Germany GUE/NGL

Cornelia Ernst

Country: Germany
Group: European United Left – Nordic Green Left (GUE/NGL)
Party: DIE LINKE. (Linke)

Member of Civil Liberties, Justice and Home Affairs
Substitute of Women's Rights and Gender Equality
Substitute of Regional Development

Overview Cornelia Ernst

Amendments: 141
...stronger: 114
...weaker: 4
...neutral: 23

Amendments by Cornelia Ernst

(11) In order to ensure a consistent level of protection for individuals throughout the Union and to prevent divergences hampering the free movement of data within the internal market, a Regulation is necessary to provide legal certainty and transparency for economic operators, including micro, small and medium-sized enterprises, and to provide individuals in all Member States with the same level of legally enforceable rights and obligations and responsibilities for controllers and processors, to ensure consistent monitoring of the processing of personal data, and equivalent sanctions in all Member States as well as effective co-operation by the supervisory authorities of different Member States. To Where demonstrably necessary and without undermining protection of personal data principles, to take account of the specific situation of micro, small and medium-sized enterprises, this Regulation includes a number of derogations. In addition, the Union institutions and bodies, Member States and their supervisory authorities are encouraged to take account of the specific needs of micro, small and medium-sized enterprises in the application of this Regulation. The notion of micro, small and medium-sized enterprises should draw upon Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium- sized enterprises.
(23) The principles of protection should apply to any information concerning an identified or identifiable person. To determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the individual. The principles of data protection should not apply to data rendered anonymous in such a way that the data subject is no longer identifiable.
(25) Consent should be given explicitly by any appropriate method enabling a freely given specific and informed indication of the data subject’s wishes, either by a statement or by a clear affirmative action by the data subject, ensuring that individuals are aware that they give their consent to the processing of personal data, including by ticking a box when visiting an Internet website or by any other statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of their personal data. Silence , mere use of a service, or inactivity , such as not un-ticking pre- ticked boxes, should therefore not constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. If the data subject’s consent is to be given following an electronic request, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
(29a) Workers’ personal data, especially sensitive data such as political orientation and membership of and activities in trade unions, should be protected in accordance with Articles 8, 12, 27 and 28 of the Charter of Fundamental Rights of the European Union and Articles 8 and 11 of the European Convention on Human Rights. Workers’ personal data may not be used to put workers on so-called ‘blacklists’ to be passed on to other enterprises with the aim of discriminating against particular workers.
(33a) Consent is not indefinite in time and loses its legal effect as a basis for processing as soon as the processing of personal data is no longer necessary for carrying out the purpose for which they were originally collected. Where the conclusion of the intended purpose can not be clearly determined, the controller should at least once a year provide the data subject with the information pursuant to Article 14 and request a confirmation of the original consent from the data subject. If the data subject does not reply positively, the original consent should be considered to have lost its effectiveness at the end of the second calendar year after the first processing.
(33b) Consent should only be considered a valid ground for processing that is lawful and thus not excessive in relation to the purpose. Disproportional data processing cannot be legitimised though obtaining consent.
(34) Consent should not provide a valid legal ground for the processing of personal data, where there is a clear imbalance between the data subject and the controller. This is especially the case where the data subject is in a situation of dependence from the controller, among others, where personal data are processed by the employer of employees’ personal data in the employment context. Where the controller is a public authority, there would be an imbalance only in the specific data processing operations where the public authority can impose an obligation by virtue of its relevant public powers and the consent cannot be deemed as freely given, taking into account the interest of the data subject. The latter should not apply when the public authority acts as an employer.
(38) The legitimate interests(38) In exceptional circumstances, the well-defined legitimate interest of a controller may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding. Notably, direct marketing should not be seen as a legitimate interest. This would need careful assessment in particular where the data subject is a child, given that children deserve specific protection. The data subject should have the right to object the processing, on grounds relating to their particular situation and free of charge. To ensure transparency, the controller should be obliged to explicitly inform the data subject on the legitimate interestsspecific legitimate interest pursued and on the data subject’s right to object, and also be obliged to document these legitimate intereststhis specific legitimate interest it intends to use as a legal basis and notify the national data protection authority in advance of any such processing. Given that it is for the legislator to provide by law the legal basis for public authorities to process data, this legal ground should not apply for the processing by public authorities in the performance of their tasks...
(40) The processing of personal data for other purposes should be only allowed where the processing is compatible with those purposes for which the data have been initially collected, in particular where the processing is necessary for historical, statistical or scientific research purposes. Where the other purpose is not compatible with the initial one for which the data are collected, the controller should obtain the consent of the data subject for this other purpose or should base the processing on another legitimate ground for lawful processing, in particular where provided by Union law or the law of the Member State to which the controller is subject. In any case, the application of the principles set out by this Regulation and in particular the information of the data subject on those other purposes should be ensured.
(45) If the data processed by a controller do not permit the controller to identify a natural person, the data controller should not be obliged to acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation. In case of a request for access, the controller should be entitled to ask the data subject for further information to enable the data controller to locate the personal data which that person seeks. If it is possible for the data subject to provide such data, controllers should not be able to invoke a lack of information to refuse an access request.
(51) Any person should have the right of access to data which has been collected concerning them, and to exercise this right easily, in order to be aware and verify the lawfulness of the processing. Every data subject should therefore have the right to know and obtain communication in particular for what purposes the data are processed, for what period, which recipients receive the data, what is the logic of the data that are undergoing the processing and what might be, at least when based on profiling, the consequences of such processing. This right should not adversely affect the rights and freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the softwareother natural persons. However, the result of these considerations should not be that all information is refused to the data subject.
(55) To further strengthen the control over their own data and their right of access, data subjects should have the right, where personal data are processed by electronic means and in a structured and commonly used , freely available, interoperable, and where possible open source format, to obtain a copy of the data concerning them also in commonly used electronic format. The data subject should also be allowed to transmit those data, which they have provided, from one automated application, such as a social network, into another one. This should apply where the data subject provided the data to the automated processing system, based on their consent or in the performance of a contract.Providers of information society services should not make the transfer of those data mandatory for the provision of their services. Social networks should be encouraged as much as possible to store data in a way which permits efficient data portability for data subjects.
(57) Where personal data are processed for the purposes of direct marketingone or more specific purposes, the data subject should have the right to object to such processing in advance, free of charge and in a manner that can be easily and effectively invoked... Where consent has originally been used as a legal purpose for the processing, the controller should at regular intervals inform the data subject of his rights under Articles 15, 17, 18 and 19.
(59) Restrictions on specific principles and on the rights of information, access, rectification and erasure or on the right to data portability, the right to object, measures based on profiling, as well as on the communication of a personal data breach to a data subject and on certain related obligations of the controllers may be imposed by Union or Member State law, as far as necessary and proportionate in a democratic society to safeguard public security, including the protection of human life especially in response to natural or man made disasters, the prevention, investigation and prosecution of specific criminal offences or of breaches of ethics for regulated professions, other public interests of the Union or of a Member State, in particular an important economic or financial interest of specific and well-defined public interests of the Union or of a Member State, or the protection of the data subject or the rights and freedoms of others. Those restrictions should be in compliance with requirements set out by the Charter of Fundamental Rights of the European Union and by the European Convention for the Protection of Human Rights and Fundamental Freedoms.
(63) Where a controller not established in the Union is processing personal data of data subjects residing in the Union whose processing activities are related to the offering of goods or services to such data subjects, or to the monitoring their behaviourof data subjects, the controller should designate a representative, unless the controller is established in a third country ensuring an adequate level of protection, or the controller is a small or medium sized enterprise or an enterprise which processes personal data of less than 500 data subjects or is a public authority or body or where the controller is only occasionally offering goods or services to such data subjects. The representative should act on behalf of the controller and may be addressed by any supervisory authority.
(66) In order to maintain security and to prevent processing in breach of this Regulation, the controller or processor should evaluate the risks inherent to the processing and implement measures to mitigate those risks. These measures should ensure an appropriate level of security, taking into account the state of the art and the costs of their implementation in relation to the risks and the nature of the personal data to be protected. When establishing technical standards and organisational measures to ensure security of processing, the Commission should promote technological neutrality, interoperability and innovation, and should be promoted, also, where appropriate, cooperate with towards third countries.
  Comment: intention unclar Discuss this Rating
(72) There are circumstances under which it may be sensible and economic necessary that the subject of a data protection impact assessment should be broader than a single project, for example where public authorities or bodies intend to establish a common application or processing platform or where several controllers plan to introduce a common application or processing environment across an industry sector or segment or for a widely used horizontal activity.
(74) Where a data protection impact assessment indicates that processing operations might involve a high degree of specific risks to the rights and freedoms of data subjects, such as excluding individuals from their right, or by the use of specific new technologies, the supervisory authority should be consulted, prior to the start of operations, on a risky processing which might not be in compliance with this Regulation, and to make proposals to remedy such situation. Such consultation should equally take place in the course of the preparation either of a measure by the national parliament or of a measure based on such legislative measure which defines the nature of the processing and lays down appropriate safeguards.
(75) Where the processing is carried out in the public sector or where, in the private sector, processing is carried out by a large enterprise, or where its core activities, regardless of the size of the enterprise, an enterprise and relates to more than 500 data subjects per year, or where its core activities involve processing operations which require regular and systematic monitoring, a person should assist the controller or processor to monitor internal compliance with this Regulation. Such data protection officers, whether or not an employee of the controller, should be in a position to perform their duties and tasks independently.
(75a) Where the data protection officer is employed by the controller or processor, in order to guarantee the independence, the data protection officer should enjoy particular protection against dismissal and discrimination when performing his duties, comparable to worker representatives in accordance with national law and practices. He should be appointed with the consent of the workplace representation. The data protection officer should have the opportunity to follow regular training within their regular working time in relation to their duties, without loss of pay. The costs of the training should be borne by the employer.
(79) This Regulation is without prejudice to international agreements concluded between the Union and third countries regulating the transfer of personal data including appropriate safeguards for the data subjects. ensuring an equivalent level of protection for the fundamental rights of citizens.
(80) The Commission may decide with effect for the entire Union that certain third countries, or a territory or a processing sector within a third country, or an international organisation, offer an adequate level of data protection, thus providing legal certainty and uniformity throughout the Union as regards the third countries or international organisations which are considered to provide such level of protection. In these cases, transfers of personal data to these countries may take place without needing to obtain any further authorisation. The Commission may also decide, having given notice and a complete justification to the third country, to revoke such a decision.
(83) In the absence of an adequacy decision, the controller or processor should take measures to compensate for the lack of data protection in a third country by way of appropriate safeguards for the data subject. Such appropriate safeguards may consist of making use of binding corporate rules, standard data protection clauses adopted by the Commission, standard data protection clauses adopted by a supervisory authority or contractual clauses authorised by a supervisory authority, or other suitable and proportionate measures justified in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations and where authorised by a supervisory authority.. Those appropriate safeguards should uphold an equal respect of the data subject rights as in intra-EU processing, in particular relating to purpose limitation, right to access, rectification, erasure and compensation.
(85) A corporate group should be able to make use of approved binding corporate rules for its international transfers from the Union to organisations within the same corporate group of undertakings, as long as such corporate rules include all essential principles and enforceable rights to ensure appropriate safeguards for transfers or categories of transfers of personal data.
(86) Provisions should be made for the possibility for transfers in certain circumstances where the data subject has given his consent, where the transfer is necessary in relation to a contract or a legal claim, where important grounds of public interest laid down by Union or Member State law so require or where the transfer is made from a register established by law and intended for consultation by the public or persons having a legitimate interest. In this latter case such a transfer should not involve the entirety of the data or entire categories of the data contained in the register and, when the register is intended for consultation by persons having a legitimate interest, the transfer should be made only at the request of those persons or if they are to be the recipients., taking into full account the balance of interest of the fundamental rights and interests of the data subject.
(87) These derogations should in particular apply to data transfers required and necessary for the protection of important grounds of public interest, for example in cases of international data transfers between competition authorities, tax or customs administrations, financial supervisory authorities, between services competent for social security matters, or to competent authorities for the prevention, investigation, detection and prosecution of criminal offences. Transferring personal data for such important grounds of public interest should only be used for occasional transfers. In each and every case, a careful assessment of all circumstances of the transfer should be carried out.
(88) Transfers which cannot be qualified as frequent or massive, could also be possible for the purposes of the legitimate interests pursued by the controller or the processor, when they have assessed all the circumstances surrounding the data transfer. For the purposes of processing for historical, statistical and scientific research purposes, should take the legitimate expectations of society for an increase of knowledge should be taken into consideration.
(90) Some third countries enact laws, regulations and other legislative instruments which purport to directly regulate data processing activities of natural and legal persons under the jurisdiction of the Member States. The extraterritorial application of these laws, regulations and other legislative instruments may be should, by default, be considered to be in breach of international law and may impede the attainment of the protection of individuals guaranteed in the Union by this Regulation. . Transfers should only be allowed where the conditions of this Regulation for a transfer to third countries are met. This may inter alia be the case where the disclosure is necessary for an important ground of public interest recognised in Union law or in a Member State law to which the controller is subject. The conditions under which an important ground of public interest exists should be further specified by the Commission in a delegated act. The existence of legislation which would, even theoretically, permit extra-territorial access to European citizens’ data should be considered, on its own and regardless of the application of legislation, as grounds to revoke recognition of adequacy of the data protection regime of that country or any equivalent bilateral arrangement.
(97a) If people are also affected by suspected breaches of the rules by an undertaking in other Member States (e.g. as consumers or employees), they should be able to complain to the data protection authority of their choice. If a procedure based on the same ground for complaint has already been initiated in another Member State, a further data protection authority which has received a complaint may temporarily suspend the procedure. The data protection authority which takes responsibility for the procedure must coordinate its work with that of the other authorities concerned. If legal issues are contested between the authorities concerned, the matter must be put before the Court of Justice of the EU.
(101) Each supervisory authority should hear complaints lodged by any data subject or by any body, association or organisation acting in the public interest or on behalf of one or more data subjects and should investigate the matter. The investigation following a complaint should be carried out, subject to judicial review, to the extent that is appropriate in the specific case. The supervisory authority should inform the data subject or, as the case may be, the body, association or organisation of the progress and the outcome of the complaint within a reasonable period. If the case requires further investigation or coordination with another supervisory authority, intermediate information should be given to the data subject.
(112) Any body, organisation or association which aims to protects the rights and interests of data subjects in relation to the protection of their data natural persons or is acting in the public interest and is constituted according to the law of a Member State should have the right to lodge a complaint with a supervisory authority or exercise the right to a judicial remedy on behalf of data subjects, or to lodge, independently of a data subject’s complaint, an own complaint where it considers that a personal data breach has occurred.
(114) In order to strengthen the judicial protection of the data subject in situations where the competent supervisory authority is established in another Member State than the one where the data subject is residing, the data subject may request any body, organisation or association aiming to protect the rights and interests of data subjects in relation to the protection of their data natural persons or acting in the public interest to bring on the data subject’s behalf proceedings against that supervisory authority to the competent court in the other Member State.
(118) Any damage , whether pecuniary or not, which a person may suffer as a result of unlawful processing should be compensated by the controller or processor, who may be exempted from liability only if they prove that they are not responsible for the damage, in particular where he establishes fault beyond any doubt that the balance of fault is on the part of the data subject or in case of force majeure.
(119a) Member States should be able to impose criminal sanctions, such as a suspension or temporary revocation of a commercial license for instance, in cases of severe infringements of the provisions of this Regulation, where it concerns manifestly unethical commercial behaviour towards the data subjects and the exercise of their rights.
(121) The processing of personal data solely for journalistic purposes, or for the purposes of artistic or literary expression should qualify for exemption from the requirements of certain provisions of this Regulation(121) Whenever necessary, exemptions or derogations from the requirements of certain provisions of this Regulation for the processing of personal data should be possible in order to reconcile the right to the protection of personal data with the right to freedom of expression, and notably the right to receive and impart information, as guaranteed in particular by Article 11 of the Charter of Fundamental Rights of the European Union. This should apply in particular to processing of personal data in the audiovisual field and in news archives and press libraries. Member States competence to define and organize public service broadcasting in accordance with protocol No. 29 to the Treaty of the European Union shall be respected. Therefore, Member States should adopt legislative measures, which should lay down exemptions and derogations which are necessary for the purpose of balancing these fundamental rights. Such exemptions and derogations should be adopted by the Member States on general principles, on the rights of the data subject, on controller and processor, on the transfer of data to third countries or international organisations, on the independent supervisory authorities and on co-operation and consistency. This should not, however, lead Member States to lay down exemptions from the other provisions of this Regulation. In order to take account of the importance of the right to freedom of expression in every democratic society, it is necessary to interpret notions relating to that freedom, such as journalism, broadly. Therefore, Member States should classify activities as ‘journalistic’ for the purpose of the exemptions and derogations to be laid down under this Regulation if the object of these activities is the disclosure to the public of information, opinions or ideas, irrespective of the medium which is used to transmit them. They should not be limited to media undertakings and may be undertaken for profit-making or for non- profit making purposes.
(124) The general principles on the protection of individuals with regard to the processing of personal data should also be applicable to the employment context. Therefore, in order to regulate the processing of employees’ personal data in the employment context, Member States should be able, within the limits of in accordance with this Regulation, to adopt by law specific rules for the processing of personal data in the employment sector.context.
  Comment: Intention unclar Discuss this Rating
(126) Scientific research for the purposes of this Regulation should include fundamental research, applied research, and privately funded research in the meaning of Article 13 of the Charter of Fundamental Rights of the European Union and in addition should take into account the Union’s objective under Article 179(1) of the Treaty on the Functioning of the European Union of achieving a European Research Area. Opinion and social research form part of scientific research. Market research does not as a rule fall under the notion of scientific research.
3a. Paragraph 3 is without prejudice to legislative measures by the Member States which provide for more favourable conditions for data subjects with regard to the protection of their data, in particular for the purposes of Articles 80 and 84.
(e) by competent public authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties.
(3a) ‘Profiling’ means any form of automated processing of personal data intended to evaluate certain personal aspects relating to a natural person or to analyze or to predict in particular that natural person’s performance at work, economic situation, location, health, personal preferences, reliability or behaviour;
(3a) ‘profiling’ means any kind of automated processing of personal data carried out in order to assess certain characteristics specific to a natural person or to analyse or predict, in particular, his or her professional performance, economic situation, location, state of health, personal preferences, reliability or conduct, and/or in order to tailor a service which is provided or a decision which is applied to a person, and which may also involve processing to determine to what category or categories a person belongs;
(8) ‘the data subject’s consent’ means any freely given specific, informed and explicit indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed; for one or more specific purposes;
(13) ‘main establishment’ means as regards the controller, the place of its establishment in the Union where the main decisions as to the purposes, conditions and means of the processing of personal data are taken; if no decisions as to the purposes, conditions and means of the processing of personal data are taken in the Union, the main establishment is the place where the main processing activities in the context of the activities of an establishment of a controller in the Union take place. In order to determine main processing activities, factual elements like the physical location of data servers, the centralization of core processing activities, or the dominant influence of one particular establishment should be taken into account. As regards the processor, ‘main establishment’ means the place of its central administration in the Union;
(19) ‘supervisory authority’ means a public authority which is established by a Member State in accordance with Article 46.(19) Does not affect the English version.
(b) collected for specified, explicit and legitimate purposes and , not further processed in a way incompatible with those purposes; and processed in a proportionate manner to that purpose (purpose limitation);
(a) the data subject has given consent to the processing of their personal data for one or more specific purposes;, in the form as described in Article 7;
(f) processing (f) Where none of the legal grounds for the processing of personal data referred to in paragraph 1 apply, processing of personal data shall be lawful if and to the extent that it is necessary for and proportionate to the purposes of the well- defined legitimate interests pursued by athe controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where . The data controller shall in that case inform the data subject is a child. This about the data processing explicitly and separately, and shall inform him of the possibility to seek redress via the supervisory authority. The controller shall also publish the reasons for believing that its interests override the interests or fundamental rights and freedoms of the data subject. This paragraph shall not apply to processing carried out by public authorities in the performance of their tasks.
1a. The legitimate interests of the controller as referred to in paragraph 1 point (f) may override the interests or fundamental rights and freedoms of the data subject, only if: (a) processing of personal data takes place as part of the exercise of the right to freedom of expression, the media and the arts, within the limits of Union or national law; (b) processing of personal data is necessary for and proportionate to the enforcement of the legal claims of the data controller or of third parties on behalf of whom the data controller is acting in relation to a specific identified data subject, or for preventing or limiting damage by the data subject to the controller, given that these legal claims are not manifestly unreasonable; (c) processing of personal data takes place in the context of professional business-to- business relationships and the data were collected from the data subject for that purpose and the processing shall be limited to the business-to-business relationship in which the data were originally collected; (d) processing of personal data is necessary for registered non-profit associations, foundations and charities, recognised as acting in the public interest under Union or national law, for the sole purpose of collecting donations.
  Comment: Tending to be at least not weaker than most other definitions if read together with AM911. Discuss this Rating
1b. The interests or fundamental rights and freedoms of the data subject as referred to in paragraph 1 point (f) override the legitimate interest of the controller, as a rule, if: (a) the processing may cause a serious risk of damage to the data subject; (b) special categories of data as referred to in paragraph 1 of article 9, location data, or biometric data are processed; (c) personal data are processed in the context of profiling; (d) personal data is made accessible for a large number of persons or large amounts of personal data about the data subject are processed, aligned or combined with other data; (e) the processing of personal data may adversely affect the data subject, in particular because it can lead to defamation or discrimination; or (f) the data subject is a child.
  Comment: Tending to be at least not weaker than most other definitions if read together with AM907. Discuss this Rating
1c. Where the controller or his representative intends to process personal data on the basis of point f of Article 6(1) , he shall notify the supervisory authority referred to in Chapter VI before carrying out any such processing operation.
4. Where the purpose of further processing is not compatible with the one for which the personal data have been collected, the processing must have a legal basis at least in one of the grounds referred to in points (a) to (e) of paragraph 1. This shall in particular apply to any change of terms and general conditions of a contract.
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the conditions referred to in point (f) of paragraph 1 for various sectors and data processing situations, including as regards the processing of personal data related to a child.
4a. Consent loses its legal effect as a basis for processing as soon as the processing of personal data is no longer necessary for carrying out the purpose for which they were originally collected. Where the conclusion of the intended purpose can not be clearly determined, the controller shall at least once a year provide the data subject with the information pursuant to Article 14 and request a confirmation of the original consent from the data subject. If the data subject does not reply positively, the original consent should be considered to have lost its legal effect at the end of the second calendar year after the first processing.
1. The processing of personal data, revealing race or ethnic origin, political opinions, religion or beliefs, trade-union membership, and the processing of financial data, genetic data or data concerning health or sex life or criminal convictions or related security measures shall be prohibited.
(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller in the field of employment law in so far as it is authorised by Union law or Member State law providing for adequate safeguardsprovided that it meets a clearly defined objective of public interest, respect the essence of the right to protection of personal data, be proportionate to the legitimate aim pursued and respect the fundamental rights and interests of the data subject; or
(e) the processing relates to personal data which are manifestly and demonstrably made public by the data subject; or
(f) processing is necessary for the establishment, exercise or defence of legal claims given they are not manifestly unreasonable; or
(g) processing is necessary for the performance of a task carried out in the a well- defined and substantial public interest, on the basis of Union law, or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitableadequate measures to safeguard the data subject's legitimate interestsfundamental rights and interests of the data subject; or
4. The information and the actions taken on requests referred to in paragraph 1 shall be free of charge. Where requests are manifestly excessive, in particular because of their repetitive character, the controller may charge a reasonable fee for providing the information or taking the action requested, or the controller may not take the action . The level of such a fee shall not exceed the costs of providing the information requested. In that case, the controller shall bear the burden of proving the manifestly excessive character of the request.
(b) the purposes of the processing for which the personal data are intended, including the contract terms and general conditions where the processing is based on point (b) of Article 6(1) and the legitimate interests pursued by the controller where the processing is based on point (f) of Article 6(1);Article 6(1)(f), (1a) and (1b);
(f) the recipients or categories of recipients of the of the personal data, including the controllers to whom personal data; are disclosed for the legitimate interests pursued by them;
(h) any further information necessary to guarantee fair processing in respect of the data subject, having regard to the specific circumstances in which the personal data are collected. In particular, such information shall contain the existence of certain processing activities and operations for which personal data impact assessments have indicated that their may be a high risk, the measures taken in respect of the impact assessment, the existence of any measures of profiling, their legal grounds and their consequences for that particular data subject.
(b) where the personal data are not collected from the data subject, at the time of the recording or within a reasonable period after the collection, having regard to the specific circumstances in which the data are collected or otherwise processed, or, if a disclosuretransfer to another recipientcontroller is envisaged, and at the latest when the data are first disclosed.at the time of the transfer.
(d) the data are not collected from the data subject and the provision of such information will impair the rights and freedoms of othersother natural persons, as defined in Union law or Member State law in accordance with Article 21.
5a. Points (c) and (d) of paragraph 5 shall not apply where the absence of the information impedes the data subject to exercise its rights to access, objection, correction or erasure.
2. The data subject shall have the right to obtain from the controller communication of the personal data undergoing processing. Where the data subject makes the request in electronic form, the information shall be provided in electronic form, an electronic and structured format which follows an open standard, is freely available, interoperable, commonly used and allows for further use by the data subject, unless otherwise requested by the data subject.
(d) for compliance with a legal obligation to retain the personal data by Union or Member State law to which the controller is subject; Member State laws shall meet an objective of essential public interest, fully respect the essence of the right to the protection of personal data and be proportionate to the legitimate aim pursued;
2a. Member States shall promote and use a freely-available and user-friendly format to exercise the data portability right.
1. The data subject shall always have the right to object, on grounds relating to their particular situation, at any time to the processing of personal data which is based on points (d), (e) and (f) of Article 6(1), unless the controller demonstrates compelling legitimate grounds for the processing which override the interests or fundamental rights and freedoms of the data subject.). This right shall be explicitly offered to the data subject in an intelligible manner and shall be clearly distinguishable from other information.
2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object free of charge to the processing of their personal data for such marketing. This right shall be explicitly offered to the data subject in an intelligible manner and shall be clearly distinguishable from other information.
(a) is carried out in the course of the entering into, or performance of, a contract, where the request for the entering into or the performance of the contract, lodged by the data subject, has been satisfied or where suitable measures to safeguard the data subject's legitimate interests have been adduced, such as the right to obtain human intervention and arrangements that allow the data subject to submit his point of view; or
2a. Profiling that has the direct or indirect effect of discriminating against individuals on the basis of race or ethnic origin, socio-economic status, political opinions, religion or beliefs, trade union membership and activities, sexual orientation or gender identity, or that results in measures which have such effect, shall always be prohibited. Profiling in the employment context shall always be prohibited.
3. Automated processing of personal data intended to evaluate certain personal aspects relating to a natural person shall not be based solely on the special categories of personal data referred to in Article 9.
3a. Credit rating data and/or profiling procedures in connection with the conclusion of contracts may be used only when a specially high risk of default can be demonstrated. In predicting the risk of default, only personal data that is genuinely relevant to the person’s credit rating, such as payment problems or insolvency data, may be used. Where scoring methods are used, these must lead to scientifically watertight conclusions. The provider and requester of credit rating data must act in a transparent manner. Consumers should be informed about the data used, the deployment of scoring methods, etc. Credit rating data must be correct and up to date. Health data may not be used for scoring purposes.
1. Union or Member State law may restrict by way of a legislative measure the scope of the obligations and rights provided for in points (a) toc) and (e) of Article 5 and Articles 11 to 20 and 13 and 15 to 19, Article 20, paragraph 1, 2 and 4 and Article 32, when such a restriction constitutes a necessary and proportionate measure in a democratic society provided that it meets a clearly defined objective of public interest, respects the essence of the right to protection of personal data, is proportionate to the legitimate aim pursued and respects the fundamental rights and interests of the data subject in order to safeguard:
(b) the prevention, investigation, detection and prosecution of specific criminal offences;
(c) other substantial public interests of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including in relation to important monetary, budgetary and taxation matters and the protection of market stability and integrity;;
(e) a monitoring, inspection or regulatory function connected, even occasionally, within the framework of the exercise of official a competent public authority in cases referred to in (a), (b), (c) and (d);
2. In particular, any 2. Any legislative measure referred to in paragraph 1 shall contain specific provisions at least as to the objectives to be pursued by the processing and the determination of the controller., the categories of personal data processed, the specific means and purposes of processing, the categories of persons entitled to process the data, the designation of the controller, and the safeguards against unlawful access or transfer of data.
2a. Any such legislative measure shall contain the requirement to inform the data subject of the restriction of their right and of the possibility to obtain indirect access through the national data protection supervisory authority.
3. The controller shall implement mechanisms to ensure the verification of the adequacy and effectiveness of the measures referred to in paragraphs 1 and 2. If proportionate, this verification shall be carried out by independent internal or external auditors. The controller shall regularly make public reports of its activities under this Article.
1. Having regard to the state of the art and the cost of implementation, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
(a) a controller established in a third country where the Commission has decided that the third country ensures an adequate level of protection in accordance with Article 41; or
(b) an enterprise employing processing personal data relating to fewer than 250 persons500 data subjects per year; or
The processor and any person acting under the authority of the controller or of the processor who has access to personal data shall not process them except on instructions from the controller, unless required to do so by Union or Member State law.in accordance with Article 6.
(e) the recipients or categories of recipients of of the personal data, including the controllers to whom personal data are disclosed for the legitimate interest pursued by them;
3. The controller and the processor and, if any, the controller's representative, shall make the documentation available, on request, to the data subject and the supervisory authority.
(a) a natural person processing personal data without a commercial interest; or, unless personal data is made accessible for a large number of persons or a large amount of personal data about the data subjects are processed or combined or aligned with other personal data.
(b) an enterprise or an organisation employing fewer than 250 persons that is processing personal data only as an activity ancillary to its main activities.
1. The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected, having regard to the state of the art and the costs of their implementation..
4a. The supervisory authority shall keep a public register of the types of breaches notified.
3a. If after the implementation of the suggested technological measures another data breach were to occur, the controller shall always be obliged to communicate this without undue delay to the data subject.
1. Where processing operations present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes, the controller or the processor acting on the controller's behalf shall carry out an a detailed assessment of the impact of the envisaged processing operations on the protection of personal data.
(b) information on sex life, health, race and ethnic origin , socio-economic status, or for the provision of health care, epidemiological researches, or surveys of mental or infectious diseases, where the data are processed for taking measures or decisions regarding specific individuals on a large scale;;
(c) monitoring publicly accessible areas, especially when using optic-electronic devices (video surveillance) on a large scale;or any other sensory devices;
3. The assessment shall contain at least a general systematic and detailed description of the envisaged processing operations, an assessment of the risks to the rights and freedoms of data subjects, the measures envisaged to address the risks, safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation, taking into account the rights and legitimate interests of data subjects and other persons concerned.
4. The controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of the processing operations..
5. Where the controller is a public authority or body and where the processing results from a legal obligation pursuant to point (c) of Article 6(1) providing for rules and procedures pertaining to the processing operations and regulated by Union law, paragraphs 1 to 4 shall not apply, unless Member States deem it necessary to carry out such assessment prior to the processing activities.
(b) the processing is carried out by an enterprise employing 250 persons or morea legal person and relates to more than 500 data subjects per year; or
5. The controller or processor shall designate the data protection officer , after consultation with the employee's representatives, on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and ability to fulfil the tasks referred to in Article 37. The necessary level of expert knowledge shall be determined in particular according to the data processing carried out and the protection required for the personal data processed by the controller or the processor.
7. The controller or the processor shall designate a data protection officer for a period of at least two years. The data protection officer may be reappointed for further terms. During their term of office, the data protection officer may only be dismissed, if the data protection officer no longer fulfils the conditions required for the performance of their duties. The controller shall inform the competent supervisory authority of the reasons for his dismissal.
Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation may only take place if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation. Transfers are prohibited to third countries whose laws explicitly provide for processing which would be unlawful under this Regulation or which are otherwise incompatible with Fundamental Rights, such as political and foreign policy purposes which are not necessary for law enforcement or national security.
3. The Commission may decide that a third country, or a territory or a processing sector within that third country, or an international organisation ensures an adequate level of protection within the meaning of paragraph 2. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
6. Where the Commission decides pursuant to paragraph 5, any transfer of personal data to the third country, or a territory or a processing sector within that third country, or the international organisation in question shall be prohibited, without prejudice to Articles 42 to 44Article 42. At the appropriate time, the Commission shall enter into consultations with the third country or international organisation with a view to remedying the situation resulting from the Decision made pursuant to paragraph 5 of this Article.
5. Where the appropriate safeguards with respect to the protection of personal data are not provided for in a legally binding instrument, the controller or processor shall obtain prior authorisation for the transfer, or a set of transfers, or for provisions to be inserted into administrative arrangements providing the basis for such transfer. Such authorisation by the supervisory authority shall be in accordance with point (a) of Article 34(1). If the transfer is related to processing activities which concern data subjects in another Member State or other Member States, or substantially affect the free movement of personal data within the Union, the supervisory authority shall apply the consistency mechanism referred to in Article 57. Authorisations by a supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid, until amended, replaced or repealed by that supervisory authority.
Article 43a Transfers not authorised by Union Law 1. Any judgment of a court or tribunal and no decision of an administrative authority of a third country requiring a controller or processor to disclose personal data shall only be recognized or be enforceable in any manner, on the basis of and in accordance with a mutual assistance treaty or an international agreement in force between the requesting third country and the Union or a Member State. 2. Where a judgment of a court or tribunal or a decision of an administrative authority of a third country requests a controller or processor to disclose personal data, the controller or processor and, if any, the controller's representative, shall notify the supervisory authority of the request without undue delay and must obtain prior authorisation for the transfer by the supervisory authority in accordance with Article 34. 3. The supervisory authority shall assess the compliance of the requested disclosure with the Regulation and in particular whether the disclosure is necessary and legally required in accordance with points (d) and (e) of paragraph 1 and paragraph 5 of Article 44. 4. The supervisory authority shall inform the competent national authority of the request. The controller or processor shall also inform the data subject of the request and of the authorisation by the supervisory authority. 5. The Commission may lay down in an implementing act the standard format of the notifications to the supervisory authority referred to in paragraph 2 and the information of the data subject referred to in paragraph 4 as well as the procedures applicable to the notification and information. Those implementing acts shall be adopted after requesting an opinion of the European Data Protection Board, in accordance with the examination procedure referred to in Article 87(2).
1. In the absence of an adequacy decision pursuant to Article 41 or of appropriate safeguards pursuant to Article 42, and without prejudice to Articles 6, 14, 15, 16 and 17, a transfer or a set of transfers of personal data to a third country or an international organisation may take place only on condition that:
(h) the transfer is necessary for the purposes of the legitimate interests pursued by the controller or the processor, which cannot be qualified as frequent or massive, and where the controller or processor has assessed all the circumstances surrounding the data transfer operation or the set of data transfer operations and based on this assessment adduced appropriate safeguards with respect to the protection of personal data, where necessary.
3. Where the processing is based on point (h) of paragraph 1, the controller or processor shall give particular consideration to the nature of the data, the purpose and duration of the proposed processing operation or operations, as well as the situation in the country of origin, the third country and the country of final destination, and adduced appropriate safeguards with respect to the protection of personal data, where necessary.
  Comment: Has to be read together with AM2502 Discuss this Rating
4. Points (b), (c) and (hc) of paragraph 1 shall not apply to activities carried out by public authorities in the exercise of their public powers.
5. The public interest referred to in point (d) of paragraph 1 must be recognised in Union law or in the law of the Member State to which the controller is subject. This derogation shall only be used for occasional transfers. In each and every case, a careful assessment of all circumstances of the transfer needs to be carried out.
6. The controller or processor shall document the assessment as well as the appropriate safeguards adduced referred to in point (h) of paragraph 1 of this Article in the documentation referred to in Article 28 and shall inform the supervisory authority of the transfer.
1. Member States shall provide that the members of the supervisory authority must be appointed either by the parliament or the government of the Member State concerned.
2. Where the processing of personal data takes place in the context of the activities of an establishment of a controller or a processor in the Union, and the controller or processor is established in more than one Member State, the supervisory authority of the main establishment of the controller or processor shall be competent for the supervision of the processing activities of the controller or the processor in all Member States, without prejudice to the provisions of Chapter VII of this Regulation.
(fa) keep a public register of all prior notifications received by data controllers or processors on intended processing activities in accordance with Article 6(1c).
6. Where requests are manifestly excessive, in particular due to their repetitive character, the supervisory authority may charge a fee or not to take the action requested by the data subject. The level of such a fee shall not exceed the costs of taking the action requested. The supervisory authority shall bear the burden of proving the manifestly excessive character of the request.
4a. A supervisory authority shall pay a reward to an informant who provides information concerning allegations of unlawful processing, amounting to twenty percent of any fine imposed under paragraph 4 which results from investigation of the information received. The procedures for payment shall protect the identity of the informant from disclosure, and make provision for payment to anonymous informants.
Article 59 Opinion by the Commission 1. Within ten weeks after a matter has been raised under Article 58, or at the latest within six weeks in the case of Article 61, the Commission may adopt, in order to ensure correct and consistent application of this Regulation, an opinion in relation to matters raised pursuant to Articles 58 or 61. 2. Where the Commission has adopted an opinion in accordance with paragraph 1, the supervisory authority concerned shall take utmost account of the Commission's opinion and inform the Commission and the European Data Protection Board whether it intends to maintain or amend its draft measure. 3. During the period referred to in paragraph 1, the draft measure shall not be adopted by the supervisory authority. 4. Where the supervisory authority concerned intends not to follow the opinion of the Commission, it shall inform the Commission and the European Data Protection Board thereof within the period referred to in paragraph 1 and provide a justification. In this case the draft measure shall not be adopted for one further month.
Article 60 Suspension of a draft measure 1. Within one month after the communication referred to in Article 59(4), and where the Commission has serious doubts as to whether the draft measure would ensure the correct application of this Regulation or would otherwise result in its inconsistent application, the Commission may adopt a reasoned decision requiring the supervisory authority to suspend the adoption of the draft measure, taking into account the opinion issued by the European Data Protection Board pursuant to Article 58(7) or Article 61(2), where it appears necessary in order to: (a) reconcile the diverging positions of the supervisory authority and the European Data Protection Board, if this still appears to be possible; or (b) adopt a measure pursuant to point (a) of Article 62(1). 2. The Commission shall specify the duration of the suspension which shall not exceed 12 months. 3. During the period referred to in paragraph 2, the supervisory authority may not adopt the draft measure.
2. Any body, organisation or association which aims to protect data subjects‘ protects the rights and interests concerning the protection of their personal data and of natural persons or is acting in the public interest and which has been properly constituted according to the law of a Member State shall have the right to lodge a complaint with a supervisory authority in any Member State on behalf of one or more data subjects if it considers that a data subject's rights under this Regulation have been infringed as a result of the processing of personal data.
3. Independently of a data subject's complaint, any body, organisation or association referred to in paragraph 2 shall have the right to lodge a complaint with a supervisory authority in any Member State, if it considers that a personal data breach has occurred. or when it considers that a controller or processor has breached its obligations under Article 23.
4. A data subject which is concerned by a decision of a supervisory authority in another Member State than where the data subject has its habitual residence, may request the supervisory authority of the Member State where it has its habitual residence to refer the matter to the European Protection Board where his case shall be treated according to the consistency mechanism. Only where the Board has not reached any settlement between the two data protection supervisory authorities, may the data subject request the supervisory authority of the Member State where it has its habitual residence to bring proceedings on its behalf against the competent supervisory authority in the other Member State.
2. Where more than one controller or processor is involved in the processing, each controller or processor shall be jointly and severally liable for the entire amount of the damage. In the case of a group of undertakings, the entire group shall be liable as a single economic entity.
4. The supervisory authority shall impose a fine up to 250 000 EUR, or in case of an enterprise up to 0,51 % of its annual worldwide turnover, to anyone who, intentionally or negligently:
5. The supervisory authority shall impose a fine up to 500 000 EUR, or in case of an enterprise up to 13 % of its annual worldwide turnover, to anyone who, intentionally or negligently:
6. The supervisory authority shall impose a fine up to 1 000 000 EUR or, in case of an enterprise up to 25 % of its annual worldwide turnover, to anyone who, intentionally or negligently:
1. Member States shall provide for exemptions or derogations from the provisions on the general principles in Chapter II, the rights of the data subject in Chapter III, on controller and processor in Chapter IV, on the transfer of personal data to third countries and international organisations in Chapter V, the independent supervisory authorities in Chapter VI and on co-operation and consistency in Chapter VII for the processing of personal data carried out solely for journalistic purposes or the purpose of artistic or literary whenever necessary to reconcile the right to the protection of personal data with the rules governing freedom of expression in order to reconcile the right to the protection of personal data with the rules governing freedom of expression.accordance with the Charter of Fundamental Rights of the European Union and its referral to the ECHR.
1. Within the limits of 1. In accordance with the rules set out in this Regulation, Member States may adopt by law specific rules regulating the processing of employees‘ personal data in the employment context, in particular for the purposes of the recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organisation of work, health and safety at work, and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship.
The right of the Member States to lay down protective provisions on the processing of personal data in the context of employment which are more favourable to employees shall be unaffected.
1a. Data on employees may be processed only in a manner and for purposes which either (a) are bindingly laid down by a national law; or (b) are necessary as a basis for employment or to carry out or terminate employment; or (c) are necessary for the fulfilment of duties under an employment contract or the exercise of rights arising from employment; or (d) are necessary for the proper functioning of IT systems; or (e) are necessary for services within a business which an employee uses without being compelled to do so.
1b. Without prejudice to the other provisions of this regulation, the legal provisions of the Member States referred to in paragraph 1 shall at the minimum include the following minimum standards: (a) Processing of data on employees without the employees’ knowledge shall not be permitted. The private and intimate life of employees shall always be respected; (b) Optical electronic surveillance of parts of the business premises which are not accessible to the public and are predominantly used for purposes of an employee’s private life, particularly in sanitary facilities, changing rooms, rooms where breaks are spent and bedrooms, shall not be permitted; (c) Optical electronic surveillance of publicly accessible parts of the business premises and parts which are not accessible to the public and are not predominantly used for purposes of an employee’s private life, such as entry halls, foyers, offices, workshops or the like, shall be permitted only to the extent that it is absolutely necessary for the safety/security of the employee and of the business; (d) Insofar as possible, surveillance of public parts of the business should not include surveillance of the employee in his place of work. Before surveillance is performed, the employee shall be informed when and for how long the surveillance devices will be operated; (e) Acoustic electronic surveillance shall be permitted only on compelling grounds of public safety, for example in the cockpit of an aircraft. Secret surveillance shall always be prohibited; (f) Any surveillance of employees’ representatives who are provided for by European Union law or domestic law and/or customs, including trade union representatives, shall be prohibited in relation to their representative activity. The same shall apply to blacklisting; (g) Medical data on employees, particularly those gathered in connection with occupational health care examinations pursuant to Article 81(1)(a), may also not be disclosed to the employer; (h) Profiling and processing whose purpose is to permanently monitor employees, their performance or their conduct, shall be prohibited. This shall apply irrespective of the technology used.
1c. In the cases referred to in points (b) to (e) of paragraph 1a and for the purposes of this regulation, it shall be permitted for domestic laws or collective agreements between employers and employees – insofar as these are provided for by law – to create a basis for the admissibility of specific procedures, the design of procedures or implementation or to prohibit processing.
1d. If a representative body has been established for employees within an undertaking in accordance with the law of the Member State, processing by the employer shall be permitted only if the statutory participation rights have been respected.
1e. If there is an intention to communicate data concerning employees to entities which fall outside the scope of this regulation, the employer’s data protection officer shall without fail perform an assessment pursuant to Article 33.
1f. Data concerning the conduct or performance of employees which have been collected or processed in a manner which breaches this regulation may not be used either judicially or extrajudicially.
1g. Employees’ representative bodies or trade unions may exercise rights pursuant to Article 76 on behalf of the employees whom they represent.
1h. Without prejudice to domestic legal provisions concerning the rights of participation of employees’ representative bodies, the latter should be involved in any decision: (a) to appoint the business’s data protection officer pursuant to Section 4; (b) to establish and adapt data-processing systems; (c) to formulate Binding Corporate Rules.
1a. The processing of personal data for purposes of opinion and social research shall be lawful if the data will be rendered anonymous at the earliest possible moment in such a way that the identification of the data subjects is no longer possible.
1b. Subject to the exception in paragraph 1b, data falling within the categories of data covered by Articles 8 and 9 may be processed for historical, statistical or scientific research only with the consent of the data subjects unless they will be rendered anonymous under adequate technical standards and at the earliest possible moment for the research purposes.
  Comment: Intention unclear. Discuss this Rating
(b) the publication of personal data is necessary to present research findings or to facilitate research insofar as the interests or the fundamental rights or freedoms of the data subject do not override these interests; or