Artikolu 13 📖 RĠPD (GDPR). Informazzjoni li għandha tiġi pprovduta fejn tinġabar data personali mis-suġġett tad-data

Artikolu 13 RĠPD (GDPR). Informazzjoni li għandha tiġi pprovduta fejn tinġabar data personali mis-suġġett tad-data

1. Fejn data personali relatata ma’ suġġett tad-data tinġabar mingħand is-suġġett tad-data, il-kontrollur għandu, fil-ħin li tinkiseb id-data personali, jipprovdi l-informazzjoni kollha li ġejja lis-suġġett tad-data:

Premessi Testi relatati

Premessi

(60) Il-prinċipji ta' pproċessar ġust u trasparenti jeħtieġu li s-suġġett tad-data jkun informat bl-eżistenza tal-attività tal-ipproċessar u l-għanijiet tagħha. Il-kontrollur għandu jipprovdi lis-suġġett tad-data bi kwalunkwe informazzjoni ulterjuri li tkun meħtieġa biex jiġi żgurat ipproċessar ġust u trasparenti b'kont meħud taċ-ċirkostanzi speċifiċi u l-kuntest li fih tiġi pproċessata d-data personali. Barra minn hekk, is-suġġett tad-data għandu jkun informat bl-eżistenza tat-tfassil tal-profil, u l-konsegwenzi ta' dan it-tfassil tal-profil. Fejn id-data personali tinġabar mis-suġġett tad-data, is-suġġett tad-data għandu jiġi infurmat ukoll dwar jekk hux obbligat jipprovdi d-data personali u dwar il-konsegwenzi, fejn huwa ma jipprovdix tali data. Dik l-informazzjoni tista' tingħata flimkien ma' ikoni standardizzati sabiex tingħata ħarsa ġenerali lejn l-ipproċessar intenzjonat b'mod li jidher faċilment, li jinftiehem u li jinqara sew. Fejn l-ikoni jkunu ppreżentati b'mod elettroniku, dawn għandhom ikunu jistgħu jinqraw minn magna.

Testi relatati

(a) l-identità u d-dettalji ta’ kuntatt tal-kontrollur u, fejn applikabbli, tar-rappreżentant tal-kontrollur;

Linji ta 'Gwida & Ġurisprudenza

(EN) Article 29 Working Party, Guidelines on transparency under Regulation 2016/679, WP260 rev.01 (2018):

This information should allow for easy identification of the controller and preferably allow for different forms of communications with the data controller (e.g. phone number, email, postal address etc.).

(b) id-dettalji ta’ kuntatt tal-uffiċjal tal-protezzjoni tad-data, fejn applikabbli;

Linji ta 'Gwida & Ġurisprudenza

(EN) Article 29 Working Party, Guidelines on Data Protection Officers (DPOs) (2017):

The contact details of the DPO should include information allowing data subjects and the supervisory authorities to reach the DPO in an easy way (a postal address, a dedicated telephone number, and/or a dedicated e-mail address). When appropriate, for purposes of communications with the public, other means of communications could also be provided, for example, a dedicated hotline, or a dedicated contact form addressed to the DPO on the organisation’s website.

Article 37(7) does not require that the published contact details should include the name of the DPO. Whilst it may be a good practice to do so, it is for the controller or the processor and the DPO to decide whether this is necessary or helpful in the particular circumstances.

[…]

As a matter of good practice, the WP29 also recommends that an organisation informs its employees of the name and contact details of the DPO. For example, the name and contact details of the DPO could be published internally on organisation’s intranet, internal telephone directory, and organisational charts.

(c) l-għanijiet tal-ipproċessar li għalihom hija maħsuba d-data personali kif ukoll il-bażi legali għall-ipproċessar;

Linji ta 'Gwida & Ġurisprudenza

(EN) Article 29 Working Party, Guidelines on transparency under Regulation 2016/679, WP260 rev.01 (2018):

In addition to setting out the purposes of the processing for which the personal data is intended, the relevant legal basis relied upon under Article 6 must be specified. In the case of special categories of personal data, the relevant provision of Article 9 (and where relevant, the applicable Union or Member State law under which the data is processed) should be specified. Where, pursuant to Article 10, personal data relating to criminal convictions and offences or related security measures based on Article 6.1 is processed, where applicable the relevant Union or Member State law under which the processing is carried out should be specified.

(d) fejn l-ipproċessar ikun ibbażat fuq il-punt (f) tal-Artikolu 6(1), l-interessi leġittimi segwiti mill-kontrollur jew minn parti terza;

Linji ta 'Gwida & Ġurisprudenza Testi relatati

Linji ta 'Gwida & Ġurisprudenza

(EN) Article 29 Working Party, Guidelines on transparency under Regulation 2016/679, WP260 rev.01 (2016):

The specific interest in question must be identified for the benefit of the data subject. As a matter of best practice, the controller can also provide the data subject with the information from the balancing test, which must be carried out to allow reliance on Article 6.1(f) as a lawful basis for processing, in advance of any collection of data subjects’ personal data. To avoid information fatigue, this can be included within a layered privacy statement/ notice (see paragraph 35). In any case, the WP29 position is that information to the data subject should make it clear that they can obtain information on the balancing test upon request. This is essential for effective transparency where data subjects have doubts as to whether the balancing test has been carried out fairly or they wish to file a complaint with a supervisory authority.

Testi relatati

Artikolu 6 RĠPD (GDPR). Legalità tal-ipproċessar

[…]

1. L-ipproċessar għandu jkun legali biss jekk u safejn mill-inqas ikun japplika wieħed mill-punti li ġejjin:

[…]

(f) l-ipproċessar ikun meħtieġ għall-finijiet tal-interessi leġittimi segwiti mill-kontrollur jew minn parti terza, għajr meta dawn l-interessi jingħelbu mill-interessi jew id-drittijiet u l-libertajiet fundamentali tas-suġġett tad-data li jeħtieġu l-protezzjoni tad-data personali, b’mod partikolari meta s-suġġett tad-data jkun minorenni.

(e) ir-riċevituri jew il-kategoriji ta’ riċevituri tad-data personali, jekk jeżistu;

Linji ta 'Gwida & Ġurisprudenza Testi relatati

Linji ta 'Gwida & Ġurisprudenza

(EN) Article 29 Working Party, Guidelines on transparency under Regulation 2016/679, WP260 rev.01 (2016):

The term “recipient” is defined in Article 4.9 as “a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not” [emphasis added]. As such, a recipient does not have to be a third party. Therefore, other data controllers, joint controllers and processors to whom data is transferred or disclosed are covered by the term “recipient” and information on such recipients should be provided in addition to information on third party recipients. The actual (named) recipients of the personal data, or the categories of recipients, must be provided. In accordance with the principle of fairness, controllers must provide information on the recipients that is most meaningful for data subjects. In practice, this will generally be the named recipients, so that data subjects know exactly who has their personal data. If controllers opt to provide the categories of recipients, the information should be as specific as possible by indicating the type of recipient (i.e. by reference to the activities it carries out), the industry, sector and sub-sector and the location of the recipients.

Testi relatati

Artikolu 4 RĠPD (GDPR). Definizzjonijiet

Definizzjonijiet

[…]

(9) “riċevitur” tfisser persuna fiżika jew ġuridika, awtorità pubblika, aġenzija jew korp ieħor, li lilha tiġi żvelata d-data personali, irrispettivament milli huwiex parti terza jew le. Madankollu, l-awtoritajiet pubbliċi li jistgħu jirċievu data personali fil-qafas ta’ inkjesta partikolari f’konformità mal-liġi tal-Unjoni jew ta’ Stat Membru m’għandhomx jitqiesu bħala riċevituri; l-ipproċessar ta’ dik id-data minn dawk l-awtoritajiet pubbliċi għandu jkun f’konformità mar-regoli ta’ protezzjoni tad-data applikabbli skont il-finijiet tal-ipproċessar;

[…]

(f) fejn applikabbli, il-fatt li l-kontrollur għandu l-ħsieb li jittrasferixxi data personali lejn pajjiż terz jew organizzazzjoni internazzjonali u l-eżistenza jew l-assenza ta’ deċiżjoni ta’ adegwatezza mill-Kummissjoni, jew fil-każ ta’ trasferimenti msemmija fl-Artikolu 46 jew 47, jew it-tieni subparagrafu tal-Artikolu 49(1), referenza għas-salvagwardji xierqa jew adatti u l-mezzi li bihom tinkiseb kopja tagħhom jew fejn dawn ikunu saru disponibbli.

Linji ta 'Gwida & Ġurisprudenza Testi relatati

Linji ta 'Gwida & Ġurisprudenza

(EN) Article 29 Working Party, Guidelines on transparency under Regulation 2016/679, WP260 rev.01 (2016):

The relevant GDPR article permitting the transfer and the corresponding mechanism (e.g. adequacy decision under Article 45/ binding corporate rules under Article 47/ standard data protection clauses under Article 46.2/ derogations and safeguards under Article 49 etc.) should be specified. Information on where and how the relevant document may be accessed or obtained should also be provided e.g. by providing a link to the mechanism used. In accordance with the principle of fairness, the information provided on transfers to third countries should be as meaningful as possible to data subjects; this will generally mean that the third countries be named.

Testi relatati

Artikolu 45 RĠPD (GDPR). Trasferimenti abbażi ta' deċiżjoni ta' adegwatezza

Artikolu 47 RĠPD (GDPR). Regoli korporattivi vinkolanti

Artikolu 46 RĠPD (GDPR). Trasferimenti soġġetti għal salvagwardji xierqa

[…]

2. Is-salvagwardji xierqa msemmija fil-paragrafu 1 jistgħu jkunu previsti, mingħajr ma jkun jinħtieġ ebda awtorizzazzjoni speċifika minn awtorità superviżorja, permezz ta’:

(b) regoli korporattivi vinkolanti f’konformità mal-Artikolu 47;

(c) klawżoli standard ta’ protezzjoni tad-data adottati mill-Kummissjoni f’konformità mal-proċedura ta’ eżami msemmija fl-Artikolu 93(2);

[…]

Artikolu 49 RĠPD (GDPR). Derogi għal sitwazzjonijiet speċifiċi

1. Fin-nuqqas ta’ deċiżjoni dwar l-adegwatezza skont l-Artikolu 45(3), jew salvagwardji xierqa skont l-Artikolu 46, inklużi regoli korporattivi vinkolanti, trasferiment jew sett ta’ trasferimenti ta’ data personali lejn pajjiż terz jew organizzazzjoni internazzjonali għandu jseħħ biss b’waħda mill-kondizzjonijiet li ġejjin:

[…]

Fejn trasferiment ma setgħax ikun ibbażat fuq dispożizzjoni fl-Artikoli 45 jew 46, inklużi d-dispożizzjonijiet dwar regoli korporattivi vinkolanti, u l-ebda waħda mid-derogi għal sitwazzjoni speċifika msemmija fl-ewwel subparagrafu ta’ dan il-paragrafu ma tkun applikabbli, it-trasferiment ma jkunx ripetittiv, jikkonċerna biss għadd limitat ta’ suġġetti tad-data, ikun meħtieġ għall-għanijiet ta’ interessi leġittimi konvinċenti mfittxija mill-kontrollur li ma jingħelbux mill-interessi jew id-drittijiet u l-libertajiet tas-suġġett tad-data, u l-kontrollur ikun ivvaluta ċ-ċirkostanzi kollha madwar it-trasferiment tad-data u abbażi ta’ dik il-valutazzjoni pprovda salvagwardji xierqa fir-rigward tal-protezzjoni tad-data personali. Il-kontrollur għandu jinforma lill-awtorità superviżorja bit-trasferiment. Il-kontrollur għandu, barra milli jipprovdi l-informazzjoni msemmija fl-Artikolu 13 u 14, jinforma lis-suġġett tad-data dwar it-trasferiment u dwar l-interessi leġittimi konvinċenti segwiti.

[…]

2. Minbarra l-informazzjoni msemmija fil-paragrafu 1, il-kontrollur għandu, meta tinkiseb id-data personali, jipprovdi lis-suġġett tad-data l-informazzjoni ulterjuri li ġejja meħtieġa biex jiġi żgurat ipproċessar ġust u trasparenti:

Premessi Testi relatati

Premessi

(61) L-informazzjoni fir-rigward tal-ipproċessar ta' data personali relatata mas-suġġett tad-data għandha tingħatalu meta tinġabar mis-suġġett tad-data, jew, fejn id-data personali tinkiseb minn sors ieħor, f'perijodu ta' żmien raġonevoli, skont iċ-ċirkostanzi tal-każ. Fejn id-data personali tista' tkun żvelata b'mod leġittimu lil riċevitur ieħor, is-suġġett tad-data għandu jkun informat meta d-data personali tkun żvelata għall-ewwel darba lir-riċevitur. Fejn il-kontrollur jkollu l-intenzjoni li jipproċessa d-data personali għal fini differenti minn dak li għalih tkun inġabret, il-kontrollur għandu jipprovdi lis-suġġett tad-data, qabel dak l-ipproċessar ulterjuri, b'informazzjoni dwar dak il-fini l-ieħor u informazzjoni meħtieġa oħra. Fejn il-oriġini tad-data personali ma setgħetx tingħata lis-suġġett tad-data peress li jkunu intużaw diversi sorsi, għandha tingħata informazzjoni ġenerali.

Testi relatati

(a) il-perijodu li matulu d-data personali tkun ser tinħażen, jew jekk dak ma jkunx possibbli, il-kriterji użati biex jiġi ddeterminat dak il-perijodu;

ISO 27701 Linji ta 'Gwida & Ġurisprudenza

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph to article 13(2)(a) GDPR:

7.4.7 Retention

Control

The organization should not retain PII for longer than is necessary for the purposes for which the PII is processed.

Implementation guidance

The organization should develop and maintain retention schedules for information it retains, taking into account the requirement to retain PII for no longer than is necessary.

(EN) […]

(EN) Sign in
to read the full text

Linji ta 'Gwida & Ġurisprudenza

(EN) Article 29 Working Party, Guidelines on transparency under Regulation 2016/679, WP260 rev.01 (2016):

This is linked to the data minimisation requirement in Article 5.1(c) and storage limitation requirement in Article 5.1(e). The storage period (or criteria to determine it) may be dictated by factors such as statutory requirements or industry guidelines but should be phrased in a way that allows the data subject to assess, on the basis of his or her own situation, what the retention period will be for specific data/ purposes. It is not sufficient for the data controller to generically state that personal data will be kept as long as necessary for the legitimate purposes of the processing. Where relevant, the different storage periods should be stipulated for different categories of personal data and/or different processing purposes, including where appropriate, archiving periods.

EDPB, Guidelines on the use of location data and contact tracing tools in the context of the COVID-19 outbreak (2020):

Storage limitation should consider the true needs and the medical relevance (this may include epidemiology-motivated considerations like the incubation period,etc.) and personal data should be kept only for the duration of the COVID-19 crisis. Afterwards,as a general rule,all personal data should be erased or anonymised.

(b) l-eżistenza tad-dritt li jitlob mingħand il-kontrollur aċċess jew rettifika jew tħassir ta’ data personali jew restrizzjoni tal-ipproċessar rigward is-suġġett tad-data jew li joġġezzjona għall-ipproċessar kif ukoll id-dritt għall-portabbiltà tad-data;

ISO 27701 Linji ta 'Gwida & Ġurisprudenza

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraphs to article 13(2)(b) GDPR:

7.3.5 Providing mechanism to object to PII processing

Control

The organization should provide a mechanism for PII principals to object to the processing of their PII.

Implementation guidance

Some jurisdictions provide PII principals with a right to object to the processing of their PII. Organizations subject to the legislation and/or regulation of such jurisdictions should ensure that they implement appropriate measures to enable PII principals to exercize this right.

(EN) […]

(EN) Sign in
to read the full text

Linji ta 'Gwida & Ġurisprudenza

(EN) Article 29 Working Party, Guidelines on transparency under Regulation 2016/679, WP260 rev.01 (2016):

This information should be specific to the processing scenario and include a summary of what the right involves and how the data subject can take steps to exercise it and any limitations on the right. […] In particular, the right to object to processing must be explicitly brought to the data subject’s attention at the latest at the time of first communication with the data subject and must be presented clearly and separately from any other information.64 In relation to the right to portability, see WP29 Guidelines on the right to data portability.

(c) fejn l-ipproċessar ikun ibbażat fuq il-punt (a) tal-Artikolu 6(1) jew il-punt (a) tal-Artikolu 9(2), l-eżistenza tad-dritt li jiġi irtirat il-kunsens fi kwalunkwe ħin, mingħajr ma tiġi affettwata l-legalità tal-ipproċessar abbażi ta’ kunsens qabel l-irtirar tiegħu;

ISO 27701 Linji ta 'Gwida & Ġurisprudenza Testi relatati

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph to article 13(2)(c) GDPR:

7.3.4 Providing mechanism to modify or withdraw consent

Control

The organization should provide a mechanism for PII principals to modify or withdraw their consent.

Implementation guidance

The organization should inform PII principals of their rights related to withdrawing consent (which may vary by jurisdiction) at any time, and provide the mechanism to do so.

(EN) […]

(EN) Sign in
to read the full text

Linji ta 'Gwida & Ġurisprudenza

(EN) Article 29 Working Party, Guidelines on transparency under Regulation 2016/679, WP260 rev.01 (2016):

This information should include how consent may be withdrawn, taking into account that it should be as easy for a data subject to withdraw consent as to give it.

Testi relatati

Artikolu 6 RĠPD (GDPR). Legalità tal-ipproċessar

Legalità tal-ipproċessar

1. L-ipproċessar għandu jkun legali biss jekk u safejn mill-inqas ikun japplika wieħed mill-punti li ġejjin:

(a) is-suġġett tad-data jkun ta l-kunsens għall-ipproċessar ta’ data personali tiegħu għal fini speċifiku wieħed jew aktar;

[…]

Artikolu 9 RĠPD (GDPR). Ipproċessar ta' kategoriji speċjali ta' data personali

Ipproċessar ta’ kategoriji speċjali ta’ data personali

1. L-ipproċessar ta’ data personali, li jiżvela oriġini razzjali jew etnika, opinjonijiet politiċi, twemmin reliġjuż jew filosofiku, jew sħubija fi trade union, u l-ipproċessar ta’ data ġenetika, data bijometrika sabiex tidentifika b’mod uniku persuna fiżika, data dwar is-saħħa jew data dwar il-ħajja sesswali u l-orjentazzjoni sesswali ta’ persuna fiżika huma projbiti.

2. Il-paragrafu 1 ma għandux japplika jekk japplika wieħed minn dawn li ġejjin:

(a) is-suġġett tad-data jkun ta kunsens espliċitu għall-ipproċessar ta’ dik id-data personali għal fini speċifiku wieħed jew aktar, għajr fejn il-liġi tal-Unjoni jew il-liġi ta’ Stat Membru tipprevedi li l-projbizzjoni msemmija fil-paragrafu 1 ma tistax titneħħa mis-suġġett tad-data;

[…]

Artikolu 7 RĠPD (GDPR). Kondizzjonijiet għal kunsens

Kondizzjonijiet għal kunsens

[…]

3. Is-suġġett tad-data għandu d-dritt li jirtira l-kunsens tiegħu fi kwalunkwe ħin. L-irtirar tal-kunsens ma għandux jaffettwa l-legalità tal-ipproċessar ibbażat fuq kunsens qabel ma dan jiġi rtirat. Qabel ma jagħti l-kunsens, is-suġġett tad-data għandu jiġi informat b’dan. Għandu jkun faċli li jiġi rtirat kunsens daqs kemm li dan jingħata.

[…]

(d) id-dritt li jitressaq ilment quddiem awtorità superviżorja;

Linji ta 'Gwida & Ġurisprudenza Testi relatati

Linji ta 'Gwida & Ġurisprudenza

(EN) Article 29 Working Party, Guidelines on transparency under Regulation 2016/679, WP260 rev.01 (2016):

This information should explain that, in accordance with Article 77, a data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or of an alleged infringement of the GDPR.

Testi relatati

Artikolu 77 RĠPD (GDPR). Dritt li jitressaq ilment quddiem awtorità superviżorja

Dritt li jitressaq ilment quddiem awtorità superviżorja

1. Mingħajr preġudizzju għal kwalunkwe rimedju amministrattiv jew ġudizzjarju ieħor, kull suġġett tad-data għandu d-dritt li jressaq ilment quddiem awtorità superviżorja, b’mod partikolari fl-Istat Membru tar-residenza abitwali tiegħu, il-post tax-xogħol tiegħu jew il-post tal-ksur allegat, jekk is-suġġett tad-data jqis li l-ipproċessar ta’ data personali dwaru jikser dan ir-Regolament.

2. L-awtorità superviżorja li magħha jkun sar l-ilment għandha tinforma lill-ilmentatur dwar il-progress u l-eżitu tal-ilment inkluża l-possibbiltà ta’ rimedju ġudizzjarju skont l-Artikolu 78.

(e) jekk il-forniment ta’ data personali huwiex rekwiżit statutorju jew kuntrattwali, jew rekwiżit meħtieġ biex wieħed jidħol f’kuntratt, kif ukoll jekk is-suġġett tad-data huwiex obbligat jipprovdi d-data personali u l-konsegwenzi possibbli meta wieħed jonqos milli jipprovdi tali data;

Linji ta 'Gwida & Ġurisprudenza

(EN) Article 29 Working Party, Guidelines on transparency under Regulation 2016/679, WP260 rev.01 (2016):

For example in an employment context, it may be a contractual requirement to provide certain information to a current or prospective employer. Online forms should clearly identify which fields are “required”, which are not, and what will be the consequences of not filling in the required fields.

(f) l-eżistenza ta’ teħid awtomatizzat ta’ deċiżjonijiet inkluż it-tfassil ta’ profili msemmi fl-Artikolu 22(1) u (4) u għall-inqas f’dawk il-każijiet, l-informazzjoni importanti dwar il-loġika involuta, kif ukoll is-sinifikat u l-konsegwenzi previsti ta’ tali pproċessar għas-suġġett tad-data.

ISO 27701 Linji ta 'Gwida & Ġurisprudenza Testi relatati

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph to article 13(2)(f) GDPR:

7.3.10 Automated decision making

Control

The organization should identify and address obligations, including legal obligations, to the PII principals resulting from decisions made by the organization which are related to the PII principal based solely on automated processing of PII.

(EN) […]

(EN) Sign in
to read the full text

Linji ta 'Gwida & Ġurisprudenza

(EN) Article 29 Working Party, Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 (wp251rev.01) (2018):

Given the core principle of transparency underpinning the GDPR, controllers must ensure they explain clearly and simply to individuals how the profiling or automated decision-making process works.
In particular, where the processing involves profiling-based decision making (irrespective of whether it is caught by Article 22 provisions), then the fact that the processing is for the purposes of both (a) profiling and (b) making a decision based on the profile generated, must be made clear to the data subject.

Recital 60 states that giving information about profiling is part of the controller’s transparency obligations under Article 5(1) (a). The data subject has a right to be informed by the controller about and, in certain circumstances, a right to object to ‘profiling’, regardless of whether solely automated individual decision-making based on profiling takes place.

EDPB, Guidelines 8/2020 on the targeting of social media users (2020).

Testi relatati

Artikolu 22 RĠPD (GDPR). Teħid ta' deċiżjonijiet individwali awtomatizzati, inkluż tfassil ta' profili

1. Is-suġġett tad-data għandu d-dritt li ma jkunx soġġett għal deċiżjoni bbażata unikament fuq ipproċessar awtomatizzat, inkluż it-tfassil ta’ profili, li jipproduċi effetti legali li jikkonċernaw lilu jew li bl-istess mod jaffettwa lilu b’mod sinifikanti.

[…]

4. Id-deċiżjonijiet imsemmija fil-paragrafu 2 ma għandhomx ikunu bbażati fuq kategoriji speċjali ta’ data personali msemmija fl-Artikolu 9(1), sakemm ma japplikax il-punt (a) jew (g) tal-Artikolu 9(2) u ma jkunux fis-seħħ miżuri biex jiġu salvagwardati d-drittijiet u l-libertajiet u l-interessi leġittimi tas-suġġett tad-data.

3. Fejn il-kontrollur ikollu l-intenzjoni li jipproċessa d-data personali ulterjorment għal fini differenti minn dak li għalih tkun inġabret id-data personali, il-kontrollur għandu jipprovdi lis-suġġett tad-data, qabel dak l-ipproċessar ulterjuri, b’informazzjoni dwar dak il-fini l-ieħor u kwalunkwe informazzjoni ulterjuri rilevanti kif imsemmi fil-paragrafu 2.

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph to article 13(3) GDPR:

7.3.3 Providing information to PII principals

Control

The organization should provide PII principals with clear and easily accessible information identifying the PII controller and describing the processing of their PII.

Implementation guidance

The organization should provide the information detailed in 7.3.2 to PII principals in a timely, concise, complete, transparent, intelligible and easily accessible form, using clear and plain language, as appropriate to the target audience.

(EN) […]

(EN) Sign in
to read the full text

4. Il-paragrafi 1, 2 u 3 ma għandhomx japplikaw meta u sa fejn is-suġġett tad-data diġà jkollu l-informazzjoni.

Regolament Ġenerali dwar il-Protezzjoni tad-Data (RĠPD, GDPR)

Kummentarju ISO 27701 Premessi Linji ta 'Gwida & Ġurisprudenza Ħalli kumment

Kummentarju

(EN) To facilitate the work of our consultants, we have collected all the requirements and information that have to be mentioned and created a convenient checklist. Next to each paragraph, we have placed links to specific GDPR articles and guidelines. We grouped all the information into 7 sections:

Controller’s identity
Purpose and lawful basis for processing
Personal data
Transfers of data to third countries
Rights
Changes (in privacy notices)
Form (of information provided)

It looks like this:

(EN) […]

(EN) Sign in
to read the full text

(EN) Author

(EN) Siarhei Varankevich CIPP/E, CIPM, CIPT, MBA, FIP

(EN) Co-Founder & CEO of Data Privacy Office LLC. Data Protection Trainer and Principal Consultant

(EN) Ask a question

(EN)

Data Subject Request Letter Sample

Concern: Request of information regarding my personal data

Dear Madam, Dear Sir,

I have a right to be informed, under Article 13 of the General Data Protection Regulation (GDPR), about personal data concerning me that you are processing…

(EN) […]

(EN) Sign in
to read the full text

(EN) Author

(EN) Louis-Philippe Gratton PhD, LLM

(EN) Privacy Expert

(EN) Ask a question

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph to article 13 GDPR:

7.3.2 Determining information for PII principals

Control

The organization should determine and document the information to be provided to PII principals regarding the processing of their PII and the timing of such a provision.

Implementation guidance

The organization should determine the legal, regulatory and/or business requirements for when information is to be provided to the PII principal (e.g. prior to processing, within a certain time from when it is requested, etc.) and for the type of information to be provided.

(EN) […]

(EN) Sign in
to read the full text

Premessi

(62) Madankollu, mhuwiex meħtieġ li l-obbligu li tiġi provduta informazzjoni jiġi impost fejn is-suġġett tad-data diġà jkollu l-informazzjoni, fejn ir-reġistrazzjoni jew l-iżvelar tad-data personali tkun espressament stabbilita bil-liġi, jew fejn l-għoti tal-informazzjoni lis-suġġett tad-data tirriżulta impossibbli jew tinvolvi sforz sproporzjonat. Dan tal-aħħar jista' jkun il-każ partikolarment fejn l-ipproċessar isir għal finijiet ta' arkivjar fl-interess pubbliku, għal finijiet ta' riċerka xjentifika jew storika jew għal finijiet ta' statistika. F'dak ir-rigward, għandhom jiġu kkunsidrati l-għadd ta' suġġetti tad-data, l-età tad-data, u kwalunkwe salvagwardja adatta adottati.

(63) Suġġett tad-data għandu jkollu d-dritt ta' aċċess għal data li tkun inġabret dwaru, u li jeżerċita dak id-dritt faċilment u f'intervalli raġonevoli, sabiex ikun jaf dwar, u jivverifika, il-legalità tal-ipproċessar. Dan jinkludi d-dritt tas-suġġetti tad-data li jkollhom aċċess għad-data dwar saħħithom, pereżempju d-data fir-reġistri mediċi tagħhom li jkun fihom informazzjoni bħal dijanjosi, riżultati ta' eżamijiet, valutazzjonijiet mit-tobba li qed jittrattawhom u kwalunkwe kura jew intervent ipprovdut. Kull suġġett tad-data għandu għalhekk ikollu d-dritt li jkun jaf u jikseb komunikazzjoni b'mod partikolari fir-rigward tal-għanijiet li għalihom tkun qiegħda tiġi pproċessata d-data personali, fejn possibbli il-perijodu li għalih id-data personali tiġi pproċessata, ir-riċevituri tad-data personali, il-loġika involuta fi kwalunkwe pproċessar awtomatiku tad-data personali u, għallinqas meta bbażata fuq it-tfassil ta' profili, il-konsegwenzi ta' dan l-ipproċessar. Fejn possibbli, il-kontrollur għandu jkun jista' jipprovdi aċċess mill-bogħod għal sistema sikura li tipprovdi lis-suġġett tad-data b'aċċess dirett għad-data personali tiegħu. Dak id-dritt ma għandux jaffettwa negattivament id-drittijiet jew il-libertajiet ta' persuni oħrajn, inklużi sigrieti tan-negozju jew proprjetà intellettwali u b'mod partikolari d-dritt tal-awtur li jipproteġi s-software. Madankollu, ir-riżultat ta' dawn il-kunsiderazzjonijiet m'għandux ikun rifjut li tiġi provduta l-informazzjoni kollha lis-suġġett tad-data. Fejn il-kontrollur jipproċessa kwantità kbira ta' informazzjoni rigward is-suġġett tad-data, il-kontrollur għandu jkun jista' jitlob li qabel ma tingħata din l-informazzjoni, is-suġġett tad-data jispeċifika l-informazzjoni jew l-attivitajiet ta' pproċessar li għalihom tkun tirreferi t-talba.

Linji ta 'Gwida & Ġurisprudenza

(EN)