Topics: General Data Protection Regulation
Organisations: EDRi

European Digital Rights

http://www.edri.org

EDRi's suggested amendments to the Commission's Proposal for a Regulation on the Protection of individuals with regard to the processing of personal data, and the free movement of such data (General Data Protection Regulation)

COM(2012)0011 – C7-0025/2012 – 2012/0011(COD)

Last update: 12/12/2012

Amendments created with

For the originals and additional information, please go to http://www.protectmydata.eu

European Digital Rights

Rue Belliard 20, 1040 Brussels

Tel:+32 2 274 25 70

E-Mail: brussels@edri.org, http://www.edri.org

Amendment 1

Proposal for a regulation Recital 5

Text proposed by the Commission

Amendment

(5) Rapid technological developments and globalisation have brought new challenges for the protection of personal data. The scale of data sharing and collecting has increased spectacularly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Individuals increasingly make personal information available publicly and globally. Technology has transformed both the economy and social life, and requires to further facilitate the free flow of data within the Union and the transfer to third countries and international organisations, while ensuring an high level of the protection of personal data.

(5) Rapid technological developments and globalisation have brought new challenges for the protection of personal data. The scale of data sharing and collection has increased spectacularly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Individuals increasingly make personal information available publicly and globally. Technology has transformed both the economy and social life, and requires improved legal safeguards which will facilitate the free flow of data within the Union and the transfer to third countries and international organisations, ensuring an high level of the protection of personal data.

Or. en

Justification

While the Regulation has two aims – protecting personal data and allowing their free flow within the Union -, the first objective should be stressed more.

Amendment 2

Proposal for a regulation Recital 7

Text proposed by the Commission

Amendment

(7) The objectives and principles of Directive 95/46/EC remain sound, but it has not prevented fragmentation in the way data protection is implemented across the Union, legal uncertainty and a widespread public perception that there are significant risks for the protection of individuals associated notably with online activity. Differences in the level of protection of the rights and freedoms of individuals, notably to the right to the protection of personal data, with regard to the processing of personal data afforded in the Member States may prevent the free flow of personal data throughout the Union. These differences may therefore constitute an obstacle to the pursuit of economic activities at the level of the Union, distort competition and impede authorities in the discharge of their responsibilities under Union law. This difference in levels of protection is due to the existence of differences in the implementation and application of Directive 95/46/EC.

(7) The objectives and principles of Directive 95/46/EC remain sound, but this has not prevented fragmentation in the way data protection is implemented across the Union, legal uncertainty and a widespread public perception that there are significant risks for the protection of individuals associated notably with online activity. Differences in the level of protection of the rights and freedoms of individuals, notably to the right to the protection of personal data, with regard to the processing of personal data afforded in the Member States may prevent the free flow of personal data throughout the Union and inevitably lead to breaches of the fundamental rights to privacy and data protection. These differences may therefore constitute an obstacle to the pursuit of economic activities at the level of the Union, distort competition and impede authorities in the discharge of their responsibilities under Union law. This difference in levels of protection is due to the existence of differences in the implementation and application of Directive 95/46/EC.

Or. en

Justification

Inconsistent application of data protection legislation inevitably leads to restrictions on the fundamental rights of citizens.

Amendment 3

Proposal for a regulation Recital 8

Text proposed by the Commission

Amendment

(8) In order to ensure consistent and high level of protection of individuals and to remove the obstacles to flows of personal data, the level of protection of the rights and freedoms of individuals with regard to the processing of such data should be equivalent in all Member States. Consistent and homogenous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data should be ensured throughout the Union.

(8) In order to ensure consistent and high level of protection of individuals and to remove the obstacles to flows of personal data, the level of protection of the rights and freedoms of individuals with regard to the processing of such data should be equivalent in all Member States and identical where possible. Consistent and homogenous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data should be ensured throughout the Union.

Or. en

Justification

Rules for processing of data are already theoretically “equivalent” in all Member States. The failure of this approach is the logic behind this proposal being a Regulation. This recital should adequately reflect this thinking.

Amendment 4

Proposal for a regulation Recital 9

Text proposed by the Commission

Amendment

(9) Effective protection of personal data throughout the Union requires strengthening and detailing the rights of data subjects and the obligations of those who process and determine the processing of personal data, but also equivalent powers for monitoring and ensuring compliance with the rules for the protection of personal data and equivalent sanctions for offenders in the Member States.

(9) Effective protection of personal data throughout the Union requires strengthening and detailing the rights of data subjects and the obligations of those who process and determine the processing of personal data, but also equivalent powers and technical and operational capacity for monitoring and ensuring compliance with the rules for the protection of personal data and equivalent sanctions for offenders in the Member States.

Or. en

Justification

Strong, independent supervisory authorities are one of the necessary conditions for effective data protection. They should be free from external influence, as confirmed by the ECJ (C-518/07 and C-614/10), and should have the necessary resources – financial and human – to ensure enforcement of data protection legislation. These changes aim to provide supervisory authorities with the independence and resources they need to effectively protect the fundamental right to data protection. Supervisory authorities are needed to ensure enforcement of data protection legislation. As Article 16(2) TFEU states, they shall be independent in the exercise of their duties. Experience with the current framework has shown that this level of independence is not always provided in practice. It should be noted that this should not only be seen as referring to interference by Member States, but also by the Commission. Independence on paper alone is not enough, supervisory authorities also need the means to put their powers into action. This implies a need for appropriate resources and skilled staff, including staff with technical expertise. It is not enough to have the legal powers to implement the legislation properly, technical and operational capacity are also essential.

Amendment 5

Proposal for a regulation Recital 11

Text proposed by the Commission

Amendment

(11) In order to ensure a consistent level of protection for individuals throughout the Union and to prevent divergences hampering the free movement of data within the internal market, a Regulation is necessary to provide legal certainty and transparency for economic operators, including micro, small and medium-sized enterprises, and to provide individuals in all Member States with the same level of legally enforceable rights and obligations and responsibilities for controllers and processors, to ensure consistent monitoring of the processing of personal data, and equivalent sanctions in all Member States as well as effective co-operation by the supervisory authorities of different Member States. To take account of the specific situation of micro, small and medium-sized enterprises, this Regulation includes a number of derogations. In addition, the Union institutions and bodies, Member States and their supervisory authorities are encouraged to take account of the specific needs of micro, small and medium-sized enterprises in the application of this Regulation. The notion of micro, small and medium-sized enterprises should draw upon Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises.

(11) In order to ensure a consistent level of protection for individuals throughout the Union and to prevent divergences hampering the free movement of data within the internal market, a Regulation is necessary to provide legal certainty and transparency for economic operators, including micro, small and medium-sized enterprises, and to provide individuals in all Member States with the same level of legally enforceable rights and obligations and responsibilities for controllers and processors, to ensure consistent monitoring of the processing of personal data, and equivalent sanctions in all Member States as well as effective co-operation by the supervisory authorities of different Member States. Where demonstrably necessary and without undermining either protection of personal data or single market principles, to take account of the specific situation of micro, small and medium-sized enterprises, this Regulation includes a number of derogations. In addition, the Union institutions and bodies, Member States and their supervisory authorities are encouraged to take account of the specific needs of micro, small and medium-sized enterprises in the application of this Regulation. The notion of micro, small and medium-sized enterprises should draw upon Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises.

Or. en

Justification

Exceptions for micro, small and medium-sized businesses should only be given when necessary. They should also be implemented in a way which does not undermine either predictability and legal certainty for citizens or the single market for businesses.

Amendment 6

Proposal for a regulation Recital 14

Text proposed by the Commission

Amendment

(14) This Regulation does not address issues of protection of fundamental rights and freedoms or the free flow of data related to activities which fall outside the scope of Union law, nor does it cover the processing of personal data by the Union institutions, bodies, offices and agencies, which are subject to Regulation (EC) No 45/2001, or the processing of personal data by the Member States when carrying out activities in relation to the common foreign and security policy of the Union.

(14) This Regulation does not address issues of protection of fundamental rights and freedoms or the free flow of data related to activities which fall outside the scope of Union law.

Or. en

Justification

The logic put forward by the Commission when proposing a Regulation – namely, the need for a consistent approach to protection of the fundamental right to privacy – is contradicted by this very broad set of exceptions. Consequently, these exceptions must, in the interest of consistency, be deleted. See also the proposed amendments to Article 2.

Amendment 7

Proposal for a regulation Recital 16

Text proposed by the Commission

Amendment

(16) The protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data, is subject of a specific legal instrument at Union level. Therefore, this Regulation should not apply to the processing activities for those purposes. However, data processed by public authorities under this Regulation when used for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties should be governed by the more specific legal instrument at Union level (Directive XX/YYY).

(16) The protection of individuals with regard to the processing of personal data by competent public authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data, is subject of a specific legal instrument at Union level. Therefore, this Regulation should not apply to the processing activities for those purposes. However, data processed by public authorities under this Regulation when used for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties should be governed by the more specific legal instrument at Union level (Directive XX/YYY).

Or. en

Justification

Clarification in line with proposed amendment to Article 2.

Amendment 8

Proposal for a regulation Recital 17

Text proposed by the Commission

Amendment

(17) This Regulation should be without prejudice to the application of Directive 2000/31/EC, in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that Directive.

(17) The liability limitations of the Directive on Electronic Commerce 2000/31/EC are horizontal in nature and therefore apply to relevant activities of all information society service providers. This Regulation establishes the rules for the processing of personal data while the Directive on Electronic Commerce sets out the conditions by which an information service provider is liable for third party infringements of the law. In the interest of legal certainty for European citizens and businesses, the clear and distinct roles of the two instruments need to be consistently respected. This Regulation should be without prejudice to the application of Directive 2000/31/EC, in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that Directive.

Or. en

Justification

In the interest of legal certainty for citizens and for businesses, the delineation of roles between this Regulation and the 2000/31/EC Directive should be as clear as possible.

Amendment 9

Proposal for a regulation Recital 21

Text proposed by the Commission

Amendment

(21) In order to determine whether a processing activity can be considered to ‘monitor the behaviour’ of data subjects, it should be ascertained whether individuals are tracked on the internet with data processing techniques which consist of applying a ‘profile’ to an individual, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.

(21) In order to determine whether a processing activity can be considered to 'monitor the behaviour' of data subjects, it should be ascertained whether individuals are tracked with the intention to use, or potential of subsequent use of, data processing techniques which consist of applying a 'profile', particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.

Or. en

Justification

Tracking does not necessarily take place on the internet (e.g. “smart CCTV” tracking customers in a mall, or tracking via RFID tags), thus removing the words “on the internet” ensures technological neutrality. Additionally, data collection and their use for profiling are not necessarily simultaneous. Data may be collected for one purpose in the first place, and could then afterwards be used for profiling.

Amendment 10

Proposal for a regulation Recital 23

Text proposed by the Commission

Amendment

(23) The principles of protection should apply to any information concerning an identified or identifiable person. To determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the individual. The principles of data protection should not apply to data rendered anonymous in such a way that the data subject is no longer identifiable.

(23) The principles of protection should apply to any information concerning an identified or identifiable person. To determine whether a person is identifiable, account should be taken of all the means likely to be used either by the controller or by any other person to identify the individual. The principles of data protection should not apply to data rendered anonymous in such a way that the data subject is no longer identifiable taking full account of the technological "state of the art" and technological trends.

Or. en

Justification

To ensure good protection, it is important that the terms "personal data" and "data subject" are not defined too narrowly. The Regulation should clearly apply to data that only allow "singling out" and it should be clear that online identifiers should in most cases be considered personal data. Since technology is steadily advancing, de-anonymisation attacks will become more sophisticated. Having wide definitions of "personal data" and "data subject" is important for future-proof protection. Removing “reasonably” widens the scope of the measures to be considered when assessing whether an individual is identifiable. This is also important, since the “state of the art” in de-anonymisation is continuously developing. There is a significant risk for protection of personal data if this fact is not taken into account.

Amendment 11

Proposal for a regulation Recital 24

Text proposed by the Commission

Amendment

(24) When using online services, individuals may be associated with online identifiers provided by their devices, applications, tools and protocols, such as Internet Protocol addresses or cookie identifiers. This may leave traces which, combined with unique identifiers and other information received by the servers, may be used to create profiles of the individuals and identify them. It follows that identification numbers, location data, online identifiers or other specific factors as such need not necessarily be considered as personal data in all circumstances.

(24) When using online services, individuals may be associated with one or more online identifiers provided by their devices, applications, tools and protocols, such as Internet Protocol addresses, cookie identifiers, or other unique identifiers. Since these identifiers leave traces and can be used to single out natural persons, this Regulation should be applicable to processing involving such data, unless these identifiers demonstrably do not relate to natural persons, such as for example the IP addresses of web servers and thus cannot be considered as 'personal data' as defined in Article 4(2).

Or. en

Justification

To ensure good protection, it is important that the terms "personal data" and "data subject" are not defined too narrowly. The Regulation should clearly apply to data that only allow "singling out" and it should be clear that online identifiers should in most cases be considered personal data. Since technology is steadily advancing, de-anonymisation attacks will become more sophisticated. Having wide definitions of "personal data" and "data subject" is important for future-proof protection. The Commission proposal significantly reduces the applicability of data protection principles to such online identifiers. It should be noted that the leaked draft for the interservice consultation stated that such online identifiers should always be considered personal data. The proposed amendment makes it clear that such identifiers should be considered personal data, unless they demonstrably are not.

Amendment 12

Proposal for a regulation Recital 25

Text proposed by the Commission

Amendment

(25) Consent should be given explicitly by any appropriate method enabling a freely given specific and informed indication of the data subject's wishes, either by a statement or by a clear affirmative action by the data subject, ensuring that individuals are aware that they give their consent to the processing of personal data, including by ticking a box when visiting an Internet website or by any other statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of their personal data. Silence or inactivity should therefore not constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. If the data subject's consent is to be given following an electronic request, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.

(25) Consent should be given explicitly by any appropriate method enabling a freely given specific and informed indication of the data subject's wishes, either by a statement or by a clear affirmative action by the data subject, ensuring that individuals are aware that they give their consent to the processing of personal data, including by ticking a box when visiting an Internet website or by any other statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of their personal data. Informed consent should be facilitated insofar as possible by user-friendly information about the types of processing to be carried out. Silence, mere use of a service, or inactivity, such as not unticking pre-ticked boxes, should therefore not constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. If the data subject's consent is to be given following an electronic request, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.

Or. en

Justification

Informed consent depends on information being freely available to the data subject in a user-friendly format. Additionally, the principle that consent cannot be inferred from inaction, such as not removing pre-ticked boxes, needs to be strengthened.

Amendment 13

Proposal for a regulation Recital 27

Text proposed by the Commission

Amendment

(27) The main establishment of a controller in the Union should be determined according to objective criteria and should imply the effective and real exercise of management activities determining the main decisions as to the purposes, conditions and means of processing through stable arrangements. This criterion should not depend whether the processing of personal data is actually carried out at that location; the presence and use of technical means and technologies for processing personal data or processing activities do not, in themselves, constitute such main establishment and are therefore no determining criteria for a main establishment. The main establishment of the processor should be the place of its central administration in the Union.

(27) The main establishment of a controller in the Union should be determined according to objective criteria and should imply the effective and real exercise of management activities determining the main decisions as to the purposes, conditions and means of processing through stable arrangements. This criterion should not depend whether the processing of personal data is actually carried out at that location; the presence and use of technical means and technologies for processing personal data or processing activities do not, in themselves, constitute such main establishment and are therefore not determining criteria for a main establishment. The main establishment of the processor should be the place of its central administration in the Union.

Or. en

Justification

Linguistic correction.

Amendment 14

Proposal for a regulation Recital 29

Text proposed by the Commission

Amendment

(29) Children deserve specific protection of their personal data, as they may be less aware of risks, consequences, safeguards and their rights in relation to the processing of personal data. To determine when an individual is a child, this Regulation should take over the definition laid down by the UN Convention on the Rights of the Child.

(29) Children deserve specific protection of their personal data, as they may be less aware of risks, consequences, safeguards and their rights in relation to the processing of personal data. To determine when an individual is a child, this Regulation should take over the definition laid down by the UN Convention on the Rights of the Child. No reference to child protection in this Regulation should be understood as an implicit instruction that protection of personal data of adults should be treated with less care than would have been the case if the reference was not included.

Or. en

Justification

Particular attention to the treatment of the personal data of children should not be used or useable as a means of downgrading personal data protection more generally.

Amendment 15

Proposal for a regulation Recital 32

Text proposed by the Commission

Amendment

(32) Where processing is based on the data subject's consent, the controller should have the burden of proving that the data subject has given the consent to the processing operation. In particular in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware that and to what extent consent is given.

(32) Where processing is based on the data subject's consent, the controller should have the burden of proving that the data subject has given the consent to the processing operation. In particular in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware that and to what extent consent is given. To comply with the principle of data minimisation, this burden of proof should not be understood as requiring positive identification of data subjects unless necessary.

Or. en

Justification

It is important that such obligations not have the perverse effect of causing more data to be processed than would otherwise have been the case.

Amendment 16

Proposal for a regulation Recital 33

Text proposed by the Commission

Amendment

(33) In order to ensure free consent, it should be clarified that consent does not provide a valid legal ground where the individual has no genuine and free choice and is subsequently not able to refuse or withdraw consent without detriment.

(33) In order to ensure free consent, it should be clarified that consent does not provide a valid legal ground where the individual has no genuine and free choice and is subsequently not able to refuse or withdraw consent without detriment. Consent should also not provide a legal basis for data processing when the data subject has no access to different equivalent services. Default settings such as pre-ticked boxes, silence, or the simple use of a service do not imply consent. Consent can only be obtained for processing that is lawful and thus not excessive in relation to the purpose. Disproportional data processing cannot be legitimised through obtaining consent.

Or. en

Justification

This addition serves to avoid situations in which controllers try to obtain consent for processing that is clearly disproportional. This should give regulators and judges an entry to discuss substantive rather than procedural fairness. Such a look beyond the procedural rules can also be found in general contract law, where principles like ‘good faith’ and reasonableness and fairness ultimately govern relations between parties in cases where specific terms of contract are found to breach these principles.

Amendment 17

Proposal for a regulation Recital 34

Text proposed by the Commission

Amendment

(34) Consent should not provide a valid legal ground for the processing of personal data, where there is a clear imbalance between the data subject and the controller. This is especially the case where the data subject is in a situation of dependence from the controller, among others, where personal data are processed by the employer of employees' personal data in the employment context. Where the controller is a public authority, there would be an imbalance only in the specific data processing operations where the public authority can impose an obligation by virtue of its relevant public powers and the consent cannot be deemed as freely given, taking into account the interest of the data subject.

(34) Consent should not provide a valid legal ground for the processing of personal data, where there is a clear imbalance between the data subject and the controller. This is especially the case where the data subject is in a situation of dependence from the controller, among others, where personal data are processed by the employer of employees' personal data in the employment context, or where a controller has a substantial market power with respect to certain products or services and where these products or services are offered on condition of consent to the processing of personal data, or where a unilateral and non-essential change in terms of service gives a data subject no option other than accept the change or abandon an online resource in which they have invested significant time. Where the controller is a public authority, there would be an imbalance only in the specific data processing operations where the public authority can impose an obligation by virtue of its relevant public powers and the consent cannot be deemed as freely given, taking into account the interest of the data subject.

Or. en

Justification

Many social media sites lead users to invest significant time and energy in developing online profiles. There would be a clear imbalance, in the sense of the Commission’s proposal, in any situation where the user was given the choice between accepting new and unnecessary data processing and abandoning the work they have already put into their profile. Another case of clear imbalance would be if the market for the service in question is monopolistic/oligopolistic, so that the data subject does not in fact have a real possibility to choose a privacy-respecting service provider. Data portability would not fully address this issue, as it does not resolve the loss of the network effects in larger social networks.

Amendment

18

Proposal for a regulation Recital 36

Text proposed by the Commission

Amendment

(36) Where processing is carried out in compliance with a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of an official authority, the processing should have a legal basis in Union law, or in a Member State law which meets the requirements of the Charter of Fundamental Rights of the European Union for any limitation of the rights and freedoms. It is also for Union or national law to determine whether the controller performing a task carried out in the public interest or in the exercise of official authority should be a public administration or another natural or legal person governed by public law, or by private law such as a professional association.

(36) Where processing is carried out in compliance with a legal obligation to which the controller is subject or in the exercise of an official authority, the processing should have a legal basis in Union law, or in a Member State law which meets the requirements of the Charter of Fundamental Rights of the European Union for any limitation of the rights and freedoms. It is also for Union or national law to determine whether the controller performing a task carried out in the exercise of official authority should be a public administration or another natural or legal person governed by public law, or by private law such as a professional association.

Or. en

Justification

The deletion adds clarity to the text. As the text currently stands, it appears to imply that there are non-obligatory data processing tasks that could have a legal basis in EU law. Either processing is mandated by EU law and it is obligatory or it is not, in which case it is not authorised and must fall outside the scope of this exception.

Amendment

19

Proposal for a regulation Recital 38

Text proposed by the Commission

Amendment

(38) The legitimate interests of a controller may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding. This would need careful assessment in particular where the data subject is a child, given that children deserve specific protection. The data subject should have the right to object the processing, on grounds relating to their particular situation and free of charge. To ensure transparency, the controller should be obliged to explicitly inform the data subject on the legitimate interests pursued and on the right to object, and also be obliged to document these legitimate interests. Given that it is for the legislator to provide by law the legal basis for public authorities to process data, this legal ground should not apply for the processing by public authorities in the performance of their tasks.

deleted

Or. en

Justification

Data subject rights are indispensable for empowering data subjects to take the protection of their data into their own hands and enforce their rights against controllers. They are one of the main levers to hold controllers accountable. For this reason, the rights to information, access, rectification, deletion, and data portability should be strengthened to allow users to understand what happens to their data and to exercise control over it. Exceptions and exemptions should be very limited. This exception, as proposed by the European Commission, grants a very wide exception to data controllers to process data if they feel justified in undertaking such processing. This risks creating legal uncertainty and barriers to the single market. The European Data Protection Board should establish guidelines for acceptable “legitimate interests” in this context.

Amendment

20

Proposal for a regulation Recital 40

Text proposed by the Commission

Amendment

(40) The processing of personal data for other purposes should be only allowed where the processing is compatible with those purposes for which the data have been initially collected, in particular where the processing is necessary for historical, statistical or scientific research purposes. Where the other purpose is not compatible with the initial one for which the data are collected, the controller should obtain the consent of the data subject for this other purpose or should base the processing on another legitimate ground for lawful processing, in particular where provided by Union law or the law of the Member State to which the controller is subject. In any case, the application of the principles set out by this Regulation and in particular the information of the data subject on those other purposes should be ensured.

(40) The processing of personal data for other purposes should be only allowed where the processing is compatible with those purposes for which the data have been initially collected, in particular where the processing is necessary for historical, statistical or scientific research purposes. In any case, the application of the principles set out by this Regulation and in particular the information of the data subject on those other purposes should be ensured.

Or. en

Justification

This amendment reflects the amendment proposed to Article 6.

Amendment

21

Proposal for a regulation Recital 41

Text proposed by the Commission

Amendment

(41) Personal data which are, by their nature, particularly sensitive and vulnerable in relation to fundamental rights or privacy, deserve specific protection. Such data should not be processed, unless the data subject gives his explicit consent. However, derogations from this prohibition should be explicitly provided for in respect of specific needs, in particular where the processing is carried out in the course of legitimate activities by certain associations or foundations the purpose of which is to permit the exercise of fundamental freedoms.

(41) Personal data which are, by their nature, particularly sensitive and vulnerable in relation to fundamental rights or privacy, deserve specific protection. Such data should not be processed, unless the data subject gives his explicit and informed consent. However, derogations from this prohibition should be explicitly provided for in respect of specific needs, in particular where the processing is carried out in the course of legitimate activities by certain associations or foundations the purpose of which is to permit the exercise of fundamental freedoms of the data subjects in question.

Or. en

Justification

This amendment seeks to clarify and narrow the scope of this exception.

Amendment

22

Proposal for a regulation Recital 42

Text proposed by the Commission

Amendment

(42) Derogating from the prohibition on processing sensitive categories of data should also be allowed if done by a law, and subject to suitable safeguards, so as to protect personal data and other fundamental rights, where grounds of public interest so justify and in particular for health purposes, including public health and social protection and the management of health-care services, especially in order to ensure the quality and cost-effectiveness of the procedures used for settling claims for benefits and services in the health insurance system, or for historical, statistical and scientific research purposes.

(42) Derogating from the prohibition on processing sensitive categories of data should also be allowed if done by a law, and subject to suitable safeguards, so as to protect personal data and other fundamental rights, where grounds of public interest so justify and in particular for health purposes, including public health and social protection and the management of health-care services, especially in order to ensure the quality and cost-effectiveness of the procedures used for settling claims for benefits and services in the health insurance system.

Or. en

Justification

Processing of sensitive data for historical, statistical and scientific research purposes is not as urgent or compelling as public health or social protection. Consequently, there is no need to introduce an exception, based on national law, which would put them on the same level as the other listed justifications, which risks undermining fundamental rights, legal certainty and the single market.

Amendment

23

Proposal for a regulation Recital 45

Text proposed by the Commission

Amendment

(45) If the data processed by a controller do not permit the controller to identify a natural person, the data controller should not be obliged to acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation. In case of a request for access, the controller should be entitled to ask the data subject for further information to enable the data controller to locate the personal data which that person seeks.

(45) If the data processed by a controller do not permit the controller to identify a natural person, nothing in this Regulation may be construed by the data controller as an obligation to acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation. In case of a request for access, the controller should be entitled to ask the data subject for further information to enable the data controller to locate the personal data which that person seeks. If it is possible for the data subject to provide such data, controllers should not be able to invoke a lack of information to refuse an access request.

Or. en

Justification

The amendment clarifies the text proposed by the Commission.

Amendment

24

Proposal for a regulation Recital 47

Text proposed by the Commission

Amendment

(47) Modalities should be provided for facilitating the data subject's exercise of their rights provided by this Regulation, including mechanisms to request, free of charge, in particular access to data, rectification, erasure and to exercise the right to object. The controller should be obliged to respond to requests of the data subject within a fixed deadline and give reasons, in case he does not comply with the data subject's request.

(47) Modalities should be provided for facilitating the data subject's exercise of their rights provided by this Regulation, including mechanisms to obtain, free of charge, in particular access to data, rectification, erasure and to exercise the right to object. The controller should be obliged to respond to requests of the data subject within a fixed deadline and give reasons, in case he cannot comply with the data subject's request.

Or. en

Justification

Data subject rights are indispensable for empowering data subjects to take the protection of their data into their own hands and enforce their rights against controllers. They are one of the main levers to hold controllers accountable. For this reason, the rights to information, access, rectification, deletion, and data portability should be strengthened to allow users to understand what happens to their data and to exercise control over it. Exceptions and exemptions should be very limited. This amendment stresses the rights of the data subjects, focusing on the outcome of them invoking their rights.

Amendment

25

Proposal for a regulation Recital 50

Text proposed by the Commission

Amendment

(50) However, it is not necessary to impose this obligation where the data subject already disposes of this information, or where the recording or disclosure of the data is expressly laid down by law, or where the provision of information to the data subject proves impossible or would involve disproportionate efforts. The latter could be particularly the case where processing is for historical, statistical or scientific research purposes; in this regard, the number of data subjects, the age of the data, and any compensatory measures adopted may be taken into consideration.

(50) However, it is not necessary to impose this obligation where the data subject already disposes of this information, or where the recording or disclosure of the data is expressly laid down by law, or where the provision of information to the data subject proves impossible or would involve disproportionate efforts.

Or. en

Justification

Data subject rights are indispensable for empowering data subjects to take the protection of their data into their own hands and enforce their rights against controllers. They are one of the main levers to hold controllers accountable. For this reason, the rights to information, access, rectification, deletion, and data portability should be strengthened to allow users to understand what happens to their data and to exercise control over it. Exceptions and exemptions should be very limited. This amendment deletes text which may be misunderstood as promoting a lower level of protection for certain kinds of data processing.

Amendment

26

Proposal for a regulation Recital 51

Text proposed by the Commission

Amendment

(51) Any person should have the right of access to data which has been collected concerning them, and to exercise this right easily, in order to be aware and verify the lawfulness of the processing. Every data subject should therefore have the right to know and obtain communication in particular for what purposes the data are processed, for what period, which recipients receive the data, what is the logic of the data that are undergoing the processing and what might be, at least when based on profiling, the consequences of such processing. This right should not adversely affect the rights and freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software. However, the result of these considerations should not be that all information is refused to the data subject.

(51) Any person should have the right of access to data which has been collected concerning them, and to exercise this right easily, in order to be aware and verify the lawfulness of the processing. Every data subject should therefore have the right to know and obtain communication in particular for what purposes the data are processed, for what period, which recipients receive the data, what is the logic of the data that are undergoing the processing and what might be, at least when based on profiling, the consequences of such processing. This right should not adversely affect the rights and freedoms of others, including trade secrets or intellectual property, such as in relation to the copyright protecting the software. However, the result of these considerations should not be that all information is refused to the data subject.

Or. en

Justification

Data subject rights are indispensable for empowering data subjects to take the protection of their data into their own hands and enforce their rights against controllers. They are one of the main levers to hold controllers accountable. For this reason, the rights to information, access, rectification, deletion, and data portability should be strengthened to allow users to understand what happens to their data and to exercise control over it. Exceptions and exemptions should be very limited. This amendment aims at clarifying the intention behind the Commission’s proposal.

Amendment

27

Proposal for a regulation Recital 52

Text proposed by the Commission

Amendment

(52) The controller should use all reasonable measures to verify the identity of a data subject that requests access, in particular in the context of online services and online identifiers. A controller should not retain personal data for the unique purpose of being able to react to potential requests.

(52) The controller should use all reasonable measures to verify the authenticity of a subject access request, in particular in the context of online services and online identifiers. A controller should not retain personal data for the unique purpose of being able to react to potential requests.

Or. en

Justification

Data subject rights are indispensable for empowering data subjects to take the protection of their data into their own hands and enforce their rights against controllers. They are one of the main levers to hold controllers accountable. For this reason, the rights to information, access, rectification, deletion, and data portability should be strengthened to allow users to understand what happens to their data and to exercise control over it. Exceptions and exemptions should be very limited. It is entirely possible that in some circumstances positive identification of the data subject would not be strictly necessary to provide access.

Amendment

28

Proposal for a regulation Recital 53

Text proposed by the Commission

Amendment

(53) Any person should have the right to have personal data concerning them rectified and a ‘right to be forgotten’ where the retention of such data is not in compliance with this Regulation. In particular, data subjects should have the right that their personal data are erased and no longer processed, where the data are no longer necessary in relation to the purposes for which the data are collected or otherwise processed, where data subjects have withdrawn their consent for processing or where they object to the processing of personal data concerning them or where the processing of their personal data otherwise does not comply with this Regulation. This right is particularly relevant, when the data subject has given their consent as a child, when not being fully aware of the risks involved by the processing, and later wants to remove such personal data especially on the Internet. However, the further retention of the data should be allowed where it is necessary for historical, statistical and scientific research purposes, for reasons of public interest in the area of public health, for exercising the right of freedom of expression, when required by law or where there is a reason to restrict the processing of the data instead of erasing them.

(53) Any person should have the right to have personal data concerning them rectified and erased. In particular, data subjects should have the right that their personal data are erased and no longer processed, where the data are no longer necessary in relation to the purposes for which the data are collected or otherwise processed, where data subjects have withdrawn their consent for processing or where they object to the processing of personal data concerning them or where the processing of their personal data otherwise does not comply with this Regulation. However, the further retention of the data may be allowed where it is necessary for historical, statistical and scientific research purposes, for reasons of public interest in the area of public health, for exercising the right of freedom of expression, when required by law or where there is a reason to restrict the processing of the data instead of erasing them.

Or. en

Justification

Data subject rights are indispensable for empowering data subjects to take the protection of their data into their own hands and enforce their rights against controllers. They are one of the main levers to hold controllers accountable. For this reason, the rights to information, access, rectification, deletion, and data portability should be strengthened to allow users to understand what happens to their data and to exercise control over it. Exceptions and exemptions should be very limited. As the rights being accorded to all citizens in this recital are comprehensive, there appears to be little specific value to demand “particular” attention for children. The text proposed by the Commission could have the perverse effect of implying a less than comprehensive protection for adults. Further retention and processing of personal data should not be automatically permitted simply on the basis that they are being processed ostensibly for historical, statistical or scientific research processes. Such uses must be subject to adequate safeguards.

Amendment

29

Proposal for a regulation Recital 54

Text proposed by the Commission

Amendment

(54) To strengthen the ‘right to be forgotten’ in the online environment, the right to erasure should also be extended in such a way that a controller who has made the personal data public should be obliged to inform third parties which are processing such data that a data subject requests them to erase any links to, or copies or replications of that personal data. To ensure this information, the controller should take all reasonable steps, including technical measures, in relation to data for the publication of which the controller is responsible. In relation to a third party publication of personal data, the controller should be considered responsible for the publication, where the controller has authorised the publication by the third party.

(54) To strengthen the 'right to erasure' in the online environment, it should also be extended in such a way that a controller who has made the personal data public should be obliged to inform third parties of the data subject's request for erasure. The controller should be considered responsible for the publication, where the controller has authorised the publication by the third party.

Or. en

Justification

Data subject rights are indispensable for empowering data subjects to take the protection of their data into their own hands and enforce their rights against controllers. They are one of the main levers to hold controllers accountable. For this reason, the rights to information, access, rectification, deletion, and data portability should be strengthened to allow users to understand what happens to their data and to exercise control over it. Exceptions and exemptions should be very limited. The text proposed by the Commission is far too broad to be implemented “as is” without significant dangers for freedom of communication.

Amendment

30

Proposal for a regulation Recital 55

Text proposed by the Commission

Amendment

(55) To further strengthen the control over their own data and their right of access, data subjects should have the right, where personal data are processed by electronic means and in a structured and commonly used format, to obtain a copy of the data concerning them also in commonly used electronic format. The data subject should also be allowed to transmit those data, which they have provided, from one automated application, such as a social network, into another one. This should apply where the data subject provided the data to the automated processing system, based on their consent or in the performance of a contract.

(55) To further strengthen the control over their own data and their right of access, data subjects should have the right, where personal data are processed by electronic means, to obtain, free of charge, a copy of the data concerning them in an electronic, interoperable and structured format which is commonly used. The data subject should also be allowed to transmit those data, which they have provided, from one automated application, such as a social network, into another one. Providers of information society services should not make the transfer of those data mandatory for the provision of their services. Social networks should be encouraged as much as possible to store data in a way which permits efficient data portability for data subjects.

Or. en

Justification

Data subject rights are indispensable for empowering data subjects to take the protection of their data into their own hands and enforce their rights against controllers. They are one of the main levers to hold controllers accountable. For this reason, the rights to information, access, rectification, deletion, and data portability should be strengthened to allow users to understand what happens to their data and to exercise control over it. Exceptions and exemptions should be very limited. The easier that it is to change providers, the less citizens will feel tied to a particular service, particularly if they are unhappy with the way their data is being used. The electronic formats in which data subjects obtain data should therefore be interoperable, structured and commonly used in order to avoid lock-in effects due to use of non-interoperable formats. However, providers should not make use of their services conditional on transferring data from previous service providers.

Amendment

31

Proposal for a regulation Recital 57

Text proposed by the Commission

Amendment

(57) Where personal data are processed for the purposes of direct marketing, the data subject should have the right to object to such processing free of charge and in a manner that can be easily and effectively invoked.

(57) Where personal data are processed for the purposes of direct marketing, the data subject should have the right to object to such processing in advance, free of charge and in a manner that can be easily and effectively invoked.

Or. en

Justification

Data subject rights are indispensable for empowering data subjects to take the protection of their data into their own hands and enforce their rights against controllers. They are one of the main levers to hold controllers accountable. For this reason, the rights to information, access, rectification, deletion, and data portability should be strengthened to allow users to understand what happens to their data and to exercise control over it. Exceptions and exemptions should be very limited. There are no acceptable grounds to argue that processing for the purpose of direct marketing should be subject to fewer safeguards than other forms of processing.

Amendment

32

Proposal for a regulation Recital 58

Text proposed by the Commission

Amendment

(58) Every natural person should have the right not to be subject to a measure which is based on profiling by means of automated processing. However, such measure should be allowed when expressly authorised by law, carried out in the course of entering or performance of a contract, or when the data subject has given his consent. In any case, such processing should be subject to suitable safeguards, including specific information of the data subject and the right to obtain human intervention and that such measure should not concern a child.

(58) Every natural person should have the right not to be subject to a measure which is based on profiling by means of automated processing. However, any such measure should be allowed when expressly authorised by law, carried out in the course of entering or performance of a contract, or when the data subject has given his consent. In any case, such processing should be subject to suitable safeguards, including specific information of the data subject and the right to obtain human intervention and that such measure should not concern a child. Specifically, such processing should never, whether intentionally or not, lead to the discrimination of data subjects on the basis of race or ethnic origin, political opinions, religion or beliefs, trade union membership, or sexual orientation. Given the risk of discrimination, such processing should not be used in order to predict very rare characteristics.

Or. en

Justification

Profiling can entail serious risks for data subjects. It is prone to reinforcing discriminations, making decisions less transparent and carries an unavoidable risk of wrong decisions. For these reasons, it should be tightly regulated: its use should be clearly limited, and in those cases where it can be used, there should be safeguards against discrimination and data subjects should be able to receive clear and meaningful information on the logic of the profiling and its consequences. While some circles see profiling as a panacea for many problems, it should be noted that there is a significant body of research addressing its limitations. Notably, profiling tends to be useless for very rare characteristics, due to the risk of false positives. Also, profiles can be hard or impossible to verify. Profiles are based on complex and dynamic algorithms that evolve constantly and that are hard to explain to data subjects. Often, these algorithms qualify as commercial secrets and will not be easily provided to data subjects. However, when natural persons are subject to profiling, they should be entitled to information about the logic used in the measure, as well as an explanation of the final decision if human intervention has been obtained. This helps to reduce intransparency, which could undermine trust in data processing and may lead to loss of trust in especially online services. There is also a serious risk of unreliable and (in effect) discriminatory profiles being widely used, in matters of real importance to individuals and groups, which is the motivation behind several suggested changes in this Article that aim to improve the protection of data subjects against discrimination. In relation to this, the use of sensitive data in generating profiles should also be restricted. This amendment adapts the recital to reflect proposed amendments in Article 20.

Amendment

33

Proposal for a regulation Recital 59

Text proposed by the Commission

Amendment

(59) Restrictions on specific principles and on the rights of information, access, rectification and erasure or on the right to data portability, the right to object, measures based on profiling, as well as on the communication of a personal data breach to a data subject and on certain related obligations of the controllers may be imposed by Union or Member State law, as far as necessary and proportionate in a democratic society to safeguard public security, including the protection of human life especially in response to natural or man made disasters, the prevention, investigation and prosecution of criminal offences or of breaches of ethics for regulated professions, other public interests of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, or the protection of the data subject or the rights and freedoms of others. Those restrictions should be in compliance with requirements set out by the Charter of Fundamental Rights of the European Union and by the European Convention for the Protection of Human Rights and Fundamental Freedoms.

(59) Restrictions on specific principles and on the rights of information, access, rectification and erasure or on the right to data portability, the right to object, measures based on profiling, as well as on the communication of a personal data breach to a data subject and on certain related obligations of the controllers may be imposed by Union or Member State law, as far as strictly necessary and proportionate in a democratic society to safeguard public security, including the protection of human life especially in response to natural or man made disasters, the prevention, investigation and prosecution of criminal offences or of breaches of ethics for regulated professions, other public interests of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, or the protection of the data subject or the rights and freedoms of others. Those restrictions should be in compliance with requirements set out by the Charter of Fundamental Rights of the European Union, and by the European Convention for the Protection of Human Rights and Fundamental Freedoms. Any such measure should be notified to the Data Protection Board for an opinion which, if negative, should result in a referral to the Commission with view to starting an infringement procedure before the European Court of Justice.

Or. en

Justification

Data subject rights are indispensable for empowering data subjects to take the protection of their data into their own hands and enforce their rights against controllers. They are one of the main levers to hold controllers accountable. For this reason, the rights to information, access, rectification, deletion, and data portability should be strengthened to allow users to understand what happens to their data and to exercise control over it. Exceptions and exemptions should be very limited. It takes too long for egregious breaches of fundamental rights to be processed by the courts. An immediate review of the case by the Data Protection Board should help to eliminate abuses of this exception at an early stage. If the Board comes to the conclusion that the measure is not compatible with the Regulation, it should inform the Commission, so that it can start proceedings against the Member State in question.

Amendment

34

Proposal for a regulation Recital 60

Text proposed by the Commission

Amendment

(60) Comprehensive responsibility and liability of the controller for any processing of personal data carried out by the controller or on the controller's behalf should be established. In particular, the controller should ensure and be obliged to demonstrate the compliance of each processing operation with this Regulation.

(60) Comprehensive responsibility and liability of the controller for any processing of personal data carried out by the controller or on the controller's behalf should be established in order to ensure accountability. In particular, the controller should ensure and be obliged to demonstrate the compliance of each processing operation with this Regulation. Otherwise unnecessary data processing may not be justified on the basis of the need to respect this obligation.

Or. en

Justification

The concept of accountability should be mentioned explicitly. It must be rigorously avoided that any measure in this Regulation leads to additional data processing.

Amendment

35

Proposal for a regulation Recital 61

Text proposed by the Commission

Amendment

(61) The protection of the rights and freedoms of data subjects with regard to the processing of personal data require that appropriate technical and organisational measures are taken, both at the time of the design of the processing and at the time of the processing itself, to ensure that the requirements of this Regulation are met. In order to ensure and demonstrate compliance with this Regulation, the controller should adopt internal policies and implement appropriate measures, which meet in particular the principles of data protection by design and data protection by default.

(61) The protection of the rights and freedoms of data subjects with regard to the processing of personal data require that appropriate technical and organizational measures are taken, both at the time of the design of the processing and its underlying technologies as well as at the time of the processing itself, to ensure that the requirements of this Regulation are met. In order to ensure and demonstrate compliance with this Regulation, the controller should adopt internal policies and implement appropriate measures, which meet in particular the principles of data protection by design and data protection by default. Data protection by design is the process by which data protection and privacy are integrated in the development of products and services through both technical and organisational measures. Data protection by default means that products and services are by default configured in a way that limits the processing and especially the disclosure of personal data. In particular, personal data should not be disclosed to an unlimited number of persons by default.

Or. en

Justification

If “privacy by design” is going to be effective, it needs to be rigorously implemented at all stages in the design process and should be defined more clearly. Both “data protection by design” and “data protection by default” should be defined more clearly, as the amendment proposes.

Amendment

36

Proposal for a regulation Recital 63

Text proposed by the Commission

Amendment

(63) Where a controller not established in the Union is processing personal data of data subjects residing in the Union whose processing activities are related to the offering of goods or services to such data subjects, or to the monitoring their behaviour, the controller should designate a representative, unless the controller is established in a third country ensuring an adequate level of protection, or the controller is a small or medium sized enterprise or a public authority or body or where the controller is only occasionally offering goods or services to such data subjects. The representative should act on behalf of the controller and may be addressed by any supervisory authority.

(63) Where a controller not established in the Union is processing personal data of data subjects residing in the Union whose processing activities are related to the offering of goods or services to such data subjects, or to the monitoring their behaviour, the controller should designate a representative, unless the controller is established in a third country ensuring an adequate level of protection, or the controller is an enterprise processing data on a small number of data subjects or a public authority or body or where the controller is only occasionally offering goods or services to such data subjects. The representative should act on behalf of the controller and may be addressed by any supervisory authority.

Or. en

Justification

In the digital environment, it is no longer appropriate to use employee numbers as a measure of the size of a company. A photo-manipulation company was recently purchased for one billion dollars and had 13 employees at the time. What matters is the number of data subjects.

Amendment

37

Proposal for a regulation Recital 66

Text proposed by the Commission

Amendment

(66) In order to maintain security and to prevent processing in breach of this Regulation, the controller or processor should evaluate the risks inherent to the processing and implement measures to mitigate those risks. These measures should ensure an appropriate level of security, taking into account the state of the art and the costs of their implementation in relation to the risks and the nature of the personal data to be protected. When establishing technical standards and organisational measures to ensure security of processing, the Commission should promote technological neutrality, interoperability and innovation, and, where appropriate, cooperate with third countries.

(66) In order to maintain security and to prevent processing in breach of this Regulation, the controller or processor should evaluate the risks inherent to the processing and implement measures to mitigate those risks. These measures should ensure an appropriate level of security, taking into account the state of the art and the costs of their implementation in relation to the risks and the nature of the personal data to be protected. When establishing technical standards and organisational measures to ensure security of processing, technological neutrality, interoperability and innovation should be promoted, and, where appropriate, third countries should be encouraged.

Or. en

Justification

There appears to be no valid reason that the measures to be promoted should be restricted to the European Commission.

Amendment

38

Proposal for a regulation Recital 76

Text proposed by the Commission

Amendment

(76) Associations or other bodies representing categories of controllers should be encouraged to draw up codes of conduct, within the limits of this Regulation, so as to facilitate the effective application of this Regulation, taking account of the specific characteristics of the processing carried out in certain sectors.

(76) Associations or other bodies representing categories of controllers should be encouraged to draw up codes of conduct, within the limits of this Regulation, so as to facilitate the effective application of this Regulation, taking account of the specific characteristics of the processing carried out in certain sectors. Such codes should make compliance easier for industry.

Or. en

Justification

It should be made clear that such codes of conduct are beneficial for industry and not a gesture which needs to be reciprocated with less oversight by DPAs.

Amendment

39

Proposal for a regulation Recital 77

Text proposed by the Commission

Amendment

(77) In order to enhance transparency and compliance with this Regulation, the establishment of certification mechanisms, data protection seals and marks should be encouraged, allowing data subjects to quickly assess the level of data protection of relevant products and services.

(77) In order to enhance transparency and compliance with this Regulation, the establishment of certification mechanisms, data protection seals and marks should be encouraged, allowing data subjects to quickly, reliably and verifiably assess the level of data protection of relevant products and services.

Or. en

Justification

Such tools must be rigorously tested, learning from successes and failures experienced with this approach.

Amendment

40

Proposal for a regulation Recital 79

Text proposed by the Commission

Amendment

(79) This Regulation is without prejudice to international agreements concluded between the Union and third countries regulating the transfer of personal data including appropriate safeguards for the data subjects.

(79) This Regulation is without prejudice to international agreements concluded between the Union and third countries regulating the transfer of personal data including appropriate safeguards for the data subjects ensuring an equivalent level of protection for the fundamental rights of citizens.

Or. en

Justification

This amendment ensures compatibility with the approach elsewhere in the Regulation.

Amendment

41

Proposal for a regulation Recital 80

Text proposed by the Commission

Amendment

(80) The Commission may decide with effect for the entire Union that certain third countries, or a territory or a processing sector within a third country, or an international organisation, offer an adequate level of data protection, thus providing legal certainty and uniformity throughout the Union as regards the third countries or international organisations which are considered to provide such level of protection. In these cases, transfers of personal data to these countries may take place without needing to obtain any further authorisation.

(80) The Commission may decide with effect for the entire Union that certain third countries, or a territory or a processing sector within a third country, or an international organisation, offer an adequate level of data protection, thus providing legal certainty and uniformity throughout the Union as regards the third countries or international organisations which are considered to provide such level of protection. In these cases, transfers of personal data to these countries may take place without needing to obtain any further authorisation. The Commission may also decide, having given notice and a complete justification to the third country, to revoke such a decision

Or. en

Justification

It would be illogical to imagine that the data protection situation in such a third country could not subsequently deteriorate.

Amendment

42

Proposal for a regulation Recital 82

Text proposed by the Commission

Amendment

(82) The Commission may equally recognise that a third country, or a territory or a processing sector within a third country, or an international organisation offers no adequate level of data protection. Consequently the transfer of personal data to that third country should be prohibited. In that case, provision should be made for consultations between the Commission and such third countries or international organisations.

deleted

Or. en

Justification

It follows that any country that has not been deemed to have an adequate level of data protection should not receive data transfers of EU data. This recital therefore adds no clarity or meaning.

Amendment

43

Proposal for a regulation Recital 87

Text proposed by the Commission

Amendment

(87) These derogations should in particular apply to data transfers required and necessary for the protection of important grounds of public interest, for example in cases of international data transfers between competition authorities, tax or customs administrations, financial supervisory authorities, between services competent for social security matters, or to competent authorities for the prevention, investigation, detection and prosecution of criminal offences.

(87) These derogations should in particular apply to data transfers required and necessary for the protection of important grounds of public interest, for example in cases of international data transfers between competition authorities, tax or customs administrations, financial supervisory authorities, between services competent for social security matters, or to competent authorities for the prevention, investigation, detection and prosecution of criminal offences. Transferring personal data for such important grounds of public interest should only be used for occasional transfers. In each and every case, a careful assessment of all circumstances of the transfer needs to be carried out.

Or. en

Justification

The public interest exception needs to be circumscribed more closely, in parallel to the proposed amendment to Article 44.

Amendment

44

Proposal for a regulation Recital 88

Text proposed by the Commission

Amendment

(88) Transfers which cannot be qualified as frequent or massive, could also be possible for the purposes of the legitimate interests pursued by the controller or the processor, when they have assessed all the circumstances surrounding the data transfer. For the purposes of processing for historical, statistical and scientific research purposes, the legitimate expectations of society for an increase of knowledge should be taken into consideration.

deleted

Or. en

Justification

Deleting this recital would echo the proposed amendment to Article 44, which would delete this exception for “legitimate interests” of the controller.

Amendment

45

Proposal for a regulation Recital 89

Text proposed by the Commission

Amendment

(89) In any case, where the Commission has taken no decision on the adequate level of data protection in a third country, the controller or processor should make use of solutions that provide data subjects with a guarantee that they will continue to benefit from the fundamental rights and safeguards as regards processing of their data in the Union once this data has been transferred.

(89) In any case, where the Commission has taken no decision on the adequate level of data protection in a third country, the controller or processor should make use of solutions that provide data subjects with a legally binding guarantee that they will continue to benefit from the fundamental rights and safeguards as regards processing of their data in the Union once this data has been transferred. This guarantee will include financial indemnification in cases of loss or unauthorised access or processing of the data and an obligation, regardless of local legislation, to provide full details of all access to the data by public authorities in the third country.

Or. en

Justification

The Commission’s text is too vague and out of step with the rest of the Regulation.

Amendment

46

Proposal for a regulation Recital 90

Text proposed by the Commission

Amendment

(90) Some third countries enact laws, regulations and other legislative instruments which purport to directly regulate data processing activities of natural and legal persons under the jurisdiction of the Member States. The extraterritorial application of these laws, regulations and other legislative instruments may be in breach of international law and may impede the attainment of the protection of individuals guaranteed in the Union by this Regulation. Transfers should only be allowed where the conditions of this Regulation for a transfer to third countries are met. This may inter alia be the case where the disclosure is necessary for an important ground of public interest recognised in Union law or in a Member State law to which the controller is subject. The conditions under which an important ground of public interest exists should be further specified by the Commission in a delegated act.

(90) Some third countries enact laws, regulations and other legislative instruments which purport to directly regulate data processing activities of natural and legal persons under the jurisdiction of the Member States. The extraterritorial application of these laws, regulations and other legislative instruments must, by default, be considered to be in breach of international law and may impede the attainment of the protection of individuals guaranteed in the Union by this Regulation. Transfers should only be allowed where the conditions of this Regulation for a transfer to third countries are met. This may inter alia be the case where the disclosure is necessary for an important ground of public interest recognised in Union law or in a Member State law to which the controller is subject. The conditions under which an important ground of public interest exists should be further specified by the Commission in a delegated act. The mere existence of legislation in a country which would even theoretically, regardless of its application, permit extraterritorial access to European citizens' data, is a sufficient reason to revoke recognition of adequacy of that data protection regime or any equivalent bilateral arrangement of that country.

Or. en

Justification

The text of this amendment comes from a leaked interservice consultation draft. It protects against third countries wanting to enforce their laws extra-territorially. This protection is needed because some third countries have laws forcing controllers to disclose personal data without proper safeguards. Third-country authorities may only have access to personal data held by European controllers through the procedures for mutual legal assistance. It is logically impossible to consider that a country which has active legislation that could undermine European citizens’ rights could be simultaneously capable of having legislation in place that could abuse personal data hosted in Europe and be considered to have “adequate” data protection for European data hosted in that jurisdiction. See also Article 44a (new).

Amendment

47

Proposal for a regulation Recital 92

Text proposed by the Commission

Amendment

(92) The establishment of supervisory authorities in Member States, exercising their functions with complete independence, is an essential component of the protection of individuals with regard to the processing of their personal data. Member States may establish more than one supervisory authority, to reflect their constitutional, organisational and administrative structure.

(92) The establishment of supervisory authorities in Member States, exercising their functions with complete independence, is an essential component of the protection of individuals with regard to the processing of their personal data. Member States may establish more than one supervisory authority, to reflect their constitutional, organisational and administrative structure. Independence shall be understood as not having direct or indirect political involvement in election of leadership and having adequate financial personal and legal resources to carry out its role fully.

Or. en

Justification

Strong, independent supervisory authorities are one of the necessary conditions for effective data protection. They should be free from external influence, as confirmed by the ECJ (C-518/07 and C-614/10), and should have the necessary resources – financial and human – to ensure enforcement of data protection legislation. These changes aim to provide supervisory authorities with the independence and resources they need to effectively protect the fundamental right to data protection. Supervisory authorities are needed to ensure enforcement of data protection legislation. As Article 16(2) TFEU states, they shall be independent in the exercise of their duties. Experience with the current framework has shown that this level of independence is not always provided in practice. It should be noted that this should not only be seen as referring to interference by Member States, but also by the Commission. Independence on paper alone is not enough, supervisory authorities also need the means to put their powers into action. This implies a need for appropriate resources and skilled staff, including staff with technical expertise. This provision must be as clear as possible, particularly bearing in mind existing political, personnel and legal limitations of DPAs under the current Directive.

Amendment

48

Proposal for a regulation Recital 94

Text proposed by the Commission

Amendment

(94) Each supervisory authority should be provided with the adequate financial and human resources, premises and infrastructure, which is necessary for the effective performance of their tasks, including for the tasks related to mutual assistance and co-operation with other supervisory authorities throughout the Union.

(94) Each supervisory authority should be provided with the adequate financial and human resources, paying particular attention to ensuring adequate technical skills of staff, premises and infrastructure, which are necessary for the effective performance of their tasks, including for the tasks related to mutual assistance and co-operation with other supervisory authorities throughout the Union.

Or. en

Justification

Strong, independent supervisory authorities are one of the necessary conditions for effective data protection. They should be free from external influence, as confirmed by the ECJ (C-518/07 and C-614/10), and should have the necessary resources – financial and human – to ensure enforcement of data protection legislation. These changes aim to provide supervisory authorities with the independence and resources they need to effectively protect the fundamental right to data protection. Supervisory authorities are needed to ensure enforcement of data protection legislation. As Article 16(2) TFEU states, they shall be independent in the exercise of their duties. Experience with the current framework has shown that this level of independence is not always provided in practice. It should be noted that this should not only be seen as referring to interference by Member States, but also by the Commission. Independence on paper alone is not enough, supervisory authorities also need the means to put their powers into action. This implies a need for appropriate resources and skilled staff, including staff with technical expertise. The increasing technical challenges facing supervisory authority staff must be recognised and addressed.

Amendment

49

Proposal for a regulation Recital 95

Text proposed by the Commission

Amendment

(95) The general conditions for the members of the supervisory authority should be laid down by law in each Member State and should in particular provide that those members should be either appointed by the parliament or the government of the Member State, and include rules on the personal qualification of the members and the position of those members.

(95) The general conditions for the members of the supervisory authority should be laid down by law in each Member State and should in particular provide that those members should be either appointed by the parliament or the government of the Member State taking due care to minimise the possibility of political interference, and include rules on the personal qualification of the members, the avoidance of conflicts of interest and the position of those members.

Or. en

Justification

Strong, independent supervisory authorities are one of the necessary conditions for effective data protection. They should be free from external influence, as confirmed by the ECJ (C-518/07 and C-614/10), and should have the necessary resources – financial and human – to ensure enforcement of data protection legislation. These changes aim to provide supervisory authorities with the independence and resources they need to effectively protect the fundamental right to data protection. Supervisory authorities are needed to ensure enforcement of data protection legislation. As Article 16(2) TFEU states, they shall be independent in the exercise of their duties. Experience with the current framework has shown that this level of independence is not always provided in practice. It should be noted that this should not only be seen as referring to interference by Member States, but also by the Commission. Independence on paper alone is not enough, supervisory authorities also need the means to put their powers into action. This implies a need for appropriate resources and skilled staff, including staff with technical expertise.

Amendment

50

Proposal for a regulation Recital 97

Text proposed by the Commission

Amendment

(97) Where the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union takes place in more than one Member State, one single supervisory authority should be competent for monitoring the activities of the controller or processor throughout the Union and taking the related decisions, in order to increase the consistent application, provide legal certainty and reduce administrative burden for such controllers and processors.

(97) Where the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union takes place in more than one Member State, one single supervisory authority should be competent for monitoring the activities of the controller or processor throughout the Union and taking the related decisions, in order to increase the consistent application, provide legal certainty and reduce administrative burden for such controllers and processors. When carrying out these activities, this supervisory authority should take appropriate steps to cooperate with its counterparts in other Member States where there are data subjects likely to be affected by the processing operations, involving the European Data Protection Board where appropriate, including by carrying out joint investigations. Appropriate mechanisms should be put in place to ensure that smaller supervisory authorities have the financial, administrative and human resources capacity to deal with any extra burdens that this places on them.

Or. en

Justification

There is a trend for multinational online companies to establish in some smaller EU Member States. Without a mechanism to ensure that these DPAs are not overwhelmed by the cost of providing adequate supervision in such circumstances, significant gaps in supervision may occur. DPAs responsible for supervising controllers who process personal data in multiple Member States should take appropriate steps to cooperate with their counterparts in the other Member States. In some cases, it might be useful to involve the Board here.

Amendment

51

Proposal for a regulation Recital 104

Text proposed by the Commission

Amendment

(104) Each supervisory authority should have the right to participate in joint operations between supervisory authorities. The requested supervisory authority should be obliged to respond to the request in a defined time period.

(104) Each supervisory authority should have the right to participate in joint operations between supervisory authorities. The requested supervisory authority should be obliged to respond to the request in a defined time period. The European Data Protection Board should be able to coordinate such activities, where the concerned supervisory authorities so wish.

Or. en

Justification

In order to make cooperation more efficient, the Board could be entrusted with coordinating joint investigations, where the DPAs concerned so wish. See also the related proposed amendment to Article 66.

Amendment

52

Proposal for a regulation Recital 107

Text proposed by the Commission

Amendment

(107) In order to ensure compliance with this Regulation, the Commission may adopt an opinion on this matter, or a decision, requiring the supervisory authority to suspend its draft measure.

(107) In order to ensure compliance with this Regulation, the Commission may adopt an opinion on this matter, or in urgent cases a decision, requiring the supervisory authority to suspend its draft measure.

Or. en

Justification

The Commission’s proposal fails to respect the Commission’s own position on the independence of DPAs.

Amendment

53

Proposal for a regulation Recital 110

Text proposed by the Commission

Amendment

(110) At Union level, a European Data Protection Board should be set up. It should replace the Working Party on the Protection of Individuals with Regard to the Processing of Personal Data established by Directive 95/46/EC. It should consist of a head of a supervisory authority of each Member State and of the European Data Protection Supervisor. The Commission should participate in its activities. The European Data Protection Board should contribute to the consistent application of this Regulation throughout the Union, including by advising the Commission and promoting co-operation of the supervisory authorities throughout the Union. The European Data Protection Board should act independently when exercising its tasks.

(110) At Union level, a European Data Protection Board should be set up. It should replace the Working Party on the Protection of Individuals with Regard to the Processing of Personal Data established by Directive 95/46/EC. It should consist of a head of a supervisory authority of each Member State and of the European Data Protection Supervisor. The Commission should participate in its activities. The European Data Protection Board should contribute to the consistent application of this Regulation throughout the Union, including by advising the institutions of the European Union and promoting cooperation of the supervisory authorities throughout the Union, including the coordination of joint operations. The European Data Protection Board should act independently when exercising its tasks.

Or. en

Justification

There is no obvious reason why the Board should restrict its advisory activities to the Commission. The second addition enables the Board to play a bigger role in coordinating joint operations of DPAs.

Amendment

54

Proposal for a regulation Recital 118

Text proposed by the Commission

Amendment

(118) Any damage which a person may suffer as a result of unlawful processing should be compensated by the controller or processor, who may be exempted from liability if they prove that they are not responsible for the damage, in particular where he establishes fault on the part of the data subject or in case of force majeure.

(118) Any damage which a person may suffer as a result of unlawful processing should be compensated by the controller or processor, who may be exempted from liability if they prove that they are not responsible for the damage, in particular where he establishes that the balance of fault is on the part of the data subject or in case of force majeure.

Or. en

Justification

The existence of any level of fault on the part of the data subject should not automatically remove all responsibility from the data controller or processor if they share the fault.

Amendment

55

Proposal for a regulation Recital 121

Text proposed by the Commission

Amendment

(121) The processing of personal data solely for journalistic purposes, or for the purposes of artistic or literary expression should qualify for exemption from the requirements of certain provisions of this Regulation in order to reconcile the right to the protection of personal data with the right to freedom of expression, and notably the right to receive and impart information, as guaranteed in particular by Article 11 of the Charter of Fundamental Rights of the European Union. This should apply in particular to processing of personal data in the audiovisual field and in news archives and press libraries. Therefore, Member States should adopt legislative measures, which should lay down exemptions and derogations which are necessary for the purpose of balancing these fundamental rights. Such exemptions and derogations should be adopted by the Member States on general principles, on the rights of the data subject, on controller and processor, on the transfer of data to third countries or international organisations, on the independent supervisory authorities and on co-operation and consistency. This should not, however, lead Member States to lay down exemptions from the other provisions of this Regulation. In order to take account of the importance of the right to freedom of expression in every democratic society, it is necessary to interpret notions relating to that freedom, such as journalism, broadly. Therefore, Member States should classify activities as ‘journalistic’ for the purpose of the exemptions and derogations to be laid down under this Regulation if the object of these activities is the disclosure to the public of information, opinions or ideas, irrespective of the medium which is used to transmit them. They should not be limited to media undertakings and may be undertaken for profit-making or for non-profit making purposes.

(121) The processing of personal data solely for journalistic purposes, or for the purposes of artistic or literary expression should qualify for exemption from the requirements of certain provisions of this Regulation in order to reconcile the right to the protection of personal data with the right to freedom of expression, and notably the right to receive and impart information, as guaranteed in particular by Article 11 of the Charter of Fundamental Rights of the European Union. This should apply in particular to processing of personal data in the audiovisual field and in news archives and press libraries. Therefore, Member States should adopt legislative measures, which should lay down exemptions and derogations which are necessary for the purpose of balancing these fundamental rights. Such exemptions and derogations should be adopted by the Member States on general principles, on the rights of the data subject, on controller and processor, on the transfer of data to third countries or international organisations, on the independent supervisory authorities and on co-operation and consistency. This should not, however, lead Member States to lay down exemptions from the other provisions of this Regulation. In order to take account of the importance of the right to freedom of expression in every democratic society, it is necessary to interpret notions relating to that freedom, such as journalism, broadly. Therefore, Member States should classify activities as "journalistic" for the purpose of the exemptions and derogations to be laid down under this Regulation if the object of these activities is the analysis and disclosure to the public of information, opinions or ideas, irrespective of the medium which is used to transmit them. They should not be limited to media undertakings and may be undertaken for profit-making or for non-profit making purposes.

Or. en

Justification

This – and all – exceptions need to be clearly circumscribed.

Amendment

56

Proposal for a regulation Recital 121 a (new)

Text proposed by the Commission

Amendment

(121 a) This Regulation allows the principle of public access to official documents to be taken into account when applying the provisions set out in this Regulation. Personal data in documents held by a public authority or a public body may be disclosed by this authority or body in accordance with Member State legislation to which the public authority or public body is subject. Such legislation shall reconcile the right to the protection of personal data with the principle of public access to official documents.

Or. en

Justification

It is essential to ensure that public oversight of public affairs is not unduly hampered by data protection rules. As expressed in opinions by the EDPS, the Article 29 Working Party and the FRA, the principle of public access to official documents should therefore be guaranteed.

Amendment

57

Proposal for a regulation Recital 126

Text proposed by the Commission

Amendment

(126) Scientific research for the purposes of this Regulation should include fundamental research, applied research, and privately funded research and in addition should take into account the Union's objective under Article 179(1) of the Treaty on the Functioning of the European Union of achieving a European Research Area.

(126) Scientific research for the purposes of this Regulation should include fundamental research, applied research, and privately funded research in the meaning of Article 13 of the Charter of Fundamental Rights of the European Union and in addition should take into account the Union's objective under Article 179(1) of the Treaty on the Functioning of the European Union of achieving a European Research Area. It should not include market research.

Or. en

Justification

It should be clarified that the research exemption is meant for research in a strict sense, and not for market research.

Amendment

58

Proposal for a regulation Article 2 – paragraph 2 a (new)

Text proposed by the Commission

Amendment

2 a. Subject to the rules in this Regulation, the European Parliament and the Council, and the Commission where this is provided for in this Regulation, may adopt specific rules further clarifying the rules in this Regulation with regards to specific areas or to processing by specific entities. Within a period of one year from the coming into force of this Regulation, the European Parliament and the Council shall adopt such specific subsidiary rules with regard to the processing of personal data: (a) by providers of publicly available electronic communications services, both generally and as concerns the preservation of communications data for purposes of law enforcement; (b) by the Union institutions, bodies, offices and agencies.

Or. en

Justification

The aim of this proposal is to establish a general data protection regulation. In order to achieve this aim and to avoid fragmentation of the legal framework, the scope should thus be wide. There is no a priori reason why Union institutions, bodies, offices and agencies should be excluded; the same applies for providers of publicly available electronic communications services, both generally and as concerns the preservation of communications data for purposes of law enforcement. Existing legislation covering such entities should be brought in line with this Regulation. Until then, it should be applied in the spirit of the Regulation.

Amendment

59

Proposal for a regulation Article 2 – paragraph 2 b (new)

Text proposed by the Commission

Amendment

2 b. To the extent that processing referred to in paragraph 2a is already subject to Union law at the time of coming into force of this Regulation, those rules shall remain in force pending the adoption of subsidiary rules mentioned in that paragraph, but shall be applied in accordance with this Regulation. Any rules in such pre-existing law that contravene this Regulation shall be invalid to the extent that they contravene this Regulation.

Or. en

Justification

The aim of this proposal is to establish a general data protection regulation. In order to achieve this aim and to avoid fragmentation of the legal framework, the scope should thus be wide. There is no a priori reason why Union institutions, bodies, offices and agencies should be excluded; the same applies for providers of publicly available electronic communications services, both generally and as concerns the preservation of communications data for purposes of law enforcement. Existing legislation covering such entities should be brought in line with this Regulation. Until then, it should be applied in the spirit of the Regulation.

Amendment

60

Proposal for a regulation Article 2 – paragraph 2 – point a

Text proposed by the Commission

Amendment

(a) in the course of an activity which falls outside the scope of Union law, in particular concerning national security;

deleted

Or. en

Justification

Activities outside the scope of Union law are excluded by definition. Repeating this does not add anything.

Amendment

61

Proposal for a regulation Article 2 – paragraph 2 – point b

Text proposed by the Commission

Amendment

(b) by the Union institutions, bodies, offices and agencies;

deleted

Or. en

Justification

This follows from the insertion of paragraphs 2a and 2b.

Amendment

62

Proposal for a regulation Article 3 – paragraph 2 – point a

Text proposed by the Commission

Amendment

(a) the offering of goods or services to such data subjects in the Union; or

(a) the offering of goods or services to such data subjects in the Union, irrespective of whether a payment of the data subject is required; or

Or. en

Justification

The notion of “processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union” could be clarified. This question has already been raised under the current framework (see e.g. Opinion of the Working Party 29 on applicable law). While under a Regulation, questions of applicable law become less complicated, there should still be explicit rules on the applicability of national law building on the Regulation, e.g. specific rules in the employment context (see Article 82). It should be clarified that controllers established outside the Union are also subject to the Regulation when offering goods or services without a payment (e.g. because the service is paid for by advertising) to data subjects in the Union.

Amendment

63

Proposal for a regulation Article 4 – paragraph 1 – point 1

Text proposed by the Commission

Amendment

(1) ‘data subject’ means an identified natural person or a natural person who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person;

(1) 'data subject' means an identified natural person or a natural person who can be identified or singled out, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an identification number or other unique identifier, location data, online identifier or to one or more factors specific to the gender, physical, physiological, genetic, mental, economic, cultural or social identity or sexual orientation of that person;

Or. en

Justification

To ensure good protection, it is important that the terms "personal data" and "data subject" are not defined too narrowly. The Regulation should clearly apply to data that only allow "singling out" and it should be clear that online identifiers should in most cases be considered personal data. Since technology is steadily advancing, de-anonymisation attacks will become more sophisticated. Having wide definitions of "personal data" and "data subject" is important for future-proof protection.

Amendment

64

Proposal for a regulation Article 4 – paragraph 1 – point 3 a (new)

Text proposed by the Commission

Amendment

(3 a) 'profiling' means any form of automated processing intended to evaluate, or generate data about, aspects relating to natural persons or to analyse or predict a natural person's performance at work, economic situation, location, health, preferences, reliability, behaviour or personality;

Or. en

Justification

Profiling can entail serious risks for data subjects. It is prone to reinforcing discrimination and making decisions less transparent, and it carries an unavoidable risk of wrong decisions. For these reasons, it should be tightly regulated: its use should be clearly limited, and in those cases where it can be used, there should be safeguards against discrimination and data subjects should be able to receive clear and meaningful information on the logic of the profiling and its consequences. While some circles see profiling as a panacea for many problems, it should be noted that there is a significant body of research addressing its limitations. Notably, profiling tends to be useless for very rare characteristics, due to the risk of false positives. Also, profiles can be hard or impossible to verify. Profiles are based on complex and dynamic algorithms that evolve constantly and that are hard to explain to data subjects. Often, these algorithms qualify as commercial secrets and will not be easily provided to data subjects. However, when natural persons are subject to profiling, they should be entitled to information about the logic used in the measure, as well as an explanation of the final decision if human intervention has been obtained. This helps to reduce the lack of transparency, which could undermine trust in data processing and may lead to loss of trust, especially in online services. There is also a serious risk of unreliable and (in effect) discriminatory profiles being widely used, in matters of real importance to individuals and groups, which is the motivation behind several suggested changes in this Article that aim to improve the protection of data subjects against discrimination. In relation to this, the use of sensitive data in generating profiles should also be restricted.

Amendment

65

Proposal for a regulation Article 4 – paragraph 1 – point 9

Text proposed by the Commission

Amendment

(9) ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

(9) ‘personal data breach’ means the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

Or. en

Justification

Data breach notifications are an important tool for ensuring that controllers live up to their obligations on data security. They also empower data subjects to take steps to protect themselves against the consequences of breaches. This package of amendments aims at improving the provisions on data breaches by making the time limits for notification more manageable for controllers, preventing data subjects from developing "breach fatigue", and creating a public register of breaches.

Amendment

66

Proposal for a regulation Article 4 – paragraph 1 – point 13

Text proposed by the Commission

Amendment

(13) ‘main establishment’ means as regards the controller, the place of its establishment in the Union where the main decisions as to the purposes, conditions and means of the processing of personal data are taken; if no decisions as to the purposes, conditions and means of the processing of personal data are taken in the Union, the main establishment is the place where the main processing activities in the context of the activities of an establishment of a controller in the Union take place. As regards the processor, ‘main establishment’ means the place of its central administration in the Union;

(13) 'main establishment' means as regards the controller, the place of its establishment in the Union where the main decisions as to the purposes, conditions and means of the processing of personal data are taken or the place of its establishment which exercises dominant influence over other establishments of the controller; if no decisions as to the purposes, conditions and means of the processing of personal data are taken in the Union, the main establishment is the place where the main processing activities in the context of the activities of an establishment of a controller in the Union take place. As regards the processor, 'main establishment' means the place of its central administration in the Union;

Or. en

Amendment

67

Proposal for a regulation Article 6 – paragraph 1 – point f

Text proposed by the Commission

Amendment

(f) processing is necessary for the purposes of the legitimate interests pursued by a controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks.

deleted

Or. en

Justification

As drafted, this provision could offer controllers a way to avoid many restrictions, since experience suggests that few data subjects will test reliance on this ground in court. Moreover, the broadness of the term creates legal uncertainty. This is also likely to lead to divergences in practice between Member States and therefore fail to achieve harmonisation. Points (a) to (e) already offer ample grounds for lawfulness, so "legitimate interest" should be removed as a ground for processing. The vagueness of the term "legitimate interests" would encourage controllers to try to cover as much processing as possible under this ground, even though it could be covered under other grounds, notably consent, as well. This in turn would make it harder for data subjects to enforce their rights – while consent can easily be revoked, objecting to processing based on "legitimate interest" requires more effort on the part of the data subject. Having such an ill-defined term be one of the grounds for lawfulness could also contribute to legal uncertainty, as it is quite likely that interpretations by supervisory authorities and courts will differ between Member States.

Amendment

68

Proposal for a regulation Article 6 – paragraph 3 a (new)

Text proposed by the Commission

Amendment

3 a. In the case referred to in point (f) of paragraph 1, the controller shall inform the data subject about this explicitly and separately. The controller shall also publish the reasons for believing that its interests override the interests or fundamental rights and freedoms of the data subject.

Or. en

Amendment

69

Proposal for a regulation Article 6 – paragraph 4

Text proposed by the Commission

Amendment

4. Where the purpose of further processing is not compatible with the one for which the personal data have been collected, the processing must have a legal basis at least in one of the grounds referred to in points (a) to (e) of paragraph 1. This shall in particular apply to any change of terms and general conditions of a contract.

deleted

Or. en

Amendment

70

Proposal for a regulation Article 8 – paragraph 1

Text proposed by the Commission

Amendment

1. For the purposes of this Regulation, in relation to the offering of information society services directly to a child, the processing of personal data of a child below the age of 13 years shall only be lawful if and to the extent that consent is given or authorised by the child's parent or custodian. The controller shall make reasonable efforts to obtain verifiable consent, taking into consideration available technology.

1. For the purposes of this Regulation, in relation to the offering of services directly to a child, the processing of personal data of a child below the age of 13 years shall only be lawful if and to the extent that consent is given or authorised by the child's parent or custodian. The controller shall make reasonable efforts to obtain verifiable consent, taking into consideration available technology.

Or. en

Amendment

71

Proposal for a regulation Article 8 – paragraph 3

Text proposed by the Commission

Amendment

3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the methods to obtain verifiable consent referred to in paragraph 1. In doing so, the Commission shall consider specific measures for micro, small and medium-sized enterprises.

3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the methods to obtain verifiable consent referred to in paragraph 1.

Or. en

Amendment

72

Proposal for a regulation Article 9 – paragraph 1

Text proposed by the Commission

Amendment

1. The processing of personal data, revealing race or ethnic origin, political opinions, religion or beliefs, trade-union membership, and the processing of genetic data or data concerning health or sex life or criminal convictions or related security measures shall be prohibited.

1. The processing of personal data, revealing race or ethnic origin, political opinions, religion or philosophical beliefs, trade-union membership, and the processing of genetic data or data concerning health or sex life or criminal convictions, criminal offences and matters which have not led to a conviction, or related security measures shall be prohibited.

Or. en

Amendment

73

Proposal for a regulation Article 9 – paragraph 2 – point a

Text proposed by the Commission

Amendment

(a) the data subject has given consent to the processing of those personal data, subject to the conditions laid down in Articles 7 and 8, except where Union law or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject; or

(a) the data subject has given consent to the processing of those personal data, subject to the conditions laid down in Articles 7 and 8; or

Or. en

Amendment

74

Proposal for a regulation Article 9 – paragraph 2 – point b

Text proposed by the Commission

Amendment

(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller in the field of employment law in so far as it is authorised by Union law or Member State law providing for adequate safeguards; or

(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller in the field of employment law in so far as it is authorised by Union law or Member State law providing for adequate safeguards for the fundamental rights and the interests of the data subject; or

Or. en

Amendment

75

Proposal for a regulation Article 9 – paragraph 2 – point g

Text proposed by the Commission

Amendment

(g) processing is necessary for the performance of a task carried out in the public interest, on the basis of Union law, or Member State law which shall provide for suitable measures to safeguard the data subject's legitimate interests; or

(g) processing is necessary for the performance of a task carried out in the public interest, on the basis of Union law, or Member State law which shall provide for suitable measures to safeguard the data subject's fundamental rights and legitimate interests; or

Or. en

Amendment

76

Proposal for a regulation Article 9 – paragraph 2 – point j

Text proposed by the Commission

Amendment

(j) processing of data relating to criminal convictions or related security measures is carried out either under the control of official authority or when the processing is necessary for compliance with a legal or regulatory obligation to which a controller is subject, or for the performance of a task carried out for important public interest reasons, and in so far as authorised by Union law or Member State law providing for adequate safeguards. A complete register of criminal convictions shall be kept only under the control of official authority.

(j) processing of data relating to criminal convictions, criminal offences and matters which have not led to a conviction, or related security measures is carried out either under the control of official authority or when the processing is necessary for compliance with a legal or regulatory obligation to which a controller is subject, or for the performance of a task carried out for important public interest reasons, and in so far as authorised by Union law or Member State law providing for adequate safeguards for the fundamental rights of the data subject. A complete register of criminal convictions shall be kept only under the control of official authority.

Or. en

Amendment

77

Proposal for a regulation Article 10 – paragraph 1

Text proposed by the Commission

Amendment

If the data processed by a controller do not permit the controller to identify a natural person, the controller shall not be obliged to acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation.

If the data processed by a controller do not permit the controller to identify a natural person, the controller shall not acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation.

Or. en

(This Article follows from the principle of data minimisation. It could be further strengthened by the wording proposed.)

Amendment

78

Proposal for a regulation Article 14 – paragraph 1 – point b

Text proposed by the Commission

Amendment

(b) the purposes of the processing for which the personal data are intended, including the contract terms and general conditions where the processing is based on point (b) of Article 6(1) and the legitimate interests pursued by the controller where the processing is based on point (f) of Article 6(1);

(b) the specific purposes of the processing for which the personal data are intended as well as information regarding the actual processing of personal data, including the contract terms and general conditions where the processing is based on point (b) of Article 6(1) and the legitimate interests pursued by the controller, as well as the reasons why the controller thinks that this interest overrides the interests or fundamental rights and freedoms of the data subject, where the processing is based on point (f) of Article 6(1);

Or. en

Justification

Data subject rights are indispensable for empowering data subjects to take the protection of their data into their own hands and enforce their rights against controllers. They are one of the main levers to hold controllers accountable. For this reason, the rights to information, access, rectification, deletion, and data portability should be strengthened to allow users to understand what happens to their data and to exercise control over it. Exceptions and exemptions should be very limited.

Amendment

79

Proposal for a regulation Article 14 – paragraph 1 – point f

Text proposed by the Commission

Amendment

(f) the recipients or categories of recipients of the personal data;

(f) the recipients of the personal data;

Or. en

Justification

Data subject rights are indispensable for empowering data subjects to take the protection of their data into their own hands and enforce their rights against controllers. They are one of the main levers to hold controllers accountable. For this reason, the rights to information, access, rectification, deletion, and data portability should be strengthened to allow users to understand what happens to their data and to exercise control over it. Exceptions and exemptions should be very limited.

Amendment

80

Proposal for a regulation Article 14 – paragraph 1 – point g a (new)

Text proposed by the Commission

Amendment

(g a) where the controller processes personal data as described in Article 20(1), information about the existence of processing for a measure of the kind referred to in Article 20(1) and the intended effects of such processing on the data subject;

Or. en

Justification

Data subject rights are indispensable for empowering data subjects to take the protection of their data into their own hands and enforce their rights against controllers. They are one of the main levers to hold controllers accountable. For this reason, the rights to information, access, rectification, deletion, and data portability should be strengthened to allow users to understand what happens to their data and to exercise control over it. Exceptions and exemptions should be very limited.

Amendment

81

Proposal for a regulation Article 14 – paragraph 1 – point g b (new)

Text proposed by the Commission

Amendment

(g b) information regarding specific security measures taken to protect personal data;

Or. en

Justification

Data subject rights are indispensable for empowering data subjects to take the protection of their data into their own hands and enforce their rights against controllers. They are one of the main levers to hold controllers accountable. For this reason, the rights to information, access, rectification, deletion, and data portability should be strengthened to allow users to understand what happens to their data and to exercise control over it. Exceptions and exemptions should be very limited.

Amendment

82

Proposal for a regulation Article 14 – paragraph 8

Text proposed by the Commission

Amendment

8. The Commission may lay down standard forms for providing the information referred to in paragraphs 1 to 3, taking into account the specific characteristics and needs of various sectors and data processing situations where necessary. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

8. The Commission shall lay down standard forms for providing the information referred to in paragraphs 1 to 3, taking into account the specific characteristics and needs of various sectors and data processing situations where necessary, as well as the needs of the relevant stakeholders, including the possible use of layered notices. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

Or. en

Justification

Data subject rights are indispensable for empowering data subjects to take the protection of their data into their own hands and enforce their rights against controllers. They are one of the main levers to hold controllers accountable. For this reason, the rights to information, access, rectification, deletion, and data portability should be strengthened to allow users to understand what happens to their data and to exercise control over it. Exceptions and exemptions should be very limited.

Amendment

83

Proposal for a regulation Article 15 – paragraph 1 – introductory part

Text proposed by the Commission

Amendment

1. The data subject shall have the right to obtain from the controller at any time, on request, confirmation as to whether or not personal data relating to the data subject are being processed. Where such personal data are being processed, the controller shall provide the following information:

1. The data subject shall have the right to obtain from the controller at any time, on request, in clear and plain language, confirmation as to whether or not personal data relating to the data subject are being processed, and as to whether the controller takes measures in respect of the data subject that are based on profiles as referred to in Article 20(1). This shall also apply to data which only permit singling out, where the data subject can verifiably authentify him/herself. Where such personal data are being processed, and/or such measures are taken, the controller shall provide the following information:

Or. en

Justification

Data subject rights are indispensable for empowering data subjects to take the protection of their data into their own hands and enforce their rights against controllers. They are one of the main levers to hold controllers accountable. For this reason, the rights to information, access, rectification, deletion, and data portability should be strengthened to allow users to understand what happens to their data and to exercise control over it. Exceptions and exemptions should be very limited.

Amendment

84

Proposal for a regulation Article 15 – paragraph 1 – point c

Text proposed by the Commission

Amendment

(c) the recipients or categories of recipients to whom the personal data are to be or have been disclosed, in particular to recipients in third countries;

(c) the recipients to whom the personal data are to be or have been disclosed, including all recipients in third countries;

Or. en

Justification

Data subject rights are indispensable for empowering data subjects to take the protection of their data into their own hands and enforce their rights against controllers. They are one of the main levers to hold controllers accountable. For this reason, the rights to information, access, rectification, deletion, and data portability should be strengthened to allow users to understand what happens to their data and to exercise control over it. Exceptions and exemptions should be very limited.

Amendment

85

Proposal for a regulation Article 15 – paragraph 1 – point h a (new)

Text proposed by the Commission

Amendment

(h a) in the case of measures based on profiles, meaningful information about the logic used in the profiling;

Or. en

Justification

Data subject rights are indispensable for empowering data subjects to take the protection of their data into their own hands and enforce their rights against controllers. They are one of the main levers to hold controllers accountable. For this reason, the rights to information, access, rectification, deletion, and data portability should be strengthened to allow users to understand what happens to their data and to exercise control over it. Exceptions and exemptions should be very limited.

Amendment

86

Proposal for a regulation Article 15 – paragraph 1 – point h b (new)

Text proposed by the Commission

Amendment

(h b) where applicable, in what manner and for what specific purposes the data will be processed for statistical purposes and how it will be ensured that data enabling the attribution of information to an identified or identifiable data subject is kept separately from the other information;

Or. en

Justification

Data subject rights are indispensable for empowering data subjects to take the protection of their data into their own hands and enforce their rights against controllers. They are one of the main levers to hold controllers accountable. For this reason, the rights to information, access, rectification, deletion, and data portability should be strengthened to allow users to understand what happens to their data and to exercise control over it. Exceptions and exemptions should be very limited.

Amendment

87

Proposal for a regulation Article 17 – title

Text proposed by the Commission

Amendment

Right to be forgotten and to erasure

Right to erasure

Or. en

Justification

Data subject rights are indispensable for empowering data subjects to take the protection of their data into their own hands and enforce their rights against controllers. They are one of the main levers to hold controllers accountable. For this reason, the rights to information, access, rectification, deletion, and data portability should be strengthened to allow users to understand what happens to their data and to exercise control over it. Exceptions and exemptions should be very limited.

Amendment

88

Proposal for a regulation Article 17 – paragraph 2

Text proposed by the Commission

Amendment

2. Where the controller referred to in paragraph 1 has made the personal data public, it shall take all reasonable steps, including technical measures, in relation to data for the publication of which the controller is responsible, to inform third parties which are processing such data, that a data subject requests them to erase any links to, or copy or replication of that personal data. Where the controller has authorised a third party publication of personal data, the controller shall be considered responsible for that publication.

deleted

Or. en

Justification

Data subject rights are indispensable for empowering data subjects to take the protection of their data into their own hands and enforce their rights against controllers. They are one of the main levers to hold controllers accountable. For this reason, the rights to information, access, rectification, deletion, and data portability should be strengthened to allow users to understand what happens to their data and to exercise control over it. Exceptions and exemptions should be very limited.

Amendment

89

Proposal for a regulation Article 18 – paragraph 1

Text proposed by the Commission

Amendment

1. The data subject shall have the right, where personal data are processed by electronic means and in a structured and commonly used format, to obtain from the controller a copy of data undergoing processing in an electronic and structured format which is commonly used and allows for further use by the data subject.

1. The data subject shall have the right, where personal data are processed by electronic means, to obtain from the controller a copy of data undergoing processing in an electronic, interoperable and structured format which is commonly used and allows for further use by the data subject.

Or. en

Justification

Data subject rights are indispensable for empowering data subjects to take the protection of their data into their own hands and enforce their rights against controllers. They are one of the main levers to hold controllers accountable. For this reason, the rights to information, access, rectification, deletion, and data portability should be strengthened to allow users to understand what happens to their data and to exercise control over it. Exceptions and exemptions should be very limited as the right to data portability is a corollary to the right of access. When replying to access requests, controllers must not provide data in formats which limit further use by the data subject. The right to data portability may contribute to a more competitive environment, especially for social networks and other online services, by allowing people to change service providers without difficulty.

Amendment

90

Proposal for a regulation Article 18 – paragraph 2

Text proposed by the Commission

Amendment

2. Where the data subject has provided the personal data and the processing is based on consent or on a contract, the data subject shall have the right to transmit those personal data and any other information provided by the data subject and retained by an automated processing system, into another one, in an electronic format which is commonly used, without hindrance from the controller from whom the personal data are withdrawn.

2. Where the data subject has provided the personal data, the data subject shall have the right to transmit those personal data and any other information provided by the data subject and retained by an automated processing system, into another one, in an electronic format which is commonly used, without hindrance from the controller from whom the personal data are withdrawn.

Or. en

Justification

Data subject rights are indispensable for empowering data subjects to take the protection of their data into their own hands and enforce their rights against controllers. They are one of the main levers to hold controllers accountable. For this reason, the rights to information, access, rectification, deletion, and data portability should be strengthened to allow users to understand what happens to their data and to exercise control over it. Exceptions and exemptions should be very limited.

Amendment

91

Proposal for a regulation Article 18 – paragraph 2 a (new)

Text proposed by the Commission

Amendment

2 a. This right is without prejudice to the obligation to delete data when they are no longer necessary under Article 5(e).

Or. en

Justification

Data subject rights are indispensable for empowering data subjects to take the protection of their data into their own hands and enforce their rights against controllers. They are one of the main levers to hold controllers accountable. For this reason, the rights to information, access, rectification, deletion, and data portability should be strengthened to allow users to understand what happens to their data and to exercise control over it. Exceptions and exemptions should be very limited.

Amendment

92

Proposal for a regulation Article 19 – paragraph 1

Text proposed by the Commission

Amendment

1. The data subject shall have the right to object, on grounds relating to their particular situation, at any time to the processing of personal data which is based on points (d), (e) and (f) of Article 6(1), unless the controller demonstrates compelling legitimate grounds for the processing which override the interests or fundamental rights and freedoms of the data subject.

1. The data subject shall have the right to object, on grounds relating to their particular situation, at any time to the processing of personal data which is based on points (d) and (e) of Article 6(1), unless the controller demonstrates compelling legitimate grounds for the processing which override the interests or fundamental rights and freedoms of the data subject.

Or. en

Justification

Data subject rights are indispensable for empowering data subjects to take the protection of their data into their own hands and enforce their rights against controllers. They are one of the main levers to hold controllers accountable. For this reason, the rights to information, access, rectification, deletion, and data portability should be strengthened to allow users to understand what happens to their data and to exercise control over it. Exceptions and exemptions should be very limited.

Amendment

93

Proposal for a regulation Article 19 – paragraph 2

Text proposed by the Commission

Amendment

2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object free of charge to the processing of their personal data for such marketing. This right shall be explicitly offered to the data subject in an intelligible manner and shall be clearly distinguishable from other information.

2. Where personal data are processed for direct marketing purposes or where processing is based on Article 6(1)(f), the data subject shall have the right to object free of charge to the processing of their personal data for such marketing. This right shall be explicitly offered to the data subject in an intelligible manner, using clear and plain language, adapted to the data subject, in particular for any information addressed specifically to a child, and shall be clearly distinguishable from other information.

Or. en

Justification

Data subject rights are indispensable for empowering data subjects to take the protection of their data into their own hands and enforce their rights against controllers. They are one of the main levers to hold controllers accountable. For this reason, the rights to information, access, rectification, deletion, and data portability should be strengthened to allow users to understand what happens to their data and to exercise control over it. Exceptions and exemptions should be very limited.

Amendment

94

Proposal for a regulation Article 20 – paragraph 1

Text proposed by the Commission

Amendment

1. Every natural person shall have the right not to be subject to a measure which produces legal effects concerning this natural person or significantly affects this natural person, and which is based solely on automated processing intended to evaluate certain personal aspects relating to this natural person or to analyse or predict in particular the natural person's performance at work, economic situation, location, health, personal preferences, reliability or behaviour.

1. Every natural person shall have the right, both off-line and online, not to be subject to a measure which produces legal effects concerning this natural person or significantly affects this natural person, and which is based solely on automated processing intended to evaluate certain personal aspects relating to this natural person or to analyse or predict in particular the natural person's performance at work, economic situation, location, health, personal preferences, reliability or behaviour.

Or. en

Justification

Profiling can entail serious risks for data subjects. It is prone to reinforcing discriminations, making decisions less transparent and carries an unavoidable risk of wrong decisions. For these reasons, it should be tightly regulated: its use should be clearly limited, and in those cases where it can be used, there should be safeguards against discrimination and data subjects should be able to receive clear and meaningful information on the logic of the profiling and its consequences. While some circles see profiling as a panacea for many problems, it should be noted that there is a significant body of research addressing its limitations. Notably, profiling tends to be useless for very rare characteristics, due to the risk of false positives. Also, profiles can be hard or impossible to verify. Profiles are based on complex and dynamic algorithms that evolve constantly and that are hard to explain to data subjects. Often, these algorithms qualify as commercial secrets and will not be easily provided to data subjects. However, when natural persons are subject to profiling, they should be entitled to information about the logic used in the measure, as well as an explanation of the final decision if human intervention has been obtained. This helps to reduce intransparency, which could undermine trust in data processing and may lead to loss of trust, especially in online services. There is also a serious risk of unreliable and (in effect) discriminatory profiles being widely used, in matters of real importance to individuals and groups, which is the motivation behind several suggested changes in this Article that aim to improve the protection of data subjects against discrimination. In relation to this, the use of sensitive data in generating profiles should also be restricted.

Amendment

95

Proposal for a regulation Article 20 – paragraph 2 – introductory part

Text proposed by the Commission

Amendment

2. Subject to the other provisions of this Regulation, a person may be subjected to a measure of the kind referred to in paragraph 1 only if the processing:

2. Subject to the other provisions of this Regulation, including paragraphs (3) and (4), a person may be subjected to a measure of the kind referred to in paragraph 1 only if the processing:

Or. en

Justification

Profiling can entail serious risks for data subjects. It is prone to reinforcing discriminations, making decisions less transparent and carries an unavoidable risk of wrong decisions. For these reasons, it should be tightly regulated: its use should be clearly limited, and in those cases where it can be used, there should be safeguards against discrimination and data subjects should be able to receive clear and meaningful information on the logic of the profiling and its consequences. While some circles see profiling as a panacea for many problems, it should be noted that there is a significant body of research addressing its limitations. Notably, profiling tends to be useless for very rare characteristics, due to the risk of false positives. Also, profiles can be hard or impossible to verify. Profiles are based on complex and dynamic algorithms that evolve constantly and that are hard to explain to data subjects. Often, these algorithms qualify as commercial secrets and will not be easily provided to data subjects. However, when natural persons are subject to profiling, they should be entitled to information about the logic used in the measure, as well as an explanation of the final decision if human intervention has been obtained. This helps to reduce intransparency, which could undermine trust in data processing and may lead to loss of trust, especially in online services. There is also a serious risk of unreliable and (in effect) discriminatory profiles being widely used, in matters of real importance to individuals and groups, which is the motivation behind several suggested changes in this Article that aim to improve the protection of data subjects against discrimination. In relation to this, the use of sensitive data in generating profiles should also be restricted.

Amendment

96

Proposal for a regulation Article 20 – paragraph 2 – point a

Text proposed by the Commission

Amendment

(a) is carried out in the course of the entering into, or performance of, a contract, where the request for the entering into or the performance of the contract, lodged by the data subject, has been satisfied or where suitable measures to safeguard the data subject's legitimate interests have been adduced, such as the right to obtain human intervention; or

(a) is necessary for the entering into, or performance of, a contract, where the request for the entering into or the performance of the contract, lodged by the data subject, has been satisfied or where suitable measures to safeguard the data subject's legitimate interests have been adduced, including the right to be provided with meaningful information about the logic used in the profiling, and the right to obtain human intervention, including an explanation of the decision reached after such intervention; or

Or. en

Justification

Profiling can entail serious risks for data subjects. It is prone to reinforcing discriminations, making decisions less transparent and carries an unavoidable risk of wrong decisions. For these reasons, it should be tightly regulated: its use should be clearly limited, and in those cases where it can be used, there should be safeguards against discrimination and data subjects should be able to receive clear and meaningful information on the logic of the profiling and its consequences. While some circles see profiling as a panacea for many problems, it should be noted that there is a significant body of research addressing its limitations. Notably, profiling tends to be useless for very rare characteristics, due to the risk of false positives. Also, profiles can be hard or impossible to verify. Profiles are based on complex and dynamic algorithms that evolve constantly and that are hard to explain to data subjects. Often, these algorithms qualify as commercial secrets and will not be easily provided to data subjects. However, when natural persons are subject to profiling, they should be entitled to information about the logic used in the measure, as well as an explanation of the final decision if human intervention has been obtained. This helps to reduce intransparency, which could undermine trust in data processing and may lead to loss of trust, especially in online services. There is also a serious risk of unreliable and (in effect) discriminatory profiles being widely used, in matters of real importance to individuals and groups, which is the motivation behind several suggested changes in this Article that aim to improve the protection of data subjects against discrimination. In relation to this, the use of sensitive data in generating profiles should also be restricted.

Amendment

97

Proposal for a regulation Article 20 – paragraph 2 – point b

Text proposed by the Commission

Amendment

(b) is expressly authorized by a Union or Member State law which also lays down suitable measures to safeguard the data subject's legitimate interests; or

(b) is expressly authorized by a Union or Member State law which also lays down suitable measures to safeguard the data subject's legitimate interests, and which protects the data subjects against possible discrimination resulting from measures described in paragraph 1; or

Or. en

Justification

Profiling can entail serious risks for data subjects. It is prone to reinforcing discriminations, making decisions less transparent and carries an unavoidable risk of wrong decisions. For these reasons, it should be tightly regulated: its use should be clearly limited, and in those cases where it can be used, there should be safeguards against discrimination and data subjects should be able to receive clear and meaningful information on the logic of the profiling and its consequences. While some circles see profiling as a panacea for many problems, it should be noted that there is a significant body of research addressing its limitations. Notably, profiling tends to be useless for very rare characteristics, due to the risk of false positives. Also, profiles can be hard or impossible to verify. Profiles are based on complex and dynamic algorithms that evolve constantly and that are hard to explain to data subjects. Often, these algorithms qualify as commercial secrets and will not be easily provided to data subjects. However, when natural persons are subject to profiling, they should be entitled to information about the logic used in the measure, as well as an explanation of the final decision if human intervention has been obtained. This helps to reduce intransparency, which could undermine trust in data processing and may lead to loss of trust, especially in online services. There is also a serious risk of unreliable and (in effect) discriminatory profiles being widely used, in matters of real importance to individuals and groups, which is the motivation behind several suggested changes in this Article that aim to improve the protection of data subjects against discrimination. In relation to this, the use of sensitive data in generating profiles should also be restricted.

Amendment

98

Proposal for a regulation Article 20 – paragraph 2 – point c

Text proposed by the Commission

Amendment

(c) is based on the data subject's consent, subject to the conditions laid down in Article 7 and to suitable safeguards.

(c) is based on the data subject's consent, subject to the conditions laid down in Article 7 and to suitable safeguards, including effective protection against possible discrimination resulting from measures described in paragraph 1.

Or. en

Justification

Profiling can entail serious risks for data subjects. It is prone to reinforcing discriminations, making decisions less transparent and carries an unavoidable risk of wrong decisions. For these reasons, it should be tightly regulated: its use should be clearly limited, and in those cases where it can be used, there should be safeguards against discrimination and data subjects should be able to receive clear and meaningful information on the logic of the profiling and its consequences. While some circles see profiling as a panacea for many problems, it should be noted that there is a significant body of research addressing its limitations. Notably, profiling tends to be useless for very rare characteristics, due to the risk of false positives. Also, profiles can be hard or impossible to verify. Profiles are based on complex and dynamic algorithms that evolve constantly and that are hard to explain to data subjects. Often, these algorithms qualify as commercial secrets and will not be easily provided to data subjects. However, when natural persons are subject to profiling, they should be entitled to information about the logic used in the measure, as well as an explanation of the final decision if human intervention has been obtained. This helps to reduce intransparency, which could undermine trust in data processing and may lead to loss of trust, especially in online services. There is also a serious risk of unreliable and (in effect) discriminatory profiles being widely used, in matters of real importance to individuals and groups, which is the motivation behind several suggested changes in this Article that aim to improve the protection of data subjects against discrimination. In relation to this, the use of sensitive data in generating profiles should also be restricted.

Amendment

99

Proposal for a regulation Article 20 – paragraph 3

Text proposed by the Commission

Amendment

3. Automated processing of personal data intended to evaluate certain personal aspects relating to a natural person shall not be based solely on the special categories of personal data referred to in Article 9.

3. Automated processing of personal data intended to evaluate certain personal aspects relating to a natural person shall not include or generate any data that fall under the special categories of personal data referred to in Article 9, except when falling under the exceptions listed in Article 9(2).

Or. en

Justification

Profiling can entail serious risks for data subjects. It is prone to reinforcing discrimination, makes decisions less transparent and carries an unavoidable risk of wrong decisions. For these reasons, it should be tightly regulated: its use should be clearly limited, and in those cases where it can be used, there should be safeguards against discrimination and data subjects should be able to receive clear and meaningful information on the logic of the profiling and its consequences. While some circles see profiling as a panacea for many problems, it should be noted that there is a significant body of research addressing its limitations. Notably, profiling tends to be useless for very rare characteristics, due to the risk of false positives. Also, profiles can be hard or impossible to verify. Profiles are based on complex and dynamic algorithms that evolve constantly and that are hard to explain to data subjects. Often, these algorithms qualify as commercial secrets and will not be easily provided to data subjects. However, when natural persons are subject to profiling, they should be entitled to information about the logic used in the measure, as well as an explanation of the final decision if human intervention has been obtained. This helps to reduce intransparency, which could undermine trust in data processing and may lead to loss of trust, especially in online services. There is also a serious risk of unreliable and (in effect) discriminatory profiles being widely used, in matters of real importance to individuals and groups, which is the motivation behind several suggested changes in this Article that aim to improve the protection of data subjects against discrimination. In relation to this, the use of sensitive data in generating profiles should also be restricted.

Amendment

100

Proposal for a regulation Article 20 – paragraph 3 a (new)

Text proposed by the Commission

Amendment

3 a. Profiling that (whether intentionally or otherwise) has the effect of discriminating against individuals on the basis of race or ethnic origin, political opinions, religion or beliefs, trade union membership, or sexual orientation, or that (whether intentionally or otherwise) results in measures which have such effect, shall be prohibited.

Or. en

Justification

Profiling can entail serious risks for data subjects. It is prone to reinforcing discrimination, makes decisions less transparent and carries an unavoidable risk of wrong decisions. For these reasons, it should be tightly regulated: its use should be clearly limited, and in those cases where it can be used, there should be safeguards against discrimination and data subjects should be able to receive clear and meaningful information on the logic of the profiling and its consequences. While some circles see profiling as a panacea for many problems, it should be noted that there is a significant body of research addressing its limitations. Notably, profiling tends to be useless for very rare characteristics, due to the risk of false positives. Also, profiles can be hard or impossible to verify. Profiles are based on complex and dynamic algorithms that evolve constantly and that are hard to explain to data subjects. Often, these algorithms qualify as commercial secrets and will not be easily provided to data subjects. However, when natural persons are subject to profiling, they should be entitled to information about the logic used in the measure, as well as an explanation of the final decision if human intervention has been obtained. This helps to reduce intransparency, which could undermine trust in data processing and may lead to loss of trust, especially in online services. There is also a serious risk of unreliable and (in effect) discriminatory profiles being widely used, in matters of real importance to individuals and groups, which is the motivation behind several suggested changes in this Article that aim to improve the protection of data subjects against discrimination. In relation to this, the use of sensitive data in generating profiles should also be restricted.

Amendment

101

Proposal for a regulation Article 20 – paragraph 3 b (new)

Text proposed by the Commission

Amendment

3 b. Automated processing of personal data intended to evaluate certain personal aspects relating to a natural person shall not be used to identify or individualise children.

Or. en

Justification

Profiling can entail serious risks for data subjects. It is prone to reinforcing discrimination, makes decisions less transparent and carries an unavoidable risk of wrong decisions. For these reasons, it should be tightly regulated: its use should be clearly limited, and in those cases where it can be used, there should be safeguards against discrimination and data subjects should be able to receive clear and meaningful information on the logic of the profiling and its consequences. While some circles see profiling as a panacea for many problems, it should be noted that there is a significant body of research addressing its limitations. Notably, profiling tends to be useless for very rare characteristics, due to the risk of false positives. Also, profiles can be hard or impossible to verify. Profiles are based on complex and dynamic algorithms that evolve constantly and that are hard to explain to data subjects. Often, these algorithms qualify as commercial secrets and will not be easily provided to data subjects. However, when natural persons are subject to profiling, they should be entitled to information about the logic used in the measure, as well as an explanation of the final decision if human intervention has been obtained. This helps to reduce intransparency, which could undermine trust in data processing and may lead to loss of trust, especially in online services. There is also a serious risk of unreliable and (in effect) discriminatory profiles being widely used, in matters of real importance to individuals and groups, which is the motivation behind several suggested changes in this Article that aim to improve the protection of data subjects against discrimination. In relation to this, the use of sensitive data in generating profiles should also be restricted.

Amendment

102

Proposal for a regulation Article 20 – paragraph 4

Text proposed by the Commission

Amendment

4. In the cases referred to in paragraph 2, the information to be provided by the controller under Article 14 shall include information as to the existence of processing for a measure of the kind referred to in paragraph 1 and the envisaged effects of such processing on the data subject.

4. In the cases referred to in paragraph 2, the information to be provided by the controller under Article 14 and 15 shall include information as to the existence of processing for a measure of the kind referred to in paragraph 1 and the envisaged effects of such processing on the data subject, as well as the access to the logic underpinning the data undergoing processing.

Or. en

Justification

Profiling can entail serious risks for data subjects. It is prone to reinforcing discrimination, makes decisions less transparent and carries an unavoidable risk of wrong decisions. For these reasons, it should be tightly regulated: its use should be clearly limited, and in those cases where it can be used, there should be safeguards against discrimination and data subjects should be able to receive clear and meaningful information on the logic of the profiling and its consequences. While some circles see profiling as a panacea for many problems, it should be noted that there is a significant body of research addressing its limitations. Notably, profiling tends to be useless for very rare characteristics, due to the risk of false positives. Also, profiles can be hard or impossible to verify. Profiles are based on complex and dynamic algorithms that evolve constantly and that are hard to explain to data subjects. Often, these algorithms qualify as commercial secrets and will not be easily provided to data subjects. However, when natural persons are subject to profiling, they should be entitled to information about the logic used in the measure, as well as an explanation of the final decision if human intervention has been obtained. This helps to reduce intransparency, which could undermine trust in data processing and may lead to loss of trust, especially in online services. There is also a serious risk of unreliable and (in effect) discriminatory profiles being widely used, in matters of real importance to individuals and groups, which is the motivation behind several suggested changes in this Article that aim to improve the protection of data subjects against discrimination. In relation to this, the use of sensitive data in generating profiles should also be restricted.

Amendment

103

Proposal for a regulation Article 20 – paragraph 5

Text proposed by the Commission

Amendment

5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and conditions for suitable measures to safeguard the data subject's legitimate interests referred to in paragraph 2.

5. Within six months of the coming into force of this Regulation, the Commission shall adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and conditions for suitable measures to safeguard the data subjects' legitimate interests referred to in paragraph 2. The Commission shall consult representatives of data subjects and the Data Protection Board on its proposals before issuing them.

Or. en

Justification

Profiling can entail serious risks for data subjects. It is prone to reinforcing discrimination, makes decisions less transparent and carries an unavoidable risk of wrong decisions. For these reasons, it should be tightly regulated: its use should be clearly limited, and in those cases where it can be used, there should be safeguards against discrimination and data subjects should be able to receive clear and meaningful information on the logic of the profiling and its consequences. While some circles see profiling as a panacea for many problems, it should be noted that there is a significant body of research addressing its limitations. Notably, profiling tends to be useless for very rare characteristics, due to the risk of false positives. Also, profiles can be hard or impossible to verify. Profiles are based on complex and dynamic algorithms that evolve constantly and that are hard to explain to data subjects. Often, these algorithms qualify as commercial secrets and will not be easily provided to data subjects. However, when natural persons are subject to profiling, they should be entitled to information about the logic used in the measure, as well as an explanation of the final decision if human intervention has been obtained. This helps to reduce intransparency, which could undermine trust in data processing and may lead to loss of trust, especially in online services. There is also a serious risk of unreliable and (in effect) discriminatory profiles being widely used, in matters of real importance to individuals and groups, which is the motivation behind several suggested changes in this Article that aim to improve the protection of data subjects against discrimination. In relation to this, the use of sensitive data in generating profiles should also be restricted.

Amendment

104

Proposal for a regulation Article 21 – paragraph 1 – introductory part

Text proposed by the Commission

Amendment

1. Union or Member State law may restrict by way of a legislative measure the scope of the obligations and rights provided for in points (a) to (e) of Article 5 and Articles 11 to 20 and Article 32, when such a restriction constitutes a necessary and proportionate measure in a democratic society to safeguard:

1. Union or Member State law may restrict by way of a legislative measure the scope of the obligations and rights provided for in points (a) to (e) of Article 5 and Articles 11 to 19 and Article 32, when such a restriction constitutes a necessary and proportionate measure in a democratic society to safeguard:

Or. en

Justification

Data subject rights are indispensable for empowering data subjects to take the protection of their data into their own hands and enforce their rights against controllers. They are one of the main levers to hold controllers accountable. For this reason, the rights to information, access, rectification, deletion, and data portability should be strengthened to allow users to understand what happens to their data and to exercise control over it. Exceptions and exemptions should be very limited.

Amendment

105

Proposal for a regulation Article 21 – paragraph 1 – point c

Text proposed by the Commission

Amendment

(c) other public interests of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters and the protection of market stability and integrity;

(c) other important public interests of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters;

Or. en

Justification

Data subject rights are indispensable for empowering data subjects to take the protection of their data into their own hands and enforce their rights against controllers. They are one of the main levers to hold controllers accountable. For this reason, the rights to information, access, rectification, deletion, and data portability should be strengthened to allow users to understand what happens to their data and to exercise control over it. Exceptions and exemptions should be very limited.

Amendment

106

Proposal for a regulation Article 21 – paragraph 1 – point e

Text proposed by the Commission

Amendment

(e) a monitoring, inspection or regulatory function connected, even occasionally, with the exercise of official authority in cases referred to in (a), (b), (c) and (d);

deleted

Or. en

Justification

Data subject rights are indispensable for empowering data subjects to take the protection of their data into their own hands and enforce their rights against controllers. They are one of the main levers to hold controllers accountable. For this reason, the rights to information, access, rectification, deletion, and data portability should be strengthened to allow users to understand what happens to their data and to exercise control over it. Exceptions and exemptions should be very limited.

Amendment

107

Proposal for a regulation Article 21 – paragraph 2

Text proposed by the Commission

Amendment

2. In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions at least as to the objectives to be pursued by the processing and the determination of the controller.

2. In particular, any legislative measure referred to in paragraph 1 must comply with the standards of necessity and proportionality and shall contain specific provisions at least as to: (a) the objectives to be pursued by the processing; (b) the determination of the controller; (c) the specific purposes and means of processing; (d) the categories of persons authorised to process the data; (e) the procedure to be followed for the processing; (f) the safeguards against any arbitrary interferences by public authorities; (g) the right of data subjects to be informed about the restriction.

Or. en

Justification

Data subject rights are indispensable for empowering data subjects to take the protection of their data into their own hands and enforce their rights against controllers. They are one of the main levers to hold controllers accountable. For this reason, the rights to information, access, rectification, deletion, and data portability should be strengthened to allow users to understand what happens to their data and to exercise control over it. Exceptions and exemptions should be very limited.

Amendment

108

Proposal for a regulation Article 21 – paragraph 2 a (new)

Text proposed by the Commission

Amendment

2 a. Legislative measures referred to in paragraph 1 shall not impose obligations on private controllers to retain data additional to those strictly necessary for the original purpose.

Or. en

Justification

Data subject rights are indispensable for empowering data subjects to take the protection of their data into their own hands and enforce their rights against controllers. They are one of the main levers to hold controllers accountable. For this reason, the rights to information, access, rectification, deletion, and data portability should be strengthened to allow users to understand what happens to their data and to exercise control over it. Exceptions and exemptions should be very limited.

Amendment

109

Proposal for a regulation Article 21 – paragraph 2 b (new)

Text proposed by the Commission

Amendment

2 b. Legislative measures referred to in paragraph 1 shall be notified to the European Data Protection Board for opinion. If the European Data Protection Board considers that the notified measure does not comply with the requirements of paragraph 2, it shall inform the Commission. The Commission shall then consider launching the procedure established under Article 258 of the Treaty on the Functioning of the European Union.

Or. en

Justification

Data subject rights are indispensable for empowering data subjects to take the protection of their data into their own hands and enforce their rights against controllers. They are one of the main levers to hold controllers accountable. For this reason, the rights to information, access, rectification, deletion, and data portability should be strengthened to allow users to understand what happens to their data and to exercise control over it. Exceptions and exemptions should be very limited.

Amendment

110

Proposal for a regulation Article 22 – paragraph 2 – point e a (new)

Text proposed by the Commission

Amendment

(e a) establishing and documenting the measures referred to in Article 11.

Or. en

Amendment

111

Proposal for a regulation Article 22 – paragraph 3 a (new)

Text proposed by the Commission

Amendment

3 a. The controller shall make public a summary of the measures referred to in paragraphs 1 and 2.

Or. en

Amendment

112

Proposal for a regulation Article 23 – paragraph 1

Text proposed by the Commission

Amendment

1. Having regard to the state of the art and the cost of implementation, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.

1. Having regard to the state of the art and the cost of implementation, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject. This shall include both: (a) technical measures relating to the technical design and architecture of the product or service; and (b) organisational measures which relate to operational policies of the controller. Where a controller has carried out a data protection impact assessment pursuant to Article 33, the results of this shall be taken into account when developing the measures referred to in points (a) and (b) of this paragraph.

Or. en

Amendment

113

Proposal for a regulation Article 23 – paragraph 2

Text proposed by the Commission

Amendment

2. The controller shall implement mechanisms for ensuring that, by default, only those personal data are processed which are necessary for each specific purpose of the processing and are especially not collected or retained beyond the minimum necessary for those purposes, both in terms of the amount of the data and the time of their storage. In particular, those mechanisms shall ensure that by default personal data are not made accessible to an indefinite number of individuals.

2. The controller shall implement mechanisms for ensuring that, by default, only those personal data are processed which are necessary for each specific purpose of the processing and are especially not collected or retained beyond the minimum necessary for those purposes, both in terms of the amount of the data and the time of their storage. This shall be ensured using technical and/or organisational measures, as appropriate. In particular, those mechanisms shall ensure that by default personal data are not made accessible to an indefinite number of individuals and that data subjects can control the distribution of their personal data.

Or. en

Amendment

114

Proposal for a regulation Article 25 – paragraph 2 – point a

Text proposed by the Commission

Amendment

(a) a controller established in a third country where the Commission has decided that the third country ensures an adequate level of protection in accordance with Article 41; or

deleted

Or. en

Amendment

115

Proposal for a regulation Article 25 – paragraph 2 – point b

Text proposed by the Commission

Amendment

(b) an enterprise employing fewer than 250 persons; or

(b) an enterprise processing personal data relating to fewer than 250 data subjects; or

Or. en

Amendment

116

Proposal for a regulation Article 26 – paragraph 2 – point h a (new)

Text proposed by the Commission

Amendment

(h a) take into account the principle of data protection by design.

Or. en

Amendment

117

Proposal for a regulation Article 28 – paragraph 4 – point b

Text proposed by the Commission

Amendment

(b) an enterprise or an organisation employing fewer than 250 persons that is processing personal data only as an activity ancillary to its main activities.

(b) an enterprise or an organisation processing personal data relating to fewer than 250 data subjects that is processing personal data only as an activity ancillary to its main activities.

Or. en

Amendment

118

Proposal for a regulation Article 30 – paragraph 2

Text proposed by the Commission

Amendment

2. The controller and the processor shall, following an evaluation of the risks, take the measures referred to in paragraph 1 to protect personal data against accidental or unlawful destruction or accidental loss and to prevent any unlawful forms of processing, in particular any unauthorised disclosure, dissemination or access, or alteration of personal data.

2. The controller and the processor shall, following an evaluation of the risks, take the measures referred to in paragraph 1 to protect personal data against accidental or unlawful destruction or accidental loss and to prevent any unlawful forms of processing, in particular any unauthorised disclosure, dissemination or access, or alteration of personal data. Where a controller has carried out a data protection impact assessment pursuant to Article 33, the results of this assessment shall be taken into account in the evaluation of the risks.

Or. en

Amendment

119

Proposal for a regulation Article 31 – paragraph 1

Text proposed by the Commission

Amendment

1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 24 hours after having become aware of it, notify the personal data breach to the supervisory authority. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 24 hours.

1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 72 hours.

Or. en

Justification

Data breach notifications are an important tool for ensuring that controllers live up to their obligations on data security. They also empower data subjects to take steps to protect themselves against the consequences of breaches. This package of amendments aims at improving the provisions on data breaches by making the time limits for notification more manageable for controllers, preventing data subjects from developing "breach fatigue", and creating a public register of breaches.

Amendment

120

Proposal for a regulation Article 31 – paragraph 4 a (new)

Text proposed by the Commission

Amendment

4 a. The supervisory authority shall keep a public register of the types of breaches notified.

Or. en

Justification

Data breach notifications are an important tool for ensuring that controllers live up to their obligations on data security. They also empower data subjects to take steps to protect themselves against the consequences of breaches. This package of amendments aims at improving the provisions on data breaches by making the time limits for notification more manageable for controllers, preventing data subjects from developing "breach fatigue", and creating a public register of breaches.

Amendment

121

Proposal for a regulation Article 32 – paragraph 1

Text proposed by the Commission

Amendment

1. When the personal data breach is likely to adversely affect the protection of the personal data or privacy of the data subject, the controller shall, after the notification referred to in Article 31, communicate the personal data breach to the data subject without undue delay.

1. When the personal data breach is likely to adversely or seriously affect the protection of the personal data or privacy of the data subject, the controller shall, after the notification referred to in Article 31, communicate the personal data breach to the data subject without undue delay.

Or. en

Justification

Data breach notifications are an important tool for ensuring that controllers live up to their obligations on data security. They also empower data subjects to take steps to protect themselves against the consequences of breaches. This package of amendments aims at improving the provisions on data breaches by making the time limits for notification more manageable for controllers, preventing data subjects from developing "breach fatigue", and creating a public register of breaches.

Amendment

122

Proposal for a regulation Article 32 – paragraph 2

Text proposed by the Commission

Amendment

2. The communication to the data subject referred to in paragraph 1 shall describe the nature of the personal data breach and contain at least the information and the recommendations provided for in points (b) and (c) of Article 31(3).

2. The communication to the data subject referred to in paragraph 1 shall describe the nature of the personal data breach and contain at least the information and the recommendations provided for in points (a) to (e) of Article 31(3).

Or. en

Justification

Data breach notifications are an important tool for ensuring that controllers live up to their obligations on data security. They also empower data subjects to take steps to protect themselves against the consequences of breaches. This package of amendments aims at improving the provisions on data breaches by making the time limits for notification more manageable for controllers, preventing data subjects from developing "breach fatigue", and creating a public register of breaches.

Amendment

123

Proposal for a regulation Article 32 – paragraph 5

Text proposed by the Commission

Amendment

5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements as to the circumstances in which a personal data breach is likely to adversely affect the personal data referred to in paragraph 1.

5. The Commission shall be empowered to adopt, after consulting the European Data Protection Board, delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements as to the circumstances in which a personal data breach is likely to adversely affect the personal data referred to in paragraph 1.

Or. en

Justification

Data breach notifications are an important tool for ensuring that controllers live up to their obligations on data security. They also empower data subjects to take steps to protect themselves against the consequences of breaches. This package of amendments aims at improving the provisions on data breaches by making the time limits for notification more manageable for controllers, preventing data subjects from developing "breach fatigue", and creating a public register of breaches.

Amendment

124

Proposal for a regulation Article 33 – paragraph 2 – point a

Text proposed by the Commission

Amendment

(a) a systematic and extensive evaluation of personal aspects relating to a natural person or for analysing or predicting in particular the natural person's economic situation, location, health, personal preferences, reliability or behaviour, which is based on automated processing and on which measures are based that produce legal effects concerning the individual or significantly affect the individual;

(a) a systematic and extensive evaluation of personal aspects relating to a natural person or for analysing or predicting in particular the natural person's economic situation, location, health, personal preferences, reliability or behaviour, which is based on automated processing and on which measures are based that produce legal effects concerning the individual or significantly affect the individual, including any further processing operation of the kind referred to in Article 20(1) of this Regulation;

Or. en

Amendment

125

Proposal for a regulation Article 33 – paragraph 2 – point b

Text proposed by the Commission

Amendment

(b) information on sex life, health, race and ethnic origin or for the provision of health care, epidemiological researches, or surveys of mental or infectious diseases, where the data are processed for taking measures or decisions regarding specific individuals on a large scale;

(b) information on sex life, health, race and ethnic origin or for the provision of health care, epidemiological researches, or surveys of mental or infectious diseases, where the data are processed for taking measures or decisions regarding specific individuals;

Or. en

Amendment

126

Proposal for a regulation Article 33 – paragraph 2 – point c

Text proposed by the Commission

Amendment

(c) monitoring publicly accessible areas, especially when using optic-electronic devices (video surveillance) on a large scale;

(c) monitoring publicly accessible areas, especially when using optic-electronic devices (video surveillance);

Or. en

Amendment

127

Proposal for a regulation Article 33 – paragraph 2 – point d

Text proposed by the Commission

Amendment

(d) personal data in large scale filing systems on children, genetic data or biometric data;

(d) personal data in filing systems on children, genetic data or biometric data;

Or. en

Amendment

128

Proposal for a regulation Article 33 – paragraph 3

Text proposed by the Commission

Amendment

3. The assessment shall contain at least a general description of the envisaged processing operations, an assessment of the risks to the rights and freedoms of data subjects, the measures envisaged to address the risks, safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation, taking into account the rights and legitimate interests of data subjects and other persons concerned.

3. The assessment shall contain at least a general description of the envisaged processing operations, an assessment of the risks to the rights and freedoms of data subjects, including in particular the risk of discrimination being embedded in or reinforced by the operation, the measures envisaged to address the risks, safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation, taking into account the rights and legitimate interests of data subjects and other persons concerned.

Or. en

Amendment

129

Proposal for a regulation Article 33 – paragraph 7

Text proposed by the Commission

Amendment

7. The Commission may specify standards and procedures for carrying out and verifying and auditing the assessment referred to in paragraph 3. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

7. Subject to the previous provisions, within six months of the coming into force of this Regulation, the Commission shall specify standards and procedures for carrying out and verifying and auditing the assessment referred to in paragraph 3. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

Or. en

Amendment

130

Proposal for a regulation Article 34 – paragraph 1

Text proposed by the Commission

Amendment

1. The controller or the processor as the case may be shall obtain an authorisation from the supervisory authority prior to the processing of personal data, in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risks involved for the data subjects where a controller or processor adopts contractual clauses as provided for in point (d) of Article 42(2) or does not provide for the appropriate safeguards in a legally binding instrument as referred to in Article 42(5) for the transfer of personal data to a third country or an international organisation.

1. The controller or the processor as the case may be shall obtain an authorisation from the supervisory authority prior to the processing of personal data, in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risks involved for the data subjects

(a) where a controller performs any processing operation of the kind referred to in Article 20(1) of this Regulation in relation to minors;

(b) where a controller or processor adopts contractual clauses as provided for in point (d) of Article 42(2);

(c) where a controller does not provide for the appropriate safeguards in a legally binding instrument as referred to in Article 42(5) for the transfer of personal data to a third country or an international organisation;

(d) where a controller or processor transfers personal data to a third country or an international organisation based on the derogations in Article 44;

(e) where a controller performs processing operations referred to in Article 81(3) or Article 83(3).

Or. en

Amendment

131

Proposal for a regulation Article 34 – paragraph 2 a (new)

Text proposed by the Commission

Amendment

2 a. The supervisory authority shall seek the views of representatives of the data subjects and of the Data Protection Board on the intended processing.

Or. en

Amendment

132

Proposal for a regulation Article 34 – paragraph 2 – point a

Text proposed by the Commission

Amendment

(a) a data protection impact assessment as provided for in Article 33 indicates that processing operations are by virtue of their nature, their scope or their purposes, likely to present a high degree of specific risks; or

(a) a data protection impact assessment as provided for in Article 33 indicates that processing operations are by virtue of their nature, their scope or their purposes, likely to present a high degree of specific risks, including in particular the risk that the operations may have a discriminatory impact; or

Or. en

Amendment

133

Proposal for a regulation Article 34 – paragraph 3 a (new)

Text proposed by the Commission

Amendment

3 a. Where the supervisory authority is of the opinion that the intended processing may pose a risk of discriminatory treatment of data subjects, it shall order that the actual effects of the processing shall be monitored for such effects, and that it shall be provided with all the necessary information to assess this, at regular intervals.

Or. en

Amendment

134

Proposal for a regulation Article 35 – paragraph 1 – point b

Text proposed by the Commission

Amendment

(b) the processing is carried out by an enterprise employing 250 persons or more; or

(b) the processing is carried out by an enterprise processing personal data relating to more than 250 data subjects; or

Or. en

Amendment

135

Proposal for a regulation Article 37 – paragraph 1 – point c

Text proposed by the Commission

Amendment

(c) to monitor the implementation and application of this Regulation, in particular as to the requirements related to data protection by design, data protection by default and data security and to the information of data subjects and their requests in exercising their rights under this Regulation;

(c) to monitor the implementation and application of this Regulation, in particular as to the requirements related to data protection by design and data protection by default according to Article 23, data security according to Articles 30 to 32, and the information of data subjects and their requests in exercising their rights according to Articles 11 to 20 under this Regulation;

Or. en

Amendment

136

Proposal for a regulation Article 40 – paragraph 1

Text proposed by the Commission

Amendment

Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation may only take place if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation.

Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall be prohibited unless, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation.

Or. en

Justification

Transfers to third countries should be tightly regulated, as they often do not provide for an appropriate level of protection. This package of amendments provides improved rules for adequacy decisions and appropriate safeguards. It should be clear that while "adequacy" does not mean that the rules are identical, such decisions should still guarantee a high standard of protection. Similarly, appropriate safeguards should not offer loopholes for circumventing data protection standards. With technological process, it has become easier to outsource processing operations to third countries. However, controllers should not be able to use this to avoid European data protection standards, so the rules for third-country transfers should provide for good protection. Adequacy decisions are one way for legitimising third-country transfers, but should be improved by including a role for the EDPB and an assessment of the practical application of data protection law in the third country, as well as constant monitoring of any changes. Appropriate safeguards should confer enforceable rights on data subjects and should make sure that the principles of data protection are obeyed. This amendment clarifies that the starting point is the prohibition of transfers to third countries, unless the exceptions in this Chapter are applicable.

Amendment

137

Proposal for a regulation Article 41 – paragraph 1

Text proposed by the Commission

Amendment

1. A transfer may take place where the Commission has decided that the third country, or a territory or a processing sector within that third country, or the international organisation in question ensures an adequate level of protection. Such transfer shall not require any further authorisation.

1. A transfer may take place where the Commission has decided that the third country, or a territory or a processing sector within that third country, or the international organisation in question ensures an adequate level of protection. Such transfer shall not require any further authorisation. Such decisions shall not affect the level of protection under this Regulation.

Or. en

Justification

Transfers to third countries should be tightly regulated, as they often do not provide for an appropriate level of protection. This package of amendments provides improved rules for adequacy decisions and appropriate safeguards. It should be clear that while "adequacy" does not mean that the rules are identical, such decisions should still guarantee a high standard of protection. Similarly, appropriate safeguards should not offer loopholes for circumventing data protection standards. With technological process, it has become easier to outsource processing operations to third countries. However, controllers should not be able to use this to avoid European data protection standards, so the rules for third-country transfers should provide for good protection. Adequacy decisions are one way for legitimising third-country transfers, but should be improved by including a role for the EDPB and an assessment of the practical application of data protection law in the third country, as well as constant monitoring of any changes. Appropriate safeguards should confer enforceable rights on data subjects and should make sure that the principles of data protection are obeyed.

Amendment

138

Proposal for a regulation Article 41 – paragraph 2 a (new)

Text proposed by the Commission

Amendment

2 a. The Commission shall request the European Data Protection Board to provide an opinion on the adequacy of the level of protection. To this end, the Commission shall provide the European Data Protection Board with all necessary documentation, including correspondence with the government of the third country or the international organisation.

Or. en

Justification

Transfers to third countries should be tightly regulated, as they often do not provide for an appropriate level of protection. This package of amendments provides improved rules for adequacy decisions and appropriate safeguards. It should be clear that while "adequacy" does not mean that the rules are identical, such decisions should still guarantee a high standard of protection. Similarly, appropriate safeguards should not offer loopholes for circumventing data protection standards. With technological process, it has become easier to outsource processing operations to third countries. However, controllers should not be able to use this to avoid European data protection standards, so the rules for third-country transfers should provide for good protection. Adequacy decisions are one way for legitimising third-country transfers, but should be improved by including a role for the EDPB and an assessment of the practical application of data protection law in the third country, as well as constant monitoring of any changes. Appropriate safeguards should confer enforceable rights on data subjects and should make sure that the principles of data protection are obeyed.

Amendment

139

Proposal for a regulation Article 41 – paragraph 2 – point a

Text proposed by the Commission

Amendment

(a) the rule of law, relevant legislation in force, both general and sectoral, including concerning public security, defence, national security and criminal law, the professional rules and security measures which are complied with in that country or by that international organisation, as well as effective and enforceable rights including effective administrative and judicial redress for data subjects, in particular for those data subjects residing in the Union whose personal data are being transferred;

(a) the rule of law, relevant legislation in force, both general and sectoral, including concerning public security, defence, national security and criminal law, as well as the implementation of this legislation, the professional rules and security measures which are complied with in that country or by that international organisation, as well as effective and enforceable rights including effective administrative and judicial redress for data subjects, in particular for those data subjects residing in the Union whose personal data are being transferred;

Or. en

Justification

Transfers to third countries should be tightly regulated, as they often do not provide for an appropriate level of protection. This package of amendments provides improved rules for adequacy decisions and appropriate safeguards. It should be clear that while "adequacy" does not mean that the rules are identical, such decisions should still guarantee a high standard of protection. Similarly, appropriate safeguards should not offer loopholes for circumventing data protection standards. With technological process, it has become easier to outsource processing operations to third countries. However, controllers should not be able to use this to avoid European data protection standards, so the rules for third-country transfers should provide for good protection. Adequacy decisions are one way for legitimising third-country transfers, but should be improved by including a role for the EDPB and an assessment of the practical application of data protection law in the third country, as well as constant monitoring of any changes. Appropriate safeguards should confer enforceable rights on data subjects and should make sure that the principles of data protection are obeyed.

Amendment

140

Proposal for a regulation Article 41 – paragraph 3

Text proposed by the Commission

Amendment

3. The Commission may decide that a third country, or a territory or a processing sector within that third country, or an international organisation ensures an adequate level of protection within the meaning of paragraph 2. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

3. The Commission may decide that a third country, or a territory or a processing sector within that third country, or an international organisation ensures an adequate level of protection within the meaning of paragraph 2, taking the opinion of the European Data Protection Board into utmost account. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

Or. en

Justification

Transfers to third countries should be tightly regulated, as they often do not provide for an appropriate level of protection. This package of amendments provides improved rules for adequacy decisions and appropriate safeguards. It should be clear that while "adequacy" does not mean that the rules are identical, such decisions should still guarantee a high standard of protection. Similarly, appropriate safeguards should not offer loopholes for circumventing data protection standards. With technological process, it has become easier to outsource processing operations to third countries. However, controllers should not be able to use this to avoid European data protection standards, so the rules for third-country transfers should provide for good protection. Adequacy decisions are one way for legitimising third-country transfers, but should be improved by including a role for the EDPB and an assessment of the practical application of data protection law in the third country, as well as constant monitoring of any changes. Appropriate safeguards should confer enforceable rights on data subjects and should make sure that the principles of data protection are obeyed.

Amendment

141

Proposal for a regulation Article 41 – paragraph 4 a (new)

Text proposed by the Commission

Amendment

4 a. The Commission shall, on an ongoing basis, monitor developments that could affect the fulfilment of the elements listed in paragraph 2 in third countries and international organisations concerning which a decision pursuant to paragraph 3 has been adopted.

Or. en

Justification

Transfers to third countries should be tightly regulated, as they often do not provide for an appropriate level of protection. This package of amendments provides improved rules for adequacy decisions and appropriate safeguards. It should be clear that while "adequacy" does not mean that the rules are identical, such decisions should still guarantee a high standard of protection. Similarly, appropriate safeguards should not offer loopholes for circumventing data protection standards. With technological process, it has become easier to outsource processing operations to third countries. However, controllers should not be able to use this to avoid European data protection standards, so the rules for third-country transfers should provide for good protection. Adequacy decisions are one way for legitimising third-country transfers, but should be improved by including a role for the EDPB and an assessment of the practical application of data protection law in the third country, as well as constant monitoring of any changes. Appropriate safeguards should confer enforceable rights on data subjects and should make sure that the principles of data protection are obeyed.

Amendment

142

Proposal for a regulation Article 41 – paragraph 4 b (new)

Text proposed by the Commission

Amendment

4 b. If the Commission has grounds to believe, either because of the monitoring pursuant to paragraph 4a or any other source, that a country or international organisation concerning which a decision pursuant to paragraph 3 has been adopted no longer provides an adequate level of protection within the meaning of paragraph 2, it shall review this decision.

Or. en

Justification

Transfers to third countries should be tightly regulated, as they often do not provide for an appropriate level of protection. This package of amendments provides improved rules for adequacy decisions and appropriate safeguards. It should be clear that while "adequacy" does not mean that the rules are identical, such decisions should still guarantee a high standard of protection. Similarly, appropriate safeguards should not offer loopholes for circumventing data protection standards. With technological process, it has become easier to outsource processing operations to third countries. However, controllers should not be able to use this to avoid European data protection standards, so the rules for third-country transfers should provide for good protection. Adequacy decisions are one way for legitimising third-country transfers, but should be improved by including a role for the EDPB and an assessment of the practical application of data protection law in the third country, as well as constant monitoring of any changes. Appropriate safeguards should confer enforceable rights on data subjects and should make sure that the principles of data protection are obeyed.

Amendment

143

Proposal for a regulation Article 41 – paragraph 6

Text proposed by the Commission

Amendment

6. Where the Commission decides pursuant to paragraph 5, any transfer of personal data to the third country, or a territory or a processing sector within that third country, or the international organisation in question shall be prohibited, without prejudice to Articles 42 to 44. At the appropriate time, the Commission shall enter into consultations with the third country or international organisation with a view to remedying the situation resulting from the Decision made pursuant to paragraph 5 of this Article.

6. Where the Commission decides pursuant to paragraph 5, any transfer of personal data to the third country, or a territory or a processing sector within that third country, or the international organisation in question shall be prohibited, unless it is subject to adequate safeguards pursuant to Articles 42 or falls under the derogations in Article 44. At the appropriate time, the Commission shall enter into consultations with the third country or international organisation with a view to remedying the situation resulting from the Decision made pursuant to paragraph 5 of this Article.

Or. en

Justification

Transfers to third countries should be tightly regulated, as they often do not provide for an appropriate level of protection. This package of amendments provides improved rules for adequacy decisions and appropriate safeguards. It should be clear that while "adequacy" does not mean that the rules are identical, such decisions should still guarantee a high standard of protection. Similarly, appropriate safeguards should not offer loopholes for circumventing data protection standards. With technological process, it has become easier to outsource processing operations to third countries. However, controllers should not be able to use this to avoid European data protection standards, so the rules for third-country transfers should provide for good protection. Adequacy decisions are one way for legitimising third-country transfers, but should be improved by including a role for the EDPB and an assessment of the practical application of data protection law in the third country, as well as constant monitoring of any changes. Appropriate safeguards should confer enforceable rights on data subjects and should make sure that the principles of data protection are obeyed.

Amendment

144

Proposal for a regulation Article 42 – paragraph 1

Text proposed by the Commission

Amendment

1. Where the Commission has taken no decision pursuant to Article 41, a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has adduced appropriate safeguards with respect to the protection of personal data in a legally binding instrument.

1. Where the Commission has taken no decision pursuant to Article 41, a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has adduced appropriate safeguards with respect to the protection of personal data in a legally binding instrument. These safeguards shall, at least, guarantee the observance of the principles of personal data processing as established in Article 5 and guarantee data subject rights as established in Chapter III.

Or. en

Justification

Transfers to third countries should be tightly regulated, as they often do not provide for an appropriate level of protection. This package of amendments provides improved rules for adequacy decisions and appropriate safeguards. It should be clear that while "adequacy" does not mean that the rules are identical, such decisions should still guarantee a high standard of protection. Similarly, appropriate safeguards should not offer loopholes for circumventing data protection standards. With technological process, it has become easier to outsource processing operations to third countries. However, controllers should not be able to use this to avoid European data protection standards, so the rules for third-country transfers should provide for good protection. Adequacy decisions are one way for legitimising third-country transfers, but should be improved by including a role for the EDPB and an assessment of the practical application of data protection law in the third country, as well as constant monitoring of any changes. Appropriate safeguards should confer enforceable rights on data subjects and should make sure that the principles of data protection are obeyed.

Amendment

145

Proposal for a regulation Article 42 – paragraph 3

Text proposed by the Commission

Amendment

3. A transfer based on standard data protection clauses or binding corporate rules as referred to in points (a), (b) or (c) of paragraph 2 shall not require any further authorisation.

deleted

Or. en

Justification

Transfers to third countries should be tightly regulated, as they often do not provide for an appropriate level of protection. This package of amendments provides improved rules for adequacy decisions and appropriate safeguards. It should be clear that while "adequacy" does not mean that the rules are identical, such decisions should still guarantee a high standard of protection. Similarly, appropriate safeguards should not offer loopholes for circumventing data protection standards. With technological process, it has become easier to outsource processing operations to third countries. However, controllers should not be able to use this to avoid European data protection standards, so the rules for third-country transfers should provide for good protection. Adequacy decisions are one way for legitimising third-country transfers, but should be improved by including a role for the EDPB and an assessment of the practical application of data protection law in the third country, as well as constant monitoring of any changes. Appropriate safeguards should confer enforceable rights on data subjects and should make sure that the principles of data protection are obeyed.

Amendment

146

Proposal for a regulation Article 42 – paragraph 4

Text proposed by the Commission

Amendment

4. Where a transfer is based on contractual clauses as referred to in point (d) of paragraph 2 of this Article the controller or processor shall obtain prior authorisation of the contractual clauses according to point (a) of Article 34(1) from the supervisory authority. If the transfer is related to processing activities which concern data subjects in another Member State or other Member States, or substantially affect the free movement of personal data within the Union, the supervisory authority shall apply the consistency mechanism referred to in Article 57.

4. The controller or processor shall obtain prior authorisation of the contractual clauses according to point (a) of Article 34(1) from the supervisory authority for transfers according to this Article. If the transfer is related to processing activities which concern data subjects in another Member State or other Member States, or substantially affect the free movement of personal data within the Union, the supervisory authority shall apply the consistency mechanism referred to in Article 57.

Or. en

Justification

Transfers to third countries should be tightly regulated, as they often do not provide for an appropriate level of protection. This package of amendments provides improved rules for adequacy decisions and appropriate safeguards. It should be clear that while "adequacy" does not mean that the rules are identical, such decisions should still guarantee a high standard of protection. Similarly, appropriate safeguards should not offer loopholes for circumventing data protection standards. With technological progress, it has become easier to outsource processing operations to third countries. However, controllers should not be able to use this to avoid European data protection standards, so the rules for third-country transfers should provide for good protection. Adequacy decisions are one way for legitimising third-country transfers, but should be improved by including a role for the EDPB and an assessment of the practical application of data protection law in the third country, as well as constant monitoring of any changes. Appropriate safeguards should confer enforceable rights on data subjects and should make sure that the principles of data protection are obeyed.

Amendment

147

Proposal for a regulation Article 42 – paragraph 5

Text proposed by the Commission

Amendment

5. Where the appropriate safeguards with respect to the protection of personal data are not provided for in a legally binding instrument, the controller or processor shall obtain prior authorisation for the transfer, or a set of transfers, or for provisions to be inserted into administrative arrangements providing the basis for such transfer. Such authorisation by the supervisory authority shall be in accordance with point (a) of Article 34(1). If the transfer is related to processing activities which concern data subjects in another Member State or other Member States, or substantially affect the free movement of personal data within the Union, the supervisory authority shall apply the consistency mechanism referred to in Article 57. Authorisations by a supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid, until amended, replaced or repealed by that supervisory authority.

5. Authorisations by a supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid, until amended, replaced or repealed by that supervisory authority.

Or. en

Justification

Transfers to third countries should be tightly regulated, as they often do not provide for an appropriate level of protection. This package of amendments provides improved rules for adequacy decisions and appropriate safeguards. It should be clear that while "adequacy" does not mean that the rules are identical, such decisions should still guarantee a high standard of protection. Similarly, appropriate safeguards should not offer loopholes for circumventing data protection standards. With technological progress, it has become easier to outsource processing operations to third countries. However, controllers should not be able to use this to avoid European data protection standards, so the rules for third-country transfers should provide for good protection. Adequacy decisions are one way for legitimising third-country transfers, but should be improved by including a role for the EDPB and an assessment of the practical application of data protection law in the third country, as well as constant monitoring of any changes. Appropriate safeguards should confer enforceable rights on data subjects and should make sure that the principles of data protection are obeyed.

Amendment

148

Proposal for a regulation Article 43 – paragraph 1 – point b

Text proposed by the Commission

Amendment

(b) expressly confer enforceable rights on data subjects;

(b) expressly confer enforceable rights on data subjects and are transparent for data subjects;

Or. en

Justification

Transfers to third countries should be tightly regulated, as they often do not provide for an appropriate level of protection. This package of amendments provides improved rules for adequacy decisions and appropriate safeguards. It should be clear that while "adequacy" does not mean that the rules are identical, such decisions should still guarantee a high standard of protection. Similarly, appropriate safeguards should not offer loopholes for circumventing data protection standards. With technological progress, it has become easier to outsource processing operations to third countries. However, controllers should not be able to use this to avoid European data protection standards, so the rules for third-country transfers should provide for good protection. Adequacy decisions are one way for legitimising third-country transfers, but should be improved by including a role for the EDPB and an assessment of the practical application of data protection law in the third country, as well as constant monitoring of any changes. Appropriate safeguards should confer enforceable rights on data subjects and should make sure that the principles of data protection are obeyed.

Amendment

149

Proposal for a regulation Article 43 – paragraph 2 – point d

Text proposed by the Commission

Amendment

(d) the general data protection principles, in particular purpose limitation, data quality, legal basis for the processing, processing of sensitive personal data; measures to ensure data security; and the requirements for onward transfers to organisations which are not bound by the policies;

(d) the general data protection principles, in particular purpose limitation, data minimisation, limited retention periods, data quality, legal basis for the processing, processing of sensitive personal data; measures to ensure data security; and the requirements for onward transfers to organisations which are not bound by the policies;

Or. en

Justification

Transfers to third countries should be tightly regulated, as they often do not provide for an appropriate level of protection. This package of amendments provides improved rules for adequacy decisions and appropriate safeguards. It should be clear that while "adequacy" does not mean that the rules are identical, such decisions should still guarantee a high standard of protection. Similarly, appropriate safeguards should not offer loopholes for circumventing data protection standards. With technological progress, it has become easier to outsource processing operations to third countries. However, controllers should not be able to use this to avoid European data protection standards, so the rules for third-country transfers should provide for good protection. Adequacy decisions are one way for legitimising third-country transfers, but should be improved by including a role for the EDPB and an assessment of the practical application of data protection law in the third country, as well as constant monitoring of any changes. Appropriate safeguards should confer enforceable rights on data subjects and should make sure that the principles of data protection are obeyed.

Amendment

150

Proposal for a regulation Article 43 – paragraph 3

Text proposed by the Commission

Amendment

3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for binding corporate rules within the meaning of this Article, in particular as regards the criteria for their approval, the application of points (b), (d), (e) and (f) of paragraph 2 to binding corporate rules adhered to by processors and on further necessary requirements to ensure the protection of personal data of the data subjects concerned.

3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for binding corporate rules within the meaning of this Article, in particular as regards the criteria for their approval, including transparency for data subjects, the application of points (b), (d), (e) and (f) of paragraph 2 to binding corporate rules adhered to by processors and on further necessary requirements to ensure the protection of personal data of the data subjects concerned.

Or. en

Justification

Transfers to third countries should be tightly regulated, as they often do not provide for an appropriate level of protection. This package of amendments provides improved rules for adequacy decisions and appropriate safeguards. It should be clear that while "adequacy" does not mean that the rules are identical, such decisions should still guarantee a high standard of protection. Similarly, appropriate safeguards should not offer loopholes for circumventing data protection standards. With technological progress, it has become easier to outsource processing operations to third countries. However, controllers should not be able to use this to avoid European data protection standards, so the rules for third-country transfers should provide for good protection. Adequacy decisions are one way for legitimising third-country transfers, but should be improved by including a role for the EDPB and an assessment of the practical application of data protection law in the third country, as well as constant monitoring of any changes. Appropriate safeguards should confer enforceable rights on data subjects and should make sure that the principles of data protection are obeyed.

Amendment

151

Proposal for a regulation Article 44 a (new)

Text proposed by the Commission

Amendment

Article 44 a

Disclosures not authorised by Union law

1. No judgment of a court or tribunal and no decision of an administrative authority of a third country requiring a controller or processor to disclose personal data shall be recognised or be enforceable in any manner, without prejudice to a mutual assistance treaty or an international agreement in force between the requesting third country and the Union or a Member State.

2. Where a judgment of a court or tribunal or a decision of an administrative authority of a third country requests a controller or processor to disclose personal data, the controller or processor and, if any, the controller's representative, shall notify the supervisory authority of the request without undue delay and must obtain prior authorisation for the transfer by the supervisory authority in accordance with point (d) of Article 34(1).

3. The supervisory authority shall assess the compliance of the requested disclosure with the Regulation and in particular whether the disclosure is necessary and legally required in accordance with points (d) and (e) of paragraph 1 and paragraph 5 of Article 44.

4. The supervisory authority shall inform the competent national authority of the request. The controller or processor shall also inform the data subject of the request and of the authorisation by the supervisory authority.

5. The Commission may lay down the standard format of the notifications to the supervisory authority referred to in paragraph 2 and the information of the data subject referred to in paragraph 4 as well as the procedures applicable to the notification and information. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

Or. en

Justification

The text of this amendment comes from a leaked interservice consultation draft. It protects against third countries wanting to enforce their laws extra-territorially. This protection is needed because some third countries have laws forcing controllers to disclose personal data without proper safeguards. Third-country authorities may only have access to personal data held by European controllers through the procedures for mutual legal assistance.

Amendment

152

Proposal for a regulation Article 44 – paragraph 1 – point g

Text proposed by the Commission

Amendment

(g) the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the extent that the conditions laid down in Union or Member State law for consultation are fulfilled in the particular case; or

(g) the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the extent that the conditions laid down in Union or Member State law for consultation are fulfilled in the particular case and the controller or processor has obtained prior authorisation for the transfer or set of transfers by the supervisory authority in accordance with Article 34.

Or. en

Amendment

153

Proposal for a regulation Article 44 – paragraph 1 – point h

Text proposed by the Commission

Amendment

(h) the transfer is necessary for the purposes of the legitimate interests pursued by the controller or the processor, which cannot be qualified as frequent or massive, and where the controller or processor has assessed all the circumstances surrounding the data transfer operation or the set of data transfer operations and based on this assessment adduced appropriate safeguards with respect to the protection of personal data, where necessary.

deleted

Or. en

Amendment

154

Proposal for a regulation Article 44 – paragraph 3

Text proposed by the Commission

Amendment

3. Where the processing is based on point (h) of paragraph 1, the controller or processor shall give particular consideration to the nature of the data, the purpose and duration of the proposed processing operation or operations, as well as the situation in the country of origin, the third country and the country of final destination, and adduced appropriate safeguards with respect to the protection of personal data, where necessary.

deleted

Or. en

Amendment

155

Proposal for a regulation Article 44 – paragraph 4

Text proposed by the Commission

Amendment

4. Points (b), (c) and (h) of paragraph 1 shall not apply to activities carried out by public authorities in the exercise of their public powers.

4. Points (b) and (c) of paragraph 1 shall not apply to activities carried out by public authorities in the exercise of their public powers.

Or. en

Amendment

156

Proposal for a regulation Article 44 – paragraph 5

Text proposed by the Commission

Amendment

5. The public interest referred to in point (d) of paragraph 1 must be recognised in Union law or in the law of the Member State to which the controller is subject.

5. The public interest referred to in point (d) of paragraph 1 must be recognised in Union law or in the law of the Member State to which the controller is subject. This derogation shall only be used for occasional transfers. In each and every case, a careful assessment of all circumstances of the transfer needs to be carried out.

Or. en

Amendment

157

Proposal for a regulation Article 44 – paragraph 6

Text proposed by the Commission

Amendment

6. The controller or processor shall document the assessment as well as the appropriate safeguards adduced referred to in point (h) of paragraph 1 of this Article in the documentation referred to in Article 28 and shall inform the supervisory authority of the transfer.

deleted

Or. en

Amendment

158

Proposal for a regulation Article 48 – paragraph 1

Text proposed by the Commission

Amendment

1. Member States shall provide that the members of the supervisory authority must be appointed either by the parliament or the government of the Member State concerned.

1. Member States shall provide that the members of the supervisory authority must be appointed by the parliament of the Member State concerned.

Or. en

Justification

Strong, independent supervisory authorities are one of the necessary conditions for effective data protection. They should be free from external influence, as confirmed by the ECJ (C-518/07 and C-614/10), and should have the necessary resources – financial and human – to ensure enforcement of data protection legislation. These changes aim to provide supervisory authorities with the independence and resources they need to effectively protect the fundamental right to data protection. Supervisory authorities are needed to ensure enforcement of data protection legislation. As Article 16(2) TFEU states, they shall be independent in the exercise of their duties. Experience with the current framework has shown that this level of independence is not always provided in practice. It should be noted that this should not only be seen as referring to interference by Member States, but also by the Commission. Independence on paper alone is not enough; supervisory authorities also need the means to put their powers into action. This implies a need for appropriate resources and skilled staff, including staff with technical expertise. From the perspective of ensuring full political independence of DPAs, it would be advisable to introduce an explicit clause in the Regulation that would forbid the appointment of members of the supervisory authority by the government. National parliaments should be the only political bodies allowed to appoint DPAs due to their representative nature. This can further help to remove DPAs from political pressure.

Amendment

159

Proposal for a regulation Article 52 – paragraph 1 – point j a (new)

Text proposed by the Commission

Amendment

(j a) develop guidelines on the use of enforcement powers, where necessary coordinated at the level of the European Data Protection Board.

Or. en

Justification

Strong, independent supervisory authorities are one of the necessary conditions for effective data protection. They should be free from external influence, as confirmed by the ECJ (C-518/07 and C-614/10), and should have the necessary resources – financial and human – to ensure enforcement of data protection legislation. These changes aim to provide supervisory authorities with the independence and resources they need to effectively protect the fundamental right to data protection. Supervisory authorities are needed to ensure enforcement of data protection legislation. As Article 16(2) TFEU states, they shall be independent in the exercise of their duties. Experience with the current framework has shown that this level of independence is not always provided in practice. It should be noted that this should not only be seen as referring to interference by Member States, but also by the Commission. Independence on paper alone is not enough; supervisory authorities also need the means to put their powers into action. This implies a need for appropriate resources and skilled staff, including staff with technical expertise.

Amendment

160

Proposal for a regulation Article 56 – paragraph 2

Text proposed by the Commission

Amendment

2. In cases where data subjects in several Member States are likely to be affected by processing operations, a supervisory authority of each of those Member States shall have the right to participate in the joint investigative tasks or joint operations, as appropriate. The competent supervisory authority shall invite the supervisory authority of each of those Member States to take part in the respective joint investigative tasks or joint operations and respond to the request of a supervisory authority to participate in the operations without delay.

2. In cases where data subjects in several Member States are likely to be affected by processing operations, a supervisory authority of each of those Member States shall participate in the joint investigative tasks or joint operations, as appropriate. The competent supervisory authority shall invite the supervisory authority of each of those Member States to take part in the respective joint investigative tasks or joint operations and respond to the request of a supervisory authority to participate in the operations without delay.

Or. en

Justification

Strengthening the obligation of DPAs to cooperate with their peers in cross-border cases can help to ensure that smaller DPAs are not excessively burdened by cases where large companies fall under their jurisdiction. In addition, it would help to prevent the danger of forum shopping when it comes to the enforcement of the new data protection standards, i.e. choosing the place of establishment for the sake of being under the authority of a DPA that does not have the capacity to undertake large-scale investigations on its own.

Amendment

161

Proposal for a regulation Article 58 – paragraph 2 – point f a (new)

Text proposed by the Commission

Amendment

(f a) permits processing for research purposes in accordance with Article 81(3) and/or Article 83(3).

Or. en

Justification

Strong, independent supervisory authorities are one of the necessary conditions for effective data protection. They should be free from external influence, as confirmed by the ECJ (C-518/07 and C-614/10), and should have the necessary resources – financial and human – to ensure enforcement of data protection legislation. These changes aim to provide supervisory authorities with the independence and resources they need to effectively protect the fundamental right to data protection. Supervisory authorities are needed to ensure enforcement of data protection legislation. As Article 16(2) TFEU states, they shall be independent in the exercise of their duties. Experience with the current framework has shown that this level of independence is not always provided in practice. It should be noted that this should not only be seen as referring to interference by Member States, but also by the Commission. Independence on paper alone is not enough; supervisory authorities also need the means to put their powers into action. This implies a need for appropriate resources and skilled staff, including staff with technical expertise.

Amendment

162

Proposal for a regulation Article 58 – paragraph 6

Text proposed by the Commission

Amendment

6. The chair of the European Data Protection Board shall immediately electronically inform the members of the European Data Protection Board and the Commission of any relevant information which has been communicated to it, using a standardised format. The chair of the European Data Protection Board shall provide translations of relevant information, where necessary.

6. The chair of the European Data Protection Board shall without undue delay electronically inform the members of the European Data Protection Board and the Commission of any relevant information which has been communicated to it, using a standardised format. The chair of the European Data Protection Board shall provide translations of relevant information, where necessary.

Or. en

Amendment

163

Proposal for a regulation Article 58 – paragraph 7

Text proposed by the Commission

Amendment

7. The European Data Protection Board shall issue an opinion on the matter, if the European Data Protection Board so decides by simple majority of its members or any supervisory authority or the Commission so requests within one week after the relevant information has been provided according to paragraph 5. The opinion shall be adopted within one month by simple majority of the members of the European Data Protection Board. The chair of the European Data Protection Board shall inform, without undue delay, the supervisory authority referred to, as the case may be, in paragraphs 1 and 3, the Commission and the supervisory authority competent under Article 51 of the opinion and make it public.

7. The European Data Protection Board shall issue an opinion on the matter, if the European Data Protection Board so decides by simple majority of its members or any supervisory authority or the Commission so requests within one week after the relevant information has been provided according to paragraph 5. The opinion shall be adopted within two months by simple majority of the members of the European Data Protection Board. The chair of the European Data Protection Board shall inform, without undue delay, the supervisory authority referred to, as the case may be, in paragraphs 1 and 3, the Commission and the supervisory authority competent under Article 51 of the opinion and make it public.

Or. en

Amendment

164

Proposal for a regulation Article 59 – paragraph 2

Text proposed by the Commission

Amendment

2. Where the Commission has adopted an opinion in accordance with paragraph 1, the supervisory authority concerned shall take utmost account of the Commission's opinion and inform the Commission and the European Data Protection Board whether it intends to maintain or amend its draft measure.

2. Where the Commission has adopted an opinion in accordance with paragraph 1, the supervisory authority concerned shall take account of the Commission's opinion and inform the Commission and the European Data Protection Board whether it intends to maintain or amend its draft measure.

Or. en

Justification

The Commission proposal gives the Commission the power to exert significant pressure on DPAs to comply with its recommendations. In order to limit political influence on DPAs, this should either be deleted or rephrased to the effect that opinions issued by the Commission are treated in the same way as any other opinions received by DPAs in the course of their work.

Amendment

165

Proposal for a regulation Article 62 – paragraph 1 – subparagraph 1 – point a

Text proposed by the Commission

Amendment

(a) deciding on the correct application of this Regulation in accordance with its objectives and requirements in relation to matters communicated by supervisory authorities pursuant to Article 58 or 61, concerning a matter in relation to which a reasoned decision has been adopted pursuant to Article 60(1), or concerning a matter in relation to which a supervisory authority does not submit a draft measure and that supervisory authority has indicated that it does not intend to follow the opinion of the Commission adopted pursuant to Article 59;

deleted

Or. en

Justification

Strong, independent supervisory authorities are one of the necessary conditions for effective data protection. They should be free from external influence, as confirmed by the ECJ (C-518/07 and C-614/10), and should have the necessary resources – financial and human – to ensure enforcement of data protection legislation. These changes aim to provide supervisory authorities with the independence and resources they need to effectively protect the fundamental right to data protection. Supervisory authorities are needed to ensure enforcement of data protection legislation. As Article 16(2) TFEU states, they shall be independent in the exercise of their duties. Experience with the current framework has shown that this level of independence is not always provided in practice. It should be noted that this should not only be seen as referring to interference by Member States, but also by the Commission. Independence on paper alone is not enough; supervisory authorities also need the means to put their powers into action. This implies a need for appropriate resources and skilled staff, including staff with technical expertise. The Commission proposal would in fact allow the Commission to overrule any opinion of the EDPB. This would be a breach of the independence of the DPAs, as it would allow the Commission to decide on the application of the regulation in specific cases. See also the EDPS opinion, pt. 248.

Amendment

166

Proposal for a regulation Article 66 – paragraph 1 – point a

Text proposed by the Commission

Amendment

(a) advise the Commission on any issue related to the protection of personal data in the Union, including on any proposed amendment of this Regulation;

(a) advise the European Institutions on any issue related to the protection of personal data in the Union, including on any proposed amendment of this Regulation;

Or. en

Amendment

167

Proposal for a regulation Article 66 – paragraph 1 – point e

Text proposed by the Commission

Amendment

(e) promote the co-operation and the effective bilateral and multilateral exchange of information and practices between the supervisory authorities;

(e) promote the co-operation and the effective bilateral and multilateral exchange of information and practices between the supervisory authorities, including the coordination of joint operations and other common activities, where it so decides upon request of one or several supervisory authorities;

Or. en

Amendment

168

Proposal for a regulation Article 66 – paragraph 1 – point g a (new)

Text proposed by the Commission

Amendment

(g a) issue opinions on measures notified to it under Article 21(4).

Or. en

Amendment

169

Proposal for a regulation Article 69 – paragraph 1

Text proposed by the Commission

Amendment

1. The European Data Protection Board shall elect a chair and two deputy chairpersons from amongst its members. One deputy chairperson shall be the European Data Protection Supervisor, unless he or she has been elected chair.

1. The European Data Protection Board shall elect a chair and two deputy chairpersons from amongst its members. One deputy chairperson shall be the European Data Protection Supervisor, unless he or she has been elected chair.

2. The term of office of the chair and of the deputy chairpersons shall be four years and be renewable. Their terms shall end when their service as head of a supervisory authority of a Member State ends.

Or. en

Justification

Article 49(d) specifies only a minimum term length of four years for members of national DPAs. This will make it unlikely that all Member States adopt term lengths of five years or more, so mandating a term length that exceeds the length at national level would make it unlikely for members to serve out a full term. Similarly, it should be clarified that the terms of EDPB chairs are tied to their function at the national level.


Amendment

170

Proposal for a regulation Article 73 – paragraph 3

Text proposed by the Commission

Amendment

3. Independently of a data subject's complaint, any body, organisation or association referred to in paragraph 2 shall have the right to lodge a complaint with a supervisory authority in any Member State, if it considers that a personal data breach has occurred.

3. Independently of a data subject's complaint, any body, organisation or association referred to in paragraph 2 shall have the right to lodge a complaint with a supervisory authority in any Member State, if it considers that a personal data breach has occurred or when it considers that a controller has breached its obligations under Article 23.

Or. en

Amendment

171

Proposal for a regulation Article 75 – paragraph 2

Text proposed by the Commission

Amendment

2. Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has its habitual residence, unless the controller is a public authority acting in the exercise of its public powers.

2. Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has its habitual residence, unless the controller is a public authority of a Member State acting in the exercise of its public powers.

Or. en

Amendment

172

Proposal for a regulation Article 76 – paragraph 1

Text proposed by the Commission

Amendment

1. Any body, organisation or association referred to in Article 73(2) shall have the right to exercise the rights referred to in Articles 74 and 75 on behalf of one or more data subjects.

1. Any body, organisation or association referred to in Article 73(2) shall have the right to exercise the rights referred to in Articles 74, 75 and 77 on behalf of one or more data subjects.

Or. en

Amendment

173

Proposal for a regulation Article 77 – paragraph 1

Text proposed by the Commission

Amendment

1. Any person who has suffered damage as a result of an unlawful processing operation or of an action incompatible with this Regulation shall have the right to receive compensation from the controller or the processor for the damage suffered.

1. Any person who has suffered monetary damage or non-monetary damages such as distress or time loss as a result of an unlawful processing operation or of an action incompatible with this Regulation shall have the right to receive compensation from the controller or the processor for the damage suffered.

Or. en

Amendment

174

Proposal for a regulation Article 77 – paragraph 2

Text proposed by the Commission

Amendment

2. Where more than one controller or processor is involved in the processing, each controller or processor shall be jointly and severally liable for the entire amount of the damage.

2. Where more than one controller or processor is involved in the processing, each controller or processor shall be jointly and severally liable for the entire amount of the damage. In the case of a group of undertakings, the entire group shall be liable as a single economic entity.

Or. en

Amendment

175

Proposal for a regulation Article 80 a (new)


Text proposed by the Commission

Amendment

Article 80 a

Processing of personal data and the principle of public access to official documents

Personal data in documents held by a public authority or a public body may be disclosed by this authority or body in accordance with Member State legislation regarding public access to official documents, which reconciles the right to the protection of personal data with the principle of public access to official documents.

Or. en

Justification

It is essential to ensure that public oversight of public affairs is not unduly hampered by data protection rules. As expressed in opinions by the EDPS, the Article 29 Working Party and the FRA, the principle of public access to official documents should therefore be guaranteed.

Amendment

176

Proposal for a regulation Article 80 – paragraph 1

Text proposed by the Commission

Amendment

1. Member States shall provide for exemptions or derogations from the provisions on the general principles in Chapter II, the rights of the data subject in Chapter III, on controller and processor in Chapter IV, on the transfer of personal data to third countries and international organisations in Chapter V, the independent supervisory authorities in Chapter VI and on co-operation and consistency in Chapter VII for the processing of personal data carried out solely for journalistic purposes or the purpose of artistic or literary expression in order to reconcile the right to the protection of personal data with the rules governing freedom of expression.

1. Member States shall provide for exemptions or derogations from the provisions on the general principles in Chapter II, the rights of the data subject in Chapter III, on controller and processor in Chapter IV, on the transfer of personal data to third countries and international organisations in Chapter V, the independent supervisory authorities in Chapter VI and on co-operation and consistency in Chapter VII whenever this is necessary in order to reconcile the right to the protection of personal data with the rules governing freedom of expression.

Or. en

Amendment

177

Proposal for a regulation Article 80 – paragraph 1 a (new)

Text proposed by the Commission

Amendment

1 a. The European Data Protection Board shall issue guidance on when such exemptions or derogations may be necessary, after consultation with representatives of the press, authors and artists, data subjects and relevant civil society organisations.

Or. en

Amendment

178

Proposal for a regulation Article 81 – paragraph 1 – introductory part

Text proposed by the Commission

Amendment

1. Within the limits of this Regulation and in accordance with point (h) of Article 9(2), processing of personal data concerning health must be on the basis of Union law or Member State law which shall provide for suitable and specific measures to safeguard the data subject's legitimate interests, and be necessary for:

1. Without prejudice to this Regulation and in accordance with point (h) of Article 9(2), processing of personal data concerning health must be on the basis of Union law or Member State law which shall provide for suitable and specific measures to safeguard the data subject's legitimate interests, and be necessary for:

Or. en

Amendment

179

Proposal for a regulation Article 81 – paragraph 1 a (new)

Text proposed by the Commission

Amendment


1 a. When the purposes mentioned in points (a) – (c), above, can be achieved without the use of personal data, such data shall not be used for those purposes.

Or. en

Amendment

180

Proposal for a regulation Article 82 – paragraph 1

Text proposed by the Commission

Amendment

1. Within the limits of this Regulation, Member States may adopt by law specific rules regulating the processing of employees' personal data in the employment context, in particular for the purposes of the recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organisation of work, health and safety at work, and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship.

1. Without prejudice to this Regulation, Member States may adopt by law specific rules regulating the processing of employees' personal data in the employment context, in particular for the purposes of the recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organisation of work, health and safety at work, and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship.

Or. en

Amendment

181

Proposal for a regulation Article 83 – paragraph 1 – introductory part

Text proposed by the Commission

Amendment

1. Within the limits of this Regulation, personal data may be processed for historical, statistical or scientific research purposes only if:

1. Within the limits of this Regulation, personal data not falling within the categories of data covered by Articles 8 and 9 of the Regulation may be processed for historical, statistical or scientific research purposes only if:

Or. en

Amendment

182

Proposal for a regulation Article 83 – paragraph 1 a (new)

Text proposed by the Commission

Amendment

1 a. Subject only to the exception in paragraph (3), data falling within the categories of data covered by Articles 8 and 9 of the Regulation may be processed for historical, statistical or scientific research only with the consent of the data subjects, given in accordance with Article 4(8).

Or. en

Amendment

183

Proposal for a regulation Article 83 – paragraph 1 b (new)

Text proposed by the Commission

Amendment

1 b. Member States may by law provide for exceptions to the requirement of consent for research, stipulated in paragraph (2), with regard to research that serves exceptionally high public interests, if that research cannot possibly be carried out otherwise. The data in question shall be anonymised or pseudonymised to the highest possible standards, and all possible measures shall be taken to prevent re-identification of the data subjects. Such processing shall be subject to prior authorisation of the relevant national supervisory authority or authorities, in accordance with Article 34(1) of this Regulation, and to the Consistency Mechanism provided for in Chapter VII, Section 2, of this Regulation.


Or. en

Amendment

184

Proposal for a regulation Article 83 – paragraph 2 – introductory part

Text proposed by the Commission

Amendment

2. Bodies conducting historical, statistical or scientific research may publish or otherwise publicly disclose personal data only if:

2. Bodies conducting historical, statistical or scientific research may publish or otherwise publicly disclose personal data only with the consent of the data subjects, given in accordance with Article 4(8).

Or. en

Amendment

185

Proposal for a regulation Article 84 – paragraph 1

Text proposed by the Commission

Amendment

1. Within the limits of this Regulation, Member States may adopt specific rules to set out the investigative powers by the supervisory authorities laid down in Article 53(2) in relation to controllers or processors that are subjects under national law or rules established by national competent bodies to an obligation of professional secrecy or other equivalent obligations of secrecy, where this is necessary and proportionate to reconcile the right of the protection of personal data with the obligation of secrecy. These rules shall only apply with regard to personal data which the controller or processor has received from or has obtained in an activity covered by this obligation of secrecy.

1. Without prejudice to this Regulation, Member States may adopt specific rules to set out the investigative powers by the supervisory authorities laid down in Article 53(2) in relation to controllers or processors that are subjects under national law or rules established by national competent bodies to an obligation of professional secrecy or other equivalent obligations of secrecy, where this is necessary and proportionate to reconcile the right of the protection of personal data with the obligation of secrecy. These rules shall only apply with regard to personal data which the controller or processor has received from or has obtained in an activity covered by this obligation of secrecy.

Or. en


Amendment

186

Proposal for a regulation Article 85 – paragraph 2

Text proposed by the Commission

Amendment

2. Churches and religious associations which apply comprehensive rules in accordance with paragraph 1 shall provide for the establishment of an independent supervisory authority in accordance with Chapter VI of this Regulation.

2. Churches and religious associations which apply comprehensive rules in accordance with paragraph 1 shall be subject to supervision by an independent supervisory authority in accordance with Chapter VI of this Regulation.

Or. en


Document Info

  • Language: en
  • Created: December 12, 2012 9:26 AM
  • Pages: 122
  • Encrypted: No
  • Dimensions: 595 × 842
  • Filesize: 561.93 KB
  • SHA1 Hash: a46a50ce759a977e2f60705dfb1bc7d9dc151857