Navigacija
GDPR > Članak 5.. Načela obrade osobnih podataka
Preuzmite PDF

Članak 5. GDPR. Načela obrade osobnih podataka

Article 5 GDPR. Principles relating to processing of personal data

1. Osobni podaci moraju biti:

1. Personal data shall be:

(a) zakonito, pošteno i transparentno obrađivani s obzirom na ispitanika („zakonitost, poštenosti transparentnost”);

(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);

Stručni komentar
ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph to article 5(1)(a) GDPR:

7.2.2 Identify lawful basis

Control

The organization should determine, document and comply with the relevant lawful basis for the processing of PII for the identified purposes.

Implementation guidance

Some jurisdictions require the organization to be able to demonstrate that the lawfulness of processing was duly established before the processing.

(EN) […]


to read the full text

Smjernice i sudska praksa Uvodne izjave

(39) Svaka obrada osobnih podataka trebala bi biti zakonita i poštena. Za pojedince bi trebalo biti transparentno kako se osobni podaci koji se odnose na njih prikupljaju, upotrebljavaju, daju na uvid ili na drugi način obrađuju, kao i do koje se mjere ti osobni podaci obrađuju ili će se obrađivati. Načelom transparentnosti traži se da svaka informacija i komunikacija u vezi s obradom tih osobnih podataka bude lako dostupna i razumljiva te da se upotrebljava jasan i jednostavan jezik. To se načelo osobito odnosi na informacije ispitaniku o identitetu voditelja obrade i svrhama obrade te daljnje informacije radi osiguravanja poštenosti i transparentnosti obrade s obzirom na pojedince o kojima je riječ i njihovo pravo da dobiju potvrdu i na obavijest o osobnim podacima koji se obrađuju, a koji se odnose na njih. Pojedinci bi trebali biti upoznati s rizicima, pravilima, zaštitnim mjerama i pravima u vezi s obradom osobnih podataka i načinom ostvarenja svojih prava u vezi s obradom. Osobito,određena svrha u koju se osobni podaci obrađuju trebala bi biti izrijekom navedena i opravdana te određena u vrijeme prikupljanja osobnih podataka. Osobni podaci trebali bi biti primjereni, bitni i ograničeni na ono što je nužno za svrhe u koje se podaci obrađuju. Zbog toga je osobito potrebno osigurati da je razdoblje u kojem se osobni podaci pohranjuju ograničeno na strogi minimum. Osobni podaci trebali bi se obrađivati samo ako se svrha obrade opravdano ne bi mogla postići drugim sredstvima. Radi osiguravanja da se osobni podaci ne drže duže nego što je nužno, voditelj obrade trebao bi odrediti rok za brisanje ili periodično preispitivanje. Trebalo bi poduzeti svaki razumno opravdani korak radi osiguravanja da se netočni osobni podaci isprave ili izbrišu. Osobne podatke trebalo bi obrađivati uz odgovarajuće poštovanje sigurnosti i povjerljivosti osobnih podataka, što obuhvaća i sprečavanje neovlaštenog pristupa osobnim podacima i opremi kojom se koristi pri obradi podataka ili njihove neovlaštene upotrebe.

(39) Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed. Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review. Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted. Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.

Vezani tekstovi

(b) prikupljeni u posebne, izričite i zakonite svrhe te se dalje ne smiju obrađivati na način koji nije u skladu s tim svrhama; daljnja obrada u svrhe arhiviranja u javnom interesu, u svrhe znanstvenog ili povijesnog istraživanja ili u statističke svrhe, u skladu s člankom 89. stavkom 1. ne smatra se neusklađenom s prvotnim svrhama („ograničavanje svrhe”);

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);

Stručni komentar
ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraphs to article 5(1)(b) GDPR:

7.2.1 Identify and document purpose

Control

The organization should identify and document the specific purposes for which the PII will be processed.

Implementation guidance

The organization should ensure that PII principals understand the purpose for which their PII is processed. It is the responsibility of the organization to clearly document and communicate this to PII principals.

(EN) […]


to read the full text

Smjernice i sudska praksa Vezani tekstovi

(c) primjereni, relevantni i ograničeni na ono što je nužno u odnosu na svrhe u koje se obrađuju („smanjenje količine podataka”);

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

Stručni komentar
ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraphs to article 5(1)(c) GDPR:

7.4.1 Limit collection

Control

The organization should limit the collection of PII to the minimum that is relevant, proportional and necessary for the identified purposes.

Implementation guidance

The organization should limit the collection of PII to what is adequate, relevant and necessary in relation to the identified purposes. This includes limiting the amount of PII that the organization collects indirectly (e.g. through web logs, system logs, etc.).

Privacy by default implies that, where any optionality in the collection and processing of PII exists, each option should be disabled by default and only enabled by explicit choice of the PII principal.

7.4.4 PII minimization objectives

Control

The organization should define and document data minimization objectives and what mechanisms (such as de-identification) are used to meet those objectives.

(EN) […]


to read the full text

Smjernice i sudska praksa Vezani tekstovi

(d) točni i prema potrebi ažurni; mora se poduzeti svaka razumna mjera radi osiguravanja da se osobni podaci koji nisu točni, uzimajući u obzir svrhe u koje se obrađuju, bez odlaganja izbrišu ili isprave („točnost”);

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);

Stručni komentar
ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraphs to article 5(1)(d) GDPR:

7.3.6 Access, correction and/or erasure

Control

The organization should implement policies, procedures and/or mechanisms to meet their obligations to PII principals to access, correct and/or erase their PII.

Implementation guidance

The organization should implement policies, procedures and/or mechanisms for enabling PII principals to obtain access to, correct and erase of their PII, if requested and without undue delay.

(EN) […]


to read the full text

Vezani tekstovi

(e) čuvani u obliku koji omogućuje identifikaciju ispitanikâ samo onoliko dugo koliko je potrebno u svrhe radi kojih se osobni podaci obrađuju; osobni podaci mogu se pohraniti na dulja razdoblja ako će se osobni podaci obrađivati isključivo u svrhe arhiviranja u javnom interesu, u svrhe znanstvenog ili povijesnog istraživanja ili u statističke svrhe u skladu s člankom 89. stavkom 1., što podliježe provedbi primjerenih tehničkih i organizacijskih mjera propisanih ovom Uredbom radi zaštite prava i sloboda ispitanika („ograničenje pohrane”);

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);

Stručni komentar
ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraphs to article 5(1)(e) GDPR:

7.4.4 PII minimization objectives

Control

The organization should define and document data minimization objectives and what mechanisms (such as de-identification) are used to meet those objectives.

Implementation guidance

Organizations should identify how the specific PII and amount of PII collected and processed is limited relative to the identified purposes.

(EN) […]


to read the full text

Smjernice i sudska praksa Vezani tekstovi

(f) obrađivani na način kojim se osigurava odgovarajuća sigurnost osobnih podataka, uključujući zaštitu od neovlaštene ili nezakonite obrade te od slučajnog gubitka, uništenja ili oštećenja primjenom odgovarajućih tehničkih ili organizacijskih mjera („cjelovitost i povjerljivost”);

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

Stručni komentar
ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added a requirement additional to ISO/IEC 27002, section 6.2.1.

Here is the relevant paragraphs to article 5(1)(f) GDPR:

6.3.2.1 Mobile device policy

Implementation guidance

The organization should ensure that the use of mobile devices does not lead to a compromise of PII.

(EN) […]


to read the full text

Smjernice i sudska praksa Vezani tekstovi

2. Voditelj obrade odgovoran je za usklađenost sa stavkom 1. te je mora biti u mogućnosti dokazati („pouzdanost”).

2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added a requirement additional to ISO/IEC 27002, section 18.1.3.

Here is the relevant paragraphs to article 5(2) GDPR:

6.15.1.3 Protection of records

Implementation guidance

Review of current and historical policies and procedures can be required (e.g. in the cases of customer dispute resolution and investigation by a supervisory authority).

(EN) […]


to read the full text

Smjernice i sudska praksa Uvodne izjave

(82) Voditelj obrade ili izvršitelj obrade trebao bi voditi evidenciju o aktivnostima obrade pod svojom odgovornošću radi dokazivanja sukladnosti s ovom Uredbom. Svaki voditelj obrade i izvršitelj obrade trebao bi imati obvezu surađivati s nadzornim tijelom i omogućiti mu na zahtjev uvid u tu evidenciju kako bi mu mogla poslužiti za praćenje postupaka obrade.

(82) In order to demonstrate compliance with this Regulation, the controller or processor should maintain records of processing activities under its responsibility. Each controller and processor should be obliged to cooperate with the supervisory authority and make those records, on request, available to it, so that it might serve for monitoring those processing operations.

Vezani tekstovi
Uvodne izjave Smjernice i sudska praksa Ostavite komentar
Uvodne izjave

(39) Svaka obrada osobnih podataka trebala bi biti zakonita i poštena. Za pojedince bi trebalo biti transparentno kako se osobni podaci koji se odnose na njih prikupljaju, upotrebljavaju, daju na uvid ili na drugi način obrađuju, kao i do koje se mjere ti osobni podaci obrađuju ili će se obrađivati. Načelom transparentnosti traži se da svaka informacija i komunikacija u vezi s obradom tih osobnih podataka bude lako dostupna i razumljiva te da se upotrebljava jasan i jednostavan jezik. To se načelo osobito odnosi na informacije ispitaniku o identitetu voditelja obrade i svrhama obrade te daljnje informacije radi osiguravanja poštenosti i transparentnosti obrade s obzirom na pojedince o kojima je riječ i njihovo pravo da dobiju potvrdu i na obavijest o osobnim podacima koji se obrađuju, a koji se odnose na njih. Pojedinci bi trebali biti upoznati s rizicima, pravilima, zaštitnim mjerama i pravima u vezi s obradom osobnih podataka i načinom ostvarenja svojih prava u vezi s obradom. Osobito,određena svrha u koju se osobni podaci obrađuju trebala bi biti izrijekom navedena i opravdana te određena u vrijeme prikupljanja osobnih podataka. Osobni podaci trebali bi biti primjereni, bitni i ograničeni na ono što je nužno za svrhe u koje se podaci obrađuju. Zbog toga je osobito potrebno osigurati da je razdoblje u kojem se osobni podaci pohranjuju ograničeno na strogi minimum. Osobni podaci trebali bi se obrađivati samo ako se svrha obrade opravdano ne bi mogla postići drugim sredstvima. Radi osiguravanja da se osobni podaci ne drže duže nego što je nužno, voditelj obrade trebao bi odrediti rok za brisanje ili periodično preispitivanje. Trebalo bi poduzeti svaki razumno opravdani korak radi osiguravanja da se netočni osobni podaci isprave ili izbrišu. Osobne podatke trebalo bi obrađivati uz odgovarajuće poštovanje sigurnosti i povjerljivosti osobnih podataka, što obuhvaća i sprečavanje neovlaštenog pristupa osobnim podacima i opremi kojom se koristi pri obradi podataka ili njihove neovlaštene upotrebe.

(39) Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed. Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review. Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted. Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.

Smjernice i sudska praksa Ostavite komentar
[js-disqus]