Article 4 Definitions




Proposed Amendment 1



Article 4

Definitions

Commission Proposal



Telefónica Proposal

(proposed new text in blue)


(5) 'controller' means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes, conditions and means of the processing of personal data; where the purposes, conditions and means of processing are determined by Union law or Member State law, the controller or the specific criteria for his nomination may be designated by Union law or by Member State law;





(5) 'controller' means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes, conditions and means of the processing of personal data; where the purposes, conditions and means of processing are determined by Union law or Member State law, the controller or the specific criteria for his nomination may be designated by Union law or by Member State law;









Justification:

The definition of controller should be based on the decision of the purposes for which personal data are processed (i.e. “why” the data are processed) rather than the conditions or means by which this is achieved (i.e. “how” the data are processed).


The control over the reason/purpose for processing is the logical basis for allocating different responsibilities between controllers, who are responsible for what data are processed and why, and processors, who deal with how data are processed.
A clear divide between controller and processor, and between their roles and responsibilities, is key in a cloud environment. More and more data processing is outsourced by the controller to a service provider (processor). Controllers often rely on their service providers to determine the most effective technological solutions for delivering the outsourced processing. In fact, service providers sell themselves to their customers on the basis of their technical expertise, and necessarily exercise a certain, but limited, autonomy over the means and conditions by which they process data on their customers' behalf. However, by doing so, service providers risk exposure under the current Proposal to the full compliance requirements of the Regulation, a disproportionate burden considering that the purposes for which they process data are entirely mandated by their customer. It is also not in line with the typical practice of sharing responsibilities between service providers and their customers in commercial agreements for such data processing services.


Proposed Amendment 2



Article 18

Right to data portability

Commission Proposal



Telefónica Proposal



(proposed new text in blue)




  1. The data subject shall have the right, where personal data are processed by electronic means and in a structured and […].

  2. Where the data subject has provided the personal data and the processing is based on consent or on a contract, […].

  3. The Commission may specify the electronic format referred to in paragraph 1 and the technical standards, […].





  1. The data subject shall have the right, where personal data are processed by electronic means and in a structured and […].

  2. Where the data subject has provided the personal data and the processing is based on consent or on a contract, […].

  3. The Commission may specify the electronic format referred to in paragraph 1 and the technical standards, […].





Justification:
Data portability is fraught with technical and competition issues and is therefore easier said than done. But apart from these enforcement difficulties, Telefónica would like to make a more important point: in essence, data portability is a competition or market organisation measure to be addressed in the proper regulation, and is not related to data protection or privacy.
Transparency as a whole will become even more important for obtaining the confidence of our customers; the market will therefore provide the most suitable forms of data subject access rights. Some of our Operating Businesses already today answer customer requests for data in electronic form, and the customers are free to use that data however they want. This will evolve in the future with the increasing amounts of data and the process development that necessarily goes along with it.
We would therefore suggest striking data portability from this Regulation and instead strengthening and simplifying the right of access to data, in other words reinforcing data subject access rights.
Competition issues around cloud services are not solved by providing a general data portability right. Cloud covers different services with different technical, business and competition implications and different portability possibilities; the data are not the same and the services are not the same, unless we aim at building "uniform" cloud-based services in Europe (which is not really the idea of the European Cloud Strategy). We cannot provide a blanket portability rule for all the services around the cloud business without considering the service provided and the competition constraints in each cloud-based business proposition: hosting, IaaS, processing, SaaS, etc.
It is not easy to move data from one provider to another, especially if the cloud provider provides value-added services and not only infrastructure. This will not be solved by a generic data portability right.
Service costs and prices will clearly increase without any clear benefit in most cases, innovation will be constrained by European formats, standards and rules, and European cloud services will become even less competitive from the end-user perspective even though they implement users' data portability rights.



  • MEP Kelly's Draft Opinion tries to introduce some improvements in the wording of Art. 18, but in the end there seems to be no difference between Art. 18 as amended by MEP Kelly and Art. 15 on the data subject's right of access. Having a sound right of access (Art. 15) would solve the problems the new right to data portability is intended to address, without any of the negative effects identified above.


Proposed Amendment 3





Article 26

Processor

Commission Proposal



Telefónica Proposal

(proposed new text in blue)


1. Where a processing operation is to be carried out on behalf of a controller, the controller shall choose a processor providing sufficient guarantees to implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject, in particular in respect of the technical security measures and organizational measures governing the processing to be carried out and shall ensure compliance with those measures.

2. The carrying out of processing by a processor shall be governed by a contract or other legal act binding the processor to the controller and stipulating in particular that the processor shall:

(a) act only on instructions from the controller, in particular, where the transfer of the personal data used is prohibited;

(b) employ only staff who have committed themselves to confidentiality or are under a statutory obligation of confidentiality;

(c) take all required measures pursuant to Article 30;

(d) only enlist another further processors only with the prior permission of the controller that enable the requirements of this Regulation to be met;

(e) insofar as this is possible given the nature of the processing, create in agreement with the controller the necessary technical and organisational requirements for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III;

(f) assist the controller in ensuring compliance with the obligations pursuant to Articles 30 to 34;

(g) hand over all results to the controller after the end of the processing and not process the personal data further after the end of the agreed processing otherwise;

(h) upon request make available to the controller and the supervisory authority all relevant and permissible information necessary to control compliance with the obligations laid down in this Article.

3. The controller and the processor shall document in writing the controller's instructions and the processor's obligations referred to in paragraph 2.

4. If a processor processes personal data other than as instructed by the controller, the processor shall be considered to be a controller in respect of that processing and shall be subject to the rules on joint controllers laid down in Article 24.

5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the responsibilities, duties and tasks in relation to a processor in line with paragraph 1, and conditions which allow facilitating the processing of personal data within a group of undertakings, in particular for the purposes of control and reporting.





1. Where a processing operation is to be carried out on behalf of a controller, the controller shall choose a processor providing sufficient guarantees to implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject, in particular in respect of the technical security measures and organizational measures governing the processing to be carried out and shall ensure compliance with those measures.

2. The carrying out of processing by a processor shall be governed by a contract or other legal act binding the processor to the controller and stipulating in particular that the processor shall:

(a) act only on instructions from the controller, in particular, where the transfer of the personal data used is prohibited;

(b) employ only staff who have committed themselves to confidentiality or are under a statutory obligation of confidentiality;

(c) take all required measures pursuant to Article 30;



(d) only enlist another further processors only with the prior permission of the controller that enable the requirements of this Regulation to be met;

(e) insofar as this is possible given the nature of the processing, create in agreement with the controller the necessary technical and organisational requirements for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III;

(f) assist the controller in ensuring compliance with the obligations pursuant to Articles 30 to 34;

(g) hand over all results to the controller after the end of the processing and not process the personal data further after the end of the agreed processing otherwise;

(h) upon request make available to the controller and the supervisory authority all relevant and permissible information necessary to control compliance with the obligations laid down in this Article.

3. The controller and the processor shall document in writing the controller's instructions and the processor's obligations referred to in paragraph 2.



4. If a processor processes personal data other than as instructed by the controller, the processor shall be considered to be a controller in respect of that processing and shall be subject to the rules on joint controllers laid down in Article 24.

5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the responsibilities, duties and tasks in relation to a processor in line with paragraph 1, and conditions which allow facilitating the processing of personal data within a group of undertakings, in particular for the purposes of control and reporting.






Justification:

This article introduces many new obligations on processors that should preferably be set in the contractual agreements between controllers and processors.


Furthermore, we suggest deleting the possibility for the Commission to adopt delegated acts.


Proposed Amendment 4



Article 28

Documentation

Commission Proposal



Telefónica Proposal


(proposed new text in blue)

1. Each controller and processor and, if any, the controller's representative, shall maintain documentation of all processing operations under its responsibility.

2. The documentation shall contain at least the following information:

(a) the name and contact details of the controller, or any joint controller or processor, and of the representative, if any;

(b) the name and contact details of the data protection officer, if any;

(c) the purposes of the processing, including the legitimate interests pursued by the controller where the processing is based on point (f) of Article 6(1);

(d) a description of categories of data subjects and of the categories of personal data relating to them;

(e) the recipients or categories of recipients of the personal data, including the controllers to whom personal data are disclosed for the legitimate interest pursued by them;

(f) where applicable, transfers of data to a third country or an international organisation, including the identification of that third country or international organisation and, in case of transfers referred to in point (h) of Article 44(1), the documentation of appropriate safeguards;

(g) a general indication of the time limits for erasure of the different categories of data;

(h) the description of the mechanisms referred to in Article 22(3).

3. The controller and the processor and, if any, the controller's representative, shall make the documentation available, on request, to the supervisory authority.

5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the documentation referred to in paragraph 1, to take account of in particular the responsibilities of the controller and the processor and, if any, the controller's representative.

6. The Commission may lay down standard forms for the documentation referred to in paragraph 1. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).


1. Each controller and processor and, if any, the controller's representative, shall maintain documentation of all processing operations under its responsibility.

2. The documentation shall contain at least the following information:

(a) the name and contact details of the controller, or any joint controller or processor, and of the representative, if any;

(b) the name and contact details of the data protection officer, if any;

(c) the purposes of the processing, including the legitimate interests pursued by the controller where the processing is based on point (f) of Article 6(1);

(d) a description of categories of data subjects and of the categories of personal data relating to them;

(e) the recipients or categories of recipients of the personal data, including the controllers to whom personal data are disclosed for the legitimate interest pursued by them;

(f) where applicable, transfers of data to a third country or an international organisation, including the identification of that third country or international organisation and, in case of transfers referred to in point (h) of Article 44(1), the documentation of appropriate safeguards;

(g) a general indication of the time limits for erasure of the different categories of data;

(h) the description of the mechanisms referred to in Article 22(3).

3. The controller and the processor and, if any, the controller's representative, shall make the documentation available, on request, to the supervisory authority.

5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the documentation referred to in paragraph 1, to take account of in particular the responsibilities of the controller and the processor and, if any, the controller's representative.

6. The Commission may lay down standard forms for the documentation referred to in paragraph 1. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).


Justification:
With the aim of reducing the administrative burden on controllers, Art. 28 replaces the general obligation to notify individual processing operations to the supervisory authority under Articles 18(1) and 19 of Directive 95/46/EC. However, we believe this new obligation to maintain documentation of all processing operations will involve heavy bureaucratic requirements and therefore seriously risks increasing rather than reducing the administrative burden, compared to the current rules.
We are also concerned that identical obligations apply to data controllers and data processors (which currently are not subject to any notification obligation). This poses a particular problem in the area of cloud computing. Indeed, imposing disproportionate documentation obligations on data processors (identical to the controllers' obligations) risks severely slowing the development and roll-out of new cloud computing offerings and services in Europe.
Moreover, we firmly believe Article 28 conflicts with the principles of accountability and efficiency that are set out in Article 22 of the GDPR, and it should therefore be simplified in order to become effective and proportionate. Only Article 28.2.a and 28.2.b should be maintained, combined with a general duty to keep an inventory and a description of the way the controller ensures that processing operations comply with data protection rules.
Finally, we suggest deleting the possibility for the Commission to adopt delegated and implementing acts.

Proposed Amendment 5





Article 33

Data Protection Impact Assessment

Commission Proposal



Telefónica Proposal


(proposed new text in blue)

(1) Where processing operations present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes, the controller or the processor acting on the controller's behalf shall carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.

(2) The following processing operations in particular present specific risks referred to in paragraph 1:

(a) a systematic and extensive evaluation of personal aspects relating to a natural person or for analysing or predicting in particular the natural person's economic situation, location, health, personal preferences, reliability or behaviour, which is based on automated processing and on which measures are based that produce legal effects concerning the individual or significantly affect the individual; […]

(4) The controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of the processing operations.

(1) Where processing operations present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes, the controller or the processor acting on the controller's behalf shall carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.


(2) The following processing operations in particular present specific risks referred to in paragraph 1:
(a) a systematic and extensive evaluation of personal aspects relating to a natural person or for analysing or predicting in particular the natural person's economic situation, location, health, personal preferences, reliability or behaviour, which is based on automated processing and on which measures are based that produce legal effects concerning the individual or significantly affect the individual; […]
(4) The controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of the processing operations.



Justification:
Data controllers should have flexibility in determining risks under the principle of accountability. Data controllers know the particularities of their products, services or sectors and can better adapt DPIAs to their needs.
A PIA is naturally a duty of the controller; therefore, imposing this obligation also on processors should be questioned, as it could be even more counterproductive, diluting the liabilities between the data controller and the data processor. This poses a particular problem in the area of cloud, where more than ever the responsibilities and roles of the data controller and the data processor must be clearly differentiated.
We call for the removal of the obligation to conduct a PIA of a processing based on profiling, as we do not agree with the fact that profiling per se presents “specific risks”.
Article 33 (4) obliges data controllers to seek the views of data subjects or their representatives (e.g., consumer organisations) on the intended processing of their personal data. This obligation is disproportionate and would create commercial concern for companies developing new products and services in highly competitive markets. Therefore, we suggest its deletion.



Proposed Amendment 6





Article 77

Right to compensation and liability

Commission Proposal



Telefónica Proposal

(proposed new text in blue)


1. Any person who has suffered damage as a result of an unlawful processing operation or of an action incompatible with this Regulation shall have the right to receive compensation from the controller or the processor for the damage suffered.

2. Where more than one controller or processor is involved in the processing, each controller or processor shall be jointly and severally liable for the entire amount of the damage, to the extent that liability has not already been established in the determination of responsibilities envisaged in Article 24.

3. The controller or the processor may be exempted from this liability, in whole or in part, if the controller or the processor proves that they are not responsible for the event giving rise to the damage.



1. Any person who has suffered damage as a result of an unlawful processing operation or of an action incompatible with this Regulation shall have the right to receive compensation from the controller or the processor for the damage suffered.


2. Where more than one controller or processor is involved in the processing, each controller or processor shall be jointly and severally liable for the entire amount of the damage, to the extent that liability has not already been established in the determination of responsibilities envisaged in Article 24.
3. The controller or the processor may be exempted from this liability, in whole or in part, if the controller or the processor proves that it is not responsible for the event giving rise to the damage.





Justification:

Liability should be maintained on the data controller, as is currently the case under Directive 95/46/EC. The controller is the one who has the direct link with the data subject and is the one responsible vis-à-vis the data subject. If the controller considers that any eventual damage was due to the processor's incorrect processing, the data controller will seek compensation from the processor. Furthermore, the controller and the processor normally establish the liability relationship in the contractual arrangements, for cases where the processor does not act as requested by the data controller.


This article instead of helping data subjects creates confusion for controllers, processors and even more importantly for data subjects.

