Poland EPP

Rafał Trzaskowski

Country: Poland
Group: European People's Party (EPP)
Party: Platforma Obywatelska (PO)

Member of Constitutional Affairs
Substitute of Internal Market and Consumer Protection

Overview Rafał Trzaskowski

Amendments: 33
...stronger: 11
...weaker: 19
...neutral: 3

Amendments by Rafał Trzaskowski

(12) The protection afforded by this Regulation concerns natural persons, whatever their nationality or place of residence, in relation to the processing of personal data, except for those pursuing economic activity, which identifies them on the market. With regard to the processing of data which concern legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person, the protection of this Regulation should not be claimed by any person. This should also apply where the name of the legal person contains the names of one or more natural persons.
 
(25) Consent should be given freely and without pressure from the controller and explicitly by any appropriate method enabling a freely given specific and an informed indication of the data subject’s wishes, either by a statement or by a clear affirmative action by the data subject, ensuring that individuals are aware that they give their consent to the processing of personal data, including by ticking a box when visiting an Internet website or by any other statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of their personal data. Silence or inactivity should therefore not constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. If the data subject’s consent is to be given following an electronic request, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
  Comment: Eliminates "specific" consent
(34) Consent should not provide a valid legal ground for the processing of personal data, where there is be expressed freely and without pressure from the controller. Consent cannot be deemed as freely given when due to a clear imbalance lack of balance between the data subject and the controller, a refusal to give consent could result in adverse financial or legal consequences for the data subject. This is especially the case where the data subject is in a situation of dependence from the controller, among others, where personal data are processed by the employer of employees’ personal data in the employment context. Where the controller is a public authority, there would be an imbalance only in the specific data processing operations where the public authority can impose an obligation by virtue of its relevant public powers and the consent cannot be deemed as freely given, taking into account the interest of the data subject.
 
(38) The legitimate interests of a controller may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding. This would need careful assessment in particular where the data subject is a child, given that children deserve specific protection. The data subject should have the right to object the processing, on grounds relating to their particular situation and free of charge. A legitimate interest pursued by a controller may include in particular direct marketing of controller's goods and services and enforcement of the controller’s claims. When data subject withdraws his or her consent, the controller should be also allowed to refuse further provision of services if the processing is necessary because of the nature of the service or the functioning of the filling system. To ensure transparency, the controller should be obliged to explicitly inform the data subject on the legitimate interests pursued and on the right to object, and also be obliged to document these legitimate interests. Given that it is for the legislator to provide by law the legal basis for public authorities to process data, this legal ground should not apply for the processing by public authorities in the performance of their tasks.
 
(48) The principles of fair and transparent processing require that the data subject should be informed in particular of the existence of the processing operation and its purposes, how long the data will be stored, and if not possible the criteria used to determine the data storage period, on the existence of the right of access, rectification or erasure and on the right to lodge a complaint. Where the data are collected from the data subject, the data subject should also be informed whether they are obliged to provide the data and of the consequences, in cases they do not provide such data.
 
(51) Any person should have the right of access to data which has been collected concerning them, and to exercise this right easily, in order to be aware and verify the lawfulness of the processing. Every data subject should therefore have the right to know and obtain communication in particular for what purposes the data are processed, for what period, and if not possible the criteria used to determine the data storage period, which recipients receive the data, what is the logic of the data that are undergoing the processing and what might be, at least when based on profiling, the consequences of such processing. This right should not adversely affect the rights and freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software. However, the result of these considerations should not be that all information is refused to the data subject.
 
(ea) natural person pursuing economic activity, which identifies this person on the market;
 
(eb) of a natural person which data are made public in the course of exercising professional duties such as name, contact details and function;
 
3a. If the separate provisions of the European Union or the Member States law provide for more advanced protection of personal data than provided by this Regulation, these provisions shall be implemented complementarily. This applies in particular to the secrecy protected by law, e.g. bank secrecy.
 
3b. The information disclosed in accordance with the law in national registers of economic entities is not protected under this Regulation to the extent that it identifies entities on the market.
 
(9) ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
 
(13) ‘main establishment’ means as regards the controller, the place of its establishment in the Union where the main decisions as to the purposes, conditions and means of the processing of personal data are taken; if . In case of a group of undertakings, it is the place of establishment of the company with the dominant position over rest of the group as regards data protection policy. If no decisions as to the purposes, conditions and means of the processing of personal data are taken in the Union, the main establishment is the place where the main processing activities in the context of the activities of an establishment of a controller in the Union take place. As regards the processor, ‘main establishment’ means the place of its central administration in the Union; the same rules apply. The competent authority shall be informed by the controller and processor of the designation of a ‘main establishment’;
  Comment: Initial grading was "weaker". After an intervention we will reconsider the grading and have changed it to "neutral" for now.
(c) processing is necessary for exercise of the right or compliance with a legal obligation to which the controller is subject;
 
(f) without prejudice to the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child, processing is necessary for the purposes of the legitimate interests pursued by a controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where in particular: - direct marketing for its own and similar products and services, - the enforcement of the claims of the controller or of a third party on behalf of which the controller is acting in relation to the data subject, or for preventing or limiting damage by the data subject is a child. to the controller This shall not apply to processing carried out by public authorities in the performance of their tasks.
  Comment: Depends on the interpretation of "legitimate interests". Compared to others this AM seems to be average.
(fa) processing is necessary in the employment context, in particular for the purposes of the recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organization of work, health and safety at work, and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship, as well as for the purpose of entering, updating, improving, and modifying employees' data processing systems, including technical security systems designed to protect employees' data against unauthorized access by third parties, including transformation, viruses and malware;
 
3a. In the event that the data subject withdraws consent, the controller may refuse to provide further services if the processing of the data is vital for the provision of the service or ensuring the appropriate level of services.
 
4. Consent shall not provide a legal basis for the processing, where there is if, due to a significant imbalance between the position of the controller and the data subject and the controller., it has not been given freely, in accordance with Article 4(8).
 
1. For the purposes of this Regulation, in relation to the offering of information society services directly to a child, the processing of personal data of a child below the age of 13 years shall only be lawful if and to the extent that consent is given or authorised by the child's parent or custodian. The controller shall make reasonable efforts to obtain verifiable consent, taking into consideration available technology.
 
(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller in the field of employment law in so far as it is authorised by Union law or Member State law providing for adequate safeguards ensuring the fundamental rights of the data subject such as right to non-discrimination; or
 
(g) processing is necessary for the performance of a task carried out in the public interest, on the basis of Union law, or Member State law which shall provide for suitable measures to safeguard the data subject's legitimate interests and fundamental rights; or
 
4. The information and the actions taken on requests referred to in paragraph 1 shall be free of charge. Where requests are manifestly excessive, in particular because of their repetitive character if the request of the same character repeats more than once per 6 months, the controller may charge a an administrative fee for providing the information or taking the action requested, or the controller may not take the action requested. In that case, the controller shall bear the burden of proving the manifestly excessive character repetitiveness of the request.
 
The controller shall communicate any rectification or erasure carried out in accordance with Articles 16 and 17 to each recipient with whom he stays in contractual relationship and to whom the data have been disclosed, unless this proves impossible or involves a disproportionate effort.
 
(c) the period for which the personal data will be stored; and if not possible the criteria used to determine this period;
 
2. The data subject shall have the right to obtain from the controller communication of the personal data undergoing processing. Where the data subject makes the request in electronic form, the information shall be provided in electronic form, unless otherwise requested by the data subject. This is without prejudice to the right of the controller to determine other form of handling requests for information specified in point 1 if it is justified by the necessity of verifying the identity of subject requesting such information.
 
2a. The data subject shall have the right, where personal data are processed by electronic means, to obtain from the controller a copy of data undergoing processing in an electronic and structured format which allows for further use.
 
2. Where the controller referred to in paragraph 1 has made the personal data public, it shall take all reasonable steps, including technical measures, in relation to data for the publication of which the controller is responsible, to inform third parties which are processing such data, that a data subject requests them to erase any links to, or copy or replication of that personal data. Where the controller has authorised a third party publication of personal data, the controller shall be considered responsible for that publication.
 
Article 18 Right to data portability 1. The data subject shall have the right, where personal data are processed by electronic means and in a structured and commonly used format, to obtain from the controller a copy of data undergoing processing in an electronic and structured format which is commonly used and allows for further use by the data subject. 2. Where the data subject has provided the personal data and the processing is based on consent or on a contract, the data subject shall have the right to transmit those personal data and any other information provided by the data subject and retained by an automated processing system, into another one, in an electronic format which is commonly used, without hindrance from the controller from whom the personal data are withdrawn. 3. The Commission may specify the electronic format referred to in paragraph 1 and the technical standards, modalities and procedures for the transmission of personal data pursuant to paragraph 2. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
 
1. Every natural person, both off-line and online, shall have the right not to be subject to a measure which produces legal effects concerning this natural person or significantly affects this natural person, and which is based solely on automated processing intended to evaluate certain personal aspects relating to this natural person or to analyse or predict in particular the natural person's performance at work, economic situation, location, health, personal preferences, reliability or behaviour.
 
(a) is carried out in the course of the entering into, or performance of, a contract, where the request for the entering into or the performance of the contract, lodged by the data subject, has been satisfied examined or where suitable measures to safeguard the data subject's legitimate interests have been adduced, such as the including the right to obtain the information on the profiling criteria and the right to obtain human intervention; or
 
(b) is expressly authorized by a Union or Member State law which also lays down suitable measures to safeguard the data subject's legitimate interests and fundamental rights, including the right to non-discrimination; or
  Comment: Two sided.
4. In the cases referred to in paragraph 2, the information to be provided by the controller under Article 14 Articles 14 and 15 shall include information as to the existence of processing for a measure of the kind referred to in paragraph 1, including the criteria for the processing in question and the envisaged effects of such processing on the data subject.
 
(b) an enterprise employing fewer than 250 persons, unless its core activities, regardless the number of the employees, consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects; or
 
7. The controller or the processor shall designate a data protection officer for a period of at least two years. The data protection officer may be reappointed for further terms. During their term of office, the data protection officer may only be dismissed, if the data protection officer no longer fulfils the conditions required for the performance of their duties.