Članak 13. 📖 GDPR. Informacije koje treba dostaviti ako se osobni podaci prikupljaju od ispitanika

Članak 13. GDPR. Informacije koje treba dostaviti ako se osobni podaci prikupljaju od ispitanika

Article 13 GDPR. Information to be provided where personal data are collected from the data subject

1. Ako su osobni podaci koji se odnose na ispitanika prikupljeni od ispitanika, voditelj obrade u trenutku prikupljanja osobnih podataka ispitaniku pruža sve sljedeće informacije:

1. Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:

Uvodne izjave Vezani tekstovi

Uvodne izjave

(60) Načelima poštene i transparentne obrade zahtijeva se da je ispitanik informiran o postupku obrade i njegovim svrhama. Voditelj obrade trebao bi ispitaniku pružiti sve dodatne informacije neophodne za osiguravanje poštene i transparentne obrade uzimajući u obzir posebne okolnosti i kontekst obrade osobnih podataka. Osim toga ispitanik bi trebao biti informiran o postupku izrade profila i posljedicama takve izrade profila. Kada se prikupljaju osobni podaci od ispitanika, trebalo bi ga također obavijestiti o tome je li obvezan pružiti osobne podatke te o posljedicama ako takve podatke ne pruži. Ova se informacija može pružiti u kombinaciji sa standardiziranim ikonama kako bi se na lako vidljiv, razumljiv i jasno čitljiv način pružio smislen pregled planirane obrade. Kada su ikone predstavljene elektroničkim putem, trebale bi biti strojno čitljive.

(60) The principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes. The controller should provide the data subject with any further information necessary to ensure fair and transparent processing taking into account the specific circumstances and context in which the personal data are processed. Furthermore, the data subject should be informed of the existence of profiling and the consequences of such profiling. Where the personal data are collected from the data subject, the data subject should also be informed whether he or she is obliged to provide the personal data and of the consequences, where he or she does not provide such data. That information may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended processing. Where the icons are presented electronically, they should be machine-readable.

Vezani tekstovi

Article 29 Working Party Guidelines on transparency under Regulation 2016/679

Timing for provision of information

Articles 13 and 14 set out information which must be provided to the data subject at the commencement phase of the processing cycle. Article 13 applies to the scenario where the data is collected from the data subject. This includes personal data that: • a data subject consciously provides to a data controller (e.g. when completing an online form); or • a data controller collects from a data subject by observation (e.g. using automated data capturing devices or data capturing software such as cameras, network equipment, Wi-Fi tracking, RFID or other types of sensors). Article 14 applies in the scenario where the data have not been obtained from the data subject. This includes personal data which a data controller has obtained from sources such as: • third party data controllers; • publicly available sources; • data brokers; or • other data subjects.

(a) identitet i kontaktne podatke voditelja obrade i, ako je primjenjivo, predstavnika voditelja obrade;

(a) the identity and the contact details of the controller and, where applicable, of the controller’s representative;

Smjernice i sudska praksa

(EN) Article 29 Working Party, Guidelines on transparency under Regulation 2016/679, WP260 rev.01 (2018):

This information should allow for easy identification of the controller and preferably allow for different forms of communications with the data controller (e.g. phone number, email, postal address etc.).

(b) kontaktne podatke službenika za zaštitu podataka, ako je primjenjivo;

(b) the contact details of the data protection officer, where applicable;

Smjernice i sudska praksa

(EN) Article 29 Working Party, Guidelines on Data Protection Officers (DPOs) (2017):

The contact details of the DPO should include information allowing data subjects and the supervisory authorities to reach the DPO in an easy way (a postal address, a dedicated telephone number, and/or a dedicated e-mail address). When appropriate, for purposes of communications with the public, other means of communications could also be provided, for example, a dedicated hotline, or a dedicated contact form addressed to the DPO on the organisation’s website.

Article 37(7) does not require that the published contact details should include the name of the DPO. Whilst it may be a good practice to do so, it is for the controller or the processor and the DPO to decide whether this is necessary or helpful in the particular circumstances.

[…]

As a matter of good practice, the WP29 also recommends that an organisation informs its employees of the name and contact details of the DPO. For example, the name and contact details of the DPO could be published internally on organisation’s intranet, internal telephone directory, and organisational charts.

(c) svrhe obrade radi kojih se upotrebljavaju osobni podaci kao i pravnu osnovu za obradu;

(c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;

Smjernice i sudska praksa

(EN) Article 29 Working Party, Guidelines on transparency under Regulation 2016/679, WP260 rev.01 (2018):

In addition to setting out the purposes of the processing for which the personal data is intended, the relevant legal basis relied upon under Article 6 must be specified. In the case of special categories of personal data, the relevant provision of Article 9 (and where relevant, the applicable Union or Member State law under which the data is processed) should be specified. Where, pursuant to Article 10, personal data relating to criminal convictions and offences or related security measures based on Article 6.1 is processed, where applicable the relevant Union or Member State law under which the processing is carried out should be specified.

(d) ako se obrada temelji na članku 6. stavku 1. točki (f), legitimne interese voditelja obrade ili treće strane;

(d) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;

Smjernice i sudska praksa Vezani tekstovi

Smjernice i sudska praksa

(EN) Article 29 Working Party, Guidelines on transparency under Regulation 2016/679, WP260 rev.01 (2016):

The specific interest in question must be identified for the benefit of the data subject. As a matter of best practice, the controller can also provide the data subject with the information from the balancing test, which must be carried out to allow reliance on Article 6.1(f) as a lawful basis for processing, in advance of any collection of data subjects’ personal data. To avoid information fatigue, this can be included within a layered privacy statement/ notice (see paragraph 35). In any case, the WP29 position is that information to the data subject should make it clear that they can obtain information on the balancing test upon request. This is essential for effective transparency where data subjects have doubts as to whether the balancing test has been carried out fairly or they wish to file a complaint with a supervisory authority.

Vezani tekstovi

Članak 6. GDPR. Zakonitost obrade

Article 6 GDPR. Lawfulness of processing

[…]

1. Obrada je zakonita samo ako i u onoj mjeri u kojoj je ispunjeno najmanje jedno od sljedećega:

1. Processing shall be lawful only if and to the extent that at least one of the following applies:

[…]

(f) obrada je nužna za potrebe legitimnih interesa voditelja obrade ili treće strane, osim kada su od tih interesa jači interesi ili temeljna prava i slobode ispitanika koji zahtijevaju zaštitu osobnih podataka, osobito ako je ispitanik dijete.

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

(e) primatelje ili kategorije primatelja osobnih podataka, ako ih ima; i

(e) the recipients or categories of recipients of the personal data, if any;

Smjernice i sudska praksa Vezani tekstovi

Smjernice i sudska praksa

(EN) Article 29 Working Party, Guidelines on transparency under Regulation 2016/679, WP260 rev.01 (2016):

The term “recipient” is defined in Article 4.9 as “a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not” [emphasis added]. As such, a recipient does not have to be a third party. Therefore, other data controllers, joint controllers and processors to whom data is transferred or disclosed are covered by the term “recipient” and information on such recipients should be provided in addition to information on third party recipients. The actual (named) recipients of the personal data, or the categories of recipients, must be provided. In accordance with the principle of fairness, controllers must provide information on the recipients that is most meaningful for data subjects. In practice, this will generally be the named recipients, so that data subjects know exactly who has their personal data. If controllers opt to provide the categories of recipients, the information should be as specific as possible by indicating the type of recipient (i.e. by reference to the activities it carries out), the industry, sector and sub-sector and the location of the recipients.

Vezani tekstovi

Članak 4. GDPR. Definicije

Article 4 GDPR. Definitions

Definicije

Definitions

[…]

9. „primatelj” znači fizička ili pravna osoba, tijelo javne vlasti, agencija ili drugo tijelo kojem se otkrivaju osobni podaci, neovisno o tome je li on treća strana. Međutim, tijela javne vlasti koja mogu primiti osobne podatke u okviru određene istrage u skladu s pravom Unije ili države članice ne smatraju se primateljima; obrada tih podataka koju obavljaju ta tijela javne vlasti mora biti u skladu s primjenjivim pravilima o zaštiti podataka prema svrhama obrade;

(9) ‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;

[…]

(f) ako je primjenjivo, činjenicu da voditelja obrade namjerava osobne podatke prenijeti trećoj zemlji ili međunarodnoj organizaciji te postojanje ili nepostojanje odluke Komisije o primjerenosti, ili u slučaju prijenosâ iz članaka 46. ili 47. ili članka 49. stavka 1. drugog podstavka upućivanje na prikladne ili odgovarajuće zaštitne mjere i načine pribavljanja njihove kopije ili mjesta na kojem su stavljene na raspolaganje.

(f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.

Smjernice i sudska praksa Vezani tekstovi

Smjernice i sudska praksa

(EN) Article 29 Working Party, Guidelines on transparency under Regulation 2016/679, WP260 rev.01 (2016):

The relevant GDPR article permitting the transfer and the corresponding mechanism (e.g. adequacy decision under Article 45/ binding corporate rules under Article 47/ standard data protection clauses under Article 46.2/ derogations and safeguards under Article 49 etc.) should be specified. Information on where and how the relevant document may be accessed or obtained should also be provided e.g. by providing a link to the mechanism used. In accordance with the principle of fairness, the information provided on transfers to third countries should be as meaningful as possible to data subjects; this will generally mean that the third countries be named.

Vezani tekstovi

Članak 45. GDPR. Prijenosi na temelju odluke o primjerenosti

Article 45 GDPR. Transfers on the basis of an adequacy decision

Članak 47. GDPR. Obvezujuća korporativna pravila

Article 47 GDPR. Binding corporate rules

Članak 46. GDPR. Prijenosi koji podliježu odgovarajućim zaštitnim mjerama

Article 46 GDPR. Transfers subject to appropriate safeguards

[…]

2. Odgovarajuće zaštitne mjere iz stavka 1. mogu, bez potrebe za ikakvim posebnim ovlaštenjem nadzornog tijela, pružati:

2. The appropriate safeguards referred to in paragraph 1 may be provided for, without requiring any specific authorisation from a supervisory authority, by:

(b) obvezujuća korporativna pravila u skladu s člankom 47.;

(b) binding corporate rules in accordance with Article 47;

(c) standardne klauzule o zaštiti podataka koje donosi Komisija u skladu s postupkom ispitivanja iz članka 93. stavka 2.;

(c) standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93(2);

[…]

Članak 49. GDPR. Odstupanja za posebne situacije

Article 49 GDPR. Derogations for specific situations

1. Ako ne postoji odluka o primjerenosti u skladu s člankom 45. stavkom 3., ili odgovarajuće zaštitne mjere u skladu s člankom 46., što uključuje obvezujuća korporativna pravila, prijenos ili skup prijenosa osobnih podataka u treću zemlju ili međunarodnu organizaciju ostvaruje se samo pod jednim od sljedećih uvjeta:

1. In the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the following conditions:

[…]

Kad se prijenos ne može temeljiti na nekoj odredbi iz članka 45. ili 46., uključujući odredbe obvezujućih korporativnih pravila, i kad nije primjenjivo nijedno odstupanje za posebne situacije iz prvog podstavka ovog stavka, prijenos u treću zemlju ili međunarodnu organizaciju može se ostvariti samo ako se prijenos ne ponavlja, ako se odnosi samo na ograničen broj ispitanika, nužan je za potrebe uvjerljivih, legitimnih interesa voditelja obrade koji nisu podređeni interesima ili pravima i slobodama ispitanika, a voditelj obrade procijenio sve okolnosti prijenosa podataka te je na temelju te procjene predvidio odgovarajuće zaštitne mjere u pogledu zaštite osobnih podataka. Voditelj obrade obavješćuje nadzorno tijelo o tom prijenosu. Uz pružanje informacija iz članaka 13. i 14., voditelj obrade ispitanika obavješćuje o prijenosu i o uvjerljivim legitimnim interesima.

Where a transfer could not be based on a provision in Article 45 or 46, including the provisions on binding corporate rules, and none of the derogations for a specific situation referred to in the first subparagraph of this paragraph is applicable, a transfer to a third country or an international organisation may take place only if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data. The controller shall inform the supervisory authority of the transfer. The controller shall, in addition to providing the information referred to in Articles 13 and 14, inform the data subject of the transfer and on the compelling legitimate interests pursued.

[…]

2. Osim informacija iz stavka 1., voditelj obrade u trenutku kada se osobni podaci prikupljaju pruža ispitaniku sljedeće dodatne informacije potrebne kako bi se osigurala poštena i transparentna obrada:

2. In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:

Uvodne izjave Vezani tekstovi

Uvodne izjave

(61) Ispitaniku bi tijekom prikupljanja podataka trebalo dati informacije o obradi osobnih podataka koji se odnose na njega, ili ako se osobni podaci ne uzimaju od ispitanika već su prikupljeni iz drugog izvora, u razumnom roku ovisno o okolnostima slučaja. Ako se osobni podaci legitimno mogu otkriti drugom primatelju, ispitanika bi trebalo informirati kada se osobni podaci prvi put otkrivaju primatelju. Ako voditelj obrade namjerava obrađivati osobne podatke u svrhu koja je različita od one za koju su prikupljeni, voditelj obrade bi prije te daljnje obrade ispitaniku trebao pružiti informacije o toj drugoj svrsi te druge potrebne informacije. Ako se izvor osobnih podataka ne može dati ispitaniku jer su upotrebljavani razni izvori, trebalo bi dati opće informacije.

(61) The information in relation to the processing of personal data relating to the data subject should be given to him or her at the time of collection from the data subject, or, where the personal data are obtained from another source, within a reasonable period, depending on the circumstances of the case. Where personal data can be legitimately disclosed to another recipient, the data subject should be informed when the personal data are first disclosed to the recipient. Where the controller intends to process the personal data for a purpose other than that for which they were collected, the controller should provide the data subject prior to that further processing with information on that other purpose and other necessary information. Where the origin of the personal data cannot be provided to the data subject because various sources have been used, general information should be provided.

Vezani tekstovi

Guidelines 4/2019 on Article 25 Data Protection by Design and by Default Version 2.0.

3.1 Transparency [24]

_{[24]Elaboration on how to understand the concept of transparency can be found in Article 29 Working Party. “Guidelines on transparency under Regulation 2016/679”. WP 260 rev.01, 11 April 2018. ec.europa.eu/newsroom/article29/document.cfm?action=display&doc_id=51025 – endorsed by the EDPB}

65. The controller must be clear and open with the data subject about how they will collect, use and share personal data. Transparency is about enabling data subjects to understand, and if necessary, make use of their rights in Articles 15 to 22. The principle is embedded in Articles 12, 13, 14 and 34. Measures and safeguards put in place to support the principle of transparency should also support the implementation of these Articles.

66. Key design and default elements for the principle of transparency may include:

•Clarity – Information shall be in clear and plain language, concise and intelligible.

•Semantics – Communication should have a clear meaning to the audience in question.

•Accessibility – Information shall be easily accessible for the data subject.

•Contextual – Information should be provided at the relevant time and in the appropriate form.

•Relevance – Information should be relevant and applicable to the specific data subject.

•Universal design – Information shall be accessible to all data subjects, include use of machine readable languages to facilitate and automate readability and clarity.

•Comprehensible – Data subjects should have a fair understanding of what they can expect with regards to the processing of their personal data, particularly when the data subjects are children or other vulnerable groups.

• Multi-channel – Information should be provided in different channels and media, not only the textual, to increase the probability for the information to effectively reach the data subject.

• Layered – The information should be layered in a manner that resolves the tension between completeness and understanding, while accounting for data subjects’ reasonable expectations.

(a) razdoblje u kojem će osobni podaci biti pohranjeni ili, ako to nije moguće, kriterije kojima se utvrdilo to razdoblje;

(a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;

ISO 27701 Smjernice i sudska praksa

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph to article 13(2)(a) GDPR:

7.4.7 Retention

Control

The organization should not retain PII for longer than is necessary for the purposes for which the PII is processed.

Implementation guidance

The organization should develop and maintain retention schedules for information it retains, taking into account the requirement to retain PII for no longer than is necessary.

(EN) […]

(EN) Sign in
to read the full text

Smjernice i sudska praksa

(EN) Article 29 Working Party, Guidelines on transparency under Regulation 2016/679, WP260 rev.01 (2016):

This is linked to the data minimisation requirement in Article 5.1(c) and storage limitation requirement in Article 5.1(e). The storage period (or criteria to determine it) may be dictated by factors such as statutory requirements or industry guidelines but should be phrased in a way that allows the data subject to assess, on the basis of his or her own situation, what the retention period will be for specific data/ purposes. It is not sufficient for the data controller to generically state that personal data will be kept as long as necessary for the legitimate purposes of the processing. Where relevant, the different storage periods should be stipulated for different categories of personal data and/or different processing purposes, including where appropriate, archiving periods.

EDPB, Guidelines on the use of location data and contact tracing tools in the context of the COVID-19 outbreak (2020):

Storage limitation should consider the true needs and the medical relevance (this may include epidemiology-motivated considerations like the incubation period,etc.) and personal data should be kept only for the duration of the COVID-19 crisis. Afterwards,as a general rule,all personal data should be erased or anonymised.

(b) postojanje prava da se od voditelja obrade zatraži pristup osobnim podacima i ispravak ili brisanje osobnih podataka ili ograničavanje obrade koji se odnose na ispitanika ili prava na ulaganje prigovora na obradu takvih te prava na prenosivost podataka;

(b) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;

ISO 27701 Smjernice i sudska praksa

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraphs to article 13(2)(b) GDPR:

7.3.5 Providing mechanism to object to PII processing

Control

The organization should provide a mechanism for PII principals to object to the processing of their PII.

Implementation guidance

Some jurisdictions provide PII principals with a right to object to the processing of their PII. Organizations subject to the legislation and/or regulation of such jurisdictions should ensure that they implement appropriate measures to enable PII principals to exercize this right.

(EN) […]

(EN) Sign in
to read the full text

Smjernice i sudska praksa

(EN) Article 29 Working Party, Guidelines on transparency under Regulation 2016/679, WP260 rev.01 (2016):

This information should be specific to the processing scenario and include a summary of what the right involves and how the data subject can take steps to exercise it and any limitations on the right. […] In particular, the right to object to processing must be explicitly brought to the data subject’s attention at the latest at the time of first communication with the data subject and must be presented clearly and separately from any other information.64 In relation to the right to portability, see WP29 Guidelines on the right to data portability.

(c) ako se obrada temelji na članku 6. stavku 1. točki (a) ili članku 9. stavku 2. točki (a), postojanje prava da se u bilo kojem trenutku povuče privolu, a da to ne utječe na zakonitost obrade koja se temeljila na privoli prije nego što je ona povučena;

(c) where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;

ISO 27701 Smjernice i sudska praksa Vezani tekstovi

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph to article 13(2)(c) GDPR:

7.3.4 Providing mechanism to modify or withdraw consent

Control

The organization should provide a mechanism for PII principals to modify or withdraw their consent.

Implementation guidance

The organization should inform PII principals of their rights related to withdrawing consent (which may vary by jurisdiction) at any time, and provide the mechanism to do so.

(EN) […]

(EN) Sign in
to read the full text

Smjernice i sudska praksa

(EN) Article 29 Working Party, Guidelines on transparency under Regulation 2016/679, WP260 rev.01 (2016):

This information should include how consent may be withdrawn, taking into account that it should be as easy for a data subject to withdraw consent as to give it.

Vezani tekstovi

Članak 6. GDPR. Zakonitost obrade

Article 6 GDPR. Lawfulness of processing

Zakonitost obrade

Lawfulness of processing

1. Obrada je zakonita samo ako i u onoj mjeri u kojoj je ispunjeno najmanje jedno od sljedećega:

1. Processing shall be lawful only if and to the extent that at least one of the following applies:

(a) ispitanik je dao privolu za obradu svojih osobnih podataka u jednu ili više posebnih svrha;

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

[…]

Članak 9. GDPR. Obrada posebnih kategorija osobnih podataka

Article 9 GDPR. Processing of special categories of personal data

Obrada posebnih kategorija osobnih podataka

Processing of special categories of personal data

1. Zabranjuje se obrada osobnih podataka koji otkrivaju rasno ili etničko podrijetlo, politička mišljenja, vjerska ili filozofska uvjerenja ili članstvo u sindikatu te obrada genetskih podataka, biometrijskih podataka u svrhu jedinstvene identifikacije pojedinca, podataka koji se odnose na zdravlje ili podataka o spolnom životu ili seksualnoj orijentaciji pojedinca.

1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.

2. Stavak 1. ne primjenjuje se ako je ispunjen jedno od sljedećeg:

2. Paragraph 1 shall not apply if one of the following applies:

(a) ispitanik je dao izričitu privolu za obradu tih osobnih podataka za jednu ili više određenih svrha, osim ako se pravom Unije ili pravom države članice propisuje da ispitanik ne može ukinuti zabranu iz stavka 1.;

(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;

[…]

Članak 7. GDPR. Uvjeti privole

Article 7 GDPR. Conditions for consent

Uvjeti privole

Conditions for consent

[…]

3. Ispitanik ima pravo u svakom trenutku povući svoju privolu. Povlačenje privole ne utječe na zakonitost obrade na temelju privole prije njezina povlačenja. Prije davanja privole, ispitanika se o tome obavješćuje. Povlačenje privole mora biti jednako jednostavno kao i njezino davanje.

3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.

[…]

Guidelines 4/2019 on Article 25 Data Protection by Design and by Default Version 2.0.

3.2 Lawfulness

67. The controller must identify a valid legal basis for the processing of personal data. Measures and safeguards should support the requirement to make sure that the whole processing lifecycle is in line with the relevant legal grounds of processing.

(d) pravo na podnošenje prigovora nadzornom tijelu;

(d) the right to lodge a complaint with a supervisory authority;

Smjernice i sudska praksa Vezani tekstovi

Smjernice i sudska praksa

(EN) Article 29 Working Party, Guidelines on transparency under Regulation 2016/679, WP260 rev.01 (2016):

This information should explain that, in accordance with Article 77, a data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or of an alleged infringement of the GDPR.

Vezani tekstovi

Članak 77. GDPR. Pravo na pritužbu nadzornom tijelu

Article 77 GDPR. Right to lodge a complaint with a supervisory authority

Pravo na pritužbu nadzornom tijelu

Right to lodge a complaint with a supervisory authority

1. Ne dovodeći u pitanje druga upravna ili sudska pravna sredstva, svaki ispitanik ima pravo podnijeti pritužbu nadzornom tijelu, osobito u državi članici u kojoj ima uobičajeno boravište, u kojoj je njegovo radno mjesto ili mjesto navodnog kršenja, ako ispitanik smatra da obrada osobnih podataka koja se odnosi na njega krši ovu Uredbu.

1. Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.

2. Nadzorno tijelo kojem je podnesena pritužba obavješćuje podnositelja pritužbe o napretku i ishodu pritužbe, uključujući mogućnost pravni lijek na temelju članka 78.

2. The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78.

(e) informaciju o tome je li pružanje osobnih podataka zakonska ili ugovorna obveza ili uvjet nužan za sklapanje ugovora te ima li ispitanik obvezu pružanja osobnih podataka i koje su moguće posljedice ako se takvi podaci ne pruže;

(e) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;

Smjernice i sudska praksa

(EN) Article 29 Working Party, Guidelines on transparency under Regulation 2016/679, WP260 rev.01 (2016):

For example in an employment context, it may be a contractual requirement to provide certain information to a current or prospective employer. Online forms should clearly identify which fields are “required”, which are not, and what will be the consequences of not filling in the required fields.

(f) postojanje automatiziranog donošenja odluka, što uključuje izradu profila iz članka 22. stavaka 1. i 4. te, barem u tim slučajevima, smislene informacije o tome o kojoj je logici riječ, kao i važnost i predviđene posljedice takve obrade za ispitanika.

(f) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

ISO 27701 Smjernice i sudska praksa Vezani tekstovi

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph to article 13(2)(f) GDPR:

7.3.10 Automated decision making

Control

The organization should identify and address obligations, including legal obligations, to the PII principals resulting from decisions made by the organization which are related to the PII principal based solely on automated processing of PII.

(EN) […]

(EN) Sign in
to read the full text

Smjernice i sudska praksa

(EN) Article 29 Working Party, Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 (wp251rev.01) (2018):

Given the core principle of transparency underpinning the GDPR, controllers must ensure they explain clearly and simply to individuals how the profiling or automated decision-making process works.
In particular, where the processing involves profiling-based decision making (irrespective of whether it is caught by Article 22 provisions), then the fact that the processing is for the purposes of both (a) profiling and (b) making a decision based on the profile generated, must be made clear to the data subject.

Recital 60 states that giving information about profiling is part of the controller’s transparency obligations under Article 5(1) (a). The data subject has a right to be informed by the controller about and, in certain circumstances, a right to object to ‘profiling’, regardless of whether solely automated individual decision-making based on profiling takes place.

EDPB, Guidelines 8/2020 on the targeting of social media users (2020).

Vezani tekstovi

Članak 22. GDPR. Automatizirano pojedinačno donošenje odluka, uključujući izradu profila

Article 22 GDPR. Automated individual decision-making, including profiling

1. Ispitanik ima pravo da se na njega ne odnosi odluka koja se temelji isključivo na automatiziranoj obradi, uključujući izradu profila, koja proizvodi pravne učinke koji se na njega odnose ili na sličan način značajno na njega utječu.

1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

[…]

4. Odluke iz stavka 2. ne smiju se temeljiti na posebnim kategorijama osobnih podataka iz članka 9. stavka 1., osim ako se primjenjuje članak 9. stavak 2. točka (a) ili (g) te ako su uspostavljene odgovarajuće mjere zaštite prava i sloboda te legitimnih interesa ispitanika.

4. Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place.

3. Ako voditelj obrade namjerava dodatno obrađivati osobne podatke u svrhu koja je različita od one za koju su osobni podaci prikupljeni, voditelj obrade prije te dodatne obrade ispitaniku pruža informacije o toj drugoj svrsi te sve druge relevantne informacije iz stavka 2.

3. Where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2.

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph to article 13(3) GDPR:

7.3.3 Providing information to PII principals

Control

The organization should provide PII principals with clear and easily accessible information identifying the PII controller and describing the processing of their PII.

Implementation guidance

The organization should provide the information detailed in 7.3.2 to PII principals in a timely, concise, complete, transparent, intelligible and easily accessible form, using clear and plain language, as appropriate to the target audience.

(EN) […]

(EN) Sign in
to read the full text

4. Stavci 1., 2. i 3. ne primjenjuju se ako i u onoj mjeri u kojoj ispitanik već raspolaže informacijama.

4. Paragraphs 1, 2 and 3 shall not apply where and insofar as the data subject already has the information.

Opća uredba o zaštiti podataka (GDPR)

General Data Protection Regulation (EU GDPR)

The latest consolidated version of the Regulation with corrections by Corrigendum, OJ L 127, 23.5.2018, p. 2 ((EU) 2016/679). Source: EUR-lex.

Stručni komentar ISO 27701 Uvodne izjave Smjernice i sudska praksa Ostavite komentar

Stručni komentar

(EN) To facilitate the work of our consultants, we have collected all the requirements and information that have to be mentioned and created a convenient checklist. Next to each paragraph, we have placed links to specific GDPR articles and guidelines. We grouped all the information into 7 sections:

Controller’s identity
Purpose and lawful basis for processing
Personal data
Transfers of data to third countries
Rights
Changes (in privacy notices)
Form (of information provided)

It looks like this:

(EN) […]

(EN) Sign in
to read the full text

(EN) Author

(EN) Siarhei Varankevich CIPP/E, CIPM, CIPT, MBA, FIP

(EN) Co-Founder & CEO of Data Privacy Office LLC. Data Protection Trainer and Principal Consultant

(EN) Ask a question

(EN)

Data Subject Request Letter Sample

Concern: Request of information regarding my personal data

Dear Madam, Dear Sir,

I have a right to be informed, under Article 13 of the General Data Protection Regulation (GDPR), about personal data concerning me that you are processing…

(EN) […]

(EN) Sign in
to read the full text

(EN) Author

(EN) Louis-Philippe Gratton PhD, LLM

(EN) Privacy Expert

(EN) Ask a question

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph to article 13 GDPR:

7.3.2 Determining information for PII principals

Control

The organization should determine and document the information to be provided to PII principals regarding the processing of their PII and the timing of such a provision.

Implementation guidance

The organization should determine the legal, regulatory and/or business requirements for when information is to be provided to the PII principal (e.g. prior to processing, within a certain time from when it is requested, etc.) and for the type of information to be provided.

(EN) […]

(EN) Sign in
to read the full text

Uvodne izjave

(62) Obvezu pružanja informacija ipak nije potrebno nametati ako ispitanik već posjeduje tu informaciju, ako je bilježenje ili otkrivanje osobnih podataka izrijekom propisano zakonom ili ako je pružanje informacije ispitaniku nemoguće ili bi zahtijevalo nerazmjeran napor. Primjer nemogućnosti pružanja informacija ili nerazmjernog napora posebno bi se mogao javiti ako se obrada obavlja u svrhe arhiviranja u javnom interesu, u svrhe znanstvenih ili povijesnih istraživanja ili u statističke svrhe. U tom smislu trebalo bi razmotriti broj ispitanika, starost podataka i bilo koje druge donesene prikladne zaštitne mjere.

(62) However, it is not necessary to impose the obligation to provide information where the data subject already possesses the information, where the recording or disclosure of the personal data is expressly laid down by law or where the provision of information to the data subject proves to be impossible or would involve a disproportionate effort. The latter could in particular be the case where processing is carried out for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. In that regard, the number of data subjects, the age of the data and any appropriate safeguards adopted should be taken into consideration.

(63) Ispitanik bi trebao imati pravo pristupa prikupljenim osobnim podacima koji se na njega odnose te ostvarivati to pravo lako i u razumnim intervalima kako bi bio svjestan obrade i provjerio njezinu zakonitost. To uključuje pravo ispitanika na pristup podacima o njegovom zdravstvenom stanju, na primjer podacima u medicinskoj dokumentaciji koja sadržava informacije poput dijagnoza, rezultata pretraga, liječničkih mišljenja, liječenja ili zahvata. Svaki ispitanik stoga bi osobito trebao imati pravo znati i dobiti obavijest o svrhama obrade osobnih podataka, ako je moguće i za koje razdoblje se osobni podaci obrađuju, o primateljima osobnih podataka, o logici automatske obrade osobnih podataka i o posljedicama takve obrade, barem kad se temelji na izradi profila. Ako je moguće, voditelj obrade trebao bi imati mogućnost omogućiti daljinski pristup zaštićenom sustavu koji bi ispitaniku omogućio izravan pristup njegovim osobnim podacima. To pravo ne bi smjelo negativno utjecati na prava ili slobode drugih, uključujući i poslovne tajne ili intelektualno vlasništvo, a osobito na autorsko pravo kojima je zaštićen računalni program. Rezultat tih razmatranja ipak ne bi smjelo biti odbijanje pružanja svih informacija ispitaniku. Ako voditelj obrade obrađuje velike količine informacija koje se odnose na ispitanika, voditelj obrade trebao bi imati mogućnost prije dostave informacije zahtijevati od ispitanika da navede informacije ili aktivnosti obrade na koje se zahtjev odnosi.

(63) A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing. This includes the right for data subjects to have access to data concerning their health, for example the data in their medical records containing information such as diagnoses, examination results, assessments by treating physicians and any treatment or interventions provided. Every data subject should therefore have the right to know and obtain communication in particular with regard to the purposes for which the personal data are processed, where possible the period for which the personal data are processed, the recipients of the personal data, the logic involved in any automatic personal data processing and, at least when based on profiling, the consequences of such processing. Where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data. That right should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software. However, the result of those considerations should not be a refusal to provide all information to the data subject. Where the controller processes a large quantity of information concerning the data subject, the controller should be able to request that, before the information is delivered, the data subject specify the information or processing activities to which the request relates.

Smjernice i sudska praksa

(EN)