Protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and the free movement of such data  
2017/0002(COD) - 13/09/2018  

The European Parliament adopted by 527 votes to 51, with 27 abstentions, a legislative resolution on the proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.

The European Parliament’s position adopted at first reading under the ordinary legislative procedure amended the Commission proposal as follows:

Scope: the Regulation would apply to the processing of personal data by all Union institutions, bodies, offices and agencies when carrying out activities which fall within the scope of Chapters 4 (judicial cooperation in criminal matters) and 5 (police cooperation) of Title V of Part Three of the TFEU for the purpose of the prevention, investigation, detection and prosecution of criminal offences.

However, it shall only apply to Europol or the European Public Prosecutor's Office once the legal acts establishing Europol and the European Public Prosecutor's Office have been adapted.

The Regulation shall not apply to the processing of personal data by tasks referred to in Articles 42(1), 43 and 44 of the Treaty on European Union, which implement the common security and defence policy.

Transmission of personal data between Union institutions and bodies: personal data shall be processed on the basis of the necessity for the performance of a task carried out in the public interest. The controller shall determine whether there are grounds to believe that such transmission could harm the legitimate interests of the data subject.

Where the controller initiates the transmission under this Article, it shall demonstrate that the transmission of personal data is necessary for and proportionate to the purposes of the transmission.

Union institutions and bodies shall reconcile the right to the protection of personal data with the right of access to documents in accordance with Union law.

Restrictions: the Regulation provides that the legal acts adopted on the basis of the Treaties or, in matters relating to the operation of the Union institutions and bodies, internal rules laid down by the latter may restrict the exercise of the rights of the person concerned.

The internal rules shall be clear and precise acts of general application, adopted at the highest level of management of the Union institutions and bodies and published in the Official Journal of the European Union. These rules shall be foreseeable to persons subject to them, in particular when adopted by Union institutions.

In particular, any legal act or internal rule shall contain specific provisions, where relevant, as to:

  • the purposes of the processing or categories of processing;
  • the categories of personal data;
  • the scope of the restrictions introduced;
  • the safeguards to prevent abuse or unlawful access or transfer;
  • the specification of the controller or categories of controllers;
  • the storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing; and
  • the risks to the rights and freedoms of data subjects.

Special categories of personal data: processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited by the Regulation.

Special categories of personal data which merit higher protection shall be processed for health-related purposes only where necessary to achieve those purposes for the benefit of natural persons and society as a whole, in particular in the context of the management of health or social care services and systems. Therefore, this Regulation shall provide for harmonised conditions for the processing of special categories of personal data concerning health.

European Data Protection Supervisor (EDPS): the amended Regulation stipulates that the European Parliament and the Council shall appoint the European Data Protection Supervisor by common accord for a term of five years, on the basis of a list drawn up by the Commission following a public call for candidates. On the basis of the list drawn up by the Commission, the competent committee of the European Parliament may decide to hold a hearing in order to enable it to express a preference.

The EDPS shall, inter alia, have the following tasks: (i) monitor and enforce the application of this Regulation by Union institutions and bodies, with the exception of the processing of personal data by the Court of Justice acting in its judicial capacity; (ii) advise, on his or her own initiative or on request, all Union institutions and bodies on legislative and administrative measures relating to the protection of natural persons' rights and freedoms with regard to the processing of personal data.

Effective judicial remedy: the Court of Justice shall have jurisdiction to hear all disputes relating to the provisions of this Regulation, including claims for damages. Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.

Prevention and detection of criminal offences (activities falling within the scope of Part Three, Title V, Chapter 4 or 5 of the TFEU): Directive (EU) 2016/680 sets out harmonised rules for the protection and the free movement of personal data processed for the purposes of the prevention, investigation, detection or prosecution of criminal offences or execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

In order to ensure the same level of protection for natural persons through legally enforceable rights throughout the Union, the rules for the protection and the free movement of operational personal data processed by such Union bodies, offices or agencies should be consistent with Directive (EU) 2016/680.