Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (first reading) - Preparation of trilogue - Chapters II, III, IV and V

1.

Key data

Document date 16-11-2015
Publication date 17-11-2015
Reference 14076/15
From Presidency
External link to original message
Original document in PDF

2.

Text

Council of the European Union

Brussels, 16 November 2015

PUBLIC

(OR. en)

14076/15

Interinstitutional File:

2012/0011 (COD) LIMITE

DATAPROTECT 200 JAI 852 MI 722 DIGIT 91 DAPIX 208 FREMP 260 COMIX 582 CODEC 1512

NOTE

From: Presidency

To: Permanent Representatives Committee

No. prev. doc.: 10391/15, 13914/15

Subject: Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (first reading)

  • Preparation of trilogue - Chapters II, III, IV and V

DOCUMENT PARTIALLY ACCESSIBLE TO THE PUBLIC (27.11.2015)

Delegations will find in Annex a comparative table which compares in 4 columns the Commission proposal, the position of the European Parliament in 1st reading, the Council's General Approach and compromises tentatively agreed at previous trilogues as well as compromise suggestions by the Presidency. Text marked in brackets will be discussed by the Permanent Representatives Committee at a later stage in relation to other provisions of the text.

ANNEX

Columns: COM (2012)0011 | EP Position / First Reading | Council General Approach | Tentative agreement in trilogue (15/06/2015)

COM (2012)0011:
(19) Any processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union should be carried out in accordance with this Regulation, regardless of whether the processing itself takes place within the Union or not. Establishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in this respect.

EP Position / First Reading:
(19) Any processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union should be carried out in accordance with this Regulation, regardless of whether the processing itself takes place within the Union or not. Establishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in this respect.

Council General Approach:
(19) Any processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union should be carried out in accordance with this Regulation, regardless of whether the processing itself takes place within the Union or not. Establishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in this respect.

Tentative agreement in trilogue (15/06/2015):
DELETED FROM THIS POINT UNTIL THE END OF THE COLUMN

ANNEX DGD 2C LIMITE EN

COM (2012)0011:
(20) In order to ensure that individuals are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects residing in the Union by a controller not established in the Union should be subject to this Regulation where the processing activities are related to the offering of goods or services to such data subjects, or to the monitoring of the behaviour of such data subjects.

EP Position / First Reading:
(20) In order to ensure that individuals are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects residing in the Union by a controller not established in the Union should be subject to this Regulation where the processing activities are related to the offering of goods or services, irrespective of whether connected to a payment or not, to such data subjects, or to the monitoring of the behaviour of such data subjects. In order to determine whether such a controller is offering goods or services to such data subjects in the Union, it should be ascertained whether it is apparent that the controller is envisaging the offering of services to data subjects in one or more Member States in the Union.

Council General Approach:
(20) In order to ensure that individuals are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects residing in the Union by a controller not established in the Union should be subject to this Regulation where the processing activities are related to the offering of goods or services to such data subjects irrespective of whether connected to a payment or not, which takes place in the Union. In order to determine whether such a controller is offering goods or services to such data subjects in the Union, it should be ascertained whether it is apparent that the controller is envisaging doing business with data subjects residing in one or more Member States in the Union. Whereas the mere accessibility of the controller's or an intermediary's website in the Union or of an email address and of other contact details or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, and/or the mentioning of customers or users residing in the Union, may make it apparent that the controller envisages offering goods or services to such data subjects in the Union.

COM (2012)0011:
(21) In order to determine whether a processing activity can be considered to 'monitor the behaviour' of data subjects, it should be ascertained whether individuals are tracked on the internet with data processing techniques which consist of applying a 'profile' to an individual, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.

EP Position / First Reading:
(21) In order to determine whether a processing activity can be considered to 'monitor the behaviour' of data subjects, it should be ascertained whether individuals are tracked on the internet with, regardless of the origins of the data, or if other data about them are collected, including from public registers and announcements in the Union that are accessible from outside of the Union, including with the intention to use, or potential of subsequent use of data processing techniques which consist of applying a 'profile' to an individual, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.

Council General Approach:
(21) The processing of personal data of data subjects residing in the Union by a controller not established in the Union should also be subject to this Regulation when it is related to the monitoring of their behaviour taking place within the European Union. In order to determine whether a processing activity can be considered to 'monitor the behaviour' of data subjects, it should be ascertained whether individuals are tracked on the internet with data processing techniques which consist of applying a 'profile' to profiling an individual, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.

COM (2012)0011:
(22) Where the national law of a Member State applies by virtue of public international law, this Regulation should also apply to a controller not established in the Union, such as in a Member State's diplomatic mission or consular post.

EP Position / First Reading:
(22) Where the national law of a Member State applies by virtue of public international law, this Regulation should also apply to a controller not established in the Union, such as in a Member State's diplomatic mission or consular post.

Council General Approach:
(22) Where the national law of a Member State applies by virtue of public international law, this Regulation should also apply to a controller not established in the Union, such as in a Member State's diplomatic mission or consular post.

(23a) The application of pseudonymisation to personal data can reduce the risks for the data subjects concerned and help controllers and processors meet their data protection obligations. The explicit introduction of 'pseudonymisation' through the articles of this Regulation is thus not intended to preclude any other measures of data protection.

(23b) (…)

(23c) In order to create incentives for applying pseudonymisation when processing personal data, measures of pseudonymisation whilst allowing general analysis should be possible within the same controller when the controller has taken technical and organisational measures necessary to ensure that the provisions of this Regulation are implemented, taking into account the respective data processing and ensuring that additional information for attributing the personal data to a specific data subject is kept separately. The controller who processes the data shall also refer to authorised persons within the same controller. In such case however the controller shall make sure that the individual(s) performing the pseudonymisation are not referenced in the metadata.


Amendment 8

COM (2012)0011:
(25) Consent should be given explicitly by any appropriate method enabling a freely given specific and informed indication of the data subject's wishes, either by a statement or by a clear affirmative action by the data subject, ensuring that individuals are aware that they give their consent to the processing of personal data, including by ticking a box when visiting an Internet website or by any other statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of their personal data. Silence or inactivity should therefore not constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. If the data subject's consent is to be given following an electronic request, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.

EP Position / First Reading:
(25) Consent should be given explicitly by any appropriate method enabling a freely given specific and informed indication of the data subject's wishes, either by a statement or by a clear affirmative action that is the result of choice by the data subject, ensuring that individuals are aware that they give their consent to the processing of personal data, including by. Clear affirmative action could include ticking a box when visiting an Internet website or by any other statement or conduct which clearly indicates in this context the data subject's including acceptance of the proposed processing of his or her personal data. Silence, mere use of a service or inactivity should therefore not constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. If the data subject's consent is to be given following an electronic request, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.

Council General Approach:
(25) Consent should be given explicitly unambiguously by any appropriate method enabling a freely given specific and informed indication of the data subject's wishes, either by a written, including electronic, oral or other statement or, if required by specific circumstances, by any other clear affirmative action by the data subject, signifying his or her agreement to ensuring that individuals are aware that they give their consent to the processing of personal data relating to him or her being processed., This could include by ticking a box when visiting an Internet website or by any other statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of their personal data. Silence or inactivity should therefore not constitute consent. Where it is technically feasible and effective, the data subject's consent to processing may be given by using the appropriate settings of a browser or other application. In such cases it is sufficient that the data subject receives the information needed to give freely specific and informed consent when starting to use the service. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, unambiguous consent should be granted for all of the processing purposes. If the data subject's consent is to be given following an electronic request, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.


(25a) Genetic data should be defined as personal data relating to the genetic characteristics of an individual which have been inherited or acquired as they result from an analysis of a biological sample from the individual in question, in particular by chromosomal, deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analysis or analysis of any other element enabling equivalent information to be obtained.


COM (2012)0011:
(26) Personal data relating to health should include in particular all data pertaining to the health status of a data subject; information about the registration of the individual for the provision of health services; information about payments or eligibility for healthcare with respect to the individual; a number, symbol or particular assigned to an individual to uniquely identify the individual for health purposes; any information about the individual collected in the course of the provision of health services to the individual; information derived from the testing or examination of a body part or bodily substance, including biological samples; identification of a person as provider of healthcare to the individual; or any information on e.g. a disease, disability, disease risk, medical history, clinical treatment, or the actual physiological or biomedical state of the data subject independent of its source, such as e.g. from a physician or other health professional, a hospital, a medical device, or an in vitro diagnostic test.

EP Position / First Reading:
(26) Personal data relating to health should include in particular all data pertaining to the health status of a data subject; information about the registration of the individual for the provision of health services; information about payments or eligibility for healthcare with respect to the individual; a number, symbol or particular assigned to an individual to uniquely identify the individual for health purposes; any information about the individual collected in the course of the provision of health services to the individual; information derived from the testing or examination of a body part or bodily substance, including biological samples; identification of a person as provider of healthcare to the individual; or any information on e.g. a disease, disability, disease risk, medical history, clinical treatment, or the actual physiological or biomedical state of the data subject independent of its source, such as e.g. from a physician or other health professional, a hospital, a medical device, or an in vitro diagnostic test.

Council General Approach:
(26) Personal data relating to concerning health should include in particular all data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health of the data subject; including information about the registration of the individual for the provision of health services; information about payments or eligibility for healthcare with respect to the individual; a number, symbol or particular assigned to an individual to uniquely identify the individual for health purposes; any information about the individual collected in the course of the provision of health services to the individual; information derived from the testing or examination of a body part or bodily substance, including genetic data and biological samples; identification of a person as provider of healthcare to the individual; or any information on e.g. for example a disease, disability, disease risk, medical history, clinical treatment, or the actual physiological or biomedical state of the data subject independent of its source, such as e.g. for example from a physician or other health professional, a hospital, a medical device, or an in vitro diagnostic test.


COM (2012)0011:
(28) A group of undertakings should cover a controlling undertaking and its controlled undertakings, whereby the controlling undertaking should be the undertaking which can exercise a dominant influence over the other undertakings by virtue, for example, of ownership, financial participation or the rules which govern it or the power to have personal data protection rules implemented.

EP Position / First Reading:
(28) A group of undertakings should cover a controlling undertaking and its controlled undertakings, whereby the controlling undertaking should be the undertaking which can exercise a dominant influence over the other undertakings by virtue, for example, of ownership, financial participation or the rules which govern it or the power to have personal data protection rules implemented.

Council General Approach:
(28) A group of undertakings should cover a controlling undertaking and its controlled undertakings, whereby the controlling undertaking should be the undertaking which can exercise a dominant influence over the other undertakings by virtue, for example, of ownership, financial participation or the rules which govern it or the power to have personal data protection rules implemented. A central undertaking which controls the processing of personal data in undertakings affiliated to it forms together with these undertakings an entity which may be treated as "group of undertakings".


COM (2012)0011:
(29) Children deserve specific protection of their personal data, as they may be less aware of risks, consequences, safeguards and their rights in relation to the processing of personal data. To determine when an individual is a child, this Regulation should take over the definition laid down by the UN Convention on the Rights of the Child.

EP Position / First Reading:
(29) Children deserve specific protection of their personal data, as they may be less aware of risks, consequences, safeguards and their rights in relation to the processing of personal data. To determine when an individual is a child, this Regulation should take over the definition laid down by the UN Convention on the Rights of the Child. Where data processing is based on the data subject's consent in relation to the offering of goods or services directly to a child, consent should be given or authorised by the child's parent or legal guardian in cases where the child is below the age of 13. Age-appropriate language should be used where the intended audience is children. Other grounds of lawful processing such as grounds of public interest should remain applicable, such as for processing in the context of preventive or counselling services offered directly to a child.

Council General Approach:
(29) Children deserve specific protection of their personal data, as they may be less aware of risks, consequences, safeguards and their rights in relation to the processing of personal data. To determine when an individual is a child, this Regulation should take over the definition laid down by the UN Convention on the Rights of the Child. This concerns especially the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of child data when using services offered directly to a child.


COM (2012)0011:
(30) Any processing of personal data should be lawful, fair and transparent in relation to the individuals concerned. In particular, the specific purposes for which the data are processed should be explicit and legitimate and determined at the time of the collection of the data. The data should be adequate, relevant and limited to the minimum necessary for the purposes for which the data are processed; this requires in particular ensuring that the data collected are not excessive and that the period for which the data are stored is limited to a strict minimum. Personal data should only be processed if the purpose of the processing could not be fulfilled by other means. Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted. In order to ensure that the data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review.

EP Position / First Reading:
(30) Any processing of personal data should be lawful, fair and transparent in relation to the individuals concerned. In particular, the specific purposes for which the data are processed should be explicit and legitimate and determined at the time of the collection of the data. The data should be adequate, relevant and limited to the minimum necessary for the purposes for which the data are processed; this requires in particular ensuring that the data collected are not excessive and that the period for which the data are stored is limited to a strict minimum. Personal data should only be processed if the purpose of the processing could not be fulfilled by other means. Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted. In order to ensure that the data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review.

Council General Approach:
(30) Any processing of personal data should be lawful and, fair. and It should be transparent in relation to for the individuals concerned. In particular, the specific purposes for which the data are processed should be explicit and legitimate and determined at the time of the collection of the data. The data should be adequate, relevant and limited to the minimum necessary for the purposes for which the data are processed; this requires in particular ensuring that the data collected are not excessive and that the period for which the data are stored is limited to a strict minimum. Personal data should only be processed if the purpose of the processing could not be fulfilled by other means. that personal data concerning them are collected, used, consulted or otherwise processed and to which extent the data are processed or will be processed. The principle of transparency requires that any information and communication relating to the processing of those data should be easily accessible and easy to understand, and that clear and plain language is used. This concerns in particular the information of the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the individuals concerned and their right to get confirmation and communication of personal data being processed concerning them. Individuals should be made aware on risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise his or her rights in relation to the processing. In particular, the specific purposes for which the data are processed should be explicit and legitimate and determined at the time of the collection of the data. The data should be adequate and relevant for the purposes for which the data are processed; this requires in particular ensuring that the data collected are not excessive and that the period for which the data are stored is limited to a strict minimum. Personal data should only be processed if the purpose of the processing could not reasonably be fulfilled by other means. In order to ensure that the data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review. Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted. In order to ensure that the data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review. Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or the use of personal data and the equipment used for the processing.


Amendment 10

COM (2012)0011:
(31) In order for processing to be lawful, personal data should be processed on the basis of the consent of the person concerned or some other legitimate basis, laid down by law, either in this Regulation or in other Union or Member State law as referred to in this Regulation.

EP Position / First Reading:
(31) In order for processing to be lawful, personal data should be processed on the basis of the consent of the person concerned or some other legitimate basis, laid down by law, either in this Regulation or in other Union or Member State law as referred to in this Regulation. In case of a child or a person lacking legal capacity, relevant Union or Member State law should determine the conditions under which consent is given or authorised by that person.

Council General Approach:
(31) In order for processing to be lawful, personal data should be processed on the basis of the consent of the person concerned or some other legitimate basis, laid down by law, either in this Regulation or in other Union or Member State law as referred to in this Regulation, including the necessity for compliance with the legal obligation to which the controller is subject or the necessity for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.


Amendment 11

COM (2012)0011:
(32) Where processing is based on the data subject's consent, the controller should have the burden of proving that the data subject has given the consent to the processing operation. In particular in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware that and to what extent consent is given.

EP Position / First Reading:
(32) Where processing is based on the data subject's consent, the controller should have the burden of proving that the data subject has given the consent to the processing operation. In particular in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware that and to what extent consent is given. To comply with the principle of data minimisation, the burden of proof should not be understood as requiring the positive identification of data subjects unless necessary. Similar to civil law terms (e.g. Council Directive 93/13/EEC [1]), data protection policies should be as clear and transparent as possible. They should not contain hidden or disadvantageous clauses. Consent cannot be given for the processing of personal data of third persons.

[1] Council Directive 93/13/EEC of 5 April 1993 on unfair terms in consumer contracts (OJ L 95, 21.4.1993, p. 29).

Council General Approach:
(32) Where processing is based on the data subject's consent, the controller should have the burden of proving be able to demonstrate that the data subject has given the consent to the processing operation. In particular in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware that and to what the extent to which consent is given. A declaration of consent pre-formulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language and its content should not be unusual within the overall context. For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended; consent should not be regarded as freely-given if the data subject has no genuine and free choice and is unable to refuse or withdraw consent without detriment.


Amendment 12

COM (2012)0011:
(33) In order to ensure free consent, it should be clarified that consent does not provide a valid legal ground where the individual has no genuine and free choice and is subsequently not able to refuse or withdraw consent without detriment.

EP Position / First Reading:
(33) In order to ensure free consent, it should be clarified that consent does not provide a valid legal ground where the individual has no genuine and free choice and is subsequently not able to refuse or withdraw consent without detriment. This is especially the case if the controller is a public authority that can impose an obligation by virtue of its relevant public powers and the consent cannot be deemed as freely given. The use of default options which the data subject is required to modify to object to the processing, such as pre-ticked boxes, does not express free consent. Consent for the processing of additional personal data that are not necessary for the provision of a service should not be required for using the service. When consent is withdrawn, this may allow the termination or non-execution of a service which is dependent on the data. Where the conclusion of the intended purpose is unclear, the controller should in regular intervals provide the data subject with information about the processing and request a reaffirmation of their his or her consent.

Council General Approach:
(33) deleted


Amendment 13

COM (2012)0011:
(34) Consent should not provide a valid legal ground for the processing of personal data, where there is a clear imbalance between the data subject and the controller. This is especially the case where the data subject is in a situation of dependence from the controller, among others, where personal data are processed by the employer of employees' personal data in the employment context. Where the controller is a public authority, there would be an imbalance only in the specific data processing operations where the public authority can impose an obligation by virtue of its relevant public powers and the consent cannot be deemed as freely given, taking into account the interest of the data subject.

EP Position / First Reading:
deleted

Council General Approach:
(34) In order to safeguard that Consent consent has been freely-given, consent should not provide a valid legal ground for the processing of personal data in a specific case, where there is a clear imbalance between the data subject and the controller and This this is especially the case where the data subject is in a situation of dependence from the controller, among others, where personal data are processed by the employer of employees' personal data in the employment context. Where the controller is a public authority, there would be an imbalance only in the specific data processing operations where the public authority can impose an obligation by virtue of its relevant public powers and makes it unlikely that the consent cannot be deemed was given as freely-given, taking into account the interest of the data subject in all the circumstances of that specific situation. Consent is presumed not to be freely given, if it does not allow separate consent to be given to different data processing operations despite it is appropriate in the individual case, or if the performance of a contract is made dependent on the consent despite this is not necessary for such performance and the data subject cannot reasonably obtain equivalent services from another source without consent.

COM (2012)0011, EP Position / First Reading and Council General Approach (identical text): (35) Processing should be lawful where it is necessary in the context of a contract or the intended entering into a contract.

COM (2012)0011 and EP Position / First Reading (identical text): (37) The processing of personal data should equally be regarded as lawful where it is necessary to protect an interest which is essential for the data subject's life.

Council General Approach: (37) The processing of personal data should equally be regarded as lawful where it is necessary to protect an interest which is essential for the data subject's life or that of another person. Some types of data processing may serve both important grounds of public interest and the vital interests of the data subject as, for instance when processing is necessary for humanitarian purposes, including for monitoring epidemic and its spread or in situations of humanitarian emergencies, in particular in situations of natural disasters.

COM (2012)0011: (38) The legitimate interests of a controller may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding. This would need careful assessment in particular where the data subject is a child, given that children deserve specific protection. The data subject should have the right to object the processing, on grounds relating to their particular situation and free of charge. To ensure transparency, the controller should be obliged to explicitly inform the data subject on the legitimate interests pursued and on the right to object, and also be obliged to document these legitimate interests. Given that it is for the legislator to provide by law the legal basis for public authorities to process data, this legal ground should not apply for the processing by public authorities in the performance of their tasks.

EP Position / First Reading (Amendment 15): (38) The legitimate interests of a the controller, or in case of disclosure, of the third party to whom the data is are disclosed, may provide a legal basis for processing, provided that they meet the reasonable expectations of the data subject based on his or her relationship with the controller and that the interests or the fundamental rights and freedoms of the data subject are not overriding. This would need careful assessment in particular where the data subject is a child, given that children deserve specific protection. Provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, processing limited to pseudonymous data should be presumed to meet the reasonable expectations of the data subject based on his or her relationship with the controller. The data subject should have the right to object the processing, on grounds relating to their particular situation and free of charge. To ensure transparency, the controller should be obliged to explicitly inform the data subject on the legitimate interests pursued and on the right to object, and also be obliged to document these legitimate interests. The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing. Given that it is for the legislator to provide by law the legal basis for public authorities to process data, this legal ground should not apply for the processing by public authorities in the performance of their tasks.

Council General Approach: (38) The legitimate interests of a controller including of a controller to which the data may be disclosed or of a third party may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding. This would need careful assessment including whether a data subject can expect at the time and in the context of the collection of the data that processing for this purpose may take place. Legitimate interest could exist for example when there is a relevant and appropriate connection between the data subject and the controller in situations such as the data subject being a client or in the service of the controller. At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can expect at the time and in the context of the collection of the data that processing for this purpose may take place. iIn particular where such assessment must take into account whether the data subject is a child, given that children deserve specific protection. The data subject should have the right to object to the processing, on grounds relating to their particular situation and free of charge. To ensure transparency, the controller should be obliged to explicitly inform the data subject on the legitimate interests pursued and on the right to object, and also be obliged to document these legitimate interests. Given that it is for Union or national law the legislator to provide by law the legal basis for public authorities to process data, this legal ground should not apply for the processing by public authorities in the exercise performance of their tasksduties.

(38a) Controllers that are part of a group of undertakings or institution affiliated to a central body may have a legitimate interest to transmit personal data within the group of undertakings for internal administrative purposes, including the processing of clients' or employees' personal data. The general principles for the transfer of personal data, within a group of undertakings, to an undertaking located in a third country remain unaffected.


COM (2012)0011: (39) The processing of data to the extent strictly necessary for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted data, and the security of the related services offered by, or accessible via, these networks and systems, by public authorities, Computer Emergency Response Teams – CERTs, Computer Security Incident Response Teams – CSIRTs, providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the concerned data controller. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.

EP Position / First Reading (Amendment 16): (39) The processing of data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted data, and the security of the related services offered by, or accessible via, these networks and systems, by public authorities, Computer Emergency Response Teams – CERTs, Computer Security Incident Response Teams – CSIRTs, providers of electronic communications networks and services and by providers of security technologies and services constitutes a legitimate interest of the concerned data controller. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems. This principle also applies to processing of personal data to restrict abusive access to and use of publicly available network or information systems, such as the blacklisting of electronic identifiers.

Council General Approach: (39) The processing of data to the extent strictly necessary for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted data, and the security of the related services offered by, or accessible via, these networks and systems, by public authorities, Computer Emergency Response Teams – CERTs, Computer Security Incident Response Teams – CSIRTs, providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the concerned data controller concerned. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems. The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.

Amendment 17 (39a) Provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, the prevention or limitation of damages on the side of the data controller should be presumed as carried out for the legitimate interest of the data controller or, in case of disclosure, of the third party to whom the data is are disclosed, and as meeting the reasonable expectations of the data subject based on his or her relationship with the controller. The same principle also applies to the enforcement of legal claims against a data subject, such as debt collection or civil damages and remedies.


Amendment 18 (39b) Provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, the processing of personal data for the purpose of direct marketing for own or similar products and services or for the purpose of postal direct marketing should be presumed as carried out for the legitimate interest of the controller, or in case of disclosure, of the third party to whom the data are disclosed, and as meeting the reasonable expectations of the data subject based on his or her relationship with the controller if highly visible information on the right to object and on the source of the personal data is given. The processing of business contact details should be generally regarded as carried out for the legitimate interest of the controller, or in case of disclosure, of the third party to whom the data are disclosed, and as meeting the reasonable expectations of the data subject based on his or her relationship with the controller. The same should apply to the processing of personal data made manifestly public by the data subject.


COM (2012)0011: (40) The processing of personal data for other purposes should be only allowed where the processing is compatible with those purposes for which the data have been initially collected, in particular where the processing is necessary for historical, statistical or scientific research purposes. Where the other purpose is not compatible with the initial one for which the data are collected, the controller should obtain the consent of the data subject for this other purpose or should base the processing on another legitimate ground for lawful processing, in particular where provided by Union law or the law of the Member State to which the controller is subject. In any case, the application of the principles set out by this Regulation and in particular the information of the data subject on those other purposes should be ensured.

EP Position / First Reading (Amendment 19): deleted

Council General Approach: (40) The processing of personal data for other purposes than the purposes for which the data have been initially collected should be only allowed where the processing is compatible with those purposes for which the data have been initially collected, . in In such case no separate legal basis is required other than the one which allowed the collection of the data. If particular where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Union law or Member State law may determine and specify the tasks and purposes for which the further processing shall be regarded as lawful. The further processing for archiving purposes in the public interest, or historical, statistical, or scientific research or historical purposes or in view of future dispute resolution should be considered as compatible lawful processing operations. The legal basis provided by Union or Member State law for the collection and processing of personal data may also provide a legal basis for further processing for other purposes if these purposes are in line with the assigned task and the controller is entitled legally to collect the data for these other purposes. In order to ascertain whether a purpose of further processing is compatible with the purpose for which the data are initially collected, the controller, after having met all the requirements for the lawfulness of the original processing, should take into account inter alia any link between those purposes and the purposes of the intended further processing, the context in which the data have been collected, including the reasonable expectations of the data subject as to their further use, the nature of the personal data, the consequences of the intended further processing for data subjects, and the existence of appropriate safeguards in both the original and intended processing operations. Where the intended other purpose is not compatible with the initial one for which the data are collected, the controller should obtain the consent of the data subject for this other purpose or should base the processing on another legitimate ground for lawful processing, in particular where provided by Union law or the law of the Member State to which the controller is subject. In any case, the application of the principles set out by this Regulation and in particular the information of the data subject on those other purposes and on his or her rights including the right to object, should be ensured. Indicating possible criminal acts or threats to public security by the controller and transmitting these data to a competent authority should be regarded as being in the legitimate interest pursued by the controller. However such transmission in the legitimate interest of the controller or further processing of personal data should be prohibited if the processing is not compatible with a legal, professional or other binding obligation of secrecy.

COM (2012)0011: (41) Personal data which are, by their nature, particularly sensitive and vulnerable in relation to fundamental rights or privacy, deserve specific protection. Such data should not be processed, unless the data subject gives his explicit consent. However, derogations from this prohibition should be explicitly provided for in respect of specific needs, in particular where the processing is carried out in the course of legitimate activities by certain associations or foundations the purpose of which is to permit the exercise of fundamental freedoms.

EP Position / First Reading (Amendment 20): deleted

Council General Approach: (41) Personal data which are, by their nature, particularly sensitive and vulnerable in relation to fundamental rights and freedomsor privacy, deserve specific protection as the context of their processing may create important risks for the fundamental rights and freedoms. These data should also include personal data revealing racial or ethnic origin, whereby the use of the term ‘racial origin’ in this Regulation does not imply an acceptance by the European Union of theories which attempt to determine the existence of separate human races. Such data should not be processed, unless processing is allowed in specific cases set out in this Regulation, taking into account that Member States law may lay down specific provisions on data protection in order to adapt the application of the rules of this Regulation for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. In addition to the specific requirements for such processing, the general principles and other rules of this Regulation should apply, in particular as regards the conditions for lawful processing. Derogations from the general prohibition for processing such special categories of personal data should be explicitly provided inter alia where the data subject gives his or her explicit consent . However, derogations from this prohibition should be explicitly provided for or in respect of specific needs, in particular where the processing is carried out in the course of legitimate activities by certain associations or foundations the purpose of which is to permit the exercise of fundamental freedoms. Special categories of personal data may also be processed where the data have manifestly been made public or voluntarily and at the request of the data subject transferred to the controller for a specific purpose specified by the data subject, where the processing is done in the interest of the data subject. Member State and Union Law may provide that the general prohibition for processing such special categories of personal data in certain cases may not be lifted by the data subject’s explicit consent.

COM (2012)0011: (42) Derogating from the prohibition on processing sensitive categories of data should also be allowed if done by a law, and subject to suitable safeguards, so as to protect personal data and other fundamental rights, where grounds of public interest so justify and in particular for health purposes, including public health and social protection and the management of health-care services, especially in order to ensure the quality and cost-effectiveness of the procedures used for settling claims for benefits and services in the health insurance system, or for historical, statistical and scientific research purposes.

EP Position / First Reading (Amendment 21): (42) Derogating from the prohibition on processing sensitive categories of data should also be allowed if done by a law, and subject to suitable safeguards, so as to protect personal data and other fundamental rights, where grounds of public interest so justify and in particular for health purposes, including public health and social protection and the management of health-care services, especially in order to ensure the quality and cost-effectiveness of the procedures used for settling claims for benefits and services in the health insurance system, for historical, statistical and scientific research purposes, or for archive services.

Council General Approach: (42) Derogating from the prohibition on processing sensitive categories of data should also be allowed if done by a when provided for in Union or Member State law, and subject to suitable safeguards, so as to protect personal data and other fundamental rights, where grounds of public interest so justify, in particular processing data in the field of employment law, social security and social protection law, including pensions and for health security, monitoring and alert purposes, the prevention or control of communicable diseases and other serious threats to health or ensuring high standards of quality and safety of health care and services and of medicinal products or medical devices or assessing public policies adopted in the field of health, also by producing quality and activity indicators. and in particular This may be done for health purposes, including public health and social protection and the management of health-care services, especially in order to ensure the quality and cost-effectiveness of the procedures used for settling claims for benefits and services in the health insurance system, or for archiving in the public interest or historical, statistical and scientific research purposes. A derogation should also allow processing of such data where necessary for the establishment, exercise or defence of legal claims, regardless of whether in a judicial procedure or whether in an administrative or any out-of-court procedure.

(42a) Special categories of personal data which deserve higher protection, may only be processed for health-related purposes where necessary to achieve those purposes for the benefit of individuals and society as a whole, in particular in the context of the management of health or social care services and systems including the processing by the management and central national health authorities of such data for the purpose of quality control, management information and the general national and local supervision of the health or social care system, and ensuring continuity of health or social care and cross-border healthcare or health security, monitoring and alert purposes or for archiving purposes in the public interest, for historical, statistical or scientific purposes as well as for studies conducted in the public interest in the area of public health. Therefore this Regulation should provide for harmonised conditions for the processing of special categories of personal data concerning health, in respect of specific needs, in particular where the processing of these data is carried out for certain health-related purposes by persons subject to a legal obligation of professional secrecy. Union or Member State law should provide for specific and suitable measures so as to protect the fundamental rights and the personal data of individuals.

(42b) The processing of special categories of personal data may be necessary for reasons of public interest in the areas of public health without consent of the data subject. This processing is subject to suitable and specific measures so as to protect the rights and freedoms of individuals. In that context, ‘public health’ should be interpreted as defined in Regulation (EC) No 1338/2008 of the European Parliament and of the Council of 16 December 2008 on Community statistics on public health and health and safety at work, meaning all elements related to health, namely health status, including morbidity and disability, the determinants having an effect on that health status, health care needs, resources allocated to health care, the provision of, and universal access to, health care as well as health care expenditure and financing, and the causes of mortality. Such processing of personal data concerning health for reasons of public interest should not result in personal data being processed for other purposes by third parties such as employers, insurance and banking companies.

COM (2012)0011, EP Position / First Reading and Council General Approach (identical text): (43) Moreover, the processing of personal data by official authorities for achieving aims, laid down in constitutional law or international public law, of officially recognised religious associations is carried out on grounds of public interest.

COM (2012)0011, EP Position / First Reading and Council General Approach (identical text): (44) Where in the course of electoral activities, the operation of the democratic system requires in a Member State that political parties compile data on people's political opinions, the processing of such data may be permitted for reasons of public interest, provided that appropriate safeguards are established.

COM (2012)0011: (45) If the data processed by a controller do not permit the controller to identify a natural person, the data controller should not be obliged to acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation. In case of a request for access, the controller should be entitled to ask the data subject for further information to enable the data controller to locate the personal data which that person seeks.

EP Position / First Reading (Amendment 22): (45) If the data processed by a controller do not permit the controller to identify a natural person, the data controller should not be obliged to acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation. In case of a request for access, the controller should be entitled to ask the data subject for further information to enable the data controller to locate the personal data which that person seeks. If it is possible for the data subject to provide such data, controllers should not be able to invoke a lack of information to refuse an access request.

Council General Approach: (45) If the data processed by a controller do not permit the controller to identify a natural person, the data controller should not be obliged to acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation. In case of a request for access, the controller should be entitled to ask the data subject for further information to enable the data controller to locate the personal data which that person seeks. However, the controller should not refuse to take additional information provided by the data subject in order to support the exercise of his or her rights.

COM (2012)0011: (46) The principle of transparency requires that any information addressed to the public or to the data subject should be easily accessible and easy to understand, and that clear and plain language is used. This is in particular relevant where in situations, such as online advertising, the proliferation of actors and the technological complexity of practice makes it difficult for the data subject to know and understand if personal data relating to them are being collected, by whom and for what purpose. Given that children deserve specific protection, any information and communication, where processing is addressed specifically to a child, should be in such a clear and plain language that the child can easily understand.

EP Position / First Reading: (46) The principle of transparency requires that any information addressed to the public or to the data subject should be easily accessible and easy to understand, and that clear and plain language is used. This is in particular relevant where in situations, such as online advertising, the proliferation of actors and the technological complexity of practice makes it difficult for the data subject to know and understand if personal data relating to him or her are being collected, by whom and for what purpose. Given that children deserve specific protection, any information and communication, where processing is addressed specifically to a child, should be in such a clear and plain language that the child can easily understand.

Council General Approach: (46) The principle of transparency requires that any information addressed to the public or to the data subject should be easily accessible and easy to understand, and that clear and plain language and, additionally, where appropriate, visualisation is used. This information could be provided in electronic form, for example, when addressed to the public, through a website. This is in particular relevant where in situations, such as online advertising, the proliferation of actors and the technological complexity of practice makes it difficult for the data subject to know and understand if personal data relating to them are being collected, by whom and for what purpose. Given that children deserve specific protection, any information and communication, where processing is addressed specifically to a child, should be in such a clear and plain language that the child can easily understand.

COM (2012)0011: (47) Modalities should be provided for facilitating the data subject’s exercise of their rights provided by this Regulation, including mechanisms to request, free of charge, in particular access to data, rectification, erasure and to exercise the right to object. The controller should be obliged to respond to requests of the data subject within a fixed deadline and give reasons, in case he does not comply with the data subject's request.

EP Position / First Reading (Amendment 23): (47) Modalities should be provided for facilitating the data subject’s exercise of his or her rights provided by this Regulation, including mechanisms to request obtain, free of charge, in particular access to data, rectification, erasure and to exercise the right to object. The controller should be obliged to respond to requests of the data subject within a fixed reasonable deadline and give reasons, in case he does not comply with the data subject’s request.

Council General Approach: (47) Modalities should be provided for facilitating the data subject’s exercise of their rights provided by this Regulation, including mechanisms to request, free of charge, in particular access to data, rectification, erasure and to exercise the right to object. Thus the controller should also provide means for requests to be made electronically, especially where personal data are processed by electronic means. The controller should be obliged to respond to requests of the data subject without undue delay and at the latest within a fixed deadline of one month and give reasons where the controller , in case he does not intend to comply with the data subject's request.

COM (2012)0011: (48) The principles of fair and transparent processing require that the data subject should be informed in particular of the existence of the processing operation and its purposes, how long the data will be stored, on the existence of the right of access, rectification or erasure and on the right to lodge a complaint. Where the data are collected from the data subject, the data subject should also be informed whether they are obliged to provide the data and of the consequences, in cases they do not provide such data.

EP Position / First Reading (Amendment 24): (48) The principles of fair and transparent processing require that the data subject should be informed in particular of the existence of the processing operation and its purposes, how long the data will be likely stored for each purpose, if the data are to be transferred to third parties or third countries, on the existence of measures to object and of the right of access, rectification or erasure and on the right to lodge a complaint. Where the data are collected from the data subject, the data subject should also be informed whether they are obliged to provide the data and of the consequences, in cases they do not provide such data. This information should be provided, which can also mean made readily available, to the data subject after the provision of simplified information in the form of standardised icons. This should also mean that personal data are processed in a way that effectively allows the data subject to exercise his or her rights.

Council General Approach: (48) The principles of fair and transparent processing require that the data subject should be informed in particular of the existence of the processing operation and its purposes, how long the data will be stored, on the existence of the right of access, rectification or erasure and on the right to lodge a complaint. The controller should provide the data subject with any further information necessary to guarantee fair and transparent processing. Furthermore the data subject should be informed about the existence of profiling, and the consequences of such profiling. Where the data are collected from the data subject, the data subject should also be informed whether they are obliged to provide the data and of the consequences, in cases they do not provide such data.


COM (2012)0011: (49) The information in relation to the processing of personal data relating to the data subject should be given to them at the time of collection, or, where the data are not collected from the data subject, within a reasonable period, depending on the circumstances of the case. Where data can be legitimately disclosed to another recipient, the data subject should be informed when the data are first disclosed to the recipient.

EP Position / First Reading: (49) The information in relation to the processing of personal data relating to the data subject should be given to them at the time of collection, or, where the data are not collected from the data subject, within a reasonable period, depending on the circumstances of the case. Where data can be legitimately disclosed to another recipient, the data subject should be informed when the data are first disclosed to the recipient.

Council General Approach: (49) The information in relation to the processing of personal data relating to the data subject should be given to them at the time of collection, or, where the data are not collected from the data subject, within a reasonable period, depending on the circumstances of the case. Where data can be legitimately disclosed to another recipient, the data subject should be informed when the data are first disclosed to the recipient. Where the controller intends to process the data for a purpose other than the one for which the data were collected the controller should provide the data subject prior to that further processing with information on that other purpose and other necessary information. Where the origin of the data could not be provided to the data subject because various sources have been used, the information should be provided in a general manner.


COM (2012)0011: (50) However, it is not necessary to impose this obligation where the data subject already disposes of this information, or where the recording or disclosure of the data is expressly laid down by law, or where the provision of information to the data subject proves impossible or would involve disproportionate efforts. The latter could be particularly the case where processing is for historical, statistical or scientific research purposes; in this regard, the number of data subjects, the age of the data, and any compensatory measures adopted may be taken into consideration.

EP Position / First Reading (Amendment 25): (50) However, it is not necessary to impose this obligation where the data subject already knows this information, or where the recording or disclosure of the data is expressly laid down by law, or where the provision of information to the data subject proves impossible or would involve disproportionate efforts. The latter could be particularly the case where processing is for historical, statistical or scientific research purposes; in this regard, the number of data subjects, the age of the data, and any compensatory measures adopted may be taken into consideration.

Council General Approach: (50) However, it is not necessary to impose this obligation where the data subject already possesses this information, or where the recording or disclosure of the data is expressly laid down by law, or where the provision of information to the data subject proves impossible or would involve disproportionate efforts. The latter could be particularly the case where processing is for archiving purpose in the public interest, for historical, statistical or scientific research purposes; in this regard, the number of data subjects, the age of the data, and any appropriate safeguards adopted may be taken into consideration.


COM (2012)0011: (51) Any person should have the right of access to data which has been collected concerning them, and to exercise this right easily, in order to be aware and verify the lawfulness of the processing. Every data subject should therefore have the right to know and obtain communication in particular for what purposes the data are processed, for what period, which recipients receive the data, what is the logic of the data that are undergoing the processing and what might be, at least when based on profiling, the consequences of such processing. This right should not adversely affect the rights and freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software. However, the result of these considerations should not be that all information is refused to the data subject.

EP Position / First Reading (Amendment 26): (51) Any person should have the right of access to data which have been collected concerning them, and to exercise this right easily, in order to be aware and verify the lawfulness of the processing. Every data subject should therefore have the right to know and obtain communication in particular for what purposes the data are processed, for what estimated period, which recipients receive the data, what is the general logic of the data that are undergoing the processing and what might be, at least when based on profiling, the consequences of such processing. This right should not adversely affect the rights and freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software. However, the result of these considerations should not be that all information is refused to the data subject.

Council General Approach: (51) A natural person should have the right of access to data which has been collected concerning him or her, and to exercise this right easily and at reasonable intervals, in order to be aware of and verify the lawfulness of the processing. This includes the right for individuals to have access to their personal data concerning their health, for example the data in their medical records containing such information as diagnosis, examination results, assessments by treating physicians and any treatment or interventions provided. Every data subject should therefore have the right to know and obtain communication in particular for what purposes the data are processed, where possible for what period, which recipients receive the data, what is the logic involved in any automatic processing and what might be, at least when based on profiling, the consequences of such processing. This right should not adversely affect the rights and freedoms of others, including trade secrets or intellectual property and in particular, such as in relation to the copyright protecting the software. However, the result of these considerations should not be that all information is refused to the data subject. Where the controller processes a large quantity of information concerning the data subject, the controller may request that before the information is delivered the data subject specify to which information or to which processing activities the request relates.


COM (2012)0011: (52) The controller should use all reasonable measures to verify the identity of a data subject that requests access, in particular in the context of online services and online identifiers. A controller should not retain personal data for the unique purpose of being able to react to potential requests.

EP Position / First Reading: (52) The controller should use all reasonable measures to verify the identity of a data subject that requests access, in particular in the context of online services and online identifiers. A controller should not retain personal data for the unique purpose of being able to react to potential requests.

Council General Approach: (52) The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers. Identification should include the digital identification of a data subject, for example through authentication mechanism such as the same credentials, used by the data subject to log-into the on-line service offered by the data controller. A controller should not retain personal data for the sole purpose of being able to react to potential requests.


COM (2012)0011: (53) Any person should have the right to have personal data concerning them rectified and a 'right to be forgotten' where the retention of such data is not in compliance with this Regulation. In particular, data subjects should have the right that their personal data are erased and no longer processed, where the data are no longer necessary in relation to the purposes for which the data are collected or otherwise processed, where data subjects have withdrawn their consent for processing or where they object to the processing of personal data concerning them or where the processing of their personal data otherwise does not comply with this Regulation. This right is particularly relevant, when the data subject has given their consent as a child, when not being fully aware of the risks involved by the processing, and later wants to remove such personal data especially on the Internet. However, the further retention of the data should be allowed where it is necessary for historical, statistical and scientific research purposes, for reasons of public interest in the area of public health, for exercising the right of freedom of expression, when required by law or where there is a reason to restrict the processing of the data instead of erasing them.

EP Position / First Reading (Amendment 27): (53) Any person should have the right to have personal data concerning them rectified and a 'right to erasure' where the retention of such data is not in compliance with this Regulation. In particular, data subjects should have the right that their personal data are erased and no longer processed, where the data are no longer necessary in relation to the purposes for which the data are collected or otherwise processed, where data subjects have withdrawn their consent for processing or where they object to the processing of personal data concerning them or where the processing of their personal data otherwise does not comply with this Regulation. This right is particularly relevant, when the data subject has given their consent as a child, when not being fully aware of the risks involved by the processing, and later wants to remove such personal data especially on the Internet. However, the further retention of the data should be allowed where it is necessary for historical, statistical and scientific research purposes, for reasons of public interest in the area of public health, for exercising the right of freedom of expression, when required by law or where there is a reason to restrict the processing of the data instead of erasing them. Also, the right to erasure should not apply when the retention of personal data is necessary for the performance of a contract with the data subject, or when there is a legal obligation to retain this data.

Council General Approach: (53) A natural person should have the right to have personal data concerning them rectified and a 'right to be forgotten' where the retention of such data is not in compliance with this Regulation or with Union or Member State law to which the controller is subject. In particular, data subjects should have the right that their personal data are erased and no longer processed, where the data are no longer necessary in relation to the purposes for which the data are collected or otherwise processed, where data subjects have withdrawn their consent for processing or where they object to the processing of personal data concerning them or where the processing of their personal data otherwise does not comply with this Regulation. This right is in particular relevant, when the data subject has given their consent as a child, when not being fully aware of the risks involved by the processing, and later wants to remove such personal data especially on the Internet. The data subject should be able to exercise this right notwithstanding the fact that he or she is no longer a child. However, the further retention of the data should be lawful where it is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, for reasons of public interest in the area of public health, for archiving purposes in the public interest, for historical, statistical and scientific purposes or for the establishment, exercise or defence of legal claims when required by law or where there is a reason to restrict the processing of the data instead of erasing them.


COM (2012)0011: (54) To strengthen the 'right to be forgotten' in the online environment, the right to erasure should also be extended in such a way that a controller who has made the personal data public should be obliged to inform third parties which are processing such data that a data subject requests them to erase any links to, or copies or replications of that personal data. To ensure this information, the controller should take all reasonable steps, including technical measures, in relation to data for the publication of which the controller is responsible. In relation to a third party publication of personal data, the controller should be considered responsible for the publication, where the controller has authorised the publication by the third party.

EP Position / First Reading (Amendment 28): (54) To strengthen the 'right to erasure' in the online environment, the right to erasure should also be extended in such a way that a controller who has made the personal data public without legal justification should be obliged to inform third parties which are processing such data that a data subject requests them to erase any links to, or copies or replications of that personal data. To ensure this information, the controller should take all reasonable steps, including technical measures, in relation to data for the publication of which the controller is responsible. In relation to a third party publication of personal data, the controller should take all necessary steps to have the data erased, including by third parties, without prejudice to the right of the data subject to claim compensation.

Council General Approach: (54) To strengthen the 'right to be forgotten' in the online environment, the right to erasure should also be extended in such a way that a controller who has made the personal data public should be obliged to inform the controllers which are processing such data that a data subject requests them to erase any links to, or copies or replications of that personal data. To ensure the above mentioned information, the controller should take reasonable steps, taking into account available technology and the means available to the controller, including technical measures, in relation to data for the publication of which the controller is responsible. In relation to a third party publication of personal data, the controller should be considered responsible for the publication, where the controller has authorised the publication by the third party.


EP Position / First Reading (Amendment 29): (54a) Data which are contested by the data subject and whose accuracy or inaccuracy cannot be determined should be blocked until the issue is cleared.

Council General Approach: (54a) Methods to restrict processing of personal data could include, inter alia, temporarily moving the selected data to another processing system or making the selected data unavailable to users or temporarily removing published data from a website. In automated filing systems the restriction of processing of personal data should in principle be ensured by technical means; the fact that the processing of personal data is restricted should be indicated in the system in such a way that it is clear that the processing of the personal data is restricted.


COM (2012)0011: (55) To further strengthen the control over their own data and their right of access, data subjects should have the right, where personal data are processed by electronic means and in a structured and commonly used format, to obtain a copy of the data concerning them also in commonly used electronic format. The data subject should also be allowed to transmit those data, which they have provided, from one automated application, such as a social network, into another one. This should apply where the data subject provided the data to the automated processing system, based on their consent or in the performance of a contract.

EP Position / First Reading (Amendment 30): (55) To further strengthen the control over their own data and their right of access, data subjects should have the right, where personal data are processed by electronic means and in a structured and commonly used format, to obtain a copy of the data concerning them also in commonly used electronic format. The data subject should also be allowed to transmit those data, which they have provided, from one automated application, such as a social network, into another one. Data controllers should be encouraged to develop interoperable formats that enable data portability. This should apply where the data subject provided the data to the automated processing system, based on his or her consent or in the performance of a contract. Providers of information society services should not make the transfer of those data mandatory for the provision of their services.

Council General Approach: (55) To further strengthen the control over their own data and their right of access, data subjects should have the right, where the processing of personal data is carried out by automated means and in a structured and commonly used format, to obtain a copy of the data concerning them also in commonly used electronic format. The data subject should also be allowed to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured and commonly used and machine-readable format and transmit to another controller. This right should apply where the data subject provided the personal data to the automated processing system, based on his or her consent or in the performance of a contract. It should not apply where processing is based on another legal ground other than consent or contract. By its very nature this right should not be exercised against controllers processing data in the exercise of their public duties. It should therefore in particular not apply where processing of the personal data is necessary for compliance with a legal obligation to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of an official authority vested in the controller. The data subject's right to transmit personal data does not create an obligation for the controllers to adopt or maintain data processing systems which are technically compatible. Where, in a certain set of personal data, more than one data subject is concerned, the right to transmit the data should be without prejudice to the requirements on the lawfulness of the processing of personal data related to another data subject in accordance with this Regulation. This right should also not prejudice the right of the data subject to obtain the erasure of personal data and the limitations of that right as set out in this Regulation and should in particular not imply the erasure of personal data concerning the data subject which have been provided by him or her for the performance of a contract, to the extent and as long as the data are necessary for the performance of that contract.


COM (2012)0011: (56) In cases where personal data might lawfully be processed to protect the vital interests of the data subject, or on grounds of public interest, official authority or the legitimate interests of a controller, any data subject should nevertheless be entitled to object to the processing of any data relating to them. The burden of proof should be on the controller to demonstrate that their legitimate interests may override the interests or the fundamental rights and freedoms of the data subject.

EP Position / First Reading (Amendment 31): (56) In cases where personal data might lawfully be processed to protect the vital interests of the data subject, or on grounds of public interest, official authority or the legitimate interests of a controller, any data subject should nevertheless be entitled to object to the processing of any data relating to him or her, free of charge and in a manner that can be easily and effectively invoked. The burden of proof should be on the controller to demonstrate that their legitimate interests may override the interests or the fundamental rights and freedoms of the data subject.

Council General Approach: (56) In cases where personal data might lawfully be processed to protect the vital interests of the data subject, or because processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or on grounds of public interest, official authority or the legitimate interests of a controller or a third party, any data subject should nevertheless be entitled to object to the processing of any data relating to their particular situation. It should be for the controller to demonstrate that their compelling legitimate interests may override the interests or the fundamental rights and freedoms of the data subject.


COM (2012)0011: (57) Where personal data are processed for the purposes of direct marketing, the data subject should have the right to object to such processing free of charge and in a manner that can be easily and effectively invoked.

EP Position / First Reading (Amendment 32): (57) Where personal data are processed for the purposes of direct marketing, the data subject has the right to object to the processing free of charge and in a manner that can be easily and effectively invoked, the controller should explicitly offer it to the data subject in an intelligible manner and form, using clear and plain language and should clearly distinguish it from other information.

Council General Approach: (57) Where personal data are processed for the purposes of direct marketing, the data subject should have the right to object to such processing, whether the initial or further processing, free of charge and in a manner that can be easily and effectively invoked.


COM (2012)0011: (58) Every natural person should have the right not to be subject to a measure which is based on profiling by means of automated processing. However, such measure should be allowed when expressly authorised by law, carried out in the course of entering or performance of a contract, or when the data subject has given his consent. In any case, such processing should be subject to suitable safeguards, including specific information of the data subject and the right to obtain human intervention and that such measure should not concern a child.

EP Position / First Reading (Amendment 33): (58) Without prejudice to the lawfulness of the data processing, every natural person should have the right to object to profiling. Profiling which leads to measures producing legal effects concerning the data subject or does similarly significantly affect the interests, rights or freedoms of the concerned data subject should only be allowed when expressly authorised by law, carried out in the course of entering or performance of a contract, or when the data subject has given his consent. The processing should be subject to suitable safeguards, including specific information of the data subject and the right to obtain human assessment and that such measure should not concern a child. Such measures should not lead to discrimination against individuals on the basis of race or ethnic origin, political opinions, religion or beliefs, trade union membership, sexual orientation or gender identity.

Council General Approach: (58) The data subject should have the right not to be subject to a decision evaluating personal aspects relating to him or her which is based solely on automated processing, which produces legal effects concerning him or her or significantly affects him or her, like automatic refusal of an on-line credit application or e-recruiting practices without any human intervention. Such processing includes also 'profiling' consisting in any form of automated processing of personal data evaluating personal aspects relating to a natural person, in particular to analyse or predict aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements as long as it produces legal effects concerning him or her or significantly affects him or her. However, decision making based on such processing, including profiling, should be allowed when expressly authorised by Union or Member State law to which the controller is subject, including for fraud and tax evasion monitoring and prevention purposes and to ensure the security and reliability of a service provided by the controller, or necessary for the entering or performance of a contract between the data subject and a controller, or when the data subject has given his or her explicit consent. In any case, such processing should be subject to suitable safeguards, including specific information of the data subject and the right to obtain human intervention, to express his or her point of view, to get an explanation of the decision reached after such assessment and the right to contest the decision. In order to ensure fair and transparent processing in respect of the data subject, having regard to the specific circumstances and context in which the personal data are processed, the controller should use adequate mathematical or statistical procedures for the profiling, implement technical and organisational measures appropriate to ensure in particular that factors which result in data inaccuracies are corrected and the risk of errors is minimized, secure personal data in a way which takes account of the potential risks involved for the interests and rights of the data subject and which prevents inter alia discriminatory effects against individuals on the basis of race or ethnic origin, political opinions, religion or beliefs, trade union membership, genetic or health status, sexual orientation or that result in measures having such effect. Automated decision making and profiling based on special categories of personal data should only be allowed under specific conditions.


EP Position / First Reading (Amendment 34): (58a) Profiling based solely on the processing of pseudonymous data should be presumed not to significantly affect the interests, rights or freedoms of the data subject. Where profiling, whether based on a single source of pseudonymous data or on the aggregation of pseudonymous data from different sources, permits the controller to attribute pseudonymous data to a specific data subject, the processed data should no longer be considered to be pseudonymous.

Council General Approach: (58a) Profiling as such is subject to the (general) rules of this Regulation governing processing of personal data (legal grounds of processing, data protection principles etc.) with specific safeguards (for instance the obligation to conduct an impact assessment in some cases or provisions concerning specific information to be provided to the concerned individual). The European Data Protection Board should have the possibility to issue guidance in this context.


COM (2012)0011: (60) Comprehensive responsibility and liability of the controller for any processing of personal data carried out by the controller or on the controller's behalf should be established. In particular, the controller should ensure and be obliged to demonstrate the compliance of each processing operation with this Regulation.

EP Position / First Reading: (60) Comprehensive responsibility and liability of the controller for any processing of personal data carried out by the controller or on the controller's behalf should be established, in particular with regard to documentation, data security, impact assessments, the data protection officer and oversight by data protection authorities. In particular, the controller should ensure and be able to demonstrate the compliance of each processing operation with this Regulation. This should be verified by independent internal or external auditors.

Council General Approach: (60) The responsibility and liability of the controller for any processing of personal data carried out by the controller or on the controller's behalf should be established. In particular, the controller should be obliged to implement appropriate measures and be able to demonstrate the compliance of processing activities with this Regulation. These measures should take into account the nature, scope, context and purposes of the processing and the risk for the rights and freedoms of individuals.


(60a) Such risks, of varying likelihood and severity, may result from data processing which could lead to physical, material or moral damage, in particular where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of data protected by professional secrecy, unauthorized reversal of pseudonymisation, or any other significant economic or social disadvantage; or where data subjects might be deprived of their rights and freedoms or from exercising control over their personal data; where personal data are processed which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade-union membership, and the processing of genetic data or data concerning health or sex life or criminal convictions and

ANNEX DGD 2C LIMITE EN

offences or related security measures; where personal aspects are evaluated, in particular analysing and prediction of aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, in order to create or use personal profiles; where personal data of vulnerable individuals, in particular of children, are processed; where processing involves a large amount of personal data and affects a large number of data subjects.

ANNEX DGD 2C LIMITE EN

Council General Approach: (60b) The likelihood and severity of the risk should be determined in function of the nature, scope, context and purposes of the data processing. Risk should be evaluated on an objective assessment, by which it is established whether data processing operations involve a high risk. A high risk is a particular risk of prejudice to the rights and freedoms of individuals.

Council General Approach: (60c) Guidance for the implementation of appropriate measures, and for demonstrating the compliance by the controller or processor, especially as regards the identification of the risk related to the processing, their assessment in terms of their origin, nature, likelihood and severity, and the identification of best practices to mitigate the risk, could be provided in particular by approved codes of conduct, approved certifications, guidelines of the European Data Protection Board or through the indications provided by a data protection officer. The European Data Protection Board may also issue guidelines on processing operations that are considered to be unlikely to result in a high risk for the rights and freedoms of individuals and indicate what measures may be sufficient in such cases to address such risk.

(61)

COM (2012)0011: (61) The protection of the rights and freedoms of data subjects with regard to the processing of personal data require that appropriate technical and organisational measures are taken, both at the time of the design of the processing and at the time of the processing itself, to ensure that the requirements of this Regulation are met. In order to ensure and demonstrate compliance with this Regulation, the controller should adopt internal policies and implement appropriate measures, which meet in particular the principles of data protection by design and data protection by default.

EP Position / First Reading (Amendment 37): (61) The protection of the rights and freedoms of data subjects with regard to the processing of personal data require that appropriate technical and organisational measures are taken, both at the time of the design of the processing and at the time of the processing itself, to ensure that the requirements of this Regulation are met. In order to ensure and demonstrate compliance with this Regulation, the controller should adopt internal policies and implement appropriate measures, which meet in particular the principles of data protection by design and data protection by default. The principle of data protection by design requires data protection to be embedded within the entire life cycle of the technology, from the very early design stage, right through to its ultimate deployment, use and final disposal. This should also include the responsibility for the products and services used by the controller or processor. The principle of data protection by default requires privacy settings on services and products which should by default comply with the general principles of data protection, such as data minimisation and purpose limitation.

Council General Approach: (61) The protection of the rights and freedoms of data subjects individuals with regard to the processing of personal data require that appropriate technical and organisational measures are taken, both at the time of the design of the processing and at the time of the processing itself, to ensure that the requirements of this Regulation are met. In order to ensure and be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement appropriate measures, which meet in particular the principles of data protection by design and data protection by default. Such measures could consist inter alia of minimising the processing of personal data, pseudonymising personal data as soon as possible, transparency with regard to the functions and processing of personal data, enabling the data subject to monitor the data processing, enabling the controller to create and improve security features. When developing, designing, selecting and using applications, services and products that are either based on the processing of personal data or process personal data to fulfil their task, producers of the products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications and, with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations.

(62)

COM (2012)0011: (62) The protection of the rights and freedoms of data subjects as well as the responsibility and liability of controllers and processor, also in relation to the monitoring by and measures of supervisory authorities, requires a clear attribution of the responsibilities under this Regulation, including where a controller determines the purposes, conditions and means of the processing jointly with other controllers or where a processing operation is carried out on behalf of a controller.

EP Position / First Reading (Amendment 38): (62) The protection of the rights and freedoms of data subjects as well as the responsibility and liability of controllers and processor, also in relation to the monitoring by and measures of supervisory authorities, requires a clear attribution of the responsibilities under this Regulation, including where a controller determines the purposes, conditions and means of the processing jointly with other controllers or where a processing operation is carried out on behalf of a controller. The arrangement between the joint controllers should reflect the joint controllers' effective roles and relationships.

Council General Approach: (62) The protection of the rights and freedoms of data subjects as well as the responsibility and liability of controllers and processors, also in relation to the monitoring by and measures of supervisory authorities, requires a clear attribution of the responsibilities under this Regulation, including where a controller determines the purposes, conditions and means of the processing jointly with other controllers or where a processing operation is carried out on behalf of a controller. The processing of personal data under this Regulation should include the permission for a controller to transmit the data to a joint controller or to a processor for the processing of the data on their his or her behalf.

(63)

COM (2012)0011: (63) Where a controller not established in the Union is processing personal data of data subjects residing in the Union whose processing activities are related to the offering of goods or services to such data subjects, or to the monitoring their behaviour, the controller should designate a representative, unless the controller is established in a third country ensuring an adequate level of protection, or the controller is a small or medium sized enterprise or a public authority or body or where the controller is only occasionally offering goods or services to such data subjects. The representative should act on behalf of the controller and may be addressed by any supervisory authority.

EP Position / First Reading (Amendment 39): (63) Where a controller not established in the Union is processing personal data of data subjects residing in the Union whose processing activities are related to the offering of goods or services to such data subjects, or to the monitoring their behaviour, the controller should designate a representative, unless the controller is established in a third country ensuring an adequate level of protection, or the controller is a small or medium sized enterprise or processing relates to fewer than 5000 data subjects during any consecutive 12-month period and is not carried out on special categories of personal data, or is a public authority or body or where the controller is only occasionally offering goods or services to such data subjects. The representative should act on behalf of the controller and may be addressed by any supervisory authority.

Council General Approach: (63) Where a controller not established in the Union is processing personal data of data subjects residing in the Union whose processing activities are related to the offering of goods or services to such data subjects, or to the monitoring of their behaviour in the Union, the controller should designate a representative, unless the processing it carries out is occasional and unlikely to result in a risk for the rights and freedoms of data subjects, taking into account the nature, scope, context and purposes of the processing or the controller is established in a third country ensuring an adequate level of protection, or the controller is a small or medium sized enterprise or a public authority or body or where the controller is only occasionally offering goods or services to such data subjects. The representative should act on behalf of the controller and may be addressed by any supervisory authority. The representative should be explicitly designated by a written mandate of the controller to act on its behalf with regard to the latter's obligations under this Regulation. The designation of such representative does not affect the responsibility and liability of the controller under this Regulation. Such representative should perform its tasks according to the received mandate from the controller, including to cooperate with the competent supervisory authorities on any action taken in ensuring compliance with this Regulation. The designated representative should be subjected to enforcement actions in case of non-compliance by the controller.

Council General Approach: (63a) To ensure compliance with the requirements of this Regulation in respect of the processing to be carried out by the processor on behalf of the controller, when entrusting a processor with processing activities, the controller should use only processors providing sufficient guarantees, in particular in terms of expert knowledge, reliability and resources, to implement technical and organisational measures which will meet the requirements of this Regulation, including for the security of processing. Adherence of the processor to an approved code of conduct or an approved certification mechanism may be used as an element to demonstrate compliance with the obligations of the controller. The carrying out of processing by a processor should be governed by a contract or other legal act under Union or Member State law, binding the processor to the controller, setting out the subject-matter and duration of the processing, the nature and purposes of the processing, the type of personal data and categories of data subjects, taking into account the specific tasks and responsibilities of the processor in the context of the processing to be carried out and the risk for the rights and freedoms of the data subject. The controller and processor may choose to use an individual contract or standard contractual clauses which are adopted either directly by the Commission or by a supervisory authority in accordance with the consistency mechanism and then adopted by the Commission, or which are part of a certification granted in the certification mechanism. After the completion of the processing on behalf of the controller, the processor should return or delete the personal data, unless there is a requirement to store the data under Union or Member State law to which the processor is subject.

(64)

COM (2012)0011: (64) In order to determine whether a controller is only occasionally offering goods and services to data subjects residing in the Union, it should be ascertained whether it is apparent from the controller's overall activities that the offering of goods and services to such data subjects is ancillary to those main activities.

EP Position / First Reading (Amendment 39): (64) In order to determine whether a controller is only occasionally offering goods and services to data subjects residing in the Union, it should be ascertained whether it is apparent from the controller's overall activities that the offering of goods and services to such data subjects is ancillary to those main activities.

Council General Approach: deleted

(65)

COM (2012)0011: (65) In order to demonstrate compliance with this Regulation, the controller or processor should document each processing operation. Each controller and processor should be obliged to co-operate with the supervisory authority and make this documentation, on request, available to it, so that it might serve for monitoring those processing operations.

EP Position / First Reading (Amendment 41): (65) In order to be able to demonstrate compliance with this Regulation, the controller or processor should document each processing operation maintain the documentation necessary in order to fulfill the requirements laid down in this Regulation. Each controller and processor should be obliged to co-operate with the supervisory authority and make this documentation, on request, available to it, so that it might serve for monitoring those processing operations evaluating the compliance with this Regulation. However, equal emphasis and significance should be placed on good practice and compliance and not just the completion of documentation.

Council General Approach: (65) In order to demonstrate compliance with this Regulation, the controller or processor should document each maintain records regarding all categories of processing operation activities under its responsibility. Each controller and processor should be obliged to co-operate with the supervisory authority and make this documentation these records, on request, available to it, so that it might serve for monitoring those processing operations.

(66)

COM (2012)0011: (66) In order to maintain security and to prevent processing in breach of this Regulation, the controller or processor should evaluate the risks inherent to the processing and implement measures to mitigate those risks. These measures should ensure an appropriate level of security, taking into account the state of the art and the costs of their implementation in relation to the risks and the nature of the personal data to be protected. When establishing technical standards and organisational measures to ensure security of processing, the Commission should promote technological neutrality, interoperability and innovation, and, where appropriate, cooperate with third countries.

EP Position / First Reading (Amendment 42): (66) In order to maintain security and to prevent processing in breach of this Regulation, the controller or processor should evaluate the risks inherent to the processing and implement measures to mitigate those risks. These measures should ensure an appropriate level of security, taking into account the state of the art and the costs of their implementation in relation to the risks and the nature of the personal data to be protected. When establishing technical standards and organisational measures to ensure security of processing, the Commission should promote technological neutrality, interoperability and innovation should be promoted and, where appropriate, cooperate cooperation with third countries should be encouraged.

Council General Approach: (66) In order to maintain security and to prevent processing in breach of this Regulation, the controller or processor should evaluate the risks inherent to the processing and implement measures to mitigate those risks. These measures should ensure an appropriate level of security including confidentiality, taking into account available technology the state of the art and the costs of their implementation in relation to the risks and the nature of the personal data to be protected. When establishing technical standards and organisational measures to ensure security of processing, the Commission should promote technological neutrality, interoperability and innovation, and, where appropriate, cooperate with third countries In assessing data security risk, consideration should be given to the risks that are presented by data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed, which may in particular lead to physical, material or moral damage.

Council General Approach: (66a) In order to enhance compliance with this Regulation in cases where the processing operations are likely to result in a high risk for the rights and freedoms of individuals, the controller should be responsible for the carrying out of a data protection impact assessment to evaluate, in particular, the origin, nature, particularity and severity of this risk. The outcome of the assessment should be taken into account when determining the appropriate measures to be taken in order to demonstrate that the processing of personal data is in compliance with this Regulation. Where a data protection impact assessment indicates that processing operations involve a high risk which the controller cannot mitigate by appropriate measures in terms of available technology and costs of implementation, a consultation of the supervisory authority should take place prior to the processing.

(67)

COM (2012)0011: (67) A personal data breach may, if not addressed in an adequate and timely manner, result in substantial economic loss and social harm, including identity fraud, to the individual concerned. Therefore, as soon as the controller becomes aware that such a breach has occurred, the controller should notify the breach to the supervisory authority without undue delay and, where feasible, within 24 hours. Where this cannot achieved within 24 hours, an explanation of the reasons for the delay should accompany the notification. The individuals whose personal data could be adversely affected by the breach should be notified without undue delay in order to allow them to take the necessary precautions. A breach should be considered as adversely affecting the personal data or privacy of a data subject where it could result in, for example, identity theft or fraud, physical harm, significant humiliation or damage to reputation. The notification should describe the nature of the personal data breach as well as recommendations as well as recommendations for the individual concerned to mitigate potential adverse effects. Notifications to data subjects should be made as soon as reasonably feasible, and in close cooperation with the supervisory authority and respecting guidance provided by it or other relevant authorities (e.g. law enforcement authorities). For example, the chance for data subjects to mitigate an immediate risk of harm would call for a prompt notification of data subjects whereas the need to implement appropriate measures against continuing or similar data breaches may justify a longer delay.

EP Position / First Reading (Amendment 43): (67) A personal data breach may, if not addressed in an adequate and timely manner, result in substantial economic loss and social harm, including identity fraud, to the individual concerned. Therefore, as soon as the controller becomes aware that such a breach has occurred, the controller should notify the breach to the supervisory authority without undue delay and, where feasible, within 24, which should be presumed to be not later than 72 hours. Where this cannot achieved within 24 hours If applicable, an explanation of the reasons for the delay should accompany the notification. The individuals whose personal data could be adversely affected by the breach should be notified without undue delay in order to allow them to take the necessary precautions. A breach should be considered as adversely affecting the personal data or privacy of a data subject where it could result in, for example, identity theft or fraud, physical harm, significant humiliation or damage to reputation. The notification should describe the nature of the personal data breach and formulate as well as recommendations as well as recommendations for the individual concerned to mitigate potential adverse effects. Notifications to data subjects should be made as soon as reasonably feasible, and in close cooperation with the supervisory authority and respecting guidance provided by it or other relevant authorities (e.g. law enforcement authorities). For example, the chance for data subjects to mitigate an immediate risk of harm would call for a prompt notification of data subjects whereas the need to implement appropriate measures against continuing or similar data breaches may justify a longer delay.

Council General Approach: (67) A personal data breach may, if not addressed in an adequate and timely manner, result in physical, material or moral damage to individuals such as substantial economic loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorized reversal of pseudonymisation, damage to the reputation, loss of confidentiality of data protected by professional secrecy or any other economic or and social harm, including identity fraud, disadvantage to the individual concerned. Therefore, as soon as the controller becomes aware that such a personal data breach which may result in physical, material or moral damage has occurred, the controller should notify the breach to the supervisory authority without undue delay and, where feasible, within 24 72 hours. Where this cannot be achieved within 24 72 hours, an explanation of the reasons for the delay should accompany the notification. The individuals whose rights and freedoms personal data could be adversely severely affected by the breach should be notified without undue delay in order to allow them to take the necessary precautions. A breach should be considered as adversely affecting the personal data or privacy of a data subject where it could result in, for example, identity theft or fraud, physical harm, significant humiliation or damage to reputation. The notification should describe the nature of the personal data breach as well as recommendations as well as recommendations for the individual concerned to mitigate potential adverse effects. Notifications to data subjects should be made as soon as reasonably feasible, and in close cooperation with the supervisory authority and respecting guidance provided by it or other relevant authorities (e.g. law enforcement authorities). For example, the chance for data subjects need to mitigate an immediate risk of harm damage would call for a prompt notification of data subjects whereas the need to implement appropriate measures against continuing or similar data breaches may justify a longer delay.

(68)

COM (2012)0011: (68) In order to determine whether a personal data breach is notified to the supervisory authority and to the data subject without undue delay, it should be ascertained whether the controller has implemented and applied appropriate technological protection and organisational measures to establish immediately whether a personal data breach has taken place and to inform promptly the supervisory authority and the data subject, before a damage to personal and economic interests occurs, taking into account in particular the nature and gravity of the personal data breach and its consequences and adverse effects for the data subject.

EP Position / First Reading: unchanged from COM (2012)0011.

Council General Approach: (68) In order to determine It must whether a personal data breach is notified to the supervisory authority and to the data subject without undue delay, it should be ascertained whether the controller has implemented and applied all appropriate technological protection and organisational measures have been implemented to establish immediately whether a personal data breach has taken place and to inform promptly the supervisory authority and the data subject ., before a damage to personal and economic interests occurs, The fact that the notification was made without undue delay should be established taking into account in particular the nature and gravity of the personal data breach and its consequences and adverse effects for the data subject. Such notification may result in an intervention of the supervisory authority in accordance with its tasks and powers laid down in this Regulation.


(68a) The communication of a personal data breach to the data subject should not be required if the controller has implemented appropriate technological protection measures, and that those measures were applied to the data affected by the personal data breach. Such technological protection measures should include those that render the data unintelligible to any person who is not authorised to access it, in particular by encrypting the personal data.

(69)

COM (2012)0011: (69) In setting detailed rules concerning the format and procedures applicable to the notification of personal data breaches, due consideration should be given to the circumstances of the breach, including whether or not personal data had been protected by appropriate technical protection measures, effectively limiting the likelihood of identity fraud or other forms of misuse. Moreover, such rules and procedures should take into account the legitimate interests of law enforcement authorities in cases where early disclosure could unnecessarily hamper the investigation of the circumstances of a breach.

EP Position / First Reading: unchanged from COM (2012)0011.

Council General Approach: unchanged from COM (2012)0011.

(70)

COM (2012)0011: (70) Directive 95/46/EC provided for a general obligation to notify processing of personal data to the supervisory authorities. While this obligation produces administrative and financial burdens, it did not in all cases contribute to improving the protection of personal data. Therefore such indiscriminate general notification obligation should be abolished, and replaced by effective procedures and mechanism which focus instead on those processing operations which are likely to present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes. In such cases, a data protection impact assessment should be carried out by the controller or processor prior to the processing, which should include in particular the envisaged measures, safeguards and mechanisms for ensuring the protection of personal data and for demonstrating the compliance with this Regulation.

EP Position / First Reading: unchanged from COM (2012)0011.

Council General Approach: (70) Directive 95/46/EC provided for a general obligation to notify processing of personal data to the supervisory authorities. While this obligation produces administrative and financial burdens, it did not in all cases contribute to improving the protection of personal data. Therefore such indiscriminate general notification obligations should be abolished, and replaced by effective procedures and mechanisms which focus instead on those types of processing operations which are likely to present specific result in a high risks to the rights and freedoms of data subjects individuals by virtue of their nature, their scope, context and or their purposes. In such cases, a data protection impact assessment should be carried out by the controller or processor prior to the types of processing, operations may be those which should include in particular, involve using new technologies, or are of a new kind and where no data protection impact assessment has been carried out before by the controller, or where they become necessary in the light of the time that has elapsed since the initial processing the envisaged measures, safeguards and mechanisms for ensuring the protection of personal data and for demonstrating the compliance with this Regulation.

Council General Approach: (70a) In such cases, a data protection impact assessment should be carried out by the controller prior to the processing in order to assess the particular likelihood and severity of the high risk, taking into account the nature, scope, context and purposes of the processing and the sources of the risk, which should include in particular the envisaged measures, safeguards and mechanisms for mitigating that risk and for ensuring the protection of personal data and for demonstrating the compliance with this Regulation.

(71)

COM (2012)0011: (71) This should in particular apply to newly established large scale filing systems, which aim at processing a considerable amount of personal data at regional, national or supranational level and which could affect a large number of data subjects.

EP Position / First Reading: unchanged from COM (2012)0011.

Council General Approach: (71) This should in particular apply to newly established large-scale filing systems processing operations, which aim at processing a considerable amount of personal data at regional, national or supranational level and which could affect a large number of data subjects and which are likely to result in a high risk, for example, on account of their sensitivity, where in accordance with the achieved state of technological knowledge a new technology is used on a large scale as well as to other processing operations which result in a high risk for the rights and freedoms of data subjects, in particular where those operations render it more difficult for data subjects to exercise their rights. A data protection impact assessment should also be made in cases where data are processed for taking decisions regarding specific individuals following any systematic and extensive evaluation of personal aspects relating to natural persons based on profiling those data or following the processing of special categories of personal data, biometric data, or data on criminal convictions and offences or related security measures. A data protection impact assessment is equally required for monitoring publicly accessible areas on a large scale, especially when using optic-electronic devices or for any other operations where the competent supervisory authority considers that the processing is likely to result in a high risk for the rights and freedoms of data subjects, in particular because they prevent data subjects from exercising a right or using a service or a contract, or because they are carried out systematically on a large scale. The processing of personal data irrespective of the volume or the nature of the data, should not be considered as being on a large scale, if the processing of these data is protected by professional secrecy, such as the processing of personal data from patients or clients by an individual doctor, health care professional, hospital or attorney. In these cases a data protection impact assessment should not be mandatory.

Amendment 44

EP Position / First Reading: (71a) Impact assessments are the essential core of any sustainable data protection framework, making sure that businesses are aware from the outset of all possible consequences of their data processing operations. If impact assessments are thorough, the likelihood of any data breach or privacy-intrusive operation can be fundamentally limited. Data protection impact assessments should consequently have regard to the entire lifecycle management of personal data from collection to processing to deletion, describing in detail the envisaged processing operations, the risks to the rights and freedoms of data subjects, the measures envisaged to address the risks, safeguards, security measures and mechanisms to ensure compliance with the this Rregulation.

Amendment 45

EP Position / First Reading: (71b) Controllers should focus on the protection of personal data throughout the entire data lifecycle from collection to processing to deletion by investing from the outset in a sustainable data management framework and by following it up with a comprehensive compliance mechanism.

COM (2012)0011: (72) There are circumstances under which it may be sensible and economic that the subject of a data protection impact assessment should be broader than a single project, for example where public authorities or bodies intend to establish a common application or processing platform or where several controllers plan to introduce a common application or processing environment across an industry sector or segment or for a widely used horizontal activity.

EP Position / First Reading: (72) There are circumstances under which it may be sensible and economic that the subject of a data protection impact assessment should be broader than a single project, for example where public authorities or bodies intend to establish a common application or processing platform or where several controllers plan to introduce a common application or processing environment across an industry sector or segment or for a widely used horizontal activity.

Council General Approach: (72) There are circumstances under which it may be sensible and economic that the subject of a data protection impact assessment should be broader than a single project, for example where public authorities or bodies intend to establish a common application or processing platform or where several controllers plan to introduce a common application or processing environment across an industry sector or segment or for a widely used horizontal activity.

Amendment 46

COM (2012)0011: (73) Data protection impact assessments should be carried out by a public authority or public body if such an assessment has not already been made in the context of the adoption of the national law on which the performance of the tasks of the public authority or public body is based and which regulates the specific processing operation or set of operations in question.

EP Position / First Reading: deleted

Council General Approach: (73) Data protection impact assessments should may be carried out by a public authority or public body if such an assessment has not already been made in the context of the adoption of the national law on which the performance of the tasks of the public authority or public body is based and which regulates the specific processing operation or set of operations in question.

Amendment 47

COM (2012)0011: (74) Where a data protection impact assessment indicates that processing operations involve a high degree of specific risks to the rights and freedoms of data subjects, such as excluding individuals from their right, or by the use of specific new technologies, the supervisory authority should be consulted, prior to the start of operations, on a risky processing which might not be in compliance with this Regulation, and to make proposals to remedy such situation. Such consultation should equally take place in the course of the preparation either of a measure by the national parliament or of a measure based on such legislative measure which defines the nature of the processing and lays down appropriate safeguards.

EP Position / First Reading: (74) Where a data protection impact assessment indicates that processing operations involve a high degree of specific risks to the rights and freedoms of data subjects, such as excluding individuals from their right, or by the use of specific new technologies, the data protection officer or the supervisory authority should be consulted, prior to the start of operations, on a risky processing which might not be in compliance with this Regulation, and to make proposals to remedy such situation. Such A consultation of the supervisory authority should equally take place in the course of the preparation either of a measure by the national parliament or of a measure based on such legislative measure which defines the nature of the processing and lays down appropriate safeguards.

Council General Approach: (74) Where a data protection impact assessment indicates that the processing would, despite the envisaged safeguards, security measures and mechanisms to mitigate the operations involve a high degree of specific risks to the result in a high risk to the rights and freedoms of data subjectsindividuals and the controller is of the opinion that the risk cannot be mitigated by reasonable means in terms of available technologies and costs of implementation, such as excluding individuals from their right, or by the use of specific new technologies, the supervisory authority should be consulted, prior to the start of operationsprocessing activities, on a risky processing which might not be in compliance with this Regulation, and to make proposals to remedy such situation. Such consultation should equally take place in the course of the preparation either of a measure by the national parliament or of a measure based on such legislative measure which defines the nature of the processing and lays down appropriate safeguards. Such high risk is likely to result from certain types of data processing and certain extent and frequency of processing, which may result also in a realisation of damage or interference with the rights and freedoms of the data subject. The supervisory authority should respond to the request for consultation in a defined period. However, the absence of a reaction of the supervisory authority within this period should be without prejudice to any intervention of the supervisory authority in accordance with its tasks and powers laid down in this Regulation, including the power to prohibit processing operations. As part of this consultation process, the outcome of a data protection impact assessment carried out with regard to the processing at issue pursuant to Article 33 may be submitted to the supervisory authority, in particular the measures envisaged to mitigate the risk for the rights and freedoms of individuals.

Amendment 48

EP Position / First Reading: (74a) Impact assessments can only be of help if controllers make sure that they comply with the promises originally laid down in them. Data controllers should therefore conduct periodic data protection compliance reviews demonstrating that the data processing mechanisms in place comply with assurances made in the data protection impact assessment. It should further demonstrate the ability of the data controller to comply with the autonomous choices of data subjects. In addition, in case the review finds compliance inconsistencies, it should highlight these and present recommendations on how to achieve full compliance.

Council General Approach: (74a) The processor should assist the controller, where necessary and upon request, in ensuring compliance with the obligations deriving from the carrying out of data protection impact assessments and from prior consultation of the supervisory authority.

Council General Approach: (74b) A consultation with the supervisory authority should also take place in the course of the preparation of a legislative or regulatory measure which provides for the processing of personal data, in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risk involved for the data subject.

Amendment 49

COM (2012)0011: (75) Where the processing is carried out in the public sector or where, in the private sector, processing is carried out by a large enterprise, or where its core activities, regardless of the size of the enterprise, involve processing operations which require regular and systematic monitoring, a person should assist the controller or processor to monitor internal compliance with this Regulation. Such data protection officers, whether or not an employee of the controller, should be in a position to perform their duties and tasks independently.

EP Position / First Reading: (75) Where the processing is carried out in the public sector or where, in the private sector, processing is carried out by a large enterprise relates to more than 5000 data subjects within 12 months, or where its core activities, regardless of the size of the enterprise, involve processing operations on sensitive data, or processing operations which require regular and systematic monitoring, a person should assist the controller or processor to monitor internal compliance with this Regulation. When establishing whether data about a large number of data subjects are processed, archived data that are restricted in such a way that they are not subject to the normal data access and processing operations of the controller and can no longer be changed should not be taken into account. Such data protection officers, whether or not an employee of the controller and whether or not performing that task full time, should be in a position to perform their duties and tasks independently and enjoy special protection against dismissal. Final responsibility should stay with the management of an organisation. The data protection officer should in particular be consulted prior to the design, procurement, development and setting-up of systems for the automated processing of personal data, in order to ensure the principles of privacy by design and privacy by default.

Council General Approach: (75) Where the processing is carried out in the public sector or where, in the private sector, processing is carried out by a large enterprise, or where its core activities, regardless of the size of the enterprise, involve processing operations which require regular and systematic monitoring, a person should with expert knowledge of data protection law and practices may assist the controller or processor to monitor internal compliance with this Regulation. Such data protection officers, whether or not an employee of the controller, should be in a position to perform their duties and tasks in an independently manner.

Amendment 50

EP Position / First Reading: (75a) The data protection officer should have at least the following qualifications: extensive knowledge of the substance and application of data protection law, including technical and organisational measures and procedures; mastery of technical requirements for privacy by design, privacy by default and data security; industry-specific knowledge in accordance with the size of the controller or processor and the sensitivity of the data to be processed; the ability to carry out inspections, consultation, documentation, and log file analysis; and the ability to work with employee representation. The controller should enable the data protection officer to take part in advanced training measures to maintain the specialized knowledge required to perform his or her duties. The designation as a data protection officer does not necessarily require full-time occupation of the respective employee.

Amendment 51

COM (2012)0011: (76) Associations or other bodies representing categories of controllers should be encouraged to draw up codes of conduct, within the limits of this Regulation, so as to facilitate the effective application of this Regulation, taking account of the specific characteristics of the processing carried out in certain sectors.

EP Position / First Reading: (76) Associations or other bodies representing categories of controllers should be encouraged, after consultation of the representatives of the employees, to draw up codes of conduct, within the limits of this Regulation, so as to facilitate the effective application of this Regulation, taking account of the specific characteristics of the processing carried out in certain sectors. Such codes should make compliance with this Regulation easier for industry.

Council General Approach: (76) Associations or other bodies representing categories of controllers or processors should be encouraged to draw up codes of conduct, within the limits of this Regulation, so as to facilitate the effective application of this Regulation, taking account of the specific characteristics of the processing carried out in certain sectors and the specific needs of micro, small and medium enterprises. In particular such codes of conduct could calibrate the obligations of controllers and processors, taking into account the risk likely to result from the processing for the rights and freedoms of individuals.

Council General Approach: (76a) When drawing up a code of conduct, or when amending or extending such a code, associations and other bodies representing categories of controllers or processors should consult with relevant stakeholders, including data subjects where feasible, and have regard to submissions received and views expressed in response to such consultations.

Amendment 52

COM (2012)0011: (77) In order to enhance transparency and compliance with this Regulation, the establishment of certification mechanisms, data protection seals and marks should be encouraged, allowing data subjects to quickly assess the level of data protection of relevant products and services.

EP Position / First Reading: (77) In order to enhance transparency and compliance with this Regulation, the establishment of certification mechanisms, data protection seals and standardised marks should be encouraged, allowing data subjects to quickly, reliably and verifiably assess the level of data protection of relevant products and services. A "European Data Protection Seal" should be established on the European level to create trust among data subjects, legal certainty for controllers, and at the same time export European data protection standards by allowing non-European companies to more easily enter European markets by being certified.

Council General Approach: (77) In order to enhance transparency and compliance with this Regulation, the establishment of certification mechanisms, data protection seals and marks should be encouraged, allowing data subjects to quickly assess the level of data protection of relevant products and services.

COM (2012)0011: (78) Cross-border flows of personal data are necessary for the expansion of international trade and international co-operation. The increase in these flows has raised new challenges and concerns with respect to the protection of personal data. However, when personal data are transferred from the Union to third countries or to international organisations, the level of protection of individuals guaranteed in the Union by this Regulation should not be undermined. In any event, transfers to third countries may only be carried out in full compliance with this Regulation.

EP Position / First Reading: (78) Cross-border flows of personal data are necessary for the expansion of international trade and international co-operation. The increase in these flows has raised new challenges and concerns with respect to the protection of personal data. However, when personal data are transferred from the Union to third countries or to international organisations, the level of protection of individuals guaranteed in the Union by this Regulation should not be undermined. In any event, transfers to third countries may only be carried out in full compliance with this Regulation.

Council General Approach: (78) Cross-border flows of personal data to and from countries outside the Union and international organisations are necessary for the expansion of international trade and international co-operation. The increase in these flows has raised new challenges and concerns with respect to the protection of personal data. However, when personal data are transferred from the Union to controllers, processors or other recipients in third countries or to international organisations, the level of protection of individuals guaranteed in the Union by this Regulation should not be undermined, including in cases of onward transfers of personal data from the third country or international organisation to controllers, processors in the same or another third country or international organisation. In any event, transfers to third countries and international organisations may only be carried out in full compliance with this Regulation. A transfer may only take place if, subject to the other provisions of this Regulation, the conditions laid down in Chapter V are complied with by the controller or processor.

Amendment 53

COM (2012)0011: (79) This Regulation is without prejudice to international agreements concluded between the Union and third countries regulating the transfer of personal data including appropriate safeguards for the data subjects.

EP Position / First Reading: (79) This Regulation is without prejudice to international agreements concluded between the Union and third countries regulating the transfer of personal data including appropriate safeguards for the data subjects ensuring an adequate level of protection for the fundamental rights of citizens

Council General Approach: (79) This Regulation is without prejudice to international agreements concluded between the Union and third countries regulating the transfer of personal data including appropriate safeguards for the data subjects. Member States may conclude international agreements which involve the transfer of personal data to third countries or international organisations, as far as such agreements do not affect this Regulation or any other provisions of EU law and include safeguards to protect the rights of the data subjects.

Amendment 54

COM (2012)0011: (80) The Commission may decide with effect for the entire Union that certain third countries, or a territory or a processing sector within a third country, or an international organisation, offer an adequate level of data protection, thus providing legal certainty and uniformity throughout the Union as regards the third countries or international organisations which are considered to provide such level of protection. In these cases, transfers of personal data to these countries may take place without needing to obtain any further authorisation.

EP Position / First Reading: (80) The Commission may decide with effect for the entire Union that certain third countries, or a territory or a processing sector within a third country, or an international organisation, offer an adequate level of data protection, thus providing legal certainty and uniformity throughout the Union as regards the third countries or international organisations which are considered to provide such level of protection. In these cases, transfers of personal data to these countries may take place without needing to obtain any further authorisation. The Commission may also decide, having given notice and a complete justification to the third country, to revoke such a decision.

Council General Approach: (80) The Commission may decide with effect for the entire Union that certain third countries, or a territory or a processing specified sector, such as the private sector or one or more specific economic sectors within a third country, or an international organisation, offer an adequate level of data protection, thus providing legal certainty and uniformity throughout the Union as regards the third countries or international organisations, which are considered to provide such level of protection. In these cases, transfers of personal data to these countries may take place without needing to obtain any further authorisation.

COM (2012)0011: (81) In line with the fundamental values on which the Union is founded, in particular the protection of human rights, the Commission should, in its assessment of the third country, take into account how a given third country respects the rule of law, access to justice as well as international human rights norms and standards.

EP Position / First Reading: (81) In line with the fundamental values on which the Union is founded, in particular the protection of human rights, the Commission should, in its assessment of the third country, take into account how a given third country respects the rule of law, access to justice as well as international human rights norms and standards.

Council General Approach: (81) In line with the fundamental values on which the Union is founded, in particular the protection of human rights, the Commission should, in its assessment of the a third country or of a territory or of a specified sector within a third country, take into account how a given third country respects the rule of law, access to justice as well as international human rights norms and standards and its general and sectoral law, including legislation concerning public security, defence and national security as well as public order and criminal law. The adoption of an adequacy decision to a territory or a specified sector in a third country should take into account clear and objective criteria, such as specific processing activities and the scope of applicable legal standards and legislation in force in the third country. The third country should offer guarantees that ensure an adequate level of protection in particular when data are processed in one or several specific sectors. In particular, the third country should ensure effective data protection supervision and should provide for cooperation mechanisms with the European data protection authorities, and the data subjects should be provided with effective and enforceable rights and effective administrative and judicial redress.

Council General Approach: (81a) Apart from the international commitments the third country or international organisation has entered into, the Commission should also take account of obligations arising from the third country's or international organisation's participation in multilateral or regional systems in particular in relation to the protection of personal data, as well as the implementation of such obligations. In particular the third country's accession to the Council of Europe Convention of 28 January 1981 for the Protection of Individuals with regard to the Automatic Processing of Personal Data and its Additional Protocol should be taken into account. The Commission should consult with the European Data Protection Board when assessing the level of protection in third countries or international organisations.

Council General Approach: (81b) The Commission should monitor the functioning of decisions on the level of protection in a third country or a territory or specified sector within a third country, or an international organisation, including decisions adopted on the basis of Article 25(6) or Article 26(4) of Directive 95/46/EC. The Commission should evaluate, within a reasonable time, the functioning of the latter decisions and report any pertinent findings to the Committee within the meaning of Regulation (EU) No 182/2011 as established under this Regulation.

Amendment 55

COM (2012)0011: (82) The Commission may equally recognise that a third country, or a territory or a processing sector within a third country, or an international organisation offers no adequate level of data protection. Consequently the transfer of personal data to that third country should be prohibited. In that case, provision should be made for consultations between the Commission and such third countries or international organisations.

EP Position / First Reading: (82) The Commission may equally recognise that a third country, or a territory or a processing sector within a third country, or an international organisation offers no adequate level of data protection. Any legislation which provides for extra-territorial access to personal data processed in the Union without authorisation under Union or Member State law should be considered as an indication of a lack of adequacy. Consequently the transfer of personal data to that third country should be prohibited. In that case, provision should be made for consultations between the Commission and such third countries or international organisations.

Council General Approach: (82) The Commission may equally recognise that a third country, or a territory or a processing specified sector within a third country, or an international organisation offers no longer ensures an adequate level of data protection. Consequently the transfer of personal data to that third country or international organisation should be prohibited, unless the requirements of Articles 42 to 44 are fulfilled. In that case, provision should be made for consultations between the Commission and such third countries or international organisations. The Commission should, in a timely manner, inform the third country or international organisation of the reasons and enter into consultations with it in order to remedy the situation.

Amendment 56

COM (2012)0011: (83) In the absence of an adequacy decision, the controller or processor should take measures to compensate for the lack of data protection in a third country by way of appropriate safeguards for the data subject. Such appropriate safeguards may consist of making use of binding corporate rules, standard data protection clauses adopted by the Commission, standard data protection clauses adopted by a supervisory authority or contractual clauses authorised by a supervisory authority, or other suitable and proportionate measures justified in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations and where authorised by a supervisory authority.

EP Position / First Reading: (83) In the absence of an adequacy decision, the controller or processor should take measures to compensate for the lack of data protection in a third country by way of appropriate safeguards for the data subject. Such appropriate safeguards may consist of making use of binding corporate rules, standard data protection clauses adopted by the Commission, standard data protection clauses adopted by a supervisory authority or contractual clauses authorised by a supervisory authority, or other suitable and proportionate measures justified in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations and where authorised by a supervisory authority. Those safeguards should uphold a respect of the data subject's rights adequate to intra-EU processing, in particular relating to purpose limitation, right to access, rectification, erasure and to claim compensation. Those safeguards should in particular guarantee the observance of the principles of personal data processing, safeguard the data subject's rights and provide for effective redress mechanisms, ensure the observance of the principles of data protection by design and by default, guarantee the existence of a data protection officer.

Council General Approach: (83) In the absence of an adequacy decision, the controller or processor should take measures to compensate for the lack of data protection in a third country by way of appropriate safeguards for the data subject. Such appropriate safeguards may consist of making use of binding corporate rules, standard data protection clauses adopted by the Commission, standard data protection clauses adopted by a supervisory authority or ad hoc contractual clauses authorised by a supervisory authority, or other suitable and proportionate measures justified in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations and where authorised by a supervisory authority. Those appropriate safeguards should ensure compliance with data protection requirements and the rights of the data subjects, including the right to obtain effective administrative or judicial redress. They should relate in particular to compliance with the general principles relating to personal data processing, the availability of enforceable data subject's rights and of effective legal remedies and the principles of data protection by design and by default. Transfers may be carried out also by public authorities or bodies with public authorities or bodies in third countries or with international organisations with corresponding duties or functions, including on the basis of provisions to be inserted into administrative arrangements, such as a memorandum of understanding. The authorisation of the competent supervisory authority should be obtained when the safeguards are adduced in non legally binding administrative arrangements.

Amendment 57

COM (2012)0011: (84) The possibility for the controller or processor to use standard data protection clauses adopted by the Commission or by a supervisory authority should neither prevent the possibility for controllers or processors to include the standard data protection clauses in a wider contract nor to add other clauses as long as they do not contradict, directly or indirectly, the standard contractual clauses adopted by the Commission or by a supervisory authority or prejudice the fundamental rights or freedoms of the data subjects.

EP Position / First Reading: (84) The possibility for the controller or processor to use standard data protection clauses adopted by the Commission or by a supervisory authority should neither prevent the possibility for controllers or processors to include the standard data protection clauses in a wider contract nor to add other clauses or supplementary safeguards as long as they do not contradict, directly or indirectly, the standard contractual clauses adopted by the Commission or by a supervisory authority or prejudice the fundamental rights or freedoms of the data subjects. The standard data protection clauses adopted by the Commission could cover different situations, namely transfers from controllers established in the Union to controllers established outside the Union and from controllers established in the Union to processors, including subprocessors, established outside the Union. Controllers and processors should be encouraged to provide even more robust safeguards via additional contractual commitments that supplement standard protection clauses.

Council General Approach: (84) The possibility for the controller or processor to use standard data protection clauses adopted by the Commission or by a supervisory authority should neither prevent the possibility for controllers or processors to include the standard data protection clauses in a wider contract, including in a contract between the processor and another processor, nor to add other clauses or additional safeguards as long as they do not contradict, directly or indirectly, the standard contractual clauses adopted by the Commission or by a supervisory authority or prejudice the fundamental rights or freedoms of the data subjects.

Amendment 58

COM (2012)0011: (85) A corporate group should be able to make use of approved binding corporate rules for its international transfers from the Union to organisations within the same corporate group of undertakings, as long as such corporate rules include essential principles and enforceable rights to ensure appropriate safeguards for transfers or categories of transfers of personal data.

EP Position / First Reading: (85) A corporate group should be able to make use of approved binding corporate rules for its international transfers from the Union to organisations within the same corporate group of undertakings, as long as such corporate rules include all essential principles and enforceable rights to ensure appropriate safeguards for transfers or categories of transfers of personal data.

Council General Approach: (85) A corporate group or a group of enterprises engaged in a joint economic activity should be able to make use of approved binding corporate rules for its international transfers from the Union to organisations within the same corporate group of undertakings or group of enterprises, as long as such corporate rules include essential principles and enforceable rights to ensure appropriate safeguards for transfers or categories of transfers of personal data.


Amendment 59

COM (2012)0011: (86) Provisions should be made for the possibility for transfers in certain circumstances where the data subject has given his consent, where the transfer is necessary in relation to a contract or a legal claim, where important grounds of public interest laid down by Union or Member State law so require or where the transfer is made from a register established by law and intended for consultation by the public or persons having a legitimate interest. In this latter case such a transfer should not involve the entirety of the data or entire categories of the data contained in the register and, when the register is intended for consultation by persons having a legitimate interest, the transfer should be made only at the request of those persons or if they are to be the recipients.

EP Position / First Reading: (86) Provisions should be made for the possibility for transfers in certain circumstances where the data subject has given his consent, where the transfer is necessary in relation to a contract or a legal claim, where important grounds of public interest laid down by Union or Member State law so require or where the transfer is made from a register established by law and intended for consultation by the public or persons having a legitimate interest. In this latter case such a transfer should not involve the entirety of the data or entire categories of the data contained in the register and, when the register is intended for consultation by persons having a legitimate interest, the transfer should be made only at the request of those persons or if they are to be the recipients, taking into full account the interests and fundamental rights of the data subject.

Council General Approach: (86) Provisions should be made for the possibility for transfers in certain circumstances where the data subject has given his explicit consent, where the transfer is necessary occasional in relation to a contract or a legal claim, regardless of whether in a judicial procedure or whether in an administrative or any out-of-court procedure, including procedures before regulatory bodies. Provision should also be made for the possibility for transfers where important grounds of public interest laid down by Union or Member State law so require or where the transfer is made from a register established by law and intended for consultation by the public or persons having a legitimate interest. In this latter case such a transfer should not involve the entirety of the data or entire categories of the data contained in the register and, when the register is intended for consultation by persons having a legitimate interest, the transfer should be made only at the request of those persons or if they are to be the recipients.


Amendment 60

COM (2012)0011: (87) These derogations should in particular apply to data transfers required and necessary for the protection of important grounds of public interest, for example in cases of international data transfers between competition authorities, tax or customs administrations, financial supervisory authorities, between services competent for social security matters, or to competent authorities for the prevention, investigation, detection and prosecution of criminal offences.

EP Position / First Reading: (87) These derogations should in particular apply to data transfers required and necessary for the protection of important grounds of public interest, for example in cases of international data transfers between competition authorities, tax or customs administrations, financial supervisory authorities, between services competent for social security matters or for public health, or to competent public authorities for the prevention, investigation, detection and prosecution of criminal offences, including for the prevention of money laundering and the fight against terrorist financing. A transfer of personal data should equally be regarded as lawful where it is necessary to protect an interest which is essential for the data subject’s or another person’s life, if the data subject is incapable of giving consent. Transferring personal data for such important grounds of public interest should only be used for occasional transfers. In each and every case, a careful assessment of all circumstances of the transfer should be carried out.

Council General Approach: (87) These derogations rules should in particular apply to data transfers required and necessary for the protection of important grounds reasons of public interest, for example in cases of international data transfers exchange between competition authorities, tax or customs administrations, between financial supervisory authorities, between services competent for social security matters, or to competent authorities for the prevention, investigation, detection and prosecution of criminal offences for public health, for example in case of contact tracing for contagious diseases or in order to reduce and/or eliminate doping in sport. A transfer of personal data should equally be regarded as lawful where it is necessary to protect an interest which is essential for the data subject’s or another person’s vital interests, including physical integrity or life, if the data subject is incapable of giving consent. In the absence of an adequacy decision, Union law or Member State law may, for important reasons of public interest, expressly set limits to the transfer of specific categories of data to a third country or an international organization. Member States should notify such provisions to the Commission. Any transfer to an international humanitarian organisation, such as a National Society of the Red Cross or to the ICRC of personal data of a data subject who is physically or legally incapable of giving consent, with the view to accomplishing a task incumbent upon the International Red Cross and Red Crescent Movement under the Geneva Conventions and/or to work for the faithful application of international humanitarian law applicable in armed conflicts could be considered as necessary for an important reason of public interest or being in the vital interest of the data subject.


COM (2012)0011 and EP Position / First Reading: (88) Transfers which cannot be qualified as frequent or massive, could also be possible for the purposes of the legitimate interests pursued by the controller or the processor, when they have assessed all the circumstances surrounding the data transfer. For the purposes of processing for historical, statistical and scientific research purposes, the legitimate expectations of society for an increase of knowledge should be taken into consideration.

Council General Approach: (88) Transfers which cannot be qualified as large scale or frequent or massive, could also be possible for the purposes of the legitimate interests pursued by the controller or the processor, when they have those interests are not overridden by the interests or rights and freedoms of the data subject and when the controller or the processor has assessed all the circumstances surrounding the data transfer. The controller or processor should give particular consideration to the nature of the data, the purpose and duration of the proposed processing operation or operations, as well as the situation in the country of origin, the third country and the country of final destination, and adduced suitable safeguards to protect fundamental rights and freedoms of natural persons with respect to processing of their personal data. For the purposes of processing for historical, statistical and scientific research purposes, the legitimate expectations of society for an increase of knowledge should be taken into consideration. To assess whether a transfer is large scale or frequent the amount of personal data and number of data subjects should be taken into account and whether the transfer takes place on an occasional or regular basis.


Amendment 62

COM (2012)0011 and Council General Approach: (89) In any case, where the Commission has taken no decision on the adequate level of data protection in a third country, the controller or processor should make use of solutions that provide data subjects with a guarantee that they will continue to benefit from the fundamental rights and safeguards as regards processing of their data in the Union once this data has been transferred.

EP Position / First Reading: (89) In any case, where the Commission has taken no decision on the adequate level of data protection in a third country, the controller or processor should make use of solutions that provide data subjects with a legally binding guarantee that they will continue to benefit from the fundamental rights and safeguards as regards processing of their data in the Union once those data have been transferred, to the extent that the processing is not massive, not repetitive and not structural. That guarantee should include financial indemnification in cases of loss or unauthorised access or processing of the data and an obligation, regardless of national legislation, to provide full details of all access to the data by public authorities in the third country.


Amendment 63

COM (2012)0011 and Council General Approach: (90) Some third countries enact laws, regulations and other legislative instruments which purport to directly regulate data processing activities of natural and legal persons under the jurisdiction of the Member States. The extraterritorial application of these laws, regulations and other legislative instruments may be in breach of international law and may impede the attainment of the protection of individuals guaranteed in the Union by this Regulation. Transfers should only be allowed where the conditions of this Regulation for a transfer to third countries are met. This may inter alia be the case where the disclosure is necessary for an important ground of public interest recognised in Union law or in a Member State law to which the controller is subject. The conditions under which an important ground of public interest exists should be further specified by the Commission in a delegated act.

EP Position / First Reading: (90) Some third countries enact laws, regulations and other legislative instruments which purport to directly regulate data processing activities of natural and legal persons under the jurisdiction of the Member States. The extraterritorial application of these laws, regulations and other legislative instruments may be in breach of international law and may impede the attainment of the protection of individuals guaranteed in the Union by this Regulation. Transfers should only be allowed where the conditions of this Regulation for a transfer to third countries are met. This may inter alia be the case where the disclosure is necessary for an important ground of public interest recognised in Union law or in a Member State law to which the controller is subject. The conditions under which an important ground of public interest exists should be further specified by the Commission in a delegated act. In cases where controllers or processors are confronted with conflicting compliance requirements between the jurisdiction of the Union on the one hand, and that of a third country on the other, the Commission should ensure that Union law takes precedence at all times. The Commission should provide guidance and assistance to the controller and processor, and it should seek to resolve the jurisdictional conflict with the third country in question.


COM (2012)0011 and EP Position / First Reading: (91) When personal data moves across borders it may put at increased risk the ability of individuals to exercise data protection rights in particular to protect themselves from the unlawful use or disclosure of that information. At the same time, supervisory authorities may find that they are unable to pursue complaints or conduct investigations relating to the activities outside their borders. Their efforts to work together in the cross-border context may also be hampered by insufficient preventative or remedial powers, inconsistent legal regimes, and practical obstacles like resource constraints. Therefore, there is a need to promote closer co-operation among data protection supervisory authorities to help them exchange information and carry out investigations with their international counterparts.

Council General Approach: (91) When personal data moves across borders outside the Union it may put at increased risk the ability of individuals to exercise data protection rights in particular to protect themselves from the unlawful use or disclosure of that information. At the same time, supervisory authorities may find that they are unable to pursue complaints or conduct investigations relating to the activities outside their borders. Their efforts to work together in the cross-border context may also be hampered by insufficient preventative or remedial powers, inconsistent legal regimes, and practical obstacles like resource constraints. Therefore, there is a need to promote closer co-operation among data protection supervisory authorities to help them exchange information and carry out investigations with their international counterparts. For the purposes of developing international co-operation mechanisms to facilitate and provide international mutual assistance for the enforcement of legislation for the protection of personal data, the Commission and the supervisory authorities should exchange information and cooperate in activities related to the exercise of their powers with competent authorities in third countries, based on reciprocity and in compliance with the provisions of this Regulation, including those laid down in Chapter V.


Article 3

Territorial scope

Amendment 97

COM (2012)0011 and Council General Approach: 1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union.

EP Position / First Reading: 1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, whether the processing takes place in the Union or not.


COM (2012)0011: 2. This Regulation applies to the processing of personal data of data subjects residing in the Union by a controller not established in the Union, where the processing activities are related to: (a) the offering of goods or services to such data subjects in the Union; or (b) the monitoring of their behaviour.

EP Position / First Reading: 2. This Regulation applies to the processing of personal data of data subjects residing in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour such data subjects.

Council General Approach: 2. This Regulation applies to the processing of personal data of data subjects residing in the Union by a controller not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment by the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the European Union.


All three columns: 3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where the national law of a Member State applies by virtue of public international law.


Article 4

Definitions

Amendment 98

For the purposes of this Regulation:

(2a) 'pseudonymous data' means personal data that cannot be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and subject to technical and organisational measures to ensure non-attribution;

(2b) ‘encrypted data’ means personal data, which through technological protection measures is rendered unintelligible to any person who is not authorised to access them;


(3a) 'profiling' means any form of automated processing of personal data intended to evaluate certain personal aspects relating to a natural person or to analyse or predict in particular that natural person’s performance at work, economic situation, location, health, personal preferences, reliability or behaviour;

(3a) 'restriction of processing' means the marking of stored personal data with the aim of limiting their processing in the future;


(3b) 'pseudonymisation' means the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and subject to technical and organisational measures to ensure non-attribution to an identified or identifiable person.

All three columns: (4) 'filing system' means any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis;


All three columns: (5) 'controller' means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes, conditions and means of the processing of personal data; where the purposes, conditions and means of processing are determined by Union law or Member State law, the controller or the specific criteria for his nomination may be designated by Union law or by Member State law;


All three columns: (6) 'processor' means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;

(7a) ‘third party’ means any natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are authorized to process the data;

COM (2012)0011 and EP Position / First Reading: (8) 'the data subject's consent' means any freely given specific, informed and explicit indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed;

Council General Approach: (8) 'the data subject's consent' means any freely given, specific, and informed and explicit indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed;


All three columns: (9) 'personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

COM (2012)0011: (10) 'genetic data' means all data, of whatever type, concerning the characteristics of an individual which are inherited or acquired during early prenatal development;

EP Position / First Reading: (10) 'genetic data' means all personal data, of whatever type, concerning relating to the genetic characteristics of an individual which are have been inherited or acquired during early prenatal development as they result from an analysis of a biological sample from the individual in question, in particular by chromosomal, desoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analysis or analysis of any other element enabling equivalent information to be obtained;

Council General Approach: (10) 'genetic data' means all personal data, of whatever type, concerning relating to the genetic characteristics of an individual which are inherited or acquired during early prenatal development that have been inherited or acquired, which give unique information about the physiology or the health of that individual, resulting in particular from an analysis of a biological sample from the individual in question;


COM (2012)0011: (11) 'biometric data' means any data relating to the physical, physiological or behavioural characteristics of an individual which allow their unique identification, such as facial images, or dactyloscopic data;

EP Position / First Reading: (11) 'biometric data' means any personal data relating to the physical, physiological or behavioural characteristics of an individual which allow his or her unique identification, such as facial images, or dactyloscopic data;

Council General Approach: (11) 'biometric data' means any personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of an individual which allows or confirms the their unique identification of that individual, such as facial images, or dactyloscopic data;

COM (2012)0011: (12) ‘data concerning health’ means any information which relates to the physical or mental health of an individual, or to the provision of health services to the individual;

EP Position / First Reading: (12) ‘data concerning health’ means any information personal data which relate to the physical or mental health of an individual, or to the provision of health services to the individual;

Council General Approach: (12) ‘data concerning health’ means data related any information which relates to the physical or mental health of an individual, which reveal information about his or her health status or to the provision of health services to the individual;

(12a) 'profiling' means any form of automated processing of personal data consisting of using those data to evaluate personal aspects relating to a natural person, in particular to analyse and predict aspects concerning performance at work, economic situation, health, personal preferences, or interests, reliability or behaviour, location or movements;


COM (2012)0011: (14) ‘representative’ means any natural or legal person established in the Union who, explicitly designated by the controller, acts and may be addressed by any supervisory authority and other bodies in the Union instead of the controller, with regard to the obligations of the controller under this Regulation;

EP Position / First Reading: (14) ‘representative’ means any natural or legal person established in the Union who, explicitly designated by the controller, acts and may be addressed by any supervisory authority and other bodies in the Union instead of represents the controller, with regard to the obligations of the controller under this Regulation;

Council General Approach: (14) ‘representative’ means any natural or legal person established in the Union who, explicitly designated by the controller in writing pursuant to Article 25, represents acts and may be addressed by any supervisory authority and other bodies in the Union instead of the controller, with regard to the obligations of the controller under this Regulation;

COM (2012)0011 and EP Position / First Reading: (15) ‘enterprise’ means any entity engaged in an economic activity, irrespective of its legal form, thus including, in particular, natural and legal persons, partnerships or associations regularly engaged in an economic activity;

Council General Approach: (15) ‘enterprise’ means any natural or legal person entity engaged in an economic activity, irrespective of its legal form, thus including, in particular, natural and legal persons, partnerships or associations regularly engaged in an economic activity;

All three columns: (16) 'group of undertakings' means a controlling undertaking and its controlled undertakings;


COM (2012)0011 and EP Position / First Reading: (17) ‘binding corporate rules’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State of the Union for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings;

Council General Approach: (17) ‘binding corporate rules’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State of the Union for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings or group of enterprises engaged in a joint economic activity;

COM (2012)0011 and EP Position / First Reading: (18) 'child' means any person below the age of 18 years;

Council General Approach: (18) deleted

(20) 'Information Society service' means any service as defined by Article 1 (2) of Directive 98/34/EC of the European Parliament and of the Council of 22 June 1998 laying down a procedure for the provision of information in the field of technical standards and regulations and of rules on Information Society services.


Council General Approach: (21) 'international organisation' means an organisation and its subordinate bodies governed by public international law or any other body which is set up by, or on the basis of, an agreement between two or more countries;


CHAPTER II
PRINCIPLES
(identical in all three columns)

Article 5
COM (2012)0011: Principles relating to personal data processing
EP Position / First Reading: Principles relating to personal data processing (Amendment 99)
Council General Approach: Principles relating to personal data processing

COM (2012)0011: Personal data must be: (a) processed lawfully, fairly and in a transparent manner in relation to the data subject; (b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes;
EP Position / First Reading: 1. Personal data mustshall be: (a) processed lawfully, fairly and in a transparent manner in relation to the data subject (lawfulness, fairness and transparency); (b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes (purpose limitation);
Council General Approach: Personal data must be: (a) processed lawfully, fairly and in a transparent manner in relation to the data subject; (b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes; further processing of personal data for archiving purposes in the public interest or scientific, statistical or historical purposes shall in accordance with Article 83 not be considered incompatible with the initial purposes;


COM (2012)0011: (c) adequate, relevant, and limited to the minimum necessary in relation to the purposes for which they are processed; they shall only be processed if, and as long as, the purposes could not be fulfilled by processing information that does not involve personal data; (d) accurate and kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay; (e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the data will be processed solely for historical, statistical or scientific research purposes in accordance with the rules and conditions of Article 83 and if a periodic review is carried out to assess the necessity to continue the storage;
EP Position / First Reading: (c) adequate, relevant, and limited to the minimum necessary in relation to the purposes for which they are processed; they shall only be processed if, and as long as, the purposes could not be fulfilled by processing information that does not involve personal data (data minimisation); (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (accuracy). (e) kept in a form which permits direct or indirect identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the data will be processed solely for historical, statistical or scientific research or for archive purposes in accordance with the rules and conditions of Article Articles 83 and 83a and if a periodic review is carried out to assess the necessity to continue the storage, and if appropriate technical and organizational measures are put in place to limit access to the data only for these purposes (storage minimisation); (ea) processed in a way that effectively allows the data subject to exercise his or her rights (effectiveness); (eb) processed in a way that protects against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (integrity);
Council General Approach: (c) adequate, relevant, and not excessive limited to the minimum necessary in relation to the purposes for which they are processed; they shall only be processed if, and as long as, the purposes could not be fulfilled by processing information that does not involve personal data; (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay; (e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the data will be processed solely for archiving purposes in the public interest, or scientific, historical, statistical, or scientific research or historical purposes in accordance with the rules and conditions of Article 83 and if a periodic review is carried out to assess the necessity to continue the storagesubject to implementation of the appropriate technical and organisational measures required by the Regulation in order to safeguard the rights and freedoms of data subject; (ee) processed in a manner that ensures appropriate security of the personal data.


COM (2012)0011: (f) processed under the responsibility and liability of the controller, who shall ensure and demonstrate for each processing operation the compliance with the provisions of this Regulation.
EP Position / First Reading: (f) processed under the responsibility and liability of the controller, who shall ensure and be able to demonstrate for each processing operation the compliance with the provisions of this Regulation (accountability).
Council General Approach: (f) deleted. 2. The controller shall be responsible for compliance with paragraph 1.


Article 6
COM (2012)0011: Lawfulness of processing
EP Position / First Reading: Lawfulness of processing (Amendment 100)
Council General Approach: Lawfulness of processing

COM (2012)0011: 1. Processing of personal data shall be lawful only if and to the extent that at least one of the following applies: (a) the data subject has given consent to the processing of their personal data for one or more specific purposes; (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; (c) processing is necessary for compliance with a legal obligation to which the controller is subject;
EP Position / First Reading: 1. Processing of personal data shall be lawful only if and to the extent that at least one of the following applies: (a) the data subject has given consent to the processing of their personal data for one or more specific purposes; (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; (c) processing is necessary for compliance with a legal obligation to which the controller is subject;
Council General Approach: 1. Processing of personal data shall be lawful only if and to the extent that at least one of the following applies: (a) the data subject has given unambiguous consent to the processing of their personal data for one or more specific purposes; (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; (c) processing is necessary for compliance with a legal obligation to which the controller is subject;


COM (2012)0011: (d) processing is necessary in order to protect the vital interests of the data subject; (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (f) processing is necessary for the purposes of the legitimate interests pursued by a controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks.
EP Position / First Reading: (d) processing is necessary in order to protect the vital interests of the data subject; (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or, in case of disclosure, by the third party to whom the data is disclosed, and which meet the reasonable expectations of the data subject based on his or her relationship with the controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks.
Council General Approach: (d) processing is necessary in order to protect the vital interests of the data subject or of another person; (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (f) processing is necessary for the purposes of the legitimate interests pursued by a the controller or by a third party, except where such are interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance exercise of their tasks.


COM (2012)0011: 2. Processing of personal data which is necessary for the purposes of historical, statistical or scientific research shall be lawful subject to the conditions and safeguards referred to in Article 83.
EP Position / First Reading: 2. Processing of personal data which is necessary for the purposes of historical, statistical or scientific research shall be lawful subject to the conditions and safeguards referred to in Article 83.
Council General Approach: 2. Processing of personal data which is necessary for archiving thepurposes in the public interest, or offor historical, statistical or scientific research purposes shall be lawful subject also to the conditions and safeguards referred to in Article 83.

[…] (all three columns)


Council General Approach: 3a. In order to ascertain whether a purpose of further processing is compatible with the one for which the data are initially collected, the controller shall take into account, unless the data subject has given consent, inter alia: (a) any link between the purposes for which the data have been collected and the purposes of the intended further processing; (b) the context in which the data have been collected; (c) the nature of the personal data, in particular whether special categories of personal data are processed, pursuant to Article 9; (d) the possible consequences of the intended further processing for data subjects; (e) the existence of appropriate safeguards.


COM (2012)0011: 4. Where the purpose of further processing is not compatible with the one for which the personal data have been collected, the processing must have a legal basis at least in one of the grounds referred to in points (a) to (e) of paragraph 1. This shall in particular apply to any change of terms and general conditions of a contract.
EP Position / First Reading: 4. deleted
Council General Approach: 4. Where the purpose of further processing is not incompatible with the one for which the personal data have been collected by the same controller, the further processing must have a legal basis at least in one of the grounds referred to in points (a) to (e) of paragraph 1. This shall in particular apply to any change of terms and general conditions of a contract. Further processing by the same controller for incompatible purposes on grounds of legitimate interests of that controller or a third party shall be lawful if these interests override the interests of the data subject.

COM (2012)0011: 5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the conditions referred to in point (f) of paragraph 1 for various sectors and data processing situations, including as regards the processing of personal data related to a child.
EP Position / First Reading: 5. deleted
Council General Approach: 5. deleted


Article 7
COM (2012)0011: Conditions for consent
EP Position / First Reading: Conditions for consent (Amendment 101)
Council General Approach: Conditions for consent

COM (2012)0011: 1. The controller shall bear the burden of proof for the data subject's consent to the processing of their personal data for specified purposes. 2. If the data subject's consent is to be given in the context of a written declaration which also concerns another matter, the requirement to give consent must be presented distinguishable in its appearance from this other matter. 3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
EP Position / First Reading: 1. Where processing is based on consent, Tthe controller shall bear the burden of proof for the data subject's consent to the processing of their his or her personal data for specified purposes. 2. If the data subject's consent is given in the context of a written declaration which also concerns another matter, the requirement to give consent must be presented clearly distinguishable in its appearance from this other matter. Provisions on the data subject’s consent which are partly in violation of this Regulation are fully void. 3. Notwithstanding other legal grounds for processing, Tthe data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. It shall be as easy to withdraw consent as to give it. The data subject shall be informed by the controller if withdrawal of consent may result in the termination of the services provided or of the relationship with the controller.
Council General Approach: 1. Where Article 6(1)(a) applies the controller shall bear the burden of proof for the data subject's be able to demonstrate that unambiguous consent to the processing of their personal data for specified purposes was given by the data subject. 1a. Where Article 9(2)(a) applies, the controller shall be able to demonstrate that explicit consent was given by the data subject. 2. If the data subject's consent is to be given in the context of a written declaration which also concerns another matters, the requirement to giverequest for consent must be presented in a manner which is clearly distinguishable in its appearance from thise other matters, in an intelligible and easily accessible form, using clear and plain language. 3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof.


COM (2012)0011: 4. Consent shall not provide a legal basis for the processing, where there is a significant imbalance between the position of the data subject and the controller.
EP Position / First Reading: 4. Consent shall not provide a legal basis for the processing, where there is a significant imbalance between the position of the data subject and the controller be purpose-limited and shall lose its validity when the purpose ceases to exist or as soon as the processing of personal data is no longer necessary for carrying out the purpose for which they were originally collected. The execution of a contract or the provision of a service shall not be made conditional on the consent to the processing of data that is not necessary for the execution of the contract or the provision of the service pursuant to Article 6(1), point (b).
Council General Approach: 4. deleted


Article 8
COM (2012)0011: Processing of personal data of a child
EP Position / First Reading: Processing of personal data of a child (Amendment 102)
Council General Approach: Conditions applicable to child's consent in relation to information society services

COM (2012)0011: 1. For the purposes of this Regulation, in relation to the offering of information society services directly to a child, the processing of personal data of a child below the age of 13 years shall only be lawful if and to the extent that consent is given or authorised by the child's parent or custodian. The controller shall make reasonable efforts to obtain verifiable consent, taking into consideration available technology.
EP Position / First Reading: 1. For the purposes of this Regulation, in relation to the offering of information society goods or services directly to a child, the processing of personal data of a child below the age of 13 years shall only be lawful if and to the extent that consent is given or authorised by the child's parent or custodianlegal guardian. The controller shall make reasonable efforts to obtain verifiable verify such consent, taking into consideration available technology without causing otherwise unnecessary processing of personal data. 1a. Information provided to children, parents and legal guardians in order to express consent, including about the controller’s collection and use of personal data, should be given in a clear language appropriate to the intended audience.
Council General Approach: 1. For the purposes of this RegulationWhere Article 6 (1)(a) applies, in relation to the offering of information society services directly to a child, the processing of personal data of a child below the age of 13 years shall only be lawful if and to the extent that such consent is given or authorised by the holder of parental responsibility over the child's parent or custodianis given by the child in circumstances where it is treated as valid by Union or Member State law. 1a. The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.

COM (2012)0011: 2. Paragraph 1 shall not affect the general contract law of Member States such as the rules on the validity, formation or effect of a contract in relation to a child. 3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the methods to obtain verifiable consent referred to in paragraph 1. In doing so, the Commission shall consider specific measures for micro, small and medium-sized enterprises.
EP Position / First Reading: 2. Paragraph 1 shall not affect the general contract law of Member States such as the rules on the validity, formation or effect of a contract in relation to a child. 3. The Commission European Data Protection Board shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose entrusted with the task of further specifying the criteria and requirements issuing guidelines, recommendations and best practices for the methods to obtain verifiable of verifying consent referred to in paragraph 1, in accordance with Article 66. In doing so, the Commission shall consider specific measures for micro, small and medium-sized enterprises.
Council General Approach: 2. Paragraph 1 shall not affect the general contract law of Member States such as the rules on the validity, formation or effect of a contract in relation to a child. 3. deleted


COM (2012)0011: 4. The Commission may lay down standard forms for specific methods to obtain verifiable consent referred to in paragraph 1. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
EP Position / First Reading: 4. deleted
Council General Approach: 4. deleted

Article 9
COM (2012)0011: Processing of special categories of personal data
EP Position / First Reading: Processing of special Special categories of personal data (Amendment 103)
Council General Approach: Processing of special categories of personal data

COM (2012)0011: 1. The processing of personal data, revealing race or ethnic origin, political opinions, religion or beliefs, trade-union membership, and the processing of genetic data or data concerning health or sex life or criminal convictions or related security measures shall be prohibited. 2. Paragraph 1 shall not apply where:
EP Position / First Reading: 1. The processing of personal data, revealing race or ethnic origin, political opinions, religion or philosophical beliefs, sexual orientation or gender identity, trade-union membership and activities, and the processing of genetic or biometric data or data concerning health or sex lifeor, administrative sanctions, judgments, criminal or suspected offences, convictions or related security measures shall be prohibited. 2. Paragraph 1 shall not applywhere if one of the following applies:
Council General Approach: 1. The processing of personal data, revealing race racial or ethnic origin, political opinions, religionus or philosophical beliefs, trade-union membership, and the processing of genetic data or data concerning health or sex life or criminal convictions or related security measures shall be prohibited. 2. Paragraph 1 shall not apply if one of the following applies:


COM (2012)0011: (a) the data subject has given consent to the processing of those personal data, subject to the conditions laid down in Articles 7 and 8, except where Union law or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject; or (b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller in the field of employment law in so far as it is authorised by Union law or Member State law providing for adequate safeguards; or
EP Position / First Reading: (a) the data subject has given consent to the processing of those personal data for one or more specified purposes, subject to the conditions laid down in Articles 7 and 8, except where Union law or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject; or (aa) processing is necessary for the performance or execution of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; (b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller in the field of employment law in so far as it is authorised by Union law or Member State law or collective agreements providing for adequate safeguards for the fundamental rights and the interests of the data subject such as right to non-discrimination, subject to the conditions and safeguards referred to in Article 82; or
Council General Approach: (a) the data subject has given explicit consent to the processing of those personal data, subject to the conditions laid down in Articles 7 and 8, except where Union law or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject; or (b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union law or Member State law or a collective agreement pursuant to Member State law providing for adequate safeguards; or


COM (2012)0011: (c) processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving consent; or (d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other non-profit-seeking body with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the data are not disclosed outside that body without the consent of the data subjects; or (e) the processing relates to personal data which are manifestly made public by the data subject; or
EP Position / First Reading: (c) processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving consent; or (d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other non-profit-seeking body with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the data are not disclosed outside that body without the consent of the data subjects; or (e) the processing relates to personal data which are manifestly made public by the data subject; or
Council General Approach: (c) processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving consent; or (d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other non-profit-seeking body with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the data are not disclosed outside that body without the consent of the data subjects; or (e) the processing relates to personal data which are manifestly made public by the data subject; or


COM (2012)0011: (f) processing is necessary for the establishment, exercise or defence of legal claims; or (g) processing is necessary for the performance of a task carried out in the public interest, on the basis of Union law, or Member State law which shall provide for suitable measures to safeguard the data subject's legitimate interests; or (h) processing of data concerning health is necessary for health purposes and subject to the conditions and safeguards referred to in Article 81; or
EP Position / First Reading: (f) processing is necessary for the establishment, exercise or defence of legal claims; or (g) processing is necessary for the performance of a task carried out in the for reasons of high public interest, on the basis of Union law, or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable measures to safeguard the fundamental rights and the data subject's legitimate interests of the data subject; or (h) processing of data concerning health is necessary for health purposes and subject to the conditions and safeguards referred to in Article 81; or
Council General Approach: (f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity; or (g) processing is necessary for the performance of a task carried out in the reasons of public interest, on the basis of Union law, or Member State law which shall provide for suitable and specific measures to safeguard the data subject's legitimate interests; or (h) processing of data concerning health is necessary for health purposes the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union law or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in Article 81paragraph 4; or (hb) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious crossborder threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union law or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject; or

COM (2012)0011: (i) processing is necessary for historical, statistical or scientific research purposes subject to the conditions and safeguards referred to in Article 83; or
EP Position / First Reading: (i) processing is necessary for historical, statistical or scientific research purposes subject to the conditions and safeguards referred to in Article 83; or
Council General Approach: (i) processing is necessary for archiving purposes in the public interest or historical, statistical or scientific research purposes and subject to the conditions and safeguards laid down in Union or Member State law, including those referred to in Article 83.


EP Position / First Reading: (ia) processing is necessary for archive services subject to the conditions and safeguards referred to in Article 83a; or

COM (2012)0011: (j) processing of data relating to criminal convictions or related security measures is carried out either under the control of official authority or when the processing is necessary for compliance with a legal or regulatory obligation to which a controller is subject, or for the performance of a task carried out for important public interest reasons, and in so far as authorised by Union law or Member State law providing for adequate safeguards. A complete register of criminal convictions shall be kept only under the control of official authority.
EP Position / First Reading: (j) processing of data relating to administrative sanctions, judgments, criminal offences, convictions or related security measures is carried out either under the control of official authority or when the processing is necessary for compliance with a legal or regulatory obligation to which a controller is subject, or for the performance of a task carried out for important public interest reasons, and in so far as authorised by Union law or Member State law providing for adequate safeguards. A complete for the fundamental rights and the interests of the data subject. Any register of criminal convictions shall be kept only under the control of official authority.
Council General Approach: (j) deleted


COM (2012)0011: 3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria, conditions and appropriate safeguards for the processing of the special categories of personal data referred to in paragraph 1 and the exemptions laid down in paragraph 2.
EP Position / First Reading: 3. The Commission European Data Protection Board shall be empowered to adopt delegated acts in accordance with Article 86 for the purposeentrusted with the task of further specifying the criteria, conditions and appropriate safeguards issuing guidelines, recommendations and best practices for the processing of the special categories of personal data referred to in paragraph 1 and the exemptions laid down in paragraph 2, in accordance with Article 66.
Council General Approach: 3. deleted. 4. Personal data referred to in paragraph 1 may on the basis of Union or Member State law be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.


Council General Approach: 5. Member States may maintain or introduce more specific provisions with regard to genetic data or health data. This includes the possibility for Member States to introduce further conditions for the processing of these data.

Article 9a Processing of data relating to criminal convictions and offences Processing of data relating to criminal convictions and offences or related security measures based on Article 6(1) may only be carried out either under the control of official authority or when the processing is authorised by Union law or Member State law providing for adequate safeguards for the rights and freedoms of data subjects. A complete register of criminal convictions may be kept only under the control of official authority.

Article 10 Article 10 Article 10 Processing not allowing Processing not allowing Processing not allowing identification identification requiring identification Amendment 104

If the data processed by a controller 1. If the data processed by a If the data processed by purposes do not permit the controller to controller do not permit the for which a controller processes identify a natural person, the controller or processor to directly personal data do not permitor do controller shall not be obliged to or indirectly identify a natural no longer require the acquire additional information in person, or consist only of identification of a data subject by order to identify the data subject for pseudonymous data, the the controller to identify a natural the sole purpose of complying with controller shall not be obliged to person, the controller shall not be any provision of this Regulation. process or acquire additional obliged to maintain or acquire information in order to identify the additional information nor to data subject for the sole purpose engage in additional processing of complying with any provision in order to identify the data of this Regulation. subject for the sole purpose of complying with any provision of this Regulation. 2. Where the data controller is 2. Where, in such cases the unable to comply with a provision controller is not in a position to of this Regulation because of identify the data subject, articles paragraph 1, the controller shall 15, 16, 17, 17a, 17b and 18 do not not be obliged to comply with that apply except where the data particular provision of this subject, for the purpose of Regulation. Where as a exercising his or her rights under consequence the data controller these articles, provides additional is unable to comply with a information enabling his or her request of the data subject, it identification. shall inform the data subject accordingly.

CHAPTER III

RIGHTS OF THE DATA SUBJECT

SECTION 1

TRANSPARENCY AND MODALITIES

Article 10 a (new)

Amendment 105

General principles for the rights of the data subject rights

1. The basis of data protection is clear and unambiguous rights for the data subject which shall be respected by the data controller. The provisions of this Regulation aim to strengthen, clarify, guarantee and where appropriate, codify these rights.

2. Such rights include, inter alia, the provision of clear and easily understandable information regarding the processing of the data subject’s his or her personal data, the right of access, rectification and erasure of their his or her data, the right to obtain data, the right to object to profiling, the right to lodge a complaint with the competent data protection authority and to bring legal proceedings as well as the right to compensation and damages resulting from an unlawful processing operation. Such rights shall in general be exercised free of charge. The data controller shall respond to requests from the data subject within a reasonable period of time.

Article 11

Transparent information and communication

Amendment 106

1. The controller shall have 1. The controller shall have deleted transparent and easily accessible concise, transparent, clear and policies with regard to the processing easily accessible policies with of personal data and for the exercise regard to the processing of of data subjects' rights. personal data and for the exercise of data subjects' rights

2. The controller shall provide any 2. The controller shall provide any deleted information and any communication information and any relating to the processing of personal communication relating to the data to the data subject in an processing of personal data to the intelligible form, using clear and data subject in an intelligible plain language, adapted to the data form, using clear and plain subject, in particular for any language, adapted to the data information addressed specifically to subject, in particular for any a child. information addressed specifically to a child.

Article 12

Procedures and mechanisms for Procedures and mechanisms for Procedures and mechanisms exercising the rights of the data exercising the rights of the data Transparent information, subject subject communication and modalities for exercising the rights of the data subject

Amendment 107

1. The controller shall establish 1. The controller shall establish 1. The controller shall establish procedures for providing the procedures for providing the procedures for providing the take information referred to in Article 14 information referred to in Article appropriate measured to provide and for the exercise of the rights of 14 and for the exercise of the any information referred to in data subjects referred to in Article 13 rights of data subjects referred to Article 14 and 14a for the exercise and Articles 15 to 19. The controller in Article 13 and Articles 15 to 19. of the rights of data subjects shall provide in particular The controller shall provide in referred to in Article 13 and any mechanisms for facilitating the particular mechanisms for communication under Articles 15 request for the actions referred to in facilitating the request for the to 19 and 32 relating to the Article 13 and Articles 15 to 19. actions referred to in Article 13 processing of personal data to the Where personal data are processed by and Articles 15 to 19. Where data subject in an intelligible and automated means, the controller shall personal data are processed by easily accessible form, using also provide means for requests to be automated means, the controller clear and plain language. The made electronically. shall also provide means for information shall be provided in requests to be made electronically writing, or by other means, where where possible. appropriately in electronic form. Where the data subject makes the request in electronic form, the information may as a rule be provided in electronic form, unless otherwise requested by the data subject. When requested by the data subject, the information may be given orally provided that the identity of the data subject is proven other means. The controller shall provide in particular mechanisms for facilitating the request for the actions referred to in Article 13 and Articles 15 to 19. Where personal data are processed by automated means, the controller shall also provide means for requests to be made electronically.

1a. The controller shall facilitate the exercise of data subject rights under Articles 15 to 19. In cases referred to in Article 10 (2) the controller shall not refuse to act on the request of the data subject for exercising his/her rights under Articles 15 to 19, unless the controller demonstrates that he/she is not in a position to identify the data subject.

2. The controller shall inform the data 2. The controller shall inform the 2. The controller shall provide subject without delay and, at the data subject without undue delay information on action taken on a latest within one month of receipt of and, at the latest within one month request under Articles 15 and 16 the request, whether or not any action 40 calendar days of receipt of the to 19 to the data subject without has been taken pursuant to Article 13 request, whether or not any action undue delay and, at the latest and Articles 15 to 19 and shall has been taken pursuant to Article within one month of receipt of the provide the requested information. 13 and Articles 15 to 19 and shall request, whether or not any action This period may be prolonged for a provide the requested information. has been taken pursuant to Article further month, if several data subjects This period may be prolonged for 13 and Articles 15 to 19 and shall exercise their rights and their a further month, if several data provide the requested information. cooperation is necessary to a subjects exercise their rights and This period may be prolonged reasonable extent to prevent an their cooperation is necessary to a extended for a further two months unnecessary and disproportionate reasonable extent to prevent an when necessary, taking into effort on the part of the controller. unnecessary and disproportionate account the complexity of the The information shall be given in effort on the part of the controller. request and the number of the writing. Where the data subject The information shall be given in requests., if several data subjects makes the request in electronic form, writing and, where possible, the exercise their rights and their the information shall be provided in controller may provide remote cooperation is necessary to a electronic form, unless otherwise access to a secure system which reasonable extent to prevent an requested by the data subject. would provide the data subject unnecessary and disproportionate with direct access to their his or effort on the part of the controller. her personal data. Where the data The information shall be given in subject makes the request in writing. Where the extended electronic form, the information period applies, the data subject shall be provided in electronic makes the request in electronic form where possible, unless form, the information shall be otherwise requested by the data provided in electronic form, unless subject. otherwise requested by the data subjectinformed within one month of receipt of the request of the reasons for the delay.

3. If the controller refuses to take 3. If the controller refuses to does 3. If the controller refuses todoes action on the request of the data not take action at the request of not take action on the request of subject, the controller shall inform the the data subject, the controller the data subject, the controller data subject of the reasons for the shall inform the data subject of the shall inform the data subject refusal and on the possibilities of reasons for the refusalinaction and without delay and at the latest lodging a complaint to the on the possibilities of lodging a within one month of receipt of supervisory authority and seeking a complaint to the supervisory the request of the reasons for the judicial remedy. authority and seeking a judicial refusalnot taking action and on remedy. the possibilities possibility of lodging a complaint to the a supervisory authority and seeking a judicial remedy.

4. The information and the actions 4. The information and the actions 4. The iInformation and the taken on requests referred to in taken on requests referred to in actions taken on requests referred paragraph 1 shall be free of charge. paragraph 1 shall be free of to in paragraph 1provided under Where requests are manifestly charge. Where requests are Articles 14 and 14a and any excessive, in particular because of manifestly excessive, in particular communication under Articles 16 their repetitive character, the because of their repetitive to 19 and 32 shall be provided controller may charge a fee for character, the controller may free of charge. Where requests providing the information or taking charge a reasonable fee taking from a data subject are manifestly the action requested, or the controller into account the administrative unfounded or excessive, in may not take the action requested. In costs for providing the particular because of their that case, the controller shall bear the information or taking the action repetitive character, the controller burden of proving the manifestly requested, or the controller may may charge a fee for providing the excessive character of the request. not take the action requested. In information or taking the action that case, the controller shall bear requested, or the controller may the burden of proving the not take the action requested manifestly excessive character of refuse to act on the request. the request. In that case, the controller shall bear the burden of proving demonstrating the manifestly unfounded or excessive character of the request.

4a. Without prejudice to Article 10, where the controller has reasonable doubts concerning the identity of the individual making the request referred to in Articles 15 to 19, the controller may request the provision of additional information necessary to confirm the identity of the data subject.

5. The Commission shall be deleted deleted empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and conditions for the manifestly excessive requests and the fees referred to in paragraph 4.

Article 13

Amendment 108

Rights in relation to recipients Rights in relation to recipients Rights in relation to recipients Notification requirement in the event of rectification and erasure

The controller shall communicate The controller shall communicate deleted any rectification or erasure carried any rectification or erasure carried out in accordance with Articles 16 out in accordance with Articles 16 and 17 to each recipient to whom the and 17 to each recipient to whom data have been disclosed, unless this the data have been disclosed proves impossible or involves a transferred, unless this proves disproportionate effort. impossible or involves a disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests this.

SECTION 2

INFORMATION AND ACCESS TO DATA

Article 13 a (new)

Amendment 109

Standardised information policies

1. Where personal data relating to a data subject are collected, the controller shall provide the data subject with the following particulars before providing information pursuant to Article 14: (a) whether personal data are collected beyond the minimum necessary for each specific purpose of the processing; (b) whether personal data are retained beyond the minimum necessary for each specific purpose of the processing; (c) whether personal data are processed for purposes other than the purposes for which they were collected; (d) whether personal data are disseminated to commercial third parties;

(e) whether personal data are sold or rented out; (f) whether personal data are retained in encrypted form. 2. The particulars referred to in paragraph 1 shall be presented pursuant to Annex to this Regulation in an aligned tabular format, using text and symbols, in the following three columns: (a) the first column depicts graphical forms symbolising those particulars; (b) the second column contains essential information describing those particulars; (c) the third column depicts graphical forms indicating whether a specific particular is met. 3. The information referred to in paragraphs 1 and 2 shall be presented in an easily visible and clearly legible way and shall appear in a language easily understood by the consumers of the Member States to whom the information is provided. Where the particulars are presented electronically, they shall be machine readable.

4. Additional particulars shall not be provided. Detailed explanations or further remarks regarding the particulars referred to in paragraph 1 may be provided together with the other information requirements pursuant to Article 14. 5. The Commission shall be empowered to adopt, after requesting an opinion of the European Data Protection Board, delegated acts in accordance with Article 86 for the purpose of further specifying the particulars referred to in paragraph 1 and their presentation as referred to in paragraph 2 and in the Annex to this Regulation.

Article 14

Information to the data subject Information to the data subject Information to be provided where the data are collected from the data subject

Amendment 110

1. Where personal data relating to a 1. Where personal data relating to 1. Where personal data relating to data subject are collected, the a data subject are collected, the a data subject are collected from controller shall provide the data controller shall provide the data the data subject, the controller subject with at least the following subject with at least the following shall, at the time when personal information: information, after the particulars data are obtained, provide the pursuant to Article 13a have been data subject with at least the provided: following information:

(a) the identity and the contact details (a) the identity and the contact (a) the identity and the contact of the controller and, if any, of the details of the controller and, if details of the controller and, if controller's representative and of the any, of the controller's any, of the controller's data protection officer; representative and of the data representative; the controller protection officer; shall also include the contact details and of the data protection officer, if any;

(b) the purposes of the processing for (b) the purposes of the processing (b) the purposes of the processing which the personal data are intended, for which the personal data are for which the personal data are including the contract terms and intended, as well as information intended, including the contract general conditions where the regarding the security of the terms and general conditions processing is based on point (b) of processing of personal data, where the processing is based on Article 6(1) and the legitimate including the contract terms and point (b) of Article 6(1) and the interests pursued by the controller general conditions where the legitimate interests pursued by the where the processing is based on processing is based on point (b) of controller where the processing is point (f) of Article 6(1); Article 6(1) and the legitimate based on point (f) of Article 6(1); interests pursued by the controller as well as the legal basis of the where the processing is based on , processing. where applicable, information on how they implement and meet the requirements of point (f) of Article 6(1);

1a. In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with such further information that is necessary to ensure fair and transparent processing, having regard to the specific circumstances and context in which the personal data are processed:

(c) the period for which the personal (c) the period for which the deleted data will be stored; personal data will be stored, or if this is not possible, the criteria used to determine this period;

(b) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;

(fc) the recipients or categories of recipients of the personal data;

(gd) where applicable, that the controller intends to transfer personal data to a recipient in a third country or international organisation and on the level of protection afforded by that third country or international organisation by reference to an adequacy decision by the Commission;

(d) the existence of the right to (d) the existence of the right to (de) the existence of the right to request from the controller access to request from the controller access request from the controller access and rectification or erasure of the to and rectification or erasure of to and rectification or erasure of personal data concerning the data the personal data concerning the the personal data or restriction of subject or to object to the processing data subject, or to object to the processing of personal data of such personal data; processing of such personal data, concerning the data subject or and or to obtain data; to object to the processing of such personal data as well as the right to data portability;

(ea) where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;

(e) the right to lodge a complaint to (e) the right to lodge a complaint (ef) the right to lodge a complaint the supervisory authority and the towith the supervisory authority to the a supervisory authority and contact details of the supervisory and the contact details of the the contact details of the authority; supervisory authority; supervisory authority;

(f) the recipients or categories of (f) the recipients or categories of moved under (c) recipients of the personal data; recipients of the personal data;

(g) where applicable, that the (g) where applicable, that the moved under (d) modified controller intends to transfer to a third controller’s intends to transfer the country or international organisation data to a third country or and on the level of protection international organisation and on afforded by that third country or the level of protection afforded by international organisation by that third country or international reference to an adequacy decision by organisation by reference to the the Commission; existence or absence of an adequacy decision by the Commission, or in case of transfers referred to in Article 42, Articleor 43, or point (h) of Article 44(1), reference to the appropriate safeguards and the means to obtain a copy of them;

(g) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the data and of the possible consequences of failure to provide such data;

(ga) where applicable, information about the existence of profiling, of measures based on profiling, and the envisaged effects of profiling on the data subject;

(gb) meaningful information about the logic involved in any automated processing;

(h) the existence of automated decision making including profiling referred to in Article 20(1) and (3) and information concerning the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

(h) any further information necessary (h) any further information which deleted to guarantee fair processing in respect is necessary to guarantee fair of the data subject, having regard to processing in respect of the data the specific circumstances in which subject, having regard to the the personal data are collected. specific circumstances in which the personal data are collected or processed, in particular the existence of certain processing activities and operations for which a personal data impact assessment has indicated that there may be a high risk;

(ha) where applicable, information whether personal data was were provided to public authorities during the last consecutive 12-month period.

1b. Where the controller intends to further process the data for a purpose other than the one for which the data were collected the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 1a.

2. Where the personal data are 2. Where the personal data are deleted collected from the data subject, the collected from the data subject, controller shall inform the data the controller shall inform the data subject, in addition to the information subject, in addition to the referred to in paragraph 1, whether information referred to in the provision of personal data is paragraph 1, whether the provision obligatory or voluntary, as well as the of personal data is obligatory possible consequences of failure to mandatory or voluntaryoptional, provide such data. as well as the possible consequences of failure to provide such data.

2a. In deciding on further information which is necessary to make the processing fair under point (h) of paragraph 1, controllers shall have regard to any relevant guidance under Article 3834.

3. Where the personal data are not 3. Where the personal data are not deleted collected from the data subject, the collected from the data subject, controller shall inform the data the controller shall inform the data subject, in addition to the information subject, in addition to the referred to in paragraph 1, from information referred to in which source the personal data paragraph 1, from which source originate. the specific personal data originate. If personal data originate from publicly available sources, a general indication may be given.

4. The controller shall provide the 4. The controller shall provide the deleted information referred to in paragraphs information referred to in 1, 2 and 3: paragraphs 1, 2 and 3:

(a) at the time when the personal data (a) at the time when the personal deleted are obtained from the data subject; or data are obtained from the data subject or without undue delay where the above is not feasible; or

(aa) on at the request by of a body, organization or association referred to in Article 73;

(b) where the personal data are not (b) where the personal data are not deleted collected from the data subject, at the collected from the data subject, at time of the recording or within a the time of the recording or within reasonable period after the collection, a reasonable period after the having regard to the specific collection, having regard to the circumstances in which the data are specific circumstances in which collected or otherwise processed, or, the data are collected or otherwise if a disclosure to another recipient is processed, or, if a disclosure envisaged, and at the latest when the transfer to another recipient is data are first disclosed. envisaged, and at the latest when the data are first disclosed.at the time of the first transfer, or, if the data are to be used for communication with the data subject concerned, at the latest at the time of the first communication to that data subject; or

(ba) only on request where the data are processed by a small or micro enterprise which processes personal data only as an ancillary activity.

5. Paragraphs 1 to 4 shall not apply, 5. Paragraphs 1 to 4 shall not 5. Paragraphs 1, to 41a and 1b where: apply, where: shall not apply, where and insofar as the data subject already has the information.

(a) the data subject has already the (a) the data subject has already the merged with above 5. information referred to in paragraphs information referred to in 1, 2 and 3; or paragraphs 1, 2 and 3; or

(b) the data are not collected from the (b) the data are processed for deleted data subject and the provision of such historical, statistical or scientific information proves impossible or research purposes subject to the would involve a disproportionate conditions and safeguards effort; or referred to in Articles 81 and 83, are not collected from the data subject and the provision of such information proves impossible or would involve a disproportionate effort and the controller has published the information for anyone to retrieve; or

(c) the data are not collected from the (c) the data are not collected from deleted data subject and recording or the data subject and recording or disclosure is expressly laid down by disclosure is expressly laid down law; or by law to which the controller is subject, which provides appropriate measures to protect the data subject's legitimate interests, considering the risks represented by the processing and the nature of the personal data; or

(d) the data are not collected from the (d) the data are not collected from deleted data subject and the provision of such the data subject and the provision information will impair the rights and of such information will impair freedoms of others, as defined in the rights and freedoms of others Union law or Member State law in other natural persons, as defined accordance with Article 21. in Union law or Member State law in accordance with Article 21;

(da) the data are processed in the exercise of his profession by, or are entrusted or become known to, a person who is subject to an obligation of professional secrecy regulated by Union or Member State law or to a statutory obligation of secrecy, unless the data is collected directly from the data subject.

6. In the case referred to in point (b) 6. In the case referred to in point deleted of paragraph 5, the controller shall (b) of paragraph 5, the controller provide appropriate measures to shall provide appropriate measures protect the data subject's legitimate to protect the data subject's rights interests. or legitimate interests.

7. The Commission shall be deleted deleted empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria for categories of recipients referred to in point (f) of paragraph 1, the requirements for the notice of potential access referred to in point (g) of paragraph 1, the criteria for the further information necessary referred to in point (h) of paragraph 1 for specific sectors and situations, and the conditions and appropriate safeguards for the exceptions laid down in point (b) of paragraph 5. In doing so, the Commission shall take the appropriate measures for micro, small and medium-sized-enterprises.

8. The Commission may lay down deleted deleted standard forms for providing the information referred to in paragraphs 1 to 3, taking into account the specific characteristics and needs of various sectors and data processing situations where necessary. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

Article 14a

Information to be provided where the data have not been obtained from the data subject

1. Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information:

(a) the identity and the contact details of the controller and, if any, of the controller's representative; the controller shall also include the contact details of the data protection officer, if any;

(b) the purposes of the processing for which the personal data are intended as well as the legal basis of the processing.

2. In addition to the information referred to in paragraph 1, the controller shall provide the data subject with such further information that is necessary to ensure fair and transparent processing in respect of the data subject, having regard to the specific circumstances and context in which the personal data are processed:

(a) the categories of personal data concerned;

(c) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;

(d) the recipients or categories of recipients of the personal data;

(da) where applicable, that the controller intends to transfer personal data to a recipient in a third country or international organisation;

(e) the existence of the right to request from the controller access to and rectification or erasure of the personal data or restriction of processing of personal data concerning the data subject and to object to the processing of such personal data as well as the right to data portability;

(ea) where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;

(f) the right to lodge a complaint to a supervisory authority;

(g) from which source the personal data originate, unless the data originate from publicly accessible sources;

(h) the existence of automated decision making including profiling referred to in Article 20(1) and (3) and information concerning the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

3. The controller shall provide the information referred to in paragraphs 1 and 2:

(a) within a reasonable period after obtaining the data, but at the latest within one month, having regard to the specific circumstances in which the data are processed, or

(b) if a disclosure to another recipient is envisaged, at the latest when the data are first disclosed.

3a. Where the controller intends to further process the data for a purpose other than the one for which the data were obtained, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2.

4. Paragraphs 1 to 3a shall not apply where and insofar as:

(a) the data subject already has the information; or

(b) the provision of such information proves impossible or would involve a disproportionate effort; in such cases the controller shall take appropriate measures to protect the data subject's rights and freedoms and legitimate interests; or

(c) obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject, which provides appropriate measures to protect the data subject's legitimate interests; or

(e) where the data must remain confidential in accordance with Union or Member State law.

Article 15

Amendment 111

COM: Right of access for the data subject
EP: Right of to access and to obtain data for the data subject
Council: Right of access for the data subject

  • 1. 
    COM: The data subject shall have the right to obtain from the controller at any time, on request, confirmation as to whether or not personal data relating to the data subject are being processed. Where such personal data are being processed, the controller shall provide the following information:
    EP: 1. TheSubject to Article 12(4), the data subject shall have the right to obtain from the controller at any time, on request, confirmation as to whether or not personal data relating to the data subject are being processed. Where such personal data are being processed, and, in clear and plain language, the controller shall provide the following information:
    Council: 1. The data subject shall have the right to obtain from the controller at reasonable intervals and free of charge any time, on request, confirmation as to whether or not personal data relating to the data subject concerning him or her are being processed and . Wwhere such personal data are being processed, the controller shall provideaccess to the data and the following information:

COM: (a) the purposes of the processing;
EP: (a) the purposes of the processing for each category of personal data;
Council: (a) the purposes of the processing;

COM: (b) the categories of personal data concerned;
EP: (b) the categories of personal data concerned;
Council: deleted

COM: (c) the recipients or categories of recipients to whom the personal data are to be or have been disclosed, in particular to recipients in third countries;
EP: (c) the recipients or categories of recipients to whom the personal data are to be or have been disclosed, in particular including to recipients in third countries;
Council: (c) the recipients or categories of recipients to whom the personal data are to be or have been or will be disclosed, in particular to recipients in third countries or international organisations;

COM: (d) the period for which the personal data will be stored;
EP: (d) the period for which the personal data will be stored, or if this is not possible, the criteria used to determine this period;
Council: (d) where possible, the envisaged period for which the personal data will be stored;

COM: (e) the existence of the right to request from the controller rectification or erasure of personal data concerning the data subject or to object to the processing of such personal data;
EP: (e) the existence of the right to request from the controller rectification or erasure of personal data concerning the data subject or to object to the processing of such personal data;
Council: (e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of the processing of personal data concerning the data subject or to object to the processing of such personal data;

COM: (f) the right to lodge a complaint to the supervisory authority and the contact details of the supervisory authority;
EP: (f) the right to lodge a complaint to with the supervisory authority and the contact details of the supervisory authority;
Council: (f) the right to lodge a complaint to a supervisory authority;

COM: (g) communication of the personal data undergoing processing and of any available information as to their source;
EP: deleted
Council: (g) where communication of the personal data undergoing processing and of are not collected from the data subject, any available information as to their source;

COM: (h) the significance and envisaged consequences of such processing, at least in the case of measures referred to in Article 20.
EP: (h) the significance and envisaged consequences of such processing, at least in the case of measures referred to in Article 20.;
Council: (h) in the case of decisions based on automated processing including profiling referred to in Article 20(1) and (3), information concerning the logic involved as well as the significance and envisaged consequences of such processing, at least in the case of measures referred to in Article 20.

(ha) meaningful information about the logic involved in any automated processing;

(hb) without prejudice to Article 21, in the event of disclosure of personal data to a public authority as a result of a public authority request, confirmation of the fact that such a request has been made.

1a. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 42 relating to the transfer.

1b. On request and without an excessive charge, the controller shall provide a copy of the personal data undergoing processing to the data subject.

  • 2. 
    COM: The data subject shall have the right to obtain from the controller communication of the personal data undergoing processing. Where the data subject makes the request in electronic form, the information shall be provided in electronic form, unless otherwise requested by the data subject.
    EP: 2. The data subject shall have the right to obtain from the controller communication of the personal data undergoing processing. Where the data subject makes the request in electronic form, the information shall be provided in an electronic form and structured format, unless otherwise requested by the data subject. Without prejudice to Article 10, the controller shall take all reasonable steps to verify that the person requesting access to the data is the data subject.
    Council: deleted (see Article 18 Council text)

2a. Where the data subject has provided the personal data where the personal data are processed by electronic means, the data subject shall have the right to obtain from the controller a copy of the provided personal data in an electronic and interoperable format which is commonly used and allows for further use by the data subject without hindrance from the controller from whom the personal data are withdrawn. Where technically feasible and available, the data shall be transferred directly from controller to controller at the request of the data subject.

2b. This Article shall be without prejudice to the obligation to delete data when no longer necessary under point (e) of Article 5(1).

2c. There shall be no right of access in accordance with paragraphs 1 and 2 when data within the meaning of point (da) of Article 14(5) are concerned, except if the data subject is empowered to lift the secrecy in question and acts accordingly.

2a. The right to obtain a copy referred to in paragraph 1b shall not apply where such copy cannot be provided without disclosing personal data of other data subjects or confidential data of the controller. Furthermore, this right shall not apply if disclosing personal data would infringe intellectual property rights in relation to processing of those personal data.

  • 3. 
    COM: The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the communication to the data subject of the content of the personal data referred to in point (g) of paragraph 1.
    EP: deleted
    Council: deleted

  • 4. 
    COM: The Commission may specify standard forms and procedures for requesting and granting access to the information referred to in paragraph 1, including for verification of the identity of the data subject and communicating the personal data to the data subject, taking into account the specific features and necessities of various sectors and data processing situations. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
    EP: deleted
    Council: deleted

SECTION 3

RECTIFICATION AND ERASURE

Article 16

Right to rectification

COM: The data subject shall have the right to obtain from the controller the rectification of personal data relating to them which are inaccurate. The data subject shall have the right to obtain completion of incomplete personal data, including by way of supplementing a corrective statement.
EP: The data subject shall have the right to obtain from the controller the rectification of personal data relating to them which are inaccurate. The data subject shall have the right to obtain completion of incomplete personal data, including by way of supplementing a corrective statement.
Council: The data subject shall have the right to obtain from the controller without undue delay the rectification of personal data relating to them concerning him or her which are inaccurate. Having regard to the purposes for which data were processed, The the data subject shall have the right to obtain completion of incomplete personal data, including by way means of supplementing providing a corrective supplementary statement.

Article 17

Amendment 112

COM: Right to be forgotten and to erasure
EP: Right to be forgotten and to erasure
Council: Right to erasure and to be forgotten and to erasure

  • 1. 
    COM: The data subject shall have the right to obtain from the controller the erasure of personal data relating to them and the abstention from further dissemination of such data, especially in relation to personal data which are made available by the data subject while he or she was a child, where one of the following grounds applies:
    EP: 1. The data subject shall have the right to obtain from the controller the erasure of personal data relating to him or her and the abstention from further dissemination of such data, especially in relation to personal data which are made available by the data subject while he or she was a child, and to obtain from third parties the erasure of any links to, or copy or replication of, those data where one of the following grounds applies:
    Council: 1. The data subject shall have the right to obtain from the controller shall have the obligation to erase the erasure of personal data relating to them and the abstention from further dissemination of such data, especially in relation to personal data which are made available by without undue delay, especially in relation to personal which are collected when the data subject while he or she was a child, and the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay where one of the following grounds applies:

COM: (a) the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
EP: (a) the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
Council: (a) the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

COM: (b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or when the storage period consented to has expired, and where there is no other legal ground for the processing of the data;
EP: (b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or when the storage period consented to has expired, and where there is no other legal ground for the processing of the data;
Council: (b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2) and when the storage period consented to has expired, and where there is no other legal ground for the processing of the data;

COM: (c) the data subject objects to the processing of personal data pursuant to Article 19;
EP: (c) the data subject objects to the processing of personal data pursuant to Article 19;
Council: (c) the data subject objects to the processing of personal data pursuant to Article 19(1) and there are no overriding legitimate grounds for the processing or the data subject objects to the processing of personal data pursuant to Article 19(2);

(ca) a court or regulatory authority based in the Union has ruled as final and absolute that the data concerned must be erased;

COM: (d) the processing of the data does not comply with this Regulation for other reasons.
EP: (d) the processing of the data does not comply with this Regulation for other reasons has have been unlawfully processed.
Council: (d) the processing of the data does not comply with this Regulation for other reasons have been unlawfully processed;

(e) the data have to be erased for compliance with a legal obligation to which the controller is subject.

1a. The application of paragraph 1 shall be dependent upon the ability of the controller to verify that the person requesting the erasure is the data subject.

1a. The data subject shall have also the right to obtain from the controller the erasure of personal data concerning him or her, without undue delay, if the data have been collected in relation to the offering of information society services referred to in Article 8(1).

  • 2. 
    COM: Where the controller referred to in paragraph 1 has made the personal data public, it shall take all reasonable steps, including technical measures, in relation to data for the publication of which the controller is responsible, to inform third parties which are processing such data, that a data subject requests them to erase any links to, or copy or replication of that personal data. Where the controller has authorised a third party publication of personal data, the controller shall be considered responsible for that publication.
    EP: 2. Where the controller referred to in paragraph 1 has made the personal data public without a justification based on Article 6(1), it shall take all reasonable steps, including technical measures, in relation to data for the publication of which the controller is responsible, to inform third parties which are processing such data, that a data subject requests them to erase any links to, or copy or replication of that personal data. Where the controller has authorised a third party publication of personal data, the controller shall be considered responsible for that publication to have the data erased, including by third parties, without prejudice to Article 77. The controller shall inform the data subject, where possible, of the action taken by the relevant third parties.
    Council: deleted

2a. Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the data, that the data subject has requested the erasure by such controllers of any links to, or copy or replication of that personal data.

  • 3. 
    COM: The controller shall carry out the erasure without delay, except to the extent that the retention of the personal data is necessary:
    EP: 3. The controller and, where applicable, the third party shall carry out the erasure without delay, except to the extent that the retention of the personal data is necessary:
    Council: 3. The controller shall carry out the erasure without delay, except Paragraphs 1 and 2a shall not apply to the extent that the retention processing of the personal data is necessary:

COM: (a) for exercising the right of freedom of expression in accordance with Article 80;
EP: (a) for exercising the right of freedom of expression in accordance with Article 80;
Council: (a) for exercising the right of freedom of expression in accordance with Article 80 and information;

(b) for compliance with a legal obligation which requires processing of personal data by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

COM: (b) for reasons of public interest in the area of public health in accordance with Article 81;
EP: (b) for reasons of public interest in the area of public health in accordance with Article 81;
Council: (bc) for reasons of public interest in the area of public health in accordance with Article 819(2)(h) and (hb) as well as Article 9(4);

COM: (c) for historical, statistical and scientific research purposes in accordance with Article 83;
EP: (c) for historical, statistical and scientific research purposes in accordance with Article 83;
Council: (cd) for archiving purposes in the public interest or for scientific, historical, statistical and historicalscientific research purposes in accordance with Article 83;

COM: (d) for compliance with a legal obligation to retain the personal data by Union or Member State law to which the controller is subject; Member State laws shall meet an objective of public interest, respect the essence of the right to the protection of personal data and be proportionate to the legitimate aim pursued;
EP: (d) for compliance with a legal obligation to retain the personal data by Union or Member State law to which the controller is subject; Member State laws shall meet an objective of public interest, respect the right to the protection of personal data and be proportionate to the legitimate aim pursued;
Council: deleted

COM: (e) in the cases referred to in paragraph 4.
EP: (e) in the cases referred to in paragraph 4.
Council: deleted

(g) for the establishment, exercise or defence of legal claims.

  • 4. 
    COM: Instead of erasure, the controller shall restrict processing of personal data where:
    EP: 4. Instead of erasure, the controller shall restrict processing of personal data in such a way that it is not subject to the normal data access and processing operations and cannot be changed anymore, where:
    Council: deleted

COM: (a) their accuracy is contested by the data subject, for a period enabling the controller to verify the accuracy of the data;
EP: (a) their accuracy is contested by the data subject, for a period enabling the controller to verify the accuracy of the data;
Council: deleted

COM: (b) the controller no longer needs the personal data for the accomplishment of its task but they have to be maintained for purposes of proof;
EP: (b) the controller no longer needs the personal data for the accomplishment of its task but they have to be maintained for purposes of proof;
Council: deleted

COM: (c) the processing is unlawful and the data subject opposes their erasure and requests the restriction of their use instead;
EP: (c) the processing is unlawful and the data subject opposes their erasure and requests the restriction of their use instead;
Council: deleted

(ca) a court or regulatory authority based in the Union has ruled as final and absolute than the processing that the data concerned must be restricted;

COM: (d) the data subject requests to transmit the personal data into another automated processing system in accordance with Article 18(2).
EP: (d) the data subject requests to transmit the personal data into another automated processing system in accordance with paragraphs 2a of Article 18(2).15;
Council: deleted

(da) the particular type of storage technology does not allow for erasure and has been installed before the entry into force of this Regulation.

  • 5. 
    COM: Personal data referred to in paragraph 4 may, with the exception of storage, only be processed for purposes of proof, or with the data subject's consent, or for the protection of the rights of another natural or legal person or for an objective of public interest.
    EP: 5. Personal data referred to in paragraph 4 may, with the exception of storage, only be processed for purposes of proof, or with the data subject's consent, or for the protection of the rights of another natural or legal person or for an objective of public interest.
    Council: deleted
  • 6. 
    COM: Where processing of personal data is restricted pursuant to paragraph 4, the controller shall inform the data subject before lifting the restriction on processing.
    EP: 6. Where processing of personal data is restricted pursuant to paragraph 4, the controller shall inform the data subject before lifting the restriction on processing.
    Council: deleted
  • 7. 
    COM: The controller shall implement mechanisms to ensure that the time limits established for the erasure of personal data and/or for a periodic review of the need for the storage of the data are observed.
    EP: deleted
    Council: deleted
  • 8. 
    COM: Where the erasure is carried out, the controller shall not otherwise process such personal data.
    EP: 8. Where the erasure is carried out, the controller shall not otherwise process such personal data.
    Council: deleted

8a. The controller shall implement mechanisms to ensure that the time limits established for the erasure of personal data and/or for a periodic review of the need for the storage of the data are observed.

  • 9. 
    COM: The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying:
    EP: 9. The Commission shall be empowered to adopt, after requesting an opinion of the European Data Protection Board, delegated acts in accordance with Article 86 for the purpose of further specifying:
    Council: deleted

COM: (a) the criteria and requirements for the application of paragraph 1 for specific sectors and in specific data processing situations;
EP: (a) the criteria and requirements for the application of paragraph 1 for specific sectors and in specific data processing situations;
Council: deleted

COM: (b) the conditions for deleting links, copies or replications of personal data from publicly available communication services as referred to in paragraph 2;
EP: (b) the conditions for deleting links, copies or replications of personal data from publicly available communication services as referred to in paragraph 2;
Council: deleted

COM: (c) the criteria and conditions for restricting the processing of personal data referred to in paragraph 4.
EP: (c) the criteria and conditions for restricting the processing of personal data referred to in paragraph 4.
Council: deleted

Article 17a

Right to restriction of processing

1. The data subject shall have the right to obtain from the controller the restriction of the processing of personal data where:

(a) the accuracy of the data is contested by the data subject, for a period enabling the controller to verify the accuracy of the data;

(b) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; or

(c) he or she has objected to processing pursuant to Article 19(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.

2. Where processing of personal data has been restricted under paragraph 1, such data may, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest.

3. A data subject who obtained the restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction of processing is lifted.

Article 17b

Notification obligation regarding rectification, erasure or restriction

The controller shall communicate any rectification, erasure or restriction of processing carried out in accordance with Articles 16, 17(1) and 17a to each recipient to whom the data have been disclosed, unless this proves impossible or involves disproportionate effort.

Article 18

Amendment 113

Right to data portability

  • 1. 
    COM: The data subject shall have the right, where personal data are processed by electronic means and in a structured and commonly used format, to obtain from the controller a copy of data undergoing processing in an electronic and structured format which is commonly used and allows for further use by the data subject.
    EP: deleted
    Council: deleted
  • 2. 
    COM: Where the data subject has provided the personal data and the processing is based on consent or on a contract, the data subject shall have the right to transmit those personal data and any other information provided by the data subject and retained by an automated processing system, into another one, in an electronic format which is commonly used, without hindrance from the controller from whom the personal data are withdrawn.
    EP: deleted
    Council: 2. Where tThe data subject has provided shall have the right to receive the personal data concerning him or her, which he or she has provided and the processing is based on consent or on a contract, the data subject shall have the right to transmit those personal data and any other information provided by the data subject and retained by an automated processing system, into another one, in an electronic format which is to a controller, in a structured and commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller from whom the personal data are withdrawn to which the data have been provided, where:

(a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and

(b) the processing is carried out by automated means.

2a. The exercise of this right shall be without prejudice to Article 17. The right referred to in paragraph 2 shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

2aa. The right referred to in paragraph 2 shall not apply if disclosing personal data would infringe intellectual property rights in relation to the processing of those personal data.

  • 3. 
    COM: The Commission may specify the electronic format referred to in paragraph 1 and the technical standards, modalities and procedures for the transmission of personal data pursuant to paragraph 2. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
    EP: deleted
    Council: deleted

SECTION 4

COM: RIGHT TO OBJECT AND PROFILING
EP: RIGHT TO OBJECT AND PROFILING
Council: RIGHT TO OBJECT AND PROFILING AUTOMATED INDIVIDUAL DECISION MAKING

Article 19

Right to object

Amendment 114

  • 1. 
    COM: The data subject shall have the right to object, on grounds relating to their particular situation, at any time to the processing of personal data which is based on points (d), (e) and (f) of Article 6(1), unless the controller demonstrates compelling legitimate grounds for the processing which override the interests or fundamental rights and freedoms of the data subject.
    EP: 1. The data subject shall have the right to object, on grounds relating to their particular situation, at any time to the processing of personal data which is based on points (d), and (e) and (f) of Article 6(1), unless the controller demonstrates compelling legitimate grounds for the processing which override the interests or fundamental rights and freedoms of the data subject.
    Council: 1. The data subject shall have the right to object, on grounds relating to their his or her particular situation, at any time to the processing of personal data concerning him or her which is based on points (e) and or (f) of Article 6(1); the first sentence of Article 6(4) in conjunction with point (e) of Article 6(1) or the second sentence of Article 6(4). The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, or fundamental rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

  • 2. 
    COM: Where personal data are processed for direct marketing purposes, the data subject shall have the right to object free of charge to the processing of their personal data for such marketing. This right shall be explicitly offered to the data subject in an intelligible manner and shall be clearly distinguishable from other information.
    EP: 2. Where the processing of personal data are processed for direct marketing purposes is based on point (f) of Article 6(1), the data subject shall have, at any time and without any further justification, the right to object free of charge in general or for any particular purpose to the processing of his or her personal data for such marketing. This right shall be explicitly offered to the data subject in an intelligible manner and shall be clearly distinguishable from other information.
    Council: 2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object free of charge at any time to the processing of their personal data concerning him or her for such marketing. At the latest at the time of the first communication with the data subject, Tthis right shall be explicitly offered to brought to the attention of the data subject in an intelligible manner and shall be clearly distinguishable presented clearly and separately from any other information.

    2a. The right referred to in paragraph 2 shall be explicitly offered to the data subject in an intelligible manner and form, using clear and plain language, in particular if addressed specifically to a child, and shall be clearly distinguishable from other information.


2a. Where the data subject objects to the processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

2b. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the right to object may be exercised by automated means using a technical standard which allows the data subject to clearly express his or her wishes.

2aa. Where personal data are processed for historical, statistical or scientific purposes the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.


Commission proposal: 3. Where an objection is upheld pursuant to paragraphs 1 and 2, the controller shall no longer use or otherwise process the personal data concerned.

EP first reading: 3. Where an objection is upheld pursuant to paragraphs 1 and 2, the controller shall no longer use or otherwise process the personal data concerned for the purposes determined in the objection.

Council General Approach: deleted


Article 20

Amendment 115

Commission proposal: Measures based on profiling

EP first reading: Measures based on profiling Profiling

Council General Approach: Measures based on profiling Automated individual decision making

Commission proposal: 1. Every natural person shall have the right not to be subject to a measure which produces legal effects concerning this natural person or significantly affects this natural person, and which is based solely on automated processing intended to evaluate certain personal aspects relating to this natural person or to analyse or predict in particular the natural person's performance at work, economic situation, location, health, personal preferences, reliability or behaviour.

EP first reading: 1. Without prejudice to the provisions in Article 6, Every every natural person shall have the right to object not to be subject to a measure which produces legal effects concerning this natural person or significantly affects this natural person, and which is based solely on automated processing intended to evaluate certain personal aspects relating to this natural person or to analyse or predict in particular the natural person's performance at work, economic situation, location, health, personal preferences, reliability or behaviour profiling in accordance with Article 19. The data subject shall be informed about the right to object to profiling in a highly visible manner.

Council General Approach: 1. Every natural person The data subject shall have the right not to be subject to a measure which produces legal effects concerning this natural person or significantly affects this natural person, and which decision isbased solely on automated processing,intended to evaluate certain personal aspects relating to this natural person or to analyse or predict in particular the natural person's performance at work, economic situation, location, health, personal preferences, reliability or behaviourincluding profiling, which produces legal effects concerning him or her or significantly affects him or her.


1a. Paragraph 1 shall not apply if the decision:

(a) is necessary for entering into, or performance of, a contract between the data subject and a data controller; or

(b) is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or

(c) is based on the data subject's explicit consent.

1b. In cases referred to in paragraph 1a (a) and (c) the data controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

Commission proposal: 2. Subject to the other provisions of this Regulation, a person may be subjected to a measure of the kind referred to in paragraph 1 only if the processing:

EP first reading: 2. Subject to the other provisions of this Regulation, a person may be subjected to a measure of the kind referred to in paragraph 1 profiling which leads to measures producing legal effects concerning the data subject or does similarly significantly affect the interests, rights or freedoms of the concerned data subject only if the processing:

Council General Approach: deleted

Commission proposal: (a) is carried out in the course of the entering into, or performance of, a contract, where the request for the entering into or the performance of the contract, lodged by the data subject, has been satisfied or where suitable measures to safeguard the data subject's legitimate interests have been adduced, such as the right to obtain human intervention; or

EP first reading: (a) is carried out in the course of necessary for the entering into, or performance of, a contract, where the request for the entering into or the performance of the contract, lodged by the data subject, has been satisfied or where, provided that suitable measures to safeguard the data subject's legitimate interests have been adduced, such as the right to obtain human intervention; or

Council General Approach: deleted


Commission proposal: (b) is expressly authorized by a Union or Member State law which also lays down suitable measures to safeguard the data subject's legitimate interests; or

EP first reading: (b) is expressly authorized by a Union or Member State law which also lays down suitable measures to safeguard the data subject's legitimate interests;

Council General Approach: deleted

Commission proposal: (c) is based on the data subject's consent, subject to the conditions laid down in Article 7 and to suitable safeguards.

EP first reading: (c) is based on the data subject's consent, subject to the conditions laid down in Article 7 and to suitable safeguards.

Council General Approach: deleted

Commission proposal: 3. Automated processing of personal data intended to evaluate certain personal aspects relating to a natural person shall not be based solely on the special categories of personal data referred to in Article 9.

EP first reading: 3. Automated processing of personal data intended to evaluate certain personal aspects relating to a natural person Profiling that has the effect of discriminating against individuals on the basis of race or ethnic origin, political opinions, religion or beliefs, trade union membership, sexual orientation or gender identity, or that results in measures which have such effect, shall be prohibited. The controller shall implement effective protection against possible discrimination resulting from profiling. Profiling shall not be based solely on the special categories of personal data referred to in Article 9.

Council General Approach: 3. Automated processing of personal data intended to evaluate certain personal aspects relating to a natural person Decisions referred to in paragraph 1a shall not be based solely on the special categories of personal data referred to in Article 9(1), unless points (a) or (g) of Article 9(2) apply and suitable measures to safeguard the data subject's rights and freedoms and legitimate interests are in place.


Commission proposal: 4. In the cases referred to in paragraph 2, the information to be provided by the controller under Article 14 shall include information as to the existence of processing for a measure of the kind referred to in paragraph 1 and the envisaged effects of such processing on the data subject.

EP first reading: deleted

Council General Approach: deleted
Commission proposal: 5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and conditions for suitable measures to safeguard the data subject's legitimate interests referred to in paragraph 2.

EP first reading: 5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and conditions for Profiling which leads to measures producing legal effects concerning the data subject or does similarly significantly affect the interests, rights or freedoms of the concerned data subject shall not be based solely or predominantly on automated processing and shall include human assessment, including an explanation of the decision reached after such an assessment. The suitable measures to safeguard the data subject's legitimate interests referred to in paragraph 2 shall include the right to obtain human assessment and an explanation of the decision reached after such assessment.

Council General Approach: deleted


5a. The European Data Protection Board shall be entrusted with the task of issuing guidelines, recommendations and best practices in accordance with point (b) of Article 66(1) for further specifying the criteria and conditions for profiling pursuant to paragraph 2.


CHAPTER IV

CONTROLLER AND PROCESSOR

SECTION 1

GENERAL OBLIGATIONS

Article 22

Amendment 117

Commission proposal: Responsibility of the controller

EP first reading: Responsibility and accountability of the controller

Council General Approach: Responsibility Obligations of the controller

Commission proposal: 1. The controller shall adopt policies and implement appropriate measures to ensure and be able to demonstrate that the processing of personal data is performed in compliance with this Regulation.

EP first reading: 1. The controller shall adopt appropriate policies and implement appropriate an demonstrable technical and organisational measures to ensure and be able to demonstrate in a transparent manner that the processing of personal data is performed in compliance with this Regulation, having regard to the state of the art, the nature of personal data processing, the context, scope and purposes of processing, the risks for the rights and freedoms of the data subjects and the type of the organisation, both at the time of the determination of the means for processing and at the time of the processing itself.

1a. Having regard to the state of the art and the cost of implementation, the controller shall take all reasonable steps to implement compliance policies and procedures that persistently respect the autonomous choices of data subjects. These compliance policies shall be reviewed at least every two years and updated where necessary.

Council General Approach: 1. Taking into account the nature, scope, context and purposes of the processing as well as the likelihood and severity of risk for the rights and freedoms of individuals,Tthe controller shall adopt policies and implement appropriate measures to ensure and be able to demonstrate that the processing of personal data is performed in compliance with this Regulation.

Commission proposal: 2. The measures provided for in paragraph 1 shall in particular include:
(a) keeping the documentation pursuant to Article 28;
(b) implementing the data security requirements laid down in Article 30;
(c) performing a data protection impact assessment pursuant to Article 33;
(d) complying with the requirements for prior authorisation or prior consultation of the supervisory authority pursuant to Article 34(1) and (2);
(e) designating a data protection officer pursuant to Article 35(1).

EP first reading: deleted

Council General Approach: deleted

2a. Where proportionate in relation to the processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller.

2b. Adherence to approved codes of conduct pursuant to Article 38 or an approved certification mechanism pursuant to Article 39 may be used as an element to demonstrate compliance with the obligations of the controller.

Commission proposal: 3. The controller shall implement mechanisms to ensure the verification of the effectiveness of the measures referred to in paragraphs 1 and 2. If proportionate, this verification shall be carried out by independent internal or external auditors.

EP first reading: 3. The controller shall implement mechanisms to ensure the verification of the be able to demonstrate the adequacy and effectiveness of the measures referred to in paragraphs 1 and 2. If proportionate, this verification shall be carried out by independent internal or external auditors Any regular general reports of the activities of the controller, such as the obligatory reports by publicly traded companies, shall contain a summary description of the policies and measures referred to in paragraph 1.

3a. The controller shall have the right to transmit personal data inside the Union within the group of undertakings the controller is part of, where such processing is necessary for legitimate internal administrative purposes between connected business areas of the group of undertakings and an adequate level of data protection as well as the interests of the data subjects are safeguarded by internal data protection provisions or equivalent codes of conduct as referred to in Article 38.

Council General Approach: deleted


Commission proposal: 4. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of specifying any further criteria and requirements for appropriate measures referred to in paragraph 1 other than those already referred to in paragraph 2, the conditions for the verification and auditing mechanisms referred to in paragraph 3 and as regards the criteria for proportionality under paragraph 3, and considering specific measures for micro, small and medium-sized enterprises.

EP first reading: deleted

Council General Approach: deleted


Article 23

Data protection by design and by default

Amendment 118

Commission proposal: 1. Having regard to the state of the art and the cost of implementation, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.

EP first reading: 1. Having regard to the state of the art and the cost of implementation, current technical knowledge, international best practices and the risks represented by the data processing, the controller and the processor, if any, shall, both at the time of the determination of the purposes and means for processing and at the time of the processing itself, implement appropriate and proportionate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject, in particular with regard to the principles laid down in Article 5. Data protection by design shall have particular regard to the entire lifecycle management of personal data from collection to processing to deletion, systematically focusing on comprehensive procedural safeguards regarding the accuracy, confidentiality, integrity, physical security and deletion of personal data. Where the controller has carried out a data protection impact assessment pursuant to Article 33, the results shall be taken into account when developing those measures and procedures.

1a. In order to foster its widespread implementation in different economic sectors, data protection by design shall be a prerequisite for public procurement tenders according to Directive 2004/18/EC of the European Parliament and of the Council (1) as well as according to Directive 2004/17/EC of the European Parliament and of the Council (2) (Utilities Directive).

Council General Approach: 1. Having regard to available technology the state of the art and the cost of implementation and taking account of the nature, scope, context and purposes of the processing as well as the likelihood and severity of the risk for rights and freedoms of individuals posed by the processing, the controllers shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures appropriate to the processing activity being carried out and its objectives, such as data minimisation and pseudonymisation, and procedures in such a way that the processing will meet the requirements of this Regulation and ensure protect the protection of the rights of the data subjects.

(1) Directive 2004/18/EC of the European Parliament and of the Council of 31 March 2004 on the coordination of procedures for the award of public works contracts, public supply contracts and public service contracts (OJ L 134, 30.4.2004, p. 114).

(2) Directive 2004/17/EC of the European Parliament and of the Council of 31 March 2004 coordinating the procurement procedures of entities operating in the water, energy, transport and postal services sector (OJ L 134, 30.4.2004, p. 1).

Commission proposal: 2. The controller shall implement mechanisms for ensuring that, by default, only those personal data are processed which are necessary for each specific purpose of the processing and are especially not collected or retained beyond the minimum necessary for those purposes, both in terms of the amount of the data and the time of their storage. In particular, those mechanisms shall ensure that by default personal data are not made accessible to an indefinite number of individuals.

EP first reading: 2. The controller shall implement mechanisms for ensuring ensure that, by default, only those personal data are processed which are necessary for each specific purpose of the processing and are especially not collected or, retained or disseminated beyond the minimum necessary for those purposes, both in terms of the amount of the data and the time of their storage. In particular, those mechanisms shall ensure that by default personal data are not made accessible to an indefinite number of individuals and that data subjects are able to control the distribution of their personal data.

Council General Approach: 2. The controller shall implement mechanisms appropriate measures for ensuring that, by default, only those personal data are processed which are necessary for each specific purpose of the processing and are especially not collected or retained beyond the minimum necessary for those purposes, both in terms of are processed; this applies to the amount of the data collected, the extent of their processing,and the time period of their storage and their accessibility. Where the purpose of the processing is not intended to provide the public with informationIn particular, those mechanisms shall ensure that by default personal data are not made accessible without human intervention to an indefinite number of individuals.


2a. An approved certification mechanism pursuant to Article 39 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2.

Commission proposal: 3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of specifying any further criteria and requirements for appropriate measures and mechanisms referred to in paragraph 1 and 2, in particular for data protection by design requirements applicable across sectors, products and services.

EP first reading: deleted

Council General Approach: deleted


Commission proposal: 4. The Commission may lay down technical standards for the requirements laid down in paragraph 1 and 2. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

EP first reading: deleted

Council General Approach: deleted

Article 24

Joint controllers

Amendment 119

Commission proposal: Where a controller determines the purposes, conditions and means of the processing of personal data jointly with others, the joint controllers shall determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the procedures and mechanisms for exercising the rights of the data subject, by means of an arrangement between them.

EP first reading: Where a controller determines several controllers jointly determine the purposes, conditions and means of the processing of personal data jointly with others, the joint controllers shall determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the procedures and mechanisms for exercising the rights of the data subject, by means of an arrangement between them. The arrangement shall reflect the joint controllers' respective effective roles and relationships vis-à-vis data subjects, and the essence of the arrangement shall be made available for the data subject. In case of unclarity of the responsibility, the controllers shall be jointly and severally liable.

Council General Approach: 1. Where two or more acontrollers jointly determines the purposes, conditions and means of the processing of personal data jointly with others, they are joint controllers. They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the procedures and mechanisms for exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 14 and 14a, by means of an arrangement between them unless, and in so far as, the respective responsibilities of the controllers are determined by Union or Member State law to which the controllers are subject. The arrangement shall designate which of the joint controllers shall act as single point of contact for data subjects to exercise their rights.

2. Irrespective of the terms of the arrangement referred to in paragraph 1, the data subject may exercise his or her rights under this Regulation in respect of and against each of the controllers.

3. The arrangement shall duly reflect the joint controllers’ respective effective roles and relationships vis-à-vis data subjects, and the essence of the arrangement shall be made available for the data subject. Paragraph 2 does not apply where the data subject has been informed in a transparent and unequivocal manner which of the joint controllers is responsible, unless such arrangement other than one determined by Union or Member State law is unfair with regard to his or her rights.


Article 25

Representatives of controllers not established in the Union

Commission proposal: 1. In the situation referred to in Article 3(2), the controller shall designate a representative in the Union.
2. This obligation shall not apply to:
(a) a controller established in a third country where the Commission has decided that the third country ensures an adequate level of protection in accordance with Article 41; or
(b) an enterprise employing fewer than 250 persons; or
(c) a public authority or body; or
(d) a controller offering only occasionally goods or services to data subjects residing in the Union.
3. The representative shall be established in one of those Member States where the data subjects whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, reside.

EP first reading: 1. In the situation referred to in Article 3(2), the controller shall designate a representative in the Union.
2. This obligation shall not apply to:
(a) a controller established in a third country where the Commission has decided that the third country ensures an adequate level of protection in accordance with Article 41; or
(b) an enterprise employing fewer than 250 persons a controller processing personal data which relates to less than 5000 data subjects during any consecutive 12-month period and not processing special categories of personal data as referred to in Article 9(1), location data or data on children or employees in large-scale filing systems; or
(c) a public authority or body; or
(d) a controller offering only occasionally offering goods or services to data subjects residing in the Union, unless the processing of personal data concerns special categories of personal data as referred to in Article 9(1), location data or data on children or employees in large-scale filing systems.
3. The representative shall be established in one of those Member States where the data subjects whose personal data are processed in relation to the offering of goods or services to them the data subjects, or whose behaviour is monitored, reside the monitoring of them, takes place.

Council General Approach: 1. In the situation referred to in Where Article 3(2) applies, the controller shall designate in writing a representative in the Union.
2. This obligation shall not apply to:
(a) deleted
(b) an enterprise employing fewer than 250 persons processing which is occasional and unlikely to result in a risk for the rights and freedoms of individuals, taking into account the nature, context, scope and purposes of the processing; or
(c) a public authority or body; or
(d) deleted
3. The representative shall be established in one of those Member States where the data subjects whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, reside.


3a. The representative shall be mandated by the controller to be addressed in addition to or instead of the controller by, in particular, supervisory authorities and data subjects, on all issues related to the processing of personal data, for the purposes of ensuring compliance with this Regulation.

Commission proposal, EP first reading and Council General Approach (identical): 4. The designation of a representative by the controller shall be without prejudice to legal actions which could be initiated against the controller itself.


Article 26

Processor

Amendment 121

Commission proposal: 1. Where a processing operation is to be carried out on behalf of a controller, the controller shall choose a processor providing sufficient guarantees to implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject, in particular in respect of the technical security measures and organizational measures governing the processing to be carried out and shall ensure compliance with those measures.

EP first reading: 1. Where a processing operation is to be carried out on behalf of a controller, the controller shall choose a processor providing sufficient guarantees to implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject, in particular in respect of the technical security measures and organisational measures governing the processing to be carried out and shall ensure compliance with those measures.

Council General Approach: 1. Where a processing operation is to be carried out on behalf of a controller, the The controller shall choose use only a processors providing sufficient guarantees to implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject, in particular in respect of the technical security measures and organizational measures governing the processing to be carried out and shall ensure compliance with those measures.


1a. The processor shall not enlist another processor without the prior specific or general written consent of the controller. In the latter case, the processor should always inform the controller on any intended changes concerning the addition or replacement of other processors, thereby giving the opportunity to the controller to object to such changes.

Commission proposal: 2. The carrying out of processing by a processor shall be governed by a contract or other legal act binding the processor to the controller and stipulating in particular that the processor shall:

EP first reading: 2. The carrying out of processing by a processor shall be governed by a contract or other legal act binding the processor to the controller. The controller and the processor shall be free to determine respective roles and tasks with respect to the requirements of this Regulation, and shall provide that and stipulating in particular that the processor shall:

Council General Approach: 2. The carrying out of processing by a processor shall be governed by a contract or other a legal act under Union or Member State law binding the processor to the controller, setting out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, the rights of binding the processor to the controller and stipulating in particular that the processor shall:


Commission proposal: (a) act only on instructions from the controller, in particular, where the transfer of the personal data used is prohibited;
(b) employ only staff who have committed themselves to confidentiality or are under a statutory obligation of confidentiality;
(c) take all required measures pursuant to Article 30;

EP first reading: (a) act process personal data only on instructions from the controller, in particular, where the transfer of the personal data used is prohibited, unless otherwise required by Union law or Member State law;
(b) employ only staff who have committed themselves to confidentiality or are under a statutory obligation of confidentiality;
(c) take all required measures pursuant to Article 30;

Council General Approach: (a) process the personal data act only on instructions from the controller, in particular, where the transfer of the personal data used is prohibited unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing the data, unless that law prohibits such information on important grounds of public interest;
(b) deleted
(c) take all required measures required pursuant to Article 30;


Commission proposal: (d) enlist another processor only with the prior permission of the controller;
(e) insofar as this is possible given the nature of the processing, create in agreement with the controller the necessary technical and organisational requirements for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III;
(f) assist the controller in ensuring compliance with the obligations pursuant to Articles 30 to 34;

EP first reading: (d) enlist determine the conditions for enlisting another processor only with the prior permission of the controller, unless otherwise determined;
(e) insofar as this is possible given the nature of the processing, create in agreement with the controller the necessary appropriate and relevant technical and organisational requirements for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III;
(f) assist the controller in ensuring compliance with the obligations pursuant to Articles 30 to 34, taking into account the nature of processing and the information available to the processor;

Council General Approach: (d) respect the conditions for enlisting another processor only with the prior permission such as a requirement of specific prior permission of the controller;
(e) insofar as this is possible given taking into account the nature of the processing, assist create in agreement with the controller the necessary technical and organisational requirements for the fulfilment of the controller’s obligation to in responding to requests for exercising the data subject’s rights laid down in Chapter III;
(f) assist the controller in ensuring compliance with the obligations pursuant to Articles 30 to 34;

ANNEX DGD 2C LIMITE EN

(g) hand over all results to the (g) hand over return all results to (g) hand over all results to return controller after the end of the the controller after the end of the or delete, at the choice of the processing and not process the processing, and not process the controller after the end of the personal data otherwise; personal data otherwise and delete processing and not process the existing copies unless Union or personal data otherwise upon the Member State law requires termination of the provision of storage of the data; data processing services specified in the contract or other legal act, unless there is a requirement to store the data under Union or Member State law to which the processor is subject; (h) make available to the controller (h) make available to the (h) make available to the and the supervisory authority all controller and the supervisory controller and the supervisory information necessary to control authority all information necessary authority all information necessary compliance with the obligations laid to control demonstrate to control demonstrate down in this Article. compliance with the obligations compliance with the obligations laid down in this Article and laid down in this Article and allow on-site inspections; allow for and contribute to audits conducted by the controller. The processor shall immediately inform the controller if, in his opinion, an instruction breaches this Regulation or Union or Member State data protection provisions.


Council General Approach:
2a. Where a processor enlists another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor as referred to in paragraph 2 shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a way that the processing will meet the requirements of this Regulation. Where that other processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor's obligations.


Council General Approach:
2aa. Adherence of the processor to an approved code of conduct pursuant to Article 38 or an approved certification mechanism pursuant to Article 39 may be used as an element to demonstrate sufficient guarantees referred to in paragraphs 1 and 2a.
2ab. Without prejudice to an individual contract between the controller and the processor, the contract or the other legal act referred to in paragraphs 2 and 2a may be based, in whole or in part, on standard contractual clauses referred to in paragraphs 2b and 2c or on standard contractual clauses which are part of a certification granted to the controller or processor pursuant to Articles 39 and 39a.


Council General Approach:
2b. The Commission may lay down standard contractual clauses for the matters referred to in paragraphs 2 and 2a and in accordance with the examination procedure referred to in Article 87(2).
2c. A supervisory authority may adopt standard contractual clauses for the matters referred to in paragraphs 2 and 2a and in accordance with the consistency mechanism referred to in Article 57.

Article 26(3)

COM (2012)0011:
3. The controller and the processor shall document in writing the controller's instructions and the processor's obligations referred to in paragraph 2.

EP Position / First Reading:
3. The controller and the processor shall document in writing the controller's instructions and the processor's obligations referred to in paragraph 2.

Council General Approach:
3. The contract or the other legal act referred to in paragraphs 2 and 2a shall be in writing, including in an electronic form.


EP Position / First Reading:
3a. The sufficient guarantees referred to in paragraph 1 may be demonstrated by adherence to codes of conduct or certification mechanisms pursuant to Articles 38 or 39 of this Regulation.

Article 26(4) and (5)

COM (2012)0011:
4. If a processor processes personal data other than as instructed by the controller, the processor shall be considered to be a controller in respect of that processing and shall be subject to the rules on joint controllers laid down in Article 24.
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the responsibilities, duties and tasks in relation to a processor in line with paragraph 1, and conditions which allow facilitating the processing of personal data within a group of undertakings, in particular for the purposes of control and reporting.

EP Position / First Reading:
4. If a processor processes personal data other than as instructed by the controller or becomes the determining party in relation to the purposes and means of data processing, the processor shall be considered to be a controller in respect of that processing and shall be subject to the rules on joint controllers laid down in Article 24.
5. deleted

Council General Approach:
4. deleted
5. deleted


Article 27
Processing under the authority of the controller and processor

COM (2012)0011:
The processor and any person acting under the authority of the controller or of the processor who has access to personal data shall not process them except on instructions from the controller, unless required to do so by Union or Member State law.

EP Position / First Reading:
The processor and any person acting under the authority of the controller or of the processor who has access to personal data shall not process them except on instructions from the controller, unless required to do so by Union or Member State law.

Council General Approach:
deleted

Article 28

COM (2012)0011: Documentation
EP Position / First Reading: Documentation (Amendment 122)
Council General Approach: Records of categories of personal data processing activities

Article 28(1)

COM (2012)0011:
1. Each controller and processor and, if any, the controller's representative, shall maintain documentation of all processing operations under its responsibility.

EP Position / First Reading:
1. Each controller and processor and, if any, the controller's representative, shall maintain regularly updated documentation necessary to fulfil the requirements laid down in this Regulation.

Council General Approach:
1. Each controller and, if any, the controller's representative, shall maintain a record of categories of personal data processing activities under its responsibility. This record shall contain at least the following information:


Article 28(2), points (a) to (e)

COM (2012)0011:
2. The documentation shall contain at least the following information:
(a) the name and contact details of the controller, or any joint controller or processor, and of the representative, if any;
(b) the name and contact details of the data protection officer, if any;
(c) the purposes of the processing, including the legitimate interests pursued by the controller where the processing is based on point (f) of Article 6(1);
(d) a description of categories of data subjects and of the categories of personal data relating to them;
(e) the recipients or categories of recipients of the personal data, including the controllers to whom personal data are disclosed for the legitimate interest pursued by them;

EP Position / First Reading:
2. In addition, each controller and processor shall maintain documentation of the following information:
(a) the name and contact details of the controller, or any joint controller or processor, and of the representative, if any;
(b) the name and contact details of the data protection officer, if any;
(c) deleted
(d) deleted
(e) the recipients or categories of recipients of the personal data, including name and contact details of the controllers to whom personal data are disclosed for the legitimate interest pursued by them, if any;

Council General Approach:
2. [Merged with 1. above and slightly modified]
(a) the name and contact details of the controller and any joint controller, the controller's representative and data protection officer, if any;
(b) deleted
(c) the purposes of the processing, including the legitimate interests pursued by the controller when the processing is based on Article 6(1)(f);
(d) a description of categories of data subjects and of the categories of personal data relating to them;
(e) the categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries;


Article 28(2), points (f) to (h), and Council paragraphs 2a and 3a

COM (2012)0011:
(f) where applicable, transfers of data to a third country or an international organisation, including the identification of that third country or international organisation and, in case of transfers referred to in point (h) of Article 44(1), the documentation of appropriate safeguards;
(g) a general indication of the time limits for erasure of the different categories of data;
(h) the description of the mechanisms referred to in Article 22(3).

EP Position / First Reading:
(f) deleted
(g) deleted
(h) deleted

Council General Approach:
(f) where applicable, the categories of transfers of personal data to a third country or an international organisation;
(g) where possible, the envisaged time limits for erasure of the different categories of data;
(h) where possible, a general description of the technical and organisational security measures referred to in Article 30(1).
2a. Each processor shall maintain a record of all categories of personal data processing activities carried out on behalf of a controller, containing:
(a) the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and of the controller's representative, if any;
(b) the name and contact details of the data protection officer, if any;
(c) the categories of processing carried out on behalf of each controller;
(d) where applicable, the categories of transfers of personal data to a third country or an international organisation;
(e) where possible, a general description of the technical and organisational security measures referred to in Article 30(1).
3a. The records referred to in paragraphs 1 and 2a shall be in writing, including in an electronic or other non-legible form which is capable of being converted into a legible form.

Article 28(3) to (5)

COM (2012)0011:
3. The controller and the processor and, if any, the controller's representative, shall make the documentation available, on request, to the supervisory authority.
4. The obligations referred to in paragraphs 1 and 2 shall not apply to the following controllers and processors:
(a) a natural person processing personal data without a commercial interest; or
(b) an enterprise or an organisation employing fewer than 250 persons that is processing personal data only as an activity ancillary to its main activities.
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the documentation referred to in paragraph 1, to take account of in particular the responsibilities of the controller and the processor and, if any, the controller's representative.

EP Position / First Reading:
3. deleted
4. deleted
5. deleted

Council General Approach:
3. On request, the controller and the processor and, if any, the controller's representative, shall make the record available to the supervisory authority.
4. The obligations referred to in paragraphs 1 and 2a shall not apply to the following controllers and processors:
(a) a natural person processing personal data without a commercial interest; or
(b) an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a high risk for the rights and freedoms of data subjects such as discrimination, identity theft or fraud, unauthorised reversal of pseudonymisation, financial loss, damage to the reputation, loss of confidentiality of data protected by professional secrecy or any other economic or social disadvantage for the data subjects, taking into account the nature, scope, context and purposes of the processing.
5. deleted


Article 28(6)

COM (2012)0011:
6. The Commission may lay down standard forms for the documentation referred to in paragraph 1. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

EP Position / First Reading:
6. deleted

Council General Approach:
6. deleted

Article 29
Co-operation with the supervisory authority

EP Position / First Reading: Amendment 123

COM (2012)0011:
1. The controller and the processor and, if any, the representative of the controller, shall co-operate, on request, with the supervisory authority in the performance of its duties, in particular by providing the information referred to in point (a) of Article 53(2) and by granting access as provided in point (b) of that paragraph.
2. In response to the supervisory authority's exercise of its powers under Article 53(2), the controller and the processor shall reply to the supervisory authority within a reasonable period to be specified by the supervisory authority. The reply shall include a description of the measures taken and the results achieved, in response to the remarks of the supervisory authority.

EP Position / First Reading:
1. The controller and, if any, the processor and, if any, the representative of the controller, shall co-operate, on request, with the supervisory authority in the performance of its duties, in particular by providing the information referred to in point (a) of Article 53(2) and by granting access as provided in point (b) of that paragraph.
2. In response to the supervisory authority's exercise of its powers under Article 53(2), the controller and the processor shall reply to the supervisory authority within a reasonable period to be specified by the supervisory authority. The reply shall include a description of the measures taken and the results achieved, in response to the remarks of the supervisory authority.

Council General Approach:
1. deleted
2. deleted


SECTION 2
DATA SECURITY

Article 30
Security of processing

EP Position / First Reading: Amendment 124

Article 30(1) and (1a)

COM (2012)0011:
1. The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected, having regard to the state of the art and the costs of their implementation.

EP Position / First Reading:
1. The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected, taking into account the results of a data protection impact assessment pursuant to Article 33, having regard to the state of the art and the costs of their implementation.
1a. Having regard to the state of the art and the cost of implementation, such a security policy shall include:
(a) the ability to ensure that the integrity of the personal data is validated;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services processing personal data;
(c) the ability to restore the availability and access to data in a timely manner in the event of a physical or technical incident that impacts the availability, integrity and confidentiality of information systems and services;
(d) in the case of sensitive personal data processing according to Articles 8 and 9, additional security measures to ensure situational awareness of risks and the ability to take preventive, corrective and mitigating action in near real time against vulnerabilities or incidents detected that could pose a risk to the data;
(e) a process for regularly testing, assessing and evaluating the effectiveness of security policies, procedures and plans put in place to ensure ongoing effectiveness.

Council General Approach:
1. Having regard to available technology and the costs of implementation and taking into account the nature, scope, context and purposes of the processing as well as the likelihood and severity of the risk for the rights and freedoms of individuals, the controller and the processor shall implement appropriate technical and organisational measures, such as pseudonymisation of personal data, to ensure a level of security appropriate to the risk.
1a. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by data processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.


Article 30(2), and Council paragraphs 2a and 2b

COM (2012)0011:
2. The controller and the processor shall, following an evaluation of the risks, take the measures referred to in paragraph 1 to protect personal data against accidental or unlawful destruction or accidental loss and to prevent any unlawful forms of processing, in particular any unauthorised disclosure, dissemination or access, or alteration of personal data.

EP Position / First Reading:
2. The measures referred to in paragraph 1 shall at least:
(a) ensure that personal data can be accessed only by authorised personnel for legally authorised purposes;
(b) protect personal data stored or transmitted against accidental or unlawful destruction, accidental loss or alteration, and unauthorised or unlawful storage, processing, access or disclosure; and
(c) ensure the implementation of a security policy with respect to the processing of personal data.

Council General Approach:
2. deleted
2a. Adherence to approved codes of conduct pursuant to Article 38 or an approved certification mechanism pursuant to Article 39 may be used as an element to demonstrate compliance with the requirements set out in paragraph 1.
2b. The controller and processor shall take steps to ensure that any person acting under the authority of the controller or the processor who has access to personal data shall not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.


Article 30(3) and (4)

COM (2012)0011:
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and conditions for the technical and organisational measures referred to in paragraphs 1 and 2, including the determinations of what constitutes the state of the art, for specific sectors and in specific data processing situations, in particular taking account of developments in technology and solutions for privacy by design and data protection by default, unless paragraph 4 applies.
4. The Commission may adopt, where necessary, implementing acts for specifying the requirements laid down in paragraphs 1 and 2 to various situations, in particular to:
(a) prevent any unauthorised access to personal data;
(b) prevent any unauthorised disclosure, reading, copying, modification, erasure or removal of personal data;
(c) ensure the verification of the lawfulness of processing operations.
Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

EP Position / First Reading:
3. The European Data Protection Board shall be entrusted with the task of issuing guidelines, recommendations and best practices in accordance with point (b) of Article 66(1) for the technical and organisational measures referred to in paragraphs 1 and 2, including the determinations of what constitutes the state of the art, for specific sectors and in specific data processing situations, in particular taking account of developments in technology and solutions for privacy by design and data protection by default.
4. deleted

Council General Approach:
3. deleted
4. deleted


Article 31
Notification of a personal data breach to the supervisory authority

EP Position / First Reading: Amendment 125

Article 31(1), and Council paragraph 1a

COM (2012)0011:
1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 24 hours after having become aware of it, notify the personal data breach to the supervisory authority. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 24 hours.

EP Position / First Reading:
1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 24 hours after having become aware of it, notify the personal data breach to the supervisory authority. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 24 hours.

Council General Approach:
1. In the case of a personal data breach which is likely to result in a high risk for the rights and freedoms of individuals, such as discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to the reputation, loss of confidentiality of data protected by professional secrecy or any other significant economic or social disadvantage, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 51. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 72 hours.
1a. The notification referred to in paragraph 1 shall not be required if a communication to the data subject is not required under Article 32(3)(a) and (b).

Article 31(2) and (3), and Council paragraph 3a

COM (2012)0011:
2. Pursuant to point (f) of Article 26(2), the processor shall alert and inform the controller immediately after the establishment of a personal data breach.
3. The notification referred to in paragraph 1 must at least:
(a) describe the nature of the personal data breach including the categories and number of data subjects concerned and the categories and number of data records concerned;
(b) communicate the identity and contact details of the data protection officer or other contact point where more information can be obtained;
(c) recommend measures to mitigate the possible adverse effects of the personal data breach;
(d) describe the consequences of the personal data breach;
(e) describe the measures proposed or taken by the controller to address the personal data breach.

EP Position / First Reading:
2. The processor shall alert and inform the controller without undue delay after the establishment of a personal data breach.
3. The notification referred to in paragraph 1 must at least:
(a) describe the nature of the personal data breach including the categories and number of data subjects concerned and the categories and number of data records concerned;
(b) communicate the identity and contact details of the data protection officer or other contact point where more information can be obtained;
(c) recommend measures to mitigate the possible adverse effects of the personal data breach;
(d) describe the consequences of the personal data breach;
(e) describe the measures proposed or taken by the controller to address the personal data breach and/or mitigate its effects. The information may if necessary be provided in phases.

Council General Approach:
2. The processor shall notify the controller without undue delay after becoming aware of a personal data breach.
3. The notification referred to in paragraph 1 must at least:
(a) describe the nature of the personal data breach including, where possible and appropriate, the approximate categories and number of data subjects concerned and the categories and approximate number of data records concerned;
(b) communicate the identity and contact details of the data protection officer or other contact point where more information can be obtained;
(c) deleted
(d) describe the likely consequences of the personal data breach identified by the controller;
(e) describe the measures taken or proposed to be taken by the controller to address the personal data breach; and
(f) where appropriate, indicate measures to mitigate the possible adverse effects of the personal data breach.
3a. Where, and in so far as, it is not possible to provide the information referred to in paragraph 3 (d), (e) and (f) at the same time as the information referred to in points (a) and (b) of paragraph 3, the controller shall provide this information without undue further delay.


Article 31(4) and (5), and EP paragraph 4a

COM (2012)0011:
4. The controller shall document any personal data breaches, comprising the facts surrounding the breach, its effects and the remedial action taken. This documentation must enable the supervisory authority to verify compliance with this Article. The documentation shall only include the information necessary for that purpose.
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for establishing the data breach referred to in paragraphs 1 and 2 and for the particular circumstances in which a controller and a processor is required to notify the personal data breach.

EP Position / First Reading:
4. The controller shall document any personal data breaches, comprising the facts surrounding the breach, its effects and the remedial action taken. This documentation must be sufficient to enable the supervisory authority to verify compliance with this Article and with Article 30. The documentation shall only include the information necessary for that purpose.
4a. The supervisory authority shall keep a public register of the types of breaches notified.
5. The European Data Protection Board shall be entrusted with the task of issuing guidelines, recommendations and best practices in accordance with point (b) of Article 66(1) for establishing the data breach and determining the undue delay referred to in paragraphs 1 and 2 and for the particular circumstances in which a controller and a processor are required to notify the personal data breach.

Council General Approach:
4. The controller shall document any personal data breaches referred to in paragraphs 1 and 2, comprising the facts surrounding the breach, its effects and the remedial action taken. This documentation must enable the supervisory authority to verify compliance with this Article. The documentation shall only include the information necessary for that purpose.
5. deleted


Article 31(6)

COM (2012)0011:
6. The Commission may lay down the standard format of such notification to the supervisory authority, the procedures applicable to the notification requirement and the form and the modalities for the documentation referred to in paragraph 4, including the time limits for erasure of the information contained therein. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

EP Position / First Reading:
6. deleted

Council General Approach:
6. deleted


Article 32
Communication of a personal data breach to the data subject

EP Position / First Reading: Amendment 126

Article 32(1)

COM (2012)0011:
1. When the personal data breach is likely to adversely affect the protection of the personal data or privacy of the data subject, the controller shall, after the notification referred to in Article 31, communicate the personal data breach to the data subject without undue delay.

EP Position / First Reading:
1. When the personal data breach is likely to adversely affect the protection of the personal data, the privacy, the rights or the legitimate interests of the data subject, the controller shall, after the notification referred to in Article 31, communicate the personal data breach to the data subject without undue delay.

Council General Approach:
1. When the personal data breach is likely to result in a high risk for the rights and freedoms of individuals, such as discrimination, identity theft or fraud, financial loss, damage to the reputation, unauthorised reversal of pseudonymisation, loss of confidentiality of data protected by professional secrecy or any other significant economic or social disadvantage, the controller shall, after the notification referred to in Article 31, communicate the personal data breach to the data subject without undue delay.


Article 32(2) and (3)

COM (2012)0011:
2. The communication to the data subject referred to in paragraph 1 shall describe the nature of the personal data breach and contain at least the information and the recommendations provided for in points (b) and (c) of Article 31(3).
3. The communication of a personal data breach to the data subject shall not be required if the controller demonstrates to the satisfaction of the supervisory authority that it has implemented appropriate technological protection measures, and that those measures were applied to the data concerned by the personal data breach. Such technological protection measures shall render the data unintelligible to any person who is not authorised to access it.

EP Position / First Reading:
2. The communication to the data subject referred to in paragraph 1 shall be comprehensive and use clear and plain language. It shall describe the nature of the personal data breach and contain at least the information and the recommendations provided for in points (b), (c) and (d) of Article 31(3) and information about the rights of the data subject, including redress.
3. The communication of a personal data breach to the data subject shall not be required if the controller demonstrates to the satisfaction of the supervisory authority that it has implemented appropriate technological protection measures, and that those measures were applied to the data concerned by the personal data breach. Such technological protection measures shall render the data unintelligible to any person who is not authorised to access it.

Council General Approach:
2. The communication to the data subject referred to in paragraph 1 shall describe the nature of the personal data breach and contain at least the information and the recommendations provided for in points (b), (e) and (f) of Article 31(3).
3. The communication of a personal data breach to the data subject referred to in paragraph 1 shall not be required if:
a. the controller demonstrates to the satisfaction of the supervisory authority that it has implemented appropriate technological and organisational protection measures, and that those measures were applied to the data affected by the personal data breach, in particular those that render the data unintelligible to any person who is not authorised to access it, such as encryption; or
b. the controller has taken subsequent measures which ensure that the high risk for the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise; or
c. it would involve disproportionate effort, in particular owing to the number of cases involved. In such case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner; or
d. it would adversely affect a substantial public interest.

COM (2012)0011:
4. Without prejudice to the controller's obligation to communicate the personal data breach to the data subject, if the controller has not already communicated the personal data breach to the data subject of the personal data breach, the supervisory authority, having considered the likely adverse effects of the breach, may require it to do so.

EP Position / First Reading:
4. Without prejudice to the controller's obligation to communicate the personal data breach to the data subject, if the controller has not already communicated the personal data breach to the data subject of the personal data breach, the supervisory authority, having considered the likely adverse effects of the breach, may require it to do so.

Council General Approach:
4. deleted

COM (2012)0011:
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements as to the circumstances in which a personal data breach is likely to adversely affect the personal data referred to in paragraph 1.
6. The Commission may lay down the format of the communication to the data subject referred to in paragraph 1 and the procedures applicable to that communication. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

EP Position / First Reading:
5. The Commission European Data Protection Board shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose entrusted with the task of further specifying the criteria and requirements issuing guidelines, recommendations and best practices in accordance with point (b) of Article 66(1) as to the circumstances in which a personal data breach is likely to adversely affect the personal data, the privacy, the rights or the legitimate interests of the data subject referred to in paragraph 1.
6. deleted

Council General Approach:
5. deleted
6. deleted

Amendment 127

Article 32a

Respect to Risk

1. The controller, or where applicable the processor, shall carry out a risk analysis of the potential impact of the intended data processing on the rights and freedoms of the data subjects, assessing whether its processing operations are likely to present specific risks.
2. The following processing operations are likely to present specific risks:
(a) processing of personal data relating to more than 5000 data subjects during any consecutive 12-month period;
(b) processing of special categories of personal data as referred to in Article 9(1), location data or data on children or employees in large scale filing systems;
(c) profiling on which measures are based that produce legal effects concerning the individual or similarly significantly affect the individual;
(d) processing of personal data for the provision of health care, epidemiological researches, or surveys of mental or infectious diseases, where the data are processed for taking measures or decisions regarding specific individuals on a large scale;
(e) automated monitoring of publicly accessible areas on a large scale;
(f) other processing operations for which the consultation of the data protection officer or supervisory authority is required pursuant to point (b) of Article 34(2);
(g) where a personal data breach would likely adversely affect the protection of the personal data, the privacy, the rights or the legitimate interests of the data subject;
(h) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects;
(i) where personal data are made accessible to a number of persons which cannot reasonably be expected to be limited.
3. According to the result of the risk analysis:
(a) where any of the processing operations referred to in points (a) or (b) of paragraph 2 exist, controllers not established in the Union shall designate a representative in the Union in line with the requirements and exemptions laid down in Article 25;
(b) where any of the processing operations referred to in points (a), (b) or (h) of paragraph 2 exist, the controller shall designate a data protection officer in line with the requirements and exemptions laid down in Article 35;
(c) where any of the processing operations referred to in points (a), (b), (c), (d), (e), (f), (g) or (h) of paragraph 2 exist, the controller or the processor acting on the controller's behalf shall carry out a data protection impact assessment pursuant to Article 33;
(d) where processing operations referred to in point (f) of paragraph 2 exist, the controller shall consult the data protection officer, or in case a data protection officer has not been appointed, the supervisory authority pursuant to Article 34.
4. The risk analysis shall be reviewed at the latest after one year, or immediately, if the nature, the scope or the purposes of the data processing operations change significantly. Where pursuant to point (c) of paragraph 3 the controller is not obliged to carry out a data protection impact assessment, the risk analysis shall be documented.

COM (2012)0011:
SECTION 3
DATA PROTECTION IMPACT ASSESSMENT AND PRIOR AUTHORISATION
Article 33
Data protection impact assessment

EP Position / First Reading:
SECTION 3
LIFECYCLE DATA PROTECTION MANAGEMENT
Article 33
Data protection impact assessment

Council General Approach:
SECTION 3
DATA PROTECTION IMPACT ASSESSMENT AND PRIOR AUTHORISATION
Article 33
Data protection impact assessment

COM (2012)0011:
1. Where processing operations present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes, the controller or the processor acting on the controller's behalf shall carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.

EP Position / First Reading:
1. Where processing operations present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes, required pursuant to point (c) of Article 32a(3) the controller or the processor acting on the controller's behalf shall carry out an assessment of the impact of the envisaged processing operations on the rights and freedoms of the data subjects, especially their right to protection of personal data. A single assessment shall be sufficient to address a set of similar processing operations that present similar risks.

Council General Approach:
1. Where a type of processing in particular using new technologies, and taking into account operations present specific risks to the rights and freedoms of data subjects by virtue of their the nature, their scope, context and or their purposes of the processing, is likely to result in a high risk for the rights and freedoms of individuals, such as discrimination, identity theft or fraud, financial loss, damage to the reputation, unauthorised reversal of pseudonymisation, loss of confidentiality of data protected by professional secrecy or any other significant economic or social disadvantage, the controller or the processor acting on the controller's behalf shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
1a. The controller shall seek the advice of the data protection officer, where designated, when carrying out a data protection impact assessment.

COM (2012)0011:
2. The following processing operations in particular present specific risks referred to in paragraph 1:

EP Position / First Reading:
2. deleted

Council General Approach:
2. The following processing operations in particular present specific risks A data protection impact assessment referred to in paragraph 1 shall in particular be required in the following cases:

COM (2012)0011:
(a) a systematic and extensive evaluation of personal aspects relating to a natural person or for analysing or predicting in particular the natural person's economic situation, location, health, personal preferences, reliability or behaviour, which is based on automated processing and on which measures are based that produce legal effects concerning the individual or significantly affect the individual;
(b) information on sex life, health, race and ethnic origin or for the provision of health care, epidemiological researches, or surveys of mental or infectious diseases, where the data are processed for taking measures or decisions regarding specific individuals on a large scale;
(c) monitoring publicly accessible areas, especially when using optic-electronic devices (video surveillance) on a large scale;
(d) personal data in large scale filing systems on children, genetic data or biometric data;
(e) other processing operations for which the consultation of the supervisory authority is required pursuant to point (b) of Article 34(2).

EP Position / First Reading:
(a) Deleted
(b) Deleted
(c) Deleted
(d) deleted
(e) deleted
2a. The supervisory authority shall establish and make public a list of the kind of processing operations which are subject to the requirement for a data protection impact assessment pursuant to paragraph 1. The supervisory authority shall communicate those lists and any updates to the European Data Protection Board.

Council General Approach:
(a) a systematic and extensive evaluation of personal aspects relating to a natural persons or for analysing or predicting in particular the natural person's economic situation, location, health, personal preferences, reliability or behaviour, which is based on automated processing which is based on profiling and on which measures decisions are based that produce legal effects concerning the individual data subjects or significantly severely affect the individualdata subjects;
(b) information on sex life, health, race and ethnic origin or for the provision of health care, epidemiological researches, or surveys of mental or infectious diseases processing of special categories of personal data under Article 9(1), biometric data or data on criminal convictions and offences or related security measures, where the data are processed for taking measures or decisions regarding specific individuals on a large scale;
(c) monitoring publicly accessible areas on a large scale, especially when using optic-electronic devices (video surveillance) on a large scale;
(d) deleted
(e) deleted
2a. The supervisory authority shall establish and make public a list of the kind of processing operations which are subject to the requirement for a data protection impact assessment pursuant to paragraph 1. The supervisory authority shall communicate those lists to the European Data Protection Board.
2b. The supervisory authority may also establish and make public a list of the kind of processing operations for which no data protection impact assessment is required. The supervisory authority shall communicate those lists to the European Data Protection Board.
2c. Prior to the adoption of the lists referred to in paragraphs 2a and 2b the competent supervisory authority shall apply the consistency mechanism referred to in Article 57 where such lists involve processing activities which are related to the offering of goods or services to data subjects or to the monitoring of their behaviour in several Member States, or may substantially affect the free movement of personal data within the Union.

COM (2012)0011:
3. The assessment shall contain at least a general description of the envisaged processing operations, an assessment of the risks to the rights and freedoms of data subjects, the measures envisaged to address the risks, safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation, taking into account the rights and legitimate interests of data subjects and other persons concerned.

EP Position / First Reading:
3. The assessment shall have regard to the entire lifecycle management of personal data from collection to processing to deletion. It shall contain at least a general description of the envisaged processing operations, an assessment of the risks to the rights and freedoms of data subjects, the measures envisaged to address the risks, safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation, taking into account the rights and legitimate interests of data subjects and other persons concerned:

Council General Approach:
3. The assessment shall contain at least a general description of the envisaged processing operations, an assessment evaluation of the risks to the rights and freedoms of data subjects referred to in paragraph 1, the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation, taking into account the rights and legitimate interests of data subjects and other persons concerned.

EP Position / First Reading:
(a) a systematic description of the envisaged processing operations, the purposes of the processing and, if applicable, the legitimate interests pursued by the controller;
(b) an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
(c) an assessment of the risks to the rights and freedoms of data subjects, including the risk of discrimination being embedded in or reinforced by the operation;
(d) a description of the measures envisaged to address the risks and minimise the volume of personal data which is processed;
(e) a list of safeguards, security measures and mechanisms to ensure the protection of personal data, such as pseudonymisation, and to demonstrate compliance with this Regulation, taking into account the rights and legitimate interests of data subjects and other persons concerned;
(f) a general indication of the time limits for erasure of the different categories of data;
(g) an explanation which data protection by design and default practices pursuant to Article 23 have been implemented;
(h) a list of the recipients or categories of recipients of the personal data;
(i) where applicable, a list of the intended transfers of data to a third country or an international organisation, including the identification of that third country or international organisation and, in case of transfers referred to in point (h) of Article 44(1), the documentation of appropriate safeguards;
(j) an assessment of the context of the data processing.
3a. If the controller or the processor has designated a data protection officer, he or she shall be involved in the impact assessment proceeding.
3b. The assessment shall be documented and lay down a schedule for regular periodic data protection compliance reviews pursuant to Article 33a(1). The assessment shall be updated without undue delay, if the results of the data protection compliance review referred to in Article 33a show compliance inconsistencies. The controller and the processor and, if any, the controller's representative shall make the assessment available, on request, to the supervisory authority.

Council General Approach:
3a. Compliance with approved codes of conduct referred to in Article 38 by the relevant controllers or processors shall be taken into due account in assessing lawfulness and impact of the processing operations performed by such controllers or processors, in particular for the purposes of a data protection impact assessment.

COM (2012)0011:
4. The controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of the processing operations.
5. Where the controller is a public authority or body and where the processing results from a legal obligation pursuant to point (c) of Article 6(1) providing for rules and procedures pertaining to the processing operations and regulated by Union law, paragraphs 1 to 4 shall not apply, unless Member States deem it necessary to carry out such assessment prior to the processing activities.

EP Position / First Reading:
4. deleted
5. deleted

Council General Approach:
4. The controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of the processing operations.
5. Where the controller is a public authority or body and where the processing results from a legal obligation pursuant to point (c) or (e) of Article 6(1) providing for rules and procedures pertaining to the processing operations and regulated by has a legal basis in Union law, paragraphs 1 to 4 shall not apply, unless or the law of the Member States to which the controller is subject, and such law regulates the specific processing operation or set of operations in question, paragraphs 1 to 3 shall not apply, unless Member States deem it necessary to carry out such assessment prior to the processing activities.

COM (2012)0011:
6. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and conditions for the processing operations likely to present specific risks referred to in paragraphs 1 and 2 and the requirements for the assessment referred to in paragraph 3, including conditions for scalability, verification and auditability. In doing so, the Commission shall consider specific measures for micro, small and medium-sized enterprises.
7. The Commission may specify standards and procedures for carrying out and verifying and auditing the assessment referred to in paragraph 3. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

EP Position / First Reading:
6. deleted
7. deleted

Council General Approach:
6. deleted
7. deleted

Amendment 130

Article 33 a (new)

Data protection compliance review

1. At the latest two years after the carrying out of an impact assessment pursuant to Article 33(1), the controller or the processor acting on the controller's behalf shall carry out a compliance review. This compliance review shall demonstrate that the processing of personal data is performed in compliance with the data protection impact assessment.
2. The compliance review shall be carried out periodically at least once every two years, or immediately when there is a change in the specific risks presented by the processing operations.
3. Where the compliance review results show compliance inconsistencies, the compliance review shall include recommendations on how to achieve full compliance.
4. The compliance review and its recommendations shall be documented. The controller and the processor and, if any, the controller's representative shall make the compliance review available, on request, to the supervisory authority.
5. If the controller or the processor has designated a data protection officer, he or she shall be involved in the compliance review proceeding.

COM (2012)0011:
Article 34
Prior authorisation and prior consultation

EP Position / First Reading:
Amendment 131
Article 34
Prior consultation

Council General Approach:
Article 34
Prior authorisation and prior consultation

COM (2012)0011:
1. The controller or the processor as the case may be shall obtain an authorisation from the supervisory authority prior to the processing of personal data, in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risks involved for the data subjects where a controller or processor adopts contractual clauses as provided for in point (d) of Article 42(2) or does not provide for the appropriate safeguards in a legally binding instrument as referred to in Article 42(5) for the transfer of personal data to a third country or an international organisation.

EP Position / First Reading:
1. deleted

Council General Approach:
1. deleted

COM (2012)0011:
2. The controller or processor acting on the controller's behalf shall consult the supervisory authority prior to the processing of personal data in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risks involved for the data subjects where:
(a) a data protection impact assessment as provided for in Article 33 indicates that processing operations are by virtue of their nature, their scope or their purposes, likely to present a high degree of specific risks; or
(b) the supervisory authority deems it necessary to carry out a prior consultation on processing operations that are likely to present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope and/or their purposes, and specified according to paragraph 4.

EP Position / First Reading:
2. The controller or processor acting on the controller's behalf shall consult the data protection officer, or in case a data protection officer has not been appointed, the supervisory authority prior to the processing of personal data in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risks involved for the data subjects where:
(a) a data protection impact assessment as provided for in Article 33 indicates that processing operations are by virtue of their nature, their scope or their purposes, likely to present a high degree of specific risks; or
(b) the data protection officer or the supervisory authority deems it necessary to carry out a prior consultation on processing operations that are likely to present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope and/or their purposes, and specified according to paragraph 4.

Council General Approach:
2. The controller or processor acting on the controller's behalf shall consult the supervisory authority prior to the processing of personal data where a data protection impact assessment as provided for in Article 33 indicates that the in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the would result in a high risks involved for the data subjects where: in the absence of measures to be taken by the controller to mitigate the risk.
(a) deleted
(b) deleted

COM (2012)0011:
3. Where the supervisory authority is of the opinion that the intended processing does not comply with this Regulation, in particular where risks are insufficiently identified or mitigated, it shall prohibit the intended processing and make appropriate proposals to remedy such incompliance.

EP Position / First Reading:
3. Where the competent supervisory authority is of the opinion determines in accordance with its power that the intended processing does not comply with this Regulation, in particular where risks are insufficiently identified or mitigated, it shall prohibit the intended processing and make appropriate proposals to remedy such non-compliance.

Council General Approach:
3. Where the supervisory authority is of the opinion that the intended processing referred to in paragraph 2 would does not comply with this Regulation, in particular where the controller has risks are insufficiently identified or mitigated the risk, it shall prohibit the intended processing and make appropriate proposals to remedy such incompliance within a maximum period of 6 weeks following the request for consultation give advice to the data controller , in writing, and may use any of its powers referred to in Article 53. This period may be extended for a further six weeks, taking into account the complexity of the intended processing. Where the extended period applies, the controller or processor shall be informed within one month of receipt of the request of the reasons for the delay.

COM (2012)0011:
4. The supervisory authority shall establish and make public a list of the processing operations which are subject to prior consultation pursuant to point (b) of paragraph 2. The supervisory authority shall communicate those lists to the European Data Protection Board.
5. Where the list provided for in paragraph 4 involves processing activities which are related to the offering of goods or services to data subjects in several Member States, or to the monitoring of their behaviour, or may substantially affect the free movement of personal data within the Union, the supervisory authority shall apply the consistency mechanism referred to in Article 57 prior to the adoption of the list.

EP Position / First Reading:
4. The supervisory authority European Data Protection Board shall establish and make public a list of the processing operations which are subject to prior consultation pursuant to point (b) of paragraph 2. The supervisory authority shall communicate those lists to the European Data Protection Board.
5. deleted

Council General Approach:
4. deleted
5. deleted

COM (2012)0011:
6. The controller or processor shall provide the supervisory authority with the data protection impact assessment provided for in Article 33 and, on request, with any other information to allow the supervisory authority to make an assessment of the compliance of the processing and in particular of the risks for the protection of personal data of the data subject and of the related safeguards.

EP Position / First Reading:
6. The controller or processor shall provide the supervisory authority, on request, with the data protection impact assessment provided for in pursuant to Article 33 and, on request, with any other information to allow the supervisory authority to make an assessment of the compliance of the processing and in particular of the risks for the protection of personal data of the data subject and of the related safeguards.

Council General Approach:
6. When consulting the supervisory authority pursuant to paragraph 2, Tthe controller or processor shall provide the supervisory authority, with
(a) where applicable, the respective responsibilities of the controller, joint controllers and processors involved in the processing, in particular for processing within a group of undertakings;
(b) the purposes and means of the intended processing;
(c) the measures and safeguards provided to protect the rights and freedoms of data subjects pursuant to this Regulation;
(d) where applicable, the contact details of the data protection officer;
(e) the data protection impact assessment provided for in Article 33; and
(f), on request, with any other information to allow requested by the supervisory authority to make an assessment of the compliance of the processing and in particular of the risks for the protection of personal data of the data subject and of the related safeguards.

COM (2012)0011:
7. Member States shall consult the supervisory authority in the preparation of a legislative measure to be adopted by the national parliament or of a measure based on such a legislative measure, which defines the nature of the processing, in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risks involved for the data subjects.

EP Position / First Reading:
7. Member States shall consult the supervisory authority in the preparation of a legislative measure to be adopted by the national parliament or of a measure based on such a legislative measure, which defines the nature of the processing, in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risks involved for the data subjects.

Council General Approach:
7. Member States shall consult the supervisory authority in during the preparation of a proposal for a legislative measure to be adopted by thea national parliament or of a regulatory measure based on such a legislative measure, which defines the nature of the processing, in order to ensure the compliance of the intended provide for the processing with this Regulation and in particular to mitigate the risks involved for the data subjects of personal data.
7a. Notwithstanding paragraph 2, Member States' law may require controllers to consult with, and obtain prior authorisation from, the supervisory authority in relation to the processing of personal data by a controller for the performance of a task carried out by the controller in the public interest, including the processing of such data in relation to social protection and public health.

COM (2012)0011:
8. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for determining the high degree of specific risk referred to in point (a) of paragraph 2.
9. The Commission may set out standard forms and procedures for prior authorisations and consultations referred to in paragraphs 1 and 2, and standard forms and procedures for informing the supervisory authorities pursuant to paragraph 6. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

EP Position / First Reading:
8. deleted
9. deleted

Council General Approach:
8. deleted
9. deleted

COM (2012)0011:
SECTION 4
DATA PROTECTION OFFICER
Article 35
Designation of the data protection officer

EP Position / First Reading:
SECTION 4
DATA PROTECTION OFFICER
Amendment 132
Article 35
Designation of the data protection officer

Council General Approach:
SECTION 4
DATA PROTECTION OFFICER
Article 35
Designation of the data protection officer

COM (2012)0011:
1. The controller and the processor shall designate a data protection officer in any case where:
(a) the processing is carried out by a public authority or body; or
(b) the processing is carried out by an enterprise employing 250 persons or more; or
(c) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects.
2. In the case referred to in point (b) of paragraph 1, a group of undertakings may appoint a single data protection officer.

EP Position / First Reading:
1. The controller and the processor shall designate a data protection officer in any case where :
(a) the processing is carried out by a public authority or body; or
(b) the processing is carried out by an enterprise employing 250 persons or more a legal person and relates to more than 5000 data subjects in any consecutive 12-month period; or
(c) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects; or
(d) the core activities of the controller or the processor consist of processing special categories of data pursuant to Article 9(1), location data or data on children or employees in large scale filing systems.
2. In the case referred to in point (b) of paragraph 1, a A group of undertakings may appoint a single main responsible data protection officer, provided it is ensured that a data protection officer is easily accessible from each establishment.

Council General Approach:
1. The controller and or the processor may, or where required by Union or Member State law shall designate a data protection officer in any case where:.
(a) deleted
(b) deleted
(c) deleted
2. In the case referred to in point (b) of paragraph 1, a A group of undertakings may appoint a single data protection officer.


Commission proposal:
3. Where the controller or the processor is a public authority or body, the data protection officer may be designated for several of its entities, taking account of the organisational structure of the public authority or body.
4. In cases other than those referred to in paragraph 1, the controller or processor or associations and other bodies representing categories of controllers or processors may designate a data protection officer.

EP position (first reading):
3. Where the controller or the processor is a public authority or body, the data protection officer may be designated for several of its entities, taking account of the organisational structure of the public authority or body.
4. In cases other than those referred to in paragraph 1, the controller or processor or associations and other bodies representing categories of controllers or processors may designate a data protection officer.

Council General Approach:
3. Where the controller or the processor is a public authority or body, the a single data protection officer may be designated for several of its entities such authorities or bodies, taking account of their organisational structure of the public authority or body and size.
4. deleted


Commission proposal:
5. The controller or processor shall designate the data protection officer on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and ability to fulfil the tasks referred to in Article 37. The necessary level of expert knowledge shall be determined in particular according to the data processing carried out and the protection required for the personal data processed by the controller or the processor.
6. The controller or the processor shall ensure that any other professional duties of the data protection officer are compatible with the person's tasks and duties as data protection officer and do not result in a conflict of interests.

EP position (first reading):
5. The controller or processor shall designate the data protection officer on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and ability to fulfil the tasks referred to in Article 37. The necessary level of expert knowledge shall be determined in particular according to the data processing carried out and the protection required for the personal data processed by the controller or the processor.
6. The controller or the processor shall ensure that any other professional duties of the data protection officer are compatible with the person's tasks and duties as data protection officer and do not result in a conflict of interests.

Council General Approach:
5. The controller or processor shall designate the data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and ability to fulfil the tasks referred to in Article 37, particularly the absence of any conflict of interests. The necessary level of expert knowledge shall be determined in particular according to the data processing carried out and the protection required for the personal data processed by the controller or the processor.
6. deleted


Commission proposal:
7. The controller or the processor shall designate a data protection officer for a period of at least two years. The data protection officer may be reappointed for further terms. During their term of office, the data protection officer may only be dismissed, if the data protection officer no longer fulfils the conditions required for the performance of their duties.
8. The data protection officer may be employed by the controller or processor, or fulfil his or her tasks on the basis of a service contract.
9. The controller or the processor shall communicate the name and contact details of the data protection officer to the supervisory authority and to the public.

EP position (first reading):
7. The controller or the processor shall designate a data protection officer for a period of at least two four years in case of an employee or two years in case of an external service contractor. The data protection officer may be reappointed for further terms. During their his or her term of office, the data protection officer may only be dismissed, if the data protection officer he or she no longer fulfils the conditions required for the performance of their his or her duties.
8. The data protection officer may be employed by the controller or processor, or fulfil his or her tasks on the basis of a service contract.
9. The controller or the processor shall communicate the name and contact details of the data protection officer to the supervisory authority and to the public.

Council General Approach:
7. The controller or the processor shall designate a During their term of office, the data protection officer for a period of at least two years. The data protection officer may, apart from serious grounds under the law of the Member State concerned which justify the dismissal of an employee or civil servant, be reappointed for further terms. During their term of office, the data protection officer may only be dismissed, only if the data protection officer no longer fulfils the conditions required for the performance of their duties his or her tasks pursuant to Article 37.
8. The data protection officer may be employed by a staff member of the controller or processor, or fulfil his or her the tasks on the basis of a service contract.
9. The controller or the processor shall communicate publish the name and contact details of the data protection officer and communicate these to the supervisory authority and to the public.


Commission proposal:
10. Data subjects shall have the right to contact the data protection officer on all issues related to the processing of the data subject’s data and to request exercising the rights under this Regulation.
11. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the core activities of the controller or the processor referred to in point (c) of paragraph 1 and the criteria for the professional qualities of the data protection officer referred to in paragraph 5.

EP position (first reading):
10. Data subjects shall have the right to contact the data protection officer on all issues related to the processing of the data subject’s data and to request exercising the rights under this Regulation.
11. deleted

Council General Approach:
10. Data subjects shall have the right to may contact the data protection officer on all issues related to the processing of the data subject’s data and to request exercising the the exercise of their rights under this Regulation.
11. deleted


Article 36

Position of the data protection officer

Amendment 133

Commission proposal:
1. The controller or the processor shall ensure that the data protection officer is properly and in a timely manner involved in all issues which relate to the protection of personal data.
2. The controller or processor shall ensure that the data protection officer performs the duties and tasks independently and does not receive any instructions as regards the exercise of the function. The data protection officer shall directly report to the management of the controller or the processor.

EP position (first reading):
1. The controller or the processor shall ensure that the data protection officer is properly and in a timely manner involved in all issues which relate to the protection of personal data.
2. The controller or processor shall ensure that the data protection officer performs the duties and tasks independently and does not receive any instructions as regards the exercise of the function. The data protection officer shall directly report to the executive management of the controller or the processor. The controller or processor shall for this purpose designate an executive management member who shall be responsible for the compliance with the provisions of this Regulation.

Council General Approach:
1. The controller or the processor shall ensure that the data protection officer is properly and in a timely manner involved in all issues which relate to the protection of personal data.
2. The controller or processor shall ensure that support the data protection officer in performsing the duties and tasks referred to in Article 37 by providing resources necessary to carry out these tasks as well as access to personal data and processing operations independently and does not receive any instructions as regards the exercise of the function. The data protection officer shall directly report to the management of the controller or the processor.


Commission proposal:
3. The controller or the processor shall support the data protection officer in performing the tasks and shall provide staff, premises, equipment and any other resources necessary to carry out the duties and tasks referred to in Article 37.

EP position (first reading):
3. The controller or the processor shall support the data protection officer in performing the tasks and shall provide all means, including staff, premises, equipment and any other resources necessary to carry out the duties and tasks referred to in Article 37, and to maintain his or her professional knowledge.

Council General Approach:
3. The controller or the processor shall support ensure that the data protection officer can act in an independent manner with respect to the performingance of his or her the tasks and shall provide staff, premises, equipment and any other resources necessary to carry out the duties and does not receive any instructions regarding the exercise of these tasks referred to in Article 37. He or she shall not be penalised by the controller or the processor for performing his tasks. The data protection officer shall directly report to the highest management level of the controller or the processor.


EP position (first reading):
4. Data protection officers shall be bound by secrecy concerning the identity of data subjects and concerning circumstances enabling data subjects to be identified, unless they are released from that obligation by the data subject.

Council General Approach:
4. The data protection officer may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests.


Article 37

Tasks of the data protection officer

Amendment 134

Commission proposal:
1. The controller or the processor shall entrust the data protection officer at least with the following tasks:
(a) to inform and advise the controller or the processor of their obligations pursuant to this Regulation and to document this activity and the responses received;
(b) to monitor the implementation and application of the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, the training of staff involved in the processing operations, and the related audits;

EP position (first reading):
1. The controller or the processor shall entrust the data protection officer at least with the following tasks:
(a) to raise awareness, to inform and advise the controller or the processor of their obligations pursuant to this Regulation, in particular with regard to technical and organisational measures and procedures, and to document this activity and the responses received;
(b) to monitor the implementation and application of the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, the training of staff involved in the processing operations, and the related audits;

Council General Approach:
1. The controller or the processor shall entrust the data protection officer at least with shall have the following tasks:
(a) to inform and advise the controller or the processor and the employees who are processing personal data of their obligations pursuant to this Regulation and to document this activity and the responses received other Union or Member State data protection provisions;
(b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the implementation and application of the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and the training of staff involved in the processing operations, and the related audits;


Commission proposal:
(c) to monitor the implementation and application of this Regulation, in particular as to the requirements related to data protection by design, data protection by default and data security and to the information of data subjects and their requests in exercising their rights under this Regulation;
(d) to ensure that the documentation referred to in Article 28 is maintained;
(e) to monitor the documentation, notification and communication of personal data breaches pursuant to Articles 31 and 32;
(f) to monitor the performance of the data protection impact assessment by the controller or processor and the application for prior authorisation or prior consultation, if required pursuant Articles 33 and 34;

EP position (first reading):
(c) to monitor the implementation and application of this Regulation, in particular as to the requirements related to data protection by design, data protection by default and data security and to the information of data subjects and their requests in exercising their rights under this Regulation;
(d) to ensure that the documentation referred to in Article 28 is maintained;
(e) to monitor the documentation, notification and communication of personal data breaches pursuant to Articles 31 and 32;
(f) to monitor the performance of the data protection impact assessment by the controller or processor and the application for prior authorisation or prior consultation, if required pursuant to Articles 32a, 33 and 34;

Council General Approach:
(c) deleted
(d) deleted
(e) deleted
(f) to monitor the performance of provide advice where requested as regards the data protection impact assessment by the controller or processor and the application for prior authorisation or prior consultation, if required monitor its performance pursuant Articles 33 and 34;


Commission proposal:
(g) to monitor the response to requests from the supervisory authority, and, within the sphere of the data protection officer's competence, co-operating with the supervisory authority at the latter's request or on the data protection officer’s own initiative;
(h) to act as the contact point for the supervisory authority on issues related to the processing and consult with the supervisory authority, if appropriate, on his/her own initiative.

EP position (first reading):
(g) to monitor the response to requests from the supervisory authority, and, within the sphere of the data protection officer's competence, co-operating with the supervisory authority at the latter's request or on the data protection officer’s own initiative;
(h) to act as the contact point for the supervisory authority on issues related to the processing and consult with the supervisory authority, if appropriate, on his/her own initiative.
(i) to verify the compliance with this Regulation under the prior consultation mechanism laid out in Article 34;
(j) to inform the employee representatives on data processing of the employees.

Council General Approach:
(g) to monitor the responses to requests from the supervisory authority, and, within the sphere of the data protection officer's competence, to co-operatingoperate with the supervisory authority at the latter's request or on the data protection officer’s own initiative;
(h) to act as the contact point for the supervisory authority on issues related to the processing of personal data, including the prior and consultation referred to in Article 34, and consult, as with the supervisory authority, if appropriate, on his/her own initiative any other matter.


Commission proposal:
2. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for tasks, certification, status, powers and resources of the data protection officer referred to in paragraph 1.

EP position (first reading):
2. deleted

Council General Approach:
2. deleted
2a. The data protection officer shall in the performance his or her tasks have due regard to the risk associated with the processing operations, taking into account the nature, scope, context and purposes of the processing.


SECTION 5

CODES OF CONDUCT AND CERTIFICATION

Article 38

Codes of conduct

Amendment 135

Commission proposal:
1. The Member States, the supervisory authorities and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking account of the specific features of the various data processing sectors, in particular in relation to:

EP position (first reading):
1. The Member States, the supervisory authorities and the Commission shall encourage the drawing up of codes of conduct or the adoption of codes of conduct drawn up by a supervisory authority intended to contribute to the proper application of this Regulation, taking account of the specific features of the various data processing sectors, in particular in relation to:

Council General Approach:
1. The Member States, the supervisory authorities, the European Data Protection Board and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking account of the specific features of the various data processing sectors, in particular in relation to: and the specific needs of micro, small and medium-sized enterprises.


Council General Approach:
1a. Associations and other bodies representing categories of controllers or processors may prepare codes of conduct, or amend or extend such codes, for the purpose of specifying the application of provisions of this Regulation, such as:

Commission proposal:
(a) fair and transparent data processing;
(b) the collection of data;
(c) the information of the public and of data subjects;

EP position (first reading):
(a) fair and transparent data processing;
(aa) respect for consumer rights;
(b) the collection of data;
(c) the information of the public and of data subjects;

Council General Approach:
(a) fair and transparent data processing;
(aa) the legitimate interests pursued by controllers in specific contexts;
(b) the collection of data;
(bb) the pseudonymisation of personal data;
(c) the information of the public and of data subjects;


Commission proposal:
(d) requests of data subjects in exercise of their rights;
(e) information and protection of children;
(f) transfer of data to third countries or international organisations;
(g) mechanisms for monitoring and ensuring compliance with the code by the controllers adherent to it;

EP position (first reading):
(d) requests of data subjects in exercise of their rights;
(e) information and protection of children;
(f) transfer of data to third countries or international organisations;
(g) mechanisms for monitoring and ensuring compliance with the code by the controllers adherent to it;

Council General Approach:
(d) requests of data subjects in the exercise of their rights of data subjects;
(e) information and protection of children and the way to collect the parent’s and guardian’s consent;
(ee) measures and procedures referred to in Articles 22 and 23 and measures to ensure security of processing referred to in Article 30;
(ef) notification of personal data breaches to supervisory authorities and communication of such breaches to data subjects;
(f) deleted
(g) deleted


Commission proposal:
(h) out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects with respect to the processing of personal data, without prejudice to the rights of the data subjects pursuant to Articles 73 and 75.

EP position (first reading):
(h) out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects with respect to the processing of personal data, without prejudice to the rights of the data subjects pursuant to Articles 73 and 75.

Council General Approach:
(h) deleted
1ab. In addition to adherence by controller or processor subject to the regulation, codes of conduct approved pursuant to paragraph 2 may also be adhered to by controllers or processors that are not subject to this Regulation according to Article 3 in order to provide appropriate safeguards within the framework of personal data transfers to third countries or international organisations under the terms referred to in Article 42(2)(d). Such controllers or processors shall make binding and enforceable commitments, via contractual instruments or otherwise, to apply those appropriate safeguards including as regards data subjects’ rights.


Council General Approach:
1b. Such a code of conduct shall contain mechanisms which enable the body referred to in paragraph 1 of article 38a to carry out the mandatory monitoring of compliance with its provisions by the controllers or processors which undertake to apply it, without prejudice to the tasks and powers of the supervisory authority which is competent pursuant to Article 51 or 51a.


Commission proposal:
2. Associations and other bodies representing categories of controllers or processors in one Member State which intend to draw up codes of conduct or to amend or extend existing codes of conduct may submit them to an opinion of the supervisory authority in that Member State. The supervisory authority may give an opinion whether the draft code of conduct or the amendment is in compliance with this Regulation. The supervisory authority shall seek the views of data subjects or their representatives on these drafts.

EP position (first reading):
2. Associations and other bodies representing categories of controllers or processors in one Member State which intend to draw up codes of conduct or to amend or extend existing codes of conduct may submit them to an opinion of the supervisory authority in that Member State. The supervisory authority may shall without undue delay give an opinion on whether the processing under the draft code of conduct or the amendment is in compliance with this Regulation. The supervisory authority shall seek the views of data subjects or their representatives on these drafts.

Council General Approach:
2. Associations and other bodies referred to in paragraph 1a representing categories of controllers or processors in one Member State which intend to draw up prepare a codes of conduct or to amend or extend an existing codes, of conduct may shall submit them to an opinion of draft code to the supervisory authority in that Member State which is competent pursuant to Article 51. The supervisory authority may shall give an opinion on whether the draft code, or amended or extended code of conduct or the amendment is in compliance with this Regulation and shall approve such draft, amended or extended code if it finds that it provides sufficient appropriate safeguards. The supervisory authority shall seek the views of data subjects or their representatives on these drafts.


Council General Approach:
2a. Where the opinion referred to in paragraph 2 confirms that the code of conduct, or amended or extended code, is in compliance with this Regulation and the code is approved, and if the code of conduct does not relate to processing activities in several Member States, the supervisory authority shall register the code and publish the details thereof.
2b. Where the draft code of conduct relates to processing activities in several Member States, the supervisory authority competent pursuant to Article 51 shall, before approval, submit it in the procedure referred to in Article 57 to the European Data Protection Board which shall give an opinion on whether the draft code, or amended or extended code, is in compliance with this Regulation or, in the situation referred to in paragraph 1ab, provides appropriate safeguards.


Commission proposal:
3. Associations and other bodies representing categories of controllers in several Member States may submit draft codes of conduct and amendments or extensions to existing codes of conduct to the Commission.

EP position (first reading):
3. Associations and other bodies representing categories of controllers or processors in several Member States may submit draft codes of conduct and amendments or extensions to existing codes of conduct to the Commission.

Council General Approach:
3. Associations and other bodies representing categories of controllers in several Member States may submit draft Where the opinion referred to in paragraph 2b confirms that the codes of conduct, and or amendmentsed or extensionsded to existing codes, of conduct to the Commission is in compliance with this Regulation, or, in the situation referred to in paragraph 1ab, provides appropriate safeguards, the European Data Protection Board shall submit its opinion to the Commission.


Commission proposal:
4. The Commission may adopt implementing acts for deciding that the codes of conduct and amendments or extensions to existing codes of conduct submitted to it pursuant to paragraph 3 have general validity within the Union. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2).
5. The Commission shall ensure appropriate publicity for the codes which have been decided as having general validity in accordance with paragraph 4.

EP position (first reading):
4. The Commission may adopt implementing acts shall be empowered to adopt, after requesting an opinion of the European Data Protection Board, delegated acts in accordance with Article 86 for deciding that the codes of conduct and amendments or extensions to existing codes of conduct submitted to it pursuant to paragraph 3 are in line with this Regulation and have general validity within the Union. Those implementing acts delegated acts shall be adopted in accordance with the examination procedure set out in Article 87(2) confer enforceable rights on data subjects.
5. The Commission shall ensure appropriate publicity for the codes which have been decided as having general validity in accordance with paragraph 4.

Council General Approach:
4. The Commission may adopt implementing acts for deciding that the approved codes of conduct and amendments or extensions to existing approved codes of conduct submitted to it pursuant to paragraph 3 have general validity within the Union. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2).
5. The Commission shall ensure appropriate publicity for the approved codes which have been decided as having general validity in accordance with paragraph 4.


Council General Approach:
5a. The European Data Protection Board shall collect all approved codes of conduct and amendments thereto in a register and shall make them publicly available through any appropriate means, such as through the European E-Justice Portal.


Article 38a

Monitoring of approved codes of conduct

Council General Approach:
1. Without prejudice to the tasks and powers of the competent supervisory authority under Articles 52 and 53, the monitoring of compliance with a code of conduct pursuant to Article 38 (1b), may be carried out by a body which has an appropriate level of expertise in relation to the subject-matter of the code and is accredited for this purpose by the competent supervisory authority.
2. A body referred to in paragraph 1 may be accredited for this purpose if:
(a) it has demonstrated its independence and expertise in relation to the subject-matter of the code to the satisfaction of the competent supervisory authority;
(b) it has established procedures which allow it to assess the eligibility of controllers and processors concerned to apply the code, to monitor their compliance with its provisions and to periodically review its operation;
(c) it has established procedures and structures to deal with complaints about infringements of the code or the manner in which the code has been, or is being, implemented by a controller or processor, and to make these procedures and structures transparent to data subjects and the public;
(d) it demonstrates to the satisfaction of the competent supervisory authority that its tasks and duties do not result in a conflict of interests.
3. The competent supervisory authority shall submit the draft criteria for accreditation of a body referred to in paragraph 1 to the European Data Protection Board pursuant to the consistency mechanism referred to in Article 57.
4. Without prejudice to the provisions of Chapter VIII, a body referred to in paragraph 1 may, subject to adequate safeguards, take appropriate action in cases of infringement of the code by a controller or processor, including suspension or exclusion of the controller or processor concerned from the code. It shall inform the competent supervisory authority of such actions and the reasons for taking them.
5. The competent supervisory authority shall revoke the accreditation of a body referred to in paragraph 1 if the conditions for accreditation are not, or no longer, met or actions taken by the body are not in compliance with this Regulation.
6. This article shall not apply to the processing of personal data carried out by public authorities and bodies.


Article 39

Certification

Amendment 136

Commission proposal:
1. The Member States and the Commission shall encourage, in particular at European level, the establishment of data protection certification mechanisms and of data protection seals and marks, allowing data subjects to quickly assess the level of data protection provided by controllers and processors. The data protection certifications mechanisms shall contribute to the proper application of this Regulation, taking account of the specific features of the various sectors and different processing operations.

EP position (first reading):
1. deleted

Council General Approach:
1. The Member States, the European Data Protection Board and the Commission shall encourage, in particular at European Union level, the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with this Regulation of processing operations carried out allowing data subjects to quickly assess the level of data protection provided by controllers and processors. The data protection certifications mechanisms shall contribute to the proper application of this Regulation, taking account of the specific features of the various sectors and different processing operations needs of micro, small and medium-sized enterprises shall be taken into account.


Council General Approach:
1a. In addition to adherence by controllers or processors subject to this Regulation, data protection certification mechanisms, seals or marks approved pursuant to paragraph 2a may also be established for the purpose of demonstrating the existence of appropriate safeguards provided by controllers or processors that are not subject to this Regulation according to Article 3 within the framework of personal data transfers to third countries or international organisations under the terms referred to in Article 42(2)(e). Such controllers or processors shall make binding and enforceable commitments, via contractual instruments or otherwise, to apply those appropriate safeguards, including as regards data subjects’ rights.


1a. Any controller or processor may request any supervisory authority in the Union, for a reasonable fee taking into account the administrative costs, to certify that the processing of personal data is performed in compliance with this Regulation, in particular with the principles set out in Article 5, 23 and 30, the obligations of the controller and the processor, and the data subject’s rights. 1b. The certification shall be voluntary, affordable, and available via a process that is transparent and not unduly burdensome. 1c. The supervisory authorities and the European Data Protection Board shall cooperate under the consistency mechanism pursuant to Article 57 to guarantee a harmonised data protection certification mechanism including harmonised fees within the Union.

1d. During the certification procedure, the supervisory authorities may accredit specialised third party auditors to carry out the auditing of the controller or the processor on their behalf. Third party auditors shall have sufficiently qualified staff, be impartial and free from any conflict of interests regarding their duties. Supervisory authorities shall revoke accreditation, if there are reasons to believe that the auditor does not fulfil its duties correctly. The final certification shall be provided by the supervisory authority.

1e. Supervisory authorities shall grant controllers and processors, who pursuant to the auditing have been certified that they process personal data in compliance with this Regulation, the standardised data protection mark named "European Data Protection Seal".

1f. The "European Data Protection Seal" shall be valid for as long as the data processing operations of the certified controller or processor continue to fully comply with this Regulation.

1g. Notwithstanding paragraph 1f, the certification shall be valid for maximum five years.

1h. The European Data Protection Board shall establish a public electronic register in which all valid and invalid certificates which have been issued in the Member States can be viewed by the public.

1i. The European Data Protection Board may on its own initiative certify that a data protection-enhancing technical standard is compliant with this Regulation.

COM (2012)0011: 2. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the data protection certification mechanisms referred to in paragraph 1, including conditions for granting and withdrawal, and requirements for recognition within the Union and in third countries.

EP Position / First Reading: 2. The Commission shall be empowered to adopt, after requesting an opinion of the European Data Protection Board and consulting with stakeholders, in particular industry and non-governmental organisations, delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the data protection certification mechanisms referred to in paragraph 1 paragraphs 1a to 1h, including requirements for accreditation of auditors, conditions for granting and withdrawal, and requirements for recognition within the Union and in third countries. Those delegated acts shall confer enforceable rights on data subjects.

Council General Approach: [Moved and modified under Article 39a point 7]

2. A certification pursuant to this Article does not reduce the responsibility of the controller or the processor for compliance with this Regulation and is without prejudice to the tasks and powers of the supervisory authority which is competent pursuant to Article 51 or 51a.

Council General Approach: 2a. A certification pursuant to this Article shall be issued by the certification bodies referred to in Article 39a, or where applicable, by the competent supervisory authority on the basis of the criteria approved by the competent supervisory authority or, pursuant to Article 57, the European Data Protection Board.

COM (2012)0011: 3. The Commission may lay down technical standards for certification mechanisms and data protection seals and marks and mechanisms to promote and recognize certification mechanisms and data protection seals and marks. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2).

EP Position / First Reading: deleted

Council General Approach: deleted

Council General Approach: 3. The controller or processor which submits its processing to the certification mechanism shall provide the certification body referred to in Article 39a, or where applicable, the competent supervisory authority, with all information and access to its processing activities which are necessary to conduct the certification procedure.

4. The certification shall be issued to a controller or processor for a maximum period of 3 years and may be renewed under the same conditions as long as the relevant requirements continue to be met. It shall be withdrawn by the certification bodies referred to in Article 39a, or where applicable, by the competent supervisory authority where the requirements for the certification are not or no longer met.

Council General Approach: 5. The European Data Protection Board shall collect all certification mechanisms and data protection seals in a register and shall make them publicly available through any appropriate means, such as through the European E-Justice Portal.

Council General Approach:

Article 39a

Certification body and procedure

1. Without prejudice to the tasks and powers of the competent supervisory authority under Articles 52 and 53, the certification shall be issued and renewed by a certification body which has an appropriate level of expertise in relation to data protection. Each Member State shall provide whether these certification bodies are accredited by:
(a) the supervisory authority which is competent according to Article 51 or 51a; and/or

(b) the National Accreditation Body named in accordance with Regulation (EC) 765/2008 of the European Parliament and the Council of 9 July 2008 setting out the requirements for accreditation and market surveillance relating to the marketing of products in compliance with EN-ISO/IEC 17065/2012 and with the additional requirements established by the supervisory authority which is competent according to Article 51 or 51a.

2. The certification body referred to in paragraph 1 may be accredited for this purpose only if:
(a) it has demonstrated its independence and expertise in relation to the subject-matter of the certification to the satisfaction of the competent supervisory authority;

(aa) it has undertaken to respect the criteria referred to in paragraph 2a of Article 39 and approved by the supervisory authority which is competent according to Article 51 or 51a or, pursuant to Article 57, the European Data Protection Board;
(b) it has established procedures for the issue, periodic review and withdrawal of data protection seals and marks;
(c) it has established procedures and structures to deal with complaints about infringements of the certification or the manner in which the certification has been, or is being, implemented by the controller or processor, and to make these procedures and structures transparent to data subjects and the public;

(d) it demonstrates to the satisfaction of the competent supervisory authority that its tasks and duties do not result in a conflict of interests.

3. The accreditation of the certification bodies referred to in paragraph 1 shall take place on the basis of criteria approved by the supervisory authority which is competent according to Article 51 or 51a or, pursuant to Article 57, the European Data Protection Board. In case of an accreditation pursuant to point (b) of paragraph 1, these requirements complement those envisaged in Regulation 765/2008 and the technical rules that describe the methods and procedures of the certification bodies.

4. The certification body referred to in paragraph 1 shall be responsible for the proper assessment leading to the certification or the withdrawal of such certification without prejudice to the responsibility of the controller or processor for compliance with this Regulation. The accreditation is issued for a maximum period of five years and can be renewed in the same conditions as long as the body meets the requirements.

5. The certification body referred to in paragraph 1 shall provide the competent supervisory authority with the reasons for granting or withdrawing the requested certification.

6. The requirements referred to in paragraph 3 and the criteria referred to in paragraph 2a of Article 39 shall be made public by the supervisory authority in an easily accessible form. The supervisory authorities shall also transmit these to the European Data Protection Board. The European Data Protection Board shall collect all certification mechanisms and data protection seals in a register and shall make them publicly available through any appropriate means, such as through the European E-Justice Portal.

6a. Without prejudice to the provisions of Chapter VIII, the competent supervisory authority or the National Accreditation Body shall revoke the accreditation it granted to a certification body referred to in paragraph 1 if the conditions for accreditation are not, or no longer, met or actions taken by the body are not in compliance with this Regulation.

7. The Commission shall be empowered to adopt delegated acts in accordance with Article 86, for the purpose of specifying the criteria and requirements to be taken into account for the data protection certification mechanisms referred to in paragraph 1 including conditions for granting and withdrawal, and requirements for recognition within the Union and in third countries.

7a. The European Data Protection Board shall give an opinion to the Commission on the criteria and requirements referred to in paragraph 7.

EP Position / First Reading: deleted

Council General Approach: 8. The Commission may lay down technical standards for certification mechanisms and data protection seals and marks and mechanisms to promote and recognize certification mechanisms and data protection seals and marks. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2).

CHAPTER V

TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANISATIONS

(same heading in all three columns)

Article 40

General principle for transfers

(same heading in all three columns)

COM (2012)0011: Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation may only take place if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation.

EP Position / First Reading: Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation may only take place if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation.

Council General Approach: deleted

Article 41

Transfers with an adequacy decision

(same heading in all three columns)

Amendment 137

COM (2012)0011: 1. A transfer may take place where the Commission has decided that the third country, or a territory or a processing sector within that third country, or the international organisation in question ensures an adequate level of protection. Such transfer shall not require any further authorisation.

EP Position / First Reading: 1. A transfer may take place where the Commission has decided that the third country, or a territory or a processing sector within that third country, or the international organisation in question ensures an adequate level of protection. Such transfer shall not require any further specific authorisation.

Council General Approach: 1. A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, or a territory or one or more specified a processing sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such transfer shall not require any further specific authorisation.

COM (2012)0011: 2. When assessing the adequacy of the level of protection, the Commission shall give consideration to the following elements:

EP Position / First Reading: 2. When assessing the adequacy of the level of protection, the Commission shall give consideration to the following elements:

Council General Approach: 2. When assessing the adequacy of the level of protection, the Commission shall, in particular, take account of give consideration to the following elements:

COM (2012)0011: (a) the rule of law, relevant legislation in force, both general and sectoral, including concerning public security, defence, national security and criminal law, the professional rules and security measures which are complied with in that country or by that international organisation, as well as effective and enforceable rights including effective administrative and judicial redress for data subjects, in particular for those data subjects residing in the Union whose personal data are being transferred;

EP Position / First Reading: (a) the rule of law, relevant legislation in force, both general and sectoral, including concerning public security, defence, national security and criminal law as well as the implementation of this legislation, the professional rules and security measures which are complied with in that country or by that international organisation, jurisprudential precedents, as well as effective and enforceable rights including effective administrative and judicial redress for data subjects, in particular for those data subjects residing in the Union whose personal data are being transferred;

Council General Approach: (a) the rule of law, respect for human rights and fundamental freedoms, relevant legislation in force, both general and sectoral, data protection including rules concerning public security, defence, national security and criminal law, the professional rules and security measures, including rules for onward transfer of personal data to another third country or international organisation, which are complied with in that country or by that international organisation, as well as the existences of effective and enforceable data subject rights including and effective administrative and judicial redress for data subjects, in particular for those data subjects residing in the Union whose personal data are being transferred;

COM (2012)0011: (b) the existence and effective functioning of one or more independent supervisory authorities in the third country or international organisation in question responsible for ensuring compliance with the data protection rules, for assisting and advising the data subjects in exercising their rights and for co-operation with the supervisory authorities of the Union and of Member States; and

EP Position / First Reading: (b) the existence and effective functioning of one or more independent supervisory authorities in the third country or international organisation in question responsible for ensuring compliance with the data protection rules, including sufficient sanctioning powers, for assisting and advising the data subjects in exercising their rights and for co-operation with the supervisory authorities of the Union and of Member States; and

Council General Approach: (b) the existence and effective functioning of one or more independent supervisory authorities in the third country or to which an international organisation in question is subject, with responsibility for ensuring and enforcing compliance with the data protection rules including adequate sanctioning powers for assisting and advising the data subjects in exercising their rights and for co-operation with the supervisory authorities of the Union and of Member States; and

COM (2012)0011: (c) the international commitments the third country or international organisation in question has entered into.

EP Position / First Reading: (c) the international commitments the third country or international organisation in question has entered into, in particular any legally binding conventions or instruments with respect to the protection of personal data.

Council General Approach: (c) the international commitments the third country or international organisation in question concerned has entered into or other obligations arising from its participation in multilateral or regional systems, in particular in relation to the protection of personal data.

Council General Approach: 2a. The European Data Protection Board shall give the Commission an opinion for the assessment of the adequacy of the level of protection in a third country or international organization, including for the assessment whether a third country or the territory or the international organization or the specified sector no longer ensures an adequate level of protection.

COM (2012)0011: 3. The Commission may decide that a third country, or a territory or a processing sector within that third country, or an international organisation ensures an adequate level of protection within the meaning of paragraph 2. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

EP Position / First Reading: 3. The Commission may shall be empowered to adopt delegated acts in accordance with Article 86 to decide that a third country, or a territory or a processing sector within that third country, or an international organisation ensures an adequate level of protection within the meaning of paragraph 2. Those implementing acts Such delegated acts shall be adopted in accordance with the examination procedure referred to in Article 87(2) provide for a sunset clause if they concern a processing sector and shall be revoked according to paragraph 5 as soon as an adequate level of protection according to this Regulation is no longer ensured.

Council General Approach: 3. The Commission, after assessing the adequacy of the level of protection, may decide that a third country, or a territory or one or more specified a processing sectors within that third country, or an international organisation ensures an adequate level of protection within the meaning of paragraph 2. Those implementing acts shall specify its territorial and sectoral application and, where applicable, identify the (independent) supervisory authority(ies) mentioned in point (b) of paragraph 2. The implementing act shall be adopted in accordance with the examination procedure referred to in Article 87(2).

Council General Approach: 3a. Decisions adopted by the Commission on the basis of Article 25(6) or Article 26(4) of Directive 95/46/EC shall remain in force until amended, replaced or repealed by a Commission Decision adopted in accordance with paragraph 3 or 5.

COM (2012)0011: 4. The implementing act shall specify its geographical and sectoral application, and, where applicable, identify the supervisory authority mentioned in point (b) of paragraph 2.

EP Position / First Reading: 4. The implementing delegated act shall specify its geographical territorial and sectoral application, and, where applicable, identify the supervisory authority mentioned in point (b) of paragraph 2.

Council General Approach: deleted

EP Position / First Reading: 4a. The Commission shall, on an on-going basis, monitor developments in third countries and international organisations that could affect the elements listed in paragraph 2 where a delegated act pursuant to paragraph 3 has been adopted.

Council General Approach: 4a. The Commission shall monitor the functioning of decisions adopted pursuant to paragraph 3 and decisions adopted on the basis of Article 25(6) or Article 26(4) of Directive 95/46/EC.

COM (2012)0011: 5. The Commission may decide that a third country, or a territory or a processing sector within that third country, or an international organisation does not ensure an adequate level of protection within the meaning of paragraph 2 of this Article, in particular in cases where the relevant legislation, both general and sectoral, in force in the third country or international organisation, does not guarantee effective and enforceable rights including effective administrative and judicial redress for data subjects, in particular for those data subjects residing in the Union whose personal data are being transferred. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2), or, in cases of extreme urgency for individuals with respect to their right to personal data protection, in accordance with the procedure referred to in Article 87(3).

EP Position / First Reading: 5. The Commission may shall be empowered to adopt delegated acts in accordance with Article 86 to decide that a third country, or a territory or a processing sector within that third country, or an international organisation does not ensure or no longer ensures an adequate level of protection within the meaning of paragraph 2 of this Article, in particular in cases where the relevant legislation, both general and sectoral, in force in the third country or international organisation, does not guarantee effective and enforceable rights including effective administrative and judicial redress for data subjects, in particular for those data subjects residing in the Union whose personal data are being transferred. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2), or, in cases of extreme urgency for individuals with respect to their right to personal data protection, in accordance with the procedure referred to in Article 87(3).

Council General Approach: 5. The Commission may decide that a third country, or a territory or a processing specified sector within that third country, or an international organisation does not no longer ensures an adequate level of protection within the meaning of paragraph 2 and may, where necessary, repeal, amend or suspend such decision without retro-active effect of this Article, in particular in cases where the relevant legislation, both general and sectoral, in force in the third country or international organisation, does not guarantee effective and enforceable rights including effective administrative and judicial redress for data subjects, in particular for those data subjects residing in the Union whose personal data are being transferred. Those The implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2), or, in cases of extreme urgency for individuals with respect to their right to personal data protection, in accordance with the procedure referred to in Article 87(3).

Council General Approach: 5a. The Commission shall enter into consultations with the third country or international organisation with a view to remedying the situation giving rise to the Decision made pursuant to paragraph 5.

COM (2012)0011: 6. Where the Commission decides pursuant to paragraph 5, any transfer of personal data to the third country, or a territory or a processing sector within that third country, or the international organisation in question shall be prohibited, without prejudice to Articles 42 to 44. At the appropriate time, the Commission shall enter into consultations with the third country or international organisation with a view to remedying the situation resulting from the Decision made pursuant to paragraph 5 of this Article.

EP Position / First Reading: 6. Where the Commission decides pursuant to paragraph 5, any transfer of personal data to the third country, or a territory or a processing sector within that third country, or the international organisation in question shall be prohibited, without prejudice to Articles 42 to 44. At the appropriate time, the Commission shall enter into consultations with the third country or international organisation with a view to remedying the situation resulting from the Decision decision made pursuant to paragraph 5 of this Article.

Council General Approach: 6. Where the Commission decides A decision pursuant to paragraph 5, any is without prejudice to transfers of personal data to the third country, or a the territory or a processing specified sector within that third country, or the international organisation in question shall be prohibited, without prejudice pursuant to Articles 42 to 44. At the appropriate time, the Commission shall enter into consultations with the third country or international organisation with a view to remedying the situation resulting from the Decision made pursuant to paragraph 5 of this Article.

EP Position / First Reading: 6a. Prior to adopting a delegated act pursuant to paragraphs 3 and 5, the Commission shall request the European Data Protection Board to provide an opinion on the adequacy of the level of protection. To that end, the Commission shall provide the European Data Protection Board with all necessary documentation, including correspondence with the government of the third country, territory or processing sector within that third country or the international organisation.

COM (2012)0011: 7. The Commission shall publish in the Official Journal of the European Union a list of those third countries, territories and processing sectors within a third country and international organisations where it has decided that an adequate level of protection is or is not ensured.

EP Position / First Reading: 7. The Commission shall publish in the Official Journal of the European Union and on its website a list of those third countries, territories and processing sectors within a third country and international organisations where it has decided that an adequate level of protection is or is not ensured.

Council General Approach: 7. The Commission shall publish in the Official Journal of the European Union a list of those third countries, territories and processing specified sectors within a third country and international organisations where it has decided that an adequate level of protection is or is not ensured in respect of which decisions have been taken pursuant to paragraphs 3, 3a and 5.

COM (2012)0011: 8. Decisions adopted by the Commission on the basis of Article 25(6) or Article 26(4) of Directive 95/46/EC shall remain in force, until amended, replaced or repealed by the Commission.

EP Position / First Reading: 8. Decisions adopted by the Commission on the basis of Article 25(6) or Article 26(4) of Directive 95/46/EC shall remain in force until five years after the entry into force of this Regulation unless amended, replaced or repealed by the Commission before the end of this period.

Council General Approach: deleted

Article 42

Transfers by way of appropriate safeguards

(same heading in all three columns)

Amendment 138

COM (2012)0011: 1. Where the Commission has taken no decision pursuant to Article 41, a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has adduced appropriate safeguards with respect to the protection of personal data in a legally binding instrument.

EP Position / First Reading: 1. Where the Commission has taken no decision pursuant to Article 41, or decides that a third country, or a territory or processing sector within that third country, or an international organisation does not ensure an adequate level of protection in accordance with Article 41(5), a controller or processor may not transfer personal data to a third country, territory or an international organisation unless the controller or processor has adduced appropriate safeguards with respect to the protection of personal data in a legally binding instrument.

Council General Approach: 1. Where the Commission has taken no In the absence of a decision pursuant to paragraph 3 of Article 41, a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has adduced appropriate safeguards with respect to the protection of personal data in a legally binding instrument, also covering onward transfers.

COM (2012)0011: 2. The appropriate safeguards referred to in paragraph 1 shall be provided for, in particular, by:

EP Position / First Reading: 2. The appropriate safeguards referred to in paragraph 1 shall be provided for, in particular, by:

Council General Approach: 2. The appropriate safeguards referred to in paragraph 1 shall may be provided for, in particular without requiring any specific authorisation from a supervisory authority, by:

Council General Approach: (oa) a legally binding and enforceable instrument between public authorities or bodies; or

COM (2012)0011: (a) binding corporate rules in accordance with Article 43; or

EP Position / First Reading: (a) binding corporate rules in accordance with Article 43; or

Council General Approach: (a) binding corporate rules in accordance with referred to in Article 43; or

EP Position / First Reading: (aa) a valid “European Data Protection Seal” for the controller and the recipient in accordance with paragraph 1e of Article 39; or

COM (2012)0011: (b) standard data protection clauses adopted by the Commission. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2); or

EP Position / First Reading: deleted

Council General Approach: (b) standard data protection clauses adopted by the Commission. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2); or

COM (2012)0011: (c) standard data protection clauses adopted by a supervisory authority in accordance with the consistency mechanism referred to in Article 57 when declared generally valid by the Commission pursuant to point (b) of Article 62(1); or

EP Position / First Reading: (c) standard data protection clauses adopted by a supervisory authority in accordance with the consistency mechanism referred to in Article 57 when declared generally valid by the Commission pursuant to point (b) of Article 62(1); or

Council General Approach: (c) standard data protection clauses adopted by a supervisory authority in accordance with the consistency mechanism referred to in Article 57 when declared generally valid and adopted by the Commission pursuant to point (b) of Article 62(1) the examination procedure referred to in Article 87(2); or

COM (2012)0011: (d) contractual clauses between the controller or processor and the recipient of the data authorised by a supervisory authority in accordance with paragraph 4.

EP Position / First Reading: (d) contractual clauses between the controller or processor and the recipient of the data authorised by a supervisory authority in accordance with paragraph 4.

Council General Approach: (d) an approved code of conduct pursuant to Article 38 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights; or

Council General Approach: (e) an approved certification mechanism pursuant to Article 39 together with binding and enforceable commitments of the controller or processor (…) in the third country to apply the appropriate safeguards, including as regards data subjects’ rights.

Council General Approach: 2a. Subject to the authorisation from the competent supervisory authority, the appropriate safeguards referred to in paragraph 1 may also be provided for, in particular, by:

(a) contractual clauses between the controller or processor and the controller, processor or the recipient of the data in the third country or international organisation; or

(b) provisions to be inserted into administrative arrangements between public authorities or bodies.

COM (2012)0011: 3. A transfer based on standard data protection clauses or binding corporate rules as referred to in points (a), (b) or (c) of paragraph 2 shall not require any further authorisation.

EP Position / First Reading: 3. A transfer based on standard data protection clauses, a “European Data Protection Seal” or binding corporate rules as referred to in point (a), (b) (aa) or (c) of paragraph 2 shall not require any further specific authorisation.

Council General Approach: deleted

COM (2012)0011: 4. Where a transfer is based on contractual clauses as referred to in point (d) of paragraph 2 of this Article the controller or processor shall obtain prior authorisation of the contractual clauses according to point (a) of Article 34(1) from the supervisory authority. If the transfer is related to processing activities which concern data subjects in another Member State or other Member States, or substantially affect the free movement of personal data within the Union, the supervisory authority shall apply the consistency mechanism referred to in Article 57.

EP Position / First Reading: 4. Where a transfer is based on contractual clauses as referred to in point (d) of paragraph 2 of this Article the controller or processor shall obtain prior authorisation of the contractual clauses according to point (a) of Article 34(1) from the supervisory authority. If the transfer is related to processing activities which concern data subjects in another Member State or other Member States, or substantially affect the free movement of personal data within the Union, the supervisory authority shall apply the consistency mechanism referred to in Article 57.

Council General Approach: deleted

COM: 5. Where the appropriate safeguards with respect to the protection of personal data are not provided for in a legally binding instrument, the controller or processor shall obtain prior authorisation for the transfer, or a set of transfers, or for provisions to be inserted into administrative arrangements providing the basis for such transfer. Such authorisation by the supervisory authority shall be in accordance with point (a) of Article 34(1). If the transfer is related to processing activities which concern data subjects in another Member State or other Member States, or substantially affect the free movement of personal data within the Union, the supervisory authority shall apply the consistency mechanism referred to in Article 57. Authorisations by a supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid, until amended, replaced or repealed by that supervisory authority.

EP: 5. Where the appropriate safeguards with respect to the protection of personal data are not provided for in a legally binding instrument, the controller or processor shall obtain prior authorisation for the transfer, or a set of transfers, or for provisions to be inserted into administrative arrangements providing the basis for such transfer. Such authorisation by the supervisory authority shall be in accordance with point (a) of Article 34(1). If the transfer is related to processing activities which concern data subjects in another Member State or other Member States, or substantially affect the free movement of personal data within the Union, the supervisory authority shall apply the consistency mechanism referred to in Article 57. Authorisations by a supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid, until two years after the entry into force of this Regulation unless amended, replaced or repealed by that supervisory authority before the end of that period.

Council: deleted

5a. The supervisory authority shall apply the consistency mechanism in the cases referred to in points (ca), (d), (e) and (f) of Article 57 (2).

5b. Authorisations by a Member State or supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid until amended, replaced or repealed by that supervisory authority. Decisions adopted by the Commission on the basis of Article 26(4) of Directive 95/46/EC shall remain in force until amended, replaced or repealed by a Commission Decision adopted in accordance with paragraph 2.

Article 43

COM: Transfers by way of binding corporate rules

EP: Transfers by way of binding corporate rules

Council: Transfers by way of bBinding corporate rules

Amendment 139

COM: 1. A supervisory authority shall in accordance with the consistency mechanism set out in Article 58 approve binding corporate rules, provided that they:

EP: 1. AThe supervisory authority shall in accordance with the consistency mechanism set out in Article 58 approve binding corporate rules, provided that they:

Council: 1. A The competent supervisory authority shall approve binding corporate rules in accordance with the consistency mechanism set out in Article 5857 approve binding corporate rules, provided that they:

COM: (a) are legally binding and apply to and are enforced by every member within the controller’s or processor's group of undertakings, and include their employees;

EP: (a) are legally binding and apply to and are enforced by every member within the controller’s group of undertakings and those external subcontractors that are covered by the scope of the binding corporate rules, and include their employees;

Council: (a) are legally binding and apply to and are enforced by every member concerned of the within the controller’s or processor's group of undertakings or group of enterprises engaged in a joint economic activity, and include their employees;

COM and EP (identical): (b) expressly confer enforceable rights on data subjects;

Council: (b) expressly confer enforceable rights on data subjects with regard to the processing of their personal data;

COM: (c) fulfil the requirements laid down in paragraph 2.

EP: (c) fulfil the requirements laid down in paragraph 2

Council: (c) fulfil the requirements laid down in paragraph 2.

1a. With regard to employment data, the representatives of the employees shall be informed about and, in accordance with Union or Member State law and practice, be involved in the drawing-up of binding corporate rules pursuant to Article 43.

COM: 2. The binding corporate rules shall at least specify:

EP: 2. The binding corporate rules shall at least specify.

Council: 2. The binding corporate rules referred to in paragraph 1 shall at least specify at least :

COM: (a) the structure and contact details of the group of undertakings and its members;

EP: (a) the structure and contact details of the group of undertakings and its members and those external subcontractors that are covered by the scope of the binding corporate rules;

Council: (a) the structure and contact details of the concerned group of undertakings and of each of its members;

COM and EP (identical): (b) the data transfers or set of transfers, including the categories of personal data, the type of processing and its purposes, the type of data subjects affected and the identification of the third country or countries in question;

Council: (b) the data transfers or set categories of transfers, including the categories types of personal data, the type of processing and its purposes, the type of data subjects affected and the identification of the third country or countries in question;

COM, EP and Council (identical): (c) their legally binding nature, both internally and externally;

COM: (d) the general data protection principles, in particular purpose limitation, data quality, legal basis for the processing, processing of sensitive personal data; measures to ensure data security; and the requirements for onward transfers to organisations which are not bound by the policies;

EP: (d) the general data protection principles, in particular purpose limitation, data minimisation, limited retention periods, data quality, data protection by design and by default, legal basis for the processing, processing of sensitive personal data; measures to ensure data security; and the respect of requirements for onward transfers to organisations which are not bound by the policies;

Council: (d) application of the general data protection principles, in particular purpose limitation, data quality, legal basis for the processing, processing of sensitive special categories of personal data;, measures to ensure data security;, and the requirements for in respect of onward transfers to organisations bodies which are not bound by the policiesbinding corporate rules;

COM and EP (identical): (e) the rights of data subjects and the means to exercise these rights, including the right not to be subject to a measure based on profiling in accordance with Article 20, the right to lodge a complaint before the competent supervisory authority and before the competent courts of the Member States in accordance with Article 75, and to obtain redress and, where appropriate, compensation for a breach of the binding corporate rules;

Council: (e) the rights of data subjects in regard to the processing of their personal data and the means to exercise these rights, including the right not to be subject to a measure based on decisions based solely on automated processing, including profiling in accordance with Article 20, the right to lodge a complaint before the competent supervisory authority and before the competent courts of the Member States in accordance with Article 75, and to obtain redress and, where appropriate, compensation for a breach of the binding corporate rules;

COM and EP (identical): (f) the acceptance by the controller or processor established on the territory of a Member State of liability for any breaches of the binding corporate rules by any member of the group of undertakings not established in the Union; the controller or the processor may only be exempted from this liability, in whole or in part, if he proves that that member is not responsible for the event giving rise to the damage;

Council: (f) the acceptance by the controller or processor established on the territory of a Member State of liability for any breaches of the binding corporate rules by any member concerned of the group of undertakingsnot established in the Union; the controller or the processor may only be exempted from this liability, in whole or in part, if he proves on proving that that member is not responsible for the event giving rise to the damage;

COM and EP (identical): (g) how the information on the binding corporate rules, in particular on the provisions referred to in points (d), (e) and (f) of this paragraph is provided to the data subjects in accordance with Article 11;

Council: (g) how the information on the binding corporate rules, in particular on the provisions referred to in points (d), (e) and (f) of this paragraph is provided to the data subjects in accordance with Articles 1114 and 14a;

COM and EP (identical): (h) the tasks of the data protection officer designated in accordance with Article 35, including monitoring within the group of undertakings the compliance with the binding corporate rules, as well as monitoring the training and complaint handling;

Council: (h) the tasks of the any data protection officer designated in accordance with Article 35 or any other person or entity in charge of the , including monitoring within the group of undertakings the compliance with the binding corporate rules within the group, as well as monitoring the training and complaint handling;

(hh) the complaint procedures;

COM and EP (identical): (i) the mechanisms within the group of undertakings aiming at ensuring the verification of compliance with the binding corporate rules;

Council: (i) the mechanisms within the group of undertakings aiming at for ensuring the verification of compliance with the binding corporate rules. Such mechanisms shall include data protection audits and methods for ensuring corrective actions to protect the rights of the data subject. Results of such verification should be communicated to the person or entity referred under point (h) and to the board of the controlling undertaking or of the group of enterprises, and should be available upon request to the competent supervisory authority;

COM and EP (identical): (j) the mechanisms for reporting and recording changes to the policies and reporting these changes to the supervisory authority;

Council: (j) the mechanisms for reporting and recording changes to the policies rules and reporting these changes to the supervisory authority;

COM and EP (identical): (k) the co-operation mechanism with the supervisory authority to ensure compliance by any member of the group of undertakings, in particular by making available to the supervisory authority the results of the verifications of the measures referred to in point (i) of this paragraph.

Council: (k) the co-operation mechanism with the supervisory authority to ensure compliance by any member of the group of undertakings, in particular by making available to the supervisory authority the results of the verifications of the measures referred to in point (i) of this paragraph;

(l) the mechanisms for reporting to the competent supervisory authority any legal requirements to which a member of the group is subject in a third country which are likely to have a substantial adverse effect on the guarantees provided by the binding corporate rules; and

(m) the appropriate data protection training to personnel having permanent or regular access to personal data.

2a. The European Data Protection Board shall advise the Commission on the format and procedures for the exchange of information between controllers, processors and supervisory authorities for binding corporate rules

COM: 3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for binding corporate rules within the meaning of this Article, in particular as regards the criteria for their approval, the application of points (b), (d), (e) and (f) of paragraph 2 to binding corporate rules adhered to by processors and on further necessary requirements to ensure the protection of personal data of the data subjects concerned.

EP: 3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the format, procedures, criteria and requirements for binding corporate rules within the meaning of this Article, in particular as regards the criteria for their approval, including transparency for data subjects, the application of points (b), (d), (e) and (f) of paragraph 2 to binding corporate rules adhered to by processors and on further necessary requirements to ensure the protection of personal data of the data subjects concerned.

Council: deleted

COM: 4. The Commission may specify the format and procedures for the exchange of information by electronic means between controllers, processors and supervisory authorities for binding corporate rules within the meaning of this Article. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2).

EP: deleted

Council: 4. The Commission may specify the format and procedures for the exchange of information by electronic means between controllers, processors and supervisory authorities for binding corporate rules within the meaning of this Article. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2).

Amendment 140

Article 43a (new)

Transfers or disclosures not authorised by Union law

1. No judgment of a court or tribunal and no decision of an administrative authority of a third country requiring a controller or processor to disclose personal data shall be recognised or be enforceable in any manner, without prejudice to a mutual legal assistance treaty or an international agreement in force between the requesting third country and the Union or a Member State.

2. Where a judgment of a court or tribunal or a decision of an administrative authority of a third country requests a controller or processor to disclose personal data, the controller or processor and, if any, the controller's representative, shall notify the supervisory authority of the request without undue delay and must obtain prior authorisation for the transfer or disclosure by the supervisory authority.

3. The supervisory authority shall assess the compliance of the requested disclosure with the Regulation and in particular whether the disclosure is necessary and legally required in accordance with points (d) and (e) of Article 44(1) and Article 44(5). Where data subjects from other Member States are affected, the supervisory authority shall apply the consistency mechanism referred to in Article 57.

4. The supervisory authority shall inform the competent national authority of the request. Without prejudice to Article 21, the controller or processor shall also inform the data subjects of the request and of the authorisation by the supervisory authority and where applicable inform the data subject whether personal data was provided to public authorities during the last consecutive 12-month period, pursuant to point (ha) of Article 14(1).

Article 44

COM: Derogations

EP: Derogations for specific situations

Council: Derogations

Amendment 141

COM and EP (identical): 1. In the absence of an adequacy decision pursuant to Article 41 or of appropriate safeguards pursuant to Article 42, a transfer or a set of transfers of personal data to a third country or an international organisation may take place only on condition that:

Council: 1. In the absence of an adequacy decision pursuant to paragraph 3 of Article 41, or of appropriate safeguards pursuant to Article 42, including binding corporate rules a transfer or a set category of transfers of personal data to a third country or an international organisation may take place only on condition that:

COM and EP (identical): (a) the data subject has consented to the proposed transfer, after having been informed of the risks of such transfers due to the absence of an adequacy decision and appropriate safeguards; or

Council: (a) the data subject has explicitly consented to the proposed transfer, after having been informed of the risks of that such transfers may involve risks for the data subject due to the absence of an adequacy decision and appropriate safeguards; or

COM, EP and Council (identical): (b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request; or

COM, EP and Council (identical): (c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person; or

COM and EP (identical): (d) the transfer is necessary for important grounds of public interest; or

Council: (d) the transfer is necessary for important grounds reasons of public interest; or

COM, EP and Council (identical): (e) the transfer is necessary for the establishment, exercise or defence of legal claims; or

COM and EP (identical): (f) the transfer is necessary in order to protect the vital interests of the data subject or of another person, where the data subject is physically or legally incapable of giving consent; or

Council: (f) the transfer is necessary in order to protect the vital interests of the data subject or of another persons, where the data subject is physically or legally incapable of giving consent; or

COM: (g) the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the extent that the conditions laid down in Union or Member State law for consultation are fulfilled in the particular case; or

EP: (g) the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the extent that the conditions laid down in Union or Member State law for consultation are fulfilled in the particular case.

Council: (g) the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest but only to the extent that the conditions laid down in Union or Member State law for consultation are fulfilled in the particular case; or

COM: (h) the transfer is necessary for the purposes of the legitimate interests pursued by the controller or the processor, which cannot be qualified as frequent or massive, and where the controller or processor has assessed all the circumstances surrounding the data transfer operation or the set of data transfer operations and based on this assessment adduced appropriate safeguards with respect to the protection of personal data, where necessary.

EP: deleted

Council: (h) the transfer, which is not large scale or frequent, is necessary for the purposes of the legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject or the processor, which cannot be qualified as frequent or massive, and where the controller or processor has assessed all the circumstances surrounding the data transfer operation or the set of data transfer operations and based on this assessment adduced appropriate suitable safeguards with respect to the protection of personal data, where necessary.

COM, EP and Council (identical): 2. A transfer pursuant to point (g) of paragraph 1 shall not involve the entirety of the personal data or entire categories of the personal data contained in the register. When the register is intended for consultation by persons having a legitimate interest, the transfer shall be made only at the request of those persons or if they are to be the recipients.

COM: 3. Where the processing is based on point (h) of paragraph 1, the controller or processor shall give particular consideration to the nature of the data, the purpose and duration of the proposed processing operation or operations, as well as the situation in the country of origin, the third country and the country of final destination, and adduced appropriate safeguards with respect to the protection of personal data, where necessary.

EP: deleted

Council: deleted

COM: 4. Points (b), (c) and (h) of paragraph 1 shall not apply to activities carried out by public authorities in the exercise of their public powers.

EP: 4. Points (b), and (c) and (h) of paragraph 1 shall not apply to activities carried out by public authorities in the exercise of their public powers.

Council: 4. Points (a), (b), (c) and (h) of paragraph 1 shall not apply to activities carried out by public authorities in the exercise of their public powers.

COM and EP (identical): 5. The public interest referred to in point (d) of paragraph 1 must be recognised in Union law or in the law of the Member State to which the controller is subject.

Council: 5. The public interest referred to in point (d) of paragraph 1 must be recognised in Union law or in the national law of the Member State to which the controller is subject.

Council: 5a. In the absence of an adequacy decision, Union law or Member State law may, for important reasons of public interest, expressly set limits to the transfer of specific categories of personal data to a third country or an international organisation. Member States shall notify such provisions to the Commission.

COM: 6. The controller or processor shall document the assessment as well as the appropriate safeguards adduced referred to in point (h) of paragraph 1 of this Article in the documentation referred to in Article 28 and shall inform the supervisory authority of the transfer.

EP: Deleted

Council: 6. The controller or processor shall document the assessment as well as the appropriate suitable safeguards adduced referred to in point (h) of paragraph 1 of this Article in the documentation records referred to in Article 28and shall inform the supervisory authority of the transfer.

COM: 7. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying 'important grounds of public interest' within the meaning of point (d) of paragraph 1 as well as the criteria and requirements for appropriate safeguards referred to in point (h) of paragraph 1.

EP: 7. The Commission European Data Protection Board shall be empowered to adopt delegated acts in accordance with Article 86 entrusted with the task of issuing guidelines, recommendations and best practices in accordance with point (b) of Article 66(1) for the purpose of further specifying 'important grounds of public interest' within the meaning of point (d) of paragraph 1 as well as the criteria and requirements for appropriate safeguards referred to in point (h) data transfers on the basis of paragraph 1.

Council: deleted

Article 45

COM, EP and Council (identical): International co-operation for the protection of personal data

Amendment 142

COM, EP and Council (identical): 1. In relation to third countries and international organisations, the Commission and supervisory authorities shall take appropriate steps to:

COM: (a) develop effective international co-operation mechanisms to facilitate the enforcement of legislation for the protection of personal data;

EP: (a) develop effective international co-operation mechanisms to facilitate ensure the enforcement of legislation for the protection of personal data;

Council: (a) develop effective international co-operation mechanisms to facilitate the effective enforcement of legislation for the protection of personal data;

COM, EP and Council (identical): (b) provide international mutual assistance in the enforcement of legislation for the protection of personal data, including through notification, complaint referral, investigative assistance and information exchange, subject to appropriate safeguards for the protection of personal data and other fundamental rights and freedoms;

COM and EP (identical): (c) engage relevant stakeholders in discussion and activities aimed at furthering international co-operation in the enforcement of legislation for the protection of personal data;

Council: (c) engage relevant stakeholders in discussion and activities aimed at furthering promoting international co-operation in the enforcement of legislation for the protection of personal data;

COM: (d) promote the exchange and documentation of personal data protection legislation and practice.

EP: (d) promote the exchange and documentation of personal data protection legislation and practice;

Council: (d) promote the exchange and documentation of personal data protection legislation and practice.

Amendment 143

(da) clarify and consult on jurisdictional conflicts with third countries.

COM and EP (identical): 2. For the purposes of paragraph 1, the Commission shall take appropriate steps to advance the relationship with third countries or international organisations, and in particular their supervisory authorities, where the Commission has decided that they ensure an adequate level of protection within the meaning of Article 41(3).

Council: deleted

Amendment 144

Article 45a (new)

Report by the Commission

The Commission shall submit to the European Parliament and the Council at regular intervals, starting not later than four years after the date referred to in Article 91(1), a report on the application of Articles 40 to 45. For that purpose, the Commission may request information from the Member States and supervisory authorities, which shall be supplied without undue delay. The report shall be made public.