Article 6 GDPR. Lawfulness of processing

1. Processing shall be lawful only if and to the extent that at least one of the following applies:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

Recitals

(44) Processing should be lawful where it is necessary in the context of a contract or the intention to enter into a contract.

(c) processing is necessary for compliance with a legal obligation to which the controller is subject;

Recitals

(45) Where processing is carried out in accordance with a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, the processing should have a basis in Union or Member State law. This Regulation does not require a specific law for each individual processing. A law as a basis for several processing operations based on a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of an official authority may be sufficient. It should also be for Union or Member State law to determine the purpose of processing. Furthermore, that law could specify the general conditions of this Regulation governing the lawfulness of personal data processing, establish specifications for determining the controller, the type of personal data which are subject to the processing, the data subjects concerned, the entities to which the personal data may be disclosed, the purpose limitations, the storage period and other measures to ensure lawful and fair processing. It should also be for Union or Member State law to determine whether the controller performing a task carried out in the public interest or in the exercise of official authority should be a public authority or another natural or legal person governed by public law, or, where it is in the public interest to do so, including for health purposes such as public health and social protection and the management of health care services, by private law, such as a professional association.

(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

Recitals

(46) The processing of personal data should also be regarded to be lawful where it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person. Processing of personal data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis. Some types of processing may serve both important grounds of public interest and the vital interests of the data subject as for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread or in situations of humanitarian emergencies, in particular in situations of natural and man-made disasters.

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

Recitals

(115) Some third countries adopt laws, regulations and other legal acts which purport to directly regulate the processing activities of natural and legal persons under the jurisdiction of the Member States. This may include judgments of courts or tribunals or decisions of administrative authorities in third countries requiring a controller or processor to transfer or disclose personal data, and which are not based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State. The extraterritorial application of those laws, regulations and other legal acts may be in breach of international law and may impede the attainment of the protection of natural persons ensured in the Union by this Regulation. Transfers should only be allowed where the conditions of this Regulation for a transfer to third countries are met. This may be the case, inter alia, where disclosure is necessary for an important ground of public interest recognised in Union or Member State law to which the controller is subject.

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Recitals

(47) The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing. Given that it is for the legislator to provide by law for the legal basis for public authorities to process personal data, that legal basis should not apply to the processing by public authorities in the performance of their tasks. The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.

(48) Controllers that are part of a group of undertakings or institutions affiliated to a central body may have a legitimate interest in transmitting personal data within the group of undertakings for internal administrative purposes, including the processing of clients' or employees' personal data. The general principles for the transfer of personal data, within a group of undertakings, to an undertaking located in a third country remain unaffected.

(49) The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.

Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.

Recitals

(40) In order for processing to be lawful, personal data should be processed on the basis of the consent of the data subject concerned or some other legitimate basis, laid down by law, either in this Regulation or in other Union or Member State law as referred to in this Regulation, including the necessity for compliance with the legal obligation to which the controller is subject or the necessity for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

(50) The processing of personal data for purposes other than those for which the personal data were initially collected should be allowed only where the processing is compatible with the purposes for which the personal data were initially collected. In such a case, no legal basis separate from that which allowed the collection of the personal data is required. If the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Union or Member State law may determine and specify the tasks and purposes for which the further processing should be regarded as compatible and lawful. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes should be considered to be compatible lawful processing operations. The legal basis provided by Union or Member State law for the processing of personal data may also provide a legal basis for further processing. In order to ascertain whether a purpose of further processing is compatible with the purpose for which the personal data are initially collected, the controller, after having met all the requirements for the lawfulness of the original processing, should take into account, inter alia: any link between those purposes and the purposes of the intended further processing; the context in which the personal data have been collected, in particular the reasonable expectations of data subjects based on their relationship with the controller as to their further use; the nature of the personal data; the consequences of the intended further processing for data subjects; and the existence of appropriate safeguards in both the original and intended further processing operations.

Where the data subject has given consent or the processing is based on Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard, in particular, important objectives of general public interest, the controller should be allowed to further process the personal data irrespective of the compatibility of the purposes. In any case, the application of the principles set out in this Regulation and in particular the information of the data subject on those other purposes and on his or her rights including the right to object, should be ensured. Indicating possible criminal acts or threats to public security by the controller and transmitting the relevant personal data in individual cases or in several cases relating to the same criminal act or threats to public security to a competent authority should be regarded as being in the legitimate interest pursued by the controller. However, such transmission in the legitimate interest of the controller or further processing of personal data should be prohibited if the processing is not compatible with a legal, professional or other binding obligation of secrecy.

2. Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to processing for compliance with points (c) and (e) of paragraph 1 by determining more precisely specific requirements for the processing and other measures to ensure lawful and fair processing including for other specific processing situations as provided for in Chapter IX.

3. The basis for the processing referred to in point (c) and (e) of paragraph 1 shall be laid down by:

(a) Union law; or

(b) Member State law to which the controller is subject.

The purpose of the processing shall be determined in that legal basis or, as regards the processing referred to in point (e) of paragraph 1, shall be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. That legal basis may contain specific provisions to adapt the application of rules of this Regulation, inter alia: the general conditions governing the lawfulness of processing by the controller; the types of data which are subject to the processing; the data subjects concerned; the entities to, and the purposes for which, the personal data may be disclosed; the purpose limitation; storage periods; and processing operations and processing procedures, including measures to ensure lawful and fair processing such as those for other specific processing situations as provided for in Chapter IX. The Union or the Member State law shall meet an objective of public interest and be proportionate to the legitimate aim pursued.

Recitals

(41) Where this Regulation refers to a legal basis or a legislative measure, this does not necessarily require a legislative act adopted by a parliament, without prejudice to requirements pursuant to the constitutional order of the Member State concerned. However, such a legal basis or legislative measure should be clear and precise and its application should be foreseeable to persons subject to it, in accordance with the case-law of the Court of Justice of the European Union (the ‘Court of Justice’) and the European Court of Human Rights.

4. Where the processing for a purpose other than that for which the personal data have been collected is not based on the data subject’s consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1), the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, take into account, inter alia:

(a) any link between the purposes for which the personal data have been collected and the purposes of the intended further processing;

(b) the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller;

(c) the nature of the personal data, in particular whether special categories of personal data are processed, pursuant to Article 9, or whether personal data related to criminal convictions and offences are processed, pursuant to Article 10;

(d) the possible consequences of the intended further processing for data subjects;

(e) the existence of appropriate safeguards, which may include encryption or pseudonymisation.

ISO 27701

ISO/IEC 27701, adopted in 2019, added further ISO/IEC 27002 guidance for PII controllers.

Here is the paragraph relevant to Article 6(4)(e) GDPR:

7.4.5 PII de-identification and deletion at the end of processing

Control

The organization should either delete PII or render it in a form which does not permit identification or re-identification of PII principals, as soon as the original PII is no longer necessary for the identified purpose(s).

[…]

ISO 27701

ISO/IEC 27701, adopted in 2019, added further ISO/IEC 27002 guidance for PII controllers.

Here is the paragraph relevant to Article 6 GDPR:

7.2.2 Identify lawful basis

Control

The organization should determine, document and comply with the relevant lawful basis for the processing of PII for the identified purposes.

Implementation guidance

Some jurisdictions require the organization to be able to demonstrate that the lawfulness of processing was duly established before the processing.

The legal basis for the processing of PII can include:

[…]

Recitals

(40) Le go mbeidh an phróiseáil dleathach, ba cheart sonraí pearsanta a phróiseáil ar bhonn thoiliú an ábhair sonraí lena mbaineann nó ar bhonn dlisteanach éigin eile, a leagtar síos de réir dlí, sa Rialachán seo nó i ndlí eile de chuid an Aontais nó i ndlí Ballstáit amhail dá dtagraítear sa Rialachán seo, lena n-áirítear an gá atá ann an oibleagáid dhlíthiúil a chomhlíonadh, ar oibleagáid í a bhfuil an rialaitheoir faoina réir nó an gá atá ann conradh ar páirtí ann an t-ábhar sonraí a chomhlíonadh nó chun bearta a dhéanamh ar iarraidh ón ábhar sonraí sula ndéanfar conradh.

(40) In order for processing to be lawful, personal data should be processed on the basis of the consent of the data subject concerned or some other legitimate basis, laid down by law, either in this Regulation or in other Union or Member State law as referred to in this Regulation, including the necessity for compliance with the legal obligation to which the controller is subject or the necessity for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

(41) Aon áit a dhéanann an Rialachán seo tagairt do bhunús dlí nó do bheart reachtach, ní gá go mbeadh gníomh reachtach arna ghlacadh ag parlaimint ag teastáil, gan dochar do cheanglais de bhun ord bunreachtúil an Bhallstáit lena mbaineann. Mar sin féin, ba cheart bunús dlí den sórt sin nó beart reachtach den sórt sin a bheith soiléir cruinn agus ba cheart a chur chun feidhme a bheith intuartha do na daoine sin a bheadh faoina réir, i gcomhréir le cásdlí Chúirt Bhreithiúnais an Aontais Eorpaigh (“an Chúirt Bhreithiúnais”) agus cásdlí na Cúirte Eorpaí um Chearta an Duine.

(41) Where this Regulation refers to a legal basis or a legislative measure, this does not necessarily require a legislative act adopted by a parliament, without prejudice to requirements pursuant to the constitutional order of the Member State concerned. However, such a legal basis or legislative measure should be clear and precise and its application should be foreseeable to persons subject to it, in accordance with the case-law of the Court of Justice of the European Union (the ‘Court of Justice’) and the European Court of Human Rights.

(42) I gcás ina bhfuil próiseáil bunaithe ar thoiliú an ábhair onraí, ba cheart don rialaitheoir a bheith in ann a thaispeáint gur thoiligh an t-ábhar sonraí leis an oibríocht próiseála. Go háirithe i gcomhthéacs dearbhú i scríbhinn maidir le hábhar éigin eile, ba cheart coimircí a bheith ann chun a d'áiritheodh go bhfuil an t-ábhar sonraí ar an eolas maidir leis an bhfíric go bhfuil toiliú tugtha aige nó aici agus go bhfuil sé nó sí ar an eolas faoin méid atá an toiliú tugtha. I gcomhréir le Treoir 93/13/CEE ón gComhairle (10), ba cheart dearbhú tola, agus é curtha le chéile roimh ré ag an rialaitheoir, a chur ar fáil i bhfoirm shothuigthe inrochtana, ag úsáid teanga shoiléir agus éasca agus níor cheart téarmaí éagóracha a bheith ann. Ionas go mbeidh an toiliú feasach, ba cheart don ábhar sonraí a bheith ar an eolas, ar a laghad, faoi chéannacht an rialaitheora agus faoi chríocha na próiseála a bheartaítear a dhéanamh ar na sonraí pearsanta. Níor cheart breathnú ar an toiliú mar thoiliú a tugadh faoi shaoirse mura bhfuil rogha atá dílis nó saor ag an ábhar sonraí nó mura bhfuil sé nó sí in ann diúltú don toiliú a thabhairt nó é a tharraingt siar gan díobháil.

(42) Where processing is based on the data subject's consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation. In particular in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware of the fact that and the extent to which consent is given. In accordance with Council Directive 93/13/EEC [10] a declaration of consent pre-formulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language and it should not contain unfair terms. For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended. Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.

(10) Treoir 93/13/CEE ón gComhairle an 5 Aibreán 1993 maidir le téarmaí éagóracha i gconarthaí tomhaltóra (IO L 95, 21.4.1993, lch. 29). https://eur-lex.europa.eu/legal-content/EN/AUTO/?uri=OJ:L:1993:095:TOC

[10] Council Directive 93/13/EEC of 5 April 1993 on unfair terms in consumer contracts (OJ L 95, 21.4.1993, p. 29). https://eur-lex.europa.eu/legal-content/EN/AUTO/?uri=OJ:L:1993:095:TOC

(43) Chun a áirithiú go dtugtar an toiliú sin faoi shaoirse, níor cheart toiliú a bheith ina fhoras bailí dlíthiúil le sonraí pearsanta a phróiseáil i gcás sonrach ina bhfuil éagothromaíocht shoiléir idir an t-ábhar sonraí agus an rialaitheoir, go háirithe i gcás inar údarás poiblí é an rialaitheoir agus ní dócha, dá bhrí sin, gur tugadh an toiliú sin faoi shaoirse sna cúinsí uile a bhain leis an staid shonrach sin. Toimhdítear nár tugadh toiliú faoi shaoirse más rud é nach gceadaítear leis toiliú ar leithligh a thabhairt d'oibríochtaí próiseála sonraí pearsanta éagsúla in ainneoin gurb iomchuí é sin sa chás ar leith, nó más rud é go bhfuil comhlíonadh conartha, lena n-áirítear cur ar fáil seirbhíse, ag brath ar an toiliú sin, in ainneoin nach dteastaíonn toiliú den sórt sin le haghaidh comhlíonadh den sórt sin.

(43) In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation. Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.

(44) Ba cheart próiseáil a bheith dleathach i gcás inar gá sin i gcomhthéacs conartha nó i gcás ina bhfuil sé beartaithe conradh a dhéanamh.

(44) Processing should be lawful where it is necessary in the context of a contract or the intention to enter into a contract.

(45) I gcás ina ndéantar próiseáil i gcomhréir le hoibleagáid dhlíthiúil a bhfuil an rialaitheoir faoina réir nó i gcás ina bhfuil gá le próiseáil chun cúram a chur i gcrích a dhéantar ar mhaithe le leas an phobail nó i bhfeidhmiú údaráis oifigiúil, ba cheart bunús a bheith ag an bpróiseáil i ndlí an Aontais nó i ndlí Ballstáit. Ní cheanglaítear leis an Rialachán seo dlí sonrach a bheith ann do gach próiseáil ar leith. D'fhéadfadh sé gur leor dlí mar bhunús d'oibríochtaí éagsúla próiseála ar bhonn oibleagáid dhlíthiúil a bhfuil an rialaitheoir faoina réir nó nuair is gá an phróiseáil a dhéanamh chun cúram a chur i gcrích a dhéantar ar mhaithe le leas an phobail nó i bhfeidhmiú údaráis oifigiúil. Ba cheart freisin gur faoi dhlí an Aontais nó faoi dhlí Ballstáit a bheadh sé críoch na próiseála a chinneadh. Thairis sin, d'fhéadfadh an dlí sin coinníollacha ginearálta an Rialacháin seo a shonrú lena rialaítear dlíthiúlacht na próiseála sonraí pearsanta, na sonraíochtaí a bhunú lena gcinntear an rialaitheoir, cineál na sonraí pearsanta atá faoi réir na próiseála, na hábhair sonraí lena mbaineann, na heintitis a bhféadfar na sonraí pearsanta a nochtadh dóibh, na teorannuithe de réir cuspóra, an tréimhse stórála agus bearta eile chun próiseáil dhleathach chothrom a áirithiú. Ba cheart gur faoi dhlí an Aontais nó faoi dhlí Ballstáit a bheadh sé cinneadh a dhéanamh freisin maidir le cé acu ar cheart don rialaitheoir a chuireann cúram i gcrích ar mhaithe le leas an phobail nó i bhfeidhmiú údaráis oifigiúil a bheith mar údarás poiblí nó mar dhuine nádúrtha nó dlítheanach eile a rialaítear faoin dlí poiblí, nó, i gcás inarb é ar mhaithe le leas an phobail déanamh amhlaidh, lena n-áirítear chun críocha sláinte, amhail sláinte phoiblí agus cosaint shóisialta agus bainistiú seirbhísí cúraim sláinte, faoin dlí príobháideach, amhail comhlachas gairmiúil.

(45) Where processing is carried out in accordance with a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, the processing should have a basis in Union or Member State law. This Regulation does not require a specific law for each individual processing. A law as a basis for several processing operations based on a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of an official authority may be sufficient. It should also be for Union or Member State law to determine the purpose of processing. Furthermore, that law could specify the general conditions of this Regulation governing the lawfulness of personal data processing, establish specifications for determining the controller, the type of personal data which are subject to the processing, the data subjects concerned, the entities to which the personal data may be disclosed, the purpose limitations, the storage period and other measures to ensure lawful and fair processing. It should also be for Union or Member State law to determine whether the controller performing a task carried out in the public interest or in the exercise of official authority should be a public authority or another natural or legal person governed by public law, or, where it is in the public interest to do so, including for health purposes such as public health and social protection and the management of health care services, by private law, such as a professional association.

(46) Ba cheart a mheas go bhfuil próiseáil sonraí pearsanta dleathach freisin nuair is gá é a dhéanamh chun leas a chosaint ar leas é atá riachtanach do shaol an ábhair sonraí nó do shaol duine nádúrtha eile. Níor cheart sonraí pearsanta a phróiseáil ach ar bhonn leas ríthábhachtach duine nádúrtha eile i bprionsabal i gcás nach bhféadfar an phróiseáil a bhunú go follasach ar bhunús dlí eile. Le roinnt cineálacha próiseála, d'fhéadfaí fónamh do leas tábhachtach an phobail agus do leasanna ríthábhachtacha an ábhair sonraí araon, mar shampla nuair is gá an phróiseáil a dhéanamh chun críocha daonnúla, lena n-áirítear chun faireachán a dhéanamh ar eipidéimí agus ar a leathadh nó i gcásanna éigeandálaí daonnúla, go háirithe i gcásanna tubaistí nádúrtha agus tubaistí de dhéantús an duine.

(46) The processing of personal data should also be regarded to be lawful where it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person. Processing of personal data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis. Some types of processing may serve both important grounds of public interest and the vital interests of the data subject as for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread or in situations of humanitarian emergencies, in particular in situations of natural and man-made disasters.

(47) Le leasanna dlisteanacha rialaitheora, lena n-áirítear leasanna dlisteanacha rialaitheora a bhféadfar sonraí pearsanta a nochtadh dó, nó le leasanna dlisteanacha tríú páirtí, féadfar bunús dlí a thabhairt don phróiseáil, ar choinníoll nach mbeadh sáraíocht ag leasanna nó cearta bunúsacha agus saoirsí bunúsacha an ábhair sonraí orthu, agus aird á tabhairt ar ionchais réasúnta na n-ábhar sonraí bunaithe ar a gcaidreamh a leis an rialaitheoir. D'fhéadfadh leas dlisteanach den sórt sin a bheith ann mar shampla i gcás ina bhfuil caidreamh ábhartha iomchuí idir an t-ábhar sonraí agus an rialaitheoir i gcásanna amhail gur cliant den rialaitheoir an t-ábhar sonraí nó go bhfuil an t-ábhar sonraí i seirbhís an rialaitheora. Ar aon chuma, chaithfí measúnú cúramach a dhéanamh ar aon leas dlisteanach a bheadh ann, lena n-áirítear a mheas an bhféadfadh an t-ábhar sonraí a bheith ag súil leis go réasúnta tráth bhailiú na sonraí pearsanta agus i gcomhthéacs bhailiú na sonraí pearsanta go bhféadfaí próiseáil a dhéanamh chun na críche sin. D'fhéadfadh sáraíocht a bheith ag leasanna bunúsacha agus ag cearta bunúsacha an ábhair sonraí ar leas an rialaitheora sonraí i gcás ina ndéanfaí sonraí pearsanta a phróiseáil in imthosca nach mbeadh na hábhair sonraí ag súil leis go ndéanfaí tuilleadh próiseála iontu. Ós rud é gur faoin reachtóir atá sé foráil a dhéanamh le dlí maidir leis an mbunús dlí atá ag údaráis phoiblí chun sonraí pearsanta a phróiseáil, níor cheart feidhm a bheith ag an mbunús dlí sin maidir le leas dlisteanach an rialaitheora i ndáil le próiseáil ag údaráis phoiblí i bhfeidhmiú a gcúraimí. Maidir le próiseáil ar shonraí pearsanta a bhfuil dianghá leo chun cosc a chur ar chalaois, is leas dlisteanach de chuid an rialatheora lena mbaineann é an leas sin. Féadfar próiseáil sonraí pearsanta chun críocha na margaíochta dírí a mheas mar phróiseáil a dhéantar ar mhaithe le leas dlisteanach.

(47) The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing. Given that it is for the legislator to provide by law for the legal basis for public authorities to process personal data, that legal basis should not apply to the processing by public authorities in the performance of their tasks. The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.

(48) Féadfaidh leas dlisteanach a bheith ag rialaitheoirí, ar cuid de ghrúpa gnóthas nó institiúidí atá cleamhnaithe le comhlacht lárnach iad, i sonraí pearsanta a tharchur laistigh den ghrúpa gnóthas chun críocha an riaracháin inmheánaigh, lena n-áirítear sonraí pearsanta cliant nó fostaithe a phróiseáil. Ní dhéantar aon difear do na prionsabail ghinearálta a bhaineann le tarchur sonraí pearsanta, laistigh de ghrúpa gnóthas, chuig gnóthas atá lonnaithe i dtríú tír.

(48) Controllers that are part of a group of undertakings or institutions affiliated to a central body may have a legitimate interest in transmitting personal data within the group of undertakings for internal administrative purposes, including the processing of clients' or employees' personal data. The general principles for the transfer of personal data, within a group of undertakings, to an undertaking located in a third country remain unaffected.

(49) An phróiseáil a dhéantar ar shonraí pearsanta a mhéid atá sé sin fíor-riachtanach agus comhréireach chun slándáil líonra agus faisnéise a áirithiú, i.e. an cumas atá i líonra nó i gcóras faisnéise, ar leibhéal áirithe muiníne, seasamh i gcoinne eachtraí a tharlaíonn de thaisme nó gníomhaíochtaí neamhdhleathacha nó mailíseacha a chuireann isteach ar infhaighteacht, ar bharántúlacht, ar shláine agus ar rúndacht sonraí pearsanta atá stóráilte nó tarchurtha, agus ar shlándáil na seirbhísí gaolmhara atá á dtairiscint ag na líonraí agus na córais sin, ag údaráis phoiblí, ag foirne práinnfhreagartha ríomhaireachta (CERTanna), ag foirne freagartha do theagmhais a bhaineann le slándáil ríomhaireachta (CSIRTanna), ag soláthraithe líonraí agus seirbhísí cumarsáide leictreonaí agus ag soláthraithe teicneolaíochtaí agus seirbhísí slándála, nó slándáil na seirbhísí gaolmhara atá inrochtana tríothu sin, is é atá i gceist leis an bpróiseáil sin leas dlisteanach de chuid an rialaitheora sonraí lena mbaineann. D'fhéadfaí a áireamh leis sin, mar shampla, rochtain neamhúdaraithe ar líonraí cumarsáide leictreonaí agus dáileadh mailíseach cód a chosc agus stop a chur le hionsaithe “diúltaithe seirbhíse” agus le damáiste do ríomhchórais agus do chórais chumarsáide leictreonaí.

(49) The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.

(50) Níor cheart an phróiseáil a dhéantar ar shonraí pearsanta chun críocha seachas na críocha sin ar chucu a bailíodh na sonraí pearsanta ar an gcéad dul síos a cheadú ach amháin i gcás ina bhfuil an phróiseáil ag luí leis na críocha ar bailíodh na sonraí pearsanta chucu ar an gcéad dul síos. I gcás den sórt sin, níl gá le bunús dlí ar leith ón mbunús dlí lenar ceadaíodh bailiú na sonraí pearsanta. Más gá an phróiseáil chun cúram a chur i gcrích a dhéantar ar mhaithe le leas an phobail nó i bhfeidhmiú údaráis oifigiúil atá dílsithe don rialaitheoir, féadfar, le dlí an Aontais nó le dlí Ballstáit, na cúraimí agus na críocha a chinneadh agus a shonrú ar cheart an tuilleadh próiseála a mheas mar bheith comhoiriúnach agus dleathach ina leith. Ba cheart a mheas gur oibríochtaí próiseála comhoiriúnacha dleathacha é tuilleadh próiseála a dhéanfaí chun críocha cartlannú a dhéanamh ar mhaithe le leas an phobail, chun críocha taighde eolaíoch nó stairiúil nó chun críocha staidrimh. An bunús dlí a fhoráiltear le dlí an Aontais nó le dlí Ballstáit chun sonraí pearsanta a phróiseáil, féadfaidh sé bunús dlí a thabhairt chun tuilleadh próiseála a dhéanamh freisin. 
Chun fáil amach an bhfuil críoch an tuillidh próiseála ag luí leis an gcríoch ar chuige a bailíodh na sonraí pearsanta ar an gcéad dul síos, ba cheart don rialaitheoir, tar éis dó nó di na ceanglais uile a chomhlíonadh maidir le dlíthiúlacht na próiseála bunaidh, an méid seo a leanas, inter alia, a chur san áireamh: aon nasc idir na críocha sin agus críocha an tuillidh próiseála a bheartaítear;an comhthéacs inar bailíodh na sonraí pearsanta, go háirithe ionchais réasúnta na n-ábhar sonraí bunaithe ar an gcaidreamh atá acu leis an rialaitheoir maidir le tuilleadh úsáide a bhaint astu; cineál na sonraí pearsanta; na hiarmhairtí ar na hábhair sonraí a bheadh ag an tuilleadh próiseála a bheartaítear a dhéanamh; agus coimircí iomchuí a bheith ann sna hoibríochtaí próiseála bunaidh agus sna hoibríochtaí tuillidh próiseála a bheartaítear araon.

(50) The processing of personal data for purposes other than those for which the personal data were initially collected should be allowed only where the processing is compatible with the purposes for which the personal data were initially collected. In such a case, no legal basis separate from that which allowed the collection of the personal data is required. If the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Union or Member State law may determine and specify the tasks and purposes for which the further processing should be regarded as compatible and lawful. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes should be considered to be compatible lawful processing operations. The legal basis provided by Union or Member State law for the processing of personal data may also provide a legal basis for further processing. In order to ascertain whether a purpose of further processing is compatible with the purpose for which the personal data are initially collected, the controller, after having met all the requirements for the lawfulness of the original processing, should take into account, inter alia: any link between those purposes and the purposes of the intended further processing; the context in which the personal data have been collected, in particular the reasonable expectations of data subjects based on their relationship with the controller as to their further use; the nature of the personal data; the consequences of the intended further processing for data subjects; and the existence of appropriate safeguards in both the original and intended further processing operations.

I gcás inar thug an t-ábhar sonraí toiliú nó ina mbeadh an phróiseáil bunaithe ar dhlí an Aontais nó ar dhlí Ballstáit, ar beart riachtanach comhréireach é i sochaí dhaonlathach chun cuspóirí tábhachtacha a bhaineann le leas ginearálta an phobail a choimirciú go háirithe, ba cheart cead a bheith ag an rialaitheoir na sonraí pearsanta a phróiseáil tuilleadh beag beann ar chomhoiriúnacht na gcríoch. Ar aon chaoi, ba cheart cur i bhfeidhm na bprionsabal a leagtar amach sa Rialachán seo a áirithiú, agus ba cheart a áirithiú go háirithe go gcuirtear an ábhar sonraí ar an eolas faoi na críocha eile sin agus faoi na cearta atá aige nó aici, lena n-áirítear an ceart chun agóid a dhéanamh. Gníomhartha ionchasacha coiriúla nó bagairtí ionchasacha ar an tslándáil phoiblí a bheith á gcur in iúl ag an rialaitheoir agus na sonraí pearsanta ábhartha i gcásanna aonair nó i gcásanna éagsúla a bhaineann leis an ngníomh céanna coiriúla nó leis na bagairtí céanna ar an tslándáil phoiblí a bheith á dtarchur aige nó aici chuig údarás inniúil, ba cheart a mheas gur chun leas dlisteanach an rialaitheora é an cur in iúl agus an tarchur sin. Mar sin féin, ba cheart cosc a chur ar tharchur den sórt sin ar mhaithe le leas dlisteanach an rialaitheora nó ar thuilleadh próiseála ar shonraí pearsanta mura bhfuil an phróiseáil ag luí le hoibleagáid dhlíthiúil nó ghairmiúil rúndachta nó le hoibleagáid eile cheangailteach rúndachta.

Where the data subject has given consent or the processing is based on Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard, in particular, important objectives of general public interest, the controller should be allowed to further process the personal data irrespective of the compatibility of the purposes. In any case, the application of the principles set out in this Regulation and in particular the information of the data subject on those other purposes and on his or her rights including the right to object, should be ensured. Indicating possible criminal acts or threats to public security by the controller and transmitting the relevant personal data in individual cases or in several cases relating to the same criminal act or threats to public security to a competent authority should be regarded as being in the legitimate interest pursued by the controller. However, such transmission in the legitimate interest of the controller or further processing of personal data should be prohibited if the processing is not compatible with a legal, professional or other binding obligation of secrecy.

(155) Le dlí Ballstáit nó le comhaontuithe comhchoiteanna, lena n-áirítear “comhaontuithe oibre”, féadfar foráil a dhéanamh do rialacha sonracha maidir le sonraí pearsanta na bhfostaithe a phróiseáil i gcomhthéacs na fostaíochta, go háirithe do na coinníollacha faoina bhféadfar sonraí pearsanta a phróiseáil i gcomhthéacs na fostaíochta bunaithe ar thoiliú an fhostaí, chun críocha na hearcaíochta, feidhmiú an chonartha fostaíochta, lena n-áirítear urscaoileadh na n-oibleagáidí arna leagan síos de réir dlí nó comhaontuithe comhchoiteanna, bainistiú, pleanáil agus eagrú na hoibre, comhionannas agus éagsúlacht san ionad oibre, sláinte agus slándáil ar obair, agus chun cearta agus sochair a bhaineann le fostaíocht a fheidhmiú agus tairbhiú díobh, ar bhonn aonair nó comhchoiteann, agus chun deireadh a chur leis an gcaidreamh fostaíochta.

(155) Member State law or collective agreements, including ‘works agreements’, may provide for specific rules on the processing of employees' personal data in the employment context, in particular for the conditions under which personal data in the employment context may be processed on the basis of the consent of the employee, the purposes of the recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organisation of work, equality and diversity in the workplace, health and safety at work, and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship.
