory authority does not request the opinion of the European Data Protection Board in the cases mentioned in paragraph 2 of this Article, or does not follow the opinion of the European Data Protection Board issued under Article 58. In that case, any concerned supervisory authority or the Commission may communicate the matter to the European Data Protection Board.

4. Any supervisory authority, the Chair of the European Data Protection Board or the Commission may request that any matter of general application or producing effects in more than one Member State be examined by the European Data Protection Board with a view to obtaining an opinion, in particular where a competent supervisory authority does not comply with the obligations for mutual assistance in accordance with Article 55 or for joint operations in accordance with Article 56.

5. Supervisory authorities and the Commission shall electronically communicate to the European Data Protection Board, using a standardised format any relevant information, including as the case may be a summary of the facts, the draft decision, the grounds which make the enactment of such measure necessary, and the views of other concerned supervisory authorities.

6. The chair of the European Data Protection Board shall without undue delay electronically inform the members of the European Data Protection Board and the Commission of any relevant information which has been communicated to it using a standardised format. The secretariat of the European Data Protection Board shall, where necessary, provide translations of relevant information.

Article 58

Amendment 166

Commission proposal: Opinion by the European Data Protection Board

EP Position: Opinion by the European Data Protection Board Consistency on matters of general application

Council General Approach: Opinion by the European Data Protection Board

  • 1. 
    Commission proposal: Before a supervisory authority adopts a measure referred to in paragraph 2, this supervisory authority shall communicate the draft measure to the European Data Protection Board and the Commission.

    EP Position: 1. Before a supervisory authority adopts a measure referred to in paragraph 2, this supervisory authority shall communicate the draft measure to the European Data Protection Board and the Commission.

    Council General Approach: deleted

  • 2. 
    Commission proposal: The obligation set out in paragraph 1 shall apply to a measure intended to produce legal effects and which:

    EP Position: 2. The obligation set out in paragraph 1 shall apply to a measure intended to produce legal effects and which:

    Council General Approach: deleted

Commission proposal: (a) relates to processing activities which are related to the offering of goods or services to data subjects in several Member States, or to the monitoring of their behaviour; or

EP Position: deleted

Council General Approach: deleted

Commission proposal: (b) may substantially affect the free movement of personal data within the Union; or

EP Position: deleted

Council General Approach: deleted

Commission proposal: (c) aims at adopting a list of the processing operations subject to prior consultation pursuant to Article 34(5); or

EP Position: deleted

Council General Approach: deleted

Commission proposal: (d) aims to determine standard data protection clauses referred to in point (c) of Article 42(2); or

EP Position: (d) aims to determine standard data protection clauses referred to in point (c) of Article 42(2); or

Council General Approach: deleted

Commission proposal: (e) aims to authorise contractual clauses referred to in point (d) of Article 42(2); or

EP Position: (e) aims to authorise contractual clauses referred to in point (d) of Article 42(2); or

Council General Approach: deleted

Commission proposal: (f) aims to approve binding corporate rules within the meaning of Article 43.

EP Position: (f) aims to approve binding corporate rules within the meaning of Article 43.

Council General Approach: deleted

  • 3. 
    Commission proposal: Any supervisory authority or the European Data Protection Board may request that any matter shall be dealt with in the consistency mechanism, in particular where a supervisory authority does not submit a draft measure referred to in paragraph 2 or does not comply with the obligations for mutual assistance in accordance with Article 55 or for joint operations in accordance with Article 56.

    EP Position: 3. Any supervisory authority or the European Data Protection Board may request that any matter of general application shall be dealt with in the consistency mechanism, in particular where a supervisory authority does not submit a draft measure referred to in paragraph 2 or does not comply with the obligations for mutual assistance in accordance with Article 55 or for joint operations in accordance with Article 56.

    Council General Approach: deleted

  • 4. 
    Commission proposal: In order to ensure correct and consistent application of this Regulation, the Commission may request that any matter shall be dealt with in the consistency mechanism.

    EP Position: 4. In order to ensure correct and consistent application of this Regulation, the Commission may request that any matter of general application shall be dealt with in the consistency mechanism.

    Council General Approach: deleted

  • 5. 
    Commission proposal: Supervisory authorities and the Commission shall electronically communicate any relevant information, including as the case may be a summary of the facts, the draft measure, and the grounds which make the enactment of such measure necessary, using a standardised format.

    EP Position: 5. Supervisory authorities and the Commission shall without undue delay electronically communicate any relevant information, including as the case may be a summary of the facts, the draft measure, and the grounds which make the enactment of such measure necessary, using a standardised format.

    Council General Approach: deleted

  • 6. 
    Commission proposal: The chair of the European Data Protection Board shall immediately electronically inform the members of the European Data Protection Board and the Commission of any relevant information which has been communicated to it, using a standardised format. The chair of the European Data Protection Board shall provide translations of relevant information, where necessary.

    EP Position: 6. The chair of the European Data Protection Board shall immediately without undue delay electronically inform the members of the European Data Protection Board and the Commission of any relevant information which has been communicated to it, using a standardised format. The chair secretariat of the European Data Protection Board shall provide translations of relevant information, where necessary.

    Council General Approach: deleted

6a. The European Data Protection Board shall adopt an opinion on matters referred to it under paragraph 2.

  • 7. 
    Commission proposal: The European Data Protection Board shall issue an opinion on the matter, if the European Data Protection Board so decides by simple majority of its members or any supervisory authority or the Commission so requests within one week after the relevant information has been provided according to paragraph 5. The opinion shall be adopted within one month by simple majority of the members of the European Data Protection Board. The chair of the European Data Protection Board shall inform, without undue delay, the supervisory authority referred to, as the case may be, in paragraphs 1 and 3, the Commission and the supervisory authority competent under Article 51 of the opinion and make it public.

    EP Position: 7. The European Data Protection Board shall issue may decide by simple majority whether to adopt an opinion on the any matter, if the European Data Protection Board so decides by simple majority of its members or any supervisory authority or the Commission so requests within one week after the relevant information has been provided according to paragraph 5. The opinion shall be adopted within one month by simple majority of the members of the European Data Protection Board. The chair of the European Data Protection Board shall inform, without undue delay, the supervisory authority referred to, as the case may be, in paragraphs 1 and 3, the Commission and the supervisory authority competent under Article 51 of the opinion and make it public. submitted under paragraphs 3 and 4 taking into account :

    (a) whether the matter presents elements of novelty, taking account of legal or factual developments, in particular in information technology and in the light of the state of progress in the information society; and

    (b) whether the European Data Protection Board has already issued an opinion on the same matter.

    Council General Approach: 7. In the cases referred to in paragraphs 2 and 4 of Article 57, Tthe European Data Protection Board shall issue an opinion on the same matter., if the European Data Protection Board so decides by simple majority of its members or any supervisory authority or the Commission so requests within one week after the relevant information has been provided according to paragraph 5. The This opinion shall be adopted within one month by simple majority of the members of the European Data Protection Board. The chair of the European Data Protection Board shall inform, without undue delay, the supervisory authority referred to, as the case may be, in paragraphs 1 and 3, the Commission and the supervisory authority competent under Article 51 of the opinion and make it public This period may be extended by a further month, taking into account the complexity of the subject matter. Regarding the draft decision circulated to the members of the Board in accordance with paragraph 6 of Article 57, a member which has not objected within the period indicated by the Chair, shall be deemed to be in agreement with the draft decision.

7a. Within the period referred to in paragraph 7 the competent supervisory authority shall not adopt its draft decision in accordance with paragraph 2 of Article 57.

7b. The chair of the European Data Protection Board shall inform, without undue delay, the supervisory authority referred to, as the case may be, in paragraphs 2 and 4 of Article 57 and the Commission of the opinion and make it public.

  • 8. 
    Commission proposal: The supervisory authority referred to in paragraph 1 and the supervisory authority competent under Article 51 shall take account of the opinion of the European Data Protection Board and shall within two weeks after the information on the opinion by the chair of the European Data Protection Board, electronically communicate to the chair of the European Data Protection Board and to the Commission whether it maintains or amends its draft measure and, if any, the amended draft measure, using a standardised format.

    EP Position: 8. The supervisory authority referred to in paragraph 1 and the supervisory authority competent under Article 51 shall take account of the opinion of the European Data Protection Board and shall within two weeks after the information on the opinion by the chair of the European Data Protection Board, electronically communicate to the chair of the European Data Protection Board and to the Commission whether it maintains or amends its draft measure and, if any, the amended draft measure, using a standardised format. The European Data Protection Board shall adopt opinions pursuant to paragraphs 6a and 7 by a simple majority of its members. These opinions shall be made public.

    Council General Approach: 8. The supervisory authority referred to in paragraph 1 2 of Article 57 and the supervisory authority competent under Article 51 shall take utmost account of the opinion of the European Data Protection Board and shall within two weeks after the information on receiving the opinion by the chair of the European Data Protection Board, electronically communicate to the chair of the European Data Protection Board and to the Commission whether it maintains or will amends its draft measure decision and, if any, the amended draft measure decision, using a standardised format.

9. Where the concerned supervisory authority informs the chair of the European Data Protection Board within the period referred to in paragraph 8 that it does not intend to follow the opinion of the Board, in whole or in part, providing the relevant grounds, paragraph 3 of Article 57 shall apply.

Amendment 167

Article 58a (new)

Consistency in individual cases

1. Before taking a measure intended to produce legal effects within the meaning of Article 54a, the lead authority shall share all relevant information and submit the draft measure to all other competent authorities. The lead authority shall not adopt the measure if a competent authority has, within a period of three weeks, indicated it has serious objections to the measure.

2. Where a competent authority has indicated that it has serious objections to a draft measure of the lead authority, or where the lead authority does not submit a draft measure referred to in paragraph 1 or does not comply with the obligations for mutual assistance in accordance with Article 55 or for joint operations in accordance with Article 56, the issue shall be considered by the European Data Protection Board.

3. The lead authority and/or other competent authorities involved and the Commission shall without undue delay electronically communicate to the European Data Protection Board using a standardised format any relevant information, including as the case may be a summary of the facts, the draft measure, the grounds which make the enactment of such measure necessary, the objections raised against it and the views of other supervisory authorities concerned.

4. The European Data Protection Board shall consider the issue, taking into account the impact of the draft measure of the lead authority on the fundamental rights and freedoms of data subjects, and shall decide by simple majority of its members whether to issue an opinion on the matter within two weeks after the relevant information has been provided pursuant to paragraph 3.

5. In case the European Data Protection Board decides to issue an opinion, it shall do so within six weeks and make the opinion public.

6. The lead authority shall take utmost account of the opinion of the European Data Protection Board and shall within two weeks after the information on the opinion by the chair of the European Data Protection Board, electronically communicate to the chair of the European Data Protection Board and to the Commission whether it maintains or amends its draft measure and, if any, the amended draft measure, using a standardised format. Where the lead authority intends not to follow the opinion of the European Data Protection Board, it shall provide a reasoned justification.

7. In case the European Data Protection Board still objects to the measure of the supervisory authority as referred to in paragraph 5, it may within one month adopt by a two thirds majority a measure which shall be binding upon the supervisory authority.

Article 58a

Dispute Resolution by the European Data Protection Board

1. In the cases referred to in paragraph 3 of Article 57, the European Data Protection Board shall adopt a decision on the subject-matter submitted to it in order to ensure the correct and consistent application of this Regulation in individual cases. The decision shall be reasoned and addressed to the lead supervisory authority and all the concerned supervisory authorities and binding on them.

2. The decision referred to in paragraph 1 shall be adopted within one month from the referral of the subject-matter by a two-third majority of the members of the Board. This period may be extended by a further month on account of the complexity of the subject-matter.

3. In case the Board has been unable to adopt a decision within the periods referred to in paragraph 2, it shall adopt its decision within two weeks following the expiration of the second month referred to in paragraph 2 by a simple majority of the members of the Board. In case the members of the Board are split, the decision shall be adopted by the vote of its Chair.

4. The concerned supervisory authorities shall not adopt a decision on the subject matter submitted to the Board under paragraph 1 during the periods referred to in paragraphs 2 and 3.

5. (…)

6. The Chair of the European Data Protection Board shall notify, without undue delay, the decision referred to in paragraph 1 to the concerned supervisory authorities. It shall inform the Commission thereof. The decision shall be published on the website of the European Data Protection Board without delay after the supervisory authority has notified the final decision referred to in paragraph 7.

7. The lead supervisory authority or, as the case may be, the supervisory authority to which the complaint has been lodged shall adopt their final decision on the basis of the decision referred to in paragraph 1, without undue delay and at the latest by one month after the European Data Protection Board has notified its decision. The lead supervisory authority or, as the case may be, the supervisory authority to which the complaint has been lodged, shall inform the European Data Protection Board of the date when its final decision is notified respectively to the controller or the processor and the data subject. The final decision of the concerned supervisory authorities shall be adopted under the terms of Article 54a, paragraph 4a, 4b and 4bb. The final decision shall refer to the decision referred to in paragraph 1 and shall specify that the decision referred to in paragraph 1 will be published on the website of the European Data Protection Board in accordance with paragraph 6. The final decision shall attach the decision referred to in paragraph 1.

Amendment 168

Article 59

Opinion by the Commission

  • 1. 
    Commission proposal: Within ten weeks after a matter has been raised under Article 58, or at the latest within six weeks in the case of Article 61, the Commission may adopt, in order to ensure correct and consistent application of this Regulation, an opinion in relation to matters raised pursuant to Articles 58 or 61.

    EP Position: deleted

    Council General Approach: deleted

  • 2. 
    Commission proposal: Where the Commission has adopted an opinion in accordance with paragraph 1, the supervisory authority concerned shall take utmost account of the Commission’s opinion and inform the Commission and the European Data Protection Board whether it intends to maintain or amend its draft measure.

    EP Position: deleted

    Council General Approach: deleted

  • 3. 
    Commission proposal: During the period referred to in paragraph 1, the draft measure shall not be adopted by the supervisory authority.

    EP Position: deleted

    Council General Approach: deleted


  • 4. 
    Commission proposal: Where the supervisory authority concerned intends not to follow the opinion of the Commission, it shall inform the Commission and the European Data Protection Board thereof within the period referred to in paragraph 1 and provide a justification. In this case the draft measure shall not be adopted for one further month.

    EP Position and Council General Approach: deleted


Amendment 169

Article 60 Article 60 Article 60

Suspension of a draft measure Suspension of a draft measure Suspension of a draft measure

  • 1. 
    Commission proposal: Within one month after the communication referred to in Article 59(4), and where the Commission has serious doubts as to whether the draft measure would ensure the correct application of this Regulation or would otherwise result in its inconsistent application, the Commission may adopt a reasoned decision requiring the supervisory authority to suspend the adoption of the draft measure, taking into account the opinion issued by the European Data Protection Board pursuant to Article 58(7) or Article 61(2), where it appears necessary in order to:

    EP Position and Council General Approach: deleted

Commission proposal: (a) reconcile the diverging positions of the supervisory authority and the European Data Protection Board, if this still appears to be possible; or

EP Position and Council General Approach: deleted

Commission proposal: (b) adopt a measure pursuant to point (a) of Article 62(1).

EP Position and Council General Approach: deleted


  • 2. 
    Commission proposal: The Commission shall specify the duration of the suspension which shall not exceed 12 months.

    EP Position and Council General Approach: deleted
  • 3. 
    Commission proposal: During the period referred to in paragraph 2, the supervisory authority may not adopt the draft measure.

    EP Position and Council General Approach: deleted


Amendment 170

Article 60a (new)

Notification of the European Parliament and the Council

The Commission shall notify the European Parliament and the Council at regular intervals, at least every six months, on the basis of a report from the Chair of the European Data Protection Board, of the matters dealt with under the consistency mechanism, setting out the conclusions drawn by the Commission and the European Data Protection Board with a view to ensuring the consistent implementation and application of this Regulation.


Article 61 Article 61 Article 61

Urgency procedure Urgency procedure Urgency procedure

Amendment 171

  • 1. 
    Commission proposal: In exceptional circumstances, where a supervisory authority considers that there is an urgent need to act in order to protect the interests of data subjects, in particular when the danger exists that the enforcement of a right of a data subject could be considerably impeded by means of an alteration of the existing state or for averting major disadvantages or for other reasons, by way of derogation from the procedure referred to in Article 58, it may immediately adopt provisional measures with a specified period of validity. The supervisory authority shall, without delay, communicate those measures, with full reasons, to the European Data Protection Board and to the Commission.

    EP Position: In exceptional circumstances, where a supervisory authority considers that there is an urgent need to act in order to protect the interests of data subjects, in particular when the danger exists that the enforcement of a right of a data subject could be considerably impeded by means of an alteration of the existing state or for averting major disadvantages or for other reasons, by way of derogation from the procedure referred to in Article 5858a, it may immediately adopt provisional measures with a specified period of validity. The supervisory authority shall, without delay, communicate those measures, with full reasons, to the European Data Protection Board and to the Commission.

    Council General Approach: In exceptional circumstances, where a concerned supervisory authority considers that there is an urgent need to act in order to protect the interests rights and freedoms of data subjects, it may, in particular when the danger exists that the enforcement of a right of a data subject could be considerably impeded by means of an alteration of the existing state or for averting major disadvantages or for other reasons, by way of derogation from the procedure consistency mechanism referred to in Article 587 or the procedure referred to in Article 54a, it may immediately adopt provisional measures intended to produce legal effects within the territory of its own Member State, with a specified period of validity. The supervisory authority shall, without delay, communicate those measures, with full and the reasons for adopting them, to the other concerned supervisory authorities, the European Data Protection Board and to the Commission.

  • 2. 
    Commission proposal and EP Position: Where a supervisory authority has taken a measure pursuant to paragraph 1 and considers that final measures need urgently be adopted, it may request an urgent opinion of the European Data Protection Board, giving reasons for requesting such opinion, including for the urgency of final measures.

    Council General Approach: Where a supervisory authority has taken a measure pursuant to paragraph 1 and considers that final measures need urgently be adopted, it may request an urgent opinion or an urgent binding decision from of the European Data Protection Board, giving reasons for requesting such opinion, including for the urgency of final measures or decision.

  • 3. 
    Commission proposal and EP Position: Any supervisory authority may request an urgent opinion where the competent supervisory authority has not taken an appropriate measure in a situation where there is an urgent need to act, in order to protect the interests of data subjects, giving reasons for requesting such opinion, including for the urgent need to act.

    Council General Approach: Any supervisory authority may request an urgent opinion or an urgent binding decision, as the case may be, from the European Data Protection Board where the a competent supervisory authority has not taken an appropriate measure in a situation where there is an urgent need to act, in order to protect the interests rights and freedoms of data subjects, giving reasons for requesting such opinion or decision, including for the urgent need to act.


Amendment 172

  • 4. 
    Commission proposal: By derogation from Article 58(7), an urgent opinion referred to in paragraphs 2 and 3 of this Article shall be adopted within two weeks by simple majority of the members of the European Data Protection Board.

    EP Position: By derogation from Article 58(7), a An urgent opinion referred to in paragraphs 2 and 3 of this Article shall be adopted within two weeks by simple majority of the members of the European Data Protection Board.

    Council General Approach: By derogation from paragraph 7 of Article 58(7) and paragraph 2 of Article 58a, an urgent opinion or an urgent binding decision referred to in paragraphs 2 and 3 of this Article shall be adopted within two weeks by simple majority of the members of the European Data Protection Board.


Article 62 Article 62 Article 62

Implementing acts Implementing acts Implementing acts

Amendment 173

  • 1. 
    Commission proposal: The Commission may adopt implementing acts for:

    EP Position: The Commission may adopt implementing acts of general application, after requesting an opinion of the European Data Protection Board, for:

    Council General Approach: The Commission may adopt implementing acts of general scope for:

Commission proposal: (a) deciding on the correct application of this Regulation in accordance with its objectives and requirements in relation to matters communicated by supervisory authorities pursuant to Article 58 or 61, concerning a matter in relation to which a reasoned decision has been adopted pursuant to Article 60(1), or concerning a matter in relation to which a supervisory authority does not submit a draft measure and that supervisory authority has indicated that it does not intend to follow the opinion of the Commission adopted pursuant to Article 59;

EP Position and Council General Approach: deleted


Commission proposal: (b) deciding, within the period referred to in Article 59(1), whether it declares draft standard data protection clauses referred to in point (d) of Article 58(2), as having general validity;

EP Position: (b) deciding, within the period referred to in Article 59(1), whether it declares draft standard data protection clauses referred to in point (d) of Article 5842(2), as having general validity;

Council General Approach: deleted

Commission proposal: (c) specifying the format and procedures for the application of the consistency mechanism referred to in this section;

EP Position and Council General Approach: deleted

Commission proposal and EP Position: (d) specifying the arrangements for the exchange of information by electronic means between supervisory authorities, and between supervisory authorities and the European Data Protection Board, in particular the standardised format referred to in Article 58(5), (6) and (8).

Council General Approach: (d) specifying the arrangements for the exchange of information by electronic means between supervisory authorities, and between supervisory authorities and the European Data Protection Board, in particular the standardised format referred to in Article 57(5) and (6) and in Article 58(5), (6) and (8).

Commission proposal and Council General Approach: Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

EP Position: deleted


  • 2. 
    Commission proposal: On duly justified imperative grounds of urgency relating to the interests of data subjects in the cases referred to in point (a) of paragraph 1, the Commission shall adopt immediately applicable implementing acts in accordance with the procedure referred to in Article 87(3). Those acts shall remain in force for a period not exceeding 12 months.

    EP Position and Council General Approach: deleted

  • 3. 
    Commission proposal and EP Position: The absence or adoption of a measure under this Section does not prejudice any other measure by the Commission under the Treaties.

    Council General Approach: deleted


Article 63 Article 63 Article 63

Enforcement Enforcement Enforcement

  • 1. 
    Commission proposal and EP Position: For the purposes of this Regulation, an enforceable measure of the supervisory authority of one Member State shall be enforced in all Member States concerned.

    Council General Approach: deleted

Amendment 174

  • 2. 
    Commission proposal: Where a supervisory authority does not submit a draft measure to the consistency mechanism in breach of Article 58(1) to (5), the measure of the supervisory authority shall not be legally valid and enforceable.

    EP Position: Where a supervisory authority does not submit a draft measure to the consistency mechanism in breach of Article 58(1) and (2) or adopts a measure despite an indication of serious objection pursuant to Article 58a(1), the measure of the supervisory authority shall not be legally valid and enforceable.

    Council General Approach: deleted


SECTION 3 SECTION 3 SECTION 3

EUROPEAN DATA PROTECTION BOARD EUROPEAN DATA PROTECTION BOARD EUROPEAN DATA PROTECTION BOARD

Article 64 Article 64 Article 64

European Data Protection Board European Data Protection Board European Data Protection Board

  • 1. 
    Commission proposal and EP Position: A European Data Protection Board is hereby set up.

    Council General Approach: 1.a A The European Data Protection Board is hereby set up established as body of the Union and shall have legal personality.

1b. The European Data Protection Board shall be represented by its Chair.

  • 2. 
    Commission proposal and EP Position: The European Data Protection Board shall be composed of the head of one supervisory authority of each Member State and of the European Data Protection Supervisor.

    Council General Approach: The European Data Protection Board shall be composed of the head of one supervisory authority of each Member State and or his/her representative and of the European Data Protection Supervisor.


  • 3. 
    Commission proposal and EP Position: Where in a Member State more than one supervisory authority is responsible for monitoring the application of the provisions pursuant to this Regulation, they shall nominate the head of one of those supervisory authorities as joint representative.

    Council General Approach: Where in a Member State more than one supervisory authority is responsible for monitoring the application of the provisions pursuant to this Regulation, they shall nominate the head of one of those supervisory authorities as a joint representative shall be appointed in accordance with the national law of that Member State.

  • 4. 
    Commission proposal and EP Position: The Commission shall have the right to participate in the activities and meetings of the European Data Protection Board and shall designate a representative. The chair of the European Data Protection Board shall, without delay, inform the Commission on all activities of the European Data Protection Board.

    Council General Approach: The Commission and the European Data Protection Supervisor or his/her representative shall have the right to participate in the activities and meetings of the European Data Protection Board and shall designate a representative without voting right. The Commission shall designate a representative. The chair of the European Data Protection Board shall, without delay, inform communicate to the Commission the on all activities of the European Data Protection Board.


Article 65 Article 65 Article 65

Independence Independence Independence

  • 1. 
    Commission proposal and EP Position: The European Data Protection Board shall act independently when exercising its tasks pursuant to Articles 66 and 67.

    Council General Approach: The European Data Protection Board shall act independently when exercising performing its tasks or exercising its powers pursuant to Articles 66 and 67.

  • 2. 
    Commission proposal and EP Position: Without prejudice to requests by the Commission referred to in point (b) of paragraph 1 and in paragraph 2 of Article 66, the European Data Protection Board shall, in the performance of its tasks, neither seek nor take instructions from anybody.

    Council General Approach: Without prejudice to requests by the Commission referred to in point (b) of paragraph 1 and in paragraph 2 of Article 66, the European Data Protection Board shall, in the performance of its tasks or the exercise of its powers, neither seek nor take instructions from anybody.


Article 66 Article 66 Article 66

Tasks of the European Data Protection Board Tasks of the European Data Protection Board Tasks of the European Data Protection Board

Amendment 175

  • 1. 
    Commission proposal and Council General Approach: The European Data Protection Board shall ensure the consistent application of this Regulation. To this effect, the European Data Protection Board shall, on its own initiative or at the request of the Commission, in particular:

    EP Position: The European Data Protection Board shall ensure the consistent application of this Regulation. To this effect, the European Data Protection Board shall, on its own initiative or at the request of the European Parliament, Council or Commission, in particular:

(aa) monitor and ensure the correct application of this Regulation in the cases provided for in Article 57(3) without prejudice to the tasks of national supervisory authorities;

Commission proposal and Council General Approach: (a) advise the Commission on any issue related to the protection of personal data in the Union, including on any proposed amendment of this Regulation;

EP Position: (a) advise the Commission European institutions on any issue related to the protection of personal data in the Union, including on any proposed amendment of this Regulation;


Commission proposal and Council General Approach: (b) examine, on its own initiative or on request of one of its members or on request of the Commission, any question covering the application of this Regulation and issue guidelines, recommendations and best practices addressed to the supervisory authorities in order to encourage consistent application of this Regulation;

EP Position: (b) examine, on its own initiative or on request of one of its members or on request of the European Parliament, Council or the Commission, any question covering the application of this Regulation and issue guidelines, recommendations and best practices addressed to the supervisory authorities in order to encourage consistent application of this Regulation, including on the use of enforcement powers;

(ba) draw up guidelines for supervisory authorities concerning the application of measures referred to in paragraph 1, 1b and 1c of Article 53 and the fixing of administrative fines pursuant to Articles 79 and 79a;

Commission proposal and EP Position: (c) review the practical application of the guidelines, recommendations and best practices referred to in point (b) and report regularly to the Commission on these;

Council General Approach: (c) review the practical application of the guidelines, recommendations and best practices referred to in point (b) and report regularly to the Commission on these(ba);


(ca) encourage the drawing-up of codes of conduct and the establishment of data protection certification mechanisms and data protection seals and marks pursuant to Articles 38 and 39;

(cb) carry out the accreditation of certification bodies and its periodic review pursuant to Article 39a and maintain a public register of accredited bodies pursuant to paragraph 6 of Article 39a and of the accredited controllers or processors established in third countries pursuant to paragraph 4 of Article 39;

(cd) specify the requirements mentioned in paragraph 3 of Article 39a with a view to the accreditation of certification bodies under Article 39;

(ce) give the Commission an opinion on the level of protection of personal data in third countries or international organisations, in particular in the cases referred to in Article 41;


Commission proposal and EP Position: (d) issue opinions on draft decisions of supervisory authorities pursuant to the consistency mechanism referred to in Article 57;

Council General Approach: (d) issue opinions on draft decisions of supervisory authorities pursuant to the consistency mechanism referred to in paragraph 2 and on matters submitted pursuant to paragraph 4 of Article 57;

(da) provide an opinion on which authority should be the lead authority pursuant to Article 54a(3);

Commission proposal and Council General Approach: (e) promote the co-operation and the effective bilateral and multilateral exchange of information and practices between the supervisory authorities;

EP Position: (e) promote the co-operation and the effective bilateral and multilateral exchange of information and practices between the supervisory authorities, including the coordination of joint operations and other joint activities, where it so decides at the request of one or several supervisory authorities;

Commission proposal, EP Position and Council General Approach: (f) promote common training programmes and facilitate personnel exchanges between the supervisory authorities, as well as, where appropriate, with the supervisory authorities of third countries or of international organisations;


Commission proposal and Council General Approach: (g) promote the exchange of knowledge and documentation on data protection legislation and practice with data protection supervisory authorities worldwide.

EP Position: (g) promote the exchange of knowledge and documentation on data protection legislation and practice with data protection supervisory authorities worldwide;

(ga) give its opinion to the Commission in the preparation of delegated and implementing acts based on this Regulation;

(gb) give its opinion on codes of conduct drawn up at Union level pursuant to Article 38(4);

(gc) give its opinion on criteria and requirements for the data protection certification mechanisms pursuant to Article 39(3);

(gd) maintain a public electronic register on valid and invalid certificates pursuant to Article 39(1h);

(ge) provide assistance to national supervisory authorities, at their request;


(gf) establish and make public a list of the processing operations which are subject to prior consultation pursuant to Article 34;

(gg) maintain a registry of sanctions imposed on controllers or processors by the competent supervisory authorities.

(h)

(i) maintain a publicly accessible electronic register of decisions taken by supervisory authorities and courts on issues dealt with in the consistency mechanism.

  • 2. 
    Commission proposal: Where the Commission requests advice from the European Data Protection Board, it may lay out a time limit within which the European Data Protection Board shall provide such advice, taking into account the urgency of the matter.

    EP Position: Where the European Parliament, the Council or the Commission requests advice from the European Data Protection Board, it may lay out a time limit within which the European Data Protection Board shall provide such advice, taking into account the urgency of the matter.

    Council General Approach: Where the Commission requests advice from the European Data Protection Board, it may lay out indicate a time limit within which the European Data Protection Board shall provide such advice, taking into account the urgency of the matter.


  • 3. 
    Commission proposal and Council General Approach: The European Data Protection Board shall forward its opinions, guidelines, recommendations, and best practices to the Commission and to the committee referred to in Article 87 and make them public.

    EP Position: The European Data Protection Board shall forward its opinions, guidelines, recommendations, and best practices to the European Parliament, the Council and the Commission and to the committee referred to in Article 87 and make them public.

  • 4. 
    Commission proposal and EP Position: The Commission shall inform the European Data Protection Board of the action it has taken following the opinions, guidelines, recommendations and best practices issued by the European Data Protection Board.

    Council General Approach: deleted

4a. The European Data Protection Board shall, where appropriate, consult interested parties and give them the opportunity to comment within a reasonable period. The European Data Protection Board shall, without prejudice to Article 72, make the results of the consultation procedure publicly available.


4b. The European Data Protection Board shall be entrusted with the task of issuing guidelines, recommendations and best practices in accordance with point (b) of paragraph 1 for establishing common procedures for receiving and investigating information concerning allegations of unlawful processing and for safeguarding confidentiality and sources of information received.


Article 67 Article 67 Article 67

Reports Reports Reports

Amendment 176

  • 1. 
    Commission proposal: The European Data Protection Board shall regularly and timely inform the Commission about the outcome of its activities. It shall draw up an annual report on the situation regarding the protection of natural persons with regard to the processing of personal data in the Union and in third countries.

    EP Position: The European Data Protection Board shall regularly and timely inform the European Parliament, the Council and the Commission about the outcome of its activities. It shall draw up an annual a report at least every two years on the situation regarding the protection of natural persons with regard to the processing of personal data in the Union and in third countries.

    Council General Approach: deleted

Commission proposal and EP Position: The report shall include the review of the practical application of the guidelines, recommendations and best practices referred to in point (c) of Article 66(1).

Council General Approach: deleted


  • 2. 
    Commission proposal and EP Position: The report shall be made public and transmitted to the European Parliament, the Council and the Commission.

    Council General Approach: The European Data Protection Board shall draw up an annual report regarding the protection of natural persons with regard to the processing of personal data in the Union and, where relevant, in third countries and international organisations. The report shall be made public and be transmitted to the European Parliament, the Council and the Commission.

    3. The annual report shall include a review of the practical application of the guidelines, recommendations and best practices referred to in point (c) of Article 66(1) as well as of the binding decisions referred to in paragraph 3 of Article 57.


Article 68 Article 68 Article 68

Procedure Procedure Procedure

Amendment 177

  • 1. 
    Commission proposal: The European Data Protection Board shall take decisions by a simple majority of its members.

    EP Position: The European Data Protection Board shall take decisions by a simple majority of its members, unless otherwise provided in its rules of procedure.

    Council General Approach: The European Data Protection Board shall take decisions adopt binding decisions referred to in paragraph 3 of Article 57 in accordance with majority requirements set out in paragraphs 2 and 3 of Article 58a. As regards decisions related to the other tasks listed in Article 66 hereof, they shall be taken by a simple majority of its members.

  • 2. 
    Commission proposal and EP Position: The European Data Protection Board shall adopt its own rules of procedure and organise its own operational arrangements. In particular, it shall provide for the continuation of exercising duties when a member’s term of office expires or a member resigns, for the establishment of subgroups for specific issues or sectors and for its procedures in relation to the consistency mechanism referred to in Article 57.

    Council General Approach: The European Data Protection Board shall adopt its own rules of procedure by a two-third majority of its members and organise its own operational arrangements. In particular, it shall provide for the continuation of exercising duties when a member’s term of office expires or a member resigns, for the establishment of subgroups for specific issues or sectors and for its procedures in relation to the consistency mechanism referred to in Article 57.


Article 69 Article 69 Article 69

Chair Chair Chair

Amendment 178

  • 1. 
    Commission proposal: The European Data Protection Board shall elect a chair and two deputy chairpersons from amongst its members. One deputy chairperson shall be the European Data Protection Supervisor, unless he or she has been elected chair.

    EP Position: The European Data Protection Board shall elect a chair and at least two deputy chairpersons from amongst its members. One deputy chairperson shall be the European Data Protection Supervisor, unless he or she has been elected chair.

    Council General Approach: The European Data Protection Board shall elect a chair and two deputy chairpersons chairs from amongst its members by simple majority. One deputy chairperson shall be the European Data Protection Supervisor, unless he or she has been elected chair.

  • 2. 
    Commission proposal and EP Position: The term of office of the chair and of the deputy chairpersons shall be five years and be renewable.

    Council General Approach: The term of office of the chair and of the deputy chairpersons chairs shall be five years and be renewable once.

    Amendment 179

    2a. The position of the chair shall be a full-time position.


Article 70 Article 70 Article 70

Tasks of the chair Tasks of the chair Tasks of the chair

  • 1. 
    Commission proposal, EP Position and Council General Approach: The chair shall have the following tasks:

Commission proposal, EP Position and Council General Approach: (a) to convene the meetings of the European Data Protection Board and prepare its agenda;

(aa) to notify decisions adopted by the European Data Protection Board pursuant to Article 58a to the lead supervisory authority and the concerned supervisory authorities;

Commission proposal and EP Position / First Reading (identical text): (b) to ensure the timely fulfilment of the tasks of the European Data Protection Board, in particular in relation to the consistency mechanism referred to in Article 57.

Council General Approach: (b) to ensure the timely fulfilment performance of the tasks of the European Data Protection Board, in particular in relation to the consistency mechanism referred to in Article 57.

Commission proposal, EP Position / First Reading and Council General Approach (identical text): 2. The European Data Protection Board shall lay down the attribution of tasks between the chair and the deputy chairpersons in its rules of procedure.

Article 71 Article 71 Article 71

Secretariat Secretariat Secretariat

Commission proposal and EP Position / First Reading (identical text): 1. The European Data Protection Board shall have a secretariat. The European Data Protection Supervisor shall provide that secretariat.

Council General Approach: 1. The European Data Protection Board shall have a secretariat, which shall be provided by the secretariat of . Tthe European Data Protection Supervisor shall provide that secretariat.

1a. The secretariat shall perform its tasks exclusively under the instructions of the Chair of the European Data Protection Board.

1b. The staff of the secretariat of the European Data Protection Supervisor involved in carrying out the tasks conferred on the European Data Protection Board by this Regulation shall be organizationally separated from, and subject to separate reporting lines from the staff involved in carrying out tasks conferred on the European Data Protection Supervisor.

1c. Where needed, the European Data Protection Board in consultation with the European Data Protection Supervisor shall establish and publish a Code of Conduct implementing this Article and applicable to the staff of the secretariat of the European Data Protection Supervisor involved in carrying out the tasks conferred on the European Data Protection Board by this Regulation.

Amendment 180

Commission proposal: 2. The secretariat shall provide analytical, administrative and logistical support to the European Data Protection Board under the direction of the chair.

EP Position / First Reading: 2. The secretariat shall provide analytical, legal, administrative and logistical support to the European Data Protection Board under the direction of the chair.

Council General Approach: 2. The secretariat shall provide analytical, administrative and logistical support to the European Data Protection Board under the direction of the chair.

Commission proposal, EP Position / First Reading and Council General Approach (identical text for the introductory words and point (a)):

3. The secretariat shall be responsible in particular for:

(a) the day-to-day business of the European Data Protection Board;

Commission proposal, EP Position / First Reading and Council General Approach (identical text for points (b) to (e)):

(b) the communication between the members of the European Data Protection Board, its chair and the Commission and for communication with other institutions and the public;

(c) the use of electronic means for the internal and external communication;

(d) the translation of relevant information;

(e) the preparation and follow-up of the meetings of the European Data Protection Board;

Commission proposal and EP Position / First Reading (identical text): (f) the preparation, drafting and publication of opinions and other texts adopted by the European Data Protection Board.

Council General Approach: (f) the preparation, drafting and publication of opinions, decisions on the settlement of disputes between supervisory authorities and other texts adopted by the European Data Protection Board.

Article 72 Article 72 Article 72

Confidentiality Confidentiality Confidentiality

Amendment 181

Commission proposal: 1. The discussions of the European Data Protection Board shall be confidential.

EP Position / First Reading: 1. The discussions of the European Data Protection Board may be confidential where necessary, unless otherwise provided in its rules of procedure. The agendas of the meetings of the European Protection Board shall be made public.

Council General Approach: 1. The discussions of the European Data Protection Board shall be confidential.

Commission proposal: 2. Documents submitted to members of the European Data Protection Board, experts and representatives of third parties shall be confidential, unless access is granted to those documents in accordance with Regulation (EC) No 1049/2001 or the European Data Protection Board otherwise makes them public.

EP Position / First Reading: 2. Documents submitted to members of the European Data Protection Board, experts and representatives of third parties shall be confidential, unless access is granted to those documents in accordance with Regulation (EC) No 1049/2001 of the European Parliament and of the Council 1 or the European Data Protection Board otherwise makes them public.

Council General Approach: 2. Access to Ddocuments submitted to members of the European Data Protection Board, experts and representatives of third parties shall be confidential, unless access is granted to those documents in accordance with governed by Regulation (EC) No 1049/2001 or the European Data Protection Board otherwise makes them public.

1 Regulation (EC) No 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public access to European Parliament, Council and Commission documents (OJ L145, 31.5.2001, p.43)

Commission proposal and EP Position / First Reading (identical text): 3. The members of the European Data Protection Board, as well as experts and representatives of third parties, shall be required to respect the confidentiality obligations set out in this Article. The chair shall ensure that experts and representatives of third parties are made aware of the confidentiality requirements imposed upon them.

Council General Approach: deleted

CHAPTER VIII CHAPTER VIII CHAPTER VIII

REMEDIES, REMEDIES, REMEDIES,

LIABILITY AND LIABILITY AND LIABILITY AND

SANCTIONS SANCTIONS SANCTIONS

Article 73 Article 73 Article 73

Right to lodge a complaint with a supervisory authority Right to lodge a complaint with a supervisory authority Right to lodge a complaint with a supervisory authority

Amendment 182

Commission proposal: 1. Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority in any Member State if they consider that the processing of personal data relating to them does not comply with this Regulation.

EP Position / First Reading: 1. Without prejudice to any other administrative or judicial remedy and the consistency mechanism, every data subject shall have the right to lodge a complaint with a supervisory authority in any Member State if they consider that the processing of personal data relating to them does not comply with this Regulation.

Council General Approach: 1. Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a single supervisory authority, in particular in any the Member State of his or her habitual residence, place of work or place of the alleged infringement if they the data subject considers that the processing of personal data relating to them him or her does not comply with this Regulation.

Commission proposal: 2. Any body, organisation or association which aims to protect data subjects’ rights and interests concerning the protection of their personal data and has been properly constituted according to the law of a Member State shall have the right to lodge a complaint with a supervisory authority in any Member State on behalf of one or more data subjects if it considers that a data subject’s rights under this Regulation have been infringed as a result of the processing of personal data.

EP Position / First Reading: 2. Any body, organisation or association which aims to protect data subjects’ rights and interests concerning the protection of their personal data acts in the public interest and has been properly constituted according to the law of a Member State shall have the right to lodge a complaint with a supervisory authority in any Member State on behalf of one or more data subjects if it considers that a data subject’s rights under this Regulation have been infringed as a result of the processing of personal data.

Council General Approach: deleted

Commission proposal: 3. Independently of a data subject's complaint, any body, organisation or association referred to in paragraph 2 shall have the right to lodge a complaint with a supervisory authority in any Member State, if it considers that a personal data breach has occurred.

EP Position / First Reading: 3. Independently of a data subject's complaint, any body, organisation or association referred to in paragraph 2 shall have the right to lodge a complaint with a supervisory authority in any Member State, if it considers that a personal data breach of this Regulation has occurred.

Council General Approach: deleted

4.

5. The supervisory authority to which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 74.

Article 74 Article 74 Article 74

Right to a judicial remedy against a supervisory authority Right to a judicial remedy against a supervisory authority Right to a judicial remedy against a supervisory authority

Amendment 183

Commission proposal: 1. Each natural or legal person shall have the right to a judicial remedy against decisions of a supervisory authority concerning them.

EP Position / First Reading: 1. Without prejudice to any other administrative or non-judicial remedy, Eeach natural or legal person shall have the right to a judicial remedy against decisions of a supervisory authority concerning them.

Council General Approach: 1. Without prejudice to any other administrative or non-judicial remedy, Eeach natural or legal person shall have the right to an effective judicial remedy against a legally binding decisions of a supervisory authority concerning them.

Commission proposal: 2. Each data subject shall have the right to a judicial remedy obliging the supervisory authority to act on a complaint in the absence of a decision necessary to protect their rights, or where the supervisory authority does not inform the data subject within three months on the progress or outcome of the complaint pursuant to point (b) of Article 52(1).

EP Position / First Reading: 2. Without prejudice to any other administrative or non-judicial remedy, Eeach data subject shall have the right to a judicial remedy obliging the supervisory authority to act on a complaint in the absence of a decision necessary to protect their rights, or where the supervisory authority does not inform the data subject within three months on the progress or outcome of the complaint pursuant to point (b) of Article 52(1).

Council General Approach: 2. Without prejudice to any other administrative or non-judicial remedy, Eeach data subject shall have the right to a an effective judicial remedy obliging where the supervisory authority competent in accordance with Article 51 and Article 51a does not deal with to act on a complaint in the absence of a decision necessary to protect their rights, or where the supervisory authority does not inform the data subject within three months or any shorter period provided under Union or Member State law on the progress or outcome of the complaint pursuant to point (b) of lodged under Article 52(1)73.

Commission proposal, EP Position / First Reading and Council General Approach (identical text): 3. Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.

    3a. Where proceedings are brought against a decision of a supervisory authority which was preceded by an opinion or a decision of the European Data Protection Board in the consistency mechanism, the supervisory authority shall forward that opinion or decision to the court.

Commission proposal: 4. A data subject which is concerned by a decision of a supervisory authority in another Member State than where the data subject has its habitual residence, may request the supervisory authority of the Member State where it has its habitual residence to bring proceedings on its behalf against the competent supervisory authority in the other Member State.

EP Position / First Reading: 4. Without prejudice to the consistency mechanism Aa data subject which is concerned by a decision of a supervisory authority in another Member State than where the data subject has its habitual residence, may request the supervisory authority of the Member State where it has its habitual residence to bring proceedings on its behalf against the competent supervisory authority in the other Member State.

Council General Approach: deleted

Commission proposal and EP Position / First Reading (identical text): 5. The Member States shall enforce final decisions by the courts referred to in this Article.

Council General Approach: deleted

Article 75 Article 75 Article 75

Right to a judicial remedy against a controller or processor Right to a judicial remedy against a controller or processor Right to an effective judicial remedy against a controller or processor

Commission proposal and EP Position / First Reading (identical text): 1. Without prejudice to any available administrative remedy, including the right to lodge a complaint with a supervisory authority as referred to in Article 73, every natural person shall have the right to a judicial remedy if they consider that their rights under this Regulation have been infringed as a result of the processing of their personal data in non-compliance with this Regulation.

Council General Approach: 1. Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority as referred to in under Article 73, every natural person data subjects shall have the right to an effective judicial remedy if they consider that their rights under this Regulation have been infringed as a result of the processing of their personal data in non-compliance with this Regulation.

Amendment 184

Commission proposal: 2. Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has its habitual residence, unless the controller is a public authority acting in the exercise of its public powers.

EP Position / First Reading: 2. Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has its habitual residence, unless the controller is a public authority of the Union or a Member State acting in the exercise of its public powers.

Council General Approach: 2. Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has its his or her habitual residence, unless the controller or processor is a public authority acting in the exercise of its public powers.

Commission proposal and EP Position / First Reading (identical text): 3. Where proceedings are pending in the consistency mechanism referred to in Article 58, which concern the same measure, decision or practice, a court may suspend the proceedings brought before it, except where the urgency of the matter for the protection of the data subject's rights does not allow to wait for the outcome of the procedure in the consistency mechanism.

Council General Approach: deleted

Commission proposal and EP Position / First Reading (identical text): 4. The Member States shall enforce final decisions by the courts referred to in this Article.

Council General Approach: deleted

Article 76 Article 76 Article 76

Common rules for court proceedings Common rules for court proceedings Representation of data subjects

Amendment 185

Commission proposal: 1. Any body, organisation or association referred to in Article 73(2) shall have the right to exercise the rights referred to in Articles 74 and 75 on behalf of one or more data subjects.

EP Position / First Reading: 1. Any body, organisation or association referred to in Article 73(2) shall have the right to exercise the rights referred to in Articles 74 and, 75 on behalf of and 77 if mandated by one or more data subjects.

Council General Approach: 1. The data subject shall have the right to mandate Any a body, organisation or association, which has been properly constituted according to the law of a Member State and whose statutory objectives include the protection of data subject’s rights and freedoms with regard to the protection of their personal data to lodge the complaint on his or her behalf and referred to in Article 73(2) shall have the right to exercise the rights referred to in Articles 73, 74 and 75 on his or her behalfof one or more data subjects.

Commission proposal and EP Position / First Reading (identical text): 2. Each supervisory authority shall have the right to engage in legal proceedings and bring an action to court, in order to enforce the provisions of this Regulation or to ensure consistency of the protection of personal data within the Union.

Council General Approach: 2. Each supervisory authority shall have the right to engage in legal proceedings and bring an action to court, in order to enforce the provisions of this Regulation or to ensure consistency of the protection of personal data within the UnionMember States may provide that any body, organisation or association referred to in paragraph 1, independently of a data subject's mandate, shall have in such Member State the right to lodge a complaint with the supervisory authority competent in accordance with Article 73 and to exercise the rights referred to in Articles 73, 74 and 75 if it considers that the rights of a data subject have been infringed as a result of the processing of personal data that is not in compliance with this Regulation.

Commission proposal and EP Position / First Reading (identical text): 3. Where a competent court of a Member State has reasonable grounds to believe that parallel proceedings are being conducted in another Member State, it shall contact the competent court in the other Member State to confirm the existence of such parallel proceedings.

Council General Approach: deleted

Commission proposal and EP Position / First Reading (identical text): 4. Where such parallel proceedings in another Member State concern the same measure, decision or practice, the court may suspend the proceedings.

Council General Approach: deleted

Commission proposal and EP Position / First Reading (identical text): 5. Member States shall ensure that court actions available under national law allow for the rapid adoption of measures including interim measures, designed to terminate any alleged infringement and to prevent any further impairment of the interests involved.

Council General Approach: deleted

Article 76a

Suspension of proceedings

1. Where a competent court of a Member State has information on proceedings concerning the same subject matter as regards processing of the same controller or processor are pending in a court in another Member State, it shall contact that court in the other Member State to confirm the existence of such proceedings.

2. Where proceedings concerning the same subject matter as regards processing of the same controller or processor are pending in a court in another Member State, any competent court other than the court first seized may suspend its proceedings.

2a. Where these proceedings are pending at first instance, any court other than the court first seized may also, on the application of one of the parties, decline jurisdiction if the court first seized has jurisdiction over the actions in question and its law permits the consolidation thereof.

Article 77 Article 77 Article 77

Right to compensation and liability Right to compensation and liability Right to compensation and liability

Amendment 186

Commission proposal: 1. Any person who has suffered damage as a result of an unlawful processing operation or of an action incompatible with this Regulation shall have the right to receive compensation from the controller or the processor for the damage suffered.

EP Position / First Reading: 1. Any person who has suffered damage, including non-pecuniary damage, as a result of an unlawful processing operation or of an action incompatible with this Regulation shall have the right to receive claim compensation from the controller or the processor for the damage suffered.

Council General Approach: 1. Any person who has suffered material or immaterial damage as a result of an unlawfula processing operation or of an action incompatible which is not in compliance with this Regulation shall have the right to receive compensation from the controller or the processor for the damage suffered.

    Amendment 187

Commission proposal: 2. Where more than one controller or processor is involved in the processing, each controller or processor shall be jointly and severally liable for the entire amount of the damage.

EP Position / First Reading: 2. Where more than one controller or processor is involved in the processing, each controller of those controllers or processor processors shall be jointly and severally liable for the entire amount of the damage, unless they have an appropriate written agreement determining the responsibilities pursuant to Article 24.

Council General Approach: 2. Where more than one Any controller or processor is involved in the processing each controller or processor shall be jointly and severally liable for the entire amount of the damage caused by the processing which is not in compliance with this Regulation. A processor shall be liable for the damage caused by the processing only where it has not complied with obligations of this Regulation specifically directed to processors or acted outside or contrary to lawful instructions of the controller.

Commission proposal and EP Position / First Reading (identical text): 3. The controller or the processor may be exempted from this liability, in whole or in part, if the controller or the processor proves that they are not responsible for the event giving rise to the damage.

Council General Approach: 3. The A controller or the processor mayshall be exempted from this liability in accordance with paragraph 2, in whole or in part, if the controller or the processor it proves that they are it is not in any way responsible for the event giving rise to the damage.

    4. Where more than one controller or processor or a controller and a processor are involved in the same processing and, where they are, in accordance with paragraphs 2 and 3, responsible for any damage caused by the processing, each controller or processor shall be held liable for the entire damage.

5. Where a controller or processor has, in accordance with paragraph 4, paid full compensation for the damage suffered, that controller or processor shall be entitled to claim back from the other controllers or processors involved in the same processing that part of the compensation corresponding to their part of responsibility for the damage in accordance with the conditions set out in paragraph 2.

6. Court proceedings for exercising the right to receive compensation shall be brought before the courts competent under national law of the Member State referred to in paragraph 2 of Article 75.

Article 78 Article 78 Article 78

Penalties Penalties Penalties

Commission proposal and EP Position / First Reading (identical text): 1. Member States shall lay down the rules on penalties, applicable to infringements of the provisions of this Regulation and shall take all measures necessary to ensure that they are implemented, including where the controller did not comply with the obligation to designate a representative. The penalties provided for must be effective, proportionate and dissuasive.

Council General Approach: deleted

Commission proposal and EP Position / First Reading (identical text): 2. Where the controller has established a representative, any penalties shall be applied to the representative, without prejudice to any penalties which could be initiated against the controller.

Council General Approach: deleted

Commission proposal and EP Position / First Reading (identical text): 3. Each Member State shall notify to the Commission those provisions of its law which it adopts pursuant to paragraph 1, by the date specified in Article 91(2) at the latest and, without delay, any subsequent amendment affecting them.

Council General Approach: deleted

Article 79 Article 79 Article 79

Administrative sanctions Administrative sanctions General conditions for imposing administrative sanctionsfines

Amendment 188

Commission proposal: 1. Each supervisory authority shall be empowered to impose administrative sanctions in accordance with this Article.

EP Position / First Reading: 1. Each supervisory authority shall be empowered to impose administrative sanctions in accordance with this Article. The supervisory authorities shall co-operate with each other in accordance with Articles 46 and 57 to guarantee a harmonized level of sanctions within the Union.

Council General Approach: 1. Each supervisory authority shall be empowered to impose ensure that the imposition of administrative sanctions in accordance with fines pursuant to this Article in respect of infringements of this Regulation referred to in Article 79a shall in each individual case be effective, proportionate and dissuasive.

Commission proposal and EP Position / First Reading (identical text): 2. The administrative sanction shall be in each individual case effective, proportionate and dissuasive. The amount of the administrative fine shall be fixed with due regard to the nature, gravity and duration of the breach, the intentional or negligent character of the infringement, the degree of responsibility of the natural or legal person and of previous breaches by this person, the technical and organisational measures and procedures implemented pursuant to Article 23 and the degree of co-operation with the supervisory authority in order to remedy the breach.

Council General Approach: deleted

2a. To anyone who does not comply with the obligations laid down in this Regulation, the supervisory authority shall impose at least one of the following sanctions:

a) a warning in writing in cases of first and non-intentional noncompliance;

b) regular periodic data protection audits;

c) a fine up to 100 000 000 EUR or up to 5% of the annual worldwide turnover in case of an enterprise, whichever is higher.

2b. If the controller or the processor is in possession of a valid "European Data Protection Seal" pursuant to Article 39, a fine pursuant to point (c) of paragraph 2a shall only be imposed in cases of intentional or negligent innoncompliance.

2c. The administrative sanction shall take into account the following factors:

a) the nature, gravity and duration of the innon-compliance,

b) the intentional or negligent character of the infringement,

c) the degree of responsibility of the natural or legal person and of previous breaches by this person,

d) the repetitive nature of the infringement,

e) the degree of co-operation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement,

f) the specific categories of personal data affected by the infringement,

(g) the level of damage, including non-pecuniary damage, suffered by the data subjects,

(h) the action taken by the controller or processor to mitigate the damage suffered by data subjects,

(i) any financial benefits intended or gained, or losses avoided, directly or indirectly from the infringement,

(j) the degree of technical and organisational measures and procedures implemented pursuant to:

(i) Article 23 - Data protection by design and by default

(ii) Article 30 - Security of processing

(iii) Article 33 - Data protection impact assessment

(iv) Article 33a - Data protection compliance review

(v) Article 35 - Designation of the data protection officer

(k) the refusal to cooperate with or obstruction of inspections, audits and controls carried out by the supervisory authority pursuant to Article 53,

(l) other aggravating or mitigating factors applicable to the circumstance of the case.

2a. Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in points (a) to (f) of paragraph 1b of Article 53. When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:

(a) the nature, gravity and duration of the infringement having regard to the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;

(b) the intentional or negligent character of the infringement;

(c)

(d) action taken by the controller or processor to mitigate the damage suffered by data subjects;

(e) the degree of responsibility of the controller or processor having regard to technical and organisational measures implemented by them pursuant to Articles 23 and 30;

(f) any relevant previous infringements by the controller or processor;

(g)

(h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;

(i) in case measures referred to in and points (a), (d), (e) and (f) of paragraph 1b of Article 53, have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with these measures;

(j) adherence to approved codes of conduct pursuant to Article 38 or approved certification mechanisms pursuant to Article 39;

(k)

(l)

(m) any other aggravating or mitigating factor applicable to the circumstances of the case.

  • 3. 
    In case of a first and non-intentional non-compliance with this Regulation, a warning in writing may be given and no sanction imposed, where: [EP Position: deleted; Council General Approach: deleted]
  • a) 
    a natural person is processing personal data without a commercial interest; or [EP Position: deleted; Council General Approach: deleted]

  • b) 
    Commission proposal: an enterprise or an organisation employing fewer than 250 persons is processing personal data only as an activity ancillary to its main activities.

    EP Position: deleted

    Council General Approach: 3.b) an enterprise or an organisation employing fewer than 250 persons is processing personal data only as an activity ancillary to its main activities. Each Member State may lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State.

  • 4. 
    Commission proposal: The supervisory authority shall impose a fine up to 250 000 EUR, or in case of an enterprise up to 0,5 % of its annual worldwide turnover, to anyone who, intentionally or negligently:

    EP Position: deleted

    Council General Approach: 4. The exercise by the supervisory authority shall impose a fine up to 250 000 EUR, or in case of an enterprise up to 0,5 % of its annual worldwide turnover, to anyone who, intentionally or negligently: of its powers under this Article shall be subject to appropriate procedural safeguards in conformity with Union law and Member State law, including effective judicial remedy and due process.

(a) does not provide the mechanisms for requests by data subjects or does not respond promptly or not in the required format to data subjects pursuant to Articles 12(1) and (2); [EP Position: deleted; Council General Approach: deleted]

(b) charges a fee for the information or for responses to the requests of data subjects in violation of Article 12(4). [EP Position: deleted; Council General Approach: deleted]

  • 5. 
    Commission proposal: The supervisory authority shall impose a fine up to 500 000 EUR, or in case of an enterprise up to 1 % of its annual worldwide turnover, to anyone who, intentionally or negligently:

    EP Position: deleted

    Council General Approach: 5. The supervisory authority shall impose a fine up to 500 000 EUR, or in case of an enterprise up to 1 % of its annual worldwide turnover, to anyone who, intentionally or negligently: Member States may abstain from providing rules for administrative fines as referred to in paragraphs 1, 2 and 3 of Article 79a where their legal system does not provide for administrative fines and the infringements referred to therein are already subject to criminal sanctions in their national law by [date referred to in Article 91(2)], while ensuring that these criminal sanctions are effective, proportionate and dissuasive, taking into account the level of administrative fines provided for in this Regulation.

    Where they so decide, Member States shall notify, to the Commission, the relevant parts of their criminal law.

(a) does not provide the information, or does provide incomplete information, or does not provide the information in a sufficiently transparent manner, to the data subject pursuant to Article 11, Article 12(3) and Article 14; [EP Position: deleted; Council General Approach: deleted]

(b) does not provide access for the data subject or does not rectify personal data pursuant to Articles 15 and 16 or does not communicate the relevant information to a recipient pursuant to Article 13; [EP Position: deleted; Council General Approach: deleted]

(c) does not comply with the right to be forgotten or to erasure, or fails to put mechanisms in place to ensure that the time limits are observed or does not take all necessary steps to inform third parties that a data subjects requests to erase any links to, or copy or replication of the personal data pursuant Article 17; [EP Position: deleted; Council General Approach: deleted]

(d) does not provide a copy of the personal data in electronic format or hinders the data subject to transmit the personal data to another application in violation of Article 18; [EP Position: deleted; Council General Approach: deleted]

(e) does not or not sufficiently determine the respective responsibilities with co-controllers pursuant to Article 24; [EP Position: deleted; Council General Approach: deleted]

(f) does not or not sufficiently maintain the documentation pursuant to Article 28, Article 31(4), and Article 44(3); [EP Position: deleted; Council General Approach: deleted]

(g) does not comply, in cases where special categories of data are not involved, pursuant to Articles 80, 82 and 83 with rules in relation to freedom of expression or with rules on the processing in the employment context or with the conditions for processing for historical, statistical and scientific research purposes. [EP Position: deleted; Council General Approach: deleted]

  • 6. 
    The supervisory authority shall impose a fine up to 1 000 000 EUR or, in case of an enterprise up to 2 % of its annual worldwide turnover, to anyone who, intentionally or negligently: [EP Position: deleted; Council General Approach: deleted]

(a) processes personal data without any or sufficient legal basis for the processing or does not comply with the conditions for consent pursuant to Articles 6, 7 and 8; [EP Position: deleted; Council General Approach: deleted]

(b) processes special categories of data in violation of Articles 9 and 81; [EP Position: deleted; Council General Approach: deleted]

(c) does not comply with an objection or the requirement pursuant to Article 19; [EP Position: deleted; Council General Approach: deleted]

(d) does not comply with the conditions in relation to measures based on profiling pursuant to Article 20; [EP Position: deleted; Council General Approach: deleted]

(e) does not adopt internal policies or does not implement appropriate measures for ensuring and demonstrating compliance pursuant to Articles 22, 23 and 30; [EP Position: deleted; Council General Approach: deleted]

(f) does not designate a representative pursuant to Article 25; [EP Position: deleted; Council General Approach: deleted]

(g) processes or instructs the processing of personal data in violation of the obligations in relation to processing on behalf of a controller pursuant to Articles 26 and 27; [EP Position: deleted; Council General Approach: deleted]

(h) does not alert on or notify a personal data breach or does not timely or completely notify the data breach to the supervisory authority or to the data subject pursuant to Articles 31 and 32; [EP Position: deleted; Council General Approach: deleted]

(i) does not carry out a data protection impact assessment pursuant or processes personal data without prior authorisation or prior consultation of the supervisory authority pursuant to Articles 33 and 34; [EP Position: deleted; Council General Approach: deleted]

(j) does not designate a data protection officer or does not ensure the conditions for fulfilling the tasks pursuant to Articles 35, 36 and 37; [EP Position: deleted; Council General Approach: deleted]

(k) misuses a data protection seal or mark in the meaning of Article 39; [EP Position: deleted; Council General Approach: deleted]

(l) carries out or instructs a data transfer to a third country or an international organisation that is not allowed by an adequacy decision or by appropriate safeguards or by a derogation pursuant to Articles 40 to 44; [EP Position: deleted; Council General Approach: deleted]

(m) does not comply with an order or a temporary or definite ban on processing or the suspension of data flows by the supervisory authority pursuant to Article 53(1); [EP Position: deleted; Council General Approach: deleted]

(n) does not comply with the obligations to assist or respond or provide relevant information to, or access to premises by, the supervisory authority pursuant to Article 28(3), Article 29, Article 34(6) and Article 53(2); [EP Position: deleted; Council General Approach: deleted]

(o) does not comply with the rules for safeguarding professional secrecy pursuant to Article 84. [EP Position: deleted; Council General Approach: deleted]

  • 7. 
    Commission proposal: The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of updating the amounts of the administrative fines referred to in paragraphs 4, 5 and 6, taking into account the criteria referred to in paragraph 2.

    EP Position: 7. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of updating the absolute amounts of the administrative fines referred to in paragraphs 4, 5 and 6paragraph 2a, taking into account the criteria and factors referred to in paragraph paragraphs 2 and 2c.

    Council General Approach: deleted

Article 79a

Administrative fines

1. The supervisory authority may impose a fine that shall not exceed 250 000 EUR, or in case of an undertaking 0,5 % of its total worldwide annual turnover of the preceding financial year, on a controller who, intentionally or negligently:

(a) does not respond within the period referred to in Article 12(2) to requests of the data subject;

(b) charges a fee in violation of the first sentence of paragraph 4 of Article 12.

2. The supervisory authority may impose a fine that shall not exceed 500 000 EUR, or in case of an undertaking 1% of its total worldwide annual turnover of the preceding financial year, on a controller or processor who, intentionally or negligently:

(a) does not provide the information, or provides incomplete information, or does not provide the information [timely or] in a [sufficiently] transparent manner, to the data subject pursuant to Articles 12(3), 14 and 14a;

(b) does not provide access for the data subject or does not rectify personal data pursuant to Articles 15 and 16;

(c) does not erase personal data in violation of the right to erasure and 'to be forgotten' pursuant to Article 17(1)(a), 17(1)(b), 17(1)(d) or 17(1)(e)

(d)

(da) processes personal data in violation of the right to restriction of processing pursuant to Article 17a or does not inform the data subject before the restriction of processing is lifted pursuant to Article 17a(4);

(db) does not communicate any rectification, erasure or restriction of processing to each recipient to whom the controller has disclosed personal data, in violation of Article 17b;

(dc) does not provide the data subject’s personal data concerning him or her in violation of Article 18;

(dd) processes personal data after the objection of the data subject pursuant to Article 19(1) and does not demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims;

(de) does not provide the data subject with information concerning the right to object processing for direct marketing purposes pursuant to Article 19(2) or continues to process data for direct marketing purposes after the objection of the data subject in violation of Article 19(2a);

(e) does not or not sufficiently determine the respective responsibilities with joint controllers pursuant to Article 24;

(f) does not or not sufficiently maintain the documentation pursuant to Article 28 and Article 31(4).

3. The supervisory authority may impose a fine that shall not exceed 1 000 000 EUR or, in case of an undertaking, 2 % of its total worldwide annual turnover of the preceding financial year, on a controller or processor who, intentionally or negligently:

(a) processes personal data without a legal basis for the processing or does not comply with the conditions for consent pursuant to Articles 6, 7, 8 and 9;

(b)

(c)

(d) does not comply with the conditions in relation to automated individual decision making, including profiling pursuant to Article 20;

(da) does not implement appropriate measures or is not able to demonstrate compliance pursuant to Articles 22 and 3;

(db) does not designate a representative in violation of Article 2;

(dc) processes or instructs the processing of personal data in violation of Articles 26;

(dd) does not alert on or notify a personal data breach or does not [timely or] completely notify the data breach to the supervisory authority or to the data subject in violation of Articles 31 and 32;

(de) does not carry out a data protection impact assessment in violation of Article 33 or processes personal data without prior consultation of the supervisory authority in violation of Article 34(2);

(e)

(f) misuses a data protection seal or mark in the meaning of Article 39 or does not comply with the conditions and procedures laid down in Articles 38a and 39a;

(g) carries out or instructs a data transfer to a recipient in a third country or an international organisation in violation of Articles 41 to 44;

(h) does not comply with an order or a temporary or definite limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 53 (1b) or does not provide access in violation of Article 53(1);

3a. If a controller or processor intentionally or negligently violates several provisions of this Regulation listed in paragraphs 1, 2 or 3, the total amount of the fine may not exceed the amount specified for the gravest violation.

Article 79b

Penalties

1. For infringements of this Regulation in particular for infringements which are not subject to administrative fines pursuant to Article 79a Member States shall lay down the rules on penalties applicable to such infringements and shall take all measures necessary to ensure that they are implemented. Such penalties shall be effective, proportionate and dissuasive.

2.

3. Each Member State shall notify to the Commission those provisions of its law which it adopts pursuant to paragraph 1, by the date specified in Article 91(2) at the latest and, without delay, any subsequent amendment affecting them.

CHAPTER IX

PROVISIONS RELATING TO SPECIFIC DATA PROCESSING SITUATIONS

Article 80

Commission proposal: Processing of personal data and freedom of expression

EP Position: Processing of personal data and freedom of expression

Council General Approach: Processing of personal data and freedom of expression and information

Amendment 189

  • 1. 
    Commission proposal: Member States shall provide for exemptions or derogations from the provisions on the general principles in Chapter II, the rights of the data subject in Chapter III, on controller and processor in Chapter IV, on the transfer of personal data to third countries and international organisations in Chapter V, the independent supervisory authorities in Chapter VI and on co-operation and consistency in Chapter VII for the processing of personal data carried out solely for journalistic purposes or the purpose of artistic or literary expression in order to reconcile the right to the protection of personal data with the rules governing freedom of expression.

    EP Position: 1. Member States shall provide for exemptions or derogations from the provisions on the general principles in Chapter II, the rights of the data subject in Chapter III, on controller and processor in Chapter IV, on the transfer of personal data to third countries and international organisations in Chapter V, the independent supervisory authorities in Chapter VI, on co-operation and consistency in Chapter VII for the processing of personal data carried out solely for journalistic purposes or the purpose of artistic or literary expression and specific data processing situations in this Chapter IX whenever this is necessary in order to reconcile the right to the protection of personal data with the rules governing freedom of expression in accordance with the Charter of Fundamental Rights of the European Union.

    Council General Approach: 1. The national law of the Member States shall provide for exemptions or derogations from the provisions on the general principles in Chapter II, reconcile the rights of the data subject in Chapter III, on controller and processor in Chapter IV, on to the transfer protection of personal data pursuant to this Regulation to third countries and international organisations in Chapter V, the independent supervisory authorities in Chapter VI and on co-operation and consistency in Chapter VII for with the right to freedom of expression and information, including the processing of personal data carried out solely for journalistic purposes and or the purposes of academic, artistic or literary expression in order to reconcile the right to the protection of personal data with the rules governing freedom of expression.

  • 2. 
    Commission proposal: Each Member State shall notify to the Commission those provisions of its law which it has adopted pursuant to paragraph 1 by the date specified in Article 91(2) at the latest and, without delay, any subsequent amendment law or amendment affecting them.

    EP Position: 2. Each Member State shall notify to the Commission those provisions of its law which it has adopted pursuant to paragraph 1 by the date specified in Article 91(2) at the latest and, without delay, any subsequent amendment law or amendment affecting them.

    Council General Approach: 2. For the processing of personal data carried out for journalistic purposes or the purpose of academic artistic or literary expression, Member States shall provide for exemptions or derogations from the provisions in Chapter II (principles), Chapter III (rights of the data subject), Chapter IV (controller and processor), Chapter V (transfer of personal data to third countries or international organizations), Chapter VI (independent supervisory authorities), Chapter VII (co-operation and consistency) if they are necessary to reconcile the right to the protection of personal data with the freedom of expression and information.

Amendment 190

Article 80a (new)

Access to documents

1. Personal data in documents held by a public authority or a public body may be disclosed by this authority or body in accordance with Union or Member State legislation regarding public access to official documents, which reconciles the right to the protection of personal data with the principle of public access to official documents.

2. Each Member State shall notify to the Commission provisions of its law which it adopts pursuant to paragraph 1 by the date specified in Article 91(2) at the latest and, without delay, any subsequent amendment affecting them.

Article 80a

Processing of personal data and public access to official documents

Personal data in official documents held by a public authority or a public body or a private body for the performance of a task carried out in the public interest may be disclosed by the authority or body in accordance with Union law or Member State law to which the public authority or body is subject in order to reconcile public access to official documents with the right to the protection of personal data pursuant to this Regulation.

Article 80aa

Processing of personal data and reuse of public sector information

Personal data in public sector information held by a public authority or a public body or a private body for the performance of a task carried out in the public interest may be disclosed by the authority or body in accordance with Union law or Member State law to which the public authority or body is subject in order to reconcile the reuse of such official documents and public sector information with the right to the protection of personal data pursuant to this Regulation.

Article 80b

Processing of national identification number

Member States may determine the specific conditions for the processing of a national identification number or any other identifier of general application. In this case the national identification number or any other identifier of general application shall be used only under appropriate safeguards for the rights and freedoms of the data subject pursuant to this Regulation.

Article 81

Commission proposal: Processing of personal data concerning health

EP Position: Processing of personal data concerning health

Council General Approach: Processing of personal data concerning for health-related purposes

Amendment 191

  • 1. 
    Commission proposal: Within the limits of this Regulation and in accordance with point (h) of Article 9(2), processing of personal data concerning health must be on the basis of Union law or Member State law which shall provide for suitable and specific measures to safeguard the data subject's legitimate interests, and be necessary for:

    EP Position: 1. Within the limits of In accordance with the rules set out in this Regulation and in accordance, in particular with point (h) of Article 9(2), processing of personal data concerning health must be on the basis of Union law or Member State law which shall provide for suitable, consistent, and specific measures to safeguard the data subject's legitimate interests, and be fundamental rights, to the extent that these are necessary and proportionate, and of which the effects shall be foreseeable by the data subject, for:

    Council General Approach: deleted

Commission proposal: (a) the purposes of preventive or occupational medicine, medical diagnosis, the provision of care or treatment or the management of health-care services, and where those data are processed by a health professional subject to the obligation of professional secrecy or another person also subject to an equivalent obligation of confidentiality under Member State law or rules established by national competent bodies; or

EP Position: (a) the purposes of preventive or occupational medicine, medical diagnosis, the provision of care or treatment or the management of health-care services, and where those data are processed by a health professional subject to the obligation of professional secrecy or another person also subject to an equivalent obligation of confidentiality under Member State law or rules established by national competent bodies; or

Council General Approach: deleted

Commission proposal: (b) reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety, inter alia for medicinal products or medical devices; or

EP Position: (b) reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety, inter alia for medicinal products or medical devices, and if the processing is carried out by a person bound by a confidentiality obligation; or

Council General Approach: deleted

Commission proposal: (c) other reasons of public interest in areas such as social protection, especially in order to ensure the quality and cost-effectiveness of the procedures used for settling claims for benefits and services in the health insurance system.

EP Position: (c) other reasons of public interest in areas such as social protection, especially in order to ensure the quality and cost-effectiveness of the procedures used for settling claims for benefits and services in the health insurance system and the provision of health services. Such processing of personal data concerning health for reasons of public interest shall not result in data being processed for other purposes, unless with the consent of the data subject or on the basis of Union or Member State law.

Council General Approach: deleted

1a. When the purposes referred to in points (a) to (c) of paragraph 1 can be achieved without the use of personal data, such data shall not be used for those purposes, unless based on the consent of the data subject or Member State law.

1b. Where the data subject's consent is required for the processing of medical data exclusively for public health purposes of scientific research, the consent may be given for one or more specific and similar researches. However, the data subject may withdraw the consent at any time.

1c. For the purpose of consenting to the participation in scientific research activities in clinical trials, the relevant provisions of Directive 2001/20/EC of the European Parliament and of the Council¹ shall apply.

¹ Directive 2001/20/EC of the European Parliament and of the Council of 4 April 2001 on the approximation of the laws, regulations and administrative provisions of the Member States relating to the implementation of good clinical practices in the conduct of clinical trials on medicinal products for human use (OJ L121, 1.5.2001, p.34)

  • 2. 
    Commission proposal: Processing of personal data concerning health which is necessary for historical, statistical or scientific research purposes, such as patient registries set up for improving diagnoses and differentiating between similar types of diseases and preparing studies for therapies, is subject to the conditions and safeguards referred to in Article 83.

    EP Position: 2. Processing of personal data concerning health which is necessary for historical, statistical or scientific research purposes, such as patient registries set up for improving diagnoses and differentiating between similar types of diseases and preparing studies for therapies, is shall be permitted only with the consent of the data subject, and shall be subject to the conditions and safeguards referred to in Article 83.

    Council General Approach: deleted

    2a. Member States law may provide for exceptions to the requirement of consent for research, as referred to in paragraph 2, with regard to research that serves a high public interest, if that research cannot possibly be carried out otherwise. The data in question shall be anonymised, or if that is not possible for the research purposes, pseudonymised under the highest technical standards, and all necessary measures shall be taken to prevent unwarranted reidentification of the data subjects. However, the data subject shall have the right to object at any time in accordance with Article 19.

  • 3. 
    Commission proposal: The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying other reasons of public interest in the area of public health as referred to in point (b) of paragraph 1, as well as criteria and requirements for the safeguards for the processing of personal data for the purposes referred to in paragraph 1.

    EP Position: 3. The Commission shall be empowered to adopt, after requesting an opinion of the European Data Protection Board, delegated acts in accordance with Article 86 for the purpose of further specifying other reasons of public interest in the area of public health as referred to in point (b) of paragraph 1, as well as criteria and requirements for the safeguards for the processing of personal data for the purposes referred to in paragraph 1 and high public interest in the area of research as referred to in paragraph 2a.

    Council General Approach: deleted

    3a. Each Member State shall notify to the Commission those provisions of its law which it adopts pursuant to paragraph 1, by the date specified in Article 91(2) at the latest and, without delay, any subsequent amendment affecting them.

Article 82

Commission proposal: Processing in the employment context

EP Position: Minimum standards for processing data in the employment context

Council General Approach: Processing in the employment context

Amendment 192

  • 1. 
    Commission proposal: Within the limits of this Regulation, Member States may adopt by law specific rules regulating the processing of employees' personal data in the employment context, in particular for the purposes of the recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organisation of work, health and safety at work, and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship.

    EP Position: 1. Within the limits of this Regulation, Member States may, in accordance with the rules set out in this Regulation, and taking into account the principle of proportionality, adopt by law provisions specific rules regulating the processing of employees' personal data in the employment context, in particular for but not limited to the purposes of the recruitment and job applications within the group of undertakings, the performance of the contract of employment, including discharge of obligations laid down by law or and by collective agreements, in accordance with national law and practice, management, planning and organisation of work, health and safety at work, and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship. Member States may allow for collective agreements to further specify the provisions set out in this Article.

    Council General Approach: 1. Within the limits of this Regulation, Member States may adopt by law specific rules or by collective agreements, provide for more specific rules to ensure the legal protection of the rights and freedoms in respect of regulating the processing of employees' personal data in the employment context, in particular for the purposes of the recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organisation of work, equality and diversity in the workplace, health and safety at work, protection of employer’s or customer’s property and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship.

1a. The purpose of processing such data must be linked to the reason it was collected for and stay within the context of employment. Profiling or use for secondary purposes shall not be allowed.

1b. Consent of an employee shall not provide a legal basis for the processing of data by the employer when the consent has not been given freely.

1c. Notwithstanding the other provisions of this Regulation, the legal provisions of Member States referred to in paragraph 1 shall include at least the following minimum standards:

(a) the processing of employee data without the employees' knowledge shall not be permitted. Notwithstanding the first sentence, Member States may, by law, provide for the admissibility of this practice, by setting appropriate deadlines for the deletion of data, providing there exists a suspicion based on factual indications that must be documented that the employee has committed a crime or serious dereliction of duty in the employment context, providing also the collection of data is necessary to clarify the matter and providing finally the nature and extent of this data collection are necessary and proportionate to the purpose for which it is intended. The privacy and private lives of employees shall be protected at all times. The investigation shall be carried out by the competent authority;

(b) the open optical-electronic and/or open acoustic-electronic monitoring of parts of an undertaking which are not accessible to the public and are used primarily by employees for private activities, especially in bathrooms, changing rooms, rest areas, and bedrooms, shall be prohibited. Clandestine surveillance shall be inadmissible under all circumstances;

(c) where undertakings or authorities collect and process personal data in the context of medical examinations and/or aptitude tests, they must explain to the applicant or employee beforehand the purpose for which these data are being used, and ensure that afterwards they are provided with these those data together with the results, and that they receive an explanation of their significance on request. Data collection for the purpose of genetic testing and analyses shall be prohibited as a matter of principle;

(d) whether and to what extent the use of telephone, e-mail, internet and other telecommunications services shall also be permitted for private use may be regulated by collective agreement. Where there is no regulation by collective agreement, the employer shall reach an agreement on this matter directly with the employee. In so far as private use is permitted, the processing of accumulated traffic data shall be permitted in particular to ensure data security, to ensure the proper operation of telecommunications networks and telecommunications services and for billing purposes.

Notwithstanding the third sentence, Member States may, by law, provide for the admissibility of this practice, by setting appropriate deadlines for the deletion of data, providing there exists a suspicion based on factual indications that must be documented that the employee has committed a crime or serious dereliction of duty in the employment context, providing also the collection of data is necessary to clarify the matter and providing finally the nature and extent of this data collection are necessary and proportionate to the purpose for which it is intended. The privacy and private lives of employees shall be protected at all times. The investigation shall be carried out by the competent authority;

(e) workers’ personal data, especially sensitive data such as political orientation and membership of and activities in trade unions, may under no circumstances be used to put workers on so-called ‘blacklists’, and to vet or bar them from future employment. The processing, the use in the employment context, the drawing-up and passing-on of blacklists of employees or other forms of discrimination shall be prohibited. Member States shall conduct checks and adopt adequate sanctions in accordance with Article 79(6) to ensure effective implementation of this point.

1d. Transmission and processing of personal employee data between legally independent undertakings within a group of undertakings and with professionals providing legal and tax advice shall be permitted, providing it is relevant to the operation of the business and is used for the conduct of specific operations or administrative procedures and is not contrary to the interests and fundamental rights of the person concerned which are worthy of protection. Where employee data are transmitted to a third country and/or to an international organization, Chapter V shall apply.

Commission proposal: 2. Each Member State shall notify to the Commission those provisions of its law which it adopts pursuant to paragraph 1, by the date specified in Article 91(2) at the latest and, without delay, any subsequent amendment affecting them.

EP Position / First Reading: 2. Each Member State shall notify to the Commission those provisions of its law which it adopts pursuant to paragraph paragraphs 1 and 1b, by the date specified in Article 91(2) at the latest and, without delay, any subsequent amendment affecting them.

Council General Approach: 2. Each Member State shall notify to the Commission those provisions of its law which it adopts pursuant to paragraph 1, by the date specified in Article 91(2) at the latest and, without delay, any subsequent amendment affecting them.

Commission proposal: 3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the safeguards for the processing of personal data for the purposes referred to in paragraph 1.

EP Position / First Reading: 3. The Commission shall be empowered, after requesting an opinion from the European Data Protection Board, to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the safeguards for the processing of personal data for the purposes referred to in paragraph 1.

Council General Approach: 3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the safeguards for the processing of personal data for the purposes referred to in paragraph 1 Member States may by law determine the conditions under which personal data in the employment context may be processed on the basis of the consent of the employee.

Amendment 193

Article 82a

Processing in the social security context

1. Member States may, in accordance with the rules set out in this Regulation, adopt specific legislative rules particularising the conditions for the processing of personal data by their public institutions and departments in the social security context if carried out in the public interest.

2. Each Member State shall notify to the Commission those provisions which it adopts pursuant to paragraph 1, by the date specified in Article 91(2) at the latest and, without delay, any subsequent amendment affecting them.

Article 83

Commission proposal: Processing for historical, statistical and scientific research purposes

EP Position / First Reading: Processing for historical, statistical and scientific research purposes

Council General Approach: Derogations applying to Pprocessing of personal data for archiving purposes in the public interest or for, historical, statistical and scientific, research statistical and historical purposes

Amendment 194

Commission proposal: 1. Within the limits of this Regulation, personal data may be processed for historical, statistical or scientific research purposes only if:

EP Position / First Reading: 1. Within the limits of In accordance with the rules set out in this Regulation, personal data may be processed for historical, statistical or scientific research purposes only if:

Council General Approach: 1. Within the limits of this Regulation, Where personal data may be are processed for scientific, statistical or historical, statistical or scientific research purposes only if: Union or Member State law may, subject to appropriate safeguards for the rights and freedoms of the data subject, provide for derogations from Articles 14a(1) and (2), 15, 16, 17, 17a, 17b, 18 and 19, insofar as such derogation is necessary for the fulfilment of the specific purposes.

Commission proposal: (a) these purposes cannot be otherwise fulfilled by processing data which does not permit or not any longer permit the identification of the data subject;

EP Position / First Reading: (a) these purposes cannot be otherwise fulfilled by processing data which does not permit or not any longer permit the identification of the data subject;

Council General Approach: deleted

1a. Where personal data are processed for archiving purposes in the public interest, Union or Member State law may, subject to appropriate safeguards for the rights and freedoms of the data subject, provide for derogations from Articles 14a(1) and (2), 15, 16, 17, 17a, 17b, 18, 19, 23, 32, 33 and 53 (1b)(d) and (e), insofar as such derogation is necessary for the fulfilment of these purposes.

Commission proposal: (b) data enabling the attribution of information to an identified or identifiable data subject is kept separately from the other information as long as these purposes can be fulfilled in this manner.

EP Position / First Reading: (b) data enabling the attribution of information to an identified or identifiable data subject is kept separately from the other information as long as these purposes can be fulfilled in this manner under the highest technical standards, and all necessary measures are taken to prevent unwarranted re-identification of the data subjects.

Council General Approach: deleted

1b. In case a type of processing referred to in paragraphs 1 and 1a serves at the same time another purpose, the derogations allowed for apply only to the processing for the purposes referred to in those paragraphs

Commission proposal: 2. Bodies conducting historical, statistical or scientific research may publish or otherwise publicly disclose personal data only if:

EP Position / First Reading: deleted

Council General Approach: 2. Bodies conducting historical, statistical or scientific research may publish or otherwise publicly disclose personal data only if: The appropriate safeguards referred to in paragraphs 1 and 1a shall be laid down in Union or Member State law and be such to ensure that technological and/or organisational protection measures pursuant to this Regulation are applied to the personal data, to minimise the processing of personal data in pursuance of the proportionality and necessity principles, such as pseudonymising the data, unless those measures prevent achieving the purpose of the processing and such purpose cannot be otherwise fulfilled within reasonable means.

Commission proposal: (a) the data subject has given consent, subject to the conditions laid down in Article 7;

EP Position / First Reading: deleted

Council General Approach: deleted

Commission proposal: (b) the publication of personal data is necessary to present research findings or to facilitate research insofar as the interests or the fundamental rights or freedoms of the data subject do not override these interests; or

EP Position / First Reading: deleted

Council General Approach: deleted

Commission proposal: (c) the data subject has made the data public.

EP Position / First Reading: deleted

Council General Approach: deleted

Commission proposal: 3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the processing of personal data for the purposes referred to in paragraph 1 and 2 as well as any necessary limitations on the rights of information to and access by the data subject and detailing the conditions and safeguards for the rights of the data subject under these circumstances.

EP Position / First Reading: deleted

Council General Approach: deleted

Amendment 195

Article 83a

Processing of personal data by archive services

1. Once the initial processing for which they were collected has been completed, personal data may be processed by archive services whose main or mandatory task is to collect, conserve, provide information about, exploit and disseminate archives in the public interest, in particular in order to substantiate individuals’ rights or for historical, statistical or scientific research purposes. These tasks shall be carried out in accordance with the rules laid down by Member States concerning access to and the release and dissemination of administrative or archive documents and in accordance with the rules set out in this Regulation, specifically with regard to consent and the right to object.

2. Each Member State shall notify to the Commission provisions of its law which it adopts pursuant to paragraph 1 by the date specified in Article 91(2) at the latest and, without delay, any subsequent amendment affecting them.

Article 84

Obligations of secrecy

Amendment 196

Commission proposal: 1. Within the limits of this Regulation, Member States may adopt specific rules to set out the investigative powers by the supervisory authorities laid down in Article 53(2) in relation to controllers or processors that are subjects under national law or rules established by national competent bodies to an obligation of professional secrecy or other equivalent obligations of secrecy, where this is necessary and proportionate to reconcile the right of the protection of personal data with the obligation of secrecy. These rules shall only apply with regard to personal data which the controller or processor has received from or has obtained in an activity covered by this obligation of secrecy.

EP Position / First Reading: 1. Within the limits of In accordance with the rules set out in this Regulation, Member States may adopt shall ensure that specific rules to set are in place setting out the investigative powers by the supervisory authorities laid down in Article 53(2) in relation to controllers or processors that are subjects under national law or rules established by national competent bodies to an obligation of professional secrecy or other equivalent obligations of secrecy, where this is necessary and proportionate to reconcile the right of the protection of personal data with the obligation of secrecy. These rules shall only apply with regard to personal data which the controller or processor has received from or has obtained in an activity covered by this obligation of secrecy.

Council General Approach: 1. Within the limits of this Regulation, Member States may adopt specific rules to set out the investigative powers by the supervisory authorities laid down in points (da) and (db) of Article 53(21) in relation to controllers or processors that are subjects under national Union or Member State law or rules established by national competent bodies to an obligation of professional secrecy or other equivalent obligations of secrecy or to a code of professional ethics supervised and enforced by professional bodies, where this is necessary and proportionate to reconcile the right of the protection of personal data with the obligation of secrecy. These rules shall only apply with regard to personal data which the controller or processor has received from or has obtained in an activity covered by this obligation of secrecy.

Commission proposal, EP Position / First Reading and Council General Approach: 2. Each Member State shall notify to the Commission the rules adopted pursuant to paragraph 1, by the date specified in Article 91(2) at the latest and, without delay, any subsequent amendment affecting them.

Article 85

Existing data protection rules of churches and religious associations

Amendment 197

Commission proposal: 1. Where in a Member State, churches and religious associations or communities apply, at the time of entry into force of this Regulation, comprehensive rules relating to the protection of individuals with regard to the processing of personal data, such rules may continue to apply, provided that they are brought in line with the provisions of this Regulation.

EP Position / First Reading: 1. Where in a Member State, churches and religious associations or communities apply, at the time of entry into force of this Regulation, comprehensive adequate rules relating to the protection of individuals with regard to the processing of personal data, such rules may continue to apply, provided that they are brought in line with the provisions of this Regulation.

Council General Approach: 1. Where in a Member State, churches and religious associations or communities apply, at the time of entry into force of this Regulation, comprehensive rules relating to the protection of individuals with regard to the processing of personal data, such rules may continue to apply, provided that they are brought in line with the provisions of this Regulation.

Commission proposal: 2. Churches and religious associations which apply comprehensive rules in accordance with paragraph 1 shall provide for the establishment of an independent supervisory authority in accordance with Chapter VI of this Regulation.

EP Position / First Reading: 2. Churches and religious associations which apply comprehensive adequate rules in accordance with paragraph 1 shall provide for the establishment of an independent supervisory authority in accordance with Chapter VI of this Regulation obtain a compliance opinion pursuant to Article 38.

Council General Approach: 2. Churches and religious associations which apply comprehensive rules in accordance with paragraph 1, shall be subject to the control provide for the establishment of an independent supervisory authority which may be specific, provided that fulfils the conditions laid down in accordance with Chapter VI of this Regulation.

Amendment 198

Article 85a (new)

Respect of fundamental rights

This Regulation shall not have the effect of modifying the obligation to respect fundamental rights and fundamental legal principles as enshrined in Article 6 of the TEU.

Amendment 199

Article 85b (new)

Standard Forms

1. The Commission may, taking into account the specific features and necessities of various sectors and data processing situations, lay down standard forms for:

(a) specific methods to obtain verifiable consent referred to in Article 8(1),

(b) the communication referred to in Article 12(2), including the electronic format,

(c) providing the information referred to in paragraphs 1 to 3 of Article 14,

(d) requesting and granting access to the information referred to in Article 15(1), including for communicating the personal data to the data subject,

(e) documentation referred to in paragraph 1 of Article 28,

(f) breach notifications pursuant to Article 31 to the supervisory authority and the documentation referred to in Article 31(4),

(g) prior consultations referred to in Article 34, and for informing the supervisory authorities pursuant to Article 34(6).

2. In doing so, the Commission shall take the appropriate measures for micro, small and medium-sized enterprises.

3. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

CHAPTER X

DELEGATED ACTS AND IMPLEMENTING ACTS

Article 86

Exercise of the delegation

Commission proposal, EP Position / First Reading and Council General Approach: 1. The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article.

Amendment 200

Commission proposal: 2. The delegation of power referred to in Article 6(5), Article 8(3), Article 9(3), Article 12(5), Article 14(7), Article 15(3), Article 17(9), Article 20(6), Article 22(4), Article 23(3), Article 26(5), Article 28(5), Article 30(3), Article 31(5), Article 32(5), Article 336), Article 34(8), Article 35(11), Article 37(2), Article 39(2), Article 43(3), Article 44(7), Article 79(6), Article 81(3), Article 82(3) and Article 83(3) shall be conferred on the Commission for an indeterminate period of time from the date of entry into force of this Regulation.

EP Position / First Reading: 2. The delegation of power power to adopt delegated acts referred to in Article 6(5), Article 8(3), Article 9(3), Article 12(5), Article 14(7), Article 15(3), Article 13a(5), Article 17(9), Article 20(6), Article 22(4), Article 23(3), Article 26(5), Article 28(5), Article 30(3), Article 31(5), Article 32(5), Article 336), Article 34(8), Article 35(11), Article 37(2), Article 38(4), Article 39(2), Article 41(3), Article 41(5), Article 43(3), Article 44(7), Article 79(6) Article 79(7), Article 81(3), and Article 82(3) and Article 83(3) shall be conferred on the Commission for an indeterminate period of time from the date of entry into force of this Regulation.

Council General Approach: 2. The delegation of power referred to in Article 6(5), Article 8(3), Article 9(3), Article 12(5), Article 14(7), Article 15(3), Article 17(9), Article 20(6), Article 22(4), Article 23(3), Article 26(5), Article 28(5), Article 30(3), Article 31(5), Article 32(5), Article 336), Article 34(8), Article 35(11), Article 37(2), Article 39a(27), Article 43(3), Article 44(7), Article 79(6), Article 81(3), Article 82(3) and Article 83(3) shall be conferred on the Commission for an indeterminate period of time from the date of entry into force of this Regulation.

Amendment 201

Commission proposal: 3. The delegation of power referred to in Article 6(5), Article 8(3), Article 9(3), Article 12(5), Article 14(7), Article 15(3), Article 17(9), Article 20(6), Article 22(4), Article 23(3), Article 26(5), Article 28(5), Article 30(3), Article 31(5), Article 32(5), Article 33(6), Article 34(8), Article 35(11), Article 37(2), Article 39(2), Article 43(3), Article 44(7), Article 79(6), Article 81(3), Article 82(3) and Article 83(3) may be revoked at any time by the European Parliament or by the Council. A decision of revocation shall put an end to the delegation of power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.

EP Position / First Reading: 3. The delegation of power referred to in Article 6(5), Article 8(3), Article 9(3), Article 12(5), Article 14(7), Article 15(3), Article 13a(5), Article 17(9), Article 20(6), Article 22(4), Article 23(3), Article 26(5), Article 28(5), Article 30(3), Article 31(5), Article 32(5), Article 33(6), Article 34(8), Article 35(11), Article 37(2), Article 38(4), Article 39(2), Article 41(3), Article 41(5), Article 43(3), Article 44(7), Article 79(6) Article 79(7), Article 81(3), and Article 82(3) and Article 83(3) may be revoked at any time by the European Parliament or by the Council. A decision of revocation to revoke shall put an end to the delegation of power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.

Council General Approach: 3. The delegation of power referred to in Article 6(5), Article 8(3), Article 9(3), Article 12(5), Article 14(7), Article 15(3), Article 17(9), Article 20(6), Article 22(4), Article 23(3), Article 26(5), Article 28(5), Article 30(3), Article 31(5), Article 32(5), Article 33(6), Article 34(8), Article 35(11), Article 37(2), Article 39a(27), Article 43(3), Article 44(7), Article 79(6), Article 81(3), Article 82(3) and Article 83(3) may be revoked at any time by the European Parliament or by the Council. A decision of revocation shall put an end to the delegation of power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.

Commission proposal, EP Position / First Reading and Council General Approach: 4. As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council.

    Amendment 202

Commission proposal: 5. A delegated act adopted pursuant to Article 6(5), Article 8(3), Article 9(3), Article 12(5), Article 14(7), Article 15(3), Article 17(9), Article 20(6), Article 22(4), Article 23(3), Article 26(5), Article 28(5), Article 30(3), Article 31(5), Article 32(5), Article 33(6), Article 34(8), Article 35(11), Article 37(2), Article 39(2), Article 43(3), Article 44(7), Article 79(6), Article 81(3), Article 82(3) and Article 83(3) shall enter into force only if no objection has been expressed either by the European Parliament or the Council within a period of two months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by two months at the initiative of the European Parliament or the Council.

EP Position / First Reading: 5. A delegated act adopted pursuant to Article 6(5), Article 8(3), Article 9(3), Article 12(5), Article 14(7), Article 15(3), Article 13a(5), Article 17(9), Article 20(6), Article 22(4), Article 23(3), Article 26(5), Article 28(5), Article 30(3), Article 31(5), Article 32(5), Article 33(6), Article 34(8), Article 35(11), Article 37(2), Article 38(4), Article 39(2), Article 41(3), Article 41(5), Article 43(3), Article 44(7), Article 79(6), Article 79(7), Article 81(3), and Article 82(3) and Article 83(3) shall enter into force only if no objection has been expressed either by the European Parliament or the Council within a period of two six months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by two six months at the initiative of the European Parliament or of the Council.

Council General Approach: 5. A delegated act adopted pursuant to Article 6(5), Article 8(3), Article 9(3), Article 12(5), Article 14(7), Article 15(3), Article 17(9), Article 20(6), Article 22(4), Article 23(3), Article 26(5), Article 28(5), Article 30(3), Article 31(5), Article 32(5), Article 33(6), Article 34(8), Article 35(11), Article 37(2), Article 39a(27), Article 43(3), Article 44(7), Article 79(6), Article 81(3), Article 82(3) and Article 83(3) shall enter into force only if no objection has been expressed either by the European Parliament or the Council within a period of two months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by two months at the initiative of the European Parliament or the Council.

Article 87

Committee procedure

Commission proposal, EP Position / First Reading and Council General Approach: 1. The Commission shall be assisted by a committee. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011.

Commission proposal, EP Position / First Reading and Council General Approach: 2. Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply.

    Amendment 203

Commission proposal: 3. Where reference is made to this paragraph, Article 8 of Regulation (EU) No 182/2011, in conjunction with Article 5 thereof, shall apply.

EP Position / First Reading: deleted

Council General Approach: 3. Where reference is made to this paragraph, Article 8 of Regulation (EU) No 182/2011, in conjunction with Article 5 thereof, shall apply.

CHAPTER XI

FINAL PROVISIONS

Article 88

Repeal of Directive 95/46/EC

Commission proposal, EP Position / First Reading and Council General Approach: 2. References to the repealed Directive shall be construed as references to this Regulation. References to the Working Party on the Protection of Individuals with regard to the Processing of Personal Data established by Article 29 of Directive 95/46/EC shall be construed as references to the European Data Protection Board established by this Regulation.

Article 89

Relationship to and amendment of Directive 2002/58/EC

Commission proposal, EP Position / First Reading and Council General Approach: 1. This Regulation shall not impose additional obligations on natural or legal persons in relation to the processing of personal data in connection with the provision of publicly available electronic communications services in public communication networks in the Union in relation to matters for which they are subject to specific obligations with the same objective set out in Directive 2002/58/EC.

    Amendment 204

Commission proposal: 2. Article 1(2) of Directive 2002/58/EC shall be deleted.

EP Position / First Reading: 2. Article Articles 1(2), 4 and 15 of Directive 2002/58/EC shall be deleted.

Council General Approach: deleted

Amendment 205

2a. The Commission shall present, without delay and by the date referred to in Article 91(2) at the latest, a proposal for the revision of the legal framework for the processing of personal data and the protection of privacy in electronic communications, in order to align the law with this Regulation and ensure consistent and uniform legal provisions on the fundamental right to protection of personal data in the European Union.

Amendment 206

Article 89a (new)

Relationship to and amendment of Regulation (EC) No 45/2001

1. The rules set out in this Regulation shall apply to the processing of personal data by Union institutions, bodies, offices and agencies in relation to matters for which they are not subject to additional rules set out in Regulation (EC) No 45/2001.

2. The Commission shall present, without delay and by the date specified in Article 91(2) at the latest, a proposal for the revision of the legal framework applicable to the processing of personal data by the Union institutions, bodies, offices and agencies.

Article 89a

Relationship to previously concluded Agreements

International agreements involving the transfer of personal data to third countries or international organisations which were concluded by Member States prior to the entry into force of this Regulation, and which are in compliance with Directive 95/46/EC, shall remain in force until amended, replaced or revoked.

Article 90

Evaluation

Commission proposal and EP Position (identical text): The Commission shall submit reports on the evaluation and review of this Regulation to the European Parliament and the Council at regular intervals. The first report shall be submitted no later than four years after the entry into force of this Regulation. Subsequent reports shall be submitted every four years thereafter. The Commission shall, if necessary, submit appropriate proposals with a view to amending this Regulation, and aligning other legal instruments, in particular taking account of developments in information technology and in the light of the state of progress in the information society. The reports shall be made public.

Council General Approach:

1. The Commission shall submit reports on the evaluation and review of this Regulation to the European Parliament and the Council at regular intervals.

2. In the context of these evaluations the Commission shall examine, in particular, the application and functioning of the provisions of Chapter VII on Co-operation and Consistency.

3. The first report shall be submitted no later than four years after the entry into force of this Regulation. Subsequent reports shall be submitted every four years thereafter. The reports shall be made public.

4. The Commission shall, if necessary, submit appropriate proposals with a view to amending this Regulation, and aligning other legal instruments, in particular taking account of developments in information technology and in the light of the state of progress in the information society. The reports shall be made public.

Article 91

Entry into force and application

  • 1. 
    Commission proposal, EP Position and Council General Approach (identical text): This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

  • 2. 
    Commission proposal: It shall apply from [two years from the date referred to in paragraph 1].

    EP Position: 2. It shall apply from [two years from the date referred to in paragraph 1]…*.

    * OJ: insert the date: two years from the date of entry into force of this Regulation

    Council General Approach: 2. It shall apply from [two years from the date referred to in paragraph 1].

Commission proposal, EP Position and Council General Approach (identical text): This Regulation shall be binding in its entirety and directly applicable in all Member States.

Done at …, Done at Brussels

For the European Parliament For the European Parliament

The President The President

For the Council For the Council

The President The President

Amendment 207

Annex (new)

Presentation of the particulars referred to in Article 13a

1) Having regard to the proportions referred to in point 6, particulars shall be provided as follows:

ICON ESSENTIAL INFORMATION FULFILLED

No personal data are collected beyond the minimum necessary for each specific purpose of the processing

No personal data are retained beyond the minimum necessary for each specific purpose of the processing

No personal data are processed for purposes other than the purposes for which they were collected

No personal data are disseminated to commercial third parties

No personal data are sold or rented out

No personal data are retained in unencrypted form

COMPLIANCE WITH ROWS 1-3 IS REQUIRED BY EU LAW

2) The following words in the rows in the second column of the table in point 1, entitled "ESSENTIAL INFORMATION", shall be formatted as bold:

a) the word "collected" in the first row of the second column;

b) the word "retained" in the second row of the second column;

c) the word "processed" in the third row of the second column;

d) the word "disseminated" in the fourth row of the second column;

e) the word "sold and rented out" in the fifth row of the second column;

f) the word "unencrypted" in the sixth row of the second column.

3) Having regard to the proportions referred to in point 6, the rows in the third column of the table in point 1, entitled "FULFILLED", shall be completed with one of the following two graphical forms in accordance with the conditions laid down under point 4:

a)

b)

4) a) If no personal data are collected beyond the minimum necessary for each specific purpose of the processing, the first row of the third column of the table in point 1 shall entail the graphical form referred to in point 3a.

b) If personal data are collected beyond the minimum necessary for each specific purpose of the processing, the first row of the third column of the table in point 1 shall entail the graphical form referred to in point 3b.

c) If no personal data are retained beyond the minimum necessary for each specific purpose of the processing, the second row of the third column of the table in point 1 shall entail the graphical form referred to in point 3a.

d) If personal data are retained beyond the minimum necessary for each specific purpose of the processing, the second row of the third column of the table in point 1 shall entail the graphical form referred to in point 3b.

e) If no personal data are processed for purposes other than the purposes for which they were collected, the third row of the third column of the table in point 1 shall entail the graphical form referred to in point 3a.

f) If personal data are processed for purposes other than the purposes for which they were collected, the third row of the third column of the table in point 1 shall entail the graphical form referred to in point 3b.

g) If no personal data are disseminated to commercial third parties, the fourth row of the third column of the table in point 1 shall entail the graphical form referred to in point 3a.

h) If personal data are disseminated to commercial third parties, the fourth row of the third column of the table in point 1 shall entail the graphical form referred to in point 3b.

i) If no personal data are sold or rented out, the fifth row of the third column of the table in point 1 shall entail the graphical form referred to in point 3a.

j) If personal data are sold or rented out, the fifth row of the third column of the table in point 1 shall entail the graphical form referred to in point 3b.

k) If no personal data are retained in unencrypted form, the sixth row of the third column of the table in point 1 shall entail the graphical form referred to in point 3a.

l) If personal data are retained in unencrypted form, the sixth row of the third column of the table in point 1 shall entail the graphical form referred to in point 3b.

5) The reference colours of the graphical forms in point 1 in Pantone are Black Pantone No 7547 and Red Pantone No 485. The reference colour of the graphical form in point 3a in Pantone is Green Pantone No 370. The reference colour of the graphical form in point 3b in Pantone is Red Pantone No 485.

6) The proportions given in the following graduated drawing shall be respected, even where the table is reduced or enlarged:

