ALDE swing votes compromise amendments ITRE data protection : Différence entre versions

De La Quadrature du Net
Aller à la navigationAller à la recherche
(CA 64 (!))
Ligne 223 : Ligne 223 :
 
The carrying out of processing by a processor shall be governed by a contract or other legal act binding the processor to the controller '''(deletion: and stipulating in particular that the processor shall). The controller and the processor shall be free to determine respective roles and responsibilities with respect to the requirements of this Regulation, and shall provide for the following:'''
 
The carrying out of processing by a processor shall be governed by a contract or other legal act binding the processor to the controller '''(deletion: and stipulating in particular that the processor shall). The controller and the processor shall be free to determine respective roles and responsibilities with respect to the requirements of this Regulation, and shall provide for the following:'''
  
=CA 64 (!)=
+
=CA 64 =
  
26.2.a
+
Article 26 - Paragraph 2 - point a
 
 
 
 
 
(619 - Valean, Creutzmann, Rohde, 620 - Kelly, Niebler)
 
(619 - Valean, Creutzmann, Rohde, 620 - Kelly, Niebler)
 
 
 
 
 +
'''REPLACING'''
 +
 +
2. The carrying out of processing by a processor shall be governed by a contract or other legal act binding the processor to the controller and stipulating in particular that the processor shall:
 +
 +
(a) act only on instructions from the controller, in particular, where the transfer of the personal data used is prohibited;
 +
 +
 +
'''WITH'''
 +
 
the processor shall act only on instructions from the controller, in particular, where the transfer of the personal data used is prohibited;
 
the processor shall act only on instructions from the controller, in particular, where the transfer of the personal data used is prohibited;
  

Version du 19 février 2013 à 12:27

This page lists the Compromise Amendments (18/02/2013) currently discussed by ITRE members and for which ALDE's vote will be decisive (according to ITRE's current voting list).

For more, read our latest press release.

Call your MEPs now and free of charge with the PiPhone!

List of "compromise amendments" supported by EPP, ECR, and ALDE groups. They cannot be adopted without the votes of the Members of the ALDE group.


CA 31

Article 4 – paragraph 1 – point 1

(Replacing amendments 323, Andersdotter, 324 - Valean, Creutzmann, 325 - Rübig, and 326 - Niebler)

REPLACES

(1) 'data subject' means an identified natural person or a natural person who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person;

WITH

(1) ‘data subject’ means an identified natural person or a natural person who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, working together with the controller, in particular by reference to an identification number or other unique identifier, location data, online identifier or to one or more factors specific to the gender, physical, physiological, genetic, mental, economic, cultural or social identity or sexual orientation of that person and who is not acting in his/her professional capacity;

CA 33

Article 4 – paragraph 1 – point 2 a (new)

(Replacing amendments 23 - Rapporteur, and 331 - Rohde)

(2a) 'pseudonymous data' means any personal data that has been collected, altered or otherwise processed so that it of itself cannot be attributed to a data subject without the use of additional data which is subject to separate and distinct technical and organisational controls to ensure such non attribution

CA 34

Article 4 – paragraph 1 – point 2 b (new)

(Replacing amendments 24 - Rapporteur, 330 - Rohde, and 333 - Chichester)

(2 b) 'anonymous data' means any personal data that has been collected, altered or otherwise processed in such a way that it can no longer be attributed to a data subject; anonymous data shall not be considered personal data

CA 35

Article 4 – paragraph 1 – point 8

(Replacing amendments 25 - Rapporteur, 338 - Niebler, 339 - Chichester, and 340 - Valean, Creutzmann)

REPLACING

(8) 'the data subject's consent' means any freely given specific, informed and explicit indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed;

WITH

(8) ‘the data subject's consent’ means any freely given specific, informed and unambiguous indication of his or her wishes by which the data subject signifies agreement to personal data relating to them being processed; Silence or inactivity does not in itself indicate acceptance;

CA 37

Article 5 - paragraph 1 - point c

(Replacing amendments 358 Valean/Creutzmann and 359 - Audy)

Personal data must be:

REPLACING

(c) adequate, relevant, and limited to the minimum necessary in relation to the purposes for which they are processed; they shall only be processed if, and as long as, the purposes could not be fulfilled by processing information that does not involve personal data;

WITH

(c) adequate, relevant, and proportionate and not excessive in relation to the purposes for which they are processed; they shall only be processed if, and as long as, the purposes could not be fulfilled by processing information that does not involve personal data;

CA 38

Article 6 – paragraph 1 – point a

(Replacing amendments 29 - Rapporteur, 363 - Audy, and 364 - Ticau)

1. Processing of personal data shall be lawful only if and to the extent that at least one of the following applies:

REPLACING

(a) the data subject has given consent to the processing of their personal data for one or more specific purposes;

WITH

(a) the data subject has given consent to the processing of their personal data;

CA 39

Article 6 – paragraph 1 – point f

(Replacing amendments 30 - Rapporteur, Valean, 371 - Vidal-Quadras, and 372 - Kelly, Valean, Niebler)

(1. Processing of personal data shall be lawful only if and to the extent that at least one of the following applies:)

REPLACING

(f) processing is necessary for the purposes of the legitimate interests pursued by a controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks.

WITH

(f) processing is necessary for the purposes of the legitimate interests pursued by, or on behalf of a controller or a processor, or by a third party or parties in whose interest the data is processed, including for the security of processing, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks or enterprises in the exercise of their legal obligations, and in order to safeguard against fraudulent behaviour.

CA 40

Article 6 – paragraph 1

(Replacing Amendments 374 - Kelly, del Castillo, Niebler, 377 - Vidal-Quadras, 380 - Rohde)

1. Processing of personal data shall be lawful only if and to the extent that at least one of the following applies:

(g) processing is limited to pseudonymised data, where the data subject is adequately protected and the recipient of the service is given a right to object pursuant to Art. 19 (3) (new).

CA 41 - Aims at replacing the right to withdrawal of consent to collection, processing or storage by a contractual obligation, controlled by companies

Article 7 – paragraph 3

(Replacing amendments 38 - Rapporteur, 397 - Chichester)

REPLACING

3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

WITH

3.The data subject shall have the right to withdraw his or her consent at any time. If the consent is part of a contractual or statutory relationship the withdrawal shall depend on the contractual or legal conditions. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

CA 43

Article 7 – paragraph 4

(Replacing amendments 39 - Rapporteur, 400 - Lange, and 401 - Rübig)

REPLACING

4. Consent shall not provide a legal basis for the processing, where there is a significant imbalance between the position of the data subject and the controller.

WITH

4. Consent shall not provide a legal basis for the processing, when it has not been given freely,

CA 46

Article 9 – paragraph 2 – point g

(Replacing amendments 42 - Rapporteur 416 - Andersdotter, and 417 - Rohde)

(g) processing and sharing is necessary for the performance of a task carried out in the public interest, on the basis of Union law, Member State law, international conventions to which the Union or a Member State is a party, which shall provide for suitable measures to safeguard the data subject's fundamental rights and legitimate interests; or

CA 47

Article 9 – paragraph 2 – point j

(Replacing amendments 44 - Rapporteur, 421 - Rohde, 422 - Andersdotter and 423 - Valean, Creutzmann)

(j) processing of data relating to criminal convictions or related security measures is carried out either subject to the conditions and safeguards referred to in Article 83a or under the supervision of a supervisory authority or when the processing is necessary for compliance with or to avoid a breach of a legal or regulatory obligation or collective agreements on the labour market to which a controller is subject, or for the performance of a task carried out for important public interest reasons, and in so far as authorised by Union law or Member State law providing for adequate safeguards for the fundamental rights of the data subject. A complete register of criminal convictions shall be kept only under the control of official authority.

CA 48

Article 10 – paragraph 1

(Replacing amendments 428 - Valean, Creutzmann, 429 - Valean, Creutzmann, 430 - Rübig, 431 - Kelly, Del Castillo Vera, Niebler, 432 - Proust, and 433 - Andersdotter)

If the data processed by a controller do not permit the controller, through means used by the controller to identify a data subject, in particular when rendered anonymous or pseudonymous, the controller shall not acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation.

CA 50

Article 14 – paragraph 3

(Replacing amendments 52 - Rapporteur, 459 - Andersdotter, and 460 - Lange)


3. Where the personal data are not collected from the data subject, the controller shall inform the data subject, as far as possible, in addition to the information referred to in paragraph 1, from which source the personal data originate, except where the data originate from a publicly available source or where the transfer is provided by law or the processing is used for purposes relating to the professional activities of the person concerned.

CA 54

Article 17 – paragraph 1 – point b

(Replacing amendments 59 - Rapporteur, 484 - Andersdotter, and 485 - Rohde, Valean)


(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or when the retention period consented to has expired, and where there is no other legal ground for the processing or storage of the data;

CA 55

Article 17 – paragraph 3 – introductory part

(Replacing amendments 61 - Rapporteur, , 495 - Vidal-Quadras, and 496 - Valean, Creutzmann)

3. The controller shall carry out the erasure without undue delay, except to the extent that the retention and dissemination of the personal data is necessary:

CA 57

Article 18 – paragraph 2

(Replacing amendments 66 - Rapporteur, 506 - Rohde, Valean, 507 - Andersdotter, and 508 - Ticau)

2. Where the data subject has provided the personal data and the processing is based on consent or on a contract, the data subject shall have the right to transmit those personal data and any other information provided by the data subject, , where technically feasible and retained by an automated processing system

CA 59 (?)

CA 60

Article 20 – paragraph 1

(Replacing amendments 523 - Kelly, 524 - Rohde, 525 - Chichester, 526 - Valean, Chichester, and 527 - Andersdotter)

1. A data subject shall have the right not to be subject to a measure which adversely affects this data subject, both offline and online which is based solely on automated processing of data intended to evaluate certain personal aspects relating to a data subject or to analyse or predict in particular the data subject's performance at work, economic situation, location, health, personal preferences, reliability or behaviour.

CA 62 - Replaces the obligation of notification of a breach of personal data by obligation of notification of certain types of data

Article 26 - paragraph 1

(Replacing Amendments 614 - Chichester, 615 - Rohde, Valean, 616 - Kelly, Valean, Niebler)

1. Where a processing operation is to be carried out on behalf of a controller and involves the processing of data that would permit the processor to reasonably identify the data subject, the controller shall choose a processor providing sufficient guarantees to implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject, in particular in respect of the technical security measures and organizational measures governing the processing to be carried out and shall ensure compliance with those measures.

CA 63

Article 26 - Paragraph 2 - introductory part   (617 - Kelly, Niebler, 618 - Valean, Creutzman, Rohde)   The carrying out of processing by a processor shall be governed by a contract or other legal act binding the processor to the controller (deletion: and stipulating in particular that the processor shall). The controller and the processor shall be free to determine respective roles and responsibilities with respect to the requirements of this Regulation, and shall provide for the following:

CA 64

Article 26 - Paragraph 2 - point a   (619 - Valean, Creutzmann, Rohde, 620 - Kelly, Niebler)   REPLACING

2. The carrying out of processing by a processor shall be governed by a contract or other legal act binding the processor to the controller and stipulating in particular that the processor shall:

(a) act only on instructions from the controller, in particular, where the transfer of the personal data used is prohibited;


WITH

the processor shall act only on instructions from the controller, in particular, where the transfer of the personal data used is prohibited;

CA 65 (!)

Article 26 - Paragraph 2 - Point e   (627 - Valean, Creutzmann, Rohde, 628 - Kelly, Niebler)   "insofar as this is possible given the nature of the processing and the processor's ability to assist with reasonable effort, an agreement as to the appropriate and relevant technical and organisational requirements which support the ability of the controller to respond to requests for exercising the subject's rights laid down in Chapter III"

CA 66 (!)

26.2.f   (629 - Valean, Creutzmann, Rohde, 630 - Kelly, Niebler)   insofar as this is possible given the nature of processing, the information available to the processor and his ability to assist with reasonable effort, an agreement on how compliance will be ensured with the obligations pursuant to Articles 30 to 34.

CA 67 (!)

26.2.g   (631 - Valean, Creutzmann, Rohde, 632 - Kelly, Niebler)   hand over all results to the controller after the end of the processing and/or destroy it in a commercially accepted manner.

CA 68

Article 28 – paragraph 1

(Replacing amendments 82 - Rapporteur, 641 - Del Castillo Vera, 642 - Valean, Creutzmann, 643 - Chichester, and 644 - Rohde, Valean)

1. Each controller and, if any, the controller's representative, shall maintain appropriate documentation of the measures taken to ensure that the processing of personal data under its responsibility is in compliance with this Regulation.

CA 69 (!)

669 (Valean, Creutzmann) and 670 (Kelly, Valean, Niebler)

The legal obligations, as referred to in paragraphs 1 and 2, which would require processing of personal data to the extent strictly necessary for the purposes of ensuring network and information security, consitute a legitimate interest pursued by or on behalf of a data controller or processor, as referred to in Article 6 (1) f.

CA 70

Article 31 – paragraph 1

(Replacing amendments 88 - Rapporteur, 674 - Valean, Creutzmann, and 676 - Rohde, Valean)

1. In the case of a personal data breach relating to special categories of personal date, personal data which are subject to professional secrecy, personal data relating to criminal offences or to the suspicion of a criminal act or personal data relating to bank or credit card accounts, which seriously threaten the rights or legitimate interests of the data subject, the controller shall without undue delay notify the personal data breach to the supervisory authority.

CA 72

Article 32 paragraph 3   (686 - Rohde, Valean, 687 - Valean, Creutzmann, Kelly)   The communication of a personal data breach to the data subject shall not be required if the data breach has not produced significant harm and the controller (deletion: demonstrates to the satisfaction of the supervisory authority that it) has implemented appropriate technological protection measures, and that those measures where applied to the data concerned by the personal data breach. Such technological protection measures shall render the data unintelligible, unusable or anonymised to any person whi is not authorised access to it.

CA 73

Article 33 – paragraph 1

(Replacing amendments 691 - Kelly, Valean, 692 - Rohde, Valean, 693 - Valean, Creutzmann, Kelly, and 695 - Del Castillo Vera)

1. Where processing operations present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes, the controller shall carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment shall be sufficient to address a set of processing operations that present similar risks. SMEs shall only be required to perform an impact assessment after their third year of incorporation where data processing is deemed as a core activity of their business.

CA 76

Article 34 – paragraph 2 – introductory part

(Replacing amendments 96 - Rapporteur, 721 - Valean, Creutzmann, Rohde)

2. The controller or processor acting on the controller's behalf may consult the supervisory authority prior to the processing of special categories of personal data in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risks involved for the data subjects where:

CA 77

Article 34 - paragraph 3   (726 - Valean, Creutzmann, 727 - Kelly, Valean)   Where the competent supervisory authority determines in accordance with its power (deletion: is of the opinion) that the intended processing does not comply with this Regulation, in particular where risks are insufficiently identified or mitigated, it shall prohibit the intended processing and make appropriate proposals to remedy such incompliance. Such a decision shall be subject to appeal in a competent court and it may not be enforceable while being appealed unless the processing results to immediate serious harm suffered by data subjects.

CA 78

Article 36 - paragraph 1   (100 - Rapporteur, 747 - Ticau, 748 - Valean, Creutzmann)   The executive management of the controller or the processor shall support the data protection organisation or data protection officer in performing their duties and shall provide staff, premises, equipment and any other resources necessary to carry out the roles and duties referred to in Article 37.

CA 79

Article 36 - paragraph 2   (749 - Rohde, 750 - Valean, Creutzmann)   The data protection organisation or data protection officer shall perform his or her duties and tasks independently and shall directly report to the management of the controller or the processor.

CA 80

Article 42 – paragraph 1

(Replacing amendments 107 - Rapporteur, 774 - Valean, Creutzmann, 775 - Chichester, and 776 - Andersdotter)

1. Where the Commission has taken no decision pursuant to Article 41, or decides that a third country, or a territory or a processing sector within that third country, or an international organisation does not ensure an adequate level of protection in accordance with paragraph 5 of this Article, a controller or processor may transfer personal data to a third country or an international organisation transferring data on an international basis only if the controller or processor has adduced appropriate safeguards with respect to the protection of personal data in a legally binding instrument, and where appropriate pursuant to an impact assessment, where the controller or processor has ensured that the recipient of data in a third country maintains high standards of data protection.

These safeguards shall, at least, guarantee the observance of the principles of personal data processing as established in Article 5 and guarantee data subject rights as established in Chapter III.

CA 82

Article 43 - paragraph. 1, intro

(Replacing amendments 110 - Rapporteur, and 790 - Valean, Creutzmann)

The competent supervisory authority shall authorize through a single act of approval binding corporate rules for a group of undertakings. These rules will allow multiple intracompany international transfers in and out of Europe, provided that they:

CA 85

Article 61 - paragraph 1

(Replacing amendments 122 - Rapporteur, 841 - Rohde, Valean, and 842 - Valean, Creutzmann)

1. In exceptional circumstances, where a supervisory authority considers that there is an urgent need to act in order to protect the interests of data subjects, when the danger exists that the enforcement of a right of a data subject could be considerably impeded by means of an alteration of the existing state or for averting major disadvantages, by way of derogation from the procedure referred to in Article 58, it may immediately adopt provisional measures with a specified period of validity. This supervisory authority shall, without delay, communicate those measures, with full reasons, to the competent supervisory authority, the European Data Protection Board, the Commission and the controller or processor concerned.

CA 86

Article 77 - paragraph 1

(Replacing amendments 860 - Andersdotter, 861 - Valean, Creutzmann, Rohde, Kelly, and 862 - Del Castillo Vera)

1. Any person who has suffered damage as a result of an unlawful processing operation or of an action incompatible with this Regulation shall have the right to receive compensation from the controller (deletion: or the processor) for the damage suffered.

CA 87

Article 77 - paragraph 2

(Replacing amendments 863 - Andersdotter, 864 - Valean, Creutzmann, Kelly, and 865 - Del Castillo Vera)

2. Where more than one controller is involved in the processing, each controller shall be jointly and severally liable for the entire amount of the damage to the extent that the joint controllers' respective liability has not been determined in the legal arrangement referred to in Article 24. In the case of a group of undertakings, the entire group shall be liable as a single economic entity.

CA 90

Article 89 - paragraph 2

(Replacing amendments 164 - Rapporteur, and 915 - Proust)

2. Article 1(2), Article 2(b) and (c), Article 4(3), (4) and (5) and Articles 6 and 9 of Directive 2002/58/EC shall be deleted.