Navigazzjoni
RĠPD (GDPR) > Artikolu 4. Definizzjonijiet
Download PDF

Artikolu 4 RĠPD (GDPR). Definizzjonijiet

Article 4 GDPR. Definitions

Għall-finijiet ta’ dan ir-Regolament:

For the purposes of this Regulation:

(1) “data personali” tfisser kwalunkwe informazzjoni relatata ma’ persuna fiżika identifikata jew identifikabbli (“suġġett tad-data”); persuna fiżika identifikabbli hija persuna li tista’ tiġi identifikata, direttament jew indirettament, b’mod partikolari b’referenza għal mezz ta’ identifikazzjoni bħal isem, numru ta’ identifikazzjoni, data ta’ lokalizzazzjoni, identifikatur online jew għal fattur wieħed jew aktar speċifiċi għall-identità fiżika, fiżjoloġika, ġenetika, mentali, ekonomika, kulturali jew soċjali ta’ dik il-persuna fiżika;

(1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Kummentarju

(RU)

Когда номер телефона – персональные данные?

(1) В настоящем комментарии рассматривается Позиция WP29 4/2007 о концепции
персональных данных от 20 июня 2007 года (далее—Позиция WP29).

В европейской доктрине и законодательстве определение персональных данных умышленно дано широко, не имеет и, скорее всего, никогда не будет иметь четких и однозначных критериев. Для чего эксперты в области приватности в составе WP29, а затем и законодатели это сделали?

Раздел III Позиции WP29 выделяет в конструкции персональных данных 4 «несущих» блока: «любая информация», «относящаяся к», «идентифицированному или идентифицируемому», «физическому лицу». Для целей нашего анализа потребуются два центральных элемента: «относящаяся к» и «идентифицированному или идентифицируемому», поскольку они в наибольшей степени характеризуют сторону контролера персональных данных как участника правоотношений.

(2) Данные, «относящиеся к» субъекту, включают в себя не только информацию о самом субъекте, но и о принадлежащих ему или иным образом связанных с ним объектах, питомцах. Таким образом, данными, «относящимися к» субъекту, являются не только номер телефона, автомобиля, компьютера, банковской карты, фитнес трекера, чипа питомца, но и иные характеристики этих объектов и животных: цена, износ, серийные номера, поломки, диагнозы, результаты анализов и т.д.

Позиция WP29 также выделяет три элемента, каждый из которых, независимо от наличия других, может сделать любую информацию «относящейся к» субъекту — это содержание, цель и результат.

Информация может относиться к субъекту по своему содержанию, если она о конкретном физическом лице, например, результаты тестов на экзамене, номер телефона конкретного лица, профиль определенного пользователя в соцсетях.

Информация может относиться к субъекту также по цели, если она используется или, вероятнее всего, будет использована в целях оценки, влияния на статус или поведение субъекта, проявления определенного рода отношения к субъекту. Например, список посещенных сотрудниками компании интернет страниц в корпоративной сети, может быть использован для целей мониторинга эффективности использования рабочего времени каждым сотрудником, или для блокировки определенных страниц определенным сотрудникам.

Информация может относиться к субъекту персональных данных, даже в отсутствие признаков «содержания» и «цели», если есть признак результата: если обработка данных, вероятнее всего, повлияет на права и интересы субъекта, например, даже если слегка изменит отношение окружающих к нему, заставит выделять его среди остальных в сообществе. Например, информация о том, что дедушка школьника получил премию Дарвина, может вызвать насмешки и издевательства со стороны сверстников.

Эти три элемента относимости данных к субъекту применяются каждый в отдельности, но, если присутствует хотя бы один элемент, нет надобности выявлять остальные два — данные точно относятся к субъекту.

(3) Третий блок конструкции персональных данных: «идентифицированному или идентифицируемому» — имеет квалифицирующее значение для номера телефона и прочих номеров, характеристик объектов и живых существ, относящихся к субъектам.

Позиция WP29 определяет лицо как идентифицируемое, если оно еще не идентифицировано, но его возможно идентифицировать прямо, например, по имени (если оно позволяет выделить субъекта из группы) или косвенно — по номеру паспорта, автомобиля, телефона или комбинации существенных критериев, позволяющих выделить субъекта из группы (это может быть возраст, место проживания, внешний вид и т.д.).

Однако одна лишь гипотетическая вероятность идентификации субъекта не делает информацию персональными данными. Если возможность идентифицировать субъекта отсутствует или ничтожно мала, данные не считаются персональными. В этом месте некоторые контролеры с радостью воскликнут, что у них и в мыслях не было идентифицировать кого либо, что они всего лишь собирают номера телефонов, автомобилей и некоторых карт, принадлежащих субъектам. Но мы понимаем, что идентификация по этим номерам возможна при сопоставлении с другой базой данных, например, в рамках межведомственного обмена данными, получения данных от сотовых контролеров, с дорожных камер видеонаблюдения, либо в рамках интеграции систем.

Как же определить степень и вероятность того, что контролер или любое третье лицо, завладевшее информацией, решит воспользоваться возможностью идентифицировать субъектов?

Для этого необходимо определить какие разумные усилия контролер или любое третье лицо должны будут приложить для идентификации конкретных субъектов: затраты денежных средств на такие усилия; временные и человеческие ресурсы; наличие технологии, позволяющей выполнить идентификацию без особых усилий и затрат; подразумеваемая (а не декларируемая цель) и построение обработки; какие выгоды может извлечь контролер или любое другое третье лицо; продолжительность хранения данных и потенциальное развитие технологий для идентификации в этот период.

В каждом конкретном случае необходимо определять наличие возможности и прилагаемые ресурсы контролера для идентификации субъектов по номеру телефона. Если возможность есть, или цель и контекст обработки предполагает идентификацию субъекта, то номер телефона является персональными данными.

Номер телефона — является персональными данными, так как он в зависимости от ситуации либо служит идентификатором личности, либо представляет собой информацию, относящуюся к идентифицированному или идентифицируемому физическому лицу. Все прочие номера и характеристики принадлежащих субъекту объектов и живых существ, в том или ином контексте обработки, также могут квалифицироваться в качестве персональных данных.

(4) Даже при отсутствии ФИО субъекта персональных данных у контролера и любого третьего лица, и даже при отсутствии у них возможности идентифицировать субъекта, они все же имеют возможность очень серьезно повлиять на поведение субъекта, нарушить его права и интересы.

Ведь номер телефона, существенно отличается от остальных номеров вещей принадлежностей еще и тем, что по нему можно непосредственно связаться с субъектом и вмешаться в его частную жизнь, причинить ему беспокойство. Возможны: мошенничество, пранк, звонки ночью или ранним утром в выходные, нежелательные смс, звонки, спам. Все это может не только причинить вред здоровью субъекта, нанести ущерб его материальному благосостоянию, но и заставить субъекта сменить номер телефона, и даже поменять контролера, по вине которого произошло нарушение его прав.

Контактные данные в целом (номер телефона, email, адрес и т.д.) позволяют злоумышленникам вступить в непосредственный контакт с субъектом против его воли, чтобы, предположим, угрожать его жизни и безопасности, манипулировать им, назойливо завладеть его вниманием, мешать работе и личной жизни (вторжение согласно Таксономии приватности). Дополнением к мерам защиты таких данных должна быть разумная осмотрительность самого субъекта при раскрытии своих контактных данных третьим лицам, поскольку их компрометация может заставить субъекта сменить номер или переехать, а также нарушить интересы третьих лиц, например семьи субъекта.

Как показано выше, даже без полной идентификации субъекта по контактным данным возможно нарушение его прав. Конфиденциальность этих данных обеспечивает безопасность жизни и здоровья субъекта, его близких, позволяет держать под контролем свои внешние коммуникации, снижает его доступность для внешнего мира, выстраивает личные границы субъекта, оберегает его личное пространство, что дает субъекту комфорт и уверенность.

(EN) […]


to read the full text

(EN) Author
(EN) Elena Sebjakina CIPP/E, Privacy by design
(EN) Data Protection Officer, GDPR Consultant
(EN) Siarhei Varankevich CIPP/E, CIPM, CIPT, MBA, FIP
FIP_IAPP
(EN) Co-Founder & CEO of Data Privacy Office LLC. Data Protection Trainer and Principal Consultant
Linji ta 'Gwida & Ġurisprudenza Premessi

(26) Il-prinċipji ta' protezzjoni tad-data għandhom japplikaw għal kwalunkwe informazzjoni dwar persuna fiżika identifikata jew identifikabbli. Id-data personali li tkun għaddiet minn psewdonimizzazzjoni, li tista' tiġi attribwita lil persuna fiżika bl-użu ta' informazzjoni addizzjonali, għandha titqies bħala informazzjoni dwar persuna fiżika identifikabbli. Sabiex jiġi ddeterminat jekk persuna fiżika hijiex identifikabbli, għandhom jitqiesu l-mezzi kollha li raġonevolment x'aktarx ikunu jintużaw, bħas-singolarizzazzjoni, mill-kontrollur jew minn kwalunkwe persuna oħra sabiex persuna fiżika tiġi identifikata direttament jew indirettament. Sabiex jiġi aċċertat liema mezzi huma raġonevolment mistennija jintużaw għall-identifikazzjoni tal-persuna fiżika, għandu jittieħed kont tal-fatturi oġġettivi kollha, bħall-ispejjeż tal-identifikazzjoni u l-ammont ta' żmien meħtieġ għall-identifikazzjoni, b'kont meħud tat-teknoloġija disponibbli fil-mument tal-ipproċessar u tal-iżviluppi teknoloġiċi. Il-prinċipji tal-protezzjoni tad-data m'għandhomx għalhekk japplikaw għall-informazzjoni anonima, jiġifieri informazzjoni li mhijiex marbuta ma' persuna fiżika identifikat jew identifikabbli jew għal data personali li ssir anonima b'tali mod li s-suġġett tad-data ma jkunx jew ma jkunx għadu identifikabbli. Għaldaqstant, dan ir-Regolament ma jikkonċernax l-ipproċessar ta' tali informazzjoni anonima, inkluż għal finijiet ta' statistika jew ta' riċerka.

(26) The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.

(2) “ipproċessar” tfisser kwalunkwe attività jew sett ta’ attivitajiet li jitwettqu fuq data personali jew fuq settijiet ta’ data personali, sew jekk b’mezzi awtomatizzati u sew jekk mingħajrhom, bħalma huma l-ġbir, ir-reġistrazzjoni, l-organizzazzjoni, l-istrutturar, il-ħażna, l-adattament jew il-bidliet, l-irkupru, il-konsultazzjoni, l-użu, l-iżvelar bi trażmissjoni, it-tixrid jew it-tqegħid għad-dispożizzjoni b’xi mezz ieħor, l-allinjament jew it-taħlita, ir-restrizzjoni, it-tħassir jew il-qerda;

(2) ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

Kummentarju

(EN) Though GDPR Art.4(2) does not mention «purpose», a «processing» should actually be understood as an operation or set of operations united by one purpose. The purpose determines the role of data controller, legal ground for processing, defines the exception allowing for the processing of special categories of data, it limits processing to one purpose (purpose limitation principle), serves as a criteria for data minimisation, and determines a risk level and scope of data subject rights.

Some operations may serve multiple purposes, for instance, storage of email addresses allows a company to provide login to its website (purpose 1) and to send marketing communications (purpose 2). In that case this operation (storage) is  a part of two processing activities at the same time. Stopping one of them (for example as a result of a withdrawal of consent for marketing emails) does not prevent company from continuing the another one (allowing the user to login).

(EN) […]


to read the full text

(EN) Author
(EN) Siarhei Varankevich CIPP/E, CIPM, CIPT, MBA, FIP
FIP_IAPP
(EN) Co-Founder & CEO of Data Privacy Office LLC. Data Protection Trainer and Principal Consultant
Linji ta 'Gwida & Ġurisprudenza

(3) “restrizzjoni tal-ipproċessar” tfisser l-immarkar ta’ data personali maħżuna bil-għan li jiġi limitat l-ipproċessar tagħha fil-ġejjieni;

(3) ‘restriction of processing’ means the marking of stored personal data with the aim of limiting their processing in the future;

(4) “tfassil tal-profil” tfisser kwalunkwe forma ta’ pproċessar awtomatizzat ta’ data personali li jikkonsisti fl-użu ta’ data personali biex jiġu evalwati ċerti aspetti personali relatati ma’ persuna fiżika, b’mod partikolari biex jiġu analizzati jew imbassra aspetti rigward il-prestazzjoni fuq ix-xogħol, is-sitwazzjoni ekonomika, is-saħħa, il-preferenzi personali, l-interessi, l-affidabbiltà, l-imġiba, il-lokalizzazzjoni jew il-movimenti ta’ dik il-persuna fiżika;

(4) ‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

Linji ta 'Gwida & Ġurisprudenza

(5) “psewdonimizzazzjoni” tfisser l-ipproċessar ta’ data personali b’tali mod li d-data personali ma tkunx tista’ tibqa’ tiġi attribwita għal suġġett tad-data speċifiku mingħajr l-użu ta’ informazzjoni addizzjonali, dment li tali informazzjoni addizzjonali tinżamm separatament u tkun soġġetta għal miżuri tekniċi u organizzattivi biex jiġi żgurat li d-data personali ma tiġix attribwita għal persuna fiżika identifikata jew identifikabbli;

(5) ‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;

Kummentarju
(EN) Author
(EN) Siarhei Varankevich CIPP/E, CIPM, CIPT, MBA, FIP
FIP_IAPP
(EN) Co-Founder & CEO of Data Privacy Office LLC. Data Protection Trainer and Principal Consultant
Linji ta 'Gwida & Ġurisprudenza Premessi

(26) Il-prinċipji ta' protezzjoni tad-data għandhom japplikaw għal kwalunkwe informazzjoni dwar persuna fiżika identifikata jew identifikabbli. Id-data personali li tkun għaddiet minn psewdonimizzazzjoni, li tista' tiġi attribwita lil persuna fiżika bl-użu ta' informazzjoni addizzjonali, għandha titqies bħala informazzjoni dwar persuna fiżika identifikabbli. Sabiex jiġi ddeterminat jekk persuna fiżika hijiex identifikabbli, għandhom jitqiesu l-mezzi kollha li raġonevolment x'aktarx ikunu jintużaw, bħas-singolarizzazzjoni, mill-kontrollur jew minn kwalunkwe persuna oħra sabiex persuna fiżika tiġi identifikata direttament jew indirettament. Sabiex jiġi aċċertat liema mezzi huma raġonevolment mistennija jintużaw għall-identifikazzjoni tal-persuna fiżika, għandu jittieħed kont tal-fatturi oġġettivi kollha, bħall-ispejjeż tal-identifikazzjoni u l-ammont ta' żmien meħtieġ għall-identifikazzjoni, b'kont meħud tat-teknoloġija disponibbli fil-mument tal-ipproċessar u tal-iżviluppi teknoloġiċi. Il-prinċipji tal-protezzjoni tad-data m'għandhomx għalhekk japplikaw għall-informazzjoni anonima, jiġifieri informazzjoni li mhijiex marbuta ma' persuna fiżika identifikat jew identifikabbli jew għal data personali li ssir anonima b'tali mod li s-suġġett tad-data ma jkunx jew ma jkunx għadu identifikabbli. Għaldaqstant, dan ir-Regolament ma jikkonċernax l-ipproċessar ta' tali informazzjoni anonima, inkluż għal finijiet ta' statistika jew ta' riċerka.

(26) The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.

(28) L-applikazzjoni ta' psewdonimizzazzjoni ta' data personali tista' tnaqqas ir-riskji għas-suġġetti tad-data kkonċernati u tgħin lill-kontrolluri u l-proċessuri biex jissodisfaw l-obbligi tagħhom tal-protezzjoni ta' data. L-introduzzjoni espliċita ta' “psewdonimizzazzjoni” f'dan ir-Regolament mhijiex intiża biex tipprekludi kwalunkwe miżura oħra tal-protezzjoni ta' data.

(28) The application of pseudonymisation to personal data can reduce the risks to the data subjects concerned and help controllers and processors to meet their data-protection obligations. The explicit introduction of ‘pseudonymisation’ in this Regulation is not intended to preclude any other measures of data protection.

(29) Sabiex jinħolqu inċentivi biex tkun applikata l-psewdonimizzazzjoni fl-ipproċessar ta' data personali, waqt li ssir analiżi ġenerali, għandhom ikunu possibbli miżuri ta' psewdonimizzazzjoni fi ħdan l-istess kontrollur meta dak il-kontrollur ikun ħa miżuri tekniċi u organizzattivi meħtieġa biex jiżgura, għall-ipproċessar ikkonċernat, li dan ir-Regolament jiġi implimentat, u li l-informazzjoni addizzjonali li tattribwixxi d-data personali ma' suġġett tad-data speċifiku tinżamm separata. Il-kontrollur li jipproċessa d-data personali għandu jindika l-persuni awtorizzati fi ħdan l-istess kontrollur.

(29) In order to create incentives to apply pseudonymisation when processing personal data, measures of pseudonymisation should, whilst allowing general analysis, be possible within the same controller when that controller has taken technical and organisational measures necessary to ensure, for the processing concerned, that this Regulation is implemented, and that additional information for attributing the personal data to a specific data subject is kept separately. The controller processing the personal data should indicate the authorised persons within the same controller.

(6) “sistema ta’ arkivjar” tfisser kwalunkwe sett strutturat ta’ data personali li tkun aċċessibbli skont kriterji speċifiċi, sew jekk ċentralizzat, deċentralizzat jew mifrux fuq bażi funzjonali jew ġeografika;

(6) ‘filing system’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;

Kummentarju
Linji ta 'Gwida & Ġurisprudenza Testi relatati

(7) “kontrollur” tfisser persuna fiżika jew ġuridika, awtorità pubblika, aġenzija jew kwalunkwe korp ieħor li, waħdu jew flimkien ma’ oħrajn, jiddetermina l-għanijiet u l-mezzi tal-ipproċessar ta’ data personali; fejn l-għanijiet u l-mezzi tal-ipproċessar ikunu ddeterminati mil-liġi tal-Unjoni jew ta’ Stat Membru, il-kontrollur jew il-kriterji speċifiċi għall-ħatra tiegħu jistgħu jiġu determinati mil-liġi tal-Unjoni jew ta’ Stat Membru;

(7) ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

Kummentarju
Linji ta 'Gwida & Ġurisprudenza

(8) “proċessur” tfisser persuna fiżika jew ġuridika, awtorità pubblika, aġenzija jew korp ieħor li jipproċessa data personali f’isem il-kontrollur;

(8) ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

(9) “riċevitur” tfisser persuna fiżika jew ġuridika, awtorità pubblika, aġenzija jew korp ieħor, li lilha tiġi żvelata d-data personali, irrispettivament milli huwiex parti terza jew le. Madankollu, l-awtoritajiet pubbliċi li jistgħu jirċievu data personali fil-qafas ta’ inkjesta partikolari f’konformità mal-liġi tal-Unjoni jew ta’ Stat Membru m’għandhomx jitqiesu bħala riċevituri; l-ipproċessar ta’ dik id-data minn dawk l-awtoritajiet pubbliċi għandu jkun f’konformità mar-regoli ta’ protezzjoni tad-data applikabbli skont il-finijiet tal-ipproċessar;

(9) ‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;

Premessi

(31) L-awtoritajiet pubbliċi li lilhom tiġi żvelata data personali f'konformità ma' obbligu legali għall-eżerċizzju tal-missjoni uffiċjali tagħhom, bħall-awtoritajiet tat-taxxa u doganali, l-unitajiet ta' investigazzjoni finanzjarja, l-awtoritajiet amministrattivi indipendenti, jew l-awtoritajiet tas-swieq finanzjarji, responsabbli mir-regolazzjoni u s-superviżjoni tas-swieq tat-titoli ma għandhomx jitqiesu bħala destinatarji jekk jirċievu data personali li tkun meħtieġa biex issir inkjesta partikolari fl-interess ġenerali, f'konformità mal-liġi tal-Unjoni jew ta' Stat Membru. It-talbiet għal żvelar li jintbagħtu mill-awtoritajiet pubbliċi għandhom dejjem ikunu bil-miktub, motivati u okkażjonali u m'għandhomx jikkonċernaw sistema sħiħa ta' arkivjar jew iwasslu għall-interkonnessjoni ta' sistemi ta' arkivjar. L-ipproċessar ta' data personali minn dawk l-awtoritajiet pubbliċi għandu jikkonforma mar-regoli applikabbli dwar il-protezzjoni tad-data skont l-għanijiet tal-ipproċessar.

(31) Public authorities to which personal data are disclosed in accordance with a legal obligation for the exercise of their official mission, such as tax and customs authorities, financial investigation units, independent administrative authorities, or financial market authorities responsible for the regulation and supervision of securities markets should not be regarded as recipients if they receive personal data which are necessary to carry out a particular inquiry in the general interest, in accordance with Union or Member State law. The requests for disclosure sent by the public authorities should always be in writing, reasoned and occasional and should not concern the entirety of a filing system or lead to the interconnection of filing systems. The processing of personal data by those public authorities should comply with the applicable data-protection rules according to the purposes of the processing.

(10) “parti terza” tfisser persuna fiżika jew ġuridika, awtorità pubblika, aġenzija jew korp għajr is-suġġett tad-data, il-kontrollur, il-proċessur u l-persuni li, taħt l-awtorità diretta tal-kontrollur jew tal-proċessur, ikunu awtorizzati li jipproċessaw id-data personali;

(10) ‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

(11) “kunsens” tas-suġġett tad-data tfisser kwalunkwe indikazzjoni tax-xewqat tas-suġġett tad-data mogħtija b’mod liberu, speċifika, infurmata u mhux ambigwa li permezz tagħha s-suġġett tad-data, permezz ta’ dikjarazzjoni jew permezz ta’ azzjoni affermattiva ċara, juri li jaqbel mal-ipproċessar ta’ data personali relatata miegħu;

(11) ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

Linji ta 'Gwida & Ġurisprudenza Premessi

(32) Il-kunsens għandu jingħata b'att affermattiv ċar li jistabbilixxi indikazzjoni mogħtija liberament, speċifika, infurmata u mhux ambigwa tal-qbil tas-suġġett tad-data li huwa jaqbel li tiġi pproċessata data personali b'rabta miegħu, pereżempju b'dikjarazzjoni bil-miktub, inkluż b'mod elettroniku, jew bil-fomm. Dan jista' jinkludi l-immarkar ta' kaxxa meta jżur sit elettroniku tal-internet, l-għażla ta' settings tekniċi għas-servizzi tas-soċjetà tal-informazzjoni jew xi dikjarazzjoni jew imġiba oħra li f'dan il-kuntest jindikaw b'mod ċar l-aċċettazzjoni tas-suġġett tad-data tal-ipproċessar propost tad-data personali tiegħu. Is-silenzju, kaxxi mmarkati minn qabel jew in-nuqqas ta' attività għaldaqstant ma għandhomx jitqiesu bħala kunsens. Il-kunsens għandu jkopri l-attivitajiet tal-ipproċessar kollha li jsiru għall-istess fini jew finijiet. Meta l-ipproċessar ikollu diversi finijiet, għandu jingħata kunsens għalihom kollha. Jekk il-kunsens tas-suġġett tad-data jkollu jingħata wara talba b'mod elettroniku, it-talba għandha tkun ċara, konċiża u li ma toħloqx tfixkil bla bżonn għall-użu tas-servizz li tkun qed tiġi pprovduta għalih.

(32) Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.

(33) Ħafna drabi ma jkunx possibbli li jiġi identifikat kompletament l-iskop tal-ipproċessar ta' data personali għal finijiet ta' riċerka xjentifika fil-ħin tal-ġbir tad-data. Għalhekk is-suġġetti tad-data għandhom jitħallew jagħtu l-kunsens tagħhom għal ċerti oqsma ta' riċerka xjentifika meta dan ikun konformi ma' standards etiċi rikonoxxuti għar-riċerka xjentifika. Is-suġġetti tad-data għandu jkollhom l-opportunità li jagħtu l-kunsens tagħhom biss għal ċerti oqsma tar-riċerka jew partijiet ta' proġetti tar-riċerka sa fejn ikun permessibbli mill-fini intenzjonat.

(33) It is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. Therefore, data subjects should be allowed to give their consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research. Data subjects should have the opportunity to give their consent only to certain areas of research or parts of research projects to the extent allowed by the intended purpose.

Testi relatati

(12) “ksur ta’ data personali” tfisser ksur tas-sigurtà li jwassal għal qerda aċċidentali jew illegali, telf, bidliet, żvelar mhux awtorizzat ta’, jew aċċess għal, data personali trażmessa, maħżuna jew ipproċessata b’xi mod ieħor;

(12) ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

Linji ta 'Gwida & Ġurisprudenza

(13) “data ġenetika” tfisser id-data personali relatata mal-karatteristiċi ġenetiċi ta’ persuna fiżika li jkunu ntirtu jew inkisbu li tagħti informazzjoni unika dwar il-fiżjoloġija jew is-saħħa ta’ dik il-persuna fiżika, u li tirriżulta, b’mod partikolari, minn analiżi ta’ kampjun bijoloġiku mill-persuna fiżika inkwistjoni;

(13) ‘genetic data’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;

Linji ta 'Gwida & Ġurisprudenza Premessi

(34) Id-data ġenetika għandha tiġi definita bħala data personali relatata mal-karatteristiċi ġenetiċi, li ntirtu jew inkisbu, ta' persuna fiżika li jirriżultaw mill-analiżi ta' kampjun bijoloġiku mill-persuna fiżika kkonċernata, b'mod partikolari l-analiżi kromosomika, l-analiżi tal-aċidu deossiribonuklejku (DNA) jew tal-aċidu ribonuklejku (RNA), jew mill-analiżi ta' xi element ieħor li jippermetti li tinkiseb informazzjoni ekwivalenti.

(34) Genetic data should be defined as personal data relating to the inherited or acquired genetic characteristics of a natural person which result from the analysis of a biological sample from the natural person in question, in particular chromosomal, deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analysis, or from the analysis of another element enabling equivalent information to be obtained.

(14) “data bijometrika” tfisser data personali li tirriżulta mill-ipproċessar tekniku speċifiku relatat mal-karatteristiċi fiżiċi, fiżjoloġiċi jew tal-imġiba ta’ persuna fiżika, li tippermetti jew tikkonferma l-identifikazzjoni unika ta’ dik il-persuna fiżika, bħall-immaġnijiet tal-wiċċ jew id-data dattiloskopika;

(14) ‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;

Linji ta 'Gwida & Ġurisprudenza

(15) “data dwar is-saħħa” tfisser data personali relatata mas-saħħa fiżika jew mentali ta’ persuna fiżika, inkluża l-provvista ta’ servizzi tal-kura tas-saħħa, li tiżvela informazzjoni rigward l-istat ta’ saħħitha;

(15) ‘data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;

Linji ta 'Gwida & Ġurisprudenza Premessi

(35) Id-data personali dwar is-saħħa għandha tinkludi d-data kollha dwar l-istat tas-saħħa ta' suġġett tad-data li tiżvela informazzjoni relatata mal-istat tas-saħħa fiżika jew mentali tas-suġġett tad-data fil-passat, fil-preżent jew fil-ġejjieni. Din tinkludi informazzjoni miġbura dwar il-persuna fiżika matul ir-reġistrazzjoni u għal, jew il-forniment ta', servizzi tal-kura tas-saħħa kif imsemmi fid-Direttiva 2011/24/UE tal-Parlament Ewropew u tal-Kunsill (9) lil dik il-persuna fiżika; numru, simbolu jew element partikolari assenjat lill-persuna fiżika għall-identifikazzjoni unika tal-persuna fiżika għall-finijiet ta' saħħa; informazzjoni miġbura mill-ittestjar jew l-eżami ta' parti mill-ġisem jew sustanza tal-ġisem, inkluża dik minn data ġenetika u kampjuni bijoloġiċi; u kwalunkwe informazzjoni dwar, pereżempju marda, diżabbiltà, riskju ta' mard, storja medika, kura klinika jew l-istat fiżjoloġiku jew bijomediku tas-suġġett tad-data indipendentement mis-sors tiegħu, bħal pereżempju mingħand tabib jew professjonista tas-saħħa ieħor, sptar, apparat mediku, jew test dijanjostiku in vitro.

(35) Personal data concerning health should include all data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health status of the data subject. This includes information about the natural person collected in the course of the registration for, or the provision of, health care services as referred to in Directive 2011/24/EU of the European Parliament and of the Council [9] to that natural person; a number, symbol or particular assigned to a natural person to uniquely identify the natural person for health purposes; information derived from the testing or examination of a body part or bodily substance, including from genetic data and biological samples; and any information on, for example, a disease, disability, disease risk, medical history, clinical treatment or the physiological or biomedical state of the data subject independent of its source, for example from a physician or other health professional, a hospital, a medical device or an in vitro diagnostic test.

(9) Direttiva 2011/24/UE tal-Parlament Ewropew u tal-Kunsill tad-9 ta' Marzu 2011 dwar l-applikazzjoni tad-drittijiet tal-pazjenti fil-qasam tal-kura tas-saħħa transkonfinali (ĠU L 88, 4.4.2011, p. 45). https://eur-lex.europa.eu/legal-content/EN/AUTO/?uri=OJ:L:2011:088:TOC

[9] Directive 2011/24/EU of the European Parliament and of the Council of 9 March 2011 on the application of patients' rights in cross-border healthcare (OJ L 88, 4.4.2011, p. 45). https://eur-lex.europa.eu/legal-content/EN/AUTO/?uri=OJ:L:2011:088:TOC

(16) “stabbiliment ewlieni” tfisser:

(16) ‘main establishment’ means:

Premessi

(36) L-istabbiliment ewlieni ta' kontrollur fl-Unjoni għandu jkun il-post tal-amministrazzjoni ċentrali tiegħu fl-Unjoni, għajr jekk id-deċiżjonijiet dwar il-finijiet u l-mezzi tal-ipproċessar ta' data personali jittieħdu fi stabbiliment ieħor tal-kontrollur fl-Unjoni, u f'dan il-każ, l-istabbiliment l-ieħor għandu jitqies bħala l-istabbiliment ewlieni. L-istabbiliment ewlieni ta' kontrollur fl-Unjoni għandu jkun stabbilit skont kriterji oġġettivi u għandu jimplika l-eżerċizzju effettiv u reali ta' attivitajiet ta' ġestjoni li jiddeterminaw id-deċiżjonijiet ewlenin dwar il-finijiet u l-mezzi tal-ipproċessar permezz ta' arranġamenti stabbli. Dak il-kriterju ma għandux jiddependi minn jekk l-ipproċessar ta' data personali jitwettaqx f'dak il-post. Il-preżenza u l-użu ta' mezzi tekniċi u teknoloġiji għall-ipproċessar ta' data personali jew l-ipproċessar ta' attivitajiet, minnhom infushom, ma jikkostitwixxux stabbiliment ewlieni u għaldaqstant mhumiex kriterju determinanti għal stabbiliment ewlieni. L-istabbiliment ewlieni tal-proċessur għandu jkun il-post fejn tinsab l-amministrazzjoni ċentrali tiegħu fl-Unjoni jew, jekk ma għandux amministrazzjoni ċentrali fl-Unjoni, il-post fejn iseħħu l-attivitajiet ta' pproċessar ewlenin fl-Unjoni. F'każijiet li jinvolvu kemm il-kontrollur kif ukoll il-proċessur, l-awtorità superviżorja ewlenija kompetenti għandha tibqa' l-awtorità superviżorja tal-Istat Membru fejn il-kontrollur ikollu l-istabbiliment ewlieni tiegħu iżda l-awtorità superviżorja tal-proċessur għandha titqies bħala awtorità superviżorja kkonċernata u dik l-awtorità superviżorja għandha tipparteċipa fil-proċedura ta' kooperazzjoni prevista minn dan ir-Regolament. Fi kwalunkwe każ, l-awtoritajiet superviżorji tal-Istat Membru jew l-Istati Membri fejn il-proċessur ikollu stabbiliment wieħed jew aktar m'għandhomx jitqiesu bħala awtoritajiet superviżorji kkonċernati fejn l-abbozz ta' deċiżjoni jikkonċerna biss lill-kontrollur. Fejn l-ipproċessar jitwettaq minn grupp ta' impriżi, l-istabbiliment ewlieni tal-impriża li tikkontrolla għandu jitqies bħala l-istabbiliment ewlieni tal-grupp ta' impriżi, għajr fejn il-finijiet u l-mezzi tal-ipproċessar jiġu ddeterminati minn impriża oħra.

(36) The main establishment of a controller in the Union should be the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union, in which case that other establishment should be considered to be the main establishment. The main establishment of a controller in the Union should be determined according to objective criteria and should imply the effective and real exercise of management activities determining the main decisions as to the purposes and means of processing through stable arrangements. That criterion should not depend on whether the processing of personal data is carried out at that location. The presence and use of technical means and technologies for processing personal data or processing activities do not, in themselves, constitute a main establishment and are therefore not determining criteria for a main establishment. The main establishment of the processor should be the place of its central administration in the Union or, if it has no central administration in the Union, the place where the main processing activities take place in the Union. In cases involving both the controller and the processor, the competent lead supervisory authority should remain the supervisory authority of the Member State where the controller has its main establishment, but the supervisory authority of the processor should be considered to be a supervisory authority concerned and that supervisory authority should participate in the cooperation procedure provided for by this Regulation. In any case, the supervisory authorities of the Member State or Member States where the processor has one or more establishments should not be considered to be supervisory authorities concerned where the draft decision concerns only the controller. Where the processing is carried out by a group of undertakings, the main establishment of the controlling undertaking should be considered to be the main establishment of the group of undertakings, except where the purposes and means of processing are determined by another undertaking.

(a) fir-rigward ta’ kontrollur bi stabbilimenti f’aktar minn Stat Membru wieħed, il-post tal-amministrazzjoni ċentrali tiegħu fl-Unjoni, għajr jekk id-deċiżjonijiet dwar l-għanijiet u l-mezzi tal-ipproċessar tad-data personali jittieħdu fi stabbiliment ieħor tal-kontrollur fl-Unjoni u dan l-istabbiliment tal-aħħar ikollu s-setgħa li jesiġi l-implimentazzjoni ta’ tali deċiżjonijiet, u f’dan il-każ l-istabbiliment li jkun ħa tali deċiżjonijiet għandu jitqies bħala l-istabbiliment ewlieni;

(a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;

(b) fir-rigward ta’ proċessur bi stabbilimenti f’aktar minn Stat Membru wieħed, il-post tal-amministrazzjoni ċentrali tiegħu fl-Unjoni, jew, jekk il-proċessur ma jkollu l-ebda amministrazzjoni ċentrali fl-Unjoni, l-istabbiliment tal-proċessur fl-Unjoni fejn isiru l-attivitajiet ta’ pproċessar ewlenin fil-kuntest tal-attivitajiet ta’ stabbiliment tal-proċessur sa fejn il-proċessur ikun soġġett għal obbligi speċifiċi taħt dan ir-Regolament;

(b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;

Testi relatati

(17) “rappreżentant” tfisser persuna fiżika jew ġuridika stabbilita fl-Unjoni li, maħtura bil-miktub mill-kontrollur jew mill-proċessur skont l-Artikolu 27, tirrappreżenta l-kontrollur jew il-proċessur fir-rigward tal-obbligi rispettivi skont dan ir-Regolament;

(17) ‘representative’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation;

Testi relatati

(18) “impriża” tfisser persuna fiżika jew ġuridika involuta f’attività ekonomika, irrispettivament mill-forma legali tagħha, inkluż sħubiji jew assoċjazzjonijiet regolarment involuti f’attività ekonomika;

(18) ‘enterprise’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;

(19) “grupp ta’ impriżi” tfisser impriża li tikkontrolla u l-impriżi kkontrollati minnha;

(19) ‘group of undertakings’ means a controlling undertaking and its controlled undertakings;

Kummentarju
Premessi

(37) Grupp ta' impriżi għandu jkopri impriża li tikkontrolla u l-impriżi kkontrollati tagħha, fejn l-impriża li tikkontrolla għandha tkun l-impriża li tista' teżerċita influwenza dominanti fuq l-impriżi l-oħra pereżempju permezz tas-sjieda, il-parteċipazzjoni finanzjarja jew ir-regoli li jirregolawha jew is-setgħa li timplimenta r-regoli dwar il-protezzjoni ta' data personali. Impriża li tikkontrolla l-ipproċessar ta' data personali f'impriżi affiljati magħha għandha titqies, flimkien ma' dawk l-impriżi, bħala “grupp ta' impriżi”.

(37) A group of undertakings should cover a controlling undertaking and its controlled undertakings, whereby the controlling undertaking should be the undertaking which can exert a dominant influence over the other undertakings by virtue, for example, of ownership, financial participation or the rules which govern it or the power to have personal data protection rules implemented. An undertaking which controls the processing of personal data in undertakings affiliated to it should be regarded, together with those undertakings, as a group of undertakings.

(20) “regoli korporattivi vinkolanti” tfisser politiki ta’ protezzjoni tad-data personali li jiġu sodisfatti minn kontrollur jew proċessur stabbilit fit-territorju ta’ Stat Membru għal trasferimenti jew sett ta’ trasferimenti ta’ data personali lil kontrollur jew proċessur f’pajjiż terz wieħed jew aktar fi grupp ta’ impriżi, jew grupp ta’ intrapriżi involuti f’attività ekonomika konġunta;

(20) ‘binding corporate rules’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity;

(21) “awtorità superviżorja” tfisser awtorità pubblika indipendenti li tiġi stabbilita minn Stat Membru skont l-Artikolu 51;

(21) ‘supervisory authority’ means an independent public authority which is established by a Member State pursuant to Article 51;

(22) “awtorità superviżorja kkonċernata” tfisser awtorità superviżorja li tkun ikkonċernata bl-ipproċessar ta’ data personali peress li:

(22) ‘supervisory authority concerned’ means a supervisory authority which is concerned by the processing of personal data because:

Premessi

(36) L-istabbiliment ewlieni ta' kontrollur fl-Unjoni għandu jkun il-post tal-amministrazzjoni ċentrali tiegħu fl-Unjoni, għajr jekk id-deċiżjonijiet dwar il-finijiet u l-mezzi tal-ipproċessar ta' data personali jittieħdu fi stabbiliment ieħor tal-kontrollur fl-Unjoni, u f'dan il-każ, l-istabbiliment l-ieħor għandu jitqies bħala l-istabbiliment ewlieni. L-istabbiliment ewlieni ta' kontrollur fl-Unjoni għandu jkun stabbilit skont kriterji oġġettivi u għandu jimplika l-eżerċizzju effettiv u reali ta' attivitajiet ta' ġestjoni li jiddeterminaw id-deċiżjonijiet ewlenin dwar il-finijiet u l-mezzi tal-ipproċessar permezz ta' arranġamenti stabbli. Dak il-kriterju ma għandux jiddependi minn jekk l-ipproċessar ta' data personali jitwettaqx f'dak il-post. Il-preżenza u l-użu ta' mezzi tekniċi u teknoloġiji għall-ipproċessar ta' data personali jew l-ipproċessar ta' attivitajiet, minnhom infushom, ma jikkostitwixxux stabbiliment ewlieni u għaldaqstant mhumiex kriterju determinanti għal stabbiliment ewlieni. L-istabbiliment ewlieni tal-proċessur għandu jkun il-post fejn tinsab l-amministrazzjoni ċentrali tiegħu fl-Unjoni jew, jekk ma għandux amministrazzjoni ċentrali fl-Unjoni, il-post fejn iseħħu l-attivitajiet ta' pproċessar ewlenin fl-Unjoni. F'każijiet li jinvolvu kemm il-kontrollur kif ukoll il-proċessur, l-awtorità superviżorja ewlenija kompetenti għandha tibqa' l-awtorità superviżorja tal-Istat Membru fejn il-kontrollur ikollu l-istabbiliment ewlieni tiegħu iżda l-awtorità superviżorja tal-proċessur għandha titqies bħala awtorità superviżorja kkonċernata u dik l-awtorità superviżorja għandha tipparteċipa fil-proċedura ta' kooperazzjoni prevista minn dan ir-Regolament. Fi kwalunkwe każ, l-awtoritajiet superviżorji tal-Istat Membru jew l-Istati Membri fejn il-proċessur ikollu stabbiliment wieħed jew aktar m'għandhomx jitqiesu bħala awtoritajiet superviżorji kkonċernati fejn l-abbozz ta' deċiżjoni jikkonċerna biss lill-kontrollur. Fejn l-ipproċessar jitwettaq minn grupp ta' impriżi, l-istabbiliment ewlieni tal-impriża li tikkontrolla għandu jitqies bħala l-istabbiliment ewlieni tal-grupp ta' impriżi, għajr fejn il-finijiet u l-mezzi tal-ipproċessar jiġu ddeterminati minn impriża oħra.

(36) The main establishment of a controller in the Union should be the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union, in which case that other establishment should be considered to be the main establishment. The main establishment of a controller in the Union should be determined according to objective criteria and should imply the effective and real exercise of management activities determining the main decisions as to the purposes and means of processing through stable arrangements. That criterion should not depend on whether the processing of personal data is carried out at that location. The presence and use of technical means and technologies for processing personal data or processing activities do not, in themselves, constitute a main establishment and are therefore not determining criteria for a main establishment. The main establishment of the processor should be the place of its central administration in the Union or, if it has no central administration in the Union, the place where the main processing activities take place in the Union. In cases involving both the controller and the processor, the competent lead supervisory authority should remain the supervisory authority of the Member State where the controller has its main establishment, but the supervisory authority of the processor should be considered to be a supervisory authority concerned and that supervisory authority should participate in the cooperation procedure provided for by this Regulation. In any case, the supervisory authorities of the Member State or Member States where the processor has one or more establishments should not be considered to be supervisory authorities concerned where the draft decision concerns only the controller. Where the processing is carried out by a group of undertakings, the main establishment of the controlling undertaking should be considered to be the main establishment of the group of undertakings, except where the purposes and means of processing are determined by another undertaking.

(a) il-kontrollur jew il-proċessur ikun stabbilit fit-territorju tal-Istat Membru ta’ dik l-awtorità superviżorja;

(a) the controller or processor is established on the territory of the Member State of that supervisory authority;

(b) is-suġġetti tad-data li jgħixu fl-Istat Membru ta’ dik l-awtorità superviżorja jiġu affettwati sostanzjalment jew x’aktarx li jkunu ser jiġu affettwati sostanzjalment mill-ipproċessar; jew

(b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or

(c) ikun tressaq ilment quddiem dik l-awtorità superviżorja;

(c) a complaint has been lodged with that supervisory authority;

(23) “ipproċessar transkonfinali” tfisser jew:

(23) ‘cross-border processing’ means either:

(a) l-ipproċessar ta’ data personali li jsir fil-kuntest tal-attivitajiet ta’ stabbilimenti f’iktar minn Stat Membru wieħed ta’ kontrollur jew proċessur fl-Unjoni fejn il-kontrollur jew il-proċessur ikun stabbilit f’iktar minn Stat Membru wieħed; jew

(a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or

(b) l-ipproċessar ta’ data personali li jsir fil-kuntest tal-attivitajiet ta’ stabbiliment uniku ta’ kontrollur jew proċessur fl-Unjoni li madankollu jaffettwa sostanzjalment lil suġġetti tad-data f’aktar minn Stat Membru wieħed, jew li x’aktarx li ser jaffettwahom sostanzjalment.

(b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.

Testi relatati

(24) “oġġezzjoni rilevanti u motivata” tfisser oġġezzjoni għal abbozz ta’ deċiżjoni dwar jekk ikunx hemm ksur ta’ dan ir-Regolament, jew jekk azzjoni maħsuba fir-rigward tal-kontrollur jew il-proċessur tkunx konformi ma’ dan ir-Regolament, li turi b’mod ċar is-sinifikat tar-riskji maħluqa mill-abbozz ta’ deċiżjoni rigward id-drittijiet u l-libertajiet fundamentali tas-suġġetti tad-data u fejn applikabbli, iċ-ċirkolazzjoni libera ta’ data personali fi ħdan l-Unjoni;

(24) ‘relevant and reasoned objection’ means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;

(25) “servizz tas-soċjetà tal-informazzjoni” tfisser servizz kif definit fil-punt (b) tal-Artikolu 1(1) tad-Direttiva (UE) 2015/1535 tal-Parlament Ewropew u tal-Kunsill (19);

(25) ‘information society service’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council [19];

Testi relatati

(19) Direttiva (UE) 2015/1535 tal-Parlament Ewropew u tal-Kunsill tad-9 ta’ Settembru 2015 li tistabbilixxi proċedura għall-għoti ta’ informazzjoni fil-qasam tar-regolamenti tekniċi u tar-regoli dwar is-servizzi tas-Soċjetà tal-Informatika (ĠU L 241, 17.9.2015, p. 1). https://eur-lex.europa.eu/legal-content/EN/AUTO/?uri=OJ:L:2015:241:TOC

[19] Directive (EU) 2015/1535 of the European Parliament and of the Council of 9 September 2015 laying down a procedure for the provision of information in the field of technical regulations and of rules on Information Society services (OJ L 241, 17.9.2015, p. 1). https://eur-lex.europa.eu/legal-content/EN/AUTO/?uri=OJ:L:2015:241:TOC

(26) “organizzazzjoni internazzjonali” tfisser organizzazzjoni u l-korpi subordinati tagħha rregolati mid-dritt internazzjonali pubbliku jew kwalunkwe korp ieħor li jiġi stabbilit bi ftehim bejn żewġ pajjiżi jew aktar, jew abbażi tiegħu.

(26) ‘international organisation’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.

Premessi Ħalli kumment
Premessi

(26) Il-prinċipji ta' protezzjoni tad-data għandhom japplikaw għal kwalunkwe informazzjoni dwar persuna fiżika identifikata jew identifikabbli. Id-data personali li tkun għaddiet minn psewdonimizzazzjoni, li tista' tiġi attribwita lil persuna fiżika bl-użu ta' informazzjoni addizzjonali, għandha titqies bħala informazzjoni dwar persuna fiżika identifikabbli. Sabiex jiġi ddeterminat jekk persuna fiżika hijiex identifikabbli, għandhom jitqiesu l-mezzi kollha li raġonevolment x'aktarx ikunu jintużaw, bħas-singolarizzazzjoni, mill-kontrollur jew minn kwalunkwe persuna oħra sabiex persuna fiżika tiġi identifikata direttament jew indirettament. Sabiex jiġi aċċertat liema mezzi huma raġonevolment mistennija jintużaw għall-identifikazzjoni tal-persuna fiżika, għandu jittieħed kont tal-fatturi oġġettivi kollha, bħall-ispejjeż tal-identifikazzjoni u l-ammont ta' żmien meħtieġ għall-identifikazzjoni, b'kont meħud tat-teknoloġija disponibbli fil-mument tal-ipproċessar u tal-iżviluppi teknoloġiċi. Il-prinċipji tal-protezzjoni tad-data m'għandhomx għalhekk japplikaw għall-informazzjoni anonima, jiġifieri informazzjoni li mhijiex marbuta ma' persuna fiżika identifikat jew identifikabbli jew għal data personali li ssir anonima b'tali mod li s-suġġett tad-data ma jkunx jew ma jkunx għadu identifikabbli. Għaldaqstant, dan ir-Regolament ma jikkonċernax l-ipproċessar ta' tali informazzjoni anonima, inkluż għal finijiet ta' statistika jew ta' riċerka.

(26) The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.

(27) Dan ir-Regolament ma japplikax għad-data personali ta' persuni deċeduti. L-Istati Membri jistgħu jipprevedu regoli dwar l-ipproċessar ta' data personali ta' persuni deċeduti.

(27) This Regulation does not apply to the personal data of deceased persons. Member States may provide for rules regarding the processing of personal data of deceased persons.

(28) L-applikazzjoni ta' psewdonimizzazzjoni ta' data personali tista' tnaqqas ir-riskji għas-suġġetti tad-data kkonċernati u tgħin lill-kontrolluri u l-proċessuri biex jissodisfaw l-obbligi tagħhom tal-protezzjoni ta' data. L-introduzzjoni espliċita ta' “psewdonimizzazzjoni” f'dan ir-Regolament mhijiex intiża biex tipprekludi kwalunkwe miżura oħra tal-protezzjoni ta' data.

(28) The application of pseudonymisation to personal data can reduce the risks to the data subjects concerned and help controllers and processors to meet their data-protection obligations. The explicit introduction of ‘pseudonymisation’ in this Regulation is not intended to preclude any other measures of data protection.

(29) Sabiex jinħolqu inċentivi biex tkun applikata l-psewdonimizzazzjoni fl-ipproċessar ta' data personali, waqt li ssir analiżi ġenerali, għandhom ikunu possibbli miżuri ta' psewdonimizzazzjoni fi ħdan l-istess kontrollur meta dak il-kontrollur ikun ħa miżuri tekniċi u organizzattivi meħtieġa biex jiżgura, għall-ipproċessar ikkonċernat, li dan ir-Regolament jiġi implimentat, u li l-informazzjoni addizzjonali li tattribwixxi d-data personali ma' suġġett tad-data speċifiku tinżamm separata. Il-kontrollur li jipproċessa d-data personali għandu jindika l-persuni awtorizzati fi ħdan l-istess kontrollur.

(29) In order to create incentives to apply pseudonymisation when processing personal data, measures of pseudonymisation should, whilst allowing general analysis, be possible within the same controller when that controller has taken technical and organisational measures necessary to ensure, for the processing concerned, that this Regulation is implemented, and that additional information for attributing the personal data to a specific data subject is kept separately. The controller processing the personal data should indicate the authorised persons within the same controller.

(30) Il-persuni fiżiċi jistgħu jiġu assoċjati ma' identifikaturi online ipprovduti mill-apparat, l-applikazzjonijiet, l-għodod u l-protokolli tagħhom, bħal indirizzi tal-protokoll tal-internet, identifikaturi tal-cookies jew identifikaturi oħrajn bħal tags tal-identifikazzjoni bil-frekwenza tar-radju. Dan jista' jħalli traċċi li, b'mod partikolari flimkien ma' identifikaturi uniċi u informazzjoni oħra li jirċievu s-servers, jistgħu jintużaw sabiex joħolqu profili tal-persuni fiżiċi u jidentifikawhom.

(30) Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

(31) L-awtoritajiet pubbliċi li lilhom tiġi żvelata data personali f'konformità ma' obbligu legali għall-eżerċizzju tal-missjoni uffiċjali tagħhom, bħall-awtoritajiet tat-taxxa u doganali, l-unitajiet ta' investigazzjoni finanzjarja, l-awtoritajiet amministrattivi indipendenti, jew l-awtoritajiet tas-swieq finanzjarji, responsabbli mir-regolazzjoni u s-superviżjoni tas-swieq tat-titoli ma għandhomx jitqiesu bħala destinatarji jekk jirċievu data personali li tkun meħtieġa biex issir inkjesta partikolari fl-interess ġenerali, f'konformità mal-liġi tal-Unjoni jew ta' Stat Membru. It-talbiet għal żvelar li jintbagħtu mill-awtoritajiet pubbliċi għandhom dejjem ikunu bil-miktub, motivati u okkażjonali u m'għandhomx jikkonċernaw sistema sħiħa ta' arkivjar jew iwasslu għall-interkonnessjoni ta' sistemi ta' arkivjar. L-ipproċessar ta' data personali minn dawk l-awtoritajiet pubbliċi għandu jikkonforma mar-regoli applikabbli dwar il-protezzjoni tad-data skont l-għanijiet tal-ipproċessar.

(31) Public authorities to which personal data are disclosed in accordance with a legal obligation for the exercise of their official mission, such as tax and customs authorities, financial investigation units, independent administrative authorities, or financial market authorities responsible for the regulation and supervision of securities markets should not be regarded as recipients if they receive personal data which are necessary to carry out a particular inquiry in the general interest, in accordance with Union or Member State law. The requests for disclosure sent by the public authorities should always be in writing, reasoned and occasional and should not concern the entirety of a filing system or lead to the interconnection of filing systems. The processing of personal data by those public authorities should comply with the applicable data-protection rules according to the purposes of the processing.

(32) Il-kunsens għandu jingħata b'att affermattiv ċar li jistabbilixxi indikazzjoni mogħtija liberament, speċifika, infurmata u mhux ambigwa tal-qbil tas-suġġett tad-data li huwa jaqbel li tiġi pproċessata data personali b'rabta miegħu, pereżempju b'dikjarazzjoni bil-miktub, inkluż b'mod elettroniku, jew bil-fomm. Dan jista' jinkludi l-immarkar ta' kaxxa meta jżur sit elettroniku tal-internet, l-għażla ta' settings tekniċi għas-servizzi tas-soċjetà tal-informazzjoni jew xi dikjarazzjoni jew imġiba oħra li f'dan il-kuntest jindikaw b'mod ċar l-aċċettazzjoni tas-suġġett tad-data tal-ipproċessar propost tad-data personali tiegħu. Is-silenzju, kaxxi mmarkati minn qabel jew in-nuqqas ta' attività għaldaqstant ma għandhomx jitqiesu bħala kunsens. Il-kunsens għandu jkopri l-attivitajiet tal-ipproċessar kollha li jsiru għall-istess fini jew finijiet. Meta l-ipproċessar ikollu diversi finijiet, għandu jingħata kunsens għalihom kollha. Jekk il-kunsens tas-suġġett tad-data jkollu jingħata wara talba b'mod elettroniku, it-talba għandha tkun ċara, konċiża u li ma toħloqx tfixkil bla bżonn għall-użu tas-servizz li tkun qed tiġi pprovduta għalih.

(32) Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.

(33) Ħafna drabi ma jkunx possibbli li jiġi identifikat kompletament l-iskop tal-ipproċessar ta' data personali għal finijiet ta' riċerka xjentifika fil-ħin tal-ġbir tad-data. Għalhekk is-suġġetti tad-data għandhom jitħallew jagħtu l-kunsens tagħhom għal ċerti oqsma ta' riċerka xjentifika meta dan ikun konformi ma' standards etiċi rikonoxxuti għar-riċerka xjentifika. Is-suġġetti tad-data għandu jkollhom l-opportunità li jagħtu l-kunsens tagħhom biss għal ċerti oqsma tar-riċerka jew partijiet ta' proġetti tar-riċerka sa fejn ikun permessibbli mill-fini intenzjonat.

(33) It is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. Therefore, data subjects should be allowed to give their consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research. Data subjects should have the opportunity to give their consent only to certain areas of research or parts of research projects to the extent allowed by the intended purpose.

(34) Id-data ġenetika għandha tiġi definita bħala data personali relatata mal-karatteristiċi ġenetiċi, li ntirtu jew inkisbu, ta' persuna fiżika li jirriżultaw mill-analiżi ta' kampjun bijoloġiku mill-persuna fiżika kkonċernata, b'mod partikolari l-analiżi kromosomika, l-analiżi tal-aċidu deossiribonuklejku (DNA) jew tal-aċidu ribonuklejku (RNA), jew mill-analiżi ta' xi element ieħor li jippermetti li tinkiseb informazzjoni ekwivalenti.

(34) Genetic data should be defined as personal data relating to the inherited or acquired genetic characteristics of a natural person which result from the analysis of a biological sample from the natural person in question, in particular chromosomal, deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analysis, or from the analysis of another element enabling equivalent information to be obtained.

(35) Id-data personali dwar is-saħħa għandha tinkludi d-data kollha dwar l-istat tas-saħħa ta' suġġett tad-data li tiżvela informazzjoni relatata mal-istat tas-saħħa fiżika jew mentali tas-suġġett tad-data fil-passat, fil-preżent jew fil-ġejjieni. Din tinkludi informazzjoni miġbura dwar il-persuna fiżika matul ir-reġistrazzjoni u għal, jew il-forniment ta', servizzi tal-kura tas-saħħa kif imsemmi fid-Direttiva 2011/24/UE tal-Parlament Ewropew u tal-Kunsill (9) lil dik il-persuna fiżika; numru, simbolu jew element partikolari assenjat lill-persuna fiżika għall-identifikazzjoni unika tal-persuna fiżika għall-finijiet ta' saħħa; informazzjoni miġbura mill-ittestjar jew l-eżami ta' parti mill-ġisem jew sustanza tal-ġisem, inkluża dik minn data ġenetika u kampjuni bijoloġiċi; u kwalunkwe informazzjoni dwar, pereżempju marda, diżabbiltà, riskju ta' mard, storja medika, kura klinika jew l-istat fiżjoloġiku jew bijomediku tas-suġġett tad-data indipendentement mis-sors tiegħu, bħal pereżempju mingħand tabib jew professjonista tas-saħħa ieħor, sptar, apparat mediku, jew test dijanjostiku in vitro.

(35) Personal data concerning health should include all data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health status of the data subject. This includes information about the natural person collected in the course of the registration for, or the provision of, health care services as referred to in Directive 2011/24/EU of the European Parliament and of the Council [9] to that natural person; a number, symbol or particular assigned to a natural person to uniquely identify the natural person for health purposes; information derived from the testing or examination of a body part or bodily substance, including from genetic data and biological samples; and any information on, for example, a disease, disability, disease risk, medical history, clinical treatment or the physiological or biomedical state of the data subject independent of its source, for example from a physician or other health professional, a hospital, a medical device or an in vitro diagnostic test.

(9) Direttiva 2011/24/UE tal-Parlament Ewropew u tal-Kunsill tad-9 ta' Marzu 2011 dwar l-applikazzjoni tad-drittijiet tal-pazjenti fil-qasam tal-kura tas-saħħa transkonfinali (ĠU L 88, 4.4.2011, p. 45). https://eur-lex.europa.eu/legal-content/EN/AUTO/?uri=OJ:L:2011:088:TOC

[9] Directive 2011/24/EU of the European Parliament and of the Council of 9 March 2011 on the application of patients' rights in cross-border healthcare (OJ L 88, 4.4.2011, p. 45). https://eur-lex.europa.eu/legal-content/EN/AUTO/?uri=OJ:L:2011:088:TOC

(36) L-istabbiliment ewlieni ta' kontrollur fl-Unjoni għandu jkun il-post tal-amministrazzjoni ċentrali tiegħu fl-Unjoni, għajr jekk id-deċiżjonijiet dwar il-finijiet u l-mezzi tal-ipproċessar ta' data personali jittieħdu fi stabbiliment ieħor tal-kontrollur fl-Unjoni, u f'dan il-każ, l-istabbiliment l-ieħor għandu jitqies bħala l-istabbiliment ewlieni. L-istabbiliment ewlieni ta' kontrollur fl-Unjoni għandu jkun stabbilit skont kriterji oġġettivi u għandu jimplika l-eżerċizzju effettiv u reali ta' attivitajiet ta' ġestjoni li jiddeterminaw id-deċiżjonijiet ewlenin dwar il-finijiet u l-mezzi tal-ipproċessar permezz ta' arranġamenti stabbli. Dak il-kriterju ma għandux jiddependi minn jekk l-ipproċessar ta' data personali jitwettaqx f'dak il-post. Il-preżenza u l-użu ta' mezzi tekniċi u teknoloġiji għall-ipproċessar ta' data personali jew l-ipproċessar ta' attivitajiet, minnhom infushom, ma jikkostitwixxux stabbiliment ewlieni u għaldaqstant mhumiex kriterju determinanti għal stabbiliment ewlieni. L-istabbiliment ewlieni tal-proċessur għandu jkun il-post fejn tinsab l-amministrazzjoni ċentrali tiegħu fl-Unjoni jew, jekk ma għandux amministrazzjoni ċentrali fl-Unjoni, il-post fejn iseħħu l-attivitajiet ta' pproċessar ewlenin fl-Unjoni. F'każijiet li jinvolvu kemm il-kontrollur kif ukoll il-proċessur, l-awtorità superviżorja ewlenija kompetenti għandha tibqa' l-awtorità superviżorja tal-Istat Membru fejn il-kontrollur ikollu l-istabbiliment ewlieni tiegħu iżda l-awtorità superviżorja tal-proċessur għandha titqies bħala awtorità superviżorja kkonċernata u dik l-awtorità superviżorja għandha tipparteċipa fil-proċedura ta' kooperazzjoni prevista minn dan ir-Regolament. Fi kwalunkwe każ, l-awtoritajiet superviżorji tal-Istat Membru jew l-Istati Membri fejn il-proċessur ikollu stabbiliment wieħed jew aktar m'għandhomx jitqiesu bħala awtoritajiet superviżorji kkonċernati fejn l-abbozz ta' deċiżjoni jikkonċerna biss lill-kontrollur. Fejn l-ipproċessar jitwettaq minn grupp ta' impriżi, l-istabbiliment ewlieni tal-impriża li tikkontrolla għandu jitqies bħala l-istabbiliment ewlieni tal-grupp ta' impriżi, għajr fejn il-finijiet u l-mezzi tal-ipproċessar jiġu ddeterminati minn impriża oħra.

(36) The main establishment of a controller in the Union should be the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union, in which case that other establishment should be considered to be the main establishment. The main establishment of a controller in the Union should be determined according to objective criteria and should imply the effective and real exercise of management activities determining the main decisions as to the purposes and means of processing through stable arrangements. That criterion should not depend on whether the processing of personal data is carried out at that location. The presence and use of technical means and technologies for processing personal data or processing activities do not, in themselves, constitute a main establishment and are therefore not determining criteria for a main establishment. The main establishment of the processor should be the place of its central administration in the Union or, if it has no central administration in the Union, the place where the main processing activities take place in the Union. In cases involving both the controller and the processor, the competent lead supervisory authority should remain the supervisory authority of the Member State where the controller has its main establishment, but the supervisory authority of the processor should be considered to be a supervisory authority concerned and that supervisory authority should participate in the cooperation procedure provided for by this Regulation. In any case, the supervisory authorities of the Member State or Member States where the processor has one or more establishments should not be considered to be supervisory authorities concerned where the draft decision concerns only the controller. Where the processing is carried out by a group of undertakings, the main establishment of the controlling undertaking should be considered to be the main establishment of the group of undertakings, except where the purposes and means of processing are determined by another undertaking.

(37) Grupp ta' impriżi għandu jkopri impriża li tikkontrolla u l-impriżi kkontrollati tagħha, fejn l-impriża li tikkontrolla għandha tkun l-impriża li tista' teżerċita influwenza dominanti fuq l-impriżi l-oħra pereżempju permezz tas-sjieda, il-parteċipazzjoni finanzjarja jew ir-regoli li jirregolawha jew is-setgħa li timplimenta r-regoli dwar il-protezzjoni ta' data personali. Impriża li tikkontrolla l-ipproċessar ta' data personali f'impriżi affiljati magħha għandha titqies, flimkien ma' dawk l-impriżi, bħala “grupp ta' impriżi”.

(37) A group of undertakings should cover a controlling undertaking and its controlled undertakings, whereby the controlling undertaking should be the undertaking which can exert a dominant influence over the other undertakings by virtue, for example, of ownership, financial participation or the rules which govern it or the power to have personal data protection rules implemented. An undertaking which controls the processing of personal data in undertakings affiliated to it should be regarded, together with those undertakings, as a group of undertakings.

Ħalli kumment
[js-disqus]