
CHAPTER II

EU-Commission

EU-Parliament

Council

Directive 2002/58/EC

PROTECTION OF ELECTRONIC COMMUNICATIONS OF NATURAL AND LEGAL PERSONS AND OF INFORMATION STORED IN THEIR TERMINAL EQUIPMENT 

PROTECTION OF ELECTRONIC COMMUNICATIONS OF NATURAL AND LEGAL PERSONS AND OF INFORMATION PROCESSED BY AND RELATED TO THEIR TERMINAL EQUIPMENT 

PROTECTION OF ELECTRONIC COMMUNICATIONS OF END-USERS AND OF THE INTEGRITY OF THEIR TERMINAL EQUIPMENT 

Article 5

Article 5

Confidentiality of electronic communications data 

Confidentiality of electronic communications 

– unchanged –

Electronic communications data shall be confidential. Any interference with electronic communications data, such as by listening, tapping, storing, monitoring, scanning or other kinds of interception, surveillance or processing of electronic communications data, by persons other than the end-users, shall be prohibited, except when permitted by this Regulation.

1. Electronic communications shall be confidential. Any interference with electronic communications, such as by listening, tapping, storing, monitoring, scanning or other kinds of interception, surveillance or any processing of electronic communications, by persons other than the end-users, shall be prohibited.

1 a.  Confidentiality of electronic communications shall also apply to data related to or processed by terminal equipment.

Electronic communications data shall be confidential. Any interference with electronic communications data, including listening, tapping, storing, monitoring, scanning or other kinds of interception, surveillance and processing of electronic communications data, by anyone other than the end-users concerned, shall be prohibited, except when permitted by this Regulation. 

1. Member States shall ensure the confidentiality of communications and the related traffic data by means of a public communications network and publicly available electronic communications services, through national legislation. In particular, they shall prohibit listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than users, without the consent of the users concerned, except when legally authorised to do so in accordance with Article 15(1). This paragraph shall not prevent technical storage which is necessary for the conveyance of a communication without prejudice to the principle of confidentiality.

Article 6

Permitted processing of electronic communications data 

Lawful processing of electronic communications data 

– unchanged –

1.  Providers of electronic communications networks and services may process electronic communications data if: 

(a) it is necessary to achieve the transmission of the communication, for the duration necessary for that purpose; or 

(b) it is necessary to maintain or restore the security of electronic communications networks and services, or detect technical faults and/or errors in the transmission of electronic communications, for the duration necessary for that purpose. 

1.  Providers of electronic communications networks and services may process electronic communications data only if it is technically necessary to achieve the transmission of the communication, for the duration necessary for that purpose. 

1. Providers of electronic communications networks and services shall be permitted to process electronic communications data only if:

(a) it is necessary to provide an electronic communication service; or 

(b) it is necessary to maintain or restore the security of electronic communications networks and services, or detect technical faults, errors, security risks or attacks on electronic communications networks and services; 

1 b.  Providers of electronic communications networks and services or other parties acting on behalf of the provider or the end-user may process electronic communications data only if it is technically necessary to maintain or restore the availability, integrity, confidentiality and security of the respective electronic communications network or services, or to detect technical faults and/or errors in the transmission of electronic communications, for the duration necessary for that purpose.

(c) it is necessary to detect or prevent security risks or attacks on end-users’ terminal equipment; 

(d) it is necessary for compliance with a legal obligation to which the provider is subject laid down by Union or Member State law, which respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the safeguarding against and the prevention of threats to public security. 

2.  Providers of electronic communications services may process electronic communications metadata if: 

(a)  it is necessary to meet mandatory quality of service requirements pursuant to [Directive establishing the European Electronic Communications Code] or Regulation (EU) 2015/2120 for the duration necessary for that purpose; or 

(b)  it is necessary for billing, calculating interconnection payments, detecting or stopping fraudulent, or abusive use of, or subscription to, electronic communications services; or 

(c)  the end-user concerned has given his or her consent to the processing of his or her communications metadata for one or more specified purposes, including for the provision of specific services to such end-users, provided that the purpose or purposes concerned could not be fulfilled by processing information that is made anonymous

2.  Providers of electronic communications services and networks may process electronic communications metadata only if: 

(a)  it is strictly necessary to meet mandatory quality of service requirements pursuant to [Directive establishing the European Electronic Communications Code] or Regulation (EU) 2015/2120 for the duration technically necessary for that purpose; or 

(b)  it is strictly necessary for billing, determining interconnection payments, detecting or stopping fraudulent use of, or subscription to, electronic communications services; or 

(c)  the user concerned has given his or her consent to the processing of his or her communications metadata for one or more specified purposes, including for the provision of specific services to such users, provided that the purpose or purposes concerned could not be fulfilled without the processing of such metadata

2. Electronic communications data shall only be permitted to be processed for the duration necessary for the specified purpose or purposes according to Articles 6 to 6c and if the specified purpose or purposes cannot be fulfilled by processing information that is made anonymous.

3. A third party acting on behalf of a provider of electronic communications network or services may be permitted to process electronic communications data in accordance with Articles 6 to 6c provided that the conditions laid down in Article 28 of Regulation (EU) 2016/679 are met. 

(Article 5) 2. Paragraph 1 shall not affect any legally authorised recording of communications and the related traffic data when carried out in the course of lawful business practice for the purpose of providing evidence of a commercial transaction or of any other business communication.

(2a)  For the purposes of point (c) of paragraph 2, where a type of processing of electronic communications metadata, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, Articles 35 and 36 of Regulation (EU) 2016/679 shall apply.

3. Providers of the electronic communications services may process electronic communications content only: 

– unchanged –

Article 6a [previous art. 6(3)] Permitted processing of electronic communications content 

1. Without prejudice to Article (6) 1, providers of the electronic communications networks and services shall be permitted to process electronic communications content only: 

(a)  for the sole purpose of the provision of a specific service to an end-user, if the end-user or end-users concerned have given their consent to the processing of his or her electronic communications content and the provision of that service cannot be fulfilled without the processing of such content; or 

(b)  if all end-users concerned have given their consent to the processing of their electronic communications content for one or more specified purposes that cannot be fulfilled by processing information that is made anonymous, and the provider has consulted the supervisory authority. Points (2) and (3) of Article 36 of Regulation (EU) 2016/679 shall apply to the consultation of the supervisory authority. 

(a)  for the sole purpose of the provision of a specific service requested by the user, if the user concerned has given his or her consent to the processing of his or her electronic communications content and the provision of that service cannot be fulfilled without the processing of such content by the provider; or 

(b)  if all users concerned have given their consent to the processing of their electronic communications content for one or more specified purposes that cannot be fulfilled by processing information that is made anonymous, and the provider has consulted the supervisory authority. Points (2) and (3) of Article 36 of Regulation (EU) 2016/679 shall apply to the consultation of the supervisory authority.

(a) for the purpose of the provision of a service requested by an end-user for purely individual use if the requesting end-user has given consent and where such requested processing does not adversely affect fundamental rights and interests of another person concerned; or 

(b) if all end-users concerned have given their consent to the processing of their electronic communications content for one or more specified purposes.

2. Prior to the processing in accordance with point (b) of paragraph 1 the provider shall carry out a data protection impact assessment of the impact of the envisaged processing operations on the protection of electronic communications data and consult the supervisory authority if necessary pursuant to Article 36 (1) of Regulation (EU) 2016/679. Article 36 (2) and (3) of Regulation (EU) 2016/679 shall apply to the consultation of the supervisory authority. 

3. Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller. This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.

3a.  The provider of the electronic communications service may process electronic communications data solely for the provision of an explicitly requested service, for purely individual usage, only for the duration necessary for that purpose and without the consent of all users only where such requested processing does not adversely affect the fundamental rights and interests of another user or users.

Article 6b [previous art 6(2)] Permitted processing of electronic communications metadata 

1. Without prejudice to Article (6) 1, providers of electronic communications networks and services shall be permitted to process electronic communications metadata only if:

(a) it is necessary for the purposes of network management or network optimisation, or to meet technical quality of service requirements pursuant to Directive (EU) 2018/1972 or Regulation (EU) 2015/2120; or 

(b) it is necessary for the performance of an electronic communications service contract to which the end-user is party, or if necessary for billing, calculating interconnection payments, detecting or stopping fraudulent, or abusive use of, or subscription to, electronic communications services; or 

(c) the end-user concerned has given consent to the processing of communications metadata for one or more specified purposes; or

(d) it is necessary in order to protect the vital interest of a natural person; or

(e) in relation to metadata that constitute location data, it is necessary for scientific or historical research purposes or statistical purposes, provided that: 

i. such data is pseudonymised;

ii. the processing could not be carried out by processing information that is made anonymous, and the location data is erased or made anonymous when it is no longer needed to fulfil the purpose; and

iii. the location data is not used to determine the nature or characteristics of an end-user or to build a profile of an end-user. 

(f) in relation to metadata other than location data, it is necessary for scientific or historical research purposes or statistical purposes, provided that such processing is in accordance with Union or Member State law and subject to appropriate safeguards, including encryption and pseudonymisation, to protect fundamental rights and the interest of the end-users and is in accordance with paragraph 6 of Article 21 and paragraphs 1, 2 and 4 of Article 89 of Regulation (EU) 2016/679. 

2a. Data processed under point e and f of paragraph 1 of this article may also be used for the development, production and dissemination of official national and European statistics to the extent necessary for this purpose and in accordance, respectively, with national or Union law. 

2. Without prejudice to Article 6 (3), electronic communications metadata processed pursuant to paragraph 1 (e) shall not be shared by the provider with any third party unless it has been made anonymous. 

Article 6c [Previous art 6(2a)] Compatible processing of electronic communications metadata

1. Where the processing for a purpose other than that for which the electronic communications metadata have been collected under paragraph 1 of Articles 6 and 6b is not based on the end-user’s consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 11, the provider of electronic communications networks and services shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the electronic communications metadata are initially collected, take into account, inter alia:

(a) any link between the purposes for which the electronic communications metadata have been collected and the purposes of the intended further processing; 

(b) the context in which the electronic communications metadata have been collected, in particular regarding the relationship between end-users concerned and the provider; 

(c) the nature of the electronic communications metadata as well as the modalities of the intended further processing, in particular where such data or the intended further processing could reveal categories of data, pursuant to Articles 9 or 10 of Regulation (EU) 2016/679;

(d) the possible consequences of the intended further processing for end-users;

(e) the existence of appropriate safeguards, such as encryption and pseudonymisation. 

2. Such processing, if considered compatible, may only take place, provided that:

(a) the processing could not be carried out by processing information that is made anonymous, and electronic communications metadata is erased or made anonymous as soon as it is no longer needed to fulfil the purpose, and 

(b) the processing is limited to electronic communications metadata that is pseudonymised, and 

(c) the electronic communications metadata is not used to determine the nature or characteristics of an end-user or to build a profile of an end-user, which produces legal effects concerning him or her or similarly significantly affects him or her. 

3. For the purposes of paragraph 1 of this Article, the providers of electronic communications networks and services shall not, without prejudice to Article 6 (3), share such data with any third parties, unless it is made anonymous. 

Article 6d – Processing of electronic communications data for the purpose of preventing child sexual abuse

Article 7 – Storage and erasure of electronic communications data

Article 6

1.  Without prejudice to point (b) of Article 6(1) and points (a) and (b) of Article 6(3), the provider of the electronic communications service shall erase electronic communications content or make that data anonymous after receipt of electronic communication content by the intended recipient or recipients. Such data may be recorded or stored by the end-users or by a third party entrusted by them to record, store or otherwise process such data, in accordance with Regulation (EU) 2016/679. 

1.  Without prejudice to Article 6(1b) and points (a) and (b) of Article 6(3), the provider of the electronic communications service shall erase electronic communications content, when it is no longer necessary for the provision of such service, as requested by the user. Such data may be recorded or stored by the users or by a third party entrusted by them to record, store or otherwise process such data. The user may process the data in accordance with Regulation (EU) 2016/679. 

1. The provider of the electronic communications service shall erase electronic communications content or make that data anonymous when it is no longer necessary for the purpose of processing in accordance to article 6 (1) and 6a (1). 

1. Traffic data relating to subscribers and users processed and stored by the provider of a public communications network or publicly available electronic communications service must be erased or made anonymous when it is no longer needed for the purpose of the transmission of a communication without prejudice to paragraphs 2, 3 and 5 of this Article and Article 15(1).

2.  Without prejudice to point (b) of Article 6(1) and points (a) and (c) of Article 6(2), the provider of the electronic communications service shall erase electronic communications metadata or make that data anonymous when it is no longer needed for the purpose of the transmission of a communication

2.  Without prejudice to Article 6(1b) and points (a) and (c) of Article 6(2), the provider of the electronic communications service shall erase electronic communications metadata or make that data anonymous when it is no longer necessary for the provision of such service, as requested by the user

2. Without prejudice to points (b), (c) and (d) of Article 6 (1), points (c), (d), (e), (f), point (g) of Article 6b, Article 6c and points (b) to (g) of Article 8 (1) the provider of the electronic communications service shall erase electronic communications metadata or make that data anonymous when it is no longer needed for the purpose of providing an electronic communication service. 

3. For the purpose of marketing electronic communications services or for the provision of value added services, the provider of a publicly available electronic communications service may process the data referred to in paragraph 1 to the extent and for the duration necessary for such services or marketing, if the subscriber or user to whom the data relate has given his/her consent. Users or subscribers shall be given the possibility to withdraw their consent for the processing of traffic data at any time.

4. The service provider must inform the subscriber or user of the types of traffic data which are processed and of the duration of such processing for the purposes mentioned in paragraph 2 and, prior to obtaining consent, for the purposes mentioned in paragraph 3.

3.  Where the processing of electronic communications metadata takes place for the purpose of billing in accordance with point (b) of Article 6(2), the relevant metadata may be kept until the end of the period during which a bill may lawfully be challenged or a payment may be pursued in accordance with national law. 

3.  Where the processing of electronic communications metadata takes place for the purpose of billing in accordance with point (b) of Article 6(2), strictly necessary metadata may be kept until the end of the period during which a bill may lawfully be challenged or a payment may be pursued in accordance with national law. 

3. Where the processing of electronic communications metadata takes place for the purpose of billing in accordance with point (b) of Article 6b (1), the relevant metadata may be kept until the end of the period during which a bill may lawfully be challenged, or a payment may be pursued in accordance with national law.

4. Union or Member state law may provide that the electronic communications metadata is retained, including under any retention measure that respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society, in order to safeguard the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the safeguarding against and the prevention of threats to public security, for a limited period. The duration of the retention may be extended if threats to public security of the Union or of a Member State persists. 

2. Traffic data necessary for the purposes of subscriber billing and interconnection payments may be processed. Such processing is permissible only up to the end of the period during which the bill may lawfully be challenged or payment pursued.

Article 8 – Protection of information stored in and related to end-users’ terminal equipment 

Article 8 – Protection of information transmitted to, stored in and related to processed by and collected from users’ terminal equipment 

Article 8 – Protection of end-users’ terminal equipment information 

1.  The use of processing and storage capabilities of terminal equipment and the collection of information from end-users’ terminal equipment, including about its software and hardware, other than by the end-user concerned shall be prohibited, except on the following grounds: 

1.  The use of processing and storage capabilities of terminal equipment and the collection of information from end-users’ terminal equipment, including about its software and hardware, other than by the user concerned shall be prohibited, except on the following grounds: 

– unchanged –

(a)  it is necessary for the sole purpose of carrying out the transmission of an electronic communication over an electronic communications network; or 

(b)  the end-user has given his or her consent; or 

(c)  it is necessary for providing an information society service requested by the end-user; or 

(d)  if it is necessary for web audience measuring, provided that such measurement is carried out by the provider of the information society service requested by the end-user. 

(a)  it is strictly necessary for the sole purpose of carrying out the transmission of an electronic communication over an electronic communications network; or 

(b)  the user has given his or her specific consent; or

(c)  it is strictly technically necessary for providing an information society service specifically requested by the user; or 

(d)  if it is technically necessary for measuring the reach of an information society service requested by the user, provided that such measurement is carried out by the provider, or on behalf of the provider, or by a web analytics agency acting in the public interest including for scientific purpose; that the data is aggregated and the user is given a possibility to object; and further provided that no personal data is made accessible to any third party and that such measurement does not adversely affect the fundamental rights of the user; Where audience measuring takes place on behalf of an information society service provider, the data collected shall be processed only for that provider and shall be kept separate from the data collected in the course of audience measuring on behalf of other providers; or 

(a) it is necessary for the sole purpose of providing an electronic communication service; or 

(b) the end-user has given consent; or 

(c) it is strictly necessary for providing a service specifically requested by the end-user; or

(d) if it is necessary for the sole purpose of audience measuring, provided that such measurement is carried out by the provider of the service requested by the end-user, or by a third party, or by third parties jointly on behalf of or jointly with provider of the service requested provided that, where applicable, the conditions laid down in Articles 26 or 28 of Regulation (EU) 2016/679 are met; or 

(da)  it is necessary to ensure security, confidentiality, integrity, availability and authenticity of the terminal equipment of the end-user, by means of updates, for the duration necessary for that purpose, provided that:

(i)   this does not in any way change the functionality of the hardware or software or the privacy settings chosen by the user;

(ii)   the user is informed in advance each time an update is being installed; and

(iii)   the user has the possibility to postpone or turn off the automatic installation of these updates;

(db)  in the context of employment relationships, it is strictly technically necessary for the execution of an employee’s task, where:

(i) the employer provides and/or is the user of the terminal equipment;

(ii) the employee is the user of the terminal equipment; and

(iii) it is not further used for monitoring the employee.

(da) it is necessary to maintain or restore the security of information society services or terminal equipment of the end-user, prevent fraud or prevent or detect technical faults for the duration necessary for that purpose; or 

(e) it is necessary for a software update provided that: 

(i) such update is necessary for security reasons and does not in any way change the privacy settings chosen by the end-user, 

(ii) the end-user is informed in advance each time an update is being installed, and 

(iii) the end-user is given the possibility to postpone or turn off the automatic installation of these updates; or 

(f) it is necessary to locate terminal equipment when an end-user makes an emergency communication either to the single European emergency number ‘112’ or a national emergency number, in accordance with Article 13(3). 

(g) where the processing for purpose other than that for which the information has been collected under this paragraph is not based on the end-user’s consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 11 the person using processing and storage capabilities or collecting information processed by or emitted by or stored in the end-users’ terminal equipment shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the electronic communications data are initially collected, take into account, inter alia: 

(i) any link between the purposes for which the processing and storage capabilities have been used or the information have been collected and the purposes of the intended further processing;

(ii) the context in which the processing and storage capabilities have been used or the information have been collected, in particular regarding the relationship between end-users concerned and the provider; 

(iii) the nature the processing and storage capabilities or of the collecting of information as well as the modalities of the intended further processing, in particular where such intended further processing could reveal categories of data, pursuant to Article 9 or 10 of Regulation (EU) 2016/679;

(iv) the possible consequences of the intended further processing for end-users;

(v) the existence of appropriate safeguards, such as encryption and pseudonymisation. 

(h) Such further processing in accordance with paragraph 1 (g), if considered compatible, may only take place, provided that: 

(i) the information is erased or made anonymous as soon as it is no longer needed to fulfil the purpose,

(ii) the processing is limited to information that is pseudonymised, and

(iii) the information is not used to determine the nature or characteristics of an end-user or to build a profile of an end-user.

(i) For the purposes of paragraph 1 (g) and (h), data shall not be shared with any third parties unless the conditions laid down in Article 28 of Regulation (EU) 2016/697 are met, or data is made anonymous. 

1a.  No user shall be denied access to any information society service or functionality, regardless of whether this service is remunerated or not, on grounds that he or she has not given his or her consent under Article 8(1)(b) to the processing of personal information and/or the use of processing or storage capabilities of his or her terminal equipment that is not necessary for the provision of that service or functionality.

2.  The collection of information emitted by terminal equipment to enable it to connect to another device and, or to network equipment shall be prohibited, except if: 

2.  The processing of information emitted by terminal equipment to enable it to connect to another device and, or to network equipment shall be prohibited, except if: 

2. The collection of information emitted by terminal equipment of the end-user to enable it to connect to another device and, or to network equipment shall be prohibited, except on the following grounds

(a)  it is done exclusively in order to, for the time necessary for, and for the purpose of establishing a connection; or 

(a)  it is done exclusively in order to, for the time necessary for, and for the sole purpose of establishing a connection requested by the user; or 

(a) it is done exclusively in order to, for the time necessary for, and for the purpose of establishing or maintaining a connection; or 

(aa)  the user has been informed and has given consent; or

(ab)  the risks are mitigated.

(b)  a clear and prominent notice is displayed informing of, at least, the modalities of the collection, its purpose, the person responsible for it and the other information required under Article 13 of Regulation (EU) 2016/679 where personal data are collected, as well as any measure the end-user of the terminal equipment can take to stop or minimise the collection.

– deleted –

(b) the end-user has given consent; or 

(c) it is necessary for the purpose of statistical purposes that is limited in time and space to the extent necessary for this purpose and the data is made anonymous or erased as soon as it is no longer needed for this purpose,

(d) it is necessary for providing a service requested by the end-user. 

The collection of such information shall be conditional on the application of appropriate technical and organisational measures to ensure a level of security appropriate to the risks, as set out in Article 32 of Regulation (EU) 2016/679, have been applied. 

– deleted –

2a.  For the purpose of points (d) of paragraph 1 and (ab) of paragraph 2, the following controls shall be implemented to mitigate the risks:

(a)   the purpose of the data collection from the terminal equipment shall be restricted to mere statistical counting; and

(b)   the processing shall be limited in time and space to the extent strictly necessary for this purpose; and

(c)   the data shall be deleted or anonymised immediately after the purpose is fulfilled; and

(d)   the users shall be given effective possibilities to object that do not affect the functionality of the terminal equipment.

2a. For the purpose of paragraph 2 points (b) and (c), a clear and prominent notice shall be displayed informing of, at least, the modalities of the collection, its purpose, the person responsible for it and the other information required under Article 13 of Regulation (EU) 2016/679 where personal data are collected, as well as any measure the end-user of the terminal equipment can take to stop or minimise the collection. 

2b.  The information referred to in points (aa) and (ab) of paragraph 2 shall be conveyed in a clear and prominent notice setting out, at the least, details of how the information will be collected, the purpose of processing, the person responsible for it and other information required under Article 13 of Regulation (EU) 2016/679, where personal data are collected. The collection of such information shall be conditional on the application of appropriate technical and organisational measures to ensure a level of security appropriate to the risks, as set out in Article 32 of Regulation (EU) 2016/679.

2b. For the purpose of paragraph 2 points (b) and (c), the collection of such information shall be conditional on the application of appropriate technical and organisational measures to ensure a level of security appropriate to the risks, as set out in Article 32 of Regulation (EU) 2016/679, have been applied. 

3.  The information to be provided pursuant to point (b) of paragraph 2 may be provided in combination with standardized icons in order to give a meaningful overview of the collection in an easily visible, intelligible and clearly legible manner. 

3.  The information to be provided pursuant to paragraph 2b may be provided in combination with standardized icons in order to give a meaningful overview of the collection in an easily visible, intelligible and clearly legible manner. 

3. The information to be provided pursuant to paragraph 2a may be provided in combination with standardized icons in order to give a meaningful overview of the collection in an easily visible, intelligible and clearly legible manner. 

4. The Commission shall be empowered to adopt delegated acts in accordance with Article 25 determining the information to be presented by the standardized icon and the procedures for providing standardized icons. 

Article 9 – Consent

– gelöscht / deleted – 

1.  The definition of and conditions for consent provided for under Articles 4(11) and 7 of Regulation (EU) 2016/679/EU shall apply. 

1.  The definition of and conditions for consent provided for in Regulation (EU) 2016/679/EU shall apply. 

– gelöscht / deleted – 

(Article 2) (f) “consent” by a user or subscriber corresponds to the data subject’s consent in Directive 95/46/EC;

2.  Without prejudice to paragraph 1, where technically possible and feasible, for the purposes of point (b) of Article 8(1), consent may be expressed by using the appropriate technical settings of a software application enabling access to the internet

2.  Without prejudice to paragraph 1, where technically possible and feasible, for the purposes of point (b) of Article 8(1), consent may be expressed or withdrawn by using technical specifications for electronic communications services or information society services which allow for specific consent for specific purposes and with regard to specific service providers actively selected by the user in each case, pursuant to paragraph 1. When such technical specifications are used by the user’s terminal equipment or the software running on it, they may signal the user’s choice based on previous active selections by him or her. These signals shall be binding on, and enforceable against, any other party. 

– gelöscht / deleted – 

3.  End-users who have consented to the processing of electronic communications data as set out in point (c) of Article 6(2) and points (a) and (b) of Article 6(3) shall be given the possibility to withdraw their consent at any time as set forth under Article 7(3) of Regulation (EU) 2016/679 and be reminded of this possibility at periodic intervals of 6 months, as long as the processing continues. 

3.  Users who have consented to the processing of electronic communications data as set out in point (c) of Article 6(2) and points (a) and (b) of Article 6(3), point (b) of Article 8(1) and point (aa) of Article 8(2) shall be given the possibility to withdraw their consent at any time as set forth under Article 7(3) of Regulation (EU) 2016/679 as long as the processing continues. 

– gelöscht / deleted – 

3 a.  Any processing based on consent must not adversely affect the rights and freedoms of individuals whose personal data are related to or transmitted by the communication, in particular their rights to privacy and the protection of personal data.

Article 10 – Information and options for privacy settings to be provided

– gelöscht / deleted – 

1.   Software placed on the market permitting electronic communications, including the retrieval and presentation of information on the internet, shall offer the option to prevent third parties from storing information on the terminal equipment of an end-user or processing information already stored on that equipment. 

1.   Software placed on the market permitting electronic communications, including the retrieval and presentation of information on the internet, shall:

(a)  by default, have privacy protective settings activated to prevent other parties from transmitting to or storing information on the terminal equipment of a user and from processing information already stored on or collected from that equipment, except for the purposes laid down by Article 8(1), points (a) and (c);

(b)  upon installation, inform and offer the user the possibility to change or confirm the privacy settings options defined in point (a) by requiring the user’s consent to a setting and offer the option to prevent other parties from processing information transmitted to, already stored on or collected from the terminal equipment for the purposes laid down by Article 8(1) points (a), (c), (d) and (da);

(c)  offer the user the possibility to express specific consent through the settings after the installation of the software.

– gelöscht / deleted – 

2.  Upon installation, the software shall inform the end-user about the privacy settings options and, to continue with the installation, require the end-user to consent to a setting.

Before the first use of the software, the software shall inform the user about the privacy settings and the available granular setting options according to the information society service accessed. These settings shall be easily accessible during the use of the software and presented in a manner that gives the user the possibility for making an informed decision. 

– gelöscht / deleted – 

1a.  For the purpose of:

(a) points (a) and (b) of paragraph 1, 

(b) giving or withdrawing consent pursuant to Article 9(2) of this Regulation, and 

(c) objecting to the processing of personal data pursuant to Article 21(5) of Regulation (EU) 2017/679,

the settings shall lead to a signal based on technical specifications which is sent to the other parties to inform them about the user’s intentions with regard to consent or objection. This signal shall be legally valid and be binding on, and enforceable against, any other party. 

1b.  In accordance with Article 9 paragraph 2, such software shall ensure that a specific information society service may allow the user to express specific consent. A specific consent given by a user pursuant to point (b) of Article 8(1) shall prevail over the existing privacy settings for that particular information society service. Without prejudice to paragraph 1, where a specified technology has been authorised by the data protection board for the purposes of point (b) of Article 8(1), consent may be expressed or withdrawn at any time both from within the terminal equipment and by using procedures provided by the specific information society service.

3.  In the case of software which has already been installed on 25 May 2018, the requirements under paragraphs 1 and 2 shall be complied with at the time of the first update of the software, but no later than 25 August 2018

3.  In the case of software which has already been installed on [xx.xx.xxxx], the requirements under paragraphs 1, 1a and 1b shall be complied with at the time of the first update of the software, but no later than six months after [the date of entry into force of this Regulation]

– gelöscht / deleted – 

Article 11 – Restrictions

– gelöscht / deleted –

– unverändert / unchanged – 

1.  Union or Member State law may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 5 to 8 where such a restriction respects the essence of the fundamental rights and freedoms and is a necessary, appropriate and proportionate measure in a democratic society to safeguard one or more of the general public interests referred to in Article 23(1)(a) to (e) of Regulation (EU) 2016/679 or a monitoring, inspection or regulatory function connected to the exercise of official authority for such interests.

– gelöscht / deleted –

1. Union or Member State law may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 5 to 8 where such a restriction respects the essence of the fundamental rights and freedoms and is a necessary, appropriate and proportionate measure in a democratic society to safeguard one or more of the general public interests referred to in Article 23(1) (c) to (e), (i) and (j) of Regulation (EU) 2016/679 or a monitoring, inspection or regulatory function connected to the exercise of official authority for such interests.

1a. Article 23 (2) of Regulation (EU) 2016/679 shall apply to any legislative measures referred to in paragraph 1. 

2.  Providers of electronic communications services shall establish internal procedures for responding to requests for access to end-users’ electronic communications data based on a legislative measure adopted pursuant to paragraph 1. They shall provide the competent supervisory authority, on demand, with information about those procedures, the number of requests received, the legal justification invoked and their response.

– gelöscht / deleted –

– unverändert / unchanged – 

Article 11a – Restrictions on the rights of the user

1. Union or Member State law to which the provider is subject may restrict by way of a legislative measure the scope of the obligations and principles relating to processing of electronic communications data provided for in Articles 6, 7 and 8 of this Regulation in so far as its provisions correspond to the rights and obligations provided for in Regulation (EU) 2016/679, when such a restriction fully respects the essence of the fundamental rights and freedoms and is a necessary, appropriate and proportionate measure in a democratic society to safeguard one or more of the general public interests referred to in Article 23(1)(a) to (d) of Regulation (EU) 2016/679.

2. In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions at least, where relevant, pursuant to Article 23(2) of Regulation (EU) 2016/679.

Application of certain provisions of Directive 95/46/EC

1. Member States may adopt legislative measures to restrict the scope of the rights and obligations provided for in Article 5, Article 6, Article 8(1), (2), (3) and (4), and Article 9 of this Directive when such restriction constitutes a necessary, appropriate and proportionate measure within a democratic society to safeguard national security (i.e. State security), defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system, as referred to in Article 13(1) of Directive 95/46/EC. To this end, Member States may, inter alia, adopt legislative measures providing for the retention of data for a limited period justified on the grounds laid down in this paragraph. All the measures referred to in this paragraph shall be in accordance with the general principles of Community law, including those referred to in Article 6(1) and (2) of the Treaty on European Union.

Article 11b – Restrictions on confidentiality of communications

 Union or Member State law may restrict by way of a legislative measure the scope of the rights provided for in Article 5 where such a restriction fully respects the essence of the fundamental rights and freedoms and is a necessary, appropriate and proportionate measure in a democratic society to safeguard one or more of the following general public interests:

(a)   national security;

(b)   defence;

(c)   public security;

(d)  the prevention, investigation, detection or prosecution of serious criminal offences, unauthorised use of electronic communication systems or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

2.  In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions at least, where relevant, pursuant to Article 23(2) of Regulation (EU) 2016/679.

Article 11c – Documentation and reporting of restrictions

1.   Providers of electronic communications services shall keep documentation about requests made by competent authorities to access communications content or metadata pursuant to Article 11b(2). This documentation shall include for each request:

(a) the in-house staff member who handled the request;

(b) the identity of the body making the request;

(c) the purpose for which the information was sought;

(d) the date and time of the request;

(e) the legal basis and authority for the request, including the identity and status or function of the official submitting the request;

(f) the judicial authorisation of the request;

(g) the number of users to whose data the request related;

(h) the data provided to the requesting authority; and

(i) the period covered by the data.

The documentation shall be made available to the competent supervisory authority upon request.

2.   Providers of electronic communications services shall publish once per year a report with statistical information about data access requests by law enforcement authorities pursuant to Articles 11a and 11b. The report shall include, at least:

(a) the number of requests;

(b) the categories of purposes for the request;

(c) the categories of data requested;

(d) the legal basis and authority for the request;

(e) the number of users to whose data the request related;

(f) the period covered by the data;

(g) the number of negative and positive responses to those requests.

3.   Member States’ competent authorities shall publish once per year a report with statistical information per month about data access requests pursuant to Articles 11a and 11b, including requests that were not authorised by a judge, including, but not limited to, the following points:

(a) the number of requests;

(b) the categories of purposes for the request;

(c) the categories of data requested;

(d) the legal basis and authority for the request;

(e) the number of users to whose data the request related;

(f) the period covered by the data;

(g) the number of negative and positive responses to those requests.

The reports shall also contain statistical information per month about any other restrictions pursuant to Articles 11a and 11b. 

2. The provisions of Chapter III on judicial remedies, liability and sanctions of Directive 95/46/EC shall apply with regard to national provisions adopted pursuant to this Directive and with regard to the individual rights derived from this Directive.

3. The Working Party on the Protection of Individuals with regard to the Processing of Personal Data instituted by Article 29 of Directive 95/46/EC shall also carry out the tasks laid down in Article 30 of that Directive with regard to matters covered by this Directive, namely the protection of fundamental rights and freedoms and of legitimate interests in the electronic communications sector.
