General Data Protection Regulation. Revise the existing directive for the public sector

Similar documents
Less bureaucracy for small scale financial aid

Evaluation of the EU Strategy on Adaptation to Climate Change

Commitments must comply with local and regional autonomy

CEMR Response to the Consultation on the new texts regarding the application of State aid rules to Services of General Economic Interest

CEMR Response to the European Transparency Initiative COM (2006) 194

Transport. Local government is key to achieving Europe s transport system

Application pack. For the position of a junior project officer for the Covenant of Mayors Sub Saharan Africa. Contract until 30 November 2019

Parliament of Romania Chamber of Deputies Committee for information technologies and communications

David Simmonds CEMR spokesperson on Local and regional governments as employers Deputy Leader of the London Borough of Hillingdon (LGA, UK)

REPORT FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT, THE COUNCIL AND THE EUROPEAN ECONOMIC AND SOCIAL COMMITTEE

Paris Summit on climate change: Municipalities and regions as catalysts for success

Financial situation at subnational level in Greece

CEMR RESPONSE. Green Paper on e-procurement. Brussels, January 2011

COUNCIL OF EUROPEAN MUNICIPALITIES AND REGIONS CONSEIL DES COMMUNES ET REGIONS D EUROPE

8. But so far the principle of local and regional self-government has not been properly respected in the EU framework. The problem is not confined to

EU General Data Protection Regulation: are you ready?

UEAPME position on a proposal for a directive on transparent and predictable working conditions in the European Union COM (2017) 797

High Level Meetingon Governance and the EU. Turku 2-3 October 2006

ARTICLE 29 DATA PROTECTION WORKING PARTY

COMMISSION STAFF WORKING DOCUMENT EXECUTIVE SUMMARY OF THE IMPACT ASSESSMENT. Accompanying the document

CEMR position paper on the proposal for a directive on energy efficiency

EU General Data Protection Regulation (GDPR)

Territorial development

Questions & answers to understand what is at stake and how we are responding

GENERAL DATA PROTECTION REGULATION.

THE GENERAL DATA PROTECTION REGULATION: A BRIEF OVERVIEW (*)

GENERAL DATA PROTECTION REGULATION REPORT

INTERNATIONAL WHAT GDPR MEANS FOR RECORDS MANAGEMENT

IMPEL Project Developing a checklist for assessing legislation on practicability and enforceability

Ecommerce Europe. European in cross-border e-commerce. November 2015

Get ready. A Guide to the General Data Protection Regulation (GDPR) elavon.ie

GDPR factsheet Key provisions and steps for compliance

GDPR a legal overview

DER BINNENMARKT IST DER MOTOR DES WIRTSCHAFTSWACHSTUMS

EUROPEAN ECONOMIC AREA

WHAT YOU NEED TO KNOW [WHITE PAPER] ABOUT GDPR HOW TO STAY COMPLIANT

10366/15 VH/np DGD 2C LIMITE EN

The GDPR enforcement deadline is looming are you ready?

ARTICLE 29 Data Protection Working Party

New General Data Protection Regulation - an introduction

The General Data Protection Regulation: What does it mean for you?

Call for tender. CEMR-EPSU joint project Localising the European Semester. About CEMR

Public Internal Control Systems in the European Union

European Association of Co-operative Banks Groupement Européen des Banques Coopératives Europäische Vereinigung der Genossenschaftsbanken

Committee on Industry, Research and Energy Committee on the Internal Market and Consumer Protection

This document is meant purely as a documentation tool and the institutions do not assume any liability for its contents

Our position. Priorities for ensuring balance and focus in the update of the acquis

EU General Data Protection Regulation (GDPR) Tieto s approach and implementation

GDPR Factsheet - Key Provisions and steps for Compliance

The Council of European Municipalities and Regions ASSISTANT TO THE POLICY TEAM

1. Acas (Advisory, Conciliation and Arbitration Service) welcomes the opportunity to respond to the government s consultation on employment status.

EASPD Response to the Green Paper on the modernisation of EU public procurement policy. Towards a more efficient European Procurement Market

IFOAM EU Group. International Federation of Organic Agriculture Movements - EU Regional Group. Rue d'arlon 82, BE-1040 Brussels Tel

COUNCIL OF EUROPEAN MUNICIPALITIES AND REGIONS CONSEIL DES COMMUNES ET REGIONS D EUROPE

Council of the European Union Brussels, 22 May 2017 (OR. en)

- Translation from German -

Proposal for a Directive on Better Enforcement and Modernisation of EU Consumer Protection Rules

ROADMAP. A. Context, Subsidiarity Check and Objectives

Positioning Technology in Working Life

Introduction to the General Data Protection Regulation (GDPR)

Comments on Chapter IV Part I Controller and processor 25/08/2015 Page 1

Framework for Action for the management of small drinking water supplies


Access to information, public participation and access to justice in environmental matters at Community level A Practical Guide

(Legislative acts) REGULATIONS

EU General Data Protection Regulation in the digital age: Are you ready?

INFORSE-Europe s opinion on. Recasting of the Energy Performance of Buildings Directive 2002/91/EC Consultation

A PRACTICAL GUIDE FOR HOW AN ADVERTISER CAN PREPARE FOR GDPR JANUARY 2018

DATA PROTECTION POLICY VERSION 1.0

Introduction to basic principles of Regulation (EC) 45/2001. Sophie Louveaux María Verónica Pérez Asinari

Overcoming Barriers in the field of Authentication and Identification

Relevant provisions of the Bill I would like to highlight for your attention are:

Commission proposal for a Directive on transparent and predictable working conditions BusinessEurope s views

General Data Protection Regulation

Preparation Guide to the New European General Data Protection Regulation

WELSH LANGUAGE STANDARDS: REGULATIONS

TOOL #38. DRAFTING THE EXPLANATORY MEMORANDUM

EUROPEAN COMMISSION DIRECTORATE-GENERAL FOR AGRICULTURE AND RURAL DEVELOPMENT

A summary of the implications of the General Data Protection Regulations (GDPR)

June PUBLIC OVERSIGHT OF THE AUDIT PROFESSION: Enhancing Credibility and Supporting Cooperation

IMPACT OF THE NEW GDPR DIRECTIVE ON OUTSOURCING ARRANGEMENTS

EUROCHAMBRES and UEAPME s amendment proposals on the revision of the Waste Framework Directive

EU data protection reform

Summary. The remit and work of the Inquiry. The remit of the Inquiry

DATA PROTECTION KEY ISSUES OF THE PROPOSED REGULATION

Spanish Banking Association 7 th December 2010 AEB C/ Velazquez, Madrid Spain. Interest Representative Register ID:

The EU General Data Protection Regulation (GDPR) A briefing for the digital advertising industry

Ref. Ares(2016) /04/2016. EU Public Procurement reform: Less bureaucracy, higher efficiency

Council of the European Union Brussels, 19 February 2015 (OR. en)

OPENNESS AND RECEPTIVENESS RESPECTFUL TREATMENT ACCOUNTABILITY CREDIBILITY

Proposal for an Interinstitutional Agreement on a mandatory Transparency Register COM (2016) 627. European Parliament draft negotiating mandate

GSMA comments on the Draft BEREC Report on OTT services (BoR (15) 142)

E U R O P E A N E C O N O M I C A R E A

Personal Protective Equipment

Breaking the myth How your marketing activities can benefit from the GDPR December 2017

GENERAL DATA PROTECTION REGULATION

GD 2016/0082. Council of Ministers. Considerations relating to a single resident record for the Isle of Man

GDPR: what you need to know

CAN GDPR WORK FOR HEALTH SCIENTIFIC RESEARCH? BRUSSELS OCTOBER 22 ND CIPL EFPIA FPF EXECUTIVE SUMMARY

Executive Summary ²²²² DRAFT 00

Transcription:

General Data Protection Regulation Revise the existing directive for the public sector CEMR position on the Commission s proposal on General Data Protection Regulation - COM (2012) 11 final November 2012 Council of European Municipalities and Regions Registered in the Register of Interest Representatives Registration number: 81142561702-61

CEMR key messages CEMR supports a comprehensive reform of the data protection rules to guarantee citizens rights and to boost Europe s digital economy. However, the protection of personal data in the public sector should be legislated by revising the current directive 95/46/EC rather than using the proposed regulation. The private sector can be regulated by modifying the proposed regulation. The proposed regulation would increase heavily the administrative burden and create costs for local and regional authorities without actually benefitting the citizens. The public sector uses personal data for very different purposes from the private sector. The public sector has in all circumstances the responsibility to treat the personal data in a trustworthy way, while the private sector is using the data for commercial purposes. Applying the regulation for the public sector would not have a direct impact on the economic growth in Europe s digital market, because local and regional authorities are not using the data for commercial purposes. Employment conditions should be excluded from the scope of the regulation. The proposed regulation is unclear and raises doubts about how it affects labour law and the procedure in the labour market. The regulation contains several ambiguous articles that need to be clarified. As it stands it gives an unacceptably vague legal basis for treatment of personal data in the future. CEMR is concerned that the Commission would have an extensive power to adopt delegated acts with unknown consequences. If the protection of personal data in the public sector is to be legislated by the proposed regulation, it is vital that the regulation is modified to suit the specificities of the public sector. 2

CEMR position on the European Commission s proposed data protection reform 1. The Commission published on January 25 th 2012 its proposals for a reform of the EU data protection legislation. The CEMR supports in general a comprehensive reform of the data protection rules to guarantee citizens rights and to boost Europe s digital economy. However, the reform must take into consideration the practical resources of local and regional authorities, the differences between the public and private sectors and the reason why they hold and use personal data, as well as the cost of the reform compared to its benefits. 2. The Commission s proposal goes too far in regulating in detail the tasks and responsibilities for the controllers and processors of personal data, creating unnecessary administrative burdens for local and regional authorities. The proposal would increase the costs of local and regional authorities in many ways, which is not acceptable in the current financial situation, especially since the costs of the reform are considered disproportionately high compared to its benefits for the citizens. 3. According to the proposed regulation, local and regional authorities would have to redesign their operational processes related to the collection, maintenance, processing and erasure of personal data. The system would have to be adjusted to the new extensive rights given to the data subjects and to data controllers new responsibilities. These new rights and responsibilities include for example the right to be forgotten, the right to data portability, the obligation to use EU-standard forms, the obligation for electronic processes and protected connections, documentation obligations and requirements in case of data breaches. The proposed regulation would increase heavily the administrative burden and create costs for local and regional authorities without actually benefitting the citizens. 4. Local and regional authorities would also be obliged to carry out impact assessments and risk evaluations and to designate a data protection officer. We believe that it goes beyond the European Commission s competence to regulate the use of human resources in public authorities in such detail. 5. The supervisory authority would be given a power to impose heavy sanctions in cases where the detailed requirements are not fulfilled. These financial sanctions don t suit the public sector, who already under the current directive has the responsibility to treat the data in a trustworthy way and in the best interest of its citizens. Problems that have occurred in the public sector are mostly due to human error and financial sanctions are not the appropriate way in the public sector to solve this problem. The proposed financial sanctions are also disproportionate compared to the budget of local and regional authorities. 6. Furthermore, the proposed regulation gives the Commission an extensive power to adopt delegated acts, which makes the future uncertain for the development of data collecting and processing infrastructures. Many local and regional authorities in the EU have already developed digital services for their citizens. The uncertainty in the proposed reform would hamper the further development of new IT solutions, if local and regional resources would have to be used for adjusting these systems to the requirements set out in the regulation. 3

7. Public sector actors as data controllers operate in a very different environment compared to private or other commercial data controllers. Local and regional authorities collect and process various data that they use in the provision of public services and public (registerbased) research, and citizens rights always have the highest priority when personal data is used. Local and regional authorities use personal data only to the extent which is needed to carry out the service for the citizens and in public register-based research activities. The intention for collecting data is very different in the private sector, where personal data is used for different commercial purposes. 8. The proposed regulation would also affect local and regional authorities as employers. Local and regional authorities are important employers in many countries. The regulation recognizes the labour market as a special area but does not address, for example, the right to collective bargaining. The regulation gives employers certain flexibility regarding the treatment of personal data within the framework of the regulation. However, several Member States have currently more stringent national legislation on the protection of personal information than the current directive requires. The proposed regulation could lead to a situation where some countries would have to loosen their existing requirements for the handling of personal data. 9. Local and regional authorities in Europe support a strong protection of personal data of citizens as well as the objective of boosting Europe s digital economy. However, the problems related to personal data protection and to consumers trust in data controllers are different in the public sector. The responsibility of public sector is to use the personal data in the interest of the citizens and in a trustworthy way. According to our experience, citizens have very rarely the interest to know or change their personal data that are handled by the public authorities. 10. Local and regional authorities don t use the data for commercial purposes and therefore they are not market actors. Applying the proposed regulation to the public sector won t contribute to the economic growth of digital markets as expected by the Commission. 11. Referring to the principle of subsidiarity, the CEMR treats with caution the proposed use of a regulation as the preferred legal instrument, according to which the operational processes of data controllers are regulated in such detail at the EU-level. The CEMR believes that the desired outcome of the data protection reform can be achieved without heavy and strict regulation for the public sector. Therefore: The protection of personal data in the public sector should be legislated by revising the current directive rather than using the proposed regulation. The private sector can be regulated by modifying the proposed regulation. 4

Statements and arguments A) The protection of personal data in the public sector should be improved by revising the current directive (95/46/EC) The proposed regulation has been prepared with a focus on the challenges of data protection in the private sector and on data protection risks related to new types of internet services. These challenges are very different from those that occur for local and regional authorities, whose activities as data controllers are laid down in law. The protection of personal data in the public sector should be improved by revising the current directive and updating it in order to take into account technological developments rather than including the public sector in the scope of the proposed regulation. B) The public sector does not use personal data for commercial purposes Public authorities as data controllers operate in a very different environment compared to private or other commercial actors. Local and regional authorities collect various data that they use in the provision of public services and in public research, and citizens rights are always given the highest priority when personal data is used as required by laws in the Member States. C) The proposed regulation would create costs that are disproportionate to the expected benefits The proposed regulation adds administrative burdens on local and regional authorities. It contains new technical, personnel and administrative requirements, which would create costs that are disproportionate to the expected benefits. The Commission s impact assessment is incomplete because it does not take into account the costs for regional and local authorities. In the current economic crisis where public authorities have difficulties to finance their statutory duties, these costs cannot be justified compared to the potential benefits. See art. 12, 14-18, 22-28 and 30-39 D) The proposed regulation will not improve the protection of publically held personal data compared to the current directive The current directive already allows citizens to see their personal data held in local and regional authorities. At present, individuals very rarely request to see their data that is controlled by local and regional authorities or request this data to be modified. Therefore, the current level of data protection in local and regional authorities is sufficient. See art 12-18 and 30-39. E) Financial sanctions are not the appropriate measure for the public sector The public sector has the responsibility to treat personal data in a trustworthy way. Public authorities do not collect data for the purpose of making an economic profit; therefore financial sanctions are not the appropriate instrument to remedy incorrect treatment of data. Better enforcement of the existing directive and other control mechanisms would be better measures to improve the protection of personal data. See art 79. 5

F) The proposed regulation will not solve the problems with the legal uncertainty of the current directive There is lack of definition in the regulation and the amount of delegated acts will make it even more uncertain in the future. See art 86-87. G) The most problematic articles for local and regional authorities in the regulation are articles 12, 14-18, 22 28, 30-39, 79 and 82, 86-87 These articles go too far in regulating in detail the tasks and responsibilities for local and regional authorities. These requirements increase the costs of local and regional authorities in many ways, which is not acceptable in the current financial situation, especially since the costs of the reform are considered disproportionately high compared to its benefits for citizens. Therefore: The protection of personal data in the public sector should be legislated by revising the current directive rather than using the proposed regulation. The proposed regulation should only apply on the private sector. 6

Contact Alessandro Proia Policy Officer Square De Meeûs 1, B-1000 Bruxelles Tel.: +32 2 500 05 44 Email: alessandro.proia@ccre-cemr.org About CEMR The Council of European Municipalities and Regions (CEMR) is the broadest organisation of local and regional authorities in Europe. Its members are over 50 national associations of municipalities and regions from 40 European countries. Together these associations represent some 150 000 local and regional authorities. CEMR s objectives are twofold: to influence European legislation on behalf of local and regional authorities and to provide a platform for exchange between its members associations and their elected officials and experts. CEMR is the European section of United Cities and Local Governments (UCLG), the worldwide organisation of local government. www.ccre.org

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback