GDPR
>
Članak 30.. Evidencija aktivnosti obrade
Članak 30. GDPR. Evidencija aktivnosti obrade
Article 30 GDPR. Records of processing activities
1. Svaki voditelj obrade i predstavnik voditelja obrade, ako je primjenjivo, vodi evidenciju aktivnosti obrade za koje je odgovoran. Ta evidencija sadržava sve sljedeće informacije:
1. Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:
(a) ime i kontaktne podatke voditelja obrade i, ako je primjenjivo, zajedničkog voditelja obrade, predstavnika voditelja obrade i službenika za zaštitu podataka;
(a) the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
(c) opis kategorija ispitanika i kategorija osobnih podataka;
(c) a description of the categories of data subjects and of the categories of personal data;
(d) kategorije primateljâ kojima su osobni podaci otkriveni ili će im biti otkriveni, uključujući primatelje u trećim zemljama ili međunarodne organizacije;
(d) the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
(e) ako je primjenjivo, prijenose osobnih podataka u treću zemlju ili međunarodnu organizaciju, uključujući identificiranje te treće zemlje ili međunarodne organizacije te, u slučaju prijenosa iz članka 49. stavka 1. drugog podstavka, dokumentaciju o odgovarajućim zaštitnim mjerama;
(e) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
ISO 27701
Vezani tekstovi
(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.
Here is the relevant paragraphs to article 30(1)(e) GDPR:
7.5.1 Identify basis for PII transfer between jurisdictions
Control
The organization should identify and document the relevant basis for transfers of PII between jurisdictions.
Implementation guidance
PII transfer can be subject to legislation and/or regulation depending on the jurisdiction or international organization to which data is to be transferred (and from where it originates).
(EN) […]
(EN) Sign in
to read the full text
(f) ako je to moguće, predviđene rokove za brisanje različitih kategorija podataka;
(f) where possible, the envisaged time limits for erasure of the different categories of data;
ISO 27701
(EN) 8.4.2 Return, transfer or disposal of PII
Control
The organization should provide the ability to return, transfer and/or disposal of PII in a secure manner. It should also make its policy available to the customer.
Implementation guidance
At some point in time, PII can need to be disposed of in some manner.
(EN) […]
(EN) Sign in
to read the full text
2. Svaki izvršitelj obrade i predstavnik izvršitelja obrade, ako je primjenjivo, vodi evidenciju svih kategorija aktivnosti obrade koje se obavljaju za voditelja obrade, koja sadržava:
2. Each processor and, where applicable, the processor’s representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing:
(a) ime i kontaktne podatke jednog ili više izvršitelja obrade i svakog voditelja obrade u čije ime izvršitelj obrade djeluje te, ako je primjenjivo, predstavnika voditelja obrade ili izvršitelja obrade te službenika za zaštitu podataka;
(a) the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller’s or the processor’s representative, and the data protection officer;
(b) kategorije obrade koje se obavljaju u ime svakog voditelja obrade;
(b) the categories of processing carried out on behalf of each controller;
(c) ako je primjenjivo, prijenos osobnih podataka u treću zemlju ili međunarodnu organizaciju, uključujući identificiranje te treće zemlje ili međunarodne organizacije te, u slučaju prijenosa iz članka 49. stavka 1. točke (h), dokumentaciju o odgovarajućim zaštitnim mjerama;
(c) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
ISO 27701
(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII processors.
Here is the relevant paragraph to article 30(2)(c) GDPR:
8.5.2 Countries and international organizations to which PII can be transferred
Control
The organization should specify and document the countries and international organizations to which PII can possibly be transferred.
Implementation guidance
The identities of the countries and international organizations to which PII can possibly be transferred in normal operations should be made available to customers.
(EN) […]
(EN) Sign in
to read the full text
(d) ako je moguće, opći opis tehničkih i organizacijskih sigurnosnih mjera iz članka 32. stavka 1.
(d) where possible, a general description of the technical and organisational security measures referred to in Article 32(1).
ISO 27701
Vezani tekstovi
(EN) ISO/IEC 27701, adopted in 2019, added a requirement additional to ISO/IEC 27002, section 15.1.2.
Here is the relevant paragraph to article 30(2)(d) GDPR:
6.12.1.2 Addressing security within supplier agreements
Implementation guidance
The organization should specify in agreements with suppliers whether PII is processed and the minimum technical and organizational measures that the supplier needs to meet in order for the organization to meet its information security and PII protection obligations (see 7.2.6 and 8.2.1).
(EN) […]
(EN) Sign in
to read the full text
3. Evidencija iz stavaka 1. i 2. mora biti u pisanom obliku, uključujući elektronički oblik.
3. The records referred to in paragraphs 1 and 2 shall be in writing, including in electronic form.
4. Voditelj obrade ili izvršitelj obrade te predstavnik voditelja obrade ili izvršitelja obrade, ako je primjenjivo, na zahtjev daju nadzornom tijelu uvid u evidenciju.
4. The controller or the processor and, where applicable, the controller’s or the processor’s representative, shall make the record available to the supervisory authority on request.
5. Obveze iz stavaka 1. i 2. ne primjenjuju se na poduzeće ili organizaciju u kojoj je zaposleno manje od 250 osoba, osim ako će obrada koju provodi vjerojatno prouzročiti visok rizik za prava i slobode ispitanika, ako obrada nije povremena ili obrada uključuje posebne kategorije podataka iz članka 9. stavka 1. ili je riječ o osobnim podacima u vezi s kaznenim osudama i kažnjivim djelima iz članka 10.
5. The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.
Opća uredba o zaštiti podataka (GDPR)
General Data Protection Regulation (EU GDPR)
The latest consolidated version of the Regulation with corrections by Corrigendum, OJ L 127, 23.5.2018, p. 2 ((EU) 2016/679). Source: EUR-lex.
Stručni komentar
ISO 27701
Uvodne izjave
Smjernice i sudska praksa
Ostavite komentar
(EN) Article 30 is pretty straightforward and gives us very direct instructions on what document has to be created and what information has to be in it. Often it is enough to create a spreadsheet or a simple Excel table if the number of your processing activities is not so high, but if it doesn’t scale well, there are also specialised software solutions for Register of Processing Activities.
(EN) […]
(EN) Sign in
to read the full text
(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.
Here is the relevant paragraph to article 30 GDPR:
7.2.8 Records related to processing PII
Control
The organization should determine and securely maintain the necessary records in support of its obligations for the processing of PII.
Implementation guidance
A way to maintain records of the processing of PII is to have an inventory or list of the PII processing activities that the organization performs. Such an inventory can include:
(EN) […]
(EN) Sign in
to read the full text
(13) Kako bi se osigurala dosljedna razina zaštite pojedinaca širom Unije i spriječila razilaženja koja ometaju slobodno kretanje osobnih podataka na unutarnjem tržištu, potrebna je Uredba radi pružanja pravne sigurnosti i transparentnosti gospodarskim subjektima, uključujući mikropoduzeća, mala i srednja poduzeća, te pružanja pojedincima u svim državama članicama istu razinu pravno primjenjivih prava i obveza te odgovornosti za voditelje obrade i izvršitelje obrade kako bi se osiguralo postojano praćenje obrade osobnih podataka i jednake sankcije u svim državama članicama, kao i djelotvornu suradnju između nadzornih tijela različitih država članica. Za ispravno funkcioniranje unutarnjeg tržišta ne ograničava se niti zabranjuje slobodno kretanje osobnih podataka u Uniji zbog razloga povezanih sa zaštitom pojedinaca u vezi s obradom osobnih podataka. Ova Uredba sadržava odstupanja za organizacije u kojima je zaposleno manje od 250 osoba s obzirom na vođenje evidencije, radi uzimanja u obzir posebnih situacija mikropoduzeća, malih i srednjih poduzeća. Osim toga, institucije i tijela Unije te države članice i njihova nadzorna tijela potiču se da u primjeni ove Uredbe uzmu u obzir posebne potrebe mikropoduzeća, malih i srednjih poduzeća. Pojam mikropoduzeća, malih i srednjih poduzeća trebao bi se temeljiti na članku 2. Priloga Preporuci Komisije 2003/361/EZ (5).
(13) In order to ensure a consistent level of protection for natural persons throughout the Union and to prevent divergences hampering the free movement of personal data within the internal market, a Regulation is necessary to provide legal certainty and transparency for economic operators, including micro, small and medium-sized enterprises, and to provide natural persons in all Member States with the same level of legally enforceable rights and obligations and responsibilities for controllers and processors, to ensure consistent monitoring of the processing of personal data, and equivalent sanctions in all Member States as well as effective cooperation between the supervisory authorities of different Member States. The proper functioning of the internal market requires that the free movement of personal data within the Union is not restricted or prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data. To take account of the specific situation of micro, small and medium-sized enterprises, this Regulation includes a derogation for organisations with fewer than 250 employees with regard to record-keeping. In addition, the Union institutions and bodies, and Member States and their supervisory authorities, are encouraged to take account of the specific needs of micro, small and medium-sized enterprises in the application of this Regulation. The notion of micro, small and medium-sized enterprises should draw from Article 2 of the Annex to Commission Recommendation 2003/361/EC [5].
(5) Preporuka Komisije od 6. svibnja 2003. o definiciji mikropoduzeća te malih i srednjih poduzeća (C(2003) 1422) (SL L 124, 20.5.2003., str. 36.). https://eur-lex.europa.eu/legal-content/EN/AUTO/?uri=OJ:L:2003:124:TOC
[5] Commission Recommendation of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises (C(2003) 1422) (OJ L 124, 20.5.2003, p. 36). https://eur-lex.europa.eu/legal-content/EN/AUTO/?uri=OJ:L:2003:124:TOC
(39) Svaka obrada osobnih podataka trebala bi biti zakonita i poštena. Za pojedince bi trebalo biti transparentno kako se osobni podaci koji se odnose na njih prikupljaju, upotrebljavaju, daju na uvid ili na drugi način obrađuju, kao i do koje se mjere ti osobni podaci obrađuju ili će se obrađivati. Načelom transparentnosti traži se da svaka informacija i komunikacija u vezi s obradom tih osobnih podataka bude lako dostupna i razumljiva te da se upotrebljava jasan i jednostavan jezik. To se načelo osobito odnosi na informacije ispitaniku o identitetu voditelja obrade i svrhama obrade te daljnje informacije radi osiguravanja poštenosti i transparentnosti obrade s obzirom na pojedince o kojima je riječ i njihovo pravo da dobiju potvrdu i na obavijest o osobnim podacima koji se obrađuju, a koji se odnose na njih. Pojedinci bi trebali biti upoznati s rizicima, pravilima, zaštitnim mjerama i pravima u vezi s obradom osobnih podataka i načinom ostvarenja svojih prava u vezi s obradom. Osobito,određena svrha u koju se osobni podaci obrađuju trebala bi biti izrijekom navedena i opravdana te određena u vrijeme prikupljanja osobnih podataka. Osobni podaci trebali bi biti primjereni, bitni i ograničeni na ono što je nužno za svrhe u koje se podaci obrađuju. Zbog toga je osobito potrebno osigurati da je razdoblje u kojem se osobni podaci pohranjuju ograničeno na strogi minimum. Osobni podaci trebali bi se obrađivati samo ako se svrha obrade opravdano ne bi mogla postići drugim sredstvima. Radi osiguravanja da se osobni podaci ne drže duže nego što je nužno, voditelj obrade trebao bi odrediti rok za brisanje ili periodično preispitivanje. Trebalo bi poduzeti svaki razumno opravdani korak radi osiguravanja da se netočni osobni podaci isprave ili izbrišu. Osobne podatke trebalo bi obrađivati uz odgovarajuće poštovanje sigurnosti i povjerljivosti osobnih podataka, što obuhvaća i sprečavanje neovlaštenog pristupa osobnim podacima i opremi kojom se koristi pri obradi podataka ili njihove neovlaštene upotrebe.
(39) Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed. Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review. Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted. Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.
(82) Voditelj obrade ili izvršitelj obrade trebao bi voditi evidenciju o aktivnostima obrade pod svojom odgovornošću radi dokazivanja sukladnosti s ovom Uredbom. Svaki voditelj obrade i izvršitelj obrade trebao bi imati obvezu surađivati s nadzornim tijelom i omogućiti mu na zahtjev uvid u tu evidenciju kako bi mu mogla poslužiti za praćenje postupaka obrade.
(82) In order to demonstrate compliance with this Regulation, the controller or processor should maintain records of processing activities under its responsibility. Each controller and processor should be obliged to cooperate with the supervisory authority and make those records, on request, available to it, so that it might serve for monitoring those processing operations.
(EN) Information Commissioner’s Office (ICO, Great Britain), Documentation template for controllers
Information Commissioner’s Office (ICO, Great Britain), Documentation template for processors
Information Commissioner’s Office (ICO, Great Britain), Right of Access (2020).
Information Commissioner’s Office (ICO, Great Britain), Data sharing: a code of practice (2020).
EDPB, Guidelines 02/2021 on Virtual Voice Assistants (2021).
[js-disqus]
(EN) Url-link to highlighted text was copied to the clipboard!
(EN) Preparing download...
(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.
Here is the relevant paragraph to article 30(1)(d) GDPR:
7.5.4 Records of PII disclosure to third parties
Control
The organization should record disclosures of PII to third parties, including what PII has been disclosed, to whom and at what time.
Implementation guidance
PII can be disclosed during the course of normal operations.
(EN) […]
(EN) Sign in
to read the full text