Topics: General Data Protection Regulation
Organisations: BOF

Comparison COM-proposal vs. Rapporteur vs. Bits of Freedom

Amendment 12 Proposal for a regulation Recital 20

Text proposed by the Commission

Amendment

(20) In order to ensure that individuals are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects residing in the Union by a controller not established in the Union should be subject to this Regulation where the processing activities are related to the offering of goods or services to such data subjects, or to the monitoring of the behaviour of such data subjects.

(20) In order to ensure that individuals are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects residing in the Union by a controller not established in the Union should be subject to this Regulation where the processing activities are related to the offering of goods or services, including services offered free of charge, to such data subjects, or to the monitoring of such data subjects.

Bits of Freedom

In order to ensure that individuals are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects residing in the Union by a controller not established in the Union should be subject to this Regulation where the processing activities are related to the offering of goods or services, including services offered free of charge, to such data subjects, or to the monitoring of the behaviour of such data subjects.

Amendment 13 Proposal for a regulation Recital 21

Text proposed by the Commission

Amendment

(21) In order to determine whether a processing activity can be considered to ‘monitor the behaviour’ of data subjects, it should be ascertained whether individuals are tracked on the internet with data processing techniques which consist of applying a ‘profile’ to an individual, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.

(21) In order to determine whether a processing activity can be considered to ‘monitor’ data subjects, it should be ascertained whether individuals are tracked on the internet or through other means, or if other data about them is collected, including from public registers and announcements in the Union that are accessible from outside of the Union, including with the intention to use, or potential of subsequent use of data processing techniques which consist of applying a ‘profile’, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.

Bits of Freedom

In order to determine whether a processing activity can be considered to ‘monitor the behaviour’ of data subjects, it should be ascertained whether individuals are tracked with the intention to use, or potential of subsequent use of data processing techniques which consist of applying a profile, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.

Amendment 14 Proposal for a regulation Recital 23

Text proposed by the Commission

Amendment

(23) The principles of protection should apply to any information concerning an identified or identifiable person. To determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the individual. The principles of data protection should not apply to data rendered anonymous in such a way that the data subject is no longer identifiable.

(23) The principles of protection should apply to any information concerning an identified or identifiable person. To determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the individual. This Regulation should not apply to anonymous data, meaning any data that can not be related, directly or indirectly, alone or in combination with associated data, to a natural person or where establishing such a relation would require a disproportionate amount of time, expense, and effort, taking into account the state of the art in technology at the time of the processing and the possibilities for development during the period for which the data will be processed.

Bits of Freedom

The principles of protection should apply to any information concerning an identified or identifiable person. To determine whether a person is identifiable, account should be taken of all the means likely to be used either by the controller or by any other person to identify the individual. The principles of data protection should not apply to data rendered anonymous in such a way that the data subject is no longer identifiable, taking full account of the technological “state of the art” and technological trends.

Amendment 15 Proposal for a regulation Recital 24

Text proposed by the Commission

Amendment

(24) When using online services, individuals may be associated with online identifiers provided by their devices, applications, tools and protocols, such as Internet Protocol addresses or cookie identifiers. This may leave traces which, combined with unique identifiers and other information received by the servers, may be used to create profiles of the individuals and identify them. It follows that identification numbers, location data, online identifiers or other specific factors as such need not necessarily be considered as personal data in all circumstances.

(24) When using online services, individuals may be associated with one or more online identifiers provided by their devices, applications, tools and protocols, such as Internet Protocol addresses, cookie identifiers and other unique identifiers. Since such identifiers leave traces and can be used to single out natural persons, this Regulation should be applicable to processing involving such data, unless those identifiers demonstrably do not relate to natural persons, such as for example the IP addresses used by companies, which cannot be considered as 'personal data' as defined in this Regulation.

Bits of Freedom

When using online services, individuals may be associated with one or more online identifiers provided by their devices, applications, tools and protocols, such as Internet Protocol addresses, cookie identifiers and other unique identifiers. Since these identifiers leave traces and can be used to single out natural persons, this Regulation should be applicable to processing involving such data, unless these identifiers demonstrably do not relate to natural persons, such as for example the IP addresses used by companies, which cannot be considered as 'personal data' as defined in article 4(2).

Amendment 18 Proposal for a regulation Recital 32

Text proposed by the Commission

Amendment

(32) Where processing is based on the data subject's consent, the controller should have the burden of proving that the data subject has given the consent to the processing operation. In particular in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware that and to what extent consent is given.

(32) Where processing is based on the data subject’s consent, the controller should have the burden of proving that the data subject has given the consent to the processing operation. In particular in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware that and to what extent consent is given. To comply with the principle of data minimisation, the burden of proof should not be understood as requiring the positive identification of data subjects unless necessary.

Bits of Freedom

Where processing is based on the data subject’s consent, the controller should have the burden of proving that the data subject has given the consent to the processing operation. In particular in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware that and to what extent consent is given. To comply with the principle of data minimisation, this burden of proof should not be understood as requiring positive identification of data subjects, unless necessary.

Amendment 20 Proposal for a regulation Recital 34

Text proposed by the Commission

Amendment

(34) Consent should not provide a valid legal ground for the processing of personal data, where there is a clear imbalance between the data subject and the controller. This is especially the case where the data subject is in a situation of dependence from the controller, among others, where personal data are processed by the employer of employees' personal data in the employment context. Where the controller is a public authority, there would be an imbalance only in the specific data processing operations where the public authority can impose an obligation by virtue of its relevant public powers and the consent cannot be deemed as freely given, taking into account the interest of the data subject.

(34) Consent should not provide a valid legal ground for the processing of personal data, where there is a clear imbalance between the data subject and the controller. This is especially the case where the data subject is in a situation of dependence from the controller, among others, where personal data are processed by the employer of employees' personal data in the employment context, where the processor or controller is in a dominant market position with respect to the products or services offered to the data subject or where a unilateral and nonessential change in terms of service gives a data subject no option other than to accept the change or abandon an online resource in which they have invested significant time. Where the controller is a public authority, there would be an imbalance only in the specific data processing operations where the public authority can impose an obligation by virtue of its relevant public powers and the consent cannot be deemed as freely given, taking into account the interest of the data subject.

Bits of Freedom

Consent should not provide a valid legal ground for the processing of personal data, where there is a clear imbalance between the data subject and the controller. This is especially the case where the data subject is in a situation of dependence from the controller, among others, where personal data are processed by the employer of employees' personal data in the employment context or where a controller has substantial market power with respect to certain products or services and where these products or services are offered on condition of consent to the processing of personal data, or where a unilateral and non-essential change in terms of service gives a data subject no realistic option other than to accept the change or abandon an online resource in which they have invested significant time. Where the controller is a public authority, there would be an imbalance only in the specific data processing operations where the public authority can impose an obligation by virtue of its relevant public powers and the consent cannot be deemed as freely given, taking into account the interest of the data subject.

Amendment 30 Proposal for a regulation Recital 47

Text proposed by the Commission

Amendment

(47) Modalities should be provided for facilitating the data subject’s exercise of their rights provided by this Regulation, including mechanisms to request, free of charge, in particular access to data, rectification, erasure and to exercise the right to object. The controller should be obliged to respond to requests of the data subject within a fixed deadline and give reasons, in case he does not comply with the data subject's request.

(47) Modalities should be provided for facilitating the data subject’s exercise of their rights provided by this Regulation, including mechanisms to obtain free of charge, in particular access to data, rectification, erasure and to exercise the right to object. The controller should be obliged to respond to requests of the data subject within a fixed deadline and give reasons, in case he cannot comply with the data subject’s request.

Bits of Freedom

Modalities should be provided for facilitating the data subject’s exercise of their rights provided by this Regulation, including mechanisms to obtain, free of charge, in particular access to data, rectification, erasure and to exercise the right to object. The controller should be obliged to respond to requests of the data subject within a fixed deadline and give reasons, in case he cannot comply with the data subject’s request.

Amendment 31 Proposal for a regulation Recital 50

Text proposed by the Commission

Amendment

(50) However, it is not necessary to impose this obligation where the data subject already disposes of this information, or where the recording or disclosure of the data is expressly laid down by law, or where the provision of information to the data subject proves impossible or would involve disproportionate efforts. The latter could be particularly the case where processing is for historical, statistical or scientific research purposes; in this regard, the number of data subjects, the age of the data, and any compensatory measures adopted may be taken into consideration.

(50) However, it is not necessary to impose this obligation where the data subject already disposes of this information, or where the recording or disclosure of the data is expressly laid down by law, or where the provision of information to the data subject proves impossible or would involve disproportionate efforts.

Bits of Freedom

However, it is not necessary to impose this obligation where the data subject already disposes of this information, or where the recording or disclosure of the data is expressly laid down by law, or where the provision of information to the data subject proves impossible or would involve disproportionate efforts.

Amendment 32 Proposal for a regulation Recital 51

Text proposed by the Commission

Amendment

(51) Any person should have the right of access to data which has been collected concerning them, and to exercise this right easily, in order to be aware and verify the lawfulness of the processing. Every data subject should therefore have the right to know and obtain communication in particular for what purposes the data are processed, for what period, which recipients receive the data, what is the logic of the data that are undergoing the processing and what might be, at least when based on profiling, the consequences of such processing. This right should not adversely affect the rights and freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software. However, the result of these considerations should not be that all information is refused to the data subject.

(51) Any person should have the right of access to data which has been collected concerning them, and to exercise this right easily, in order to be aware and verify the lawfulness of the processing. Every data subject should therefore have the right to know and obtain communication in particular for what purposes the data are processed, for what period, which recipients receive the data, what is the logic of the data that are undergoing the processing and what might be, at least when based on profiling, the consequences of such processing. This right should not adversely affect the rights and freedoms of others, including trade secrets or intellectual property, such as in relation to the copyright protecting the software. However, the result of these considerations should not be that all information is refused to the data subject.

Bits of Freedom

Any person should have the right of access to data which has been collected concerning them, and to exercise this right easily, in order to be aware and verify the lawfulness of the processing. Every data subject should therefore have the right to know and obtain communication in particular for what purposes the data are processed, for what period, which recipients receive the data, what is the logic of the data that are undergoing the processing and what might be, at least when based on profiling, the consequences of such processing. This right should not adversely affect the rights and freedoms of others, including trade secrets or intellectual property such as the copyright protecting the software. However, the result of these considerations should not be that all information is refused to the data subject.

Amendment 33 Proposal for a regulation Recital 52

Text proposed by the Commission

Amendment

(52) The controller should use all reasonable measures to verify the identity of a data subject that requests access, in particular in the context of online services and online identifiers. A controller should not retain personal data for the unique purpose of being able to react to potential requests.

(52) The controller should use all reasonable measures to verify the authenticity of a subject access request, in particular in the context of online services and online identifiers. A controller should not retain personal data for the unique purpose of being able to react to potential requests.

Bits of Freedom

The controller should use all reasonable measures to verify the authenticity of a subjects access request, in particular in the context of online services and online identifiers. A controller should not retain personal data for the unique purpose of being able to react to potential requests.

Amendment 36 Proposal for a regulation Recital 55

Text proposed by the Commission

Amendment

(55) To further strengthen the control over their own data and their right of access, data subjects should have the right, where personal data are processed by electronic means and in a structured and commonly used format, to obtain a copy of the data concerning them also in commonly used electronic format. The data subject should also be allowed to transmit those data, which they have provided, from one automated application, such as a social network, into another one. This should apply where the data subject provided the data to the automated processing system, based on their consent or in the performance of a contract

(55) To further strengthen the control over their own data and their right of access, data subjects should have the right, to obtain free of charge the data concerning them also in commonly used, interoperable, and where possible open source electronic format. The data subject should also be allowed to transmit those data, which they have provided, from one automated application, such as a social network, into another one. Providers of information society services should not make the transfer of those data mandatory for the provision of their services. Social networks should be encouraged as much as possible to store data in a way which permits efficient data portability for data subjects.

Bits of Freedom

To further strengthen the control over their own data and their right of access, data subjects should have the right, where personal data are processed by electronic means and in a structured and commonly used format, to obtain a copy of the data concerning them also in commonly used, interoperable, and where possible open source electronic format. The data subject should also be allowed to transmit those data, which they have provided, from one automated application, such as a social network, into another one. Providers of information society services should not make the transfer of those data mandatory for the provision of their services. Social networks should be encouraged as much as possible to store data in a way which permits efficient data portability for data subjects.

Amendment 82 Proposal for a regulation Article 3 – paragraph 2 – point a)

Text proposed by the Commission

Amendment

(a) the offering of goods or services to such data subjects in the Union; or

(a) the offering of goods or services to such data subjects in the Union, irrespective of whether payment is required for those goods or services; or

Bits of Freedom

(a) the offering of goods or services to such data subjects in the Union, irrespective of whether payment for these goods or services is required; or

Amendment 84 Proposal for a regulation Article 4 – point 1

Text proposed by the Commission

Amendment

(1) 'data subject' means an identified natural person or a natural person who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person;

(1) 'data subject' means an identified natural person or a natural person who can be identified or singled out, directly or indirectly, alone or in combination with associated data, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to a unique identifier, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, social or gender identity or sexual orientation of that person;

Bits of Freedom

1. Definitions: data subject 'data subject' means an identified natural person or a natural person who can be identified or singled out, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an identification number or a unique identifier, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person;'

Amendment 87 Proposal for a regulation Article 4 – point 3 b (new)

Text proposed by the Commission

Amendment

(3b) 'profiling' means any form of automated processing of personal data intended to evaluate certain personal aspects relating to a natural person or to analyse or predict in particular that natural person’s performance at work, economic situation, location, health, personal preferences, reliability or behaviour;

Bits of Freedom

Definitions: profiling 'profiling' means any form of automated processing intended to evaluate certain personal aspects relating to this natural person or to analyse or predict in particular the natural person's performance at work, economic situation, location, health, personal preferences, reliability or behaviour.

Amendment 90 Proposal for a regulation Article 4 – point 9

Text proposed by the Commission

Amendment

(9) 'personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

(9) 'personal data breach' means the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

Bits of Freedom

Definitions: personal data breach 'personal data breach' means the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

Amendment 103 Proposal for a regulation Article 6 – paragraph 4

Text proposed by the Commission

Amendment

4. Where the purpose of further processing is not compatible with the one for which the personal data have been collected, the processing must have a legal basis at least in one of the grounds referred to in points (a) to (e) of paragraph 1. This shall in particular apply to any change of terms and general conditions of a contract.

deleted

Bits of Freedom

deleted.

Amendment 135 Proposal for a regulation Article 14 – paragraph 8

Text proposed by the Commission

Amendment

8. The Commission may lay down standard forms for providing the information referred to in paragraphs 1 to 3, taking into account the specific characteristics and needs of various sectors and data processing situations where necessary. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

8. The Commission shall lay down standard forms for providing the information referred to in paragraphs 1 to 3, taking into account the specific characteristics and needs of various sectors and data processing situations where necessary as well as the needs of the relevant stakeholders. Those implementing acts shall be adopted, after requesting an opinion of the European Protection Board, in accordance with the examination procedure referred to in Article 87(2).

Bits of Freedom

8. The Commission shall lay down standard forms for providing the information referred to in paragraphs 1 to 3, taking into account the specific characteristics and needs of various sectors and data processing situations where necessary, as well as the needs of the relevant stakeholders, including the possible use of layered notices. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

Amendment 137 Proposal for a regulation Article 15 – paragraph 1 – point c)

Text proposed by the Commission

Amendment

(c) the recipients or categories of recipients to whom the personal data are to be or have been disclosed, in particular to recipients in third countries;

(c) the recipients to whom the personal data are to be or have been disclosed, including to recipients in third countries;

Bits of Freedom

(c) the recipients to whom the personal data are to be or have been disclosed to, including all recipients in third countries;

Amendment 140 Proposal for a regulation Article 15 – paragraph 1 – point h b (new)

Text proposed by the Commission

Amendment

(hb) in the event of disclosure of personal data to a public authority as a result of a public authority request, confirmation of the fact that such a request has been made, information about whether or not the request has been fully or partly complied with and an overview of the data that were requested or disclosed.

Bits of Freedom

(k) in case of disclosure of personal data to a public authority as a result of a public authority request for personal data, a confirmation of the fact that such a request has been made, information about whether or not the request has been fully or partly complied with and an overview of the data that were requested or disclosed.

Amendment 156 Proposal for a regulation Article 19 – paragraph 2

Text proposed by the Commission

Amendment

2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object free of charge to the processing of their personal data for such marketing. This right shall be explicitly offered to the data subject in an intelligible manner and shall be clearly distinguishable from other information.

2. Where personal data are processed based on Article 6(1a), the data subject shall have the right to object free of charge in all cases to the processing of their personal data. This right shall be explicitly offered to the data subject in an intelligible manner, using clear and plain language, adapted to the data subject, in particular for any information addressed specifically to a child, and shall be clearly distinguishable from other information.

Bits of Freedom

2. Where personal data processing is based on article 6(1)(f), the data subject shall have the right to object free of charge at any time including at the time of the collection of their data, to the processing of their personal data for such marketing. This right shall be explicitly offered to the data subject at least via the same channel that is used to collect the data, in an intelligible manner using clear and plain language, adapted to the data subject, and shall be clearly distinguishable from other information.

Amendment 162 Proposal for a regulation Article 20 – paragraph 3

Text proposed by the Commission

Amendment

3. Automated processing of personal data intended to evaluate certain personal aspects relating to a natural person shall not be based solely on the special categories of personal data referred to in Article 9.

2. Profiling activities relating to a natural person shall not include or generate any data that fall under the special categories of personal data referred to in Article 9, except when falling within the exceptions listed in Article 9(2).

Bits of Freedom

3. Automated processing of personal data intended to evaluate certain personal aspects relating to a natural person shall not include or generate any data that fall under the special categories of personal data referred to in Article 9, except when falling under the exceptions listed in Article 9(2).

Amendment 163 Proposal for a regulation Article 20 – paragraph 2 a (new)

Text proposed by the Commission

Amendment

2a. Profiling that has the effect of discriminating against individuals on the basis of race or ethnic origin, political opinions, religion or beliefs, trade union membership, sexual orientation or gender identity, or that results in measures which have such effect, shall be prohibited.

Bits of Freedom

4. Profiling that (whether intentionally or otherwise) has the effect of discriminating against individuals on the basis of race or ethnic origin, political opinions, religion or beliefs, trade union membership, or sexual orientation, or that (whether intentionally or otherwise) result in measures which have such effect, shall be prohibited.

Amendment 168 Proposal for a regulation Article 21 – paragraph 1 – point c)

Text proposed by the Commission

Amendment

(c) other public interests of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters and the protection of market stability and integrity;

(c) other public interests of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters;

Bits of Freedom

(c) other important public interests of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters;

Amendment 170 Proposal for a regulation Article 21 – paragraph 2

Text proposed by the Commission

Amendment

2. In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions at least as to the objectives to be pursued by the processing and the determination of the controller.

2. In particular, any legislative measure referred to in paragraph 1 must be necessary and proportionate in a democratic society and shall contain specific provisions at least as to:

(a) the objectives to be pursued by the processing;

(b) the determination of the controller;

(c) the specific purposes and means of processing;

(d) the categories of persons authorised to process the data;

(e) the procedure to be followed for the processing;

(f) the safeguards to prevent abuse;

(g) the right of data subjects to be informed about the restriction.

Bits of Freedom

2. In particular, any legislative measure referred to in paragraph 1 must comply with the standards of necessity and proportionality and shall contain specific provisions at least as to: (a) the objectives to be pursued by the processing; (b) the determination of the controller; (c) the specific purposes and means of processing; (d) the categories of persons authorised to process the data; (e) the procedure to be followed for the processing; (f) the safeguards against any arbitrary interferences by public authorities; (g) the right of data subjects to be informed about the restriction

Amendment 176 Proposal for a regulation Article 23 – paragraph 1

Text proposed by the Commission

Amendment

1. Having regard to the state of the art and the cost of implementation, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject

1. Having regard to the state of the art and the cost of implementation, the controller shall, both at the time of the determination of the purposes and means for processing and at the time of the processing itself, implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject, in particular with regard to the principles laid out in Article 5. Where the controller has carried out a data protection impact assessment pursuant to Article 33, the results shall be taken into account when developing those measures and procedures.

Bits of Freedom

1. Having regard to the state of the art and the cost of implementation, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject. This shall include both: (a) technical measures relating to the technical design and architecture of the product or service; and (b) organisational measures which relate to the operational policies of the controller. Where a controller has carried out a data protection impact assessment pursuant to Article 33, the results of this shall be taken into account when developing the measures referred to in points (a) and (b) of this paragraph.

Amendment 177 Proposal for a regulation Article 23 – paragraph 2

Text proposed by the Commission

Amendment

2. The controller shall implement mechanisms for ensuring that, by default, only those personal data are processed which are necessary for each specific purpose of the processing and are especially not collected or retained beyond the minimum necessary for those purposes, both in terms of the amount of the data and the time of their storage. In particular, those mechanisms shall ensure that by default personal data are not made accessible to an indefinite number of individuals.

2. Where the data subject is given a choice regarding the processing of personal data, the controller shall ensure that, by default, only those personal data are processed which are necessary for each specific purpose of the processing and are especially not collected or retained beyond the minimum necessary for those purposes, both in terms of the amount of the data and the time of their storage. In particular, those mechanisms shall ensure that by default personal data are not made accessible to an indefinite number of individuals and that data subjects are able to control the distribution of their personal data.

Bits of Freedom

2. The controller shall implement mechanisms for ensuring that, by default, only those personal data are processed which are necessary for each specific purpose of the processing and are especially not collected or retained beyond the minimum necessary for those purposes, both in terms of the amount of the data and the time of their storage. This shall be ensured using technical and organisational measures, as appropriate. In particular, those mechanisms shall ensure that by default personal data are not made accessible to an indefinite number of individuals and that data subjects can control the distribution of their personal data.

Amendment 183 Proposal for a regulation Article 25 – paragraph 3

Text proposed by the Commission

Amendment

3. The representative shall be established in one of those Member States where the data subjects whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, reside.

3. The representative shall be established in one of those Member States where the data subjects whose personal data are processed as referred to in Article 3(2) reside.

Bits of Freedom

3. The representative shall be established in one of those Member States where the data subjects whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, reside.

Amendment 198 Proposal for a regulation Article 31 – paragraph 4 a (new)

Text proposed by the Commission

Amendment

4a. The supervisory authority shall keep a public register of the types of breaches notified

Bits of Freedom

6. The supervisory authority maintains a public register of all notified data breaches which can be accessed free of charge.

Amendment 324 Proposal for a regulation Article 80 – paragraph 1

Text proposed by the Commission

Amendment

1. Member States shall provide for exemptions or derogations from the provisions on the general principles in Chapter II, the rights of the data subject in Chapter III, on controller and processor in Chapter IV, on the transfer of personal data to third countries and international organisations in Chapter V, the independent supervisory authorities in Chapter VI and on co-operation and consistency in Chapter VII for the processing of personal data carried out solely for journalistic purposes or the purpose of artistic or literary expression in order to reconcile the right to the protection of personal data with the rules governing freedom of expression.

1. Member States shall provide for exemptions or derogations from the provisions on the general principles in Chapter II, the rights of the data subject in Chapter III, on controller and processor in Chapter IV, on the transfer of personal data to third countries and international organisations in Chapter V, the independent supervisory authorities in Chapter VI and on co-operation and consistency in Chapter VII whenever this is necessary in order to reconcile the right to the protection of personal data with the rules governing freedom of expression in accordance with the Charter of Fundamental Rights of the European Union and its referral to the ECHR.

Bits of Freedom

1. Member States shall provide for exemptions or derogations from the provisions on the general principles in Chapter II, the rights of the data subject in Chapter III, on controller and processor in Chapter IV, on the transfer of personal data to third countries and international organisations in Chapter V, the independent supervisory authorities in Chapter VI and on co-operation and consistency in Chapter VII whenever this is necessary in order to reconcile the right to the protection of personal data with the rules governing freedom of expression.

Amendment 334 Proposal for a regulation Article 83 – paragraph 1

Text proposed by the Commission

Amendment

1. Within the limits of this Regulation, personal data may be processed for historical, statistical or scientific research purposes only if:

1. Within the limits of this Regulation, personal data not falling within the categories of data covered by Articles 8 and 9 may be processed for historical, statistical or scientific research purposes only if:

Bits of Freedom

1. Within the limits of this Regulation, personal data not falling within the categories of data covered by Articles 8 and 9 may be processed for historical, statistical or scientific research purposes only if:

Amendment 335 Proposal for a regulation Article 83 – paragraph 1 - point b)

Text proposed by the Commission

Amendment

(b) data enabling the attribution of information to an identified or identifiable data subject is kept separately from the other information as long as these purposes can be fulfilled in this manner.

(b) data enabling the attribution of information to an identified or identifiable data subject is kept separately from the other information.

Bits of Freedom

(b) data enabling the attribution of information to an identified or identifiable data subject is kept separately from the other information as long as these purposes can be fulfilled in this manner.

Amendment 336 Proposal for a regulation Article 83 – paragraph 1 a (new)

Text proposed by the Commission

Amendment

1a. Subject to the exception in paragraph 1b, data falling within the categories of data covered by Articles 8 and 9 may be processed for historical, statistical or scientific research only with the consent of the data subjects.

Bits of Freedom

2. Subject only to the exception in paragraph (3), data falling within the categories of data covered by Articles 8 and 9 of the Regulation may be processed for historical, statistical or scientific research only with the consent of the data subjects, given in accordance with Article 4(8).

Document Info

  • Title: COM/Rapporteur/Bits of Freedom
  • Language: en
  • Created: February 11, 2013 11:53 AM
  • Last Modified: February 11, 2013 11:53 AM
  • Pages: 20
  • Encrypted: No
  • Dimensions: 595.2 × 841.8
  • Filesize: 251.92 KB
  • SHA1 Hash: 635d4cd2fc3cce1c986a2564f5c1c3517095830b