Navegaci贸n
RGPD > Art铆culo聽11. Tratamiento que no requiere identificaci贸n
Descargar PDF

Art铆culo聽11 RGPD. Tratamiento que no requiere identificaci贸n

Article 11 GDPR. Processing which does not require identification

1. Si los fines para los cuales un responsable trata datos personales no requieren o ya no requieren la identificaci贸n de un interesado por el responsable, este no estar谩 obligado a mantener, obtener o tratar informaci贸n adicional con vistas a identificar al interesado con la 煤nica finalidad de cumplir el presente Reglamento.

1. If the purposes for which a controller processes personal data do not or do no longer require the identification of a data subject by the controller, the controller shall not be obliged to maintain, acquire or process additional information in order to identify the data subject for the sole purpose of complying with this Regulation.

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph to article 11(1) GDPR:

7.4.5 PII de-identification and deletion at the end of processing

Control

The organization should either delete PII or render it in a form which does not permit identification or re-identification of PII principals, as soon as the original PII is no longer necessary for the identified purpose(s).


para acceder al texto completo

2. Cuando, en los casos a que se refiere el apartado聽1 del presente art铆culo, el responsable sea capaz de demostrar que no est谩 en condiciones de identificar al interesado, le informar谩 en consecuencia, de ser posible. En tales casos no se aplicar谩n los art铆culos聽15 a聽20, excepto cuando el interesado, a efectos del ejercicio de sus derechos en virtud de dichos art铆culos, facilite informaci贸n adicional que permita su identificaci贸n.

2. Where, in cases referred to in paragraph 1 of this Article, the controller is able to demonstrate that it is not in a position to identify the data subject, the controller shall inform the data subject accordingly, if possible. In such cases, Articles 15 to 20 shall not apply except where the data subject, for the purpose of exercising his or her rights under those articles, provides additional information enabling his or her identification.

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraphs to article 11(2) GDPR:

7.3.2 Determining information for PII principals

Control

The organization should determine and document the information to be provided to PII principals regarding the processing of their PII and the timing of such a provision.

Implementation guidance

The organization should determine the legal, regulatory and/or business requirements for when information is to be provided to the PII principal (e.g. prior to processing, within a certain time from when it is requested, etc.) and for the type of information to be provided.

Depending on the requirements, the information can take the form of a notice. Examples of types of information that can be provided to PII principals are:

 


para acceder al texto completo

Textos enlazados
Considerandos Deja un comentario
Considerandos

(57) Si los datos personales tratados por un responsable no le permiten identificar a una persona f铆sica, el responsable no debe estar obligado a obtener informaci贸n adicional para identificar al interesado con la 煤nica finalidad de cumplir cualquier disposici贸n del presente Reglamento. No obstante, el responsable del tratamiento no debe negarse a recibir informaci贸n adicional facilitada por el interesado a fin de respaldarle en el ejercicio de sus derechos. La identificaci贸n debe incluir la identificaci贸n digital de un interesado, por ejemplo mediante un mecanismo de autenticaci贸n, como las mismas credenciales, empleadas por el interesado para abrir una sesi贸n en el servicio en l铆nea ofrecido por el responsable.

(57) If the personal data processed by a controller do not permit the controller to identify a natural person, the data controller should not be obliged to acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation. However, the controller should not refuse to take additional information provided by the data subject in order to support the exercise of his or her rights. Identification should include the digital identification of a data subject, for example through authentication mechanism such as the same credentials, used by the data subject to log-in to the on-line service offered by the data controller.

(64) El responsable del tratamiento debe utilizar todas las medidas razonables para verificar la identidad de los interesados que soliciten acceso, en particular en el contexto de los servicios en l铆nea y los identificadores en l铆nea. El responsable no debe conservar datos personales con el 煤nico prop贸sito de poder responder a posibles solicitudes.

(64) The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers. A controller should not retain personal data for the sole purpose of being able to react to potential requests.

Deja un comentario
[js-disqus]