Spain EPP

Teresa Jiménez-Becerril Barrio

Country: Spain
Group: European People's Party (EPP)
Party: Partido Popular (PP)

Member of Civil Liberties, Justice and Home Affairs
Member of Women's Rights and Gender Equality
Substitute of Employment and Social Affairs

Overview Teresa Jiménez-Becerril Barrio

Amendments: 95
...stronger: 15
...weaker: 37
...neutral: 43

Amendments by Teresa Jiménez-Becerril Barrio

(c) by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the Treaty on European Union;
 
(ea) by competent authorities for the purposes of producing and disseminating the official statistics entrusted to them;
 
(eb) by competent authorities for the purposes of drawing up electoral rolls.
 
(8) ‘the data subject’s consent’ means any freely given specific, informed and explicit and informed indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed;
 
(13) ‘main establishment’ means both as regards the controller, the place of its establishment in the Union where the main decisions as to the purposes, conditions and means of the processing of personal data are taken; if no decisions as to the purposes, conditions and means of the processing of personal data are taken and as regards the processor, the place constituting its official seat in the Union, the main establishment if that is the place where the main processing activities in the context decisions of the activities of an establishment of a controller in the Union take place. As regards the processor, 'main establishment' means the place of its central administration in the Union;institution, enterprise, or group are taken, or the latter place, if different;
 
(19a) ‘official statistics’ means quantitative and qualitative, aggregated and representative information characterising a collective phenomenon in a considered population;
 
(19b) ‘electoral rolls’ means personal data, and data relating to the place of residence, of persons entitled to vote;
  Comment: Exceptions led to less protection.
(19c) ‘information society services’ means services provided at the recipient’s individual request, at a distance, and by electronic means, that is to say, the service is sent initially and received at its destination by means of electronic equipment for the processing, including digital compression, and storage of data and is transmitted, conveyed, and received entirely by wire, by radio, by optical means, or by any other electromagnetic means.
 
(c) adequate, relevant, and limited to the minimum necessary not excessive in relation to the purposes for which they are processed; they shall only be processed if, and as long as, the purposes could not be fulfilled by processing information that does not involve personal data;
 
(d) accurate and , where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
 
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the data will be processed solely for historical, statistical or scientific research purposes in accordance with the rules and conditions , without prejudice to the provisions of Article 83 and if a periodic review is carried out to assess the necessity to continue the storage;;
 
(f) processed under the responsibility and liability of the controller, who shall ensure and demonstrate for each processing operation the compliance with the provisions of this Regulation.
 
(f) processing is necessary for the purposes of the legitimate interests pursued by a controller, or by a third party to whom the data are to be communicated, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks.
 
The law Union law and the law of the Member State must meet an objective of public interest or must be necessary to protect the rights and freedoms of others, respect the essence of the right to the protection of personal data and be proportionate to the legitimate aim pursued.
 
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the conditions referred to in point (f) of paragraph 1 for various sectors and data processing situations, including as regards the processing of personal data related to a child.
 
1. The controller shall bear the burden of proof for the data subject's having been duly informed in advance or in time to give their consent to the processing of their personal data for specified purposes.
 
4. Consent shall not provide a legal basis for the processing, where there is a significant imbalance between the position of the data subject and the controller.
 
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the methods to obtain verifiable consent referred to in paragraph 1. In doing so, the Commission shall consider specific measures for micro, small and medium-sized enterprises.
 
4. The Commission may lay down standard forms for specific methods to obtain verifiable consent referred to in paragraph 1. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2).
 
(f) processing is necessary for the establishment, exercise or defence of legal claimsor administrative claims of any kind; o
 
(i) processing is necessary for historical, statistical or scientific research purposes or for preliminary official or administrative investigation to determine biological parentage, subject to the conditions and safeguards referred to in Article 83; o
 
(j) processing of data relating to criminal convictions or related security measures is carried out either under the control of official authority or when the processing is necessary for compliance with a legal or regulatory obligation to which a controller is subject, or for the performance of a task carried out for important public interest reasons, and in so far as authorised by Union law or Member State law providing for adequate safeguards. A complete register of criminal convictions , whether complete or not, shall be kept only under the control of official authority.
 
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria, conditions and appropriate safeguards for the processing of the special categories of personal data referred to in paragraph 1 and the exemptions laid down in paragraph 2.
 
1. The controller shall have transparent and easily accessible policies observe transparency and accessibility criteria with regard to the processing of personal data and for the exercise of data subjects' rights.’ rights. To that end it may disseminate those criteria by framing policies to be made known to all data subjects.
 
2. The controller shall provide any information and any communication relating to the processing of personal data to the data subject in an intelligible form, using clear and plain language, adapted to the data subject, in particular wherever possible. This last point shall be taken particularly into account for any information addressed specifically to a child.
 
1. The controller shall establish procedures for providing provide the information referred to in Article 14 and for the exercise of the rights of data subjects referred to in Article 13 and Articles 15 to 19. The controller shall provide in particular mechanisms for facilitating the request for the actions referred to in Article 13 and Articles 15 to 19. Where personal data are processed by automated means, the controller shall also provide means for requests to be made electronically.this is deemed appropriate, the above information as a whole may be presented in the form of policies and manuals of procedures to facilitate understanding and the use of such information.
 
a) the identity and the contact details of the controller and, if any, of the controller's representative and of the data protection officer;
 
(b) the purposes of the processing for which the personal data are intended, including the contract terms and general conditions where the processing is based on point (b) of Article 6(1) and the legitimate interests pursued by the controller where the processing is based on point (f) of Article 6(1);;
 
(c) (c) where possible, the period for which the personal data will be stored;
 
(e) the right to lodge a complaint to the supervisory authority and the contact details of the supervisory authority;;
 
(a) (a) in general at the time when the personal data are obtained from the data subject or as soon as possible where the above is not feasible, demands undue effort, or reduces the safeguards enjoyed by the data subject; or
 
7. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria for categories of recipients referred to in point (f) of paragraph 1, the requirements for the notice of potential access referred to in point (g) of paragraph 1, the criteria for the further information necessary referred to in point (h) of paragraph 1 for specific sectors and situations, and the conditions and appropriate safeguards for the exceptions laid down in point (b) of paragraph 5. In doing so, the Commission shall take the appropriate measures for micro, small and medium-sized- enterprises.
 
1. The data subject shall have the right to obtain from the controller at any time, on request, confirmation as to whether or not personal data relating to the data subject are being processed. If the controller is processing a large number of files relating to the data subject, it may ask the data subject to specify in the necessary detail, before the information is supplied, which file or files, or what particular fields of activity, are covered by the data subject’s request. Where such personal data are being processed, the controller shall provide the following information:
 
(h) the significance and envisaged consequences of such processing, at least in the case of measures referred to in Article 20.
 
2. The data subject shall have the right to obtain from the controller communication of the personal data undergoing processing. Where the data subject makes the request in electronic form, the information shall be provided in electronic form, unless otherwise requested by the data subject.
 
2. Where the controller referred to in paragraph 1 has made the explicitly or tacitly allowed third-party access to personal data public, it shall take all reasonable steps in proportion to its capacity, including technical measures, in relation to data for the publication of which the controller is responsible, to inform third parties which are processing such data, that a data subject requests them to erase any links to, or copy or replication of that personal data. Where the controller has authorised a third party publication of personal datawho has allowed access to personal data has disappeared, has ceased to exist or for other reasons cannot be contacted by the data subject, the controller shall be considered responsible for that publication.data subject shall have the right to obtain from third-party controllers the erasure of any links to, or copy or replication of the personal data.
 
(d) for compliance with a legal obligation to retain the personal data by Union or Member State law to which the controller is subject; Union law and Member State laws shall meet an objective of public interest, respect the essence of the right to the protection of personal data and be proportionate to the legitimate aim pursued;
 
In the cases referred to in points (a) to (d), the data subject may exercise the right to object to the establishment of links or creation of copies or replications of his personal data. The viability of this right shall be resolved in the light of all the circumstances involved in the case, whilst making efforts not to frustrate the specific basis for the retention of data.
 
9. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying: a) the criteria and requirements for the application of paragraph 1 for specific sectors and in specific data processing situations; b) the conditions for deleting links, copies or replications of personal data from publicly available communication services as referred to in paragraph 2; c) the criteria and conditions for restricting the processing of personal data referred to in paragraph 4.
 
1. The data subject shall have the right, where personal data are processed by electronic means and in a structured and commonly used format, to obtain from the controller a copy of data undergoing processing in an electronic and structured format which is commonly used and allows for further use by the data subject. Where the format requested by the data subject differs from the processing format, the controller may impose a charge for conversion at a level which may not exceed the cost of the service provided at market prices.
 
2. Where the data subject has provided the personal data and the processing is based on consent or on a contract, the data subject shall have the right to transmit those personal data and any other information provided by the data subject and retained by an automated processing system, into another one, in an electronic format which is commonly used, without hindrance from the controller from whom the personal data are withdrawn. The controller from whom the personal data are withdrawn shall delete those data, unless their continued processing is covered by another legal provision in force. Union and Member State laws may regulate cases where there is a legal obligation to store data, based on objectives of public interest proportionate to the aim pursued, and respecting the essence of the right to the protection of personal data.
 
3. Where an objection is upheld pursuant to paragraphs 1 and paragraph 1, the controller shall inform the data subject of the compelling legitimate grounds which apply in accordance with paragraph 1 or, if he does not do so, he shall no longer use or otherwise process the personal data concerned; where the objection is upheld pursuant to paragraph 2, the controller shall no longer use or otherwise process the personal data concerned.
 
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and conditions for suitable measures to safeguard the data subject's legitimate interests referred to in paragraph 2.
 
1. The controller shallmay adopt policies and implement appropriate measures to ensure and be able to demonstrate that the processing of personal data is performed in compliance with this Regulation.
 
2. The measures provided for in paragraph 1 shall in particular include:include, in the cases and in accordance with the rules set out in this chapter:
 
(e) designating a data protection officer pursuant to Article 35(1).), or the obligation and maintenance of certification in accordance with the certification policies defined by the Commission.
 
3. The controller shall implement mechanisms to ensure the verification of the effectiveness of the measures referred to in paragraphs 1 and 2. If proportionate, and a high level of risk exists, this verification shall be carried out by independent internal or external auditors.
 
4. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of specifying any further criteria and requirements for appropriate measures referred to in paragraph 1 other than those already referred to in paragraph 2, the conditions for the verification and auditing mechanisms referred to in paragraph 3 and as regards the criteria for proportionality under paragraph 3, and considering specific measures for micro, small and medium-sized-enterprises.
 
1. Having regard to the state of the art and the cost of implementation, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures and procedures appropriate to the activities and their purposes, in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
 
2. The controller shall implement mechanisms for ensuring that, by default, only those personal data are processed which are necessary not excessive for each specific purpose of the processing and are especially not collected or retained beyond the minimum necessary for in proportion to those purposes, both in terms of the amount of the data and the time of their storage. In particular, those mechanisms shall ensure that by default personal data are not made accessible to an indefinite number of individuals.
 
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of specifying any further criteria and requirements for appropriate measures and mechanisms referred to in paragraph 1 and 2, in particular for data protection by design requirements applicable across sectors, products and services.
 
4. The Commission may lay down technical standards for the requirements laid down in paragraph 1 and 2. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2).
 
Where a controller determines the purposes, conditions and means of the processing of personal data jointly with others, the joint controllers shall determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the procedures and mechanisms for exercising the rights of the data subject, by means of an arrangement between them. To ensure that data subjects may exercise their right to object to this arrangement, it must be documented and data subjects must have been notified in advance; otherwise, the above rights may be exercised in full in relation to any of the controllers, who shall be responsible for ensuring that the conditions laid down by law are fully complied with.
 
(b) an enterprise employing fewer than 250 persons, unless the processing carried out by that enterprise is considered high risk by the supervisory authorities, taking account of its characteristics, the type of data or the number of people affected; o
 
2. The carrying out of processing by a processor shall be governed by a contract or other legal act binding the processor to the controller , which shall be documented in a form of which a record can be kept, and stipulating in particular that the processor shall:
 
3. The controller and the processor shall document in writing the controller's instructions and the processor's obligations referred to in paragraph 2.
 
4. If a processor processes personal data other than as instructed by the controller, the processor shall be considered to be a controller in respect of that processing and shall be subject to the rules on joint controllers laid down in Article 24.; without prejudice to the responsibility which the controller may have occurred in relation to compliance with their obligations.
 
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the responsibilities, duties and tasks in relation to a processor in line with paragraph 1, and conditions which allow facilitating the processing of personal data within a group of undertakings, in particular for the purposes of control and reporting.
 
4. The Commission may specify the format and procedures for the exchange of information by electronic means between controllers, processors and supervisory authorities for binding corporate rules within the meaning of this Article. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2).
 
(e) the transfer is necessary for the establishment, exercise or defence of legal claims; oor administrative claims;
 
6. The controller or processor shall document the assessment as well as the appropriate safeguards adduced referred to in point (h) of paragraph 1 of this Article in the documentation referred to in Article 28 and , and where appropriate in accordance with that rule, and shall inform the supervisory authority of the transfer.
 
7. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying 'important grounds of public interest' within the meaning of point (d) of paragraph 1 as well as the criteria and requirements for appropriate safeguards referred to in point (h) of paragraph 1.
 
2. For the purposes of paragraph 1, the Commission shall take appropriate steps to advance the relationship with third countries or international organisations, and in particular their supervisory authorities, where the Commission has decided that they ensure an adequate level of protection within the meaning of Article 41(3).(a) and (b), the supervisory authorities shall be able to exchange information and cooperate in activities related to the exercise of their powers and defence of the rights regulated in this Regulation.
  Comment: Different Approach.
Article 45a Cooperation may take place provided that: (a) the competent authorities of third countries have competence for the protection of personal data in the context of matters of which they possess knowledge in accordance with existing legislation; (b) working arrangements based on reciprocity have been agreed between the competent authorities concerned; (c) the transfer of personal data to the third country is in accordance with Chapter V of this Directive.
 
Article 45b The working arrangements referred to in paragraph 3(b) shall ensure that: (a) justification as to the purpose of the request for cooperation is provided by the competent authorities; (b) the persons employed or formerly employed by the competent authorities of the third country that receive the information are subject to obligations of professional secrecy; (c) the competent authorities of the third country may use the results of cooperation only for the exercise of functions relating to the protection of personal data; (d) in the event of the competent authority of the third country intending to transfer the information received by means of cooperation to a third party, prior, specific and written consent must be obtained from the authority which provided the information, unless such transfer is required by national law or ordered by a court of law and constitutes a necessary measure to safeguard relevant public interests relating to: (i) the prevention, investigation or prosecution of criminal offences; (ii) the monitoring, inspection or regulation connected, even occasionally, with the exercise of official authority within the scope of the agreement. In such cases, prior notice shall be given to the authority that provided the information; (e) the appropriate technical and organisational security measures are adopted to protect personal data against accidental or unlawful destruction, accidental loss, alteration, unauthorised disclosure or access, and against all other unlawful forms of processing personal data; (f) the request for cooperation from the competent authority of the third country should be refused: (i) where it would adversely affect the sovereignty, security or public order of the Community or of the requested Member State, or (ii) where judicial proceedings have already been initiated in respect of the same actions and against the same persons before the authorities of the requested Member State.
  Comment: Intention unclear.
Article 45c Member States shall communicate to the Commission the working arrangements referred to in paragraphs 3 and 4.
 
Article 45d For the purposes of paragraph 1, the Commission shall take appropriate steps to advance the relationship with third countries or international organisations, and in particular their supervisory authorities, where the Commission has decided that they ensure an adequate level of protection within the meaning of Article 41(3).
 
1. The supervisory authorityauthorities shall act with complete independence in exercising the duties and powers entrusted to it.them.
 
2. The members of the supervisory authorityauthorities shall, in the performance of their duties, neither seek nor take instructions from anybody.
 
3. Members of the supervisory authorityauthorities shall refrain from any action incompatible with their duties and shall not, during their term of office, engage in any incompatible occupation, whether gainful or not.
 
4. Members of the supervisory authorityauthorities shall behave, after their term of office, with integrity and discretion as regards the acceptance of appointments and benefits.
 
5. Each Member State shall , in line with its internal distribution of competencies, ensure that the supervisory authority isauthorities are provided with the adequate human, technical and financial resources, premises and infrastructure necessary for the effective performance of its duties and powers, including those to be carried out in the context of mutual assistance, co- operation and participation in the European Data Protection Board.
  Comment: Intention unclear.
6. Each Member State shall , in line with its internal distribution of competencies, ensure that the supervisory authority has itsauthorities have their own staff which shall be appointed by and be subject to the direction of the head of the supervisory authority.
  Comment: Intention unclear.
7. Member States shall , in line with their internal distribution of competencies, ensure that the supervisory authority isauthorities are subject to financial control which shall not affect itstheir independence. Member States shall , in line with their internal distribution of competencies, ensure that the supervisory authority hasauthorities have separate annual budgets. The budgets shall be made public.
  Comment: Intention unclear.
1. Member States shall provide that the members of the supervisory authority or authorities must be appointed either by the parliamentparliaments or the government bodies of the Member State concerned.
 
3. The duties of a member shall end in the event of the expiry of the term of office, resignation or compulsory retirement in accordance with paragraph 5. or in the event of incapacity to hold office, incompatibility, resignation, dismissal, final conviction of an intentional crime or compulsory retirement.
 
4. A member may be dismissed or deprived of the right to a pension or other benefits in its stead his appointment terminated by the competent national courtbody which appointed him, if the member no longer fulfils the conditions required for the performance of the duties or is guilty of serious misconduct.failure to discharge the obligations relating to his office.
  Comment: Two sided. Less reasons to dismiss lead to more independence, but the appointing bodies are more political than courts.
(a) the establishment and status of the supervisory authority; or authorities;
 
(b) the qualifications, experience and skills required to perform the duties of the members of the supervisory authority;authorities;
 
(c) the rules and procedures for the appointment of the members of the supervisory authorityauthorities, as well as the rules on actions or occupations incompatible with the duties of the office;
 
(d) the duration of the term of the members of the supervisory authorityauthorities which shall be no less than four years, except for the first appointment after entry into force of this Regulation, part of which may take place for a shorter period where this is necessary to protect the independence of the supervisory authorityauthorities by means of a staggered appointment procedure;
 
(e) whether the members of the supervisory authorityauthorities shall be eligible for reappointment;
 
(f) the regulations and common conditions governing the duties of the members and staff of the supervisory authority;authorities;
 
The members and the staff of the supervisory authorityauthorities shall be subject, both during and after their term of office, to a duty of professional secrecy with regard to any confidential information which has come to their knowledge in the course of the performance of their official duties.
 
2. Where the processing of personal data takes place in the context of the activities of an establishment of a controller or a processor in the Union, and the controller or processor is established in more than one Member State, the supervisory authority of the main establishment of the controller or processor shall be competent for the supervision of the processing activities of the controller or the processor in all Member States, except with regard to decisions in response to the complaints referred to in Article 73, in which case it shall coordinate the actions of the supervisory authorities concerned, without prejudice to the provisions of Chapter VII of this Regulation.
  Comment: Intention unclear.
(d) conduct investigations either on its own initiative or , on the basis of a complaint or , on request of another supervisory authority or following a police complaint, and inform the data subject concerned, if the data subject has addressed a complaint to this supervisory authority, of the outcome of the investigations within a reasonable period;
 
(ja) coordinate certification policies in the territory for which it is responsible, in accordance with the provisions of Article 39.
 
(ja) to carry out audits or draw up audit plans on personal data protection
 
Each supervisory authority must draw up an annual report on its activities. The report shall be presented to the nationalrespective parliament and /or to the other authorities stipulated in the relevant national legislation and shall be made be available to the public, the Commission and the European Data Protection Board.
 
2. Each supervisory authority shall take all appropriate measures required to reply to the request of another supervisory authority without delay and no later than one month15 days after having received the request. Such measures may include, in particular, the transmission of relevant information on the course of an investigation or enforcement measures to bring about the cessation or prohibition of processing operations contrary to this Regulation.
 
8. Where a supervisory authority does not act within one month15 days on request of another supervisory authority, the requesting supervisory authorities shall be competent to take a provisional measure on the territory of its Member State in accordance with Article 51(1) and shall submit the matter to the European Data Protection Board in accordance with the procedure referred to in Article 57.
 
5. Where a supervisory authority does not comply within one month15 days with the obligation laid down in paragraph 2, the other supervisory authorities shall be competent to take a provisional measure on the territory of its Member State in accordance with Article 51(1).
 
7. The European Data Protection Board shall issue an opinion on the matter, if the European Data Protection Board so decides by simple majority of its members or any supervisory authority or the Commission so requests within one week after the relevant information has been provided according to paragraph 5. The opinion shall be adopted within one month by simple majority of the members of the European Data Protection Board. The chair of the European Data Protection Board shall inform, without undue delay, the supervisory authority referred to, as the case may be, in paragraphs 1 and 3, the Commission and the supervisory authority competent under Article 51 of the opinion and make it public.
 
1. Within ten weeks after a matter has been raised under Article 58, or at the latest within six weeks in the case of Article 61, the Commission may adopt, in order to ensure correct and consistent application of this Regulation, an opinion in relation to matters raised pursuant to Articles 58 or 61.
 
2. Where the Commission has adopted an opinion in accordance with paragraph 1, the supervisory authority concerned shall take utmost account of the Commission’s opinion and inform the Commission and the European Data Protection Board whether it intends to maintain or amend its draft measure.