Jan Mulder

Country: Netherlands
Group: Alliance of Liberals and Democrats for Europe (ALDE)
Party: Volkspartij voor Vrijheid en Democratie (VVD)

Member of Budgetary Control
Member of Budgets
Substitute of Civil Liberties, Justice and Home Affairs

Overview Jan Mulder

Amendments: 49
...stronger: 12
...weaker: 25
...neutral: 12

Amendments by Jan Mulder

(20) In order to ensure that individuals are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects residing in the Union by a controller not established in the Union should be subject to this Regulation where the processing activities are related to the offering of goods or (free)services to such data subjects, or to the monitoring of the behaviour of such data subjects.
 
(21) In order to determine whether a processing activity can be considered to ‘monitor the behaviour’ of data subjects, it should be ascertained whether individuals are tracked on the internet, regardless of the origins of the data, with data processing techniques which consist of applying a ‘profile’ to an individual, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.
 
(23) The principles of protection should apply to any information concerning an identified or identifiable person. To determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the individual. The principles of data protection should not apply to data rendered anonymous in such a way that the data subject is no longer identifiable, as for example data that has been anonymised for the purpose of medical research.
 
(24) When using online services or devices, individuals may be associated with online identifiers provided by their devices, applications, tools and protocols, such as Internet Protocol addresses or cookie identifiers. This may leave traces which, combined with unique identifiers and other information received by the servers, may be used to create profiles of the individuals and identify them. It follows that identification numbers, location data, online identifiers or other specific factors as such need not necessarily be considered as personal data in all circumstances.
  Comment: Intention unclear
(25) Consent should be given explicitly by any appropriate method enabling a freely given specific and informed indication of the data subject’s wishes, either by a statement or by a clear affirmative action by the data subject, ensuring that individuals are aware that they give their consent to the processing of personal data, including by ticking a box when visiting an Internet website or by any other statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of their personal data. User-friendly information about the types of processing that will be carried out should facilitate informed consent. Silence, inactivity such as not changing opt-in by default settings, should therefore not constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. If the data subject's consent is to be given following an electronic request, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
 
(27) If a controller or a processor has multiple establishments in the Union, including but not limited to cases where the controller or the processor is part of a group of undertakings, the main establishment of a controller in the Union for the purposes of this Regulation should be determined according to objective criteria and should imply the effective and real exercise of management activities determining the main decisions as to the purposes, conditions and means of processing through stable arrangements. This criterion should not depend on whether the processing of personal data is actually carried out at that location; the presence and use of technical means and technologies for processing personal data or processing activities do not, in themselves, constitute such main establishment and are therefore not determining criteria for a main establishment. The main establishment of the processor should be the place of its central administration in the Union.
 
(34) Consent should not as a rule provide a valid legal ground for the processing of personal data, where there is a clear imbalance between the data subject and the controller, which is specifically the case where the data subject is in a situation of dependence from the controller, among others, where personal data are processed by the employer of employees’ personal data in the employment context. Where the controller is a public authority, there would be an imbalance only in the specific data processing operations where the public authority can impose an obligation by virtue of its relevant public powers and the consent cannot be deemed as freely given, taking into account the interest of the data subject.
 
(39a) The processing of personal data for direct marketing purposes should constitute a legitimate interest, if the controller has obtained the personal data of the data subject in the context of the sale of a product or service and the personal data are used for direct marketing of the data controller's own similar products.
 
(47) Modalities should be provided for facilitating the data subject’s exercise of their rights provided by this Regulation, including mechanisms to request, free of charge, in particular access to data, rectification, erasure and to exercise the right to object. The controller should be obliged to respond to requests of the data subject within a reasonable deadline and give reasons, in case he does not comply with the data subject’s request.
 
(54) To strengthen the ‘right to be forgotten’ in the online environment, the right to erasure should also be extended in such a way that a controller who has made the personal data public should be obliged to inform where possible, taking into account the specific context in which the data was publicized and the responsibilities of the data subject and processor, to erase personal data made public. The processor should inform where this is possible third parties which are processing such data that a data subject requests them to erase any links to, or copies or replications of that personal data. To ensure this information, the controller should take all reasonable steps, including technical measures, in relation to data for the publication of which the controller is responsible. In relation to a third party publication of personal data, the controller should be considered responsible for the publication, where the controller has authorised the publication by the third party.
 
(55) To further strengthen the control over their own data and their right of access, data subjects should have the right, where personal data are processed by electronic means and in a structured and commonly used format, to obtain a copy of the data concerning them also in commonly used electronic format. The data subject should also be allowed to transmit those data, which they have provided, from one automated application, such as a social network, into another one. Data controllers should be encouraged to develop interoperable formats that enable data portability. This should apply where the data subject provided the data to the automated processing system, based on their consent or in the performance of a contract.
 
(65) Each controller and processor should be obliged to co-operate with the supervisory authority. In order to demonstrate compliance with this Regulation, the controller or processor should document processing operations if one of the processing operations as mentioned in Article 33(2) is being executed; the controller or processor should make available documentation, on request, by the DPA, so that it might serve for monitoring those processing operations.
 
(67) A personal data breach may, if not addressed in an adequate and timely manner, result in substantial economic loss and social harm, including identity fraud, to the individual concerned. Therefore, as soon as the controller becomes aware that such a breach has occurred, the controller should notify the breach to the supervisory authority without undue delay and, where feasible, within 24 hours. Where this cannot be achieved within 24 hours, an explanation of the reasons for the delay should accompany the notification. The responsibility hereof should rest with the controller. The individuals whose personal data could be adversely affected by the breach should be notified without undue delay in order to allow them to take the necessary precautions. A breach should be considered as adversely affecting the personal data or privacy of a data subject where it could result in, for example, identity theft or fraud, physical harm, significant humiliation or damage to reputation. The notification should describe the nature of the personal data breach as well as recommendations for the individual concerned to mitigate potential adverse effects. Notifications to data subjects should be made as soon as reasonably feasible, and in close cooperation with the supervisory authority and respecting guidance provided by it or other relevant authorities (e.g. law enforcement authorities). For example, the chance for data subjects to mitigate an immediate risk of harm would call for a prompt notification of data subjects whereas the need to implement appropriate measures against continuing or similar data breaches may justify a longer delay.
 
(70) Directive 95/46/EC provided for a general obligation to notify processing of personal data to the supervisory authorities, while allowing the Member States to exempt processing, which was unlikely to pose risks to the data subjects, from this regulation. This obligation produces administrative and financial burdens, and it did not in all cases contribute to improving the protection of personal data. Therefore such indiscriminate general notification obligation should be abolished, and replaced by effective procedures and mechanisms which focus instead on those processing operations which are likely to present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes. In such cases, a data protection impact assessment should be carried out by the controller or processor prior to the processing, which should include in particular the envisaged measures, safeguards and mechanisms for ensuring the protection of personal data and for demonstrating the compliance with this Regulation.
 
(75) Where the processing is carried out in the public sector or where, in the private sector, processing is carried out by a large enterprise, or where its core activities, regardless of the size of the enterprise, involve processing operations which require regular and systematic monitoring, a person or a team of professionals should assist the controller or processor to monitor internal compliance with this Regulation. Such data protection officers, whether or not an employee of the controller, should be in a position to perform their duties and tasks independently. However, final responsibility should stay with the management of an organization.
 
(77) In order to enhance transparency and compliance with this Regulation, the establishment of certification mechanisms, data protection seals and standardised marks should be encouraged, allowing data subjects to quickly assess the level of data protection of relevant products and services.
 
(88) Transfers which cannot be qualified as frequent or massive, could also be possible for the purposes of the legitimate interests pursued by the controller or the processor, when they have assessed all the circumstances surrounding the data transfer. For instance this would be the case if the purposes of processing are historical, statistical or scientific research purposes, the legitimate expectations of society for an increase of knowledge should be taken into consideration.
  Comment: Intention unclear
(110) At Union level, a European Data Protection Board should be set up. It should replace the Working Party on the Protection of Individuals with Regard to the Processing of Personal Data established by Directive 95/46/EC. It should consist of a head of a supervisory authority of each Member State and of the European Data Protection Supervisor. The Commission should participate in its activities. The European Data Protection Board should contribute to the consistent application of this Regulation throughout the Union, including by advising the Commission and promoting co-operation of the supervisory authorities throughout the Union. The European Data Protection Board should act independently when exercising its tasks.
 
(127a) The obligation to inform the data subject about the purposes of the processing, the right to erasure, the right to data portability, the right to objection, the obligation to take measures to ensure compliance as well as the prohibition to transfer data to countries outside the Union, should not apply to the processing of information relating to the professional capacity of an individual, such as such individual’s employer, job title, function, business address, business phone or fax number, business e-mail address or other organizational details. However, data subjects should have the right to request from the controller not to have such professional information disclosed to third parties.
 
(128) This Regulation respects and does not prejudice the status under national law of churches and religious associations or communities in the Member States, as recognised in Article 17 of the Treaty on the Functioning of the European Union. As a consequence, where a church in a Member State applies, at the time of entry into force of this Regulation, comprehensive rules relating to the protection of individuals with regard to the processing of personal data, these existing rules should continue to apply if they are brought in line with this Regulation. Such churches and religious associations should be required to provide for the establishment of a completely independent supervisory authority.
 
(9) ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
 
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the data will be processed solely for historical, statistical or scientific research purposes in accordance with the rules and conditions of Article 83 and if a periodic review is carried out to assess the necessity to continue the storage; as well as for dispute resolution purposes;
 
(f) processed under the responsibility and liability of the controller, who shall be able to ensure and demonstrate for its processing operations the compliance with the provisions of this Regulation.
 
4. Personal data may not be processed further if the intended purpose for which the personal data will be processed is incompatible with the one for which the personal data have been collected, the processing must have a legal basis at least in one of the grounds referred to in points (a) to (e) of paragraph 1. This shall in particular apply to any change of terms and general conditions of a contract. The data controller must assess the compatibility of the purposes in taking into account: (a) the affiliation between the intended and original processing purposes; (b) the nature of the data concerned; (c) the consequences of the intended processing for the data subjects or third parties; (d) the ways and means used for the original collection of the data; (e) any adequate safeguards the data controller has provided.
 
4a. Further processing of personal data for historical, statistical and scientific purposes shall not be considered as incompatible when the data controller has provided all necessary precautions to ensure that the personal data can only be further processed for these specific purposes.
 
4b. Further processing of personal data is prohibited if the processing is not compatible with any legal, professional or other binding obligation of secrecy.
 
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the conditions referred to in point (f) of paragraph 1 for various sectors and data processing situations, including as regards the processing of personal data related to a child.
 
4. Consent shall not as a rule provide a legal basis for the processing of personal data in cases where there is a significant imbalance in terms of dependence between the position of the data subject and the controller.
 
2. The data subject shall have the right to obtain from the controller communication of the personal data undergoing processing. Where the data subject makes the request in electronic form, the information shall be provided in electronic form, unless otherwise requested by the data subject.
 
2. To verify the lawfulness of the processing the data subject shall have the right to obtain from the controller communication of the personal data undergoing processing. Where the data subject makes the request in electronic form, the information shall be provided in electronic form, unless otherwise requested by the data subject.
 
Responsibility and accountability of the controller
 
1. The controller shall adopt policies and implement appropriate measures to ensure and be able to demonstrate in a transparent manner that the processing of personal data is performed in compliance with this Regulation. Accountability will always remain with the management.
 
3. The controller shall implement mechanisms to ensure the verification of the effectiveness of the measures referred to in paragraphs 1 and 2. If proportionate, this verification shall be carried out by independent internal or external auditors.
 
(b) an enterprise employing fewer than 250 persons; or
 
The processor and any person acting under the authority of the controller or of the processor who has access to personal data shall keep the personal data confidential and not process them except on instructions from the controller, unless required to do so by Union or Member State law.
 
1. Each controller and processor and, if any, the controller's representative, shall maintain documentation of all processing operations under its responsibility if those operations pose a risk as stated in Article 33(2), so that it can at all times demonstrate compliance with this regulation.
 
1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, as soon as possible, after having become aware of it, notify the personal data breach to the supervisory authority in the member state where the controller is established.
 
2a. Controllers shall notify the supervisory authority of the Member State in which they are established. Where the notification is carried out in accordance with paragraph 4, the supervisory authority of the Member State in which the controller responsible for the personal data breach is established shall be notified. Controllers which are not established on the territory of the European Union, shall notify the supervisory authority of the Member State in which their representative is established.
 
In case the controller is part of a group of undertakings or of joint controllers, the personal data breach may be notified by the main establishment, or by another controller or undertaking designated by the joint controllers or group of undertakings.
 
(c) monitoring publicly accessible areas, especially when using optic-electronic devices (video surveillance) on a large scale;
 
1. The controller and the processor shall designate a data protection officer or attract sufficient external advice in any case where: (a) the processing is carried out by a public authority or body; or (b) the processing is carried out by an enterprise employing 250 persons or more; or (c) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects. The data protection officer can already be employed by the enterprise and fulfil his duties part time and will report to the board of an enterprise, organization or public authority which bears ultimate responsibility and is accountable.
 
(aa) where risks as mentioned in Article 33(2) are not negligible even though the company's main activity is not data processing;
 
(b) the processing is carried out by an enterprise employing 250 persons or more; or
 
2. A group of undertakings may appoint a single data protection officer.
 
9. The controller or the processor shall communicate the name and contact details of the data protection officer to the supervisory authority and to the public.
 
2. The controller or processor shall ensure that the data protection officer performs the duties and tasks independently and does not receive any instructions as regards the exercise of the function. The data protection officer shall directly report to the management of the controller or the processor which is responsible for protecting personal data in accordance with this regulation.
 
2a. The supervisory authority shall not disclose information provided to it, where such disclosure could adversely affect the rights and freedoms of others, including the controller or processor. This shall apply particularly to: (a) information related to the economic interests and trade secrets of the controller or processor; (b) the security measures taken in accordance with Article 30; and (c) information which Union or Member State law has designated as confidential.
 
(b) an enterprise or an organisation employing fewer than 250 persons is processing personal data only as an activity ancillary to its main activities.