Sophia in 't Veld

Country: Netherlands
Group: Alliance of Liberals and Democrats for Europe (ALDE)
Party: Democraten 66 (D66)

Vice-Chair of Civil Liberties, Justice and Home Affairs
Member of Women's Rights and Gender Equality
Substitute of Economic and Monetary Affairs

Overview Sophia in 't Veld

Amendments: 53
...stronger: 32
...weaker: 6
...neutral: 15

Amendments by Sophia in 't Veld

(14) This Regulation does not address issues of protection of fundamental rights and freedoms or the free flow of data related to activities which fall outside the scope of Union law, nor does it cover the processing of personal data by the Union institutions, bodies, offices and agencies, which are subject to Regulation (EC) No 45/2001, or the processing of personal data by the Member States when carrying out activities in relation to the common foreign and security policy of the Union.
(14a) Without prejudice to the limitations of the material scope of this Regulation, this Regulation should apply to the processing of personal data by third country authorities for the purpose of intelligence gathering and surveillance within the territory of the EEA by means of extraterritorial jurisdiction.
(38) The legitimate interests of a controller may provide a legal basis for processing, in a restrictive way, when no other legal grounds for processing apply and provided that the interests or the fundamental rights and freedoms of the data subject are not overriding. This would need careful assessment in particular where the data subject is a child, given that children deserve specific protection. The data subject should have the right to object the processing, on grounds relating to their particular situation and free of charge. To ensure transparency, the controller should be obliged to explicitly inform the data subject on the legitimate interests pursued and on the right to object, and also be obliged to document these legitimate interests. Given that it is for the legislator to provide by law the legal basis for public authorities to process data, this legal ground should not apply for the processing by public authorities in the performance of their tasks.
(48a) The controller or processor should publish information on how often personal data has been requested by police and justice authorities, from which countries these requests originated, and how often those requests were fully or partially refused.
(89) In any case, where the Commission has taken no decision on the adequate level of data protection in a third country, the controller or processor should make use of solutions that provide data subjects with a guarantee that they will continue to benefit from the fundamental rights and safeguards as regards processing of their data in the Union once this data has been transferred, to the extent that the processing is not massive, not repetitive and not structural.
(90) Some third countries enact laws, regulations and other legislative instruments which purport to directly regulate data processing activities of natural and legal persons under the jurisdiction of the Member States. The extraterritorial application of these laws, regulations and other legislative instruments may be in breach of international law and may impede the attainment of the protection of individuals guaranteed in the Union by this Regulation. Transfers should only be allowed where the conditions of this Regulation for a transfer to third countries are met. This may inter alia be the case where the disclosure is necessary for an important ground of public interest recognised in Union law or in a Member State law to which the controller is subject In cases where controllers or processors are confronted with conflicting compliance requirements between the jurisdiction of the EU on the one hand, and that of a third country on the other, the Commission should ensure that EU law takes precedence at all times. The conditions under which an important ground of public interest exists should be further specified by the Commission in a delegated act. Commission should provide guidance and assistance to the controller and processor, and it should seek to resolve the jurisdictional conflict with the third country in question.
(98) The competent authority, providing such one-stop shop, should be the supervisory authority of the Member State in which the controller or processor has its main establishment. In case of uncertainty regarding the main establishment, the determination of the main establishment of a controller or a processor should be dealt with within the consistency mechanism at the request of a supervisory authority.
(110a) The European Data Protection Board should work in a transparent way and, where possible and appropriate, consult stakeholders when developing specifications, opinions, guidelines or any other output on the basis of this Regulation.
(128) This Regulation respects and does not prejudice the status under national law of churches and religious associations or communities in the Member States, as recognised in Article 17 of the Treaty on the Functioning of the European Union. As a consequence, where a church in a Member State applies, at the time of entry into force of this Regulation, comprehensive rules relating to the protection of individuals with regard to the processing of personal data, these existing rules should continue to apply if they are brought in line with this Regulation. Such churches and religious associations should be required to provide for the establishment of a completely independent supervisory authority.
(b) by the Union institutions, bodies, offices and agencies;
(1) ‘data subject’ means an identified natural person or a natural person who can be identified or singled out, directly or indirectly, alone or in combination with associated data, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to a unique identifier, an identification numbercode, location data, online identifieridentifiers or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity, social or gender identity or sexual orientation of that person;
(13) ‘main establishment’ means as regards the controller, the place of its establishment in the Union where the main decisions as to the purposes, conditions and means of the processing of personal data are taken; the location of the controller’s headquarters is given priority in cases where it is not clear where the main decisions as to the purposes, conditions and means of the processing are taken; if no decisions as to the purposes, conditions and means of the processing of personal data are taken in the Union, the main establishment is the place where the main processing activities in the context of the activities of an establishment of a controller in the Union take place. As regards the processor, ‘main establishment’ means the place of its central administration in the Union;
(19a) ‘cloud service’ means the provision to the public of data processing or storage services using shared remote resources by means of an electronic communications network;
(f) processing is necessary for the purposes of the legitimate interests pursued by a controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks. Legitimate interest as a legal ground for processing can only be applied in a restrictive way, to the extent that it is strictly necessary for the purpose of the legitimate interest, and when no other legal ground is available for the specific purpose. The data controller shall in that case inform the data subject explicitly and separately. The controller shall also publish the reasons for believing that its interests override the interests or fundamental rights and freedoms of the data subject.
1a. The European Data Protection Board shall be entrusted with the task of further specifying when processing is justified for the purpose of the legitimate interests pursued by a controller as referred to in paragraph 1, and when the legitimate interest of the controller is overridden by the interests or fundamental rights and freedoms of the data subject.
(j) processing of data relating to criminal convictions or related security measures is carried out either under the control of official and permission of the supervisory authority or when the processing is necessary for compliance with a legal or regulatory obligation to which a controller is subject, or for the performance of a task carried out for important public interest reasons, and in so far as authorised by Union law or Member State law providing for adequate safeguards for the fundamental rights and interests of the data subject. A complete register of criminal convictions shall be kept only under the control of official authority.
When the controller no longer exists, has disappeared or cannot be identified or contacted, the data subject has the right to obtain the erasure of personal data relating to him or her from third parties that process that personal data, where the same grounds apply as in Article 17(1).
1. Every natural person shall have the right not to be subject to a measure which produces legal effectsa legal effect concerning this natural person or significantly affects this natural person, and which is based solely or predominantly on automated processing intended to evaluate certain personal aspects relating to this natural person or to analyse or predict in particular the natural person's performance at work, economic situation, location, health, personal preferences, reliability or behaviour. Such automated processing may include the application of web analysing tools, tracking for assessing user behaviour, the creation of motion profiles by mobile applications, or the creation of personal profiles by social networks.
(a) is carried out in the course of the entering into, or performance of, a contract, where the request necessary for the performance of a contract to which the data subject is a party, or for the entering into or the performance of the contract, lodged by implementation of pre-contractual measures taken at the request of the data subject, has been satisfied or where provided that suitable measures to safeguard the data subject's legitimate interests have been adduced, such as the right to obtain human intervention; or
(c) is based on the data subject's consent, subject to the conditions laid down in Article 7 and to suitable safeguards, including effective protection against possible discrimination resulting from measures described in paragraph 1.
3. Automated processing of personal data intended to evaluate certain personal aspects relating to a natural person shall not be based solely on include or generate any data that fall under the special categories of personal data referred to in Article 9, without prejudice to the exceptions listed in Article 9(2).
3a. Profiling on the basis of race or ethnic origin, political opinions, religion or beliefs, trade union membership, sexual orientation or gender identity that has a negative effect on individuals shall be prohibited.
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purposeEuropean Data Protection Board shall be entrusted with the task of further specifying the criteria and conditions for suitable measures to safeguard the data subject's fundamental rights regarding the provisions of this Article, and the legitimate interests referred to in paragraph 2.
1. Each controller and processor and, if any, the controller's representative, shall maintain documentation of all processing operations under its responsibility. shall be able to demonstrate compliance with the provisions of this Regulation on request of the supervisory authority.
1a. Without prejudice to the other provisions of this Regulation, each controller and processor shall maintain documentation on transfers of data to a third country or an international organisation, including the identification of that third country or international organisation, the organisation, enterprise, public organisation or competent authority concerned, the legal basis of the transfer, and, in case of transfers referred to in point (h) of Article 44(1), the documentation of appropriate safeguards.
2. The documentation shall contain at least the following information: (a) the name and contact details of the controller, or any joint controller or processor, and of the representative, if any; (b) the name and contact details of the data protection officer, if any; (c) the purposes of the processing, including the legitimate interests pursued by the controller where the processing is based on point (f) of Article 6(1); (d) a description of categories of data subjects and of the categories of personal data relating to them; (e) the recipients or categories of recipients of the personal data, including the controllers to whom personal data are disclosed for the legitimate interest pursued by them; (f) where applicable, transfers of data to a third country or an international organisation, including the identification of that third country or international organisation and, in case of transfers referred to in point (h) of Article 44(1), the documentation of appropriate safeguards; (g) a general indication of the time limits for erasure of the different categories of data; (h) the description of the mechanisms referred to in Article 22(3).
3. The controller and the processor and, if any, the controller's representative, shall make the documentation available, on request, to the supervisory authority.
4. The obligationsobligation referred to in paragraphs 1 and 2 shall not apply to the following controllers and processors: (a) a a natural person processing personal data without a commercial interest; or (b) an enterprise or an organisation employing fewer than 250 persons that is processing personal data only as an activity ancillary to its main activities.
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the documentation referred to in paragraph 1, to take account of in particular the responsibilities of the controller and the processor and, if any, the controller's representative.
6. The Commission may lay down standard forms for the documentation referred to in paragraph 1. Those implementing acts shall be adopted in accordance with the examination procedure European Data Protection Board shall be entrusted with the task of adopting guidelines for the format of the documentation referred to in Article 87(2). paragraph 1.
1. The controller and the processor shall designate or contract externally a data protection officer in any case where:
(b) the processing is carried out by an enterprise employing 250 persons or more; or
1a. The data protection officer shall report directly to the company board, which is ultimately responsible and accountable for the compliance with the provisions of this Regulation.
Article 37a COMPANY BOARD RESPONSIBILITY The controller and the processor shall designate a company board member who shall bear the final responsibility for the compliance with the provisions of this Regulation.
3a. The appropriate safeguards referred to in paragraph 2 shall include the requirement that litigation on safeguards against third country government surveillance or information requests by third country authorities takes place under the jurisdiction of the Member State of the main establishment of the controller or processor concerned.
5. Where the appropriate safeguards with respect to the protection of personal data are not provided for in a legally binding instrument, the controller or processor shall obtain prior authorisation for the transfer, or a set of transfers, or for provisions to be inserted into administrative arrangements providing the basis for such transfer. Such authorisation by the supervisory authority shall be in accordance with point (a) of Article 34(1). If the transfer is related to processing activities which concern data subjects in another Member State or other Member States, or substantially affect the free movement of personal data within the Union, the supervisory authority shall apply the consistency mechanism referred to in Article 57. 5. Authorisations by a supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid, until amended, replaced or repealed by that supervisory authority.
1. In the absence of an adequacy decision pursuant to Article 41 or of appropriate safeguards pursuant to Article 42, a transfer or a set of transfers of personal data to a third country or an international organisation may take place , to the extent that the processing is not massive, not repetitive and not structural, only on condition that:
(a) the data subject has consented to the proposed transfer, after having been informed of the risks of such transfers due to the absence of an adequacy decision and appropriate safeguards; orand
(d) the transfer is necessary for important grounds of public interest; or
5. The public interest referred to in point (d) of paragraph 1 must be recognised in Union law or in the law of the Member State to which the controller is subject.
7. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying ‘important grounds of public interest’ within the meaning of point (d) of paragraph 1 as well as the criteria and requirements for appropriate safeguards referred to in point (h) of paragraph 1.
Article 44a Transfers to cloud services under third country jurisdiction The transfer of personal data to cloud services under the jurisdiction of a third country shall be prohibited, unless: (a) one of the legal grounds for transfer of personal data to third countries listed in this Chapter is applied; and (b) the data subject has given consent; and (c) the consent has been given by the data subject after having been informed in clear, unambiguous and warning language through a separate and prominently visible reference to: (i) the possibility of the personal data being subject to intelligence gathering or surveillance by third-country authorities; and (ii) the risk that the protection of personal data and fundamental rights provided by Union and Member State law cannot be guaranteed, despite the legal basis of the transfer.
(a) develop effective international co-operation mechanisms to facilitateensure the enforcement of legislation for the protection of personal data;
(da) clarify and resolve jurisdictional conflicts with third countries.
(a) access to all personal data and to all documents and information necessary for the performance of its duties;
(ga) provide assistance or litigate on behalf of the supervisory authority, at the request of that supervisory authority, when the resources of the supervisory authority are insufficient to effectively take up a case before any court;
(gb) The European Data Protection Board shall work in a transparent way and, where appropriate, consult stakeholders when developing specifications, opinions, guidelines or other output on the basis of this Regulation.
Article 71a Legal Service 1. The European Data Protection Board shall have a legal service. The European Data Protection Supervisor shall provide that legal service. 2. The legal service shall provide legal assistance to supervisory authorities and the European Data Protection Board under the direction of the chair. 3. The legal service shall be responsible in particular for: (a) providing assistance to supervisory authorities in litigation at the request of a supervisory authority; (b) litigating on behalf of the supervisory authority when the resources of the supervisory authority are insufficient to effectively take up a case before any court at the request of the supervisory authority, or at the request of the European Data Protection Board or the Commission with the consent of the supervisory authority; (c) exchanging legal knowledge and experience among the supervisory authorities; (d) clarifying jurisdictional conflicts with third countries.
Administrative sanctionsSanctions
7a. The Commission shall bring forward a legislative proposal for the purpose of specifying the criteria and requirements for the joint and several liability of the board of the controller and the processor, and in particular the board member referred to in Article 37a, in cases of non-compliance with the provisions of this Regulation within one year after the entry into force of this Regulation.
7b. The Commission shall bring forward a legislative proposal for the purpose of specifying the criteria and requirements for administrative and criminal sanctions against the board, in particular the board member referred to in Article 37a, in cases of non-compliance with the provisions of this Regulation causing, or having caused, damage to data subjects, within one year after the entry into force of this Regulation.
7c. The Commission shall bring forward a legislative proposal for the purpose of specifying the conditions and criteria to guarantee the legal protection of whistleblowers within one year after the entry into force of this Regulation.
Existing data protection rules of churches and religious associations 1. Where in a Member State, churches and religious associations or communities apply, at the time of entry into force of this Regulation, comprehensive rules relating to the protection of individuals with regard to the processing of personal data, such rules may continue to apply, provided that they are brought in line with the provisions of this Regulation. 2. Churches and religious associations which apply comprehensive rules in accordance with paragraph 1 shall provide for the establishment of an independent supervisory authority in accordance with Chapter VI of this Regulation. Article 85 deleted