Csaba Sógor

Country: Romania
Group: European People's Party (EPP)
Party: Uniunea Democrată Maghiară din România (UDMR)

Member of Civil Liberties, Justice and Home Affairs
Substitute of Employment and Social Affairs

Overview Csaba Sógor

Amendments: 25
...stronger: 15
...weaker: 2
...neutral: 8

Amendments by Csaba Sógor

(45a) The right to the protection of personal data is based on the right of the data subject to exert the control over the personal data that are being processed. To this end the data subject should be granted clear and unambiguous rights to the provision of transparent, clear and easily understandable information regarding the processing of his or her personal data, the right of access, rectification and erasure of their personal data, the right to data portability and the right to object to profiling. Moreover the data subject should also have the possibility of lodging a complaint with regard to the processing of personal data by a controller or processor with the competent data protection authority and to bring legal proceedings in order to enforce his or her rights as well as the right to compensation and damages resulting of an unlawful processing operation or from an action incompatible with this Regulation. The provisions of this Regulation should strengthen, clarify, guarantee and where appropriate, codify those rights.
 
(66) In order to maintain security and to prevent processing in breach of this Regulation, the controller or processor should evaluate the risks inherent to the processing and implement measures to mitigate those risks. These measures should ensure an appropriate level of security, taking into account the state of the art and the costs of their implementation in relation to the risks and the nature of the personal data to be protected. When establishing technical standards and organisational measures to ensure security of processing, the Commission should promote technological neutrality, interoperability and innovation should be promoted, and, where appropriate, cooperate with third countries.third countries should be encouraged to cooperate.
  Comment: Intention unclear
(67) A personal data breach may, if not addressed in an adequate and timely manner, result in substantial economic loss and social harm, including identity fraud, to the individual concerned. Therefore, as soon as the controller becomes aware that such a breach has occurred, the controller should notify the breach to the supervisory authority in the country where it is based without undue delay and, where feasible, within 24 hoursone working day. Where this cannot achieved within 24 hoursone working day, an explanation of the reasons for the delay should accompany the notification. The individuals whose personal data could be adversely affected by the breach should be notified without undue delay in order to allow them to take the necessary precautions. A breach should be considered as adversely affecting the personal data or privacy of a data subject where it could result in, for example, identity theft or fraud, physical harm, significant humiliation or damage to reputation. The notification should describe the nature of the personal data breach as well as recommendations as well as recommendations for the individual concerned to mitigate potential adverse effects. Notifications to data subjects should be made as soon as reasonably feasible, and in close cooperation with the supervisory authority and respecting guidance provided by it or other relevant authorities (e.g. law enforcement authorities). For example, the chance for data subjects to mitigate an immediate risk of harm would call for a prompt notification of data subjects whereas the need to implement appropriate measures against continuing or similar data breaches may justify a longer delay.
  Comment: Unclear consequence
(75) Where the processing is carried out in the public sector or where, in the private sector, processing is carried out by a large enterprise or relates to more than 249 data subjects per year, or where its core activities, regardless of the size of the enterprise, involve processing operations which require regular and systematic monitoring, a person should assist the controller or processor to monitor internal compliance with this Regulation. When establishing whether data about a large number of data subjects are processed, archived data that is restricted in such a way that they are not subject to the normal data access and processing operations of the controller and can no longer be changed should not be taken into account. Such data protection officers, whether or not an employee of the controller and whether or not performing that task full time, should be in a position to perform their duties and tasks independently. The data protection officer should in particular be consulted prior to the design, procurement, development and setting-up of systems for the automated processing of personal data, in order to ensure the principles of privacy by design and privacy by default.
 
(75a) The data protection officer should have at least the following qualifications: extensive knowledge of the substance and application of data protection law, including technical and organizational measures and procedures; mastery of technical requirements for privacy by design, privacy by default and data security; industry-specific knowledge in accordance with the size of the controller or processor and the sensitivity of the data to be processed; the ability to carry out inspections, consultation, documentation, and log file analysis; and full knowledge of the role and competence of an employee representative. The controller should enable the data protection officer to take part in advanced training measures to maintain the specialized knowledge required to perform his or her duties.
 
(101) Each supervisory authority should hear complaints lodged by any data subject or organisation acting in the public interest and should investigate the matter. The investigation following a complaint should be carried out, subject to judicial review, to the extent that is appropriate in the specific case. The supervisory authority should inform the data subject or the association of the progress and the outcome of the complaint within a reasonable period. If the case requires further investigation or coordination with another supervisory authority, intermediate information should be given to the data subject.
 
(112) Any body, organisation or association which aims to protects the rights and interests of data subjects in relation to the protection of their data and (112) In the spirit of this Regulation, any body, organisation or association acting in the public interest which is constituted according to the law of a Member State should have the right to lodge a complaint with a supervisory authority or exercise the right to a judicial remedy on behalf of data subjects, or to lodge, independently of a data subject's complaint, an own complaint where it considers that a personal data breach has occurred.
 
(114) In the spirit of this Regulation, in order to strengthen the judicial protection of the data subject in situations where the competent supervisory authority is established in another Member State than the one where the data subject is residing, the data subject may request any body, organisation or association aiming to protect the rights and interests of data subjects in relation to the protection of their data acting in the public interest to bring on the data subject’s their behalf proceedings against that supervisory authority to the competent court in the other Member State.
 
(129) In order to fulfil the objectives of this Regulation, namely to protect the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data and to ensure the free movement of personal data within the Union, the power to adopt acts in accordance with Article 290 of the Treaty on the Functioning of the European Union should be delegated to the Commission. In particular, delegated acts should be adopted in respect of lawfulness of processingspecifying the technical formats for giving consent; specifying the criteria and conditions in relation to the consent of a child; processing of special categories of dataconditions of modes based on icons and other graphic features for provision of information; specifying the criteria and conditions for manifestly excessive requests and fees for exercising the rights of the data subject; criteria and requirements for the information to the data subject and in relation to the right of access; the right to be forgotten and to erasure; measures based on profiling; criteria and requirements in relation tofor verification of the responsibility of the controller and to data protection by design and by default; a processor; ; criteria and requirements for the documentation and the security of processing; criteria and requirements for establishing a personal data breach and for its notification to the supervisory authority, and on the circumstances where a personal data breach is likely to adversely affect the data subject; the criteria and conditions for processing operations requiring a data protection impact assessment; the criteria and requirements for determining a high degree of specific risks which require prior consultation; designation and tasks of the data protection officer; codes of conduct; criteria and requirements for certification mechanisms; criteria and requirements for transfers by way of binding corporate rules; transfer derogationsthe adequate level of protection afforded by a third country or an international organisation; administrative sanctions; processing for health purposes; processing in the employment context and processing for historical, statistical and scientific research purposes. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level and in particular with the European Data Protection Board. The Commission, when preparing and drawing-up delegated acts, should ensure a simultaneous, timely and appropriate transmission of relevant documents to the European Parliament and Council.
  Comment: Result depends on other changes. Intention unclear.
(1) ‘data subject’ means an identified natural person or a natural person who can be identified or singled out, directly or indirectly, alone or in combination with associated data, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an identification numbera unique identifier, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity , social or gender identity or sexual orientation of that person;
 
1. For the purposes of this Regulation, in relation to the offering of information society goods and services directly to a child, the processing of personal data of a child below the age of 1314 years shall only be lawful if and to the extent that consent is given or authorised by the child's parent or custodianlegal representative. The controller shall make reasonable efforts to obtain verifiable consent, taking into consideration available technology. The methods to obtain verifiable consent shall not lead to the further processing of personal data which would otherwise not be necessary.
 
2a. Information for data subjects shall be provided in a format offering data subjects the information needed to understand their position and make decisions in an appropriate way. Therefore the controller shall provide and communicate its data protection policies through an easily understandable mode of description based on icons and other graphic features for the different types of data processing, their conditions and consequences. Full information shall be available on request in accordance with Article 14.
 
2b. The Commission shall be empowered to adopt, after requesting an opinion of The European Data Protection Board, delegated acts in accordance with Article 86 for the purpose of further specifying the mode of description based on icons and other graphic features which is referred to in paragraph 3 concerning the nature of the processing, duration of storage, transfer or erasure of data by establishing icons or other instruments in order to provide information in a standardised way.
 
2. The data subject shall have the right to obtain from the controller communication of the personal data undergoing processing. Where the data subject makes the request in electronic forma freely-available electronic format, the information shall be provided in electronic form which enables the data subject to make subsequent use of it, unless otherwise requested by the data subject.
 
2a. Where the data subject has provided the personal data and the processing is based on consent or on a contract, the data subject shall have the right to transmit those personal data and any other information provided by the data subject and retained by an automated processing system, into another one, in a freely-available electronic format, without hindrance from the controller from whom the personal data are withdrawn.
 
3. 3.Where an objection is upheld pursuant to paragraphs 1 and 2, the controller shall no longer use or otherwise process the personal data concerned.use the personal data concerned only for historical, statistical or research purposes or, depending on the option chosen, delete it.
 
2. In particular, any legislative measure referred to in paragraph 1 must be necessary and proportionate in the information society and shall contain specific provisions at least as to : (a) the objectives to be pursued by the processing and; (b) the determination of the controller.; (c) the specific purposes and means of processing; (d) the categories of persons authorised to process the data; (e) the procedure to be followed for the processing; (f) the safeguards to prevent abuse; (g) the right of data subjects to be informed about the restriction.
 
2. The controller shall implement mechanisms for ensuring 2. Where the data subject is given a choice regarding the processing of personal data, the controller shall ensure that, by default, only those personal data are processed which are necessary for each specific purpose of the processing and are especially not collected or retained beyond the minimum necessary for those purposes, both in terms of the amount of the data and the time of their storage. In particular, those mechanisms shall ensure that by default personal data are not made accessible to an indefinite number of individuals. and that information in the form of a request for consent regarding the distribution of personal data will be obtained.
 
3a. Data protection officers shall be bound by secrecy concerning the identity of data subjects and concerning circumstances enabling data subjects to be identified, unless they are released from that obligation by the data subject. Where in the course of their activities data protection officers become aware of data for which the head of the data controller or a person employed by the data controller has the right to refuse to give evidence, that right shall also apply to data protection officers and their subordinates.
 
8. Decisions adopted by the Commission on the basis of Article 25(6) or Article 26(4) of Directive 95/46/EC shall remain in force, until amended, replaced or repealed by the Commission. for two years from the entry into force of this Regulation.
 
5. Where the appropriate safeguards with respect to the protection of personal data are not provided for in a legally binding instrument, the controller or processor shall obtain prior authorisation for the transfer, or a set of transfers, or for provisions to be inserted into administrative arrangements providing the basis for such transfer. Such authorisation by the supervisory authority shall be in accordance with point (a) 5. Authorisations by a supervisory authority on the basis of Article 34(1). If the transfer is related to processing activities which concern data subjects in another Member State or other Member States, or substantially affect the free movement of personal data within the Union, the supervisory authority shall apply the consistency mechanism referred to in Article 57. Authorisations by a supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid, 26(2) of Directive 95/46/EC shall remain in force for no longer than two years from the entry into force of this Regulation or until amended, replaced or repealed by thatthe supervisory authority.
 
Article 45a The Commission shall, starting four years from the date referred to in Article 91(1) (the date of entry into force of this Regulation), submit a report on the application of Articles 40 and 45 every two years to the European Parliament. and the Council. To this end, the Commission may request information from the Member States and the supervisory authorities; such information must be delivered promptly. The reports will be published.
 
1. Member States shall provide that the members of the supervisory authority must be appointed either by the parliament or the – following consultation with the parliament – the government of the Member State concerned., always ensuring that political influence is kept to a minimum; the requisite qualifications, absence of conflicts of interest and positions of the members must also be regulated.
 
1. The European Data Protection Board shall elect a chair and two deputy chairpersons from amongst its members. One deputy chairperson shall be the European Data Protection Supervisor, unless he or she has been elected chair.
 
Article 82a Processing in the social security context 1. Member States may, in accordance with the rules set out in this Regulation, adopt specific legislative rules particularising the conditions for the processing of personal data by their public institutions and departments in the social security context if carried out in the public interest. 2. Each Member State shall notify the Commission of the rules adopted in national law pursuant to paragraph 1 by the date specified in Article 91(2) at the latest and of any subsequent amendment affecting them within one month of the amendment being adopted.