
Article 22 GDPR. Automated individual decision-making, including profiling

1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

Commentary
Author: Siarhei Varankevich CIPP/E, CIPM, CIPT, MBA, FIP
Co-Founder & CEO of Data Privacy Office LLC. Data Protection Trainer and Principal Consultant

2. Paragraph 1 shall not apply if the decision:

(a) is necessary for entering into, or performance of, a contract between the data subject and a data controller;

(b) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or

(c) is based on the data subject’s explicit consent.


3. In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

4. Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place.

Commentary

Data Subject Request Letter Sample

Concern: Request to object to automated decision

Dear Madam, Dear Sir,

I am subject to a decision made by your [company | organization | etc.] based solely on [automated processing | profiling | etc.].

[…]

Author: Louis-Philippe Gratton PhD, LLM
Privacy Expert
ISO 27701

ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here are the paragraphs relevant to Article 22 GDPR:

7.2.2 Identify lawful basis

Control

The organization should determine, document and comply with the relevant lawful basis for the processing of PII for the identified purposes.

Implementation guidance

Some jurisdictions require the organization to be able to demonstrate that the lawfulness of processing was duly established before the processing.

[…]

Recitals

(71) The data subject should have the right not to be subject to a decision, which may include a measure, evaluating personal aspects relating to him or her which is based solely on automated processing and which produces legal effects concerning him or her or similarly significantly affects him or her, such as automatic refusal of an online credit application or e-recruiting practices without any human intervention. Such processing includes ‘profiling’ that consists of any form of automated processing of personal data evaluating the personal aspects relating to a natural person, in particular to analyse or predict aspects concerning the data subject's performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, where it produces legal effects concerning him or her or similarly significantly affects him or her. However, decision-making based on such processing, including profiling, should be allowed where expressly authorised by Union or Member State law to which the controller is subject, including for fraud and tax-evasion monitoring and prevention purposes conducted in accordance with the regulations, standards and recommendations of Union institutions or national oversight bodies and to ensure the security and reliability of a service provided by the controller, or necessary for the entering or performance of a contract between the data subject and a controller, or when the data subject has given his or her explicit consent. In any case, such processing should be subject to suitable safeguards, which should include specific information to the data subject and the right to obtain human intervention, to express his or her point of view, to obtain an explanation of the decision reached after such assessment and to challenge the decision. Such measure should not concern a child.

In order to ensure fair and transparent processing in respect of the data subject, taking into account the specific circumstances and context in which the personal data are processed, the controller should use appropriate mathematical or statistical procedures for the profiling, implement technical and organisational measures appropriate to ensure, in particular, that factors which result in inaccuracies in personal data are corrected and the risk of errors is minimised, secure personal data in a manner that takes account of the potential risks involved for the interests and rights of the data subject and that prevents, inter alia, discriminatory effects on natural persons on the basis of racial or ethnic origin, political opinion, religion or beliefs, trade union membership, genetic or health status or sexual orientation, or that result in measures having such an effect. Automated decision-making and profiling based on special categories of personal data should be allowed only under specific conditions.

(72) Profiling is subject to the rules of this Regulation governing the processing of personal data, such as the legal grounds for processing or data protection principles. The European Data Protection Board established by this Regulation (the ‘Board’) should be able to issue guidance in that context.
