5 straipsnis 📖 BDAR. Su asmens duomenų tvarkymu susiję principai

5 straipsnis BDAR. Su asmens duomenų tvarkymu susiję principai

Article 5 GDPR. Principles relating to processing of personal data

1. Asmens duomenys turi būti:

1. Personal data shall be:

a) duomenų subjekto atžvilgiu tvarkomi teisėtu, sąžiningu ir skaidriu būdu (teisėtumo, sąžiningumo ir skaidrumo principas);

(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);

Ekspertų komentarai ISO 27701 Gairės & Byla Teisė Konstatuojamosios dalys Jungtys

Ekspertų komentarai

(EN) Example of lawful processing:

Example A bank plans to offer a service to improve efficiency in the management of loan applications. The idea behind the service is that the bank, by requesting permission from the customer, can be able to retrieve data from public authorities about the customer. This may be, for example, tax data from the tax administration.

Initially, this personal data is necessary in order to take steps at the request of the data subject prior to entering into a contract. However, this specific way of processing the personal data is not necessary for entering into a contract, because a loan may be granted without obtaining data directly from public authorities. The customer is able to enter into a contract by providing the information from the tax administration herself.

When implementing the principle of lawfulness, the controller realizes that they cannot use the “necessary for contract-”basis for the part of the processing that involves gathering personal data directly from the tax authorities. The fact that this specific processing presents a risk of the data subject becoming less involved in the processing of their data is also a relevant factor in assessing the lawfulness of the processing itself. The bank concludes that this part of the processing must rely on consent.

The bank therefore presents information about the processing on the online application platform in such a manner that makes it easy for data subjects to understand what processing is mandatory and what is optional. The processing options, by default, do not allow retrieval of data directly from other sources than the data subject herself, and the option for direct information retrieval is presented in a manner that does not deter the data subject from abstaining. Any consent given to collect data directly from other controllers is a temporary right of access to a specific set of information.

Any given consent is processed electronically in a documentable manner, and data subjects are presented with an easy way of controlling what they have consented to and to withdraw their consent.

The controller has assessed these Data protection by design and default (DPbDD) requirements beforehand and includes all of these criteria in their requirements specification for the tender to procure the platform. The controller is aware that if they do not include the DPbDD requirements in the tender, it may either be too late or a very costly process to implement data protection afterwards.

Source: EDPB, Guidelines 4/2019 on Article 25 – Data Protection by Design and by Default (Version for public consultation) (2019).

(EN) Example of transparency measures:

A controller is designing a privacy policy in order to comply with the requirements of transparency. The privacy policy cannot contain a lengthy bulk of information that is difficult for the average data subject to penetrate and understand, it must be written in clear and concise language and make it easy for the user of the website to understand how their personal data is processed. The controller therefore provides information in a multi-layered manner, where the most important points are highlighted. Drop-down menus and links to other pages are provided to further explain the concepts in the policy. The controller also makes sure that the information is provided in a multi-channel manner, providing video clips to explain the most important points of the information.

The privacy policy cannot be difficult for data subjects to access. The privacy policy is thus made available and visible on all internal web-pages of the site in question, so that the data subject is always only one click away from accessing the information. The information provided is also designed in accordance with the best practices and standards of universal design to make it accessible to all.

Moreover, necessary information must also be provided in the right context, at the appropriate time. This means, that generally a privacy policy on the website alone is not sufficient for the controller to meet the requirements of transparency. The controller therefore designs an information flow, presenting the data subject with relevant information within the appropriate contexts using e.g. informational snippets or pop-ups. For example, when asking the data subject to enter personal data, the controller informs the data subject of how the personal data will be processed and why that personal data is necessary for the processing.

Source: EDPB, Guidelines 4/2019 on Article 25 – Data Protection by Design and by Default (Version for public consultation) (2019).

(EN) Examples of fairness considerations:

Example 1

A controller operates a search engine that processes mostly user-generated personal data. The controller benefits from having large amounts of personal data and being able to use that personal data for targeted advertisements. The controller therefore wishes to influence data subjects to allow extensive collection and use of their personal data.

When implementing the fairness principle, taking into account the nature, scope, context and purpose of the processing, the controller realizes that they cannot present the options in a way that nudges the data subject in the direction of allowing the controller to collect more personal data than if the options were presented in an equal and neutral way. This means that they cannot present the processing options in such a manner that makes it difficult for data subjects to abstain from sharing their data, or make it difficult for the data subjects to adjust their privacy settings and limit the processing. The default options for the processing must be the least invasive, and the choice for further processing must be presented in a manner that does not deter the data subject from abstaining.

Example 2

Another controller processes personal data for the provision of a streaming service where users may choose between a regular subscription of standard quality and a premium subscription with higher quality. As part of the premium subscription, subscribers get prioritized customer service. With regard to the fairness principle, the prioritized customer service granted to premium subscribers cannot discriminate other data subjects’ rights according to the GDPR Article 12. This means that although the premium subscribers get prioritized service, such prioritization cannot result in a lack of appropriate measures to respond to request from regular subscribers without undue delay and in any event within one month of receipt of the requests.

Prioritized customers may pay to get better service, but all data subjects shall have equal and indiscriminate access to enforce their rights and freedoms according to the GDPR.

Source: EDPB, Guidelines 4/2019 on Article 25 – Data Protection by Design and by Default (Version for public consultation) (2019).

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph to article 5(1)(a) GDPR:

7.2.2 Identify lawful basis

Control

The organization should determine, document and comply with the relevant lawful basis for the processing of PII for the identified purposes.

Implementation guidance

Some jurisdictions require the organization to be able to demonstrate that the lawfulness of processing was duly established before the processing.

…

Prisijungti
norėdami pasiekti visą tekstą

Gairės & Byla Teisė

(EN) EDPB, Guidelines 8/2020 on the targeting of social media users (2020).

Konstatuojamosios dalys

(39) bet kuris asmens duomenų tvarkymas turėtų būti teisėtas ir sąžiningas. Taikant skaidrumo principą, fiziniams asmenims turėtų būti aišku, kaip su jais susiję asmens duomenys yra renkami, naudojami, su jais susipažįstama arba jie yra kitaip tvarkomi, taip pat kokiu mastu tie asmens duomenys yra ar bus tvarkomi. Pagal skaidrumo principą informacija ir pranešimai, susiję su tų asmens duomenų tvarkymu, turi būti lengvai prieinami ir suprantami, pateikiami aiškia ir paprasta kalba. Tas principas visų pirma susijęs su duomenų subjektų informavimu apie duomenų valdytojo tapatybę ir duomenų tvarkymo tikslus, taip pat su tolesniu informavimu, kad būtų užtikrintas sąžiningas ir skaidrus duomenų tvarkymas atitinkamų fizinių asmenų atžvilgiu, jų teise gauti patvirtinimą dėl su jais susijusių asmens duomenų tvarkymo ir teise tuos duomenis gauti. Fiziniai asmenys turėtų būti informuoti apie su asmens duomenų tvarkymu susijusius pavojus, taisykles, apsaugos priemones bei teises ir apie tai, kaip naudotis savo teisėmis tokio asmens duomenų tvarkymo srityje. Visų pirma konkretūs tikslai, kuriais tvarkomi asmens duomenys, turėtų būti aiškūs, teisėti ir nustatyti duomenų rinkimo metu. Asmens duomenys turėtų būti tinkami, susiję su tikslais, kuriais jie tvarkomi, ir riboti pagal tai, kiek jų yra būtina turėti atsižvelgiant į tikslus, kuriais jie tvarkomi; tam pirmiausia reikia užtikrinti, kad asmens duomenų saugojimo laikotarpis būtų tikrai minimalus. Asmens duomenys turėtų būti tvarkomi tik tuomet, jei asmens duomenų tvarkymo tikslo pagrįstai negalima pasiekti kitomis priemonėmis. Siekiant užtikrinti, kad duomenys nebūtų laikomi ilgiau nei būtina, duomenų valdytojas turėtų nustatyti duomenų ištrynimo arba periodinės peržiūros terminus. Reikėtų imtis visų pagrįstų priemonių, siekiant užtikrinti, kad netikslūs asmens duomenys būtų ištaisyti arba ištrinti. Asmens duomenys turėtų būti tvarkomi taip, kad būtų užtikrintas tinkamas asmens duomenų saugumas ir konfidencialumas, be kita ko, užkertant kelią neteisėtai prieigai prie asmens duomenų ir jų tvarkymui skirtos įrangos ar neteisėtam jų naudojimui;

(39) Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed. Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review. Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted. Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.

Jungtys

6 straipsnis BDAR. Tvarkymo teisėtumas

Article 6 GDPR. Lawfulness of processing

1. Duomenų tvarkymas yra teisėtas tik tuo atveju, jeigu taikoma bent viena iš šių sąlygų, ir tik tokiu mastu, kokiu ji yra taikoma:

1. Processing shall be lawful only if and to the extent that at least one of the following applies:

a) duomenų subjektas davė sutikimą, kad jo asmens duomenys būtų tvarkomi vienu ar keliais konkrečiais tikslais;

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

b) tvarkyti duomenis būtina siekiant įvykdyti sutartį, kurios šalis yra duomenų subjektas, arba siekiant imtis veiksmų duomenų subjekto prašymu prieš sudarant sutartį;

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

c) tvarkyti duomenis būtina, kad būtų įvykdyta duomenų valdytojui taikoma teisinė prievolė;

(c) processing is necessary for compliance with a legal obligation to which the controller is subject;

d) tvarkyti duomenis būtina siekiant apsaugoti gyvybinius duomenų subjekto ar kito fizinio asmens interesus;

(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

e) tvarkyti duomenis būtina siekiant atlikti užduotį, vykdomą viešojo intereso labui arba vykdant duomenų valdytojui pavestas viešosios valdžios funkcijas;

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

f) tvarkyti duomenis būtina siekiant teisėtų duomenų valdytojo arba trečiosios šalies interesų, išskyrus atvejus, kai tokie duomenų subjekto interesai arba pagrindinės teisės ir laisvės, dėl kurių būtina užtikrinti asmens duomenų apsaugą, yra už juos viršesni, ypač kai duomenų subjektas yra vaikas.

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

[…]

Guidelines 4/2019 on Article 25 Data Protection by Design and by Default Version 2.0.

3.1 Transparency [24]

_{[24]Elaboration on how to understand the concept of transparency can be found in Article 29 Working Party. „Guidelines on transparency under Regulation 2016/679“. WP 260 rev.01, 11 April 2018. ec.europa.eu/newsroom/article29/document.cfm?action=display&doc_id=51025 – endorsed by the EDPB}

65. The controller must be clear and open with the data subject about how they will collect, use and share personal data. Transparency is about enabling data subjects to understand, and if necessary, make use of their rights in Articles 15 to 22. The principle is embedded in Articles 12, 13, 14 and 34. Measures and safeguards put in place to support the principle of transparency should also support the implementation of these Articles.

66. Key design and default elements for the principle of transparency may include:

•Clarity – Information shall be in clear and plain language, concise and intelligible.

•Semantics – Communication should have a clear meaning to the audience in question.

•Accessibility – Information shall be easily accessible for the data subject.

•Contextual – Information should be provided at the relevant time and in the appropriate form.

•Relevance – Information should be relevant and applicable to the specific data subject.

•Universal design – Information shall be accessible to all data subjects, include use of machine readable languages to facilitate and automate readability and clarity.

•Comprehensible – Data subjects should have a fair understanding of what they can expect with regards to the processing of their personal data, particularly when the data subjects are children or other vulnerable groups.

• Multi-channel – Information should be provided in different channels and media, not only the textual, to increase the probability for the information to effectively reach the data subject.

• Layered – The information should be layered in a manner that resolves the tension between completeness and understanding, while accounting for data subjects’ reasonable expectations.

3.2 Lawfulness

67. The controller must identify a valid legal basis for the processing of personal data. Measures and safeguards should support the requirement to make sure that the whole processing lifecycle is in line with the relevant legal grounds of processing.

68. Key design and default elements for lawfulness may include:

• Relevance – The correct legal basis shall be applied to the processing.

• Differentiation [26] – The legal basis used for each processing activity shall be differentiated.

_{[26] EDPB. „Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects“. Version 2.0, 8 October 2019. edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines-art_6-1-b- adopted_after_public_consultation_en.pdf}

• Specified purpose – The appropriate legal basis must be clearly connected to the specific purpose of processing.[27]

_{[27] See section on purpose limitation below.}

• Necessity– Processing must be necessary and unconditional for the purpose to be lawful.

• Autonomy – The data subject should be granted the highest degree of autonomy as possible with respect to control over personal data within the frames of the legal basis.

• Gaining consent – consent must be freely given, specific, informed and unambiguous.[28] Particular consideration should be given to the capacity of children and young people to provide informed consent.

_{[28] See Guidelines 05/2020 on consent under Regulation 2016/679. https://edpb.europa.eu/our-work- tools/our-documents/guidelines/guidelines-052020-consent-under-regulation-2016679_en}

• Consent withdrawal – Where consent is the legal basis, the processing should facilitate withdrawal of consent. Withdrawal shall be as easy as giving consent. If not, then the consent mechanism of the controller does not comply with the GDPR.[29]

_{[29] See Guidelines 05/2020 on consent under Regulation 2016/679, p. 24. https://edpb.europa.eu/our-work- tools/our-documents/guidelines/guidelines-052020-consent-under-regulation-2016679_en}

• Balancing of interests – Where legitimate interests is the legal basis, the controller must carry out a weighted balancing of interest, giving particular consideration to the power imbalance, specifically children under the age of 18 and other vulnerable groups. There shall be measures and safeguards to mitigate the negative impact on the data subjects.

• Predetermination – The legal basis shall be established before the processing takes place.

• Cessation – If the legal basis ceases to apply, the processing shall cease accordingly.

• Adjust – If there is a valid change of legal basis for the processing, the actual processing must be adjusted in accordance with the new legal basis.[30]

_{[30] If the original legal basis is consent, see Guidelines 05/2020 on consent under Regulation 2016/679. https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-052020-consent-under- regulation-2016679_en}

• Allocation of responsibility – Whenever joint controllership is envisaged, the parties must apportion in a clear and transparent way their respective responsibilities vis-à-vis the data subject, and design the measures of the processing in accordance with this allocation.

Guidelines 4/2019 on Article 25 Data Protection by Design and by Default Version 2.0.

3.3 Fairness

69. Fairness is an overarching principle which requires that personal data should not be processed in a way that is unjustifiably detrimental, unlawfully discriminatory, unexpected or misleading to the data subject. Measures and safeguards implementing the principle of fairness also support the rights and freedoms of data subjects, specifically the right to information (transparency), the right to intervene (access, erasure, data portability, rectify) and the right to limit the processing (right not to be subject to automated individual decision-making and non-discrimination of data subjects in such processes).

70. Key design and default elements may include:

• Autonomy – Data subjects should be granted the highest degree of autonomy possible to determine the use made of their personal data, as well as over the scope and conditions of that use or processing.

• Interaction – Data subjects must be able to communicate and exercise their rights in respect of the personal data processed by the controller.

• Expectation – Processing should correspond with data subjects’ reasonable expectations.

• Non-discrimination – The controller shall not unfairly discriminate against data subjects.

• Non-exploitation – The controller shall not exploit the needs or vulnerabilities of data subjects.

• Consumer choice – The controller should not „lock in“ their users in an unfair manner. Whenever a service processing personal data is proprietary, it may create a lock-in to the service, which may not be fair, if it impairs the data subjects’ possibility to exercise their right of data portability in accordance with Article 20.

• Power balance – Power balance should be a key objective of the controller-data subject relationship. Power imbalances should be avoided. When this is not possible, they should be recognised and accounted for with suitable countermeasures.

• No risk transfer – Controllers should not transfer the risks of the enterprise to the data subjects.

• No deception – Data processing information and options should be provided in an objective and neutral way, avoiding any deceptive or manipulative language or design.

• Respect rights – The controller must respect the fundamental rights of data subjects and implement appropriate measures and safeguards and not impinge on those rights unless expressly justified by law.

• Ethical – The controller should see the processing’s wider impact on individuals’ rights and dignity.

• Truthful – The controller must make available information about how they process personal data, they should act as they declare they will and not mislead the data subjects.

• Human intervention – The controller must incorporate qualified human intervention that is capable of uncovering biases that machines may create in accordance with the right to not be subject to automated individual decision making in Article 22.[32]

_{[32] See Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679. https://ec.europa.eu/newsroom/article29/document.cfm?action=display&doc_id=49826}

• Fair algorithms – Regularly assess whether algorithms are functioning in line with the purposes and adjust the algorithms to mitigate uncovered biases and ensure fairness in the processing. Data subjects should be informed about the functioning of the processing of personal data based on algorithms that analyse or make predictions about them, such as work performance, economic situation, health, personal preferences, reliability or behaviour, location or movements.[33]

b) renkami nustatytais, aiškiai apibrėžtais bei teisėtais tikslais ir toliau netvarkomi su tais tikslais nesuderinamu būdu; tolesnis duomenų tvarkymas archyvavimo tikslais viešojo intereso labui, mokslinių ar istorinių tyrimų tikslais arba statistiniais tikslais pagal 89 straipsnio 1 dalį nėra laikomas nesuderinamu su pirminiais tikslais (tikslo apribojimo principas);

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);

Ekspertų komentarai ISO 27701 Gairės & Byla Teisė Jungtys

Ekspertų komentarai

(EN) Examples of purpose limitation

Example

The controller processes personal data about its customers. The purpose of the processing is to fulfil a contract, i.e. to be able to deliver goods to the correct address and obtain payment. The personal data stored is the purchase history, name, address, e-mail address and telephone number.

The controller is considering buying a Customer Relationship Management (CRM) product that gathers all the customer data such as sales, marketing and customer service in one place. The product gives the opportunity of storing all phone calls, activities, documents, emails and marketing campaigns to get a 360-degree view of the customer. Ultimately the CRM automatically analyses the customers’ purchasing power by using public information. The purpose of the analysis is to target the advertising better but is not a part of the original lawful purpose of the processing.

To be in line with the principle of purpose limitation, the controller requires the provider of the product to map the different processing activities using personal data with the purposes relevant for the controller. Another requirement is that the product shall be able to flag which kind of processing activities using personal data that is not in line with the legitimate purposes of the controller.

After receiving the results of the mapping, the controller assesses whether the new marketing purpose and the targeted advertisement purpose are within the contractual purposes or if they need another legal ground for this processing. Alternatively the controller could choose to not make use of this functionality in the product.

Source: EDPB, Guidelines 4/2019 on Article 25 – Data Protection by Design and by Default (Version for public consultation) (2019).

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraphs to article 5(1)(b) GDPR:

7.2.1 Identify and document purpose

Control

The organization should identify and document the specific purposes for which the PII will be processed.

Implementation guidance

The organization should ensure that PII principals understand the purpose for which their PII is processed. It is the responsibility of the organization to clearly document and communicate this to PII principals.

…

Prisijungti
norėdami pasiekti visą tekstą

Gairės & Byla Teisė

(EN) WP29, Opinion 03/2013 on purpose limitation (2013).

EDPB, Guidelines on the use of location data and contact tracing tools in the context of the COVID-19 outbreak (2020).

EDPB, Guidelines 8/2020 on the targeting of social media users (2020).

Jungtys

89 straipsnis BDAR. Apsaugos priemonės ir nukrypti leidžiančios nuostatos, susijusios su duomenų tvarkymu archyvavimo tikslais viešojo intereso labui, mokslinių ar istorinių tyrimų tikslais arba statistiniais tikslais

Article 89 GDPR. Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

Apsaugos priemonės ir nukrypti leidžiančios nuostatos, susijusios su duomenų tvarkymu archyvavimo tikslais viešojo intereso labui, mokslinių ar istorinių tyrimų tikslais arba statistiniais tikslais

Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

1. Duomenų tvarkymui archyvavimo tikslais viešojo intereso labui, mokslinių ar istorinių tyrimų tikslais arba statistiniais tikslais pagal šį reglamentą taikomos tinkamos duomenų subjekto teisių ir laisvių apsaugos priemonės. Tomis apsaugos priemonėmis užtikrinama, kad būtų įdiegtos techninės ir organizacinės priemonės, visų pirma siekiant užtikrinti, kad būtų laikomasi duomenų kiekio mažinimo principo. Tos priemonės gali apimti pseudonimų suteikimą, jeigu tie tikslai gali būti pasiekti tuo būdu. Visais atvejais, kai tuos tikslus galima pasiekti toliau tvarkant duomenis, iš kurių negalima arba nebegalima nustatyti duomenų subjektų tapatybės, tų tikslų siekiama tuo būdu.

1. Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, shall be subject to appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject. Those safeguards shall ensure that technical and organisational measures are in place in particular in order to ensure respect for the principle of data minimisation. Those measures may include pseudonymisation provided that those purposes can be fulfilled in that manner. Where those purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner.

[…]

Guidelines 4/2019 on Article 25 Data Protection by Design and by Default Version 2.0.

3.4 Purpose Limitation [34]

_{[34] The Article 29 Working Party provided guidance for the understanding of the principle of purpose limitation under Directive 95/46/EC. Although the Opinion is not adopted by the EDBP, it may still be relevant as the wording of the principle is the same under the GDPR. Article 29 Working Party. „Opinion 03/2013 on purpose limitation“. WP 203, 2 April 2013. ec.europa.eu/justice/article-29/documentation/opinion- recommendation/files/2013/wp203_en.pdf}

71. The controller must collect data for specified, explicit, and legitimate purposes, and not further process the data in a manner that is incompatible with the purposes for which they were collected.[35] The design of the processing should therefore be shaped by what is necessary to achieve the purposes. If any further processing is to take place, the controller must first make sure that this processing has purposes compatible with the original ones and design such processing accordingly. Whether a new purpose is compatible or not, shall be assessed according to the criteria in Article 6(4).

_{[35] Art. 5.1.b GDPR}

c) adekvatūs, tinkami ir tik tokie, kurių reikia siekiant tikslų, dėl kurių jie tvarkomi (duomenų kiekio mažinimo principas);

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

Ekspertų komentarai ISO 27701 Gairės & Byla Teisė Jungtys

Ekspertų komentarai

(EN) Examples of data minimisation

Example 1

A bookshop wants to add to their revenue by selling their books online. The bookshop owner wants to set up a standardised form for the ordering process. To prevent that customers don’t fill out all the necessary information the bookshop owner makes all of the fields in the form a required field (if you don’t fill out all the fields the customer can’t place the order) using a standard contact form. The webshop owner initially uses a standard contact form, which asks the customer’s date of birth, phone number and home address. However, not all the fields in the form are strictly necessary for the purpose of buying and delivering the books. The data subject’s date of birth and phone number are not necessary for the purchase of the product. This means that these cannot be required fields in the web form to order the product. Moreover, there are situations where an address will not be necessary. For example, when ordering an eBook the customer can download the product and his or her address does not need to be processed by the webshop.

The webshop owner therefore decides to make two web forms: one for ordering books, with a field for the customer’s address and one web form for ordering eBooks without a field for the customer’s address.

Example 2

A public transportation company wishes to gather statistical information based on travellers’ routes. This is useful for the purposes of making proper choices on changes in public transport schedules and proper routings of the trains. The passengers must pass their ticket through a reader every time they enter or exit a means of transport. Having carried out a risk assessment related to the rights and freedoms of passengers’ regarding the collection of passengers’ travel routes, the controller establishes that it is possible to identify the passengers based on the ticket identifier. Therefore, since it is not necessary for the purpose of optimizing the public transport schedules and routings of the trains, the controller does not store the ticket identifier. Once the trip is over, the controller only stores the individual travel routes so as to not be able to identify trips connected to a single ticket, but only retains information about separate travel routes.

In cases where there can be a risk of identifying a person solely by their travel route (this might be the case in remote areas) the controller implements measures to aggregate the travel route, such as cutting the beginning and the end of the route.

Example 3

A courier aims at assessing the effectiveness of its deliveries in terms of delivery times, workload scheduling and fuel consumption. In order to reach this goal, the courier has to process a number of personal data relating to both employees (drivers) and customers (addresses, items to be delivered, etc.). This processing operation entails risks of both monitoring employees, which requires specific legal safeguards, and tracking customers’ habits through the knowledge of the delivered items over time. These risks can be significantly reduced with appropriate pseudonymization of employees and customers. In particular if pseudonymization keys are frequently rotated and macro areas are considered instead of detailed addresses, an effective data minimization is pursued, and the controller can solely focus on the delivery process and on the purpose of resource optimization, without crossing the threshold of monitoring individuals’ (customers’ or employees’) behaviours.

Source: EDPB, Guidelines 4/2019 on Article 25 – Data Protection by Design and by Default (Version for public consultation) (2019).

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraphs to article 5(1)(c) GDPR:

7.4.1 Limit collection

Control

The organization should limit the collection of PII to the minimum that is relevant, proportional and necessary for the identified purposes.

Implementation guidance

The organization should limit the collection of PII to what is adequate, relevant and necessary in relation to the identified purposes. This includes limiting the amount of PII that the organization collects indirectly (e.g. through web logs, system logs, etc.).

Privacy by default implies that, where any optionality in the collection and processing of PII exists, each option should be disabled by default and only enabled by explicit choice of the PII principal.

7.4.4 PII minimization objectives

Control

The organization should define and document data minimization objectives and what mechanisms (such as de-identification) are used to meet those objectives.

…

Prisijungti
norėdami pasiekti visą tekstą

Gairės & Byla Teisė

(EN) EDPB, Guidelines on the use of location data and contact tracing tools in the context of the COVID-19 outbreak (2020).

European Commission, Guidance on Apps supporting the fight against COVID 19 pandemic in relation to data protection Brussels (2020).

Jungtys

Guidelines 4/2019 on Article 25 Data Protection by Design and by Default Version 2.0.

3.5 Data Minimisation

73. Only personal data that is adequate, relevant and limited to what is necessary for the purpose shall be processed. [36] As a result, the controller has to predetermine which features and parameters of processing systems and their supporting functions are permissible. Data minimisation substantiates and operationalises the principle of necessity. In the further processing, the controller should periodically consider whether processed personal data is still adequate, relevant and necessary, or if the data shall be deleted or anonymized.

_{[36] Art. 5(1)(c) GDPR}

74. Controllers should first of all determine whether they even need to process personal data for their relevant purposes. The controller should verify whether the relevant purposes can be achieved by processing less personal data, or having less detailed or aggregated personal data or without having to process personal data at all.[37] Such verification should take place before any processing takes place, but could also be carried out at any point during the processing lifecycle. This is also consistent with Article 11.

_{[37] Recital 39 GDPR so states: „…Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means.“}

75. Minimising can also refer to the degree of identification. If the purpose of the processing does not require the final set of data to refer to an identified or identifiable individual (such as in statistics), but the initial processing does (e.g. before data aggregation), then the controller shall delete or anonymize personal data as soon as identification is no longer needed. Or, if continued identification is needed for other processing activities, personal data should be pseudonymized to mitigate risks for the data subjects’ rights.

76. Key design and default data minimisation elements may include:

• Data avoidance – Avoid processing personal data altogether when this is possible for the relevant purpose.

• Limitation – Limit the amount of personal data collected to what is necessary for the purpose

• Access limitation – Shape the data processing in a way that a minimal number of people need access to personal data to perform their duties, and limit access accordingly.

• Relevance – Personal data should be relevant to the processing in question, and the controller should be able to demonstrate this relevance.

• Necessity – Each personal data category shall be necessary for the specified purposes and should only be processed if it is not possible to fulfil the purpose by other means.

• Limitation – Limit the amount of personal data collected to what is necessary for the purpose

• Aggregation – Use aggregated data when possible.

• Pseudonymization – Pseudonymize personal data as soon as it is no longer necessary to have directly identifiable personal data, and store identification keys separately.

• Anonymization and deletion – Where personal data is not, or no longer necessary for the purpose, personal data shall be anonymized or deleted.

• Data flow – The data flow should be made efficient enough to not create more copies than necessary.

• „State of the art“ – The controller should apply up to date and appropriate technologies for data avoidance and minimisation.

d) tikslūs ir prireikus atnaujinami; turi būti imamasi visų pagrįstų priemonių užtikrinti, kad asmens duomenys, kurie nėra tikslūs, atsižvelgiant į jų tvarkymo tikslus, būtų nedelsiant ištrinami arba ištaisomi (tikslumo principas);

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);

Ekspertų komentarai ISO 27701 Jungtys

Ekspertų komentarai

(EN) Examples of the measures ensuring data accuracy

Example 1

A bank wishes to use artificial intelligence (AI) to profile customers applying for bank loans as a basis for their decision making. When determining how their AI solutions should be developed, they are determining the means of processing and must consider data protection by design when choosing an AI from a vendor and when deciding on how to train the AI.

When determining how to train the AI, the controller must have accurate data to achieve precise results. Therefore, the controller must ensure that the data used to train the AI is accurate.

Granted they have the legal basis to train the AI using personal data from a large pool of their existing customers, the controller chooses a pool of customers that is representative of the population to also avoid bias.

Customer data is gathered from their own systems, gathering data about the existing loan customers’ payment history, bank transactions, credit card debt, they conduct new credit checks, and they gather data from public registries that they have legal access to use.

To ensure that the data used for AI training is as accurate as possible, the controller only collects data from data sources with correct and up-to date information.

Finally, the bank tests whether the AI is reliable and provides non-discriminatory results. When the AI is fully trained and operative, the bank uses the results as a part of the loan assessments, and will never rely solely on the AI to decide whether to grant loans.

The bank will also review the reliability of the results from the AI at regular intervals.

Example 2

The controller is a health institution looking to find methods to ensure the integrity and accuracy of personal data in their client registers.

In situations where two persons arrive at the institution at the same time and receive the same treatment, there is a risk of mistaking them if the only parameter to separate them is by name. To ensure accuracy, the controller needs a unique identifier for each person, and therefore more information than just the name of the client.

The institution uses several systems containing personal information of clients, and need to ensure that the information related to the client is correct, accurate and consistent in all the systems at any point in time. The institution has identified several risks that may arise if information is changed in one system but not another.

The controller decides to mitigate the risk by using a hashing technique that can be used to ensure integrity of data in the treatment journal. Immutable hash signatures are created for treatment journal records and the employee associated with them so that any changes can be recognized, correlated and traced if required.

Source: EDPB, Guidelines 4/2019 on Article 25 – Data Protection by Design and by Default (Version for public consultation) (2019).

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraphs to article 5(1)(d) GDPR:

7.3.6 Access, correction and/or erasure

Control

The organization should implement policies, procedures and/or mechanisms to meet their obligations to PII principals to access, correct and/or erase their PII.

Implementation guidance

The organization should implement policies, procedures and/or mechanisms for enabling PII principals to obtain access to, correct and erase of their PII, if requested and without undue delay.

…

Prisijungti
norėdami pasiekti visą tekstą

Jungtys

16 straipsnis BDAR. Teisė reikalauti ištaisyti duomenis

Article 16 GDPR. Right to rectification

Duomenų subjektas turi teisę reikalauti, kad duomenų valdytojas nepagrįstai nedelsdamas ištaisytų netikslius su juo susijusius asmens duomenis. Atsižvelgiant į tikslus, kuriais duomenys buvo tvarkomi, duomenų subjektas turi teisę reikalauti, kad būtų papildyti neišsamūs asmens duomenys, be kita ko, pateikdamas papildomą pareiškimą.

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Guidelines 4/2019 on Article 25 Data Protection by Design and by Default Version 2.0.

3.6 Accuracy

77. Personal data shall be accurate and kept up to date, and every reasonable step shall be taken to ensure that personal data that is inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay. [38]

_{[38] Art. 5(1)(d) GDPR}

78. The requirements should be seen in relation to the risks and consequences of the concrete use of data. Inaccurate personal data could be a risk to the data subjects’ rights and freedoms, for example when leading to a faulty diagnosis or wrongful treatment of a health protocol, or an incorrect image of a person can lead to decisions being made on the wrong basis either manually, using automated decision-making, or through artificial intelligence.

79. Key design and default accuracy elements may include:

• Data source – Sources of personal data should be reliable in terms of data accuracy.

• Degree of accuracy – Each personal data element should be as accurate as necessary for the specified purposes.

• Measurably accurate – Reduce the number of false positives/negatives, for example biases in automated decisions and artificial intelligence.

• Verification – Depending on the nature of the data, in relation to how often it may change, the controller should verify the correctness of personal data with the data subject before and at different stages of the processing (e.g. to age requirements).

• Erasure/rectification – The controller shall erase or rectify inaccurate data without delay. The controller shall in particular facilitate this where the data subjects are or were children and later want to remove such personal data.[39]

_{[39] Cf. Recital 65.}

• Error propagation avoidance – Controllers should mitigate the effect of an accumulated error in the processing chain.

• Access – Data subjects should be given information about and effective access to personal data in accordance with the GDPR articles 12 to 15 in order to control accuracy and rectify as needed.

• Continued accuracy – Personal data should be accurate at all stages of the processing, tests of accuracy should be carried out at critical steps.

• Up to date – Personal data shall be updated if necessary for the purpose.

• Data design – Use of technological and organisational design features to decrease inaccuracy, for example present concise predetermined choices instead of free text fields.

e) laikomi tokia forma, kad duomenų subjektų tapatybę būtų galima nustatyti ne ilgiau, nei tai yra būtina tais tikslais, kuriais asmens duomenys yra tvarkomi; asmens duomenis galima saugoti ilgesnius laikotarpius, jeigu asmens duomenys bus tvarkomi tik archyvavimo tikslais viešojo intereso labui, mokslinių ar istorinių tyrimų tikslais arba statistiniais tikslais pagal 89 straipsnio 1 dalį, įgyvendinus atitinkamas technines ir organizacines priemones, kurių reikalaujama šiuo reglamentu siekiant apsaugoti duomenų subjekto teises ir laisves (saugojimo trukmės apribojimo principas);

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);

Ekspertų komentarai ISO 27701 Gairės & Byla Teisė Jungtys

Ekspertų komentarai

(EN) Example of storage limitation

The controller collects personal data where the purpose of the processing is to administer a membership with the data subject, the personal data shall be deleted when the membership is terminated.

The controller makes an internal procedure for data retention and deletion. According to this, employees must manually delete personal data after the retention period ends. The employee follows the procedure to regularly delete and correct data from any devices, from backups, logs, e-mails and other relevant storage media.

To make deletion more effective, the controller instead implements an automatic system to delete data automatically and more regularly. The system is configured to follow the given procedure for data deletion which then occurs at a predefined regular interval to remove personal data from all of the company’s storage media. The controller reviews and tests the retention policy regularly.

Source: EDPB, Guidelines 4/2019 on Article 25 – Data Protection by Design and by Default (Version for public consultation) (2019).

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraphs to article 5(1)(e) GDPR:

7.4.4 PII minimization objectives

Control

The organization should define and document data minimization objectives and what mechanisms (such as de-identification) are used to meet those objectives.

Implementation guidance

Organizations should identify how the specific PII and amount of PII collected and processed is limited relative to the identified purposes.

…

Prisijungti
norėdami pasiekti visą tekstą

Gairės & Byla Teisė

(EN) Article 29 Working Party, Opinion 1/2008 on data protection issues related to search engines (2008).

In view of the initial explanations given by search engine providers on the possible purposes for collecting personal data, the Working Party does not see a basis for a retention period beyond 6 months.

In case search engine providers retain personal data longer than 6 months, they will have to demonstrate comprehensively that it is strictly necessary for the service.

European Commission, Guidance on Apps supporting the fight against COVID 19 pandemic in relation to data protection Brussels (2020).

Jungtys

Article 89 GDPR. Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

Guidelines 4/2019 on Article 25 Data Protection by Design and by Default Version 2.0.

3.7 Storage limitation

80. The controller must ensure that personal data is kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.[40] It is vital that the controller knows exactly what personal data the company processes and why. The purpose of the processing shall be the main criterion to decide in how long personal data shall be stored.

_{[40] Art. 5(1)(c) GDPR}

81. Measures and safeguards that implement the principle of storage limitation shall complement the rights and freedoms of the data subjects, specifically, the right to erasure and the right to object.

82. Key design and default storage limitation elements may include:

• Deletion and anonymization – The controller should have clear internal procedures and functionalities for deletion and/or anonymization.

• Automation – Deletion of certain personal data should be automated

• Storage criteria – The controller must determine what data and length of storage is necessary for the purpose.

• Enforcement of retention policies – The controller must enforce internal retention policies and conduct tests of whether the organization practices its policies.

• Effectiveness of anonymization/deletion – The controller shall make sure that it is not possible to re-identify anonymized data or recover deleted data, and should test whether this is possible.

• Automation – Deletion of certain personal data should be automated.

• Storage criteria – The controller shall determine what data and length of storage is necessary for the purpose.

• Justification – The controller shall be able to justify why the period of storage is necessary for the purpose and the personal data in question, and be able to disclose the rationale behind, and legal grounds for the retention period.

• Enforcement of retention policies – The controller should enforce internal retention policies and conduct tests of whether the organization practices its policies.

• Backups/logs – Controllers shall determine what personal data and length of storage is necessary for back-ups and logs.

• Data flow – Controllers should beware of the flow of personal data, and the storage of any copies thereof, and seek to limit their „temporary“ storage.

Guidelines on consent under Regulation 2016/679

Scientific research

153. Recital 33 seems to bring some flexibility to the degree of specification and granularity of consent in the context of scientific research. Recital 33 states: “It is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. Therefore, data subjects should be allowed to give their consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research. Data subjects should have the opportunity to give their consent only to certain areas of research or parts of research projects to the extent allowed by the intended purpose.”

f) tvarkomi tokiu būdu, kad taikant atitinkamas technines ar organizacines priemones būtų užtikrintas tinkamas asmens duomenų saugumas, įskaitant apsaugą nuo duomenų tvarkymo be leidimo arba neteisėto duomenų tvarkymo ir nuo netyčinio praradimo, sunaikinimo ar sugadinimo (vientisumo ir konfidencialumo principas).

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

Ekspertų komentarai ISO 27701 Gairės & Byla Teisė Jungtys

Ekspertų komentarai

(EN) Example of integrity and confidentiality measures

A controller wants to extract personal data from a medical database to a server in the company. The company has assessed the risk for routing the extracts to a server that is accessible to all of the company’s employees as likely to be high for data subjects’ rights and freedoms. There is only one department in the company who needs to process these patient data. The extracts will also have a high value to the company.

To regulate access and mitigate possible damage from malware, the company decides to segregate the network, and establish access controls to the server and the directory. In addition, they put up security monitoring and an intrusion detection and prevention system. The controller activates access control on the server and isolates it from routine use. An automated auditing system is put in place to monitor access and changes. Reporting and automated alerts are generated from this when certain events related to usage are configured. This security measure will ensure that all users have access on a need to know basis and with the appropriate access level. Inappropriate use can be quickly and easily recognised.

Some of the extracts have to be compared with new extracts, and must therefore be stored for three months. The controller decides to put them into separate directories and encrypt the stored extracts.

Handling the incident makes the system more robust, and reliable, both for the controller and the data subjects. The data controller understands that preventative and effective measures and safeguards should be built into all personal data processing undertakes now and in the future, and that doing so may help prevent future such data breach incidents.

The controller establishes these security measures both to ensure accuracy, integrity and confidentiality, but also to prevent malware spread by cyber-attacks to make the solution robust.

Source: EDPB, Guidelines 4/2019 on Article 25 – Data Protection by Design and by Default (Version for public consultation) (2019).

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added a requirement additional to ISO/IEC 27002, section 6.2.1.

Here is the relevant paragraphs to article 5(1)(f) GDPR:

6.3.2.1 Mobile device policy

Implementation guidance

The organization should ensure that the use of mobile devices does not lead to a compromise of PII.

…

Prisijungti
norėdami pasiekti visą tekstą

Gairės & Byla Teisė

(EN) European Commission, Guidance on Apps supporting the fight against COVID 19 pandemic in relation to data protection Brussels (2020).

Jungtys

Guidelines 4/2019 on Article 25 Data Protection by Design and by Default Version 2.0.

3.8 Integrity and confidentiality

83. The principle of integrity and confidentiality includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. The security of personal data requires appropriate measures designed to prevent and manage data breach incidents; to guarantee the proper execution of data processing tasks, and compliance with the other principles; and to facilitate the effective exercise of individuals’ rights.

2. Duomenų valdytojas yra atsakingas už tai, kad būtų laikomasi 1 dalies, ir turi sugebėti įrodyti, kad jos laikomasi (atskaitomybės principas).

2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).

ISO 27701 Gairės & Byla Teisė Konstatuojamosios dalys Jungtys

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added a requirement additional to ISO/IEC 27002, section 18.1.3.

Here is the relevant paragraphs to article 5(2) GDPR:

6.15.1.3 Protection of records

Implementation guidance

Review of current and historical policies and procedures can be required (e.g. in the cases of customer dispute resolution and investigation by a supervisory authority).

…

Prisijungti
norėdami pasiekti visą tekstą

Gairės & Byla Teisė

(EN) WP29, Opinion 3/2010 on the principle of accountability (2010).

EDPB, Guidelines on the use of location data and contact tracing tools in the context of the COVID-19 outbreak (2020).

Konstatuojamosios dalys

(82) kad įrodytų, jog laikosi šio reglamento, duomenų valdytojas arba duomenų tvarkytojas turėtų tvarkyti tvarkymo veiklos, už kurią yra atsakingas, įrašus. Kiekvienas duomenų valdytojas ir duomenų tvarkytojas turėtų būti įpareigotas bendradarbiauti su priežiūros institucija ir jos prašymu pateikti tuos įrašus, kad pagal juos būtų galima stebėti tas duomenų tvarkymo operacijas;

(82) In order to demonstrate compliance with this Regulation, the controller or processor should maintain records of processing activities under its responsibility. Each controller and processor should be obliged to cooperate with the supervisory authority and make those records, on request, available to it, so that it might serve for monitoring those processing operations.

Jungtys

30 straipsnis BDAR. Duomenų tvarkymo veiklos įrašai

Article 30 GDPR. Records of processing activities

1. Kiekvienas duomenų valdytojas ir, kai taikoma, duomenų valdytojo atstovas tvarko duomenų tvarkymo veiklos, už kurią jis atsako, įrašus. Tame įraše pateikiama visa toliau nurodyta informacija:

1. Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:

[…]

7 straipsnis BDAR. Sutikimo sąlygos

Article 7 GDPR. Conditions for consent

1. Kai duomenys tvarkomi remiantis sutikimu, duomenų valdytojas turi galėti įrodyti, kad duomenų subjektas davė sutikimą, kad būtų tvarkomi jo asmens duomenys.

1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.

[…]

28 straipsnis BDAR. Duomenų tvarkytojas

Article 28 GDPR. Processor

1. Kai duomenys turi būti tvarkomi duomenų valdytojo vardu, duomenų valdytojas pasitelkia tik tuos duomenų tvarkytojus, kurie pakankamai užtikrina, kad tinkamos techninės ir organizacinės priemonės bus įgyvendintos tokiu būdu, kad duomenų tvarkymas atitiktų šio reglamento reikalavimus ir būtų užtikrinta duomenų subjekto teisių apsauga.

1. Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.

[…]

82 straipsnis BDAR. Teisė į kompensaciją ir atsakomybė

Article 82 GDPR. Right to compensation and liability

[…]

2. Tvarkant duomenis dalyvaujantis duomenų valdytojas atsako už žalą, padarytą dėl vykdyto duomenų tvarkymo pažeidžiant šį reglamentą. Duomenų tvarkytojas už dėl duomenų tvarkymo sukeltą žalą atsako tik tuo atveju, jei jis nesilaikė šiame reglamente konkrečiai duomenų tvarkytojams nustatytų prievolių arba jei jis veikė nepaisydamas teisėtų duomenų valdytojo nurodymų arba juos pažeisdamas.

2. Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.

[…]

83 straipsnis BDAR. Bendrosios administracinių baudų skyrimo sąlygos

Article 83 GDPR. General conditions for imposing administrative fines

Guidelines 4/2019 on Article 25 Data Protection by Design and by Default Version 2.0.

3.9 Accountability [41]

_{[41] See Recital 74, where controllers are required to demonstrate the effectiveness of their measures.}

86. The principle of accountability states that the controller shall be responsible for, and be able to demonstrate compliance with all of the abovementioned principles.

87. The controller needs to be able to demonstrate compliance with the principles. In doing so, the controller may demonstrate the effects of the measures taken to protect the data subjects’ rights, and why the measures are considered to be appropriate and effective. For example, demonstrating why a measure is appropriate to ensure the principle of storage limitation in an effective manner.

Europos Sąjungos Bendrasis duomenų apsaugos reglamentas (BDAR)

General Data Protection Regulation (EU GDPR)

The latest consolidated version of the Regulation with corrections by Corrigendum, OJ L 127, 23.5.2018, p. 2 ((EU) 2016/679). Source: EUR-lex.

Konstatuojamosios dalys Gairės & Byla Teisė Palikite komentarą

Konstatuojamosios dalys