Protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and the free movement of such data  
2017/0002(COD) - 23/10/2017  

The Committee on Civil Liberties, Justice and Home Affairs adopted the report by Cornelia ERNST (GUE/NGL, DE) on the proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.

The committee recommended that the European Parliament’s position adopted at first reading under the ordinary legislative procedure should amend the Commission proposal as follows.

Scope of the Regulation: Members stated that the Regulation shall also apply to Union agencies carrying out activities which fall within the scope of chapters 4 (judicial cooperation in criminal matters) and 5 (police cooperation) under Title V of Part Three TFEU, including where the founding acts of these Union agencies lay down a standalone data protection regime for the processing of operational personal data. Provisions relating to specific processing of operational personal data contained in the founding acts of these agencies may particularise and complement the application of this Regulation.

The provisions on the specific processing of data contained in the founding acts of the agencies shall clarify and complete the application of the Regulation.

Transfer of personal data between Union institutions and bodies: such a transfer shall only be possible if the data are necessary for the legitimate performance of tasks falling within the competence of the recipient. The controller shall verify the competence of the recipient and provisionally evaluate the necessity for the transfer of such data.

Transmission of personal data to recipients established in the Union: personal data may be transmitted to recipients established in the Union and subject to the General Data Protection Regulation (Regulation (EU) 2016/679) or the national rules adopted pursuant to Directive (EU) 2016/680 only if the controller demonstrates, on the basis of a reasoned request from the recipient, that the transmission is proportionate and necessary for the purposes of serving the public interest such as transparency or good administration and after having demonstrably weighed the various competing interests.

Restrictions: the proposal provides that legal acts adopted on the basis of the Treaties or, for matters concerning the functioning of the Union's institutions or bodies, internal rules laid down by them may restrict the exercise of the rights of the data subject. Members proposed to delete the possibility for Union institutions, bodies, offices and agencies to restrict the exercise of data subjects' rights by way of internal rules.

It is also specified that legal acts adopted on the basis of treaties to restrict the exercise of the rights of the person concerned shall be clear and precise. Their application shall be foreseeable to persons subject to it.

In particular, any legal act shall contain specific provisions at least, where relevant, as to: (i) the purposes of the processing; (ii) the categories of personal data; (iii) the scope of the restriction introduced; (iv) the safeguards to prevent abuse or unlawful access or transfer; (v) the specification of the controller or categories of controllers; (vi) the storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing; (vii) the risks to the rights and freedoms of data subjects; and (viii) the right of data subjects to be informed about the restriction.

Approved certification mechanisms and codes of conduct: under the proposal, the controller should implement technical and organisational measures to ensure that processing is done in accordance with the Regulation, and should be able to demonstrate this.

Members inserted a provision stating that adherence to approved certification mechanisms as referred to in Article 42 of Regulation (EU) 2016/679 may be used as an element by which to demonstrate compliance with the obligations of the controller.

Adherence to an approved code of conduct may be used as an element by which to demonstrate compliance.

Register of processing activities: Union institutions and bodies shall be obliged to keep their records of processing activities in a central register and make the register publicly accessible.

Independent monitoring by the European Data Protection Supervisor (EDPS): all institutions and bodies, including the Court of Justice, shall be subject to independent supervision by the EDPS. Members proposed that the European Parliament and the Council appoint, by common accord, the EDPS for a period of five years, on the basis of a list drawn up jointly by the European Parliament, the Council and the Commission following a public call for candidates.

The EDPS and the national supervisory authorities, acting within the scope of their respective competencies, shall cooperate in the framework of their responsibilities in order to ensure effective and coordinated control of large-scale IT systems or Union bodies, offices or agencies.

Alignment with the General Data Protection Regulation: Members tabled a number of amendments aimed at aligning this proposed Regulation with the General Data Protection Regulation in order to streamline these two texts as much as possible and to ensure that the Union is kept to the same standards as the Member States when it comes to data protection.

The provisions introduced by the Members include the following aspects:

  • principles relating to the processing of operational personal data: for example, data lawfully and fairly processed, collected for specified, explicit and legitimate purposes, kept in a form that enables the data subject to be identified for no longer than necessary, processed to ensure appropriate data security;
  • prohibition of processing of particular categories of data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; processing of genetic and biometric data, data relating to health or a person’s sexual life or sexual orientation;
  • distinction between different categories of data subjects;
  • specific processing conditions;
  • transmission of operational personal data to other Union institutions and bodies;
  • information to be made available or given to the data subject;
  • the right of access of the data subject and limitations of the right of access; right of rectification or erasure;
  • transfer of operational personal data to third countries.

Review clause: no later than 1 June 2021, and every five years thereafter, the Commission shall report on the application of the Regulation, accompanied, if necessary, by appropriate legislative proposals.