
Article 5 GDPR. Principles relating to processing of personal data

1. Personal data shall be:

(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);

Expert commentary
ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph to article 5(1)(a) GDPR:

7.2.2 Identify lawful basis

Control

The organization should determine, document and comply with the relevant lawful basis for the processing of PII for the identified purposes.

Implementation guidance

Some jurisdictions require the organization to be able to demonstrate that the lawfulness of processing was duly established before the processing.

Recitals


(39) Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed. Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review. Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted. 
Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);

Expert commentary
ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here are the relevant paragraphs to article 5(1)(b) GDPR:

7.2.1 Identify and document purpose

Control

The organization should identify and document the specific purposes for which the PII will be processed.

Implementation guidance

The organization should ensure that PII principals understand the purpose for which their PII is processed. It is the responsibility of the organization to clearly document and communicate this to PII principals.

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

Expert commentary
ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here are the relevant paragraphs to article 5(1)(c) GDPR:

7.4.1 Limit collection

Control

The organization should limit the collection of PII to the minimum that is relevant, proportional and necessary for the identified purposes.

Implementation guidance

The organization should limit the collection of PII to what is adequate, relevant and necessary in relation to the identified purposes. This includes limiting the amount of PII that the organization collects indirectly (e.g. through web logs, system logs, etc.).

Privacy by default implies that, where any optionality in the collection and processing of PII exists, each option should be disabled by default and only enabled by explicit choice of the PII principal.

7.4.4 PII minimization objectives

Control

The organization should define and document data minimization objectives and what mechanisms (such as de-identification) are used to meet those objectives.

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);

Expert commentary
ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here are the relevant paragraphs to article 5(1)(d) GDPR:

7.3.6 Access, correction and/or erasure

Control

The organization should implement policies, procedures and/or mechanisms to meet their obligations to PII principals to access, correct and/or erase their PII.

Implementation guidance

The organization should implement policies, procedures and/or mechanisms for enabling PII principals to obtain access to, correct and erase their PII, if requested and without undue delay.

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);

Expert commentary
ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here are the relevant paragraphs to article 5(1)(e) GDPR:

7.4.4 PII minimization objectives

Control

The organization should define and document data minimization objectives and what mechanisms (such as de-identification) are used to meet those objectives.

Implementation guidance

Organizations should identify how the specific PII and amount of PII collected and processed is limited relative to the identified purposes.

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

Expert commentary
ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added a requirement additional to ISO/IEC 27002, section 6.2.1.

Here are the relevant paragraphs to article 5(1)(f) GDPR:

6.3.2.1 Mobile device policy

Implementation guidance

The organization should ensure that the use of mobile devices does not lead to a compromise of PII.

2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).

Expert commentary
ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added a requirement additional to ISO/IEC 27002, section 18.1.3.

Here are the relevant paragraphs to article 5(2) GDPR:

6.15.1.3 Protection of records

Implementation guidance

Review of current and historical policies and procedures can be required (e.g. in the cases of customer dispute resolution and investigation by a supervisory authority).

Recitals


(82) In order to demonstrate compliance with this Regulation, the controller or processor should maintain records of processing activities under its responsibility. Each controller and processor should be obliged to cooperate with the supervisory authority and make those records, on request, available to it, so that it might serve for monitoring those processing operations.
