Austria EPP

Hubert Pirker

Country: Austria
Group: European People's Party (EPP)
Party: Österreichische Volkspartei (ÖVP)

Member of Transport and Tourism
Substitute of Civil Liberties, Justice and Home Affairs

Overview Hubert Pirker

Amendments: 26
...stronger: 0
...weaker: 24
...neutral: 2

Amendments by Hubert Pirker

(25) Consent should be given explicitlyunambiguously by any appropriate method within the context of the product or the service being offered enabling a freely given specific and informed indication of the data subject’s wishes, either by a statement or by a clear affirmative action by the data subject, ensuring that individuals are aware that they give their consent to the processing of personal data, including by ticking a box when visiting an Internet website or by any other statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of their personal data. Silence or inactivity should therefore not constitute consent. This nevertheless leaves the provisions of 2002/58/EC untouched which state that under certain circumstances consent can be expressed via appropriate settings in the user’s device. Consent should cover all processing activities carried out for the same purpose or purposes. If the data subject’s consent is to be given following an electronic request, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
 
(34) Consent should not provide a valid legal ground for the processing of personal data, where there is a clear imbalance between the data subject and the controller. This is especially the case where the data subject is in a situation of dependence from the controller, among others, where personal data are processed by the employer of employees’ personal data in the employment context. Where the controller is a public authority, there would be an imbalance only in the specific data processing operations where the public authority can impose an obligation by virtue of its relevant public powers and the consent cannot be deemed as freely given, taking into account the interest of the data subject.
 
(38) The legitimate interests of a controller or the third party to which the data have been transferred may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding. This would need careful assessment in particular where the data subject is a child, given that children deserve specific protection. The data subject should have the right to object the processing, on grounds relating to their particular situation and free of charge. To ensure transparency, the controller should be obliged to explicitly inform the data subject on the legitimate interests pursued and on the right to object, and also be obliged to document these legitimate interests. Given that it is for the legislator to provide by law the legal basis for public authorities to process data, this legal ground should not apply for the processing by public authorities in the performance of their tasks.
 
(112) Any body, organisation or association which aims to protect the rights and interests of data subjects in relation to the protection of their data and is constituted according to the law of a Member State should have the right to lodge a complaint with a supervisory authority or exercise the right to a judicial remedy on behalf of data subjects, or to lodge, independently of a data subject’s complaint, an own complaint where it considers that a personal data breach has occurred.
 
(114) In order to strengthen the judicial protection of the data subject in situations where the competent supervisory authority is established in another Member State than the one where the data subject is residing, the data subject may request any body, organisation or association aiming to protect the rights and interests of data subjects in relation to the protection of their data to bring on the data subject’s behalf proceedings against that supervisory authority to the competent court in the other Member State.
 
(8) ‘the data subject’s consent’ means any freely given specific, informed and explicitunambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed; Silence or inactivity does not in itself indicate acceptance;
 
(f) processing is necessary for the purposes of the legitimate interests pursued by , or on behalf of a controller, or a processor, or by a third party or parties in whose interest the data is processed, including for the security of processing, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject issuch as in the case of processing data pertaining to a child. This The interest or fundamental rights and freedoms of the data subject shall not apply to override processing carried out by public authorities in the performance of their tasks.
 
(fa) the data are collected from public registers lists or documents accessible by everyone;
 
4. Consent shall not provide a legal basis for the processing, where there is a significant imbalance between the position of the data subject and the controller.
 
1. Where personal data relating to a data subject are collected, the controller shall provide the data subject with at least the following information:. The following paragraphs do not apply to small enterprises in the course of their own activity and for data which is strictly and exclusively for their internal use.
 
(b) the data are not collected from the data subject or the data processes do not allow the verification of identity and the provision of such information proves impossible or would involve a disproportionate effort such as by generating excessive administrative burden, especially when the processing is carried out by a SME; or
 
(da) the data originates from publicly available sources; or
 
(db) the data must be kept secret in accordance with legislation or by virtue of their nature, particularly because of a legitimate overriding interest of a third party.
 
(dc) the data are processed in the exercise of his profession by, or are entrusted or become known to, a person who is subject to an obligation of professional secrecy regulated by the State or to a statutory obligation of secrecy.
 
1. The 1. Only the data subject shall have the right to obtain from the controller at any time, on request, confirmation as to whether or not personal data relating to the data subject are being processed. unless this request is manifestly excessive according to 12 (4). Where such personal data are being processed, the controller shall - so far as the data subject has not received - provide the following information:
 
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the communication todata subject shall have the right, where personal data are processed by electronic means and in a structured and commonly used format, to obtain from the controller a copy of data which were provided by the data subject itself and that undergoing processing in an electronic and structured format which is commonly used and allows for further use by the data subject of the content of the personal data referred to in point (g) of paragraph 1.. This right shall not restrict rights of others as trade secrets or intellectual property rights. This does not apply on the processing of anonymised and pseudonymised data, insofar as the data subject is not sufficiently identifiable on the basis of such data or identification would require the controller to undo the process of pseudonymisation.
 
3a. There shall be no right to information where: (a) data are involved which a person bound by professional secrecy is required to protect; (b) data must be kept secret in accordance with legislation or by virtue of their nature, particularly because of the overriding interest of a third party; (c) the public entity responsible has ascertained in relation to the entity responsible that disclosure of the data would endanger public safety or order; (d) data comprise trade secrets.
 
Article 18 Right to data portability 1. The data subject shall have the right, where personal data are processed by electronic means and in a structured and commonly used format, to obtain from the controller a copy of data undergoing processing in an electronic and structured format which is commonly used and allows for further use by the data subject. 2. Where the data subject has provided the personal data and the processing is based on consent or on a contract, the data subject shall have the right to transmit those personal data and any other information provided by the data subject and retained by an automated processing system, into another one, in an electronic format which is commonly used, without hindrance from the controller from whom the personal data are withdrawn. 3. The Commission may specify the electronic format referred to in paragraph 1 and the technical standards, modalities and procedures for the transmission of personal data pursuant to paragraph 2. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
 
1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 24 hours after having become aware of it, notify the relating to special categories of personal data, personal data which are subject to professional secrecy, personal data relating to criminal offences or to the suspicion of a criminal act or personal data breach to the supervisory authority. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 24 hours.relating to bank or credit card accounts, which seriously threaten the rights or legitimate interests of the data subject, the controller shall without undue delay notify the personal data breach to the supervisory authority.
 
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for establishing the data breach referred to in paragraphs 1 and 2 and for the particular circumstances in which a controller and a processor is required to notify the personal data breach.
 
1. When the personal data breach is likely to adversely affect the protection of the personal data or privacy , the privacy, the right or the legitimate interests of the data subject, the controller shall, after the notification referred to in Article 31, communicate the personal data breach to the data subject without undue delay. A breach should be considered as adversely affecting the personal data or privacy of a data subject where it could result in, for example, identity theft or fraud, physical harm, significant humiliation or damage to reputation.
 
3. The communication of a personal data breach to the data subject shall not be required if the controller demonstrates to the satisfaction of the supervisory authority that it data breach has not produced significant harm and the controller has implemented appropriate technological protection measures, and that those measures were applied to the data concerned by the personal data breach. Such technological protection measures shall render the data unintelligible , unusable or anonymised to any person who is not authorised to access it.access to it.
 
2. Any body, organisation or association which aims to protect data subjects’ rights and interests concerning the protection of their personal data and has been properly constituted according to the law of a Member State shall have the right to lodge a complaint with a supervisory authority in any Member State on behalf of one or more data subjects if it considers that a data subject's rights under this Regulation have been infringed as a result of the processing of personal data.
 
3. Independently of a data subject's complaint, any body, organisation or association referred to in paragraph 2 shall have the right to lodge a complaint with a supervisory authority in any Member State, if it considers that a personal data breach has occurred.
 
1. Each competent supervisory authority shall be empowered to impose administrative sanctions in accordance with this Article.
 
2. The administrative sanction shall be in each individual case effective, proportionate and dissuasive. The amount of the administrative fine shall be fixed with due regard to the nature, gravity and duration of the breach, the intentional or negligent character of the infringement, the specific category of personal data, the seriousness of the damage or risk of damage caused by the breach, the degree of responsibility of the natural or legal person and of previous breaches by this person, the technical and organisational measures and procedures implemented pursuant to Article 23 and the degree of co-operation with the supervisory authority in order to remedy the breach.