ALDE swing votes compromise amendments ITRE data protection
This page lists the compromise amendments voted by the ITRE committee that would have not been adopted without the votes of the Members of the ALDE group.
For more, read our press release.
- 1 CA 31 - Sets out the scope of the Regulation individuals who are acting in their professional capacity
- 2 CA 33 - Inserts dangerous concept of "pseudonymous data" as an exemption to data protection
- 3 CA 34 - Sets out the scope of the Regulation so-called anonymous data
- 4 CA 35 - Mays make a non-explicit consent, such as a passive action, admitted as a valid acceptance from the data subject
- 5 CA 37
- 6 CA 38 - Deletes the requirement that a consent can only be given for a specific and explained purpose
- 7 CA 39 - Expands the use of the 'legitimate interest' ground to almost any case where one of the involved companies pursues some sort of interest
- 8 CA 40 - Enables pseudonymised data (defined by CA 33) to be collected without the consent of the data subject
- 9 CA 41 - Aims at replacing the right to withdrawal of consent to collection, processing or storage by a contractual obligation, controlled by companies
- 10 CA 43
- 11 CA 46
- 12 CA 47
- 13 CA 48
- 14 CA 50
- 15 CA 54
- 16 CA 55
- 17 CA 57
- 18 CA 59
- 19 CA 60 - Lifts the ban on profiling measures that the data subject cannot prove to actively suffer from
- 20 CA 62
- 21 CA 63
- 22 CA 64
- 23 CA 65
- 24 CA 66
- 25 CA 67
- 26 CA 68
- 27 CA 69
- 28 CA 70 - Replaces the obligation of notification of a breach of personal data by obligation of notification of a breach of certain types of personal data
- 29 CA 72 - Substantially reduces the cases where a controller must inform data subjects of a data breach
- 30 CA 73
- 31 CA 76
- 32 CA 77
- 33 CA 78
- 34 CA 79
- 35 CA 80
- 36 CA 82
- 37 CA 85
- 38 CA 86
- 39 CA 87
- 40 CA 90
CA 31 - Sets out the scope of the Regulation individuals who are acting in their professional capacity
+ Sets out the scope of the Regulation individuals who cannot be identified by the persons who collect their data but who can be identified by third parties which are not working with these persons.
Article 4 – paragraph 1 – point 1 (Replacing amendments 323, Andersdotter, 324 - Valean, Creutzmann, 325 - Rübig, and 326 - Niebler)
(1) ‘data subject’ means an identified natural person or a natural person who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, working together with the controller, in particular by reference to an identification number or other unique identifier, location data, online identifier or to one or more factors specific to the gender, physical, physiological, genetic, mental, economic, cultural or social identity or sexual orientation of that person and who is not acting in his/her professional capacity;
CA 33 - Inserts dangerous concept of "pseudonymous data" as an exemption to data protection
Article 4 – paragraph 1 – point 2 a (new) (Replacing amendments 23 - Rapporteur, and 331 - Rohde)
(2a) 'pseudonymous data' means any personal data that has been collected, altered or otherwise processed so that it of itself cannot be attributed to a data subject without the use of additional data which is subject to separate and distinct technical and organisational controls to ensure such non attribution
CA 34 - Sets out the scope of the Regulation so-called anonymous data
Article 4 – paragraph 1 – point 2 b (new) (Replacing amendments 24 - Rapporteur, 330 - Rohde, and 333 - Chichester)
(2 b) 'anonymous data' means any personal data that has been collected, altered or otherwise processed in such a way that it can no longer be attributed to a data subject; anonymous data shall not be considered personal data
CA 35 - Mays make a non-explicit consent, such as a passive action, admitted as a valid acceptance from the data subject
Article 4 – paragraph 1 – point 8 (Replacing amendments 25 - Rapporteur, 338 - Niebler, 339 - Chichester, and 340 - Valean, Creutzmann)
(8) ‘the data subject's consent’ means any freely given specific, informed and
explicit unambiguous indication of his or her wishes by which the data subject , either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed; Silence or inactivity does not in itself indicate acceptance;
Article 5 - paragraph 1 - point c (Replacing amendments 358 Valean/Creutzmann and 359 - Audy)
Personal data must be:
(c) adequate, relevant, and
limited to the minimum necessary proportionate and not excessive in relation to the purposes for which they are processed; they shall only be processed if, and as long as, the purposes could not be fulfilled by processing information that does not involve personal data;
CA 38 - Deletes the requirement that a consent can only be given for a specific and explained purpose
Article 6 – paragraph 1 – point a (Replacing amendments 29 - Rapporteur, 363 - Audy, and 364 - Ticau)
1. Processing of personal data shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of their personal data
for one or more specific purposes;
CA 39 - Expands the use of the 'legitimate interest' ground to almost any case where one of the involved companies pursues some sort of interest
Article 6 – paragraph 1 – point f (Replacing amendments 30 - Rapporteur, Valean, 371 - Vidal-Quadras, and 372 - Kelly, Valean, Niebler)
1. Processing of personal data shall be lawful only if and to the extent that at least one of the following applies:
(f) processing is necessary for the purposes of the legitimate interests pursued by, or on behalf of a controller or a processor, or by a third party or parties in whose interest the data is processed, including for the security of processing, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks or enterprises in the exercise of their legal obligations, and in order to safeguard against fraudulent behaviour.
CA 40 - Enables pseudonymised data (defined by CA 33) to be collected without the consent of the data subject
Article 6 – paragraph 1 (Replacing Amendments 374 - Kelly, del Castillo, Niebler, 377 - Vidal-Quadras, 380 - Rohde)
1. Processing of personal data shall be lawful only if and to the extent that at least one of the following applies:
(g) processing is limited to pseudonymised data, where the data subject is adequately protected and the recipient of the service is given a right to object pursuant to Art. 19 (3) (new).
CA 41 - Aims at replacing the right to withdrawal of consent to collection, processing or storage by a contractual obligation, controlled by companies
Article 7 – paragraph 3 (Replacing amendments 38 - Rapporteur, 397 - Chichester)
3.The data subject shall have the right to withdraw his or her consent at any time. If the consent is part of a contractual or statutory relationship the withdrawal shall depend on the contractual or legal conditions. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
Article 7 – paragraph 4 (Replacing amendments 39 - Rapporteur, 400 - Lange, and 401 - Rübig)
4. Consent shall not provide a legal basis for the processing,
where there is a significant imbalance between the position of the data subject and the controller when it has not been given freely,
Article 9 – paragraph 2 – point g (Replacing amendments 42 - Rapporteur 416 - Andersdotter, and 417 - Rohde)
1. The processing of personal data, revealing race or ethnic origin, political opinions, religion or beliefs, trade-union membership, and the processing of genetic data or data concerning health or sex life or criminal convictions or related security measures shall be prohibited.
2. Paragraph 1 shall not apply where:
(g) processing and sharing is necessary for the performance of a task carried out in the public interest, on the basis of Union law,
or Member State law, international conventions to which the Union or a Member State is a party, which shall provide for suitable measures to safeguard the data subject's fundamental rights and legitimate interests; or
Article 9 – paragraph 2 – point j (Replacing amendments 44 - Rapporteur, 421 - Rohde, 422 - Andersdotter and 423 - Valean, Creutzmann)
(j) processing of data relating to criminal convictions or related security measures is carried out either subject to the conditions and safeguards referred to in Article 83a or under the
control of official supervision of a supervisory authority or when the processing is necessary for compliance with or to avoid a breach of a legal or regulatory obligation or collective agreements on the labour market to which a controller is subject, or for the performance of a task carried out for important public interest reasons, and in so far as authorised by Union law or Member State law providing for adequate safeguards for the fundamental rights of the data subject. A complete register of criminal convictions shall be kept only under the control of official authority.
Article 10 – paragraph 1 (Replacing amendments 428 - Valean, Creutzmann, 429 - Valean, Creutzmann, 430 - Rübig, 431 - Kelly, Del Castillo Vera, Niebler, 432 - Proust, and 433 - Andersdotter)
If the data processed by a controller do not permit the controller, through means used by the controller to identify a
natural person data subject, in particular when rendered anonymous or pseudonymous, the controller shall not be obliged to acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation.
Article 14 – paragraph 3 (Replacing amendments 52 - Rapporteur, 459 - Andersdotter, and 460 - Lange)
3. Where the personal data are not collected from the data subject, the controller shall inform the data subject, as far as possible, in addition to the information referred to in paragraph 1, from which source the personal data originate, except where the data originate from a publicly available source or where the transfer is provided by law or the processing is used for purposes relating to the professional activities of the person concerned.
Article 17 – paragraph 1 – point b (Replacing amendments 59 - Rapporteur, 484 - Andersdotter, and 485 - Rohde, Valean)
1. The data subject shall have the right to obtain from the controller the erasure of personal data relating to them and the abstention from further dissemination of such data, especially in relation to personal data which are made available by the data subject while he or she was a child, where one of the following grounds applies:
(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or when the
storage retention period consented to has expired, and where there is no other legal ground for the processing or storage of the data;
Article 17 – paragraph 3 – introductory part (Replacing amendments 61 - Rapporteur, , 495 - Vidal-Quadras, and 496 - Valean, Creutzmann)
3. The controller shall carry out the erasure without undue delay, except to the extent that the retention and dissemination of the personal data is necessary:
Article 18 – paragraph 2 (Replacing amendments 66 - Rapporteur, 506 - Rohde, Valean, 507 - Andersdotter, and 508 - Ticau)
2. Where the data subject has provided the personal data and the processing is based on consent or on a contract, the data subject shall have the right to transmit those personal data and any other information provided by the data subject, , where technically feasible and retained by an automated processing system
, into another one, in an electronic format which is commonly used, without hindrance from the controller from whom the personal data are withdrawn.
CA 60 - Lifts the ban on profiling measures that the data subject cannot prove to actively suffer from
Article 20 – paragraph 1 (Replacing amendments 523 - Kelly, 524 - Rohde, 525 - Chichester, 526 - Valean, Chichester, and 527 - Andersdotter)
Every natural person A data subject shall have the right not to be subject to a measure which produces legal effects concerning this natural person or significantly affects this natural person, and adversely affects this data subject, both offline and online which is based solely on automated processing of data intended to evaluate certain personal aspects relating to this natural person a data subject or to analyse or predict in particular the natural person's data subject's performance at work, economic situation, location, health, personal preferences, reliability or behaviour.
Article 26 - paragraph 1 (Replacing Amendments 614 - Chichester, 615 - Rohde, Valean, 616 - Kelly, Valean, Niebler)
1. Where a processing operation is to be carried out on behalf of a controller and involves the processing of data that would permit the processor to reasonably identify the data subject, the controller shall choose a processor providing sufficient guarantees to implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject, in particular in respect of the technical security measures and organizational measures governing the processing to be carried out and shall ensure compliance with those measures.
Article 26 - Paragraph 2 - introductory part (Replacing amendments 617 - Kelly, Niebler, 618 - Valean, Creutzman, Rohde)
2. The carrying out of processing by a processor shall be governed by a contract or other legal act binding the processor to the controller
and stipulating in particular that the processor shall:. The controller and the processor shall be free to determine respective roles and responsibilities with respect to the requirements of this Regulation, and shall provide for the following:
Article 26 - Paragraph 2 - point a (619 - Valean, Creutzmann, Rohde, 620 - Kelly, Niebler)
2. The carrying out of processing by a processor shall be governed by a contract or other legal act binding the processor to the controller (and stipulating in particular that the processor shall:)
(a) The processor shall act only on instructions from the controller, in particular, where the transfer of the personal data used is prohibited;
Article 26 - Paragraph 2 - Point e (627 - Valean, Creutzmann, Rohde, 628 - Kelly, Niebler)
(e) insofar as this is possible given the nature of the processing
, create in agreement with the controller the necessary technical and organisational requirements for the fulfilment and the processor's ability to assist with reasonable effort, an agreement as to the appropriate and relevant technical and organisational requirements which support the ability of the controller to respond to requests for exercising the subject's rights laid down in Chapter III
Article 26 - Paragraph 2 - Point f (629 - Valean, Creutzmann, Rohde, 630 - Kelly, Niebler)
assist the controller in ensuring compliance insofar as this is possible given the nature of processing, the information available to the processor and his ability to assist with reasonable effort, an agreement on how compliance will be ensured with the obligations pursuant to Articles 30 to 34.
Article 26 - Paragraph 2 - point g (631 - Valean, Creutzmann, Rohde, 632 - Kelly, Niebler)
(g) hand over all results to the controller after the end of the processing
and not process the personal data otherwise; and/or destroy it in a commercially accepted manner.
Article 28 – paragraph 1 (Replacing amendments 82 - Rapporteur, 641 - Del Castillo Vera, 642 - Valean, Creutzmann, 643 - Chichester, and 644 - Rohde, Valean)
1. Each controller and, if any, the controller's representative, shall maintain appropriate documentation of
all the measures taken to ensure that the processing operations of personal data under its responsibility is in compliance with this Regulation.
Article 30 – paragraph 2 a (new) (Replacing amendments 669 - Valean, Creutzmann and 670 - Kelly, Valean, Niebler)
1. The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected, having regard to the state of the art and the costs of their implementation.
2. The controller and the processor shall, following an evaluation of the risks, take the measures referred to in paragraph 1 to protect personal data against accidental or unlawful destruction or accidental loss and to prevent any unlawful forms of processing, in particular any unauthorised disclosure, dissemination or access, or alteration of personal data.
(a) The legal obligations, as referred to in paragraphs 1 and 2, which would require processing of personal data to the extent strictly necessary for the purposes of ensuring network and information security, consitute a legitimate interest pursued by or on behalf of a data controller or processor, as referred to in Article 6 (1) f.
CA 70 - Replaces the obligation of notification of a breach of personal data by obligation of notification of a breach of certain types of personal data
Article 31 – paragraph 1 (Replacing amendments 88 - Rapporteur, 674 - Valean, Creutzmann, and 676 - Rohde, Valean)
1. In the case of a personal data breach relating to special categories of personal data, personal data which are subject to professional secrecy, personal data relating to criminal offences or to the suspicion of a criminal act or personal data relating to bank or credit card accounts, which seriously threaten the rights or legitimate interests of the data subject, the controller shall without undue delay
and, where feasible, not later than 24 hours after having become aware of it, notify the personal data breach to the supervisory authority. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 24 hours.
CA 72 - Substantially reduces the cases where a controller must inform data subjects of a data breach
Article 32 paragraph 3 (686 - Rohde, Valean, 687 - Valean, Creutzmann, Kelly)
3. The communication of a personal data breach to the data subject shall not be required if the
controller demonstrates to the satisfaction of the supervisory authority that it data breach has not produced significant harm and the controller has implemented appropriate technological protection measures, and that those measures where applied to the data concerned by the personal data breach. Such technological protection measures shall render the data unintelligible, unusable or anonymised to any person who is not authorised to access it.
Article 33 – paragraph 1 (Replacing amendments 691 - Kelly, Valean, 692 - Rohde, Valean, 693 - Valean, Creutzmann, Kelly, and 695 - Del Castillo Vera)
1. Where processing operations present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes, the controller
or the processor acting on the controller's behalf shall carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment shall be sufficient to address a set of processing operations that present similar risks. SMEs shall only be required to perform an impact assessment after their third year of incorporation where data processing is deemed as a core activity of their business.
Article 34 – paragraph 2 – introductory part (Replacing amendments 96 - Rapporteur, 721 - Valean, Creutzmann, Rohde)
2. The controller or processor acting on the controller's behalf
shallmay consult the supervisory authority prior to the processing of special categories of personal data in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risks involved for the data subjects where:
Article 34 - paragraph 3 (726 - Valean, Creutzmann, 727 - Kelly, Valean)
3. Where the competent supervisory authority
is of the opinion determines in accordance with its power that the intended processing does not comply with this Regulation, in particular where risks are insufficiently identified or mitigated, it shall prohibit the intended processing and make appropriate proposals to remedy such incompliance. Such a decision shall be subject to appeal in a competent court and it may not be enforceable while being appealed unless the processing results to immediate serious harm suffered by data subjects.
Article 36 - paragraph 1 (100 - Rapporteur, 747 - Ticau, 748 - Valean, Creutzmann)
1. The executive management of the controller or the processor shall support the data protection organisation or data protection officer in performing
the tasks their duties and shall provide staff, premises, equipment and any other resources necessary to carry out the roles and duties and tasks referred to in Article 37.
Article 36 - Paragraph 2 (749 - Rohde, 750 - Valean, Creutzmann)
controller or processor shall ensure that the data protection organisation or data protection officer shall perform s the his or her duties and tasks independently and deos not receive any instructions as regards the exercise of the function. The data protection officers shall directly report to the management of the controller or the processor.
Article 42 – paragraph 1 (Replacing amendments 107 - Rapporteur, 774 - Valean, Creutzmann, 775 - Chichester, and 776 - Andersdotter)
1. Where the Commission has taken no decision pursuant to Article 41, or decides that a third country, or a territory or a processing sector within that third country, or an international organisation does not ensure an adequate level of protection in accordance with paragraph 5 of this Article, a controller or processor may transfer personal data to a third country or an international organisation transferring data on an international basis only if the controller or processor has adduced appropriate safeguards with respect to the protection of personal data in a legally binding instrument, and where appropriate pursuant to an impact assessment, where the controller or processor has ensured that the recipient of data in a third country maintains high standards of data protection.
These safeguards shall, at least, guarantee the observance of the principles of personal data processing as established in Article 5 and guarantee data subject rights as established in Chapter III.
Article 43 - paragraph. 1, intro (Replacing amendments 110 - Rapporteur, and 790 - Valean, Creutzmann)
A The competent supervisory authority shall in accordance with the consistency mechanism set out in Article 58 approve authorize through a single act of approval binding corporate rules for a group of undertakings. These rules will allow multiple intracompany international transfers in and out of Europe, provided that they:
Article 61 - paragraph 1 (Replacing amendments 122 - Rapporteur, 841 - Rohde, Valean, and 842 - Valean, Creutzmann)
1. In exceptional circumstances, where a supervisory authority considers that there is an urgent need to act in order to protect the interests of data subjects,
in particular when the danger exists that the enforcement of a right of a data subject could be considerably impeded by means of an alteration of the existing state or for averting major disadvantages, by way of derogation from the procedure referred to in Article 58, it may immediately adopt provisional measures with a specified period of validity. This supervisory authority shall, without delay, communicate those measures, with full reasons, to the competent supervisory authority, the European Data Protection Board, the Commission and the controller or processor concerned.
Article 77 - paragraph 1 (Replacing amendments 860 - Andersdotter, 861 - Valean, Creutzmann, Rohde, Kelly, and 862 - Del Castillo Vera)
1. Any person who has suffered damage as a result of an unlawful processing operation or of an action incompatible with this Regulation shall have the right to receive compensation from the controller
or the processor for the damage suffered.
Article 77 - paragraph 2 (Replacing amendments 863 - Andersdotter, 864 - Valean, Creutzmann, Kelly, and 865 - Del Castillo Vera)
2. Where more than one controller
or processor is involved in the processing, each controller or processor shall be jointly and severally liable for the entire amount of the damage to the extent that the joint controllers' respective liability has not been determined in the legal arrangement referred to in Article 24. In the case of a group of undertakings, the entire group shall be liable as a single economic entity.
Article 89 - paragraph 2 (Replacing amendments 164 - Rapporteur, and 915 - Proust)
2. Article 1(2), Article 2(b) and (c), Article 4(3), (4) and (5) and Articles 6 and 9 of Directive 2002/58/EC shall be deleted.