Nils Torvalds

Country: Finland
Group: Alliance of Liberals and Democrats for Europe (ALDE)
Party: Svenska folkpartiet (SFP)

Vice-Chair of Fisheries
Member of Civil Liberties, Justice and Home Affairs
Substitute of Budgets
Substitute of Economic and Monetary Affairs

Overview Nils Torvalds

Amendments: 64
...stronger: 4
...weaker: 35
...neutral: 25

Amendments by Nils Torvalds

Proposal for a REGULATIONDIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection RegulationDirective) (Text with EEA relevance)
 
(34) Consent should not provide a valid legal ground for the processing of personal data, where there is a clear imbalance between the data subject and the controller. This is especially the case where the data subject is in a situation of dependence from the controller, among others, where personal data are processed by the employer of employees’ personal data in the employment context. Where the controller is a public authority, there would be an imbalance only in the specific data processing operations where the public authority can impose an obligation by virtue of its relevant public powers and the consent cannot be deemed as freely given, taking into account the interest of the data subject.
 
(125) The processing of personal data for the purposes of historical, statistical or scientific research should, in order to be lawful, also respect other relevant legislation such as on clinical trials. A research ethics committee as mentioned in Article 83 should be consistent with the principles of the World Medical Association’s Declaration of Helsinki and any national requirements in Member States.
  Comment: Intention unclear.
(d) by a natural person without any gainful interest in the course of its own exclusively personal or household activity;
 
(19a) ‘data protection officer’ means a natural or legal person or a team of professionals, with the necessary professional experience and expertise required to perform the duties stemming from and outlined in this Regulation, who are employed or designated by the controller or the processor.
 
4. Consent shall not provide a legal basis for the processing, where there is a significant imbalance between the position of the data subject and the controller.
 
1. The controller shall establish procedures for providing the information referred to in Article 14 and for the exercise of the rights of data subjects referred to in Article 13 and Articles 15 to 19. The controller shall provide in particular mechanisms for facilitating the request for the actions referred to in Article 13 and Articles 15 to 19. Where personal data are processed by automated means, and unless disproportionate efforts or costs arise from this, the controller shall also provide means for requests to be made electronically.
 
2. The controller shall inform the data subject without delay and, at the latest within one month of receipt of the request, whether or not any action has been taken pursuant to Article 13 and Articles 15 to 19 and shall provide the requested information. This period may be prolonged for a further month, if several data subjects exercise their rights and their cooperation is necessary to a reasonable extent to prevent an unnecessary and disproportionate effort on the part of the controller. The information shall be given in writing. Where the data subject makes the request in electronic form, the information shall be provided in electronic form if possible, unless otherwise requested by the data subject.
 
1. The data subject shall have the right to obtain from the controller at any time, on request, confirmation as to whether or not personal data relating to the data subject are being processed. Where such personal data are being processed, the controller shall provide the following information:
 
1. The data subject shall have the right to obtain from the controller the erasure of personal data relating to them and the abstention from further dissemination of such data, unless the data is kept by competent authorities or other bodies in a legal register required by national or Union legislation, especially in relation to personal data which are made available by the data subject while he or she was a child, where one of the following grounds applies:
 
1. The data subject shall have the right, where personal data are processed by electronic means and in a structured and commonly used format, to obtain from the controller a copy of data undergoing processing in an electronic and structured format which is commonly used and allows for further use by the data subject.
 
1. The controller shall adopt policies and 1. With regard to the nature of personal data being processed, the type of organization in question, and considering the state-of-the-art, the controller and processor shall, both at the time of the determination of the means of processing and at the time of the processing, implement appropriate measures to ensure and be able to demonstrate that and demonstrable technical and organizational measures as well as suitable privacy programmes that ensure that the processing of personal data is performed in compliance with this Regulation.meets the requirements of this Regulation and the protection of the rights of the data subject by design.
 
2. The measures provided for in paragraph 1 shall in particular include:include, but not be limited to,
 
(a) keeping the documentation pursuant to Article 28;(a) management oversight of the processing of personal data to ensure the existence, implementation and effectiveness of the technical and organizational measures outlined in paragraph 1;
  Comment: Intention unclear.
(b) implementing the data security requirements laid down in Article 30;(b) the existence of proper policies, instructions or other guidelines to direct the processing of data in a way that complies with this Regulation, as well as procedures and enforcement to make such policies, instructions or guidelines effective;
  Comment: Intention unclear.
(c) performing a data protection impact assessment pursuant to Article 33;(c) the existence of proper planning and procedures which ensure compliance with this Regulation and which address potentially risky processing of personal data prior to the start of the processing of data;
 
(d) complying with the requirements for prior authorisation or prior consultation of the supervisory authority pursuant to Article 34(1) and (2);(d) the existence of appropriate documentation of data processing that enables compliance with the obligations arising from this Regulation;
  Comment: Intention unclear.
(e) designating (e) the existence of a data protection officer pursuant to Article 35(1)., as outlined in Article 4, or other staff supported with adequate resources to oversee the implementation of measures defined in this Article and to monitor compliance with this Regulation. The sufficient organizational independence of the data protection officer or other staff shall be ensured;
 
(ea) the existence of proper awareness and training of the staff participating in the processing of data and the related decision-making;
 
3. The controller shall implement mechanisms to ensure the verification of the effectiveness of the measures referred to in paragraphs 1 and 2. If proportionate, this verification shall be carried out by independent internal or external auditors.or processor shall, upon request by the competent data protection authority, demonstrate the existence of technical and organizational measures in line with those referred to in paragraphs 1 and 2.
 
4. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of specifying any further criteria and requirements for appropriate measures referred to in paragraph 1 other than those already referred to in paragraph 2, the conditions for the verification and auditing mechanisms referred to in paragraph 3 and as regards the criteria for proportionality under paragraph 3, and considering specific measures for micro, small and medium-sized-enterprises.4. A group of undertakings may apply joint technical and organizational measures to meet the obligations arising from this Regulation.
 
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of specifying any further criteria and requirements for appropriate measures and mechanisms referred to in paragraph 1 and 2, in particular for data protection by design requirements applicable across sectors, products and services.
 
(b) an enterprise or an organisation employing fewer than 250 persons that is processing personal data only as an activity ancillary to its main activities.
 
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the documentation referred to in paragraph 1, to take account of in particular the responsibilities of the controller and the processor and, if any, the controller's representative.
 
1. In the case of a personal data breach which is likely to adversely affect the data subject and the protection of the personal data of the data subject, the controller shall without undue delay and, where feasible, not later than 24 hours after having become aware of it, notify the personal data breach to the supervisory authority. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 24 hours.
 
5. Where the controller is a public authority or body and where the processing results from a legal obligation pursuant to point (c) of Article 6(1) providing for rules and procedures pertaining to the processing operations and regulated by Union or national law, paragraphs 1 to 4 shall not apply, unless Member States deem it necessary to carry out such assessment prior to the processing activities.
 
6. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and conditions for the processing operations likely to present specific risks referred to in paragraphs 1 and 2 and the requirements for the assessment referred to in paragraph 3, including conditions for scalability, verification and auditability. In doing so, the Commission shall consider specific measures for micro, small and medium-sized enterprises.
 
7. The Commission may specify standards and procedures for carrying out and verifying and auditing the assessment referred to in paragraph 3. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
 
1. The controller or the processor as the case may be shall obtain an authorisation from the supervisory authority prior to the processing of personal data, in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risks involved for the data subjects where a controller or processor adopts contractual clauses as provided for in point (d) of Article 42(2) or does not provide for the appropriate safeguards in a legally binding instrument as referred to in Article 42(5) for the transfer of personal data to a third country or an international organisation.
 
1. The controller and the processor shall , unless such tasks are already being carried out, designate a data protection officer in as outlined in Article 4 in any case where:
 
2. In the casecases referred to in point (b) of paragraph 1, a group of undertakings may appoint a singlejoint data protection officer.
 
3. Where the controller or the processor is a public authority or body, the data protection officer or officers may be designated for several of its entities, taking account of the organisational structure of the public authority or body.
 
4. In cases other than those referred to in paragraph 1, the controller or processor or associations and other bodies representing categories of controllers or processors may designate a data protection officer. or officers.
 
5. The controller or processor shall designate the data protection officer or data protection officers on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and ability to fulfil the tasks referred to in Article 37. The necessary level of expert knowledge shall be determined in particular according to the data processing carried out and the protection required for the personal data processed by the controller or the processor.
 
6. The controller or the processor shall ensure that any other professional duties of the data protection officer or data protection officers are compatible with the person's or persons' tasks and duties as data protection officer and do not result in a conflict of interests.
 
7. The controller or the processor shall designate a data protection officer for a period of at least two years. The data protection officer may be reappointed for further terms. During their term of office, the data protection officer may only be dismissed, if the data protection officer no longer fulfils the conditions required for the performance of their duties.
 
9. The controller or the processor shall communicate make available the name and contact details of the data protection officer to the supervisory authority and to the public.
 
10. Data subjects shall have the right to contact the data protection officer or data protection officers on all issues related to the processing of the data subject's data and to request exercising the rights under this Regulation.
 
11. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the core activities of the controller or the processor referred to in point (c) of paragraph 1 and the criteria for the professional qualities of the data protection officer referred to in paragraph 5.
 
1. The controller or the processor shall ensure that the data protection officer is or officers are properly and in a timely manner involved in all issues which relate to the protection of personal data.
 
2. The controller or processor shall ensure that the data protection officer performs the duties and tasks independently and does not receive any instructions as regards the exercise of the function. The or data protection officer shall directly report to the management of the controller or the processor.officers shall perform their duties and tasks independently.
 
3. The controller or the processor shall support the data protection officer in performing the tasks and shall provide staff, premises, equipment and any other resources necessary by providing appropriate means to carry out the duties and tasks referred to in Article 37.
 
1. The controller or the processor shall entrust the data protection officer or data protection officers at least with the following tasks:
 
(a) to inform and advise the controller or the processor of their obligations pursuant to this Regulation and to document this activity and the responses received;
 
(b) to monitor the implementation and application of the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, the training of staff involved in the processing operations, and the related audits; as outlined in Article 22;
 
(c) to monitor the implementation and application of compliance with this Regulation, in particular as to the requirements related to data protection by design, data protection by default and data security and to the information of data subjects and their requests in exercising their rights under this Regulation;
 
(d) to ensure that the documentation referred to in Article 28 is maintained;
 
(e) to monitor the documentation, notification and communication of personal data breaches pursuant to Articles 31 and 32;
 
(f) to monitor the performance of the data protection impact assessment by the controller or processor and the application for prior authorisation or prior consultation, if required pursuant Articles 33 and 34;
 
(g) to monitor the response to requests from the supervisory authority, and, within the sphere of the data protection officer's competence, co-operating with the supervisory authority at the latter's request or on the data protection officer's own initiative;
 
(h) to act as the contact point for the supervisory authority on issues related to the processing and consult with the supervisory authority, if appropriate, on his/her own initiative.
 
2. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for tasks, certification, status, powers and resources of the data protection officer referred to in paragraph 1.
 
1. Each supervisory authority shall be empowered to impose warnings or administrative sanctions in accordance with this Article.
 
2. The administrative sanction shall be in each individual case effective, proportionate and dissuasive. The amount of the administrative fine shall be fixed with due regard to based on the nature, gravity and duration of the breach, the intentional or negligent character of the infringement, the degree of responsibility of the natural or legal person and of previous breaches by this person, the technical and organisational measures and procedures implemented pursuant to Article 23 and the degree of co-operation with the supervisory authority in order to remedy the breach.
 
3. In case of a first and non-intentional non-compliance with this Regulation, a warning in writing may be given and no sanction imposed, where: (a) a natural person is processing personal data without a commercial interest; or (b) an enterprise or an organisation employing fewer than 250 persons is processing personal data only as an activity ancillary to its main activities.
 
4. The supervisory authority shall impose a fine up to 250 000 EUR, or in case of an enterprise up to 0,5 % of its annual worldwide turnover,, based on the gravity of the breach, impose a fine or a warning to anyone who, intentionally or negligently:
 
5. The supervisory authority shall impose a fine up to 500 000 EUR, or in case of an enterprise up to 1 % of its annual worldwide turnover, to , based on the gravity of the breach, impose a fine or a warning to anyone who, intentionally or negligently:
 
6. The supervisory authority shall impose a fine up to 1 000 000 EUR or, in case of an enterprise up to 2 % of its annual worldwide turnover, to , based on the gravity of the breach, impose a fine or warning to anyone who, intentionally or negligently:
 
1a. In order to reconcile the right to the protection of personal data with the principle of public access to official documents, personal data in documents held by a public authority or a public body may be disclosed by this authority or body in accordance with Member State legislation regarding public access to official documents.
 
2. Each Member State shall notify to the Commission those provisions of its law which it has adopted pursuant to paragraph 1 by the date specified in Article 91(2) at the latest and, without delay, any subsequent amendment law or amendment affecting them.
 
1. Within the limits of this Regulation, Member States may adopt by law or by collective agreements specific rules regulating the processing of employees’ personal data in the employment context, in particular for the purposes of the recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organisation of work, health and safety at work, and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship.
 
(ba) in case data is to be processed for scientific research purposes, the proposed scientific research project has received a favourable opinion from an independent research ethics committee.
 
1a. The data subject has given his or her consent for the processing of data for historical, statistical and scientific research. For the purposes of historical, statistical and scientific research, a one-time consent is enough and there is no need for explicit consent to be given each time by the data subject, or a need to notify the data subject, separately before the processing of data related to research purposes.
 
1. The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article.

2. The delegation of power referred to in Article 6(5), Article 8(3), Article 9(3), Article 12(5), Article 14(7), Article 15(3), Article 17(9), Article 20(6), Article 22(4), Article 23(3), Article 26(5), Article 28(5), Article 30(3), Article 31(5), Article 32(5), Article 33(6), Article 34(8), Article 35(11), Article 37(2), Article 39(2), Article 43(3), Article 44(7), Article 79(6), Article 81(3), Article 82(3) and Article 83(3) shall be conferred on the Commission for an indeterminate period of time from the date of entry into force of this Regulation.

3. The delegation of power referred to in Article 6(5), Article 8(3), Article 9(3), Article 12(5), Article 14(7), Article 15(3), Article 17(9), Article 20(6), Article 22(4), Article 23(3), Article 26(5), Article 28(5), Article 30(3), Article 31(5), Article 32(5), Article 33(6), Article 34(8), Article 35(11), Article 37(2), Article 39(2), Article 43(3), Article 44(7), Article 79(6), Article 81(3), Article 82(3) and Article 83(3) may be revoked at any time by the European Parliament or by the Council. A decision of revocation shall put an end to the delegation of power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.

4. As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council.

5. A delegated act adopted pursuant to Article 6(5), Article 8(3), Article 9(3), Article 12(5), Article 14(7), Article 15(3), Article 17(9), Article 20(6), Article 22(4), Article 23(3), Article 26(5), Article 28(5), Article 30(3), Article 31(5), Article 32(5), Article 33(6), Article 34(8), Article 35(11), Article 37(2), Article 39(2), Article 43(3), Article 44(7), Article 79(6), Article 81(3), Article 82(3) and Article 83(3) shall enter into force only if no objection has been expressed either by the European Parliament or the Council within a period of two months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by two months at the initiative of the European Parliament or the Council.