|Group:||Progressive Alliance of Socialists and Democrats (S&D)|
|Party:||Sozialdemokratische Partei Österreichs (SPÖ)|
Member of Civil Liberties, Justice and Home Affairs
Substitute of Internal Market and Consumer Protection
Overview Josef Weidenholzer
Amendments by Josef Weidenholzer
(3) Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data seeks to harmonise the protection of fundamental rights and freedoms of natural persons in respect of processing activities and to guarantee the
free flow of personal data between Member States.
(15) This Regulation should not apply to processing of personal data by a natural person,
which are exclusively personal or domestic, such as correspondence and the holding of addresses, and without any gainful interest and thus without any connection with a professional or commercial activity. The exemption should also not apply to controllers or processors which provide the means for processing personal data for such personal or domestic activities.
(17) This Regulation should be without prejudice to the application of
Directive 2000/31/EC, in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that Directive.
(24) When using online services, individuals may be associated with online identifiers provided by their devices, applications, tools and protocols, such as Internet Protocol addresses or cookie identifiers. This may leave traces which, combined with unique identifiers and other information received by the servers, may be used to create profiles of the individuals and identify them.
It follows that identification numbers, location data, online identifiers or other specific factors as such need not necessarily be considered as personal data in all circumstances.
(31) In order for processing to be lawful, personal data should be processed on the basis of the consent of the person concerned or some other legitimate basis, laid down by law, either in this Regulation or in other Union or Member State law as referred to in this Regulation.
(32) Where processing is based on the data subject’s consent, the controller should have the burden of proving that the data subject has given the consent to the processing operation. In particular in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware that and to what extent consent is given.
(34) Consent should not provide a valid legal ground for the processing of personal data, where there is a clear imbalance between the data subject and the controller. This is especially the case where the data subject is in a situation of dependence from the controller, among others, where personal data are processed by the employer of employees' personal data in the employment context. Where the controller is a public authority, there
would be an imbalance only in the specific data processing operations where the public authority can impose an obligation by virtue of its relevant public powers and the consent cannot be deemed as freely given, taking into account the interest of the data subject.
(75) Where the processing is carried out in the public sector or where, in the private sector, processing is carried out by
a large enterprise, or where its core activities, regardless of the size of the enterprise, involve processing operations which require regular and systematic monitoring, a person should assist the controller or processor to monitor internal compliance with this Regulation. Such data protection officers, whether or not an employee of the controller, should be in a position to perform their duties and tasks independently.
(76) Associations or other bodies representing categories of controllers should be encouraged
to draw up codes of conduct, within the limits of this Regulation, so as to facilitate the effective application of this Regulation, taking account of the specific characteristics of the processing carried out in certain sectors.
(112) Any body, organisation or association which aims to protects the rights and interests of data subjects in relation
to the protection of their data and is constituted according to the law of a Member State should have the right to lodge a complaint with a supervisory authority or exercise the right to a judicial remedy on behalf of data subjects , or to lodge, independently of a data subject’s complaint, an own complaint where it considers that a personal data breach has occurred.
(124) The general principles on the protection of individuals with regard to the processing of personal data should also be applicable to the employment context.
Therefore, in order to regulate the processing of employees’ personal data in the employment context , Member States should be able, within the limits of this Regulation , to adopt by law specific rules for the processing of personal data in the employment sector.
(d) by a natural person
without any gainful interest in the course of its own exclusively personal or household activity;
Comment: Some restrictions, some allowances. Overall leaning more towards a stricter law. Discuss this Rating
(1) ‘data subject’ means an identified
natural person or a natural person who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person ;
(8) ‘the data subject’s consent’ means any freely given specific, informed and explicit indication of his or her wishes by which the data subject
, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed;
Comment: Intention unclear. Discuss this Rating
child’ means any person below the age of 18 years;
(a) the data subject has given consent to the processing of their personal data for one
or more specific purposes;
3. The basis of the processing referred to in points (c) and (e) of paragraph 1 must be provided for in:
(b) the law of the Member State
to which the controller is subject.
2. If the data subject's consent is
to be given in the context of a written declaration which also concerns another matter, the requirement to give consent must be presented distinguishable in its appearance from this other matter.
1. For the purposes of this Regulation, in relation to the offering of information society services directly to a child, the processing of personal data of a child below the age of
13 years shall only be lawful if and to the extent that consent is given or authorised by the child's parent or custodian. The controller shall make reasonable efforts to obtain verifiable consent, taking into consideration available technology.
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the methods to obtain verifiable consent referred to in paragraph 1.
In doing so, the Commission shall consider specific measures for micro, small and medium- sized enterprises.
1. The processing of personal data, revealing race or ethnic origin, political opinions, religion or beliefs,
trade-union membership, and the processing of genetic data or data concerning health or sex life or criminal convictions or related security measures shall be prohibited.
(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller in the field of employment law
in so far as it is authorised by Union law or Member State law providing for adequate safeguards;
1. The controller shall have
transparent and easily accessible policies with regard to the processing of personal data and for the exercise of data subjects ‘ rights.
2. The controller shall inform the data subject without delay and, at the latest within one month of receipt of the request, whether or not any action has been taken pursuant to Article 13 and Articles 15 to 19 and shall provide the requested information. This period may be prolonged for a further month, if several data subjects exercise their rights and their cooperation is necessary to a reasonable extent to prevent an unnecessary and disproportionate effort on the part of the controller. The information shall be
given in writing . Where the data subject makes the request in electronic form, the information shall be provided in electronic form, unless otherwise requested by the data subject.
3. If the controller refuses to take action on the request of the data subject, the controller shall inform the data subject of the reasons for the refusal
and on the possibilities of lodging a complaint to the supervisory authority and seeking a judicial remedy.
4. The information and the actions taken on requests referred to in paragraph 1 shall be free of charge.
Where requests are manifestly excessive, in particular because of their repetitive character, the controller may charge a fee for providing the information or taking the action requested, or the controller may not take the action requested. In that case, the controller shall bear the burden of proving the manifestly excessive character of the request.
6. The Commission may lay down standard forms
and specifying standard procedures for the communication referred to in paragraph 2, including the electronic format. In doing so, the Commission shall take the appropriate measures for micro, small and medium-sized enterprises. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
(b) the purposes of the processing for which
the personal data are intended, including the contract terms and general conditions where the processing is based on point (b) of Article 6(1) and the legitimate interests pursued by the controller where the processing is based on point (f) of Article 6(1 );
(c) the period for which
the personal data will be stored;
(f) the recipients or categories of recipients of
the personal data;
3. Where the personal data are not collected from the data subject, the controller shall inform the data subject, in addition to the information referred to in paragraph 1, from which source
the personal data originate.
4. The controller shall provide the information referred to in paragraphs 1, 2 and 3
(b) the data are not collected from the data subject and the provision of such information proves impossible or would involve a disproportionate effort; or
(d) the data are not collected from the data subject and the provision of such information will impair the rights and freedoms of others
, as defined in Union law or Member State law in accordance with Article 21.
(a) the purposes of the processing
(d) the period for which
the personal data will be stored;
2. The data subject shall have the right to obtain from the controller
communication of the personal data undergoing processing . Where the data subject makes the request in electronic form, the information shall be provided in electronic form, unless otherwise requested by the data subject.
Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the communication to the data subject of the content of the personal data referred to in point (g) of paragraph 1.
Comment: Better compared to Art 12/4. Discuss this Rating
4. The Commission may specify standard forms
and procedures for requesting and granting access to the information referred to in paragraph 1, including for verification of the identity of the data subject and communicating the personal data to the data subject, taking into account the specific features and necessities of various sectors and data processing situations. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
2. Where the controller referred to in paragraph 1 has made the personal data public, it shall take all reasonable steps, including technical measures, in relation to data for the publication of which the controller is responsible, to inform third parties which are processing such data, that a data subject requests them to erase any links to, or copy or replication of that personal data. Where the controller has authorised a third party publication of personal data, the controller shall be considered responsible for that publication.
criteria and requirements for the application of paragraph 1 for specific sectors and in specific data processing situations;
(b) the conditions for
deleting links, copies or replications of personal data from publicly available communication services as referred to in paragraph 2;
1. The data subject shall have the right, where personal data are processed by electronic means
and in a structured and commonly used format, to obtain from the controller a copy of data undergoing processing in an electronic and structured format which is commonly used and allows for further use by the data subject.
1. The data subject shall have the right to object,
on grounds relating to their particular situation, at any time to the processing of personal data which is based on points (d), (e) and (f) of Article 6(1), unless the controller demonstrates compelling legitimate grounds for the processing which override the interests or fundamental rights and freedoms of the data subject.
1. Every natural person shall have the right not to be subject to a measure which produces legal effects concerning this natural person or
significantly affects this natural person, and which is based solely on automated processing intended to evaluate certain personal aspects relating to this natural person or to analyse or predict in particular the natural person's performance at work, economic situation, location, health, personal preferences, reliability or behaviour.
(c) is based on the data subject's consent, subject to the conditions laid down in Article 7 and to suitable safeguards.
3. Automated processing of personal data intended to evaluate certain personal aspects relating to a natural person shall not be based
solely on the special categories of personal data referred to in Article 9.
4. In the cases referred to in paragraph 2, the information to be provided by the controller under Article 14 shall include information as to the existence of
processing for a measure of the kind referred to in paragraph 1 and the envisaged effects of such processing on the data subject.
or Member State law may restrict by way of a legislative measure the scope of the obligations and rights provided for in points (a) to (e) of Article 5 and Articles 11 to 20 and Article 32, when such a restriction constitutes a necessary and proportionate measure in a democratic society to safeguard:
(b) an enterprise employing fewer than
250 persons; or
(b) an enterprise or an organisation employing fewer than
250 persons that is processing personal data only as an activity ancillary to its main activities.
3. The communication of a personal data breach to the data subject
shall not be required if the controller demonstrates to the satisfaction of the supervisory authority that it has implemented appropriate technological protection measures, and that those measures were applied to the data concerned by the personal data breach. Such technological protection measures shall render the data unintelligible to any person who is not authorised to access it.
1. The controller and the processor shall designate
a data protection officer in any case where:
(b) the processing is carried out by an enterprise employing
250 persons or more;
2. In the case referred to in point (b) of paragraph 1, a group of undertakings may appoint a
single data protection officer .
5. The controller or processor shall
designate the data protection officer on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and ability to fulfil the tasks referred to in Article 37. The necessary level of expert knowledge shall be determined in particular according to the data processing carried out and the protection required for the personal data processed by the controller or the processor.
7. The controller or the processor shall
designate a data protection officer for a period of at least two years. The data protection officer may be reappointed for further terms. During their term of office, the data protection officer may only be dismissed, if the data protection officer no longer fulfils the conditions required for the performance of their duties.
8. The data protection officer may be employed by the controller or processor
, or fulfil his or her tasks on the basis of a service contract.
2. The controller or processor shall ensure that the data protection officer performs the duties and tasks independently and does not receive any instructions as regards the exercise of the function. The data protection officer shall directly report to the management of the controller or the processor
3. The controller or the processor shall support the data protection officer in performing the tasks and shall provide staff, premises, equipment
and any other resources necessary to carry out the duties and tasks referred to in Article 37.
Member States and the Commission shall encourage, in particular at European level, the establishment of data protection certification mechanisms and of data protection seals and marks, allowing data subjects to quickly assess the level of data protection provided by controllers and processors . The data protection certifications mechanisms shall contribute to the proper application of this Regulation, taking account of the specific features of the various sectors and different processing operations. 2. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the data protection certification mechanisms referred to in paragraph 1, including conditions for granting and withdrawal, and requirements for recognition within the Union and in third countries. 3. The Commission may lay down technical standards for certification mechanisms and data protection seals and marks and mechanisms to promote and recognize certification mechanisms and data protection seals and marks. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2).
1. Where the Commission has taken no decision pursuant to Article 41, a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has adduced appropriate safeguards with respect to the protection of personal data in a legally binding instrument.
5. Each Member State shall ensure that the supervisory authority is provided with the adequate human, technical and financial resources, premises and infrastructure necessary for the effective performance of its duties and powers, including those to be carried out in the context of mutual assistance, co-operation and participation in the European Data Protection Board.
(b) access to any of its premises, including to any data processing equipment and means
, where there are reasonable grounds for presuming that an activity in violation of this Regulation is being carried out there.
2. Any body, organisation or association which aims to protect data subjects’ rights and interests concerning the protection of their personal data and has been properly constituted according to the law of a Member State
shall have the right to lodge a complaint with a supervisory authority in any Member State on behalf of one or more data subjects if it considers that a data subject’s rights under this Regulation have been infringed as a result of the processing of personal data.
1. Any person who has suffered damage as a result of an unlawful processing operation or of an action incompatible with this Regulation shall have the right to receive compensation from the controller or the processor for the damage suffered.
4. The supervisory authority shall impose a fine up to 250 000 EUR, or in case of an enterprise up to
0,5 % of its annual worldwide turnover , to anyone who , intentionally or negligently : (a) does not provide the mechanisms for requests by data subjects or does not respond promptly or not in the required format to data subjects pursuant to Articles 12(1) and (2 ); (b) charges a fee for the information or for responses to the requests of data subjects in violation of Article 12(4).
5. The supervisory authority shall impose a fine up to 500 000 EUR, or in case of an enterprise up to
1 % of its annual worldwide turnover , to anyone who, intentionally or negligently : (a) does not provide the information, or does provide incomplete information, or does not provide the information in a sufficiently transparent manner, to the data subject pursuant to Article 11, Article 12(3) and Article 14; (b) does not provide access for the data subject or does not rectify personal data pursuant to Articles 15 and 16 or does not communicate the relevant information to a recipient pursuant to Article 13; (c) does not comply with the right to be forgotten or to erasure, or fails to put mechanisms in place to ensure that the time limits are observed or does not take all necessary steps to inform third parties that a data subjects requests to erase any links to, or copy or replication of the personal data pursuant Article 17; (d) does not provide a copy of the personal data in electronic format or hinders the data subject to transmit the personal data to another application in violation of Article 18; (e) does not or not sufficiently determine the respective responsibilities with co- controllers pursuant to Article 24; (f) does not or not sufficiently maintain the documentation pursuant to Article 28, Article 31(4), and Article 44(3); (g) does not comply, in cases where special categories of data are not involved, pursuant to Articles 80, 82 and 83 with rules in relation to freedom of expression or with rules on the processing in the employment context or with the conditions for processing for historical, statistical and scientific research purposes.
6. The supervisory authority shall impose a fine
up to 1 000 000 EUR or, in case of an enterprise up to 2 % of its annual worldwide turnover, to anyone who , intentionally or negligently : (a) processes personal data without any or sufficient legal basis for the processing or does not comply with the conditions for consent pursuant to Articles 6, 7 and 8; (b) processes special categories of data in violation of Articles 9 and 81; (c) does not comply with an objection or the requirement pursuant to Article 19; (d) does not comply with the conditions in relation to measures based on profiling pursuant to Article 20; (e) does not adopt internal policies or does not implement appropriate measures for ensuring and demonstrating compliance pursuant to Articles 22, 23 and 30; (f) does not designate a representative pursuant to Article 25; (g) processes or instructs the processing of personal data in violation of the obligations in relation to processing on behalf of a controller pursuant to Articles 26 and 27; (h) does not alert on or notify a personal data breach or does not timely or completely notify the data breach to the supervisory authority or to the data subject pursuant to Articles 31 and 32; (i) does not carry out a data protection impact assessment pursuant or processes personal data without prior authorisation or prior consultation of the supervisory authority pursuant to Articles 33 and 34; (j) does not designate a data protection officer or does not ensure the conditions for fulfilling the tasks pursuant to Articles 35, 36 and 37; (k) misuses a data protection seal or mark in the meaning of Article 39; (l) carries out or instructs a data transfer to a third country or an international organisation that is not allowed by an adequacy decision or by appropriate safeguards or by a derogation pursuant to Articles 40 to 44; (m) does not comply with an order or a temporary or definite ban on processing or the suspension of data flows by the supervisory authority pursuant to Article 53(1); (n) does not comply with the obligations to assist or respond or provide relevant information to, or access to premises by, the supervisory authority pursuant to Article 28(3), Article 29, Article 34(6) and Article 53(2); (o) does not comply with the rules for safeguarding professional secrecy pursuant to Article 84.
1. Member States shall provide for exemptions or derogations from the
provisions on the general principles in Chapter II, the rights of the data subject in Chapter III, on controller and processor in Chapter IV, on the transfer of personal data to third countries and international organisations in Chapter V, the independent supervisory authorities in Chapter VI and on co-operation and consistency in Chapter VII for the processing of personal data carried out solely for journalistic purposes or the purpose of artistic or literary expression in order to reconcile the right to the protection of personal data with the rules governing freedom of expression.