Austria S&D

Evelyn Regner

Country: Austria
Group: Progressive Alliance of Socialists and Democrats (S&D)
Party: Sozialdemokratische Partei Österreichs (SPÖ)

Vice-Chair of Legal Affairs
Substitute of Constitutional Affairs
Substitute of Employment and Social Affairs

Overview Evelyn Regner

Amendments: 18
...stronger: 15
...weaker: 2
...neutral: 1

Amendments by Evelyn Regner

(29a) Workers’ personal data, especially sensitive data such as political orientation and membership of and activities in trade unions, must be protected in accordance with Articles 8, 12 and 28 of the Charter of Fundamental Rights of the European Union and Articles 8 and 11 of the European Convention on Human Rights, and may under no circumstances be used to put workers on so-called ‘blacklists’ to be passed on to other enterprises with the aim of discriminating against particular workers.
 
(34) Consent should not provide a valid legal ground for the processing of personal data, where there is a clear imbalance between the data subject and the controller. This is especially the case where the data subject is in a situation of dependence from the controller, among others, where personal data are processed by the employer of employees' personal data in the employment context. Where the controller is a public authority, there would be is an imbalance only in the specific data processing operations where the public authority can impose an obligation by virtue of its relevant public powers and the consent cannot be deemed as freely given, taking into account the interest of the data subject.
 
(75) Where the processing is carried out in the public sector or where, in the private sector, processing is carried out by a large enterprisean enterprise which has at least 50 staff or which processes the data of at least 250 data subjects, or where its core activities, regardless of the size of the enterprise, involve processing operations which require regular and systematic monitoring, a person should assist the controller or processor to monitor internal compliance with this Regulation. Such data protection officers, whether or not an employee of the controller, should be in a position to perform their duties and tasks independently. In order to ensure the independence of data protection officers, they should enjoy special protection against dismissal and discrimination in the performance of their duties, which should be comparable with national provisions on the protection of employees’ representatives. They should be appointed only with the consent of the representatives of the business's employees. In addition, data protection officers should have opportunities for further training and in-service training at the expense of the controller or of the contracted processor.
 
(76) Associations or other bodies representing categories of controllers should be encouraged , with the consent of the representatives of the business's employees, to draw up codes of conduct, within the limits of this Regulation, so as to facilitate the effective application of this Regulation, taking account of the specific characteristics of the processing carried out in certain sectors.
 
(124) The general principles on the protection of individuals with regard to the processing of personal data should also be applicable to the employment context. Therefore, in order Member States should be able to regulate the processing of employees’ personal data in the employment context, Member States should be able, within the limits of in accordance with the rules and minimum standards set out in this Regulation, to adopt by law specific rules . Where a statutory basis is provided in the Member State in question for the regulation of employment matters by agreement between employee representatives and the management of the undertaking or the controlling undertaking of a group of undertakings (collective agreement) or under Directive 2009/38/EC of the European Parliament and of the Council of 6 May 2009 on the establishment of a European Works Council or a procedure in Community- scale undertakings and Community-scale groups of undertakings for the purposes of informing and consulting employees, the processing of personal data in the employment sector.an employment context should also be regulated by such an agreement, if the rules and minimum standards set out in this Regulation are not undercut.
 
(b) the law of the Member State , including collective employment agreements, to which the controller is subject.
 
1. The processing of personal data, revealing race or ethnic origin, political opinions, religion or beliefs, trade-union membershipmembership of or activity in a trade union, and the processing of genetic data or data concerning health or sex life or criminal convictions or related security measures shall be prohibited.
 
(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller in the field of employment law , including collective wage agreements, in so far as it is authorised by Union law or Member State law providing for adequate safeguards;
 
2a. In the employment sphere, the processing or use of data for the purposes of the permanent surveillance or profiling of employees, the drawing-up and dissemination of black lists of employees, the monitoring of performance or conduct or the preparation of a dismissal on grounds of illness shall be prohibited; job applicants’ data shall enjoy the same protection.
 
(b) an enterprise employing fewer than 250 persons50 persons or processing the data of fewer than 250 data subjects; or
 
(b) an enterprise or an organisation employing fewer than 25050 persons that is processing personal data relating to fewer than 250 data subjects only as an activity ancillary to its main activities.
 
2. The controller or processor shall ensure that the data protection officer performs the duties and tasks independently and does not receive any instructions as regards the exercise of the function. The data protection officer shall directly report to the management of the controller or the processor. and to the representatives of the business's employees.
 
3. The controller or the processor shall support the data protection officer in performing the tasks and shall provide staff, premises, equipment , training and any other resources necessary to carry out the duties and tasks referred to in Article 37.
 
(ha) to inform and consult the representatives of the business's employees about employee data.
 
(ba) have been drawn up after consent has been given by the representatives of the firm’s employees and the data protection officer at the place where the branch of the firm is located;
 
2. Any body, organisation or association which aims to protect data subjects’ rights and interests concerning the protection of their personal data and has been properly constituted according to the law of a Member State , in particular employees’ representatives, shall have the right to lodge a complaint with a supervisory authority in any Member State on behalf of one or more data subjects if it considers that a data subject’s rights under this Regulation have been infringed as a result of the processing of personal data.
 
2a. Member States shall lay down rules on penalties that are effective and dissuasive in preventing any abuse of the fundamental right to the protection of personal data as enshrined in the Charter of Fundamental Rights, including legal provisions outlawing as a criminal offence the use of personal data to blacklist workers, vet them or bar them from future employment.
 
2b. Member States shall ensure that persons or companies found to be taking part in blacklisting will be excluded from receiving EU grants and funding and from taking part in calls for tender for other public procurement contracts at EU, national or public authority level until all legal proceedings are proven to be completed, all compensation has been paid in full to any victims and there is reliable proof that this criminal culture has been removed from the organisation.