PUBLIC COUNCIL OF THE EUROPEAN UNION. Brussels, 6 June 2014 (OR. en) 10615/14 Interinstitutional File: 2012/0011 (COD) LIMITE


COUNCIL OF THE EUROPEAN UNION
Brussels, 6 June 2014 (OR. en)
PUBLIC
10615/14
Interinstitutional File: 2012/0011 (COD)
LIMITE
DATAPROTECT 91 JAI 434 MI 484 DRS 78 DAPIX 81 FREMP 115 COMIX 303 CODEC 1407

NOTE
From: Presidency
To: Working Group on Information Exchange and Data Protection (DAPIX)
Subject: Proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (general data protection regulation) - Processor (Revision of Article 26)

Delegations will find attached the Presidency's revised proposals regarding Article 26.

10615/14 CHS/np 1 DG D 2B LIMITE EN

ANNEX

63a) To ensure compliance with the requirements of this Regulation in respect of the processing to be carried out by the processor on behalf of the controller, when entrusting a processor with processing activities, the controller should use only processors providing sufficient guarantees, in particular in terms of expert knowledge, reliability and resources, to implement technical and organisational measures which will meet the requirements of this Regulation, including for the security of processing. Such sufficient guarantees may be demonstrated by means of adherence of the processor to a code of conduct or a certification mechanism. The carrying out of processing by a processor should be governed by a contract or other legal act under Union or Member State law, binding the processor to the controller, setting out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, taking into account the specific tasks and responsibilities of the processor in the context of the processing to be carried out and the risks for the rights and freedoms of the data subject. The controller and processor may choose to use an individual contract or standard contractual clauses which are either adopted by the Commission or by a supervisory authority in accordance with the consistency mechanism and adopted by the Commission, or which are part of a certification granted in the certification mechanism. After the completion of the processing on behalf of the controller, the processor should return or delete the personal data, unless there is a requirement to store the data under Union or Member State law to which the processor is subject.

Article 26
Processor

1. ( ) [1] The controller shall use only processors providing sufficient guarantees [2] to implement appropriate technical and organisational measures ( ) in such a way that the processing will meet the requirements of this Regulation ( ) [3].

2. [4] The carrying out of processing by a processor shall be governed by a contract or other legal act [5] binding the processor to the controller, setting out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects (..) and stipulating in particular that the processor shall:

(a) process the personal data only on instructions from the controller ( ), unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of the Union or Member State law which imposes that processing, unless that law prohibits such information on important grounds of public interest [6];

Footnotes 1-6: DE proposed starting the sentence by stating that the controller shall be responsible for ensuring compliance with data protection rules. Some delegations thought it should be explicitly stated that the rights of the data subject and the right to compensation for damages must be asserted against the controller. DK and FR thought the 'sufficient guarantees' should be detailed. The latter part of the article was deleted as it added nothing substantial: IE, NL and SE. DE thought it could be put in a separate sentence. Some delegations (UK, IE) thought this requirement was too onerous for one-off transactions especially in the case of single traders/practitioners or SMEs who used services of a subcontractor. FR wanted to know what was meant by an other legal act. SE thought a recital should clarify it could cover Member State legislation. AT suggested that the details referred to for the contract should also apply to 'other legal act'. Further to PT suggestion. Several delegations (ES, FR, PT) were concerned about the possibility for Member State law to restrict the possibility of prohibiting such notification.

(b) ( )

(c) take all ( ) measures required pursuant to Article 30;

(d) [7] determine the conditions for enlisting another processor ( ), such as a requirement of specific prior permission of the controller [8];

(e) as far as ( ) possible, taking into account the nature of the processing [9], assist the controller in responding to requests for exercising the data subject's rights laid down in Chapter III;

(f) determine how the controller is to be assisted in ensuring compliance with the obligations pursuant to Articles 30 to 34;

(g) return or delete, at the choice of the controller, the personal data after the completion [10] of the processing specified in the contract or other legal act, unless there is a requirement to store the data under Union or Member State law to which the processor is subject;

(h) make available to the controller ( ) all information [11] necessary to demonstrate compliance with the obligations laid down in this Article.

Footnotes 7-11: UK thought this overlapped with other parts of the Regulation (Article 26(2)(a) and 30). DE thought the requirement should have been limited to establishment of contractual relationships. AT and SK scrutiny reservation: SK thought there were many questions surrounding the relation with this 'secondary' processor. BE had suggested to draw inspiration from Article 11(1) of Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC. FR thought this was unclear and should possibly be replaced by a reference to risk. IT thought different types of risk could be referred to here. FR, ES and NL request that there should be an obligation to return the data. DE referred to 'the principal's rights of supervision and the contractor's corresponding rights of tolerance and involvement', for instance rights of entry, certified auditor's obligations to report periodically.

2a. Where a processor enlists by way of a contract or other legal act another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor as referred to in paragraph 2 shall be imposed on that other processor, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a way that the processing will meet the requirements of this Regulation. Where that other processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor's obligations.

2aa. The provision of sufficient guarantees referred to in paragraphs 1 and 2a may be demonstrated by means of adherence of the processor to a code of conduct pursuant to Article 38 or a certification mechanism pursuant to Article 39.

2ab. Without prejudice to an individual contract between the controller and the processor, the contract or the other legal act referred to in paragraphs 2 and 2a may be based, in whole or in parts [12], on standard contractual clauses referred to in paragraphs 2b and 2c or on standard contractual clauses which are part of a certification granted to the controller or processor pursuant to Articles 39 and 39a [13].

2b. The Commission may lay down standard contractual clauses for the matters referred to in paragraph 2 and 2a and in accordance with the examination procedure referred to in Article 87(2) [14].

Footnotes 12-14: ES suggestion. IE reservation. PL was worried about a scenario in which the Commission would not act. CY and FR were opposed to conferring this role to COM (FR could possibly accept it for the EDPB).

2c. A supervisory authority may adopt standard contractual clauses for the matters referred to in paragraph 2 and 2a and in accordance with the consistency mechanism referred to in Article 57.

3. The contract or the other legal act referred to in paragraphs 2 and 2a shall be in writing, including in an electronic form.

4. ( )

5. ( ) [15]

Footnote 15: COM reservation on deletion.