Group: European Conservatives and Reformists (ECR)
Party: Conservative Party (CON)
Member of Civil Liberties, Justice and Home Affairs
Substitute of Culture and Education
Amendments by Timothy Kirkhope
2. This Regulation applies to the processing of personal data of data subjects residing in the Union by a controller not established in the Union, where the processing activities are related to:
(8) ‘the data subject’s consent’ means any freely given specific, informed and explicit indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed;
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject;
(b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes;
2. If the data subject's consent is to be given in the context of a written declaration which also concerns another matter, the requirement to give consent must be presented distinguishable in its appearance from this other matter.
(c) processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving consent; or
(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other non-profit-seeking body with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the data are not disclosed outside that body without the consent of the data subjects; or
(j) processing of data relating to criminal convictions or related security measures is carried out either under the control of official authority or when the processing is necessary for compliance with a legal or regulatory obligation to which a controller is subject, or for the performance of a task carried out for important public interest reasons, and in so far as authorised by Union law or Member State law providing for adequate safeguards.
A complete register of criminal convictions shall be kept only under the control of official authority.
1. The controller shall have transparent and easily accessible policies with regard to the processing of personal data and for the exercise of data subjects' rights.
2. The controller shall provide any information and any communication relating to the processing of personal data to the data subject in an intelligible form, using clear and plain language, adapted to the data subject, in particular for any information addressed specifically to a child.
2. The controller shall inform the data subject without delay and, at the latest within one month of receipt of the request, whether or not any action has been taken pursuant to Article 13 and Articles 15 to 19 and shall provide the requested information. This period may be prolonged for a further month, if several data subjects exercise their rights and their cooperation is necessary to a reasonable extent to prevent an unnecessary and disproportionate effort on the part of the controller. The information shall be given in writing. Where the data subject makes the request in electronic form, the information shall be provided in electronic form, unless otherwise requested by the data subject.
3. If the controller refuses to take action on the request of the data subject, the controller shall inform the data subject of the reasons for the refusal and on the possibilities of lodging a complaint to the supervisory authority and seeking a judicial remedy.
4. The information and the actions taken on requests referred to in paragraph 1 shall be free of charge. Where requests are manifestly excessive, in particular because of their repetitive character, the controller may charge a fee for providing the information or taking the action requested, or the controller may not take the action requested. In that case, the controller shall bear the burden of proving the manifestly excessive character of the request.
3. Where the personal data are not collected from the data subject, the controller shall inform the data subject, in addition to the information referred to in paragraph 1, from which source the personal data originate.
6. In the case referred to in point (b) of paragraph 5, the controller shall provide appropriate measures to protect the data subject's legitimate interests.
The data subject shall have the right to obtain from the controller the rectification of personal data relating to them which are inaccurate. The data subject shall have the right to obtain completion of incomplete personal data, including by way of supplementing a corrective statement.
1. The data subject shall have the right to obtain from the controller the erasure of personal data relating to them and the abstention from further dissemination of such data, especially in relation to personal data which are made available by the data subject while he or she was a child, where one of the following grounds applies:
1. The data subject shall have the right, where personal data are processed by electronic means and in a structured and commonly used format, to obtain from the controller a copy of data undergoing processing in an electronic and structured format which is commonly used and allows for further use by the data subject
1. The data subject shall have the right to object, on grounds relating to their particular situation, at any time to the processing of personal data which is based on points (d), (e) and (f) of Article 6(1), unless the controller demonstrates compelling legitimate grounds for the processing which override the interests or fundamental rights and freedoms of the data subject.
2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object free of charge to the processing of their personal data for such marketing. This right shall be explicitly offered to the data subject in an intelligible manner and shall be clearly distinguishable from other information.
1. Every natural person shall have the right not to be subject to a measure which produces legal effects concerning this natural person or significantly affects this natural person, and which is based solely on automated processing intended to evaluate certain personal aspects relating to this natural person or to analyse or predict in particular the natural person's performance at work, economic situation, location, health, personal preferences, reliability or behaviour.
4. In the cases referred to in paragraph 2, the information to be provided by the controller under Article 14 shall include information as to the existence of processing for a measure of the kind referred to in paragraph 1 and the envisaged effects of such processing on the data subject.
(c) other public interests of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters and the protection of market stability and integrity;
1. The controller shall adopt policies and implement appropriate measures to ensure and be able to demonstrate that the processing of personal data is performed in compliance with this Regulation
2. The measures provided for in paragraph 1 shall in particular include:
3. The controller shall implement mechanisms to ensure the verification of the effectiveness of the measures referred to in paragraphs 1 and 2.
If proportionate, this verification shall be carried out by independent internal or external auditors.
1. In the situation referred to in Article 3(2), the controller shall designate a representative in the Union
1. Each controller and processor and, if any, the controller's representative, shall maintain documentation of all processing operations under its responsibility.
2. The documentation shall contain at least the following information:
3. The controller and the processor and, if any, the controller's representative, shall make the documentation available, on request, to the supervisory authority.
(b) an enterprise or an organisation employing fewer than 250 persons that is processing personal data only as an activity ancillary to its main activities.
1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 24 hours after having become aware of it, notify the personal data breach to the supervisory authority. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 24 hours.
2. Pursuant to point (f) of Article 26(2), the processor shall alert and inform the controller immediately after the establishment of a personal data breach.
4. The controller shall document any personal data breaches, comprising the facts surrounding the breach, its effects and the remedial action taken. This documentation must enable the supervisory authority to verify compliance with this Article. The documentation shall only include the information necessary for that purpose.
1. When the personal data breach is likely to adversely affect the protection of the personal data or privacy of the data subject, the controller shall, after the notification referred to in Article 31, communicate the personal data breach to the data subject without undue delay.
Commission may specify standards and procedures for carrying out and verifying and auditing the assessment referred to in paragraph 3. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
4. The supervisory authority shall establish and make public a list of the processing operations which are subject to prior consultation pursuant to point (b) of paragraph 2. The supervisory authority shall communicate those lists to the European Data Protection Board.
7. Member States shall consult the supervisory authority in the preparation of a legislative measure to be adopted by the national parliament or of a measure based on such a legislative measure, which defines the nature of the processing, in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risks involved for the data subjects.
1. The controller and the processor shall designate a data protection officer in any case where:
(b) the processing is carried out by an enterprise employing 250 persons or more; or
10. Data subjects shall have the right to contact the data protection officer on all issues related to the processing of the data subject's data and to request exercising the rights under this Regulation
2. The controller or processor shall ensure that the data protection officer performs the duties and tasks independently and does not receive any instructions as regards the exercise of the function. The data protection officer shall directly report to the management of the controller or the processor.
1. The controller or the processor shall entrust the data protection officer at least with the following tasks:
(a) to inform and advise the controller or the processor of their obligations pursuant to this Regulation and to document this activity and the responses received;
(b) to monitor the implementation and application of the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, the training of staff involved in the processing operations, and the related audits;
(c) to monitor the implementation and application of this Regulation, in particular as to the requirements related to data protection by design, data protection by default and data security and to the information of data subjects and their requests in exercising their rights under this Regulation;
(d) to ensure that the documentation referred to in Article 28 is maintained;
(e) to monitor the documentation, notification and communication of personal data breaches pursuant to Articles 31 and 32;
(f) to monitor the performance of the data protection impact assessment by the controller or processor and the application for prior authorisation or prior consultation, if required pursuant to Articles 33 and 34;
(g) to monitor the response to requests from the supervisory authority, and, within the sphere of the data protection officer's competence, co-operating with the supervisory authority at the latter's request or on the data protection officer's own initiative;
(h) to act as the contact point for the supervisory authority on issues related to the processing and consult with the supervisory authority, if appropriate, on his/her own initiative.
1. The Member States, the supervisory authorities and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking account of the specific features of the various data processing sectors, in particular in relation to:
3. Associations and other bodies representing categories of controllers in several Member States may submit draft codes of conduct and amendments or extensions to existing codes of conduct to the
Commission may adopt implementing acts for deciding that the codes of conduct and amendments or extensions to existing codes of conduct submitted to it pursuant to paragraph 3 have general validity within the Union. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2).
Commission shall ensure appropriate publicity for the codes which have been decided as having general validity in accordance with paragraph 4.
Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the data protection certification mechanisms referred to in paragraph 1, including conditions for granting and withdrawal, and requirements for recognition within the Union and in third countries.
Commission may lay down technical standards for certification mechanisms and data protection seals and marks and mechanisms to promote and recognize certification mechanisms and data protection seals and marks. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2).
1. A transfer may take place where the Commission has decided that the third country, or a territory or a processing sector within that third country, or the international organisation in question ensures an adequate level of protection. Such transfer shall not require any further authorisation.
1. Where the Commission has taken no decision pursuant to Article 41, a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has adduced appropriate safeguards with respect to the protection of personal data in a legally binding instrument.
(f) the acceptance by the controller or processor established on the territory of a Member State of liability for any breaches of the binding corporate rules by any member of the group of undertakings not established in the Union; the controller or the processor may only be exempted from this liability, in whole or in part, if he proves that that member is not responsible for the event giving rise to the damage;
2. The members of the supervisory authority shall, in the performance of their duties, neither seek nor take instructions from anybody
The members and the staff of the supervisory authority shall be subject, both during and after their term of office, to a duty of professional secrecy with regard to any confidential information which has come to their knowledge in the course of the performance of their official duties
2. Where the processing of personal data takes place in the context of the activities of an establishment of a controller or a processor in the Union, and the controller or processor is established in more than one Member State, the supervisory authority of the main establishment of the controller or processor shall be competent for the supervision of the processing activities of the controller or the processor in all Member States, without prejudice to the provisions of Chapter VII of this Regulation.
(f) be consulted by Member State institutions and bodies on legislative and administrative measures relating to the protection of individuals' rights and freedoms with regard to the processing of personal data;
6. Where requests are manifestly excessive, in particular due to their repetitive character, the supervisory authority may charge a fee or not take the action requested by the data subject. The supervisory authority shall bear the burden of proving the manifestly excessive character of the request.
1. Before a supervisory authority adopts a measure referred to in paragraph 2, this supervisory authority shall communicate the draft measure to the European Data Protection Board and the Commission.
1. The discussions of the European Data Protection Board shall be confidential
1. Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority in any Member State if they consider that the processing of personal data relating to them does not comply with this Regulation.
2. Any body, organisation or association which aims to protect data subjects' rights and interests concerning the protection of their personal data and has been properly constituted according to the law of a Member State shall have the right to lodge a complaint with a supervisory authority in any Member State on behalf of one or more data subjects if it considers that a data subject's rights under this Regulation have been infringed as a result of the processing of personal data.
2. The administrative sanction shall be in each individual case effective, proportionate and dissuasive. The amount of the administrative fine shall be fixed with due regard to the nature, gravity and duration of the breach, the intentional or negligent character of the infringement, the degree of responsibility of the natural or legal person and of previous breaches by this person, the technical and organisational measures and procedures implemented pursuant to Article 23 and the degree of co-operation with the supervisory authority in order to remedy the breach.
4. The supervisory authority shall impose a fine up to 250 000 EUR, or in case of an enterprise up to 0,5 % of its annual worldwide turnover, to anyone who, intentionally or negligently:
5. The supervisory authority shall impose a fine up to 500 000 EUR, or in case of an enterprise up to 1 % of its annual worldwide turnover, to anyone who, intentionally or negligently:
6. The supervisory authority shall impose a fine up to 1 000 000 EUR or, in case of an enterprise up to 2 % of its annual worldwide turnover, to anyone who, intentionally or negligently:
(b) data enabling the attribution of information to an identified or identifiable data subject is kept separately from the other information as long as these purposes can be fulfilled in this manner.