Austria NI

Ewald Stadler

Country: Austria
Group: Non-Inscrits (NI)
Party: Bündnis Zukunft Österreich (BZÖ)

Member of Agriculture and Rural Development
Substitute of Environment, Public Health and Food Safety

Overview Ewald Stadler

Amendments: 46
...stronger: 6
...weaker: 24
...neutral: 16

Amendments by Ewald Stadler

3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where the national law of a Member State applies by virtue of public international law. This shall be without prejudice to national provisions to which the controller is subject.
 
(1) 'data subject' means an identified natural person or a natural person who can be unequivocally identified, directly or indirectly, by means reasonably likely to be used by available to the controller or by any other natural or legal person, in particular by reference to an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person;
 
(3) 'processing' means any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, erasure, blocking or destruction;
 
(10) ‘genetic data’ means all data, of whatever type, concerning the characteristics of an individual which aredata obtained by means of genetic testing or genetic analysis performed in connection with genetic testing regarding genetic characteristics. Genetic characteristics are hereditary information of human origin which is inherited or acquired during early prenatal development,conception or up until birth;
  Comment: Intention unclear.
(11) 'biometric data' means any data relating to the physical, physiological or behavioural characteristics of an individual which allow their unique identification, such as facial images, or dactyloscopic data, but not signatures;
 
(19a) ‘anonymising’ means altering personal data in such a manner that all the information relating to a data subject becomes impossible to connect with a particular or identifiable natural person or can only be so connected by means of a disproportionate effort in terms of time, cost and labour;
 
(19b) ‘pseudonymising’ means replacing the name and other identifying features with a mark for the purpose of preventing or seriously impeding the identification of the data subject;
 
(19c) ‘third party’ means a natural or legal person, authority, institution or any other entity, with the exception of the data subject, the controller, the processor and persons who are authorised to process the data under the direct responsibility of the controller or of the processor;
 
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject;
 
(c) adequate, relevant, and limited to the minimum necessary in relation to the purposes for which they are processed; they shall only be processed if, and as long as, the purposes could not be fulfilled by processing information that does not involve personal data;
 
(d) accurate and, if necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or, if this is not possible, blocked or rectified without delay;
 
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods if statutory retention rules so require or insofar as the data will be processed solely for historical, statistical or scientific research purposes in accordance with the rules and conditions of Article 83 and if a periodic review is carried out to assess the necessity to continue the storage;
 
(f) processed under the responsibility and liability of the controller, who shall ensure and demonstrate for each processing operation the compliance with the provisions of this Regulation.
 
(fa) personal data shall only be processed if, and as long as, the purposes could not be fulfilled by processing information that does not involve personal data, for example pseudonymised or anonymised data;
 
(c) processing is necessary for compliance with a legal obligation(c) a law or other legal provision to which the controller is subject; requires or allows processing;
 
(f) processing is necessary for the purposes of the legitimate interests pursued by a controller or an entitled third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks.
 
4. Where the purpose of further processing is not compatible with the one for which the personal data have been collected, the processing must have a legal basis at least in one of the grounds referred to in points (a) to (ef) of paragraph 1. This shall in particular apply to any change of terms and general conditions of a contract.
 
3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. In accordance with the principle of good faith, withdrawal of consent shall not be permitted when the consent is required for the completion of a contract.
 
4. Consent shall not provide a legal basis for the processing, where there is a significant imbalance between the position of the data subject and the controller. In this connection the interests of the data subjects shall be taken into account.
  Comment: Intention unclear.
(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other non-profit-seeking body with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the data are not disclosed outside that bodyto third parties without the consent of the data subjects;
 
(h) processing of data concerning health is necessary for health purposes and subject to the conditions and safeguards referred to in Article 81; for the purposes referred to there or for the completion of contracts related thereto;
 
(ja) For the purposes of conformity with compliance rules, persons subject to such rules shall be entitled to process data to the extent necessary for the implementation of the compliance rules.
 
Processing not allowing identificationProcedure for automated processing
  Comment: See AM1099
If the data processed by a controller do not permit the controller to identify a natural person, the controller shall not be obliged to acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation.
  Comment: See AM1099
If the data processed by a controller do not permit the controller to identify a natural person, the controller shall not be obliged to acquire additional information in order to identify 1. The establishment of a common procedure for automated processing by several data controllers shall be permissible provided that this procedure is appropriate taking into account the legitimate interests of the data subjects and the duties or business purposes of the participating data controllers and each of these data controllers at least has full control over the processing of the data he or she has collected. Several data controllers may also have full control over all data in a joint automated processing procedure. 2. The data controllers shall ensure that the lawfulness of the joint procedure can be monitored. To that end they shall specify in writing: (a) the reason and purpose for the joint automated data processing procedure; (b) all participating data controllers and their purposes; (c) third parties to whom data is transmitted; (d) type of data; (e) the technical and organisational measures and procedures required. 3. The data subject of a data processing procedure may assert his or her rights vis-à-vis each data controller. If that data controller does not have full control over the data, he or she shall be required to pass on the request of the data subject to the controller who collected the data subject for the sole purpose of complying with any provision . The data subject shall be informed about the transmission of his or her request to the data controller. The data subject’s right to be informed shall extend to all data controllers and all purposes of the joint data processing procedure. 4. The data controllers shall be jointly and severally liable for the compliance of the whole automated data processing procedure with the data protection requirements of this Regulation.regulation.
  Comment: Concept is not related to Article 10. Impact unclear.
3. The Commission shall be empowered to adopt delegated acts 3. Paragraphs 1 and 2 shall not apply where: (a) the data are stored only because they cannot be deleted on account of statutory, statutes-based or contractual periods for which they are required to be kept; (b) the data serve solely to provide a data backup or to monitor data protection, and providing information would involve a disproportionate effort; (c) the data must be kept secret in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the communication to legislation or by virtue of their nature, particularly because of the overriding legal interest of a third party; (d) the data storage is necessary solely for purposes of academic or scientific research and providing information would involve a disproportionate effort; (e) the data subject have been derived from generally accessible sources and notification would be disproportionate on account of the content of the personal data referred to in point (g) of paragraph 1.large number of cases concerned; (f) notification would seriously jeopardise the commercial objectives or other fundamental rights and freedoms of the controller, unless the interest in notification outweighs the risk.
 
4. The Commission may specify standard forms and procedures for requesting and granting access to the information referred to in paragraph 1, including for verification of the identity of the data subject and communicating the personal data to the data subject, taking into account the specific features and necessities of various sectors and data processing situations. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
 
4. Instead of erasure, the controller shall restrict processing of block personal data where:
 
(da) for technical reasons, erasure would be impossible or would involve disproportionate efforts.
 
9. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying: (a) the criteria and requirements for the application of paragraph 1 for specific sectors and in specific data processing situations; (b) the conditions for deleting links, copies or replications of personal data from publicly available communication services as referred to in paragraph 2; (c) the criteria and conditions for restricting the processing of personal data referred to in paragraph 4.
 
(c) the criteria and conditions for restricting the processing of blocking personal data referred to in paragraph 4.
 
1. Every natural person shall have the right not to be subject to a measure which produces legal effects concerning this natural person or significantly affects places this natural person at a legal disadvantage, and which is based solely on automated processing intended to evaluate certain personal aspects relating to this natural person or to analyse or predict in particular the natural person's performance at work, economic situation, location, health, personal preferences, reliability or behaviour.
 
1. The controller shall adopt policies and implement appropriate measures to ensure and be able to demonstrate that the processing of personal data is performed in compliance with this Regulation.
 
1. Having regard to the risk, the type of data requiring protection, the state of the art and the cost of implementation, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
 
1. Where a processing operation is to be carried out on behalf of a controller, the controller shall choose a processor providing sufficient guarantees to implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject, in particular in respect of the technical security measures and organizational measures governing the processing to be carried out and shall ensure compliance with ; the controller shall also ensure that those measures. have been complied with.
 
(f) assist the controller in ensuring compliance with the obligations pursuant to Articles 30 to 34; (f) Does not affect English text. The German original corrects ‘den Auftragsverarbeiter’ (the processor) to ‘den für die Verarbeitung Verantwortlichen’ (the data controller).
 
(g) hand over (g) return all results to the controller after the end of the processing and not process the personal data otherwise;erase stored data;
 
4. If a processor processes personal data other than as instructed by the controller, the processor shall be considered to be a controller in respect of that processing and shall be subject to the rules on joint controllers laid down in Article 24.
 
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the responsibilities, duties and tasks in relation to a processor in line with paragraph 1, and conditions which allow facilitating the processing of personal data within a group of undertakings, in particular for the purposes of control and reporting.
 
1. Each controller and processor and, if any, the controller's representative, shall maintain documentation of all processing operations under its responsibility.
 
(b) the processing is carried out by an enterprise employing 25050 persons or more;
 
(c) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects.for transfer, anonymised transfer, market research or opinion polling purposes.
  Comment: Intention unclear.
2. The controller or processor shall ensure that the data protection officer performs the duties and tasks independently and does not receive any instructions as regards the exercise of the function. The data protection officer shall directly report to the management of the controller or the processor. Does not affect English version. German original replaces ‘Leitung’ with ‘Geschäftsführung’, both meaning ‘management’.
 
(ha) if an appropriate level of data protection pursuant to Article 41 or 42 does not exist, transfer or a category of transfer of personal data to a third country or to an international organisation or authority is permissible only if the transfer takes place to comply with a statutory obligation or authorisation, a requirement pertaining to supervision or another legislative provision to which the controller is subject.
 
4. The supervisory authority shall impose a fine up to 250.500 000 EUR or, in case of an enterprise up to 0,5 % of its annual worldwide turnover, to anyone who, intentionally or negligently:
  Comment: Two sided.
6. The supervisory authority shall impose a fine up to 1.000.000 EUR or, in case of a breach with intent to make a profit by an enterprise, up to 2 % of its annual worldwide turnover, to anyone who, intentionally or negligently: