Artikolu 40 📖 RĠPD (GDPR). Kodiċijiet ta' kondotta

Artikolu 40 RĠPD (GDPR). Kodiċijiet ta' kondotta

Article 40 GDPR. Codes of conduct

1. L-Istati Membri, l-awtoritajiet superviżorji, il-Bord u l-Kummissjoni għandhom jinkoraġġixxu t-tfassil ta’ kodiċijiet ta’ kondotta maħsuba biex jikkontribwixxu għall-applikazzjoni xierqa ta’ dan ir-Regolament, b’kont meħud tal-karatteristiċi speċifiċi tad-diversi setturi tal-ipproċessar u l-ħtiġijiet speċifiċi ta’ impriżi mikro, żgħar u ta’ daqs medju.

1. The Member States, the supervisory authorities, the Board and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking account of the specific features of the various processing sectors and the specific needs of micro, small and medium-sized enterprises.

2. Assoċjazzjonijiet u korpi oħrajn li jirrappreżentaw kategoriji ta’ kontrolluri jew proċessuri jistgħu jħejju kodiċijiet ta’ kondotta, jew jemendaw jew jestendu dawn il-kodiċijiet, bil-għan li jispeċifikaw l-applikazzjoni ta’ dan ir-Regolament, bħal fil-rigward ta’:

2. Associations and other bodies representing categories of controllers or processors may prepare codes of conduct, or amend or extend such codes, for the purpose of specifying the application of this Regulation, such as with regard to:

Premessi

(89) Id-Direttiva 95/46/KE pprevediet obbligu ġenerali biex jiġi nnotifikat l-ipproċessar tad-data personali lill-awtoritajiet superviżorji. Filwaqt li dak l-obbligu jipproduċi oneri amministrattivi u finanzjarji, ma kkontribwixxiex fil-każijiet kollha għat-titjib tal-protezzjoni tad-data personali. Tali obbligi ta' notifika ġenerali bla distinzjonijiet għandhom għalhekk jitneħħew, u jiġu sostitwiti minn proċeduri u mekkaniżmi effettivi li jiffokaw minflok fuq dawk it-tipi ta' attivitajiet ta' pproċessar li x'aktarx li jirriżultaw f'riskju għad-drittijiet u l-libertajiet tal-persuni fiżiċi minħabba n-natura, l-ambitu, il-kuntest u l-għanijiet tagħhom. Tali tipi ta' operazzjonijiet tal-ipproċessar jinkludu, b'mod partikolari, dawk li jinvolvu l-użu ta' teknoloġiji ġodda, jew dawk li huma ta' tip ġdid u li fir-rigward tagħhom il-kontrollur għadu ma wettaqx valutazzjoni tal-impatt fuq il-protezzjoni tad-data, jew fejn valutazzjoni tal-impatt fuq il-protezzjoni tad-data ssir meħtieġa minħabba ż-żmien li għadda mill-ipproċessar inizjali.

(89) Directive 95/46/EC provided for a general obligation to notify the processing of personal data to the supervisory authorities. While that obligation produces administrative and financial burdens, it did not in all cases contribute to improving the protection of personal data. Such indiscriminate general notification obligations should therefore be abolished, and replaced by effective procedures and mechanisms which focus instead on those types of processing operations which are likely to result in a high risk to the rights and freedoms of natural persons by virtue of their nature, scope, context and purposes. Such types of processing operations may be those which in, particular, involve using new technologies, or are of a new kind and where no data protection impact assessment has been carried out before by the controller, or where they become necessary in the light of the time that has elapsed since the initial processing.

(90) F'tali każijiet, għandha ssir valutazzjoni tal-impatt fuq il-protezzjoni tad-data mill-kontrollur qabel l-ipproċessar sabiex jivvaluta l-probabbiltà partikolari u l-gravità tar-riskju għoli, b'kont meħud tan-natura, l-ambitu, il-kuntest u l-għanijiet tal-ipproċessar u s-sorsi tar-riskju. Dik il-valutazzjoni tal-impatt għandha tinkludi b'mod partikolari l-miżuri, is-salvagwardji u l-mekkaniżmi previsti biex jittaffa dak ir-riskju, tiġi żgurata l-protezzjoni tad-data personali u tintwera l-konformità ma' dan ir-Regolament.

(90) In such cases, a data protection impact assessment should be carried out by the controller prior to the processing in order to assess the particular likelihood and severity of the high risk, taking into account the nature, scope, context and purposes of the processing and the sources of the risk. That impact assessment should include, in particular, the measures, safeguards and mechanisms envisaged for mitigating that risk, ensuring the protection of personal data and demonstrating compliance with this Regulation.

(a) l-ipproċessar ġust u trasparenti;

(a) fair and transparent processing;

Testi relatati

Guidelines 4/2019 on Article 25 Data Protection by Design and by Default Version 2.0.

3.1 Transparency [24]

_{[24]Elaboration on how to understand the concept of transparency can be found in Article 29 Working Party. «Guidelines on transparency under Regulation 2016/679». WP 260 rev.01, 11 April 2018. ec.europa.eu/newsroom/article29/document.cfm?action=display&doc_id=51025 — endorsed by the EDPB}

65. The controller must be clear and open with the data subject about how they will collect, use and share personal data. Transparency is about enabling data subjects to understand, and if necessary, make use of their rights in Articles 15 to 22. The principle is embedded in Articles 12, 13, 14 and 34. Measures and safeguards put in place to support the principle of transparency should also support the implementation of these Articles.

66. Key design and default elements for the principle of transparency may include:

•Clarity – Information shall be in clear and plain language, concise and intelligible.

•Semantics – Communication should have a clear meaning to the audience in question.

•Accessibility — Information shall be easily accessible for the data subject.

•Contextual – Information should be provided at the relevant time and in the appropriate form.

•Relevance – Information should be relevant and applicable to the specific data subject.

•Universal design – Information shall be accessible to all data subjects, include use of machine readable languages to facilitate and automate readability and clarity.

•Comprehensible – Data subjects should have a fair understanding of what they can expect with regards to the processing of their personal data, particularly when the data subjects are children or other vulnerable groups.

• Multi-channel – Information should be provided in different channels and media, not only the textual, to increase the probability for the information to effectively reach the data subject.

• Layered – The information should be layered in a manner that resolves the tension between completeness and understanding, while accounting for data subjects’ reasonable expectations.

(b) l-interessi leġittimi segwiti mill-kontrolluri f’kuntesti speċifiċi;

(b) the legitimate interests pursued by controllers in specific contexts;

(c) il-ġbir tad-data personali;

(c) the collection of personal data;

(d) il-psewdonimizzazzjoni ta’ data personali;

(d) the pseudonymisation of personal data;

(e) l-informazzjoni provduta lill-pubbliku u lis-suġġetti tad-data;

(e) the information provided to the public and to data subjects;

(f) l-eżerċitar tad-drittijiet tas-suġġetti tad-data;

(f) the exercise of the rights of data subjects;

(g) l-informazzjoni provduta lil, u l-protezzjoni ta’, minorenni, u l-mod kif jinkiseb il-kunsens tad-detenturi tar-responsabbiltà ta’ ġenituri fir-rigward ta’ minorenni;

(g) the information provided to, and the protection of, children, and the manner in which the consent of the holders of parental responsibility over children is to be obtained;

(h) il-miżuri u l-proċeduri msemmija fl-Artikoli 24 u 25 u l-miżuri biex jiżguraw is-sigurtà tal-ipproċessar imsemmija fl-Artikolu 32;

(h) the measures and procedures referred to in Articles 24 and 25 and the measures to ensure security of processing referred to in Article 32;

Testi relatati

Artikolu 24 RĠPD (GDPR). Suġġett u objettivi

Article 24 GDPR. Subject-matter and objectives

1. B’kont meħud tan-natura, l-ambitu, il-kuntest, u l-għanijiet tal-ipproċessar kif ukoll ir-riskji ta’ probabbiltà u gravità li jvarjaw għad-drittijiet u l-libertajiet tal-persuni fiżiċi, il-kontrollur għandu jimplimenta miżuri tekniċi u organizzattivi adatti biex jiżgura u jkun jista’ juri li l-ipproċessar isir f’konformità ma’ dan ir-Regolament. Dawk il-miżuri għandhom jiġu rieżaminati u aġġornati fejn meħtieġ.

1. Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.

2. Fejn dawn ikunu proporzjonati fir-rigward ta’ attivitajiet ta’ pproċessar, il-miżuri msemmija fil-paragrafu 1 għandhom jinkludu l-implimentazzjoni ta’ politiki adatti dwar il-protezzjoni tad-data mill-kontrollur.

2. Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller.

3. Il-konformità mal-kodiċijiet tal-kondotta kif imsemmi fl-Artikolu 40 jew mekkaniżmi ta’ ċertifikazzjoni approvati kif imsemmi fl-Artikolu 42 jistgħu jintużaw bħala element li bih tintwera l-konformità mal-obbligi tal-kontrollur.

3. Adherence to approved codes of conduct as referred to in Article 40 or approved certification mechanisms as referred to in Article 42 may be used as an element by which to demonstrate compliance with the obligations of the controller.

Artikolu 25 RĠPD (GDPR). Protezzjoni ta' data mid-disinn u b'mod awtomatiku

Article 25 GDPR. Data protection by design and by default

1. Wara li jikkunsidra l-ogħla livell ta’ żvilupp tekniku, l-ispejjeż tal-implimentazzjoni u n-natura, l-ambitu, il-kuntest u l-finijiet tal-ipproċessar kif ukoll ir-riskji ta’ probabbiltà u gravità li jvarjaw għad-drittijiet u l-libertajiet tal-persuni fiżiċi kkawżati mill-ipproċessar, il-kontrollur għandu, kemm fiż-żmien tad-determinazzjoni tal-mezzi għall-ipproċessar kif ukoll fiż-żmien tal-ipproċessar innifsu, jimplimenta miżuri tekniċi u organizzattivi xierqa, bħall-psewdonimizzazzjoni, li huma maħsuba biex jimplimentaw il-prinċipji tal-protezzjoni tad-data, bħalma hija l-minimizzazzjoni tad-data, b’mod effettiv u biex jintegraw is-salvagwardji meħtieġa fl-ipproċessar sabiex jissodisfa r-rekwiżiti ta’ dan ir-Regolament u jipproteġi d-drittijiet tas-suġġetti tad-data.

1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.

2. Il-kontrollur għandu jimplimenta miżuri tekniċi u organizzattivi adatti biex jiżgura li, b’mod awtomatiku, tiġi pproċessata biss data personali li mhijiex meħtieġa għal kull għan speċifiku tal-ipproċessar. Dak l-obbligu japplika għall-ammont ta’ data personali miġbura, il-livell ta’ pproċessar tagħha, il-perijodu tal-ħażna tagħha u l-aċċessibbiltà tagħha. B’mod partikolari, tali mekkaniżmi għandhom jiżguraw li b’mod awtomatiku d-data personali ma ssirx aċċessibbli mingħajr l-intervent tal-individwu għal numru indefinit ta’ persuni fiżiċi.

2. The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.

3. Jista’ jintuża mekkaniżmu ta’ ċertifikazzjoni approvat skont l-Artikolu 42 bħala element li juri l-osservanza tar-rekwiżiti mogħtija fil-paragrafi 1 u 2 ta’ dan l-Artikolu.

3. An approved certification mechanism pursuant to Article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article.

Artikolu 32 RĠPD (GDPR). Sigurtà tal-ipproċessar

Article 32 GDPR. Security of processing

1. Filwaqt li jikkunsidraw l-ogħla livell ta’ żvilupp tekniku, l-ispejjeż tal-implimentazzjoni u in-natura, l-ambitu, il-kuntest, u l-għanijiet tal-ipproċessar kif ukoll ir-riskju ta’ probabbiltà u gravità li jvarjaw għad-drittijiet u l-libertajiet tal-persuni fiżiċi, il-kontrollur u l-proċessur għandhom jimplimentaw miżuri tekniċi u organizzattivi xierqa, biex jiżguraw livell ta’ sigurtà xieraq għar-riskju, inklużi inter alia kif xieraq:

1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

(a) il-psewdonimizzazzjoni u l-kriptaġġ tad-data personali;

(a) the pseudonymisation and encryption of personal data;

(b) il-kapaċità li jiġu żgurati l-kunfidenzjalità, l-integrità, id-disponibbiltà u r-reżiljenza kontinwi tas-sistemi u s-servizzi ta’ pproċessar;

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

(c) il-kapaċità li jiġu restawrati d-disponibbiltà u l-aċċess għad-data personali fil-pront fil-każ ta’ inċident fiżiku jew tekniku;

(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

(d) proċess sabiex tiġi ttestjata, ivvalutata u evalwata l-effettività tal-miżuri tekniċi u organizzattivi li jiżguraw is-sigurtà tal-ipproċessar.

(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

2. Fl-evalwazzjoni tal-livell xieraq ta’ sigurtà ser jitqiesu b’mod partikolari r-riskji li jippreżenta l-ipproċessar, partikolarment minn qerda, telf, bidla, żvelar mhux awtorizzat ta’, jew aċċess għal data personali trażmessa, maħżuna jew ipproċessata mod ieħor, li jkun aċċidentali jew illegali.

2. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

3. L-osservanza ta’ kodiċi ta’ kondotta approvat kif imsemmi fl-Artikolu 40 jew mekkaniżmu ta’ ċertifikazzjoni approvat kif imsemmi fl-Artikolu 42 jistgħu jintużaw bħala element li bih tintwera konformità mar-rekwiżiti stipulati fil-paragrafu 1 ta’ dan l-Artikolu.

3. Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.

4. Il-kontrollur u l-proċessur għandhom jieħdu passi biex jiżguraw li kwalunkwe persuna fiżika li taġixxi taħt l-awtorità tal-kontrollur jew tal-proċessur li jkollhom aċċess għal data personali ma jipproċessawhiex ħlief fuq istruzzjonijiet mingħand il-kontrollur, sakemm ma jkunux meħtieġa jagħmlu dan taħt il-liġi tal-Unjoni jew ta’ Stat Membru.

4. The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.

(i) in-notifika ta’ ksur ta’ data personali lill-awtoritajiet superviżorji u l-komunikazzjoni ta’ tali ksur ta’ data personali lis-suġġetti tad-data;

(i) the notification of personal data breaches to supervisory authorities and the communication of such personal data breaches to data subjects;

(j) trasferiment ta’ data personali lil pajjiżi terzi jew organizzazzjonijiet internazzjonali; jew

(j) the transfer of personal data to third countries or international organisations; or

(k) proċeduri barra l-qorti u proċeduri oħrajn ta’ riżoluzzjoni ta’ tilwim għas-soluzzjoni ta’ tilwim bejn il-kontrolluri u s-suġġetti tad-data fir-rigward tal-ipproċessar, mingħajr preġudizzju għad-drittijiet tas-suġġetti tad-data skont l-Artikoli 77 u 79.

(k) out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects with regard to processing, without prejudice to the rights of data subjects pursuant to Articles 77 and 79.

Testi relatati

Artikolu 77 RĠPD (GDPR). Dritt li jitressaq ilment quddiem awtorità superviżorja

Article 77 GDPR. Right to lodge a complaint with a supervisory authority

1. Mingħajr preġudizzju għal kwalunkwe rimedju amministrattiv jew ġudizzjarju ieħor, kull suġġett tad-data għandu d-dritt li jressaq ilment quddiem awtorità superviżorja, b’mod partikolari fl-Istat Membru tar-residenza abitwali tiegħu, il-post tax-xogħol tiegħu jew il-post tal-ksur allegat, jekk is-suġġett tad-data jqis li l-ipproċessar ta’ data personali dwaru jikser dan ir-Regolament.

1. Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.

2. L-awtorità superviżorja li magħha jkun sar l-ilment għandha tinforma lill-ilmentatur dwar il-progress u l-eżitu tal-ilment inkluża l-possibbiltà ta’ rimedju ġudizzjarju skont l-Artikolu 78.

2. The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78.

Artikolu 79 RĠPD (GDPR). Dritt għal rimedju ġudizzjarju effettiv kontra kontrollur jew proċessur

Article 79 GDPR. Right to an effective judicial remedy against a controller or processor

1. Mingħajr preġudizzju għal kwalunkwe rimedju amministrattiv jew mhux ġudizzjarju disponibbli, inkluż id-dritt li jitressaq ilment quddiem awtorità superviżorja skont l-Artikolu 77, kull suġġett tad-data għandu d-dritt għal rimedju ġudizzjarju effettiv fejn jikkunsidra li nkisru d-drittijiet tiegħu taħt dan ir-Regolament b’riżultat tal-ipproċessar tad-data personali tiegħu b’nuqqas ta’ konformità ma’ dan ir-Regolament.

1. Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.

2. Proċedimenti kontra kontrollur jew proċessur għandhom jitressqu quddiem il-qrati tal-Istat Membru fejn il-kontrollur jew il-proċessur ikollu stabbiliment. B’mod alternattiv, tali proċedimenti jistgħu jitressqu quddiem il-qrati tal-Istat Membru fejn is-suġġett tad-data jkollu r-residenza abitwali tiegħu, sakemm il-kontrollur jew il-proċessur ma jkunx awtorità pubblika ta’ Stat Membru li taġixxi fl-eżerċizzju tas-setgħat pubbliċi tagħha.

2. Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.

3. Minbarra l-konformità mill-kontrolluri jew il-proċessuri suġġett għal dan ir-Regolament, il-kodiċijiet ta’ kondotta approvati skont il-paragrafu 5 ta’ dan l-Artikolu u li jkollhom validità ġenerali skont il-paragrafu 9 ta’ dan l-Artikolu jistgħu wkoll jiġu osservati minn kontrolluri jew proċessuri li mhumiex soġġetti għal dan ir-Regolament skont l-Artikolu 3 sabiex jipprovdu salvagwardji xierqa fi ħdan il-qafas ta’ trasferimenti ta’ data personali lejn pajjiżi terzi jew organizzazzjonijiet internazzjonali skont it-termini msemmija fil-punt (e) tal-Artikolu 46(2). Tali kontrolluri jew proċessuri għandhom jieħdu impenji vinkolanti u eżegwibbli, permezz ta’ strumenti kuntrattwali jew strumenti legalment vinkolanti oħra, biex japplikaw dawk is-salvagwardji xierqa, inkluż fir-rigward tad-drittijiet tas-suġġetti tad-data.

3. In addition to adherence by controllers or processors subject to this Regulation, codes of conduct approved pursuant to paragraph 5 of this Article and having general validity pursuant to paragraph 9 of this Article may also be adhered to by controllers or processors that are not subject to this Regulation pursuant to Article 3 in order to provide appropriate safeguards within the framework of personal data transfers to third countries or international organisations under the terms referred to in point (e) of Article 46(2). Such controllers or processors shall make binding and enforceable commitments, via contractual or other legally binding instruments, to apply those appropriate safeguards including with regard to the rights of data subjects.

Testi relatati

Artikolu 3 RĠPD (GDPR). Kamp ta' applikazzjoni territorjali

Article 3 GDPR. Territorial scope

1. Dan ir-Regolament japplika għall-ipproċessar tad-data personali fil-kuntest tal-attivitajiet ta’ stabbilment ta’ kontrollur jew proċessur fl-Unjoni, indipendentement minn jekk l-ipproċessar iseħħx fl-Unjoni jew le.

1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

2. Dan ir-Regolament japplika għall-ipproċessar tad-data personali ta’ suġġetti tad-data li jinsabu fl-Unjoni minn kontrollur jew proċessur mhux stabbilit fl-Unjoni, meta l-attivitajiet ta’ pproċessar huma relatati ma’:

2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

(a) l-offerta ta’ prodotti jew servizzi, irrispettivament jekk ikunx meħtieġ ħlas mis-suġġett tad-data, għal tali suġġetti tad-data fl-Unjoni; jew

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

(b) il-monitoraġġ tal-imġiba tagħhom sakemm l-imġiba tagħhom isseħħ fl-Unjoni.

(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

3. Dan ir-Regolament japplika għall-ipproċessar tad-data personali minn kontrollur mhux stabbilit fl-Unjoni, iżda f’post fejn tapplika l-liġi ta’ Stat Membru permezz tal-liġi internazzjonali pubblika.

3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

Artikolu 46 RĠPD (GDPR). Trasferimenti soġġetti għal salvagwardji xierqa

Article 46 GDPR. Transfers subject to appropriate safeguards

[…]

2. Is-salvagwardji xierqa msemmija fil-paragrafu 1 jistgħu jkunu previsti, mingħajr ma jkun jinħtieġ ebda awtorizzazzjoni speċifika minn awtorità superviżorja, permezz ta’:

2. The appropriate safeguards referred to in paragraph 1 may be provided for, without requiring any specific authorisation from a supervisory authority, by:

[…]

(e) kodiċi ta’ kondotta approvat skont l-Artikolu 40 flimkien ma’ impenji vinkolanti u infurzabbli tal-kontrollur jew il-proċessur fil-pajjiż terz biex jiġu applikati s-salvagwardji xierqa, inkluż fir-rigward tad-drittijiet tas-suġġetti tad-data; jew

(e) an approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights; or

4. Kodiċi ta’ kondotta msemmi fil-paragrafu 2 ta’ dan l-Artikolu għandu jkun fih mekkaniżmi li jippermettu lill-korp imsemmi fl-Artikolu 41(1) biex iwettaq il-monitoraġġ obbligatorju ta’ konformità mad-dispożizzjonijiet tiegħu mill-kontrolluri jew il-proċessuri li japplikawh, mingħajr preġudizzju għall-kompiti u s-setgħat tal-awtoritajiet superviżorji li huma kompetenti skont l-Artikolu 55 jew 56.

4. A code of conduct referred to in paragraph 2 of this Article shall contain mechanisms which enable the body referred to in Article 41(1) to carry out the mandatory monitoring of compliance with its provisions by the controllers or processors which undertake to apply it, without prejudice to the tasks and powers of supervisory authorities competent pursuant to Article 55 or 56.

Testi relatati

Artikolu 41 RĠPD (GDPR). Monitoraġġ ta' kodiċijiet ta' kondotta approvati

Article 41 GDPR. Monitoring of approved codes of conduct

1. Mingħajr preġudizzju għall-kompiti u s-setgħat tal-awtorità superviżorja kompetenti taħt l-Artikoli 57 u 58, il-monitoraġġ tal-konformità ma’ kodiċi ta’ kondotta skont l-Artikolu 40, jista’ jitwettaq minn korp li għandu l-livell xieraq ta’ għarfien espert b’rabta mas-suġġett tal-kodiċi u huwa akkreditat għal dak il-għan mill-awtorità superviżorja kompetenti.

1. Without prejudice to the tasks and powers of the competent supervisory authority under Articles 57 and 58, the monitoring of compliance with a code of conduct pursuant to Article 40 may be carried out by a body which has an appropriate level of expertise in relation to the subject-matter of the code and is accredited for that purpose by the competent supervisory authority.

[…]

Artikolu 55 RĠPD (GDPR). Kompetenza

Article 55 GDPR. Competence

Artikolu 56 RĠPD (GDPR). Kompetenza tal-awtorità superviżorja ewlenija

Article 56 GDPR. Competence of the lead supervisory authority

5. L-assoċjazzjonijiet u korpi oħra msemmija fil-paragrafu 2 ta’ dan l-Artikolu li għandhom l-għan li jħejju kodiċi ta’ kondotta jew li jemendaw jew jestendu kodiċi eżistenti, għandhom jippreżentaw l-abbozz ta’ kodiċi, l-emenda jew l-estensjoni lill-awtorità superviżorja li hija kompetenti skont l-Artikolu 55. L-awtorità superviżorja għandha tipprovdi opinjoni dwar jekk l-abbozz ta’ kodiċi, l-emenda jew l-estensjoni jikkonformawx ma’ dan ir-Regolament u għandha tapprova tali abbozz ta’ kodiċi, emenda jew estensjoni jekk hija tqis li jipprovdu biżżejjed salvagwardji xierqa.

5. Associations and other bodies referred to in paragraph 2 of this Article which intend to prepare a code of conduct or to amend or extend an existing code shall submit the draft code, amendment or extension to the supervisory authority which is competent pursuant to Article 55. The supervisory authority shall provide an opinion on whether the draft code, amendment or extension complies with this Regulation and shall approve that draft code, amendment or extension if it finds that it provides sufficient appropriate safeguards.

Testi relatati

Artikolu 55 RĠPD (GDPR). Kompetenza

Article 55 GDPR. Competence

6. Fejn l-opinjoni msemmija fil-paragrafu 5 tapprova l-abbozz ta’ kodiċi, jew l-emenda jew l-estensjoni, u fejn il-kodiċi ta’ kondotta konċernat mhux marbut mal-attivitajiet ta’ pproċessar f’bosta Stati Membri, l-awtorità superviżorja għandha tirreġistra u tippubblika l-kodiċi.

6. Where the draft code, or amendment or extension is approved in accordance with paragraph 5, and where the code of conduct concerned does not relate to processing activities in several Member States, the supervisory authority shall register and publish the code.

7. Fejn abbozz ta’ kodiċi ta’ kondotta huwa marbut mal-attivitajiet ta’ pproċessar f’bosta Stati Membri, l-awtorità superviżorja li hi kompetenti skont l-Artikolu 55 għandha, qabel ma tapprova l-abbozz ta’ kodiċi, l-emenda jew l-estensjoni, tippreżentahom fil-proċedura msemmija fl-Artikolu 63 lill-Bord li għandu jagħti opinjoni dwar jekk l-abbozz ta’ kodiċi, l-emenda jew l-estensjoni jikkonformawx ma’ dan ir-Regolament jew, fil-każ imsemmi fil-paragrafu 3 ta’ dan l-Artikolu, jipprovdux salvagwardji xierqa.

7. Where a draft code of conduct relates to processing activities in several Member States, the supervisory authority which is competent pursuant to Article 55 shall, before approving the draft code, amendment or extension, submit it in the procedure referred to in Article 63 to the Board which shall provide an opinion on whether the draft code, amendment or extension complies with this Regulation or, in the situation referred to in paragraph 3 of this Article, provides appropriate safeguards.

Testi relatati

Artikolu 55 RĠPD (GDPR). Kompetenza

Article 55 GDPR. Competence

Artikolu 63 RĠPD (GDPR). Mekkaniżmu ta' konsistenza

Article 63 GDPR. Consistency mechanism

Sabiex jikkontribwixxu għall-applikazzjoni konsistenti ta’ dan ir-Regolament fl-Unjoni kollha, l-awtoritajiet superviżorji għandhom jikkooperaw ma’ xulxin u, fejn rilevanti, mal-Kummissjoni, permezz tal-mekkaniżmu ta’ konsistenza kif stabbilit f’din it-Taqsima.

In order to contribute to the consistent application of this Regulation throughout the Union, the supervisory authorities shall cooperate with each other and, where relevant, with the Commission, through the consistency mechanism as set out in this Section.

8. Fejn l-opinjoni msemmija fil-paragrafu 7 tikkonferma li l-abbozz ta’ kodiċi, l-emenda jew l-estensjoni, jikkonformaw ma’ dan ir-Regolament, jew, fis-sitwazzjoni msemmija fil-paragrafu 3, jipprovdu salvagwardji xierqa, il-Bord għandu jippreżenta l-opinjoni tiegħu lill-Kummissjoni.

8. Where the opinion referred to in paragraph 7 confirms that the draft code, amendment or extension complies with this Regulation, or, in the situation referred to in paragraph 3, provides appropriate safeguards, the Board shall submit its opinion to the Commission.

9. Il-Kummissjoni tista’, permezz ta’ atti ta’ implimentazzjoni, tiddeċiedi li l-kodiċijiet ta’ kondotta, l-emendi jew l-estensjonijiet approvati ppreżentati lilha skont il-paragrafu 8 ta’ dan l-Artikolu għandhom validità ġenerali fi ħdan l-Unjoni. Dawk l-atti ta’ implimentazzjoni għandhom jiġu adottati skont il-proċedura ta’ eżami stabbilita fl-Artikolu 93(2).

9. The Commission may, by way of implementing acts, decide that the approved code of conduct, amendment or extension submitted to it pursuant to paragraph 8 of this Article have general validity within the Union. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 93(2).

Testi relatati

Artikolu 93 RĠPD (GDPR). Proċedura ta' kumitat

Article 93 GDPR. Committee procedure

[…]

2. Fejn issir referenza għal dan il-paragrafu, għandu japplika l-Artikolu 5 tar-Regolament (UE) Nru 182/2011.

2. Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply.

[…]

10. Il-Kummissjoni għandha tiżgura r-reklamar xieraq għall-kodiċijiet approvati li jkun ġie deċiż li għandhom validità ġenerali skont il-paragrafu 9.

10. The Commission shall ensure appropriate publicity for the approved codes which have been decided as having general validity in accordance with paragraph 9.

11. Il-Bord għandu jiġbor il-kodiċijiet ta’ kondotta, l-emendi u l-estensjonijiet kollha f’reġistru u għandu jagħmilhom disponibbli għall-pubbliku b’mezzi xierqa.

11. The Board shall collate all approved codes of conduct, amendments and extensions in a register and shall make them publicly available by way of appropriate means.

Regolament Ġenerali dwar il-Protezzjoni tad-Data (RĠPD, GDPR)

General Data Protection Regulation (EU GDPR)

The latest consolidated version of the Regulation with corrections by Corrigendum, OJ L 127, 23.5.2018, p. 2 ((EU) 2016/679). Source: EUR-lex.

ISO 27701 Premessi Linji ta 'Gwida & Ġurisprudenza Ħalli kumment

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added a requirement additional to ISO/IEC 27001, section 4.1.

Here is the relevant paragraph to article 40 GDPR:

5.2.1 Understanding the organization and its context

The organization shall include among its interested parties (see ISO/IEC 27001:2013, 4.2), those parties having interests or responsibilities associated with the processing of PII, including the PII principals.

(EN) […]

(EN) Sign in
to read the full text

Premessi

(98) L-assoċjazzjonijiet jew korpi oħrajn li jirrappreżentaw kategoriji ta' kontrolluri jew proċessuri għandhom ikunu mħeġġa jfasslu kodiċijiet ta' kondotta, fil-limiti ta' dan ir-Regolament, sabiex jiffaċilitaw l-applikazzjoni effettiva ta' dan ir-Regolament, filwaqt li jikkunsidraw il-karatteristiċi speċifiċi tal-ipproċessar li jsir f'ċerti setturi u l-ħtiġijiet speċifiċi tal-mikrointrapriżi, l-intrapriżi ż-żgħar u dawk ta' daqs medju. B'mod partikolari, tali kodiċijiet ta' kondotta jistgħu jikkalibraw l-obbligi tal-kontrolluri u l-proċessuri, b'kont meħud tar-riskju li x'aktarx jirriżulta mill-ipproċessar għad-drittijiet u l-libertajiet tal-persuni fiżiċi.

(98) Associations or other bodies representing categories of controllers or processors should be encouraged to draw up codes of conduct, within the limits of this Regulation, so as to facilitate the effective application of this Regulation, taking account of the specific characteristics of the processing carried out in certain sectors and the specific needs of micro, small and medium enterprises. In particular, such codes of conduct could calibrate the obligations of controllers and processors, taking into account the risk likely to result from the processing for the rights and freedoms of natural persons.

(99) Meta jfasslu kodiċi ta' kondotta, jew meta jemendaw jew jestendu tali kodiċi, l-assoċjazzjonijiet u korpi oħrajn li jirrappreżentaw kategoriji ta' kontrolluri jew proċessuri għandhom jikkonsultaw mal-partijiet interessati rilevanti, inklużi s-suġġetti tad-data fejn fattibbli, u jikkunsidraw is-sottomissjonijiet li jkunu rċevew u l-fehmiet espressi b'rispons għal dawn il-konsultazzjonijiet.

(99) When drawing up a code of conduct, or when amending or extending such a code, associations and other bodies representing categories of controllers or processors should consult relevant stakeholders, including data subjects where feasible, and have regard to submissions received and views expressed in response to such consultations.

Linji ta 'Gwida & Ġurisprudenza

(EN)

Document

EDPB, Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679 (2019).

EDPB, Guidelines 4/2021 on Codes of Conduct as Tools for Transfers (2021).

Ħalli kumment

[js-disqus]