Navegaci贸n
RGPD > Art铆culo聽24. Objeto
Descargar PDF

Art铆culo聽24 RGPD. Objeto

Article 24 GDPR. Subject-matter and objectives

1. Teniendo en cuenta la naturaleza, el 谩mbito, el contexto y los fines del tratamiento as铆 como los riesgos de diversa probabilidad y gravedad para los derechos y libertades de las personas f铆sicas, el responsable del tratamiento aplicar谩 medidas t茅cnicas y organizativas apropiadas a fin de garantizar y poder demostrar que el tratamiento es conforme con el presente Reglamento. Dichas medidas se revisar谩n y actualizar谩n cuando sea necesario.

1. Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph to article 24(1) GDPR:

7.2.8 Records related to processing PII

Control

The organization should determine and securely maintain the necessary records in support of its obligations for the processing of PII.

Implementation guidance

A way to maintain records of the processing of PII is to have an inventory or list of the PII processing activities that the organization performs.


para acceder al texto completo

Textos enlazados

2. Cuando sean proporcionadas en relaci贸n con las actividades de tratamiento, entre las medidas mencionadas en el apartado聽1 se incluir谩 la aplicaci贸n, por parte del responsable del tratamiento, de las oportunas pol铆ticas de protecci贸n de datos.

2. Where proportionate in relation to processing activities, the measures referred to in paragraph聽1 shall include the implementation of appropriate data protection policies by the controller.

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added a requirement additional to ISO/IEC 27002, section 5.1.1.

Here is the relevant paragraph to article 24(2) GDPR:

6.2.1.1 Policies for information security

Implementation guidance

Either by the development of separate privacy policies, or by the augmentation of information security policies, the organization should produce a statement concerning support for and commitment to achieving compliance with applicable PII protection legislation and/or regulation and with the contractual terms agreed between the organization and its partners, its subcontractors and its applicable third parties (customers, suppliers etc.), which should clearly allocate responsibilities between them.


para acceder al texto completo

3. La adhesi贸n a c贸digos de conducta aprobados a tenor del art铆culo聽40 o a un mecanismo de certificaci贸n aprobado a tenor del art铆culo聽42 podr谩n ser utilizados como elementos para demostrar el cumplimiento de las obligaciones por parte del responsable del tratamiento.

3. Adherence to approved codes of conduct as referred to in Article聽40 or approved certification mechanisms as referred to in Article聽42 may be used as an element by which to demonstrate compliance with the obligations of the controller.

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added a requirement additional to ISO/IEC 27001, section 4.1.

Here is the relevant paragraph to article 24(3) GDPR:

5.2.1 Understanding the organization and its context

The organization shall include among its interested parties (see ISO/IEC 27001:2013, 4.2), those parties having interests or responsibilities associated with the processing of PII, including the PII principals.


para acceder al texto completo

Textos enlazados
Comentario de expertos Considerandos Ley de Directrices y caso Deja un comentario
Comentario de expertos

(EN) A controller is a person or an organization that determines the personal data to process and the purposes and means of the processing (Article 4(7)). The definition rightly points to the decision-making capacity of the entity that 鈥decides why and how data will be processed鈥 (ULD Schleswig-Holstein/Wirtschaftsakademie, Opinion of Advocate General).


para acceder al texto completo

(EN) Author
Louis-Philippe Gratton
(EN) Louis-Philippe Gratton PhD, LLM
(EN) Privacy Expert
Considerandos

(74) Debe quedar establecida la responsabilidad del responsable del tratamiento por cualquier tratamiento de datos personales realizado por 茅l mismo o por su cuenta. En particular, el responsable debe estar obligado a aplicar medidas oportunas y eficaces y ha de poder demostrar la conformidad de las actividades de tratamiento con el presente Reglamento, incluida la eficacia de las medidas. Dichas medidas deben tener en cuenta la naturaleza, el 谩mbito, el contexto y los fines del tratamiento as铆 como el riesgo para los derechos y libertades de las personas f铆sicas.

(74) The responsibility and liability of the controller for any processing of personal data carried out by the controller or on the controller's behalf should be established. In particular, the controller should be obliged to implement appropriate and effective measures and be able to demonstrate the compliance of processing activities with this Regulation, including the effectiveness of the measures. Those measures should take into account the nature, scope, context and purposes of the processing and the risk to the rights and freedoms of natural persons.

(75) Los riesgos para los derechos y libertades de las personas f铆sicas, de gravedad y probabilidad variables, pueden deberse al tratamiento de datos que pudieran provocar da帽os y perjuicios f铆sicos, materiales o inmateriales, en particular en los casos en los que el tratamiento pueda dar lugar a problemas de discriminaci贸n, usurpaci贸n de identidad o fraude, p茅rdidas financieras, da帽o para la reputaci贸n, p茅rdida de confidencialidad de datos sujetos al secreto profesional, reversi贸n no autorizada de la seudonimizaci贸n o cualquier otro perjuicio econ贸mico o social significativo; en los casos en los que se prive a los interesados de sus derechos y libertades o se les impida ejercer el control sobre sus datos personales; en los casos en los que los datos personales tratados revelen el origen 茅tnico o racial, las opiniones pol铆ticas, la religi贸n o creencias filos贸ficas, la militancia en sindicatos y el tratamiento de datos gen茅ticos, datos relativos a la salud o datos sobre la vida sexual, o las condenas e infracciones penales o medidas de seguridad conexas; en los casos en los que se eval煤en aspectos personales, en particular el an谩lisis o la predicci贸n de aspectos referidos al rendimiento en el trabajo, situaci贸n econ贸mica, salud, preferencias o intereses personales, fiabilidad o comportamiento, situaci贸n o movimientos, con el fin de crear o utilizar perfiles personales; en los casos en los que se traten datos personales de personas vulnerables, en particular ni帽os; o en los casos en los que el tratamiento implique una gran cantidad de datos personales y afecte a un gran n煤mero de interesados.

(75) The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage; where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data; where personal data are processed which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, and the processing of genetic data, data concerning health or data concerning sex life or criminal convictions and offences or related security measures; where personal aspects are evaluated, in particular analysing or predicting aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, in order to create or use personal profiles; where personal data of vulnerable natural persons, in particular of children, are processed; or where processing involves a large amount of personal data and affects a large number of data subjects.

(76) La probabilidad y la gravedad del riesgo para los derechos y libertades del interesado debe determinarse con referencia a la naturaleza, el alcance, el contexto y los fines del tratamiento de datos. El riesgo debe ponderarse sobre la base de una evaluaci贸n objetiva mediante la cual se determine si las operaciones de tratamiento de datos suponen un riesgo o si el riesgo es alto.

(76) The likelihood and severity of the risk to the rights and freedoms of the data subject should be determined by reference to the nature, scope, context and purposes of the processing. Risk should be evaluated on the basis of an objective assessment, by which it is established whether data processing operations involve a risk or a high risk.

(77) Se podr铆an proporcionar directrices para la aplicaci贸n de medidas oportunas y para demostrar el cumplimiento por parte del responsable o del encargado del tratamiento, especialmente con respecto a la identificaci贸n del riesgo relacionado con el tratamiento, a su evaluaci贸n en t茅rminos de origen, naturaleza, probabilidad y gravedad y a la identificaci贸n de buenas pr谩cticas para mitigar el riesgo, que revistan, en particular, la forma de c贸digos de conducta aprobados, certificaciones aprobadas, directrices dadas por el Comit茅 o indicaciones proporcionadas por un delegado de protecci贸n de datos. El Comit茅 tambi茅n puede emitir directrices sobre operaciones de tratamiento que se considere improbable supongan un alto riesgo para los derechos y libertades de las personas f铆sicas, e indicar qu茅 medidas pueden ser suficientes en dichos casos para afrontar el riesgo en cuesti贸n.

(77) Guidance on the implementation of appropriate measures and on the demonstration of compliance by the controller or the processor, especially as regards the identification of the risk related to the processing, their assessment in terms of origin, nature, likelihood and severity, and the identification of best practices to mitigate the risk, could be provided in particular by means of approved codes of conduct, approved certifications, guidelines provided by the Board or indications provided by a data protection officer. The Board may also issue guidelines on processing operations that are considered to be unlikely to result in a high risk to the rights and freedoms of natural persons and indicate what measures may be sufficient in such cases to address such risk.

(83) A fin de mantener la seguridad y evitar que el tratamiento infrinja lo dispuesto en el presente Reglamento, el responsable o el encargado deben evaluar los riesgos inherentes al tratamiento y aplicar medidas para mitigarlos, como el cifrado. Estas medidas deben garantizar un nivel de seguridad adecuado, incluida la confidencialidad, teniendo en cuenta el estado de la t茅cnica y el coste de su aplicaci贸n con respecto a los riesgos y la naturaleza de los datos personales que deban protegerse. Al evaluar el riesgo en relaci贸n con la seguridad de los datos, se deben tener en cuenta los riesgos que se derivan del tratamiento de los datos personales, como la destrucci贸n, p茅rdida o alteraci贸n accidental o il铆cita de datos personales transmitidos, conservados o tratados de otra forma, o la comunicaci贸n o acceso no autorizados a dichos datos, susceptibles en particular de ocasionar da帽os y perjuicios f铆sicos, materiales o inmateriales.

(83) In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected. In assessing data security risk, consideration should be given to the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed which may in particular lead to physical, material or non-material damage.

Ley de Directrices y caso Deja un comentario
[js-disqus]