Artikolu 42 📖 RĠPD (GDPR). Ċertifikazzjoni

Artikolu 42 RĠPD (GDPR). Ċertifikazzjoni

Article 42 GDPR. Certification

1. L-Istati Membri, l-awtoritajiet superviżorji, il-Bord u l-Kummissjoni għandhom jinkoraġġixxu, b’mod partikolari fil-livell tal-Unjoni, l-istabbiliment ta’ mekkaniżmi ta’ ċertifikazzjoni ta’ protezzjoni tad-data u ta’ siġilli u marki tal-protezzjoni tad-data, bil-għan li juru l-konformità ma’ dan ir-Regolament ta’ attivitajiet ta’ pproċessar mill-kontrolluri u mill-proċessuri. Għandu jittieħed kont tal-ħtiġijiet speċifiċi tal-impriżi mikro, żgħar u ta’ daqs medju.

1. The Member States, the supervisory authorities, the Board and the Commission shall encourage, in particular at Union level, the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors. The specific needs of micro, small and medium-sized enterprises shall be taken into account.

2. Minbarra l-aderenza minn kontrolluri jew proċessuri soġġetti għal dan ir-Regolament, jistgħu jiġu stabbiliti mekkaniżmi ta’ ċertifikazzjoni ta’ protezzjoni tad-data, siġilli jew marki approvati skont il-paragrafu 5 ta’ dan l-Artikolu għall-għan li tintwera l-eżistenza ta’ salvagwardji xierqa pprovduti minn kontrolluri jew proċessuri li mhumiex soġġetti għal dan ir-Regolament skont l-Artikolu 3 fil-qafas ta’ trasferimenti ta’ data personali lejn pajjiżi terzi jew organizzazzjonijiet internazzjonali skont it-termini msemmija fil-punt (f) tal-Artikolu 46(2). Tali kontrolluri jew proċessuri għandhom jieħdu impenji vinkolanti u infurzabbli, permezz ta’ strumenti kuntrattwali jew legalment vinkolanti oħrajn, biex japplikaw dawk is-salvagwardji xierqa, inkluż fir-rigward tad-drittijiet tas-suġġetti tad-data.

2. In addition to adherence by controllers or processors subject to this Regulation, data protection certification mechanisms, seals or marks approved pursuant to paragraph 5 of this Article may be established for the purpose of demonstrating the existence of appropriate safeguards provided by controllers or processors that are not subject to this Regulation pursuant to Article 3 within the framework of personal data transfers to third countries or international organisations under the terms referred to in point (f) of Article 46(2). Such controllers or processors shall make binding and enforceable commitments, via contractual or other legally binding instruments, to apply those appropriate safeguards, including with regard to the rights of data subjects.

Testi relatati

Artikolu 3 RĠPD (GDPR). Kamp ta' applikazzjoni territorjali

Article 3 GDPR. Territorial scope

Artikolu 46 RĠPD (GDPR). Trasferimenti soġġetti għal salvagwardji xierqa

Article 46 GDPR. Transfers subject to appropriate safeguards

1. Fin-nuqqas ta’ deċiżjoni skont l-Artikolu 45(3), kontrollur jew proċessur jista’ jittrasferixxi data personali lejn pajjiż terz jew organizzazzjoni internazzjonali biss jekk il-kontrollur jew il-proċessur ikun ipprovda salvagwardji xierqa, u bil-kondizzjoni li jkunu disponibbli drittijiet infurzabbli tas-suġġett tad-data u rimedji legali effettivi għas-suġġetti tad-data.

1. In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

2. Is-salvagwardji xierqa msemmija fil-paragrafu 1 jistgħu jkunu previsti, mingħajr ma jkun jinħtieġ ebda awtorizzazzjoni speċifika minn awtorità superviżorja, permezz ta’:

2. The appropriate safeguards referred to in paragraph 1 may be provided for, without requiring any specific authorisation from a supervisory authority, by:

[…]

(f) mekkaniżmu approvat ta’ ċertifikazzjoni skont l-Artikolu 42 flimkien ma’ impenji vinkolanti u infurzabbli tal-kontrollur jew il-proċessur fil-pajjiż terz biex jiġu applikati s-salvagwardji xierqa, inkluż fir-rigward tad-drittijiet tas-suġġetti tad-data.

(f) an approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights.

[…]

3. Iċ-ċertifikazzjoni għandha tkun volontarja u disponibbli permezz ta’ proċess li jkun trasparenti.

3. The certification shall be voluntary and available via a process that is transparent.

4. Ċertifikazzjoni skont dan l-Artikolu ma tnaqqasx ir-responsabbiltà tal-kontrollur jew il-proċessur għall-konformità ma’ dan ir-Regolament u huwa mingħajr preġudizzju għall-kompiti u s-setgħat tal-awtoritajiet superviżorji li huma kompetenti skont l-Artikolu 55 jew 56.

4. A certification pursuant to this Article does not reduce the responsibility of the controller or the processor for compliance with this Regulation and is without prejudice to the tasks and powers of the supervisory authorities which are competent pursuant to Article 55 or 56.

Testi relatati

Artikolu 55 RĠPD (GDPR). Kompetenza

Article 55 GDPR. Competence

1. Kull awtorità superviżorja għandha tkun kompetenti biex twettaq il-kompiti assenjati lilha u l-eżerċizzju tas-setgħat ikkonferiti lilha f’konformità ma’ dan ir-Regolament fit-territorju tal-Istat Membru tagħha stess.

1. Each supervisory authority shall be competent for the performance of the tasks assigned to and the exercise of the powers conferred on it in accordance with this Regulation on the territory of its own Member State.

2. Fejn l-ipproċessar titwettaq minn awtoritajiet pubbliċi jew korpi privati li jaġixxu abbażi tal-punt (c) jew (e) tal-Artikolu 6(1), għandha tkun kompetenti l-awtorità superviżorja tal-Istat Membru kkonċernat. F’tali każijiet ma japplikax l-Artikolu 56.

2. Where processing is carried out by public authorities or private bodies acting on the basis of point (c) or (e) of Article 6(1), the supervisory authority of the Member State concerned shall be competent. In such cases Article 56 does not apply.

3. L-awtoritajiet superviżorji ma għandhomx ikunu kompetenti li jissorveljaw l-attivitajiet ta’ pproċessar ta’ qrati li jaġixxu fil-kapaċità ġudizzjarja tagħhom.

3. Supervisory authorities shall not be competent to supervise processing operations of courts acting in their judicial capacity.

Artikolu 56 RĠPD (GDPR). Kompetenza tal-awtorità superviżorja ewlenija

Article 56 GDPR. Competence of the lead supervisory authority

1. Mingħajr preġudizzju għall-Artikolu 55, l-awtorità superviżorja tal-istabbiliment ewlieni jew tal-istabbiliment uniku tal-kontrollur jew il-proċessur għandha tkun kompetenti biex taġixxi bħala l-awtorità superviżorja ewlenija għall-ipproċessar transkonfinali li jsir minn dak il-kontrollur jew proċessur f’konformità mal-proċedura prevista fl-Artikolu 60.

1. Without prejudice to Article 55, the supervisory authority of the main establishment or of the single establishment of the controller or processor shall be competent to act as lead supervisory authority for the cross-border processing carried out by that controller or processor in accordance with the procedure provided in Article 60.

2. B’deroga mill-paragrafu 1, kull awtorità superviżorja għandha tkun kompetenti biex tittratta lment imressaq lilha jew ksur possibbli ta’ dan ir-Regolament, jekk is-suġġett ikun marbut biss ma’ stabbiliment fl-Istat Membru tagħha jew jaffettwa b’mod sostanzjali suġġetti tad-data fl-Istat Membru tagħha biss.

2. By derogation from paragraph 1, each supervisory authority shall be competent to handle a complaint lodged with it or a possible infringement of this Regulation, if the subject matter relates only to an establishment in its Member State or substantially affects data subjects only in its Member State.

3. Fil-każijiet imsemmija fil-paragrafu 2 ta’ dan l-Artikolu, l-awtorità superviżorja għandha tinforma lill-awtorità superviżorja ewlenija mingħajr dewmien dwar dik il-kwistjoni. F’perijodu ta’ tliet ġimgħat wara li tiġi infurmata l-awtorità superviżorja ewlenija għandha tiddeċiedi jekk hux ser tittratta l-każ f’konformità mal-proċedura prevista fl-Artikolu 60, billi tieħu kont ta’ jekk hemm jew m’hemmx stabbiliment tal-kontrollur jew il-proċessur fl-Istat Membru li l-awtorità superviżorja tkun infurmatha bih.

3. In the cases referred to in paragraph 2 of this Article, the supervisory authority shall inform the lead supervisory authority without delay on that matter. Within a period of three weeks after being informed the lead supervisory authority shall decide whether or not it will handle the case in accordance with the procedure provided in Article 60, taking into account whether or not there is an establishment of the controller or processor in the Member State of which the supervisory authority informed it.

4. Fejn l-awtorità superviżorja ewlenija tiddeċiedi li tittratta l-każ, għandha tapplika l-proċedura prevista fl-Artikolu 60. L-awtorità superviżorja li tkun infurmat lill-awtorità superviżorja ewlenija tista’ tissottometti abbozz għal deċiżjoni lill-awtorità superviżorja ewlenija. L-awtorità superviżorja ewlenija għandha tieħu kont bl-akbar reqqa dak l-abbozz meta tkun qed tħejji l-abbozz ta’ deċiżjoni msemmi fl-Artikolu 60(3).

4. Where the lead supervisory authority decides to handle the case, the procedure provided in Article 60 shall apply. The supervisory authority which informed the lead supervisory authority may submit to the lead supervisory authority a draft for a decision. The lead supervisory authority shall take utmost account of that draft when preparing the draft decision referred to in Article 60(3).

5. Fejn il-awtorità superviżorja ewlenija tiddeċiedi li ma tittrattax il-każ, l-awtorità superviżorja li tkun infurmat lill-awtorità superviżorja ewlenija għandha tittrattah skont l-Artikoli 61 u 62.

5. Where the lead supervisory authority decides not to handle the case, the supervisory authority which informed the lead supervisory authority shall handle it according to Articles 61 and 62.

6. L-awtorità superviżorja ewlenija għandha tkun l-interlokutur uniku tal-kontrollur jew il-proċessur għall-ipproċessar transkonfinali li jsir minn dak il-kontrollur jew proċessur.

6. The lead supervisory authority shall be the sole interlocutor of the controller or processor for the cross-border processing carried out by that controller or processor.

5. Ċertifikazzjoni skont dan l-Artikolu għandha tinħareġ mill-korpi ta’ ċertifikazzjoni msemmija fl-Artikolu 43, jew mill-awtorità superviżorja kompetenti abbażi ta’ kriterji approvati mill-awtorità superviżorja kompetenti jew mill-Bord, skont l-Artikolu 63. Fejn il-kriterji huma approvati mill-Bord, dan jista’ jirriżulta f’ċertifikazzjoni komuni, is-Siġill Ewropew għall-Protezzjoni tad-Data.

5. A certification pursuant to this Article shall be issued by the certification bodies referred to in Article 43 or by the competent supervisory authority, on the basis of criteria approved by that competent supervisory authority pursuant to Article 58(3) or by the Board pursuant to Article 63. Where the criteria are approved by the Board, this may result in a common certification, the European Data Protection Seal.

Testi relatati

Artikolu 43 RĠPD (GDPR). Korpi ta' ċertifikazzjoni

Article 43 GDPR. Certification bodies

Artikolu 58 RĠPD (GDPR). Setgħat

Article 58 GDPR. Powers

[…]

3. Kull awtorità superviżorja għandu jkollha s-setgħat kollha konsultattivi u ta’ awtorizzazzjoni li ġejjin:

3. Each supervisory authority shall have all of the following authorisation and advisory powers:

(a) li tagħti parir lill-kontrollur f’konformità mal-proċedura ta’ konsultazzjoni minn qabel imsemmija fl-Artikolu 36;

(a) to advise the controller in accordance with the prior consultation procedure referred to in Article 36;

(b) li tagħti, fuq l-inizjattiva tagħha stess jew fuq talba, opinjonijiet lill-parlament nazzjonali, il-gvern tal-Istat Membru jew, f’konformità mal-liġi tal-Istat Membru, lil istituzzjonijiet u korpi oħra kif ukoll lill-pubbliku dwar kwalunkwe kwistjoni marbuta mal-protezzjoni tad-data personali;

(b) to issue, on its own initiative or on request, opinions to the national parliament, the Member State government or, in accordance with Member State law, to other institutions and bodies as well as to the public on any issue related to the protection of personal data;

(c) li tawtorizza l-ipproċessar imsemmi fl-Artikolu 36(5), jekk il-liġi tal-Istat Membru teħtieġ tali awtorizzazzjoni minn qabel;

(c) to authorise processing referred to in Article 36(5), if the law of the Member State requires such prior authorisation;

(d) li toħroġ opinjoni u tapprova abbozzi ta’ kodiċijiet ta’ kondotta skont l-Artikolu 40(5);

(d) to issue an opinion and approve draft codes of conduct pursuant to Article 40(5);

(e) li takkredita korpi ta’ ċertifikazzjoni skont l-Artikolu 43;

(e) to accredit certification bodies pursuant to Article 43;

(f) li toħroġ ċertifikazzjonijiet u tapprova kriterji ta’ ċertifikazzjoni f’konformità mal-Artikolu 42(5);

(f) to issue certifications and approve criteria of certification in accordance with Article 42(5);

(g) li tadotta l-klawżoli standard ta’ protezzjoni tad-data msemmija fl-Artikolu 28(8) u fil-punt (d) tal-Artikolu 46(2);

(g) to adopt standard data protection clauses referred to in Article 28(8) and in point (d) of Article 46(2);

(h) li tawtorizza l-klawżoli kuntrattwali msemmija fil-punt (a) tal-Artikolu 46(3);

(h) to authorise contractual clauses referred to in point (a) of Article 46(3);

(i) li tawtorizza l-arranġamenti amministrattivi msemmija fil-punt (b) tal-Artikolu 46(3);

(i) to authorise administrative arrangements referred to in point (b) of Article 46(3);

(j) li tapprova regoli korporattivi vinkolanti skont l-Artikolu 47.

(j) to approve binding corporate rules pursuant to Article 47.

[…]

Artikolu 63 RĠPD (GDPR). Mekkaniżmu ta' konsistenza

Article 63 GDPR. Consistency mechanism

Sabiex jikkontribwixxu għall-applikazzjoni konsistenti ta’ dan ir-Regolament fl-Unjoni kollha, l-awtoritajiet superviżorji għandhom jikkooperaw ma’ xulxin u, fejn rilevanti, mal-Kummissjoni, permezz tal-mekkaniżmu ta’ konsistenza kif stabbilit f’din it-Taqsima.

In order to contribute to the consistent application of this Regulation throughout the Union, the supervisory authorities shall cooperate with each other and, where relevant, with the Commission, through the consistency mechanism as set out in this Section.

6. Il-kontrollur jew il-proċessur li jissottometti l-ipproċessar tiegħu għall-mekkaniżmu ta’ ċertifikazzjoni għandu jipprovdi lill-korp ta’ ċertifikazzjoni msemmi fl-Artikolu 43, jew fejn applikabbli, l-awtorità superviżorja kompetenti, bl-informazzjoni kollha u l-aċċess għall-attivitajiet ta’ pproċessar tiegħu li huma meħtieġa biex titwettaq il-proċedura ta’ ċertifikazzjoni.

6. The controller or processor which submits its processing to the certification mechanism shall provide the certification body referred to in Article 43, or where applicable, the competent supervisory authority, with all information and access to its processing activities which are necessary to conduct the certification procedure.

Testi relatati

Artikolu 43 RĠPD (GDPR). Korpi ta' ċertifikazzjoni

Article 43 GDPR. Certification bodies

7. Iċ-ċertifikazzjoni għandha tinħareġ lil kontrollur jew proċessur għal perijodu massimu ta’ tliet snin u tista’ tiġġedded, skont l-istess kondizzjonijiet, sakemm jibqgħu jiġu sodisfatti r-rekwiżiti rilevanti. Iċ-ċertifikazzjoni għandha tiġi rtirata, fejn applikabbli, mill-korpi ta’ ċertifikazzjoni msemmija fl-Artikolu 43, jew mill-awtorità superviżorja kompetenti fejn ma jiġux sodisfatti jew ma jibqgħux jiġu sodisfatti r-rekwiżiti għaċ-ċertifikazzjoni.

7. Certification shall be issued to a controller or processor for a maximum period of three years and may be renewed, under the same conditions, provided that the relevant criteria continue to be met. Certification shall be withdrawn, as applicable, by the certification bodies referred to in Article 43 or by the competent supervisory authority where the criteria for the certification are not or are no longer met.

Testi relatati

Artikolu 43 RĠPD (GDPR). Korpi ta' ċertifikazzjoni

Article 43 GDPR. Certification bodies

8. Il-Bord għandu jiġbor il-mekkaniżmi ta’ ċertifikazzjoni u s-siġilli u l-marki għall-protezzjoni tad-data kollha f’reġistru u għandu jagħmilhom disponibbli għall-pubbliku permezz ta’ kwalunkwe mezz xieraq.

8. The Board shall collate all certification mechanisms and data protection seals and marks in a register and shall make them publicly available by any appropriate means.

Regolament Ġenerali dwar il-Protezzjoni tad-Data (RĠPD, GDPR)

General Data Protection Regulation (EU GDPR)

The latest consolidated version of the Regulation with corrections by Corrigendum, OJ L 127, 23.5.2018, p. 2 ((EU) 2016/679). Source: EUR-lex.

ISO 27701 Premessi Linji ta 'Gwida & Ġurisprudenza Ħalli kumment

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added a requirement additional to ISO/IEC 27001, section 4.1.

Here is the relevant paragraph to article 42 GDPR:

5.2.1 Understanding the organization and its context

The organization shall include among its interested parties (see ISO/IEC 27001:2013, 4.2), those parties having interests or responsibilities associated with the processing of PII, including the PII principals.

(EN) […]

(EN) Sign in
to read the full text

Premessi

(100) Sabiex jitjiebu t-trasparenza u l-konformità ma' dan ir-Regolament, għandu jiġi mħeġġeġ l-istabbiliment ta' mekkaniżmi ta' ċertifikazzjoni u siġilli u marki ta' protezzjoni tad-data, sabiex jippermettu lis-suġġetti tad-data li jivvalutaw rapidament il-livell ta' protezzjoni tad-data ta' prodotti u servizzi rilevanti.

(100) In order to enhance transparency and compliance with this Regulation, the establishment of certification mechanisms and data protection seals and marks should be encouraged, allowing data subjects to quickly assess the level of data protection of relevant products and services.

Linji ta 'Gwida & Ġurisprudenza

(EN)

Document

EDPB, Guidelines 1/2018 on Certification and Identifying Certification Criteria in Accordance with Articles 42 and 43 of the Regulation (2019).

EDPB, Opinion 1/2022on the draft decision of the Luxembourg Supervisory Authority regarding the GDPR – CARPA certification criteria (2022).

Ħalli kumment

[js-disqus]