Poland S&D

Lidia Joanna Geringer de Oedenberg

Country: Poland
Group: Progressive Alliance of Socialists and Democrats (S&D)
Party: Sojusz Lewicy Demokratycznej (SLD)

Member of Legal Affairs
Member of Petitions
Substitute of Budgets

Overview Lidia Joanna Geringer de Oedenberg

Amendments: 17
...stronger: 3
...weaker: 11
...neutral: 3

Amendments by Lidia Joanna Geringer de Oedenberg

(67) A personal data breach may, if not addressed in an adequate and timely manner, result in substantial economic loss and social harm, including identity fraud, to the individual concerned. Therefore, as soon as the controller becomes aware that such of a breach has occurred adversely affecting the personal data or privacy of a data subject, the controller should notify the that breach to the supervisory authority without undue delay and, where feasible, within 24 72 hours. Where this cannot achieved within 24 such notification is not possible within 72 hours, an explanation of the reasons for the delay should accompany the notification. The individuals whose personal data could be adversely affected by the breach similar breaches should be notified thereof without undue delay in order to allow them for them to be able to take the necessary precautions. A breach should be considered as adversely affecting the personal data or privacy of a data subject where it could result in, for example, identity theft or fraud, physical harm, significant humiliation or damage to reputation. The notification should describe the nature of the personal data breach as well as recommendations as well as recommendations for the individual concerned to mitigate potential adverse effects. Notifications to data subjects should be made as soon as reasonably feasible, and in close cooperation with the supervisory authority and respecting guidance provided by it or other relevant authorities (e.g. law enforcement authorities). For example, the chance possibility for data subjects to mitigate an immediate risk of harm would call for a prompt notification of data subjects whereas the need to implement appropriate measures against continuing or similar data breaches may be an argument to justify a longer delay.
 
(1) ‘data subject’ means an identified natural person or a or identifiable natural person who can be identified, directly or indirectly, by technically available means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person; where the use of such means does not entail excessive costs, is not overly time-consuming and does not require complex actions to be taken;
 
(8) ‘the data subject’s consent’ means any freely given specific, informed and explicit and informed indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed;. The permission of the data subject may also be sought electronically, particularly in the context of information society services;
 
(f) processing is necessary for the purposes of the legitimate interests pursued by a controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, personal data require particular safeguarding by virtue of the overriding interests of protecting data subjects in connection with their fundamental rights and freedoms. This shall apply in particular where the data subject is a child. This It shall not apply to processing carried out by public authorities in the performance of their tasks. Exemption from the scope of this provision may also be based on one or more of the other grounds set out in this paragraph.
 
(ba) In the case referred to in paragraph 1(f), the data controller should clearly and separately notify the data subject of such processing. Upon an express request from the data subject, the data controller should also justify the reasons why he decided that the legitimate interest pursued outweighs the overriding interest of protecting the data subject's fundamental rights and freedoms.
 
2. If the data subject's consent is to be given in the context of a written declaration which also concerns another matter, the requirement to give consent must be presented distinguishable in its appearance from this other matter. The permission of the data subject may be sought electronically, particularly in the context of information society services.
 
(c) the data subject objects has effectively objected to the processing of personal data pursuant to Article 19;
 
(da) there is no legal basis for the processing of the data other than the consent of the data subject.
  Comment: Intention unclear.
2. Where the controller referred to in paragraph 1 has made the personal data public, it shall take all reasonable steps, including technical measures, in relation to data for the publication of which the controller is responsible, to inform third parties which are processing such data, . Third parties shall be considered to be subjects who, at the time the request is submitted, the controller is reasonably likely to be able identify and inform that a data subject requests them to erase any links to, or copy or replication of that personal data. Where the controller has authorised a third party publication of personal data, the controller shall be considered responsible for that publication.
 
2a. The obligation to inform referred to in paragraph 2 should be considered to have been exercised as soon as the controller has informed the third parties which he has identified of a request for the erasure of the data of the relevant subject in a form corresponding to the original publication of that data, or in some other form ensuring the effective receipt of such information.
 
1. Every natural person shall have the right not to be subject to a measure which produces legal effects concerning this natural person or significantly adversely affects this natural person, and which is based solely on automated processing intended to evaluate certain personal aspects relating to this natural person or to analyse or predict in particular the natural person's performance at work, economic situation, location, health, personal preferences, reliability or behaviour.
 
(b) is expressly authorized by a Union or Member State law which also lays down suitable measures to safeguard the data subject's legitimate interests; or
 
1. Having regard to the state of the art latest technological developments, the cost of their implementation and the cost of implementation current state of the art, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
 
Cases in which it is highly probable that a breach of personal data protection will have a negative impact on the data subject’s privacy shall be deemed serious breaches.
 
4a. The supervisory authority should maintain a publicly accessible register of identified and closed serious breaches.
 
4b. Notification of a breach of personal data protection shall, exceptionally, not be required where the controller has, without delay, implemented appropriate technological measures to safeguard the personal data concerned by the breach, and where such measures ensure that the at-risk data are rendered unintelligible to any person not authorised to access them,
 
1. Each 1. The competent supervisory authority in accordance with Article 51 shall be empowered to impose administrative sanctions in accordance with this Article.