Stručni komentar
ISO 27701
Uvodne izjave
(61) Ispitaniku bi tijekom prikupljanja podataka trebalo dati informacije o obradi osobnih podataka koji se odnose na njega, ili ako se osobni podaci ne uzimaju od ispitanika već su prikupljeni iz drugog izvora, u razumnom roku ovisno o okolnostima slučaja. Ako se osobni podaci legitimno mogu otkriti drugom primatelju, ispitanika bi trebalo informirati kada se osobni podaci prvi put otkrivaju primatelju. Ako voditelj obrade namjerava obrađivati osobne podatke u svrhu koja je različita od one za koju su prikupljeni, voditelj obrade bi prije te daljnje obrade ispitaniku trebao pružiti informacije o toj drugoj svrsi te druge potrebne informacije. Ako se izvor osobnih podataka ne može dati ispitaniku jer su upotrebljavani razni izvori, trebalo bi dati opće informacije.
(61) The information in relation to the processing of personal data relating to the data subject should be given to him or her at the time of collection from the data subject, or, where the personal data are obtained from another source, within a reasonable period, depending on the circumstances of the case. Where personal data can be legitimately disclosed to another recipient, the data subject should be informed when the personal data are first disclosed to the recipient. Where the controller intends to process the personal data for a purpose other than that for which they were collected, the controller should provide the data subject prior to that further processing with information on that other purpose and other necessary information. Where the origin of the personal data cannot be provided to the data subject because various sources have been used, general information should be provided.
(62) Obvezu pružanja informacija ipak nije potrebno nametati ako ispitanik već posjeduje tu informaciju, ako je bilježenje ili otkrivanje osobnih podataka izrijekom propisano zakonom ili ako je pružanje informacije ispitaniku nemoguće ili bi zahtijevalo nerazmjeran napor. Primjer nemogućnosti pružanja informacija ili nerazmjernog napora posebno bi se mogao javiti ako se obrada obavlja u svrhe arhiviranja u javnom interesu, u svrhe znanstvenih ili povijesnih istraživanja ili u statističke svrhe. U tom smislu trebalo bi razmotriti broj ispitanika, starost podataka i bilo koje druge donesene prikladne zaštitne mjere.
(62) However, it is not necessary to impose the obligation to provide information where the data subject already possesses the information, where the recording or disclosure of the personal data is expressly laid down by law or where the provision of information to the data subject proves to be impossible or would involve a disproportionate effort. The latter could in particular be the case where processing is carried out for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. In that regard, the number of data subjects, the age of the data and any appropriate safeguards adopted should be taken into consideration.
(63) Ispitanik bi trebao imati pravo pristupa prikupljenim osobnim podacima koji se na njega odnose te ostvarivati to pravo lako i u razumnim intervalima kako bi bio svjestan obrade i provjerio njezinu zakonitost. To uključuje pravo ispitanika na pristup podacima o njegovom zdravstvenom stanju, na primjer podacima u medicinskoj dokumentaciji koja sadržava informacije poput dijagnoza, rezultata pretraga, liječničkih mišljenja, liječenja ili zahvata. Svaki ispitanik stoga bi osobito trebao imati pravo znati i dobiti obavijest o svrhama obrade osobnih podataka, ako je moguće i za koje razdoblje se osobni podaci obrađuju, o primateljima osobnih podataka, o logici automatske obrade osobnih podataka i o posljedicama takve obrade, barem kad se temelji na izradi profila. Ako je moguće, voditelj obrade trebao bi imati mogućnost omogućiti daljinski pristup zaštićenom sustavu koji bi ispitaniku omogućio izravan pristup njegovim osobnim podacima. To pravo ne bi smjelo negativno utjecati na prava ili slobode drugih, uključujući i poslovne tajne ili intelektualno vlasništvo, a osobito na autorsko pravo kojima je zaštićen računalni program. Rezultat tih razmatranja ipak ne bi smjelo biti odbijanje pružanja svih informacija ispitaniku. Ako voditelj obrade obrađuje velike količine informacija koje se odnose na ispitanika, voditelj obrade trebao bi imati mogućnost prije dostave informacije zahtijevati od ispitanika da navede informacije ili aktivnosti obrade na koje se zahtjev odnosi.
(63) A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing. This includes the right for data subjects to have access to data concerning their health, for example the data in their medical records containing information such as diagnoses, examination results, assessments by treating physicians and any treatment or interventions provided. Every data subject should therefore have the right to know and obtain communication in particular with regard to the purposes for which the personal data are processed, where possible the period for which the personal data are processed, the recipients of the personal data, the logic involved in any automatic personal data processing and, at least when based on profiling, the consequences of such processing. Where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data. That right should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software. However, the result of those considerations should not be a refusal to provide all information to the data subject. Where the controller processes a large quantity of information concerning the data subject, the controller should be able to request that, before the information is delivered, the data subject specify the information or processing activities to which the request relates.
Smjernice i sudska praksa
(EN)
Document
Article 29 Working Party, Guidelines on transparency under Regulation 2016/679, WP260 rev.01 (2018)
EDPB, Guidelines 3/2020 on the Processing of Data Concerning Health for the Purpose of Scientific Research in the Context of the Covid-19 Outbreak (2020).
EDPB, Guidelines 3/2019 on Processing of Personal Data through Video Devices (2020).
European Commission, Guidance on Apps supporting the fight against COVID 19 pandemic in relation to data protection Brussels (2020).
EDPB, Guidelines 02/2021 on Virtual Voice Assistants (2021).
Case Law
CJEU, College van burgemeester en wethouders van Rotterdam/Rijkeboer, C-553/07 (2009).
CJEU, YS/Minister voor Immigratie, Integratie en Asiel, C-141/12 and C-372/12 (2014).
CJEU, ClientEarth/European Food Safety Authority, C‑615/13 P (2015).
CJEU, Nowak/Data Protection Commissioner, C-434/16 (2017).
ECHR, López Ribalda v. Spain, nos 1874/13 and 8567/13 (2019).
Belgian DPA Fines Belgian Telecommunications Provider for Several Data Protection Infringements (2020). Brief description in English.
(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.
Here is the relevant paragraph to article 13(2)(a) GDPR:
7.4.7 Retention
Control
The organization should not retain PII for longer than is necessary for the purposes for which the PII is processed.
Implementation guidance
The organization should develop and maintain retention schedules for information it retains, taking into account the requirement to retain PII for no longer than is necessary.
(EN) […]
(EN) Sign in
to read the full text