(61) Ba cheart an fhaisnéis i ndáil le próiseáil sonraí pearsanta a bhaineann leis an ábhar sonraí a thabhairt dó nó di tráth bhailiú na sonraí ón ábhar sonraí, nó, i gcás nach bhfaightear na sonraí pearsanta ach ó fhoinse eile, laistigh de thréimhse réasúnta, ag brath ar imthosca an cháis. I gcás inar féidir sonraí pearsanta a nochtadh d'fhaighteoir eile go dlisteanach, ba cheart an t-ábhar sonraí a chur ar an eolas nuair a nochtar na sonraí pearsanta an chéad uair don fhaighteoir. I gcás ina bhfuil sé beartaithe ag an rialaitheoir na sonraí pearsanta a phróiseáil chun críche seachas an chríoch ar chuici a bailíodh iad, ba cheart don rialaitheoir, sula ndéanfaí an tuilleadh próiseála sin, faisnéis a chur ar fáil don ábhar sonraí faoin gcríoch eile sin, agus aon fhaisnéis eile a mbeadh gá léi. Más rud é nach féidir tionscnamh na sonraí pearsanta a chur ar fáil don ábhar sonraí toisc gur úsáideadh foinsí éagsúla, ba cheart faisnéis ghinearálta a chur ar fáil.
(61) The information in relation to the processing of personal data relating to the data subject should be given to him or her at the time of collection from the data subject, or, where the personal data are obtained from another source, within a reasonable period, depending on the circumstances of the case. Where personal data can be legitimately disclosed to another recipient, the data subject should be informed when the personal data are first disclosed to the recipient. Where the controller intends to process the personal data for a purpose other than that for which they were collected, the controller should provide the data subject prior to that further processing with information on that other purpose and other necessary information. Where the origin of the personal data cannot be provided to the data subject because various sources have been used, general information should be provided.
(62) Ní gá, áfach, an oibleagáid a fhorchur faisnéis a chur ar fáil i gcás ina mbíonn an fhaisnéis ag an ábhar sonraí cheana, i gcás ina bhfuil taifeadadh nó nochtadh na sonraí pearsanta leagtha síos go sainráite le dlí nó i gcás ina bhfuil sé dodhéanta an fhaisnéis a chur ar fáil don ábhar sonraí nó ina mbeadh iarracht dhíréireach ag baint leis sin. Sampla a d'fhéadfadh an cás a bheith amhlaidh go háirithe ó thaobh é a bheith dodhéanta déanamh amhlaidh nó ó thaobh iarracht dhíréireach ná, go háirithe, nuair a dhéantar an phróiseáil chun críocha cartlannú a dhéanamh ar mhaithe le leas an phobail, chun críocha taighde eolaíoch nó stairiúil nó chun críocha staidrimh. I dtaca leis sin, ba cheart líon na n-ábhar sonraí do na sonraí, aois na sonraí agus aon choimircí iomchuí a glacadh a chur san áireamh.
(62) However, it is not necessary to impose the obligation to provide information where the data subject already possesses the information, where the recording or disclosure of the personal data is expressly laid down by law or where the provision of information to the data subject proves to be impossible or would involve a disproportionate effort. The latter could in particular be the case where processing is carried out for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. In that regard, the number of data subjects, the age of the data and any appropriate safeguards adopted should be taken into consideration.
(63) Ba cheart é a bheith de cheart ag ábhar sonraí rochtain a fháil ar shonraí pearsanta a bailíodh a bhaineann leis nó léi, agus ba cheart don ábhar sonraí a bheith in ann an ceart sin a fheidhmiú go héasca agus ag eatraimh réasúnta, d'fhonn a bheith ar an eolas faoi dhlíthiúlacht na próiseála agus d'fhonn dlíthiúlacht na próiseála a fhíorú. Áirítear leis sin an ceart atá ag ábhair sonraí rochtain a fháil ar shonraí a bhaineann lena sláinte, amhail na sonraí ina dtaifid leighis ina bhfuil faisnéis amhail diagnóis, torthaí scrúduithe, measúnuithe a rinne lianna cóireála agus faisnéis faoi aon chóireáil nó idirghabháil a rinneadh. Ba cheart é a bheith de cheart ag gach ábhar sonraí, dá bhrí sin, a bheith ar an eolas agus teachtaireacht a fháil go háirithe maidir leis na críocha ar chucu a dhéantar na sonraí pearsanta a phróiseáil, agus leis an tréimhse ar lena linn a dhéantar na sonraí pearsanta a phróiseáil, nuair is féidir é, le faighteoirí na sonraí pearsanta, leis an loighic a bhaineann le haon uathphróiseáil sonraí pearsanta agus leis na hiarmhairtí a bhaineann le próiseáil den sórt sin, ar a laghad nuair atá an phróiseáil sin bunaithe ar phróifíliú. I gcás inar féidir é, ba cheart don rialaitheoir a bheith in ann cianrochtain ar chóras slán a thabhairt lena dtabharfaí rochtain dhíreach don ábhar sonraí ar a shonraí pearsanta nó ar a sonraí pearsanta. Níor cheart don cheart sin dochar a dhéanamh do chearta ná saoirsí daoine eile, lena n-áirítear cearta agus saoirsí maidir le rúin trádála nó maoin intleachtúil agus go háirithe níor cheart dó dochar a dhéanamh don chóipcheart lena gcosnaítear bogearraí. Níor cheart, áfach, é a bheith mar thoradh ar na cúinsí sin go ndiúltófaí don fhaisnéis uile a thabhairt don ábhar sonraí. Má dhéanann an rialaitheoir próiseáil ar chainníocht mhór faisnéise a bhaineann leis an ábhar sonraí, ba cheart don rialaitheoir a bheith in ann a iarraidh go sonróidh an t-ábhar sonraí, sula seachadfar an fhaisnéis, an fhaisnéis nó na gníomhaíochtaí próiseála a mbaineann an iarraidh léi nó leo.
(63) A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing. This includes the right for data subjects to have access to data concerning their health, for example the data in their medical records containing information such as diagnoses, examination results, assessments by treating physicians and any treatment or interventions provided. Every data subject should therefore have the right to know and obtain communication in particular with regard to the purposes for which the personal data are processed, where possible the period for which the personal data are processed, the recipients of the personal data, the logic involved in any automatic personal data processing and, at least when based on profiling, the consequences of such processing. Where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data. That right should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software. However, the result of those considerations should not be a refusal to provide all information to the data subject. Where the controller processes a large quantity of information concerning the data subject, the controller should be able to request that, before the information is delivered, the data subject specify the information or processing activities to which the request relates.
(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.
Here is the relevant paragraph to article 13(2)(a) GDPR:
7.4.7 Retention
Control
The organization should not retain PII for longer than is necessary for the purposes for which the PII is processed.
Implementation guidance
The organization should develop and maintain retention schedules for information it retains, taking into account the requirement to retain PII for no longer than is necessary.
(EN) […]
(EN) Sign in
to read the full text