Spain S&D

Carmen Romero López

Country: Spain
Group: Progressive Alliance of Socialists and Democrats (S&D)
Party: Partido Socialista Obrero Español (PSOE)

Member of Civil Liberties, Justice and Home Affairs
Substitute of Foreign Affairs

Overview Carmen Romero López

Amendments: 28
...stronger: 16
...weaker: 5
...neutral: 7

Amendments by Carmen Romero López

(25) Consent should be given explicitly by any appropriate method enabling a freely given specific and informed indication of the data subject's wishes, either by a statement or by a clear affirmative action by the data subject, ensuring that individuals are aware that they give their consent to the processing of personal data, including by ticking a box when visiting an Internet website or by any other statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of their personal data. Silence or inactivity should therefore not constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. If the data subject's consent is to be given following an electronic request, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided. The subject should also have the right to withdraw their consent at any time and with the same facility as it was granted.
 
(53) Any person should have the right to have personal data concerning them rectified and a 'right to be forgotten' where the retention of such data is not in compliance with this Regulation. In particular, data subjects should have the right that their personal data are erased and no longer processed, where the data are no longer necessary in relation to the purposes for which the data are collected or otherwise processed, where data subjects have withdrawn their consent for processing or where they object to the processing of personal data concerning them or where the processing of their personal data otherwise does not comply with this Regulation. This right is particularly relevant, when the data subject has given their consent as a child, when not being fully aware of the risks involved by the processing, and later wants to remove such personal data especially on the Internet. However, the further retention of the data should be allowed where it is necessary for historical, statistical and scientific research purposes, for reasons of public interest in the area of public health, for exercising the right of freedom of expression, when required by law or where there is a reason to restrict the processing of the data instead of erasing them. Nevertheless, in these cases, and insofar as the subject’s fundamental freedoms, rights and interests should prevail, he/she should be able to exercise the right to oppose the creation of links, copies or reproductions of such data where they are not necessary for these purposes.
 
(54) To strengthen the 'right to be forgotten' in the online environment, the right to erasure should also be extended in such a way that a controller who has made the personal data public should be obliged to inform third parties which are processing such data that a data subject requests them to erase any links to, or copies or replications of that personal data. To ensure this information, the controller should take all reasonable steps, including technical measures, in relation to data for the publication of which the controller is responsible. In cases where the measures taken by the controller have been ineffective or where the latter has disappeared, ceased to exist or cannot be contacted by the data subject, the latter should be entitled to oblige the third party to erase any link to the data, or copies or reproductions thereof. In relation to a third party publication of personal data, the controller should be considered responsible for the publication, where the controller has authorised the publication by the third party.
 
(97a) In the event of complaints or objections from the data subject, the latter should in all cases be able to have recourse to the supervisory authority in their Member State, which should be able, if the scale of the incident so warrants, to propose a coordinated response involving several supervisory bodies and headed by the lead authority, which should take a decision which should be implemented by all the supervisory bodies involved. Any discrepancies arising amongst the supervisory bodies concerned should be resolved by the European Data Protection Board.
 
(6a) ‘data protection by design’ means data protection embedded within the entire life cycle of the technology, from the very early design stage, right through to its ultimate deployment, use and final disposal;
  Comment: Depends on consequences.
(6b) ‘data protection by default’ means configuration of the privacy settings on services and products so that these comply with the general principles of data protection, such as transparency, data minimisation, purpose limitation, integrity, storage minimisation, intervention possibility and accountability.
  Comment: Depends on consequences.
4. Where the purpose of further processing is not compatible with different from the one for which the personal data have been collected, the processing must have a legal basis at least in one of the grounds referred to in points (a) to (e) of paragraph 1. This shall in particular apply to any change of terms and general conditions of a contract.
 
3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. The option of withdrawing consent shall be made as easily accessible and shall involve the same level of practical difficulty attached to the granting of consent.
 
2. Where the controller referred to in paragraph 1 has made the personal data public, it shall take all reasonable steps, including technical measures, in relation to data for the publication of which the controller is responsible, to inform third parties which are processing such data, that a data subject requests them to erase any links to, or copy or replication of that personal data. Where the controller has authorised a third party publication of personal datawho made the personal data public has taken steps measures that have had no effect has disappeared, has ceased to exist or cannot be contacted by the data subject, the controller shall be considered responsible for that publication.latter shall have the right to obtain third parties the erasure of any links to, or copy or replication of the personal data.
 
When data are retained under the provisions of points (a), (b), (c) and (d), and the controller has made them public, the data subject may, for reasons related to overriding interests, rights or freedoms, exercise the right to object to links to, or the copying or replication of, such data, unless such processing forms an essential part of the rights, interests, obligations or purposes to which these points relate.
 
(b) (b) processing carried out by an enterprise employing fewer than 250 persons; or250 persons or more, or of one of the special categories of data listed in Article 9(1), or of personal data which could, if processed, threaten the reputation, income or employment of the data subject; o
 
(d) enlist another processor only with the prior permission of the controller;, with the other processor subcontracted to provide personal data processing services being bound by the same contractual obligations or binding legal terms relating to personal data protection as the original processor;
 
(b) the processing is carried out by an enterprise employing 250 persons or more; o or concerns any of the special categories of personal data referred to in Article 9(1), or personal data whose processing would pose an economic or labour-related risk to, or harm the reputation of, the interested party;o
 
Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation may only take place if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation. Transfers to third countries in which the law specifically allows data to be processed in ways which are illegal under the terms of this regulation or are otherwise incompatible with EU fundamental rights, such as processing carried out for national or foreign policy purposes which is not necessary to maintain national security or uphold the law, shall be prohibited.
 
2. Where the processing of personal data takes place in the context of the activities of an establishment of a controller or a processor in the Union, and the controller or processor is established in more than one Member State, the supervisory authority of the main establishment of the controller or processor shall be competent for the supervision of the processing activities of the controller or the processor in all Member States, except with regard to decisions in response to the complaints referred to in Article 73, in which case it shall coordinate the actions of the supervisory authorities concerned, without prejudice to the provisions of Chapter VII of this Regulation.
 
(d) conduct investigations either on its own initiative or on the basis of a complaint , on receipt of information about illegal processing of personal data, or on request of another supervisory authority, and inform the data subject concerned, if the data subject has addressed a complaint to this supervisory authority, of the outcome of the investigations within a reasonable period;
 
these supervisory authorities may request further information, cooperation with the reporting authority under the terms laid down in Articles 55 and 56 or coordinated action between all the supervisory authorities concerned under the terms laid down in paragraph 3. 2. The supervisory authority concerned shall provide the other authorities concerned with a draft measure or any other relevant information, including a summary of the facts and a legal report, before adopting a measure to close an open procedure in respect of Article 54(a) Lead authority 1. In the event of complaints, investigations or other supervisory activities and which have legal effects on controllers, processors or data subjects. 3. In the event that a supervisory authority concerned requests coordinated action between all the supervisory authorities concerned, the supervisory authority of the Member State in which the main establishment of the controller or processor is located shall be the lead authority and shall act, with their accord, on behalf of the pertaining to the processing of personal data, as part of the activities of a controller or processor established in more than one Member State, or if such data processing affects persons in more than one Member State, the supervisory authority concerned shall inform any other supervisory authorities concerned at all stages of the supervisory procedures. To that end, the lead authority must, inter alia, submit draft measures to the other before initiating any procedure. Any of request from one or more of the supervisory authorities concerned. 4. If any of the , the requesting supervisory authorities concerned expresses its opposition to the proposed draft measures within three weeks of their submission shall be competent to take provisional measures, and shall refer the matter will be referred to the European Data Protection Board under the terms of Article 58. 5. If none of the supervisory authorities expresses its opposition, the proposed measure shall be adopted by all the supervisory authorities concerned and applied at national level. 6. In the event that the lead authority fails to act within one month of receiving aas per the procedure laid down in Article 58.
  Comment: Alternative concept. Consequences unclear.
3. Any supervisory authority or the European Data Protection Board may request that any matter shall be dealt with in the consistency mechanism, in particular where a supervisory authority does not submit a draft measure referred to in paragraph 2 or does not comply with the obligations for mutual assistance in accordance with Article 55 or for joint operations in accordance with Article 56., or where a supervisory authority concerned opposes a draft measure proposed by another supervisory authority concerned or by the lead authority, as per the provisions of Article 54(a).
 
(ga) set out common procedures for the receipt and investigation of information pertaining to complaints concerning the unlawful processing of personal data with a view to protecting whistleblowers from reprisals, and to safeguarding the confidentiality of the sources of such information in cases where whistleblowers may be affected by third countries’ laws prohibiting the uncovering of such unlawful processing of personal data.
 
1a. In votes on the European Data Protection Board, each representative of the supervisory authority of their Member State shall have as many votes as its Member State has in the Council of the European Union.
 
1. The European Data Protection Board shall elect a chair and two deputy chairpersons from amongst its members. One deputy chairperson shall be the European Data Protection Supervisor, unless he or she has been elected chair.
 
1. The European Data Protection Board shall have a secretariat. The European Data Protection SupervisorSecretariat of the Council shall provide that secretariat., and allocate the human and financial resources necessary to ensure it can exercise its duties effectively and independently under the management of its Chair.
 
3a. The Commission shall propose, within two years from the entry into force of this Regulation, a draft regulation for the establishment of an independent agency which shall run that secretariat, which shall have sufficient human and financial resources to ensure it can exercise its duties effectively and independently under the management of its Chair.
 
1. Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority in anytheir Member State of residence if they consider that the processing of personal data relating to them does not comply with this Regulation.
 
2. Any body, organisation or association which aims to protect data subjects’ rights and interests concerning the protection of their personal data and has been properly constituted according to the law of a Member State shall have the right to lodge a complaint with the supervisory authority in anythat Member State on behalf of one or more data subjects residing in that Member State if it considers that a data subject’s rights under this Regulation have been infringed as a result of the processing of personal data.
 
3. Independently of a data subject's complaint, any body, organisation or association referred to in paragraph 2 shall have the right to lodge a complaint with a supervisory authority in any Member Statein the Member State in which are located, if it considers that a personal data breach affecting data subjects residing in that Member State has occurred.
 
4. A data subject which is concerned by a decision of a supervisory authority in another Member State than where the data subject has its habitual residence, may request the supervisory authority of the Member State where it has its habitual residence to bring proceedings on its behalf against the competent supervisory authority in the other Member State.
 
(b) reasons of public interest in the area of public health, such as including protecting against serious cross-border threats to health or ensuring high standards of quality and safety, inter alia for medicinal products or medical devices; oro