
Article 40 GDPR. Codes of conduct

1. The Member States, the supervisory authorities, the Board and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking account of the specific features of the various processing sectors and the specific needs of micro, small and medium-sized enterprises.

2. Associations and other bodies representing categories of controllers or processors may prepare codes of conduct, or amend or extend such codes, for the purpose of specifying the application of this Regulation, such as with regard to:

Recitals

(89) Directive 95/46/EC provided for a general obligation to notify the processing of personal data to the supervisory authorities. While that obligation produces administrative and financial burdens, it did not in all cases contribute to improving the protection of personal data. Such indiscriminate general notification obligations should therefore be abolished, and replaced by effective procedures and mechanisms which focus instead on those types of processing operations which are likely to result in a high risk to the rights and freedoms of natural persons by virtue of their nature, scope, context and purposes. Such types of processing operations may be those which, in particular, involve using new technologies, or are of a new kind and where no data protection impact assessment has been carried out before by the controller, or where they become necessary in the light of the time that has elapsed since the initial processing.

(90) In such cases, a data protection impact assessment should be carried out by the controller prior to the processing in order to assess the particular likelihood and severity of the high risk, taking into account the nature, scope, context and purposes of the processing and the sources of the risk. That impact assessment should include, in particular, the measures, safeguards and mechanisms envisaged for mitigating that risk, ensuring the protection of personal data and demonstrating compliance with this Regulation.

(a) fair and transparent processing;

(b) the legitimate interests pursued by controllers in specific contexts;

(c) the collection of personal data;

(d) the pseudonymisation of personal data;

(e) the information provided to the public and to data subjects;

(f) the exercise of the rights of data subjects;

(g) the information provided to, and the protection of, children, and the manner in which the consent of the holders of parental responsibility over children is to be obtained;

(h) the measures and procedures referred to in Articles 24 and 25 and the measures to ensure security of processing referred to in Article 32;

(i) the notification of personal data breaches to supervisory authorities and the communication of such personal data breaches to data subjects;

(j) the transfer of personal data to third countries or international organisations; or

(k) out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects with regard to processing, without prejudice to the rights of data subjects pursuant to Articles 77 and 79.

3. In addition to adherence by controllers or processors subject to this Regulation, codes of conduct approved pursuant to paragraph 5 of this Article and having general validity pursuant to paragraph 9 of this Article may also be adhered to by controllers or processors that are not subject to this Regulation pursuant to Article 3 in order to provide appropriate safeguards within the framework of personal data transfers to third countries or international organisations under the terms referred to in point (e) of Article 46(2). Such controllers or processors shall make binding and enforceable commitments, via contractual or other legally binding instruments, to apply those appropriate safeguards including with regard to the rights of data subjects.

4. A code of conduct referred to in paragraph 2 of this Article shall contain mechanisms which enable the body referred to in Article 41(1) to carry out the mandatory monitoring of compliance with its provisions by the controllers or processors which undertake to apply it, without prejudice to the tasks and powers of supervisory authorities competent pursuant to Article 55 or 56.

5. Associations and other bodies referred to in paragraph 2 of this Article which intend to prepare a code of conduct or to amend or extend an existing code shall submit the draft code, amendment or extension to the supervisory authority which is competent pursuant to Article 55. The supervisory authority shall provide an opinion on whether the draft code, amendment or extension complies with this Regulation and shall approve that draft code, amendment or extension if it finds that it provides sufficient appropriate safeguards.

6. Where the draft code, or amendment or extension is approved in accordance with paragraph 5, and where the code of conduct concerned does not relate to processing activities in several Member States, the supervisory authority shall register and publish the code.

7. Where a draft code of conduct relates to processing activities in several Member States, the supervisory authority which is competent pursuant to Article 55 shall, before approving the draft code, amendment or extension, submit it in the procedure referred to in Article 63 to the Board which shall provide an opinion on whether the draft code, amendment or extension complies with this Regulation or, in the situation referred to in paragraph 3 of this Article, provides appropriate safeguards.

8. Where the opinion referred to in paragraph 7 confirms that the draft code, amendment or extension complies with this Regulation, or, in the situation referred to in paragraph 3, provides appropriate safeguards, the Board shall submit its opinion to the Commission.

9. The Commission may, by way of implementing acts, decide that the approved code of conduct, amendment or extension submitted to it pursuant to paragraph 8 of this Article has general validity within the Union. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 93(2).

10. The Commission shall ensure appropriate publicity for the approved codes which have been decided as having general validity in accordance with paragraph 9.

11. The Board shall collate all approved codes of conduct, amendments and extensions in a register and shall make them publicly available by way of appropriate means.

ISO 27701

ISO/IEC 27701, adopted in 2019, extends ISO/IEC 27001 with privacy-specific requirements. The clause relevant to Article 40 GDPR adds to ISO/IEC 27001, section 4.2 (interested parties):

5.2.2 Understanding the needs and expectations of interested parties

The organization shall include among its interested parties (see ISO/IEC 27001:2013, 4.2), those parties having interests or responsibilities associated with the processing of PII, including the PII principals.


Recitals

(98) Associations or other bodies representing categories of controllers or processors should be encouraged to draw up codes of conduct, within the limits of this Regulation, so as to facilitate the effective application of this Regulation, taking account of the specific characteristics of the processing carried out in certain sectors and the specific needs of micro, small and medium enterprises. In particular, such codes of conduct could calibrate the obligations of controllers and processors, taking into account the risk likely to result from the processing for the rights and freedoms of natural persons.

(99) When drawing up a code of conduct, or when amending or extending such a code, associations and other bodies representing categories of controllers or processors should consult relevant stakeholders, including data subjects where feasible, and have regard to submissions received and views expressed in response to such consultations.