Data Protection: IMCO Opinion: Difference between revisions

From La Quadrature du Net
(Material scope)
Ligne 8 : Ligne 8 :
  
  
=Material scope=
+
=Material scope - 52=
  
'''Article 2'''
+
'''Article 2''' - Material scope
  
2. This Regulation does not apply to the processing of personal data:  
+
2. This Regulation does not apply to the processing of personal data:
 +
*...
 
*'''(eb) of a natural person which are made public in the course of exercising professional duties such as name, contact details and function;'''
 
*'''(eb) of a natural person which are made public in the course of exercising professional duties such as name, contact details and function;'''
 
  
 
=Pseudonymous data=
 
=Pseudonymous data=
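
Review bot: the new heading `=Material scope - 52=` carries a bare number with no label, so a reader cannot tell what 52 refers to. If it is the amendment number, put it on its own "Amendment 52" line under the heading, the way the later sections of the page do (for example "Amendment 69"), and keep the heading as plain `=Material scope=`. The added `*...` bullet would also read better with a short note that the earlier points of paragraph 2 are omitted.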

Revision as of 26 March 2013, 20:16

IMCO is the European Parliament committee on Internal Market and Consumer Protection issues. As such, it is usually asked to give its opinion on any Regulation, Directive or other text the Parliament has to vote on, focusing on matters relating to consumer protection.

The opinion it issued on the proposed Regulation is intended to assist LIBE in drafting its report (which will contain the amendments the Parliament will vote on).

You can find a detailed list of its members here on Memopol.

This page aims to show and analyse the main points the IMCO (Consumers) opinion focuses on.


Material scope - 52

Article 2 - Material scope

2. This Regulation does not apply to the processing of personal data:

  • ...
  • (eb) of a natural person which are made public in the course of exercising professional duties such as name, contact details and function;

Pseudonymous data

Article 4

(3b) 'pseudonymous data' means any personal data that has been collected, altered or otherwise processed so that it of itself cannot be attributed to a data subject without the use of additional data which is subject to separate and distinct technical and organisational controls to ensure such non attribution, or that such attribution would require a disproportionate amount of time, expense and effort


Consent

Article 4

(8) ‘the data subject's consent’ means any freely given indication that must be specific, informed and as explicit as possible according to the context, of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, explicitly whenever the data referred to in Article 9(1) are to be processed, signifies agreement to personal data relating to them being processed;


Data breach

Article 4

(9) ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed; strongly encrypted data, where there is evidence that the encryption key has not been compromised fall outside this legislation


Purpose limitation

Article 5

(c) adequate, relevant, and limited to the minimum necessary not excessive in relation to the purposes for which they are processed; they shall only be processed if, and as long as, the purposes could not be fulfilled by processing information that does not involve personal data;


Exceptions to consent

Article 6

Amendment 69

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or for the performance of a task carried out for assessing creditworthiness or for fraud


Amendment 70

(f) processing is necessary for the purposes of the legitimate interests pursued by a controller or controllers or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks.


Amendment 71

(fa) the data are collected from public registers, lists or documents accessible by everyone;


Amendment 73

(fc) processing is necessary for fraud detection and prevention purposes according to applicable financial regulation or established industry, or professional body, codes of practice;


Amendment 74

(fd) the processing is necessary to defend an interest, collecting evidences as judicial proofs or file an action;


Amendment 75

(fe) only pseudonymous data is processed.


Purpose limitation

Amendment 77

4. Where the purpose of further processing is not compatible with the one for which the personal data have been collected, the processing must have a legal basis at least in one of the grounds referred to in points (a) to (e) of paragraph 1. This shall in particular apply to any change of terms and general conditions of a contract.


Consent

Article 7

Amendment 81

4. Consent shall not provide a legal basis for the processing, where there is a significant imbalance between the position of the data subject and the controller.


Amendment 82

4a. The execution of a contract or the provision of a service may not be made dependent on the consent to the processing or use of data that is not necessary for the execution of the contract or the provision of the service according to Article 6 (1) (b).


Special category of personal data

Article 9 - 2

Amendment 94

(e) the processing relates to personal data which are manifestly made public by the data subject or which are freely transferred to the controller on the initiative of data subject and which are processed for the specific purpose determined by data subject and in his interest; or


Information

Amendment 109

Article 14 - 1

(c) the criteria and/or legal requirements for determining the period for which the personal data will be stored for each purpose;


Amendment 111

Article 14 - 5

(b) the data are meant to serve solely the purposes of art. 83, are not collected from the data subject and the provision of such information proves impossible or would involve a disproportionate effort and generate excessive administrative burden, especially when the processing is carried out by a SME as defined in EU recommendation 2003/361; or


Right to be forgotten

Amendment 117

Article 16

Paragraph 1 shall not apply to pseudonymous data.


Profiling

Amendments 130-131

Article 20

  • 1. Every natural person shall have the right not to be subject to a measure which produces legal effects concerning this natural person or significantly affects this natural person, and which is based solely on automated processing intended to evaluate certain personal aspects relating to this natural person or to analyse or predict in particular the natural person's performance at work, economic situation, location, health, personal preferences, reliability or behaviour A data subject shall not be subject to a decision which is unfair or discriminatory, and which is based solely on automated processing intended to evaluate certain personal aspects relating to this data subject.

2. Subject to the other provisions of this Regulation, a person may be subjected to a measure of the kind referred to in paragraph 1 only if the processing:

  • (a) is carried out in the course of the entering into, or performance of, a contract, where the request for the entering into or the performance of the contract, lodged by the data subject, has been satisfied or where suitable measures to safeguard the data subject's legitimate interests have been adduced, such as the right to obtain human intervention; or
  • (b) is expressly authorized by a Union or Member State law which also lays down suitable measures to safeguard the data subject's legitimate interests; or

  • (c) is based on the data subject's consent, subject to the conditions laid down in Article 7 and to suitable safeguards.


Controller's liability

Amendment 144

Article 26 - 1

1. Where a processing operation is to be carried out on behalf of a controller and which involves the processing of data that would permit the processor to reasonably identify the data subject, the controller shall choose a processor providing sufficient guarantees to implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject, in particular in respect of the technical security measures and organizational measures governing the processing to be carried out and shall ensure compliance with those measures. The controller remains solely responsible for ensuring compliance with the requirements of this Regulation.


Data breach

Amendment 162

Article 31 -1

1. In the case of a personal data breach, which would have a significantly adverse impact on the protection of the personal data or privacy of the data subject, the controller shall without undue delay and, where feasible, not later than 24 hours after having become aware of it, notify the personal data breach to the supervisory authority. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 24 hours.


Amendment 163

3. The notification referred to in paragraph 1 must at least if possible:


Amendment 167

Article 32 -1

1. When the personal data breach is likely to adversely affect have a significantly adverse impact on the protection of the personal data or privacy of the data subject, for example identity theft or fraud, physical harm, significant humiliation or damage to the reputation, the controller shall, after the notification referred to in Article 31, communicate the personal data breach to the data subject in a clear and concise manner and without undue delay.


Amendment 169

3. The communication of a personal data breach to the data subject shall not be required if the data breach does not have significant risk of harm to citizens and the controller demonstrates to the satisfaction of the supervisory authority that it has implemented appropriate technological protection measures, and that those measures were applied to the data concerned by the personal data breach. Such technological protection measures shall render the data unintelligible to any person who is not authorised to access it.


Data Protection Officer

Amendment 181

Article 35 -1

(b) the processing is carried out by an enterprise employing 250 persons or more; or


Transfer to third countries

Amendment 192

Article 44 -1

(h) the transfer is necessary for the purposes of the legitimate interests pursued by the controller or the processor, which cannot be qualified as frequent or massive or where, prior to such transfer, the personal data is already made public in the third country, and where the controller or processor has assessed all the circumstances surrounding the data transfer operation or the set of data transfer operations and based on this assessment adduced appropriate safeguards with respect to the protection of personal data, where necessary.


Complaint

Amendment 198

Article 73 -2

2. Any body, organisation or association which aims to protect data subjects’ rights and interests concerning the protection of their personal data and has been properly constituted according to the law of a Member State shall have the right to lodge a complaint with a supervisory authority in any Member State on behalf of one or more data subjects if it considers that a data subject’s rights under this Regulation have been infringed as a result of the processing of personal data.


Amendment 200

Article 74 -4

4. A data subject which is concerned by a decision of a supervisory authority in another Member State than where the data subject has its habitual residence, may request the supervisory authority of the Member State where it has its habitual residence to bring proceedings on its behalf against the competent supervisory authority in the other Member State.


Sanctions

Amendment 208-209-210

Delete Article 78 §4-5-6 (administrative sanctions)