(75) The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage; where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data; where personal data are processed which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, and the processing of genetic data, data concerning health or data concerning sex life or criminal convictions and offences or related security measures; where personal aspects are evaluated, in particular analysing or predicting aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, in order to create or use personal profiles; where personal data of vulnerable natural persons, in particular of children, are processed; or where processing involves a large amount of personal data and affects a large number of data subjects.
(84) In order to enhance compliance with this Regulation where processing operations are likely to result in a high risk to the rights and freedoms of natural persons, the controller should be responsible for the carrying-out of a data protection impact assessment to evaluate, in particular, the origin, nature, particularity and severity of that risk. The outcome of the assessment should be taken into account when determining the appropriate measures to be taken in order to demonstrate that the processing of personal data complies with this Regulation. Where a data protection impact assessment indicates that processing operations involve a high risk which the controller cannot mitigate by appropriate measures in terms of available technology and costs of implementation, a consultation of the supervisory authority should take place prior to the processing.
(89) Directive 95/46/EC provided for a general obligation to notify the processing of personal data to the supervisory authorities. While that obligation produces administrative and financial burdens, it did not in all cases contribute to improving the protection of personal data. Such indiscriminate general notification obligations should therefore be abolished, and replaced by effective procedures and mechanisms which focus instead on those types of processing operations which are likely to result in a high risk to the rights and freedoms of natural persons by virtue of their nature, scope, context and purposes. Such types of processing operations may be those which, in particular, involve using new technologies, or are of a new kind and where no data protection impact assessment has been carried out before by the controller, or where they become necessary in the light of the time that has elapsed since the initial processing.
(90) In such cases, a data protection impact assessment should be carried out by the controller prior to the processing in order to assess the particular likelihood and severity of the high risk, taking into account the nature, scope, context and purposes of the processing and the sources of the risk. That impact assessment should include, in particular, the measures, safeguards and mechanisms envisaged for mitigating that risk, ensuring the protection of personal data and demonstrating compliance with this Regulation.
(91) This should in particular apply to large-scale processing operations which aim to process a considerable amount of personal data at regional, national or supranational level and which could affect a large number of data subjects and which are likely to result in a high risk, for example, on account of their sensitivity, where in accordance with the achieved state of technological knowledge a new technology is used on a large scale, as well as to other processing operations which result in a high risk to the rights and freedoms of data subjects, in particular where those operations render it more difficult for data subjects to exercise their rights. A data protection impact assessment should also be made where personal data are processed for taking decisions regarding specific natural persons following any systematic and extensive evaluation of personal aspects relating to natural persons based on profiling those data or following the processing of special categories of personal data, biometric data, or data on criminal convictions and offences or related security measures. A data protection impact assessment is equally required for monitoring publicly accessible areas on a large scale, especially when using optic-electronic devices, or for any other operations where the competent supervisory authority considers that the processing is likely to result in a high risk to the rights and freedoms of data subjects, in particular because they prevent data subjects from exercising a right or using a service or a contract, or because they are carried out systematically on a large scale. The processing of personal data should not be considered to be on a large scale if the processing concerns personal data from patients or clients by an individual physician, other health care professional or lawyer. In such cases, a data protection impact assessment should not be mandatory.
(92) There are circumstances under which it may be reasonable and economical for the subject of a data protection impact assessment to be broader than a single project, for example where public authorities or bodies intend to establish a common application or processing platform, or where several controllers plan to introduce a common application or processing environment across an industry sector or segment or for a widely used horizontal activity.
(93) In the context of the adoption of the Member State law on which the performance of the tasks of the public authority or public body is based and which regulates the specific processing operation or set of operations in question, Member States may deem it necessary to carry out such an assessment prior to the processing activities.
ISO/IEC 27701, adopted in 2019, added further ISO/IEC 27002 guidance for PII processors.
Here is the relevant paragraph for Article 35(1) GDPR:
8.2.1 Customer agreement
Control
The organization should ensure, where relevant, that the contract to process PII addresses the organization’s role in providing assistance with the customer’s obligations (taking into account the nature of processing and the information available to the organization).
Implementation guidance
The contract between the organization and the customer should include the following wherever relevant, and depending on the customer’s role (PII controller or PII processor) (this list is neither definitive nor exhaustive):
…