Navigazzjoni
RĠPD (GDPR) > Artikolu 6. Legalità tal-ipproċessar
Download PDF

Artikolu 6 RĠPD (GDPR). Legalità tal-ipproċessar

Article 6 GDPR. Lawfulness of processing

1. L-ipproċessar għandu jkun legali biss jekk u safejn mill-inqas ikun japplika wieħed mill-punti li ġejjin:

1. Processing shall be lawful only if and to the extent that at least one of the following applies:

(a) is-suġġett tad-data jkun ta l-kunsens għall-ipproċessar ta’ data personali tiegħu għal fini speċifiku wieħed jew aktar;

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

Linji ta 'Gwida & Ġurisprudenza Testi relatati

(b) l-ipproċessar ikun meħtieġ għat-twettiq ta’ kuntratt li għalih is-suġġett tad-data huwa parti jew sabiex jittieħdu passi fuq talba tas-suġġett tad-data qabel ma jidħol f’kuntratt;

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

Linji ta 'Gwida & Ġurisprudenza Premessi

(44) L-ipproċessar għandu jkun legali fejn ikun meħtieġ fil-kuntest ta' kuntratt jew tal-intenzjoni ta' dħul f'kuntratt.

(44) Processing should be lawful where it is necessary in the context of a contract or the intention to enter into a contract.

Testi relatati

(c) l-ipproċessar ikun meħtieġ għall-konformità ma’ obbligu legali li għalih huwa soġġett il-kontrollur;

(c) processing is necessary for compliance with a legal obligation to which the controller is subject;

Premessi

(45) Fejn l-ipproċessar jitwettaq f'konformità ma' obbligu legali li għalih ikun soġġett il-kontrollur jew fejn l-ipproċessar ikun meħtieġ għat-twettiq ta' kompitu li jsir fl-interess pubbliku jew fl-eżerċizzju ta' awtorità uffiċjali, l-ipproċessar għandu jkollu bażi fil-liġi tal-Unjoni jew ta' Stat Membru. Dan ir-Regolament ma jirrikjedix liġi speċifika għal kull ipproċessar individwali. Tista' tkun biżżejjed liġi li sservi ta' bażi għal diversi operazzjonijiet ta' pproċessar ibbażata fuq obbligu legali li huwa soġġett għalih il-kontrollur jew fejn l-ipproċessar huwa meħtieġ għat-twettiq ta' kompitu li jsir fl-interess pubbliku jew fl-eżerċizzju ta' awtorità uffiċjali. Għandha tkun ukoll il-liġi tal-Unjoni jew ta' Stat Membru li tiddetermina l-fini tal-ipproċessar. Barra minn hekk, dik il-liġi tista' tispeċifika l-kondizzjonijiet ġenerali ta' dan ir-Regolament li jirregola l-legalità tal-ipproċessar ta' data personali, tistabbilixxi l-ispeċifikazzjonijiet biex jiġu ddeterminati l-kontrollur, it-tip ta' data soġġetta għall-ipproċessar, is-suġġetti tad-data kkonċernati, l-entitajiet li lilhom tista' tiġi żvelata d-data personali, il-limitazzjonijiet tal-fini, il-perijodu tal-ħażna u miżuri oħra li jiżguraw ipproċessar legali u ġust. Għandha wkoll tkun il-liġi tal-Unjoni jew il-liġi nazzjonali li tistabbilixxi jekk il-kontrollur li jwettaq il-kompitu fl-interess pubbliku jew fl-eżerċizzju ta' awtorità uffiċjali għandux ikun awtorità pubblika jew xi persuna fiżika jew ġuridika oħra regolata bil-liġi pubblika, jew, fejn ikun fl-interess pubbliku li jsir hekk, inkluż għal skopijiet ta' saħħa bħas-saħħa pubblika u l-protezzjoni soċjali u l-ġestjoni tas-servizzi tal-kura tas-saħħa, bil-liġi privata, bħal assoċjazzjoni professjonali.

(45) Where processing is carried out in accordance with a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, the processing should have a basis in Union or Member State law. This Regulation does not require a specific law for each individual processing. A law as a basis for several processing operations based on a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of an official authority may be sufficient. It should also be for Union or Member State law to determine the purpose of processing. Furthermore, that law could specify the general conditions of this Regulation governing the lawfulness of personal data processing, establish specifications for determining the controller, the type of personal data which are subject to the processing, the data subjects concerned, the entities to which the personal data may be disclosed, the purpose limitations, the storage period and other measures to ensure lawful and fair processing. It should also be for Union or Member State law to determine whether the controller performing a task carried out in the public interest or in the exercise of official authority should be a public authority or another natural or legal person governed by public law, or, where it is in the public interest to do so, including for health purposes such as public health and social protection and the management of health care services, by private law, such as a professional association.

(d) l-ipproċessar ikun meħtieġ sabiex ikunu protetti l-interessi vitali tas-suġġett tad-data jew ta’ persuna fiżika oħra;

(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

Premessi

(46) L-ipproċessar tad-data personali għandu wkoll jitqies bħala legali fejn ikun meħtieġ biex jiġi protett interess li huwa essenzjali għall-ħajja tas-suġġett tad-data jew dak ta' persuna fiżika oħra. L-ipproċessar ta' data personali abbażi tal-interess vitali ta' persuna fiżika oħra fil-prinċipju għandu jsir biss fejn l-ipproċessar ma jistax jibbaża manifestament fuq bażi legali oħra. Xi tipi ta' pproċessar jistgħu jservu kemm raġunijiet importanti ta' interess pubbliku u interessi vitali tas-suġġett tad-data bħal pereżempju meta l-ipproċessar ikun meħtieġ għal finijiet umanitarji, inkluż għall-monitoraġġ ta' epidemiji u t-tixrid tagħhom jew f'sitwazzjonijiet ta' emerġenzi umanitarji, b'mod partikolari f'sitwazzjonijiet ta' diżastri naturali u diżastri kkawżati mill-bniedem.

(46) The processing of personal data should also be regarded to be lawful where it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person. Processing of personal data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis. Some types of processing may serve both important grounds of public interest and the vital interests of the data subject as for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread or in situations of humanitarian emergencies, in particular in situations of natural and man-made disasters.

(e) l-ipproċessar ikun meħtieġ għat-twettiq ta’ kompitu li jsir fl-interess pubbliku jew fl-eżerċizzju ta’ awtorità uffiċjali mogħtija lill-kontrollur;

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

Linji ta 'Gwida & Ġurisprudenza Premessi

(115) Xi pajjiżi terzi jadottaw liġijiet, regolamenti u atti legali oħrajn li jkunu intenzjonati li jirregolaw direttament l-attivitajiet ta' pproċessar ta' persuni fiżiċi jew ġuridiċi taħt il-ġurisdizzjoni tal-Istati Membri. Dan jista' jinkludi sentenzi ta' qrati jew tribunali jew deċiżjonijiet ta' awtoritajiet amministrattivi f'pajjiżi terzi li jirrikjedu li kontrollur jew proċessur jittrasferixxi jew jiżvela data personali, u li mhumiex ibbażati fuq ftehim internazzjonali, bħal trattat ta' assistenza legali reċiproka, li jkun fis-seħħ bejn il-pajjiż terz rikjedenti u l-Unjoni jew Stat Membru. L-applikazzjoni extraterritorjali ta' dawk il-liġijiet, regolamenti u atti legali oħrajn tista' tikser id-dritt internazzjonali u tista' xxekkel il-kisba tal-protezzjoni ta' persuni fiżiċi żgurata fl-Unjoni b'dan ir-Regolament. It-trasferimenti għandhom ikunu permessi biss fejn ikunu ġew sodisfatti l-kundizzjonijiet ta' dan ir-Regolament għal trasferiment lejn pajjiż terz. Dan jista' jkun il-każ, fost l-oħrajn, fejn l-iżvelar huwa meħtieġ għal raġuni importanti ta' interess pubbliku rikonoxxuta fil-liġi tal-Unjoni jew ta' Stat Membru li għaliha jkun soġġett il-kontrollur.

(115) Some third countries adopt laws, regulations and other legal acts which purport to directly regulate the processing activities of natural and legal persons under the jurisdiction of the Member States. This may include judgments of courts or tribunals or decisions of administrative authorities in third countries requiring a controller or processor to transfer or disclose personal data, and which are not based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State. The extraterritorial application of those laws, regulations and other legal acts may be in breach of international law and may impede the attainment of the protection of natural persons ensured in the Union by this Regulation. Transfers should only be allowed where the conditions of this Regulation for a transfer to third countries are met. This may be the case, inter alia, where disclosure is necessary for an important ground of public interest recognised in Union or Member State law to which the controller is subject.

(f) l-ipproċessar ikun meħtieġ għall-finijiet tal-interessi leġittimi segwiti mill-kontrollur jew minn parti terza, għajr meta dawn l-interessi jingħelbu mill-interessi jew id-drittijiet u l-libertajiet fundamentali tas-suġġett tad-data li jeħtieġu l-protezzjoni tad-data personali, b’mod partikolari meta s-suġġett tad-data jkun minorenni.

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Linji ta 'Gwida & Ġurisprudenza Premessi

(47) L-interessi leġittimi ta' kontrollur inklużi dawk ta' kontrollur li lilu tista' tiġi żvelata d-data personali jew ta' parti terza, jistgħu jipprovdu bażi legali għall-ipproċessar, sakemm l-interessi jew id-drittijiet u l-libertajiet fundamentali tas-suġġett tad-data ma jkunux aktar importanti, b'kont meħud tal-aspettattivi raġonevoli tas-suġġetti tad-data abbażi tar-relazzjoni tagħhom mal-kontrollur. Tali interess leġittimu jista' jeżisti pereżempju fejn ikun hemm relazzjoni rilevanti u adatta bejn is-suġġett tad-data u l-kontrollur f'sitwazzjonijiet bħal fejn is-suġġett tad-data jkun klijent jew fis-servizz tal-kontrollur. Fi kwalunkwe każ il-preżenza ta' interess leġittimu tkun teħtieġ valutazzjoni bir-reqqa inkluż dwar jekk is-suġġett tad-data jkunx jista' raġonevolment jistenna, fil-mument u fil-kuntest tal-ġbir tad-data personali, li l-ipproċessar għal dak il-fini jkun jista' jsir. L-interessi u d-drittijiet fundamentali tas-suġġett tad-data jistgħu, b'mod partikolari, isiru iktar importanti mill-interess tal-kontrollur tad-data fejn tkun ipproċessata data personali f'ċirkostanzi fejn is-suġġetti tad-data jistennew b'mod raġonevoli li ma jsirx iktar ipproċessar. Minħabba li hija r-responsabbiltà tal-leġiżlatur li jipprovdi bil-liġi l-bażi legali għall-awtoritajiet pubbliċi sabiex jipproċessaw id-data personali, dik il-bażi ma għandhiex tapplika għall-ipproċessar mill-awtoritajiet pubbliċi fit-twettiq tal-kompiti tagħhom. L-ipproċessar ta' data personali sal-punt strettament meħtieġ għall-finijiet tal-prevenzjoni u l-monitoraġġ ta' frodi wkoll jikkostitwixxi interess leġittimu tal-kontrollur tad-data kkonċernat. L-ipproċessar ta' data personali għal finijiet ta' kummerċjalizzazzjoni diretta jista' jitqies li twettaq għal interess leġittimu.

(47) The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing. Given that it is for the legislator to provide by law for the legal basis for public authorities to process personal data, that legal basis should not apply to the processing by public authorities in the performance of their tasks. The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.

(48) Kontrolluri li jkunu parti minn grupp ta' impriżi jew istituzzjonijiet affiljati ma' korp ċentrali jistgħu jkollhom interess leġittimu fit-trażmissjoni ta' data personali fi ħdan il-grupp ta' impriżi għal finijiet amministrattivi interni, inkluż l-ipproċessar ta' data personali ta' klijenti jew impjegati. Il-prinċipji ġenerali għat-trasferiment ta' data personali, fi ħdan grupp ta' impriżi, lejn impriża li tinsab f'pajjiż terz jibqgħu mhumiex affettwati.

(48) Controllers that are part of a group of undertakings or institutions affiliated to a central body may have a legitimate interest in transmitting personal data within the group of undertakings for internal administrative purposes, including the processing of clients' or employees' personal data. The general principles for the transfer of personal data, within a group of undertakings, to an undertaking located in a third country remain unaffected.

(49) L-ipproċessar ta' data personali sal-punt li huwa strettament meħtieġ u proporzjonat għall-finijiet li tiġi żgurata s-sigurtà tan-netwerk u tal-informazzjoni, jiġifieri l-kapaċità ta' netwerk jew ta' sistema ta' informazzjoni li tirreżisti, b'ċertu livell ta' fiduċja, avvenimenti aċċidentali jew azzjonijiet illegali jew malizzjużi li jikkompromettu d-disponibbiltà, l-awtentiċità, l-integrità u l-konfidenzjalità tad-data personali maħżuna jew trażmessa, u s-sigurtà tas-servizzi relatati offruti minn, jew aċċessibbli permezz ta', dawk in-netwerks u s-sistemi, minn awtoritajiet pubbliċi, skwadri ta' rispons f'emerġenza relatata mal-kompjuters — (CERTs), skwadri ta' rispons għal inċidenti relatati mas-sigurtà tal-kompjuters (CSIRTs), minn fornituri ta' netwerks u servizzi ta' komunikazzjoni elettronika u minn fornituri ta' teknoloġiji u servizzi għas-sigurtà, jikkostitwixxi interess leġittimu tal-kontrollur tad-data kkonċernat. Dan jista', pereżempju, jinkludi l-prevenzjoni ta' aċċess mhux awtorizzat għal netwerks ta' komunikazzjoni elettroniċi u d-distribuzzjoni ta' kodiċi malizzjuż u l-waqfien ta' attakki ta' “ċaħda ta' servizz” u d-danni lill-kompjuter u lil sistemi ta' komunikazzjoni elettroniċi.

(49) The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.

Il-punt (f) tal-ewwel subparagrafu m’għandux japplika għall-ipproċessar li jitwettaq minn awtoritajiet pubbliċi fit-twettiq tal-kompiti tagħhom.

Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.

Premessi

(40) Sabiex l-ipproċessar ikun legali, id-data personali għandha tkun ipproċessata abbażi tal-kunsens tas-suġġett tad-data kkonċernat jew ta' xi bażi leġittima oħra, stabbilita bil-liġi, jew f'dan ir-Regolament jew f'liġi oħra tal-Unjoni jew ta' Stat Membru kif imsemmi f'dan ir-Regolament, inkluż il-ħtieġa ta' konformità mal-obbligu legali li għalih hu soġġett il-kontrollur jew il-ħtieġa għall-prestazzjoni tal-kuntratt li s-suġġett tad-data ikun parti fih jew li jiġu meħuda passi fuq it-talba tas-suġġett tad-data qabel ma jidħol f'kuntratt.

(40) In order for processing to be lawful, personal data should be processed on the basis of the consent of the data subject concerned or some other legitimate basis, laid down by law, either in this Regulation or in other Union or Member State law as referred to in this Regulation, including the necessity for compliance with the legal obligation to which the controller is subject or the necessity for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

(50) L-ipproċessar ta' data personali għal finijiet oħra minbarra dawk li għalihom id-data personali tkun inġabret inizjalment għandu jkun permess biss fejn l-ipproċessar ikun kompatibbli mal-finijiet li għalihom id-data personali tkun inġabret inizjalment. F'tali każ ma tkun meħtieġa l-ebda bażi għajr dik li tkun ippermettiet il-ġbir tad-data personali. Jekk l-ipproċessar ikun meħtieġ għall-prestazzjoni ta' kompitu mwettaq fl-interess pubbliku jew fl-eżerċizzju ta' awtorità uffiċjali mogħtija lill-kontrollur, il-liġi tal-Unjoni jew tal-Istat Membru tista' tiddetermina u tispeċifika l-kompiti u l-finijiet li għalihom l-ipproċessar ulterjuri għandu jitqies bħala kompatibbli u legali. L-ipproċessar ulterjuri għal finijiet ta' arkivjar fl-interess pubbliku, għal finijiet ta' riċerka xjentifika jew storika jew għal finijiet ta' statistika għandu jitqies bħala operazzjoni ta' pproċessar legali kompatibbli. Il-bażi legali pprovduta mil-liġi tal-Unjoni jew ta' Stat Membru għall-ipproċessar ta' data personali tista' tipprovdi wkoll bażi legali għall-ipproċessar ulterjuri. Sabiex jiġi ddeterminat jekk il-fini tal-ipproċessar ulterjuri jkunx kompatibbli mal-fini li għalih id-data personali tkun inġabret inizjalment, il-kontrollur, wara li jkun issodisfa r-rekwiżiti kollha għal-legalità tal-ipproċessar oriġinali, għandu jieħu kont fost oħrajn ta' kwalunkwe rabta bejn dawk il-finijiet u l-finijiet tal-ipproċessar ulterjuri intenzjonat, il-kuntest li fih id-data personali tkun inġabret, b'mod partikolari l-aspettattivi raġonevoli tas-suġġetti tad-data abbażi tar-relazzjoni tagħhom mal-kontrollur rigward l-użu ulterjuri tagħha, in-natura tad-data personali, il-konsegwenzi tal-ipproċessar ulterjuri intenzjonat għas-suġġetti tad-data, u l-eżistenza ta' salvagwardji adatti kemm fl-operazzjoni tal-ipproċessar oriġinali kif ukoll f'dik tal-ipproċessar ulterjuri intenzjonat.

(50) The processing of personal data for purposes other than those for which the personal data were initially collected should be allowed only where the processing is compatible with the purposes for which the personal data were initially collected. In such a case, no legal basis separate from that which allowed the collection of the personal data is required. If the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Union or Member State law may determine and specify the tasks and purposes for which the further processing should be regarded as compatible and lawful. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes should be considered to be compatible lawful processing operations. The legal basis provided by Union or Member State law for the processing of personal data may also provide a legal basis for further processing. In order to ascertain whether a purpose of further processing is compatible with the purpose for which the personal data are initially collected, the controller, after having met all the requirements for the lawfulness of the original processing, should take into account, inter alia: any link between those purposes and the purposes of the intended further processing; the context in which the personal data have been collected, in particular the reasonable expectations of data subjects based on their relationship with the controller as to their further use; the nature of the personal data; the consequences of the intended further processing for data subjects; and the existence of appropriate safeguards in both the original and intended further processing operations.

Fejn is-suġġett tad-data jkun ta kunsens jew l-ipproċessar ikun bbażat fuq il-liġi tal-Unjoni jew ta' Stat Membru li tikkostitwixxi miżura neċessarja u proporzjonata f'soċjetà demokratika biex jiġu salvagwardati, b'mod partikolari, objettivi importanti ta' interess pubbliku ġenerali, il-kontrollur għandu jkun jista' jwettaq ipproċessar ulterjuri tad-data personali irrispettivament mill-kompatibbiltà tal-għanijiet. Fi kwalunkwe każ, l-applikazzjoni tal-prinċipji stabbiliti f'dan ir-Regolament u b'mod partikolari l-għoti ta' informazzjoni lis-suġġett tad-data dwar dawk il-finijiet l-oħra u dwar id-drittijiet tiegħu jew tagħha, inkluż id-dritt li joġġezzjona, għandhom ikunu żgurati. L-indikar tal-possibbiltà ta' atti kriminali jew theddid għas-sigurtà pubblika mill-kontrollur u t-trażmissjoni tad-data personali rilevanti f'każijiet individwali jew f'diversi każijiet b'rabta mal-istess att kriminali jew theddid għas-sigurtà pubblika lil awtorità kompetenti għandhom jitqiesu bħala li huma fl-interess leġittimu mfittex mill-kontrollur. Madankollu, tali trażmissjoni fl-interess leġittimu tal-kontrollur jew l-ipproċessar ulterjuri ta' data personali għandhom ikunu projbiti jekk l-ipproċessar ma jkunx kompatibbli ma' obbligu ta' segretezza legali, professjonali jew obbligu vinkolanti ieħor ta' segretezza.

Where the data subject has given consent or the processing is based on Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard, in particular, important objectives of general public interest, the controller should be allowed to further process the personal data irrespective of the compatibility of the purposes. In any case, the application of the principles set out in this Regulation and in particular the information of the data subject on those other purposes and on his or her rights including the right to object, should be ensured. Indicating possible criminal acts or threats to public security by the controller and transmitting the relevant personal data in individual cases or in several cases relating to the same criminal act or threats to public security to a competent authority should be regarded as being in the legitimate interest pursued by the controller. However, such transmission in the legitimate interest of the controller or further processing of personal data should be prohibited if the processing is not compatible with a legal, professional or other binding obligation of secrecy.

2. L-Istati Membri jistgħu jżommu jew jintroduċu dispożizzjonijiet aktar speċifiċi biex jadattaw l-applikazzjoni tar-regoli ta’ dan ir-Regolament fir-rigward ta’ pproċessar għal konformità mal-punti (c) u (e) tal-paragrafu 1 billi jiddeterminaw b’mod aktar preċiż rekwiżiti speċifiċi għall-ipproċessar u miżuri oħrajn biex jiġi żgurat ipproċessar legali u ġust inkluż għal sitwazzjonijiet speċifiċi oħrajn ta’ pproċessar kif previst fil-Kapitolu IX.

2. Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to processing for compliance with points (c) and (e) of paragraph 1 by determining more precisely specific requirements for the processing and other measures to ensure lawful and fair processing including for other specific processing situations as provided for in Chapter IX.

3. Il-bażi għall-ipproċessar imsemmi fil-punti (c) u (e) tal-paragrafu 1 għandha tkun stipulata minn:

3. The basis for the processing referred to in point (c) and (e) of paragraph 1 shall be laid down by:

(a) il-liġi tal-Unjoni, jew

(a) Union law; or

(b) il-liġi tal-Istat Membru li għaliha huwa soġġett il-kontrollur.

(b) Member State law to which the controller is subject.

Il-fini tal-ipproċessar għandu jkun iddeterminat fdik il-bażi legali jew, fir-rigward tal-ipproċessar imsemmi fil-punt (e) tal-paragrafu 1, għandu jkun meħtieġ għat-twettiq ta’ kompitu li jsir fl-interess pubbliku jew fl-eżerċizzju tal-atorità uffiċjali mogħtija lill-kontrollur. Dik il-bażi legali jista’ jkun fiha dispożizzjonijiet speċifiċi biex tiġi adattata l-applikazzjoni ta’ regoli ta’ dan ir-Regolament, inklużi l-kondizzjonijiet ġenerali li jirregolaw il-legalità tal-ipproċessar mill-kontrollur; it-tipi ta’ data li huma soġġetti għall-ipproċessar; is-suġġetti tad-data kkonċernati; l-entitajiet li lilhom, jew li għalihom, tista’ tiġi żvelata d-data personali; il-limitazzjoni tal-fini; il-perijodi tal-ħażna u attivitajiet ta’ pproċessar u proċeduri ta’ pproċessar, inklużi miżuri li jiżguraw ipproċessar legali u ġust bħal dawk għal sitwazzjonijiet speċifiċi oħrajn ta’ pproċessar kif previst fil-Kapitolu IX. Il-liġi tal-Unjoni jew il-liġi tal-Istat Membru għandha tissodisfa l-objettiv ta’ interess pubbliku u tkun proporzjonata mal-għan leġittimu mfittex.

The purpose of the processing shall be determined in that legal basis or, as regards the processing referred to in point (e) of paragraph 1, shall be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. That legal basis may contain specific provisions to adapt the application of rules of this Regulation, inter alia: the general conditions governing the lawfulness of processing by the controller; the types of data which are subject to the processing; the data subjects concerned; the entities to, and the purposes for which, the personal data may be disclosed; the purpose limitation; storage periods; and processing operations and processing procedures, including measures to ensure lawful and fair processing such as those for other specific processing situations as provided for in Chapter IX. The Union or the Member State law shall meet an objective of public interest and be proportionate to the legitimate aim pursued.

Premessi

(41) Fejn dan ir-Regolament jagħmel referenza għal bażi legali jew miżura leġiżlattiva, din mhux neċessarjament tkun tirrikjedi att leġiżlattiv adottat minn parlament, mingħajr preġudizzju għar-rekwiżiti skont l-ordni kostituzzjonali tal-Istat Membru kkonċernat. Madankollu, tali bażi legali jew miżura leġiżlattiva għandha tkun ċara u preċiża u l-applikazzjoni tagħha għandha tkun prevedibbli għal persuni soġġetti għaliha, f'konformità mal-ġurisprudenza tal-Qorti tal-Ġustizzja tal-Unjoni Ewropea (il-“Qorti tal-Ġustizzja”) u l-Qorti Ewropea tad-Drittijiet tal-Bniedem.

(41) Where this Regulation refers to a legal basis or a legislative measure, this does not necessarily require a legislative act adopted by a parliament, without prejudice to requirements pursuant to the constitutional order of the Member State concerned. However, such a legal basis or legislative measure should be clear and precise and its application should be foreseeable to persons subject to it, in accordance with the case-law of the Court of Justice of the European Union (the ‘Court of Justice’) and the European Court of Human Rights.

4. Fejn l-ipproċessar għal finijiet differenti minn dak li għalih id-data personali tkun inġabret ma jkunx ibbażat fuq il-kunsens tas-suġġett tad-data jew fuq liġi tal-Unjoni jew ta’ Stat Membru li tikkostitwixxi miżura meħtieġa u proporzjonata f’soċjetà demokratika biex tissalvagwardja l-objettivi msemmija fl-Artikolu 23(1), il-kontrollur għandu, sabiex jaċċerta jekk l-ipproċessar għal fini ieħor huwiex kompatibbli mal-fini li għalih tkun inġabret id-data personali inizjalment, jieħu kont, fost l-oħrajn, ta’:

4. Where the processing for a purpose other than that for which the personal data have been collected is not based on the data subject’s consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1), the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, take into account, inter alia:

(a) kwalunkwe rabta bejn il-fini li għalih tkun inġabret id-data personali u l-fini tal-ipproċessar ulterjuri li jkun maħsub;

(a) any link between the purposes for which the personal data have been collected and the purposes of the intended further processing;

(b) il-kuntest li fih inġabret id-data personali, b’mod partikolari fir-rigward tar-relazzjoni bejn is-suġġetti tad-data u l-kontrollur;

(b) the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller;

(c) in-natura tad-data personali, b’mod partikolari jekk jiġux ipproċessati kategoriji speċjali ta’ data personali, skont l-Artikolu 9, jew jekk tiġix ipproċessata data personali relatata ma’ kundanni kriminali u reati, skont l-Artikolu 10;

(c) the nature of the personal data, in particular whether special categories of personal data are processed, pursuant to Article 9, or whether personal data related to criminal convictions and offences are processed, pursuant to Article 10;

(d) il-konsegwenzi possibbli għas-suġġetti tad-data tal-ipproċessar ulterjuri maħsub;

(d) the possible consequences of the intended further processing for data subjects;

(e) l-eżistenza ta’ salvagwardji xierqa, li jistgħu jinkludu kriptaġġ jew psewdonimizzazzjoni.

(e) the existence of appropriate safeguards, which may include encryption or pseudonymisation.

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph to article 6(4)(e) GDPR:

7.4.5 PII de-identification and deletion at the end of processing

Control

The organization should either delete PII or render it in a form which does not permit identification or re-identification of PII principals, as soon as the original PII is no longer necessary for the identified purpose(s).

(EN) […]


to read the full text

ISO 27701 Premessi Linji ta 'Gwida & Ġurisprudenza Testi relatati Ħalli kumment
ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph to article 6 GDPR:

7.2.2 Identify lawful basis

Control

The organization should determine, document and comply with the relevant lawful basis for the processing of PII for the identified purposes.

Implementation guidance

Some jurisdictions require the organization to be able to demonstrate that the lawfulness of processing was duly established before the processing.

The legal basis for the processing of PII can include:

(EN) […]


to read the full text

Premessi

(40) Sabiex l-ipproċessar ikun legali, id-data personali għandha tkun ipproċessata abbażi tal-kunsens tas-suġġett tad-data kkonċernat jew ta' xi bażi leġittima oħra, stabbilita bil-liġi, jew f'dan ir-Regolament jew f'liġi oħra tal-Unjoni jew ta' Stat Membru kif imsemmi f'dan ir-Regolament, inkluż il-ħtieġa ta' konformità mal-obbligu legali li għalih hu soġġett il-kontrollur jew il-ħtieġa għall-prestazzjoni tal-kuntratt li s-suġġett tad-data ikun parti fih jew li jiġu meħuda passi fuq it-talba tas-suġġett tad-data qabel ma jidħol f'kuntratt.

(40) In order for processing to be lawful, personal data should be processed on the basis of the consent of the data subject concerned or some other legitimate basis, laid down by law, either in this Regulation or in other Union or Member State law as referred to in this Regulation, including the necessity for compliance with the legal obligation to which the controller is subject or the necessity for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

(41) Fejn dan ir-Regolament jagħmel referenza għal bażi legali jew miżura leġiżlattiva, din mhux neċessarjament tkun tirrikjedi att leġiżlattiv adottat minn parlament, mingħajr preġudizzju għar-rekwiżiti skont l-ordni kostituzzjonali tal-Istat Membru kkonċernat. Madankollu, tali bażi legali jew miżura leġiżlattiva għandha tkun ċara u preċiża u l-applikazzjoni tagħha għandha tkun prevedibbli għal persuni soġġetti għaliha, f'konformità mal-ġurisprudenza tal-Qorti tal-Ġustizzja tal-Unjoni Ewropea (il-“Qorti tal-Ġustizzja”) u l-Qorti Ewropea tad-Drittijiet tal-Bniedem.

(41) Where this Regulation refers to a legal basis or a legislative measure, this does not necessarily require a legislative act adopted by a parliament, without prejudice to requirements pursuant to the constitutional order of the Member State concerned. However, such a legal basis or legislative measure should be clear and precise and its application should be foreseeable to persons subject to it, in accordance with the case-law of the Court of Justice of the European Union (the ‘Court of Justice’) and the European Court of Human Rights.

(42) Fejn l-ipproċessar ikun ibbażat fuq il-kunsens tas-suġġett tad-data, il-kontrollur għandu jkun jista' juri li s-suġġett tad-data ta l-kunsens tiegħu għall-attività tal-ipproċessar. B'mod partikolari fil-kuntest ta' dikjarazzjoni bil-miktub fuq kwistjoni oħra, is-salvagwardji għandhom jiżguraw li s-suġġett tad-data huwa konxju tal-fatt li jkun qiegħed jingħata kunsens u tal-punt sa fejn dan jingħata. F'konformità mad-Direttiva tal-Kunsill 93/13/KEE (10) għandha tiġi pprovduta dikjarazzjoni ta' kunsens ifformulata minn qabel mill-kontrollur f'forma intelliġibbli u faċilment aċċessibbli, bl-użu ta' lingwaġġ ċar u sempliċi u mingħajr termini inġusti. Biex il-kunsens ikun wieħed informat, is-suġġett tad-data għandu jkun konxju mill-inqas tal-identità tal-kontrollur u l-finijiet tal-ipproċessar li għalihom tkun intenzjonata d-data personali. Il-kunsens ma għandux jitqies li ngħata liberament jekk is-suġġett tad-data ma jkollux għażla ġenwina jew libera jew ma jkunx jista' jiċħad jew jirtira l-kunsens mingħajr ħsara.

(42) Where processing is based on the data subject's consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation. In particular in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware of the fact that and the extent to which consent is given. In accordance with Council Directive 93/13/EEC [10] a declaration of consent pre-formulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language and it should not contain unfair terms. For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended. Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.

(10) Direttiva tal-Kunsill 93/13/KEE tal-5 ta' April 1993 dwar klawżoli inġusti f'kuntratti mal-konsumatur (ĠU L 95, 21.4.1993, p. 29). https://eur-lex.europa.eu/legal-content/EN/AUTO/?uri=OJ:L:1993:095:TOC

[10] Council Directive 93/13/EEC of 5 April 1993 on unfair terms in consumer contracts (OJ L 95, 21.4.1993, p. 29). https://eur-lex.europa.eu/legal-content/EN/AUTO/?uri=OJ:L:1993:095:TOC

(43) Sabiex jiġi żgurat l-għoti ta' kunsens b'mod liberu, il-kunsens ma għandux jipprovdi raġuni legali valida għall-ipproċessar ta' data personali f'każ speċifiku fejn ikun hemm żbilanċ ċar bejn is-suġġett tad-data u l-kontrollur, b'mod partikolari fejn il-kontrollur huwa awtorità pubblika u għalhekk ikun improbabbli li l-kunsens ingħata liberament fiċ-ċirkostanzi kollha ta' dik is-sitwazzjoni speċifika. Il-kunsens huwa preżunt li mhux mogħti b'mod liberu jekk ma jippermettix li jingħata kunsens separat għal operazzjonijiet ta' pproċessar ta' data personali differenti minkejja li jkun xieraq fil-każ partikolari, jew jekk it-twettiq ta' kuntratt, inkluż il-provvediment ta' servizz, ikun jiddependi mill-kunsens minkejja li tali kunsens ma jkunx meħtieġ għal tali twettiq.

(43) In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation. Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.

(44) L-ipproċessar għandu jkun legali fejn ikun meħtieġ fil-kuntest ta' kuntratt jew tal-intenzjoni ta' dħul f'kuntratt.

(44) Processing should be lawful where it is necessary in the context of a contract or the intention to enter into a contract.

(45) Fejn l-ipproċessar jitwettaq f'konformità ma' obbligu legali li għalih ikun soġġett il-kontrollur jew fejn l-ipproċessar ikun meħtieġ għat-twettiq ta' kompitu li jsir fl-interess pubbliku jew fl-eżerċizzju ta' awtorità uffiċjali, l-ipproċessar għandu jkollu bażi fil-liġi tal-Unjoni jew ta' Stat Membru. Dan ir-Regolament ma jirrikjedix liġi speċifika għal kull ipproċessar individwali. Tista' tkun biżżejjed liġi li sservi ta' bażi għal diversi operazzjonijiet ta' pproċessar ibbażata fuq obbligu legali li huwa soġġett għalih il-kontrollur jew fejn l-ipproċessar huwa meħtieġ għat-twettiq ta' kompitu li jsir fl-interess pubbliku jew fl-eżerċizzju ta' awtorità uffiċjali. Għandha tkun ukoll il-liġi tal-Unjoni jew ta' Stat Membru li tiddetermina l-fini tal-ipproċessar. Barra minn hekk, dik il-liġi tista' tispeċifika l-kondizzjonijiet ġenerali ta' dan ir-Regolament li jirregola l-legalità tal-ipproċessar ta' data personali, tistabbilixxi l-ispeċifikazzjonijiet biex jiġu ddeterminati l-kontrollur, it-tip ta' data soġġetta għall-ipproċessar, is-suġġetti tad-data kkonċernati, l-entitajiet li lilhom tista' tiġi żvelata d-data personali, il-limitazzjonijiet tal-fini, il-perijodu tal-ħażna u miżuri oħra li jiżguraw ipproċessar legali u ġust. Għandha wkoll tkun il-liġi tal-Unjoni jew il-liġi nazzjonali li tistabbilixxi jekk il-kontrollur li jwettaq il-kompitu fl-interess pubbliku jew fl-eżerċizzju ta' awtorità uffiċjali għandux ikun awtorità pubblika jew xi persuna fiżika jew ġuridika oħra regolata bil-liġi pubblika, jew, fejn ikun fl-interess pubbliku li jsir hekk, inkluż għal skopijiet ta' saħħa bħas-saħħa pubblika u l-protezzjoni soċjali u l-ġestjoni tas-servizzi tal-kura tas-saħħa, bil-liġi privata, bħal assoċjazzjoni professjonali.

(45) Where processing is carried out in accordance with a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, the processing should have a basis in Union or Member State law. This Regulation does not require a specific law for each individual processing. A law as a basis for several processing operations based on a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of an official authority may be sufficient. It should also be for Union or Member State law to determine the purpose of processing. Furthermore, that law could specify the general conditions of this Regulation governing the lawfulness of personal data processing, establish specifications for determining the controller, the type of personal data which are subject to the processing, the data subjects concerned, the entities to which the personal data may be disclosed, the purpose limitations, the storage period and other measures to ensure lawful and fair processing. It should also be for Union or Member State law to determine whether the controller performing a task carried out in the public interest or in the exercise of official authority should be a public authority or another natural or legal person governed by public law, or, where it is in the public interest to do so, including for health purposes such as public health and social protection and the management of health care services, by private law, such as a professional association.

(46) L-ipproċessar tad-data personali għandu wkoll jitqies bħala legali fejn ikun meħtieġ biex jiġi protett interess li huwa essenzjali għall-ħajja tas-suġġett tad-data jew dak ta' persuna fiżika oħra. L-ipproċessar ta' data personali abbażi tal-interess vitali ta' persuna fiżika oħra fil-prinċipju għandu jsir biss fejn l-ipproċessar ma jistax jibbaża manifestament fuq bażi legali oħra. Xi tipi ta' pproċessar jistgħu jservu kemm raġunijiet importanti ta' interess pubbliku u interessi vitali tas-suġġett tad-data bħal pereżempju meta l-ipproċessar ikun meħtieġ għal finijiet umanitarji, inkluż għall-monitoraġġ ta' epidemiji u t-tixrid tagħhom jew f'sitwazzjonijiet ta' emerġenzi umanitarji, b'mod partikolari f'sitwazzjonijiet ta' diżastri naturali u diżastri kkawżati mill-bniedem.

(46) The processing of personal data should also be regarded to be lawful where it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person. Processing of personal data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis. Some types of processing may serve both important grounds of public interest and the vital interests of the data subject as for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread or in situations of humanitarian emergencies, in particular in situations of natural and man-made disasters.

(47) L-interessi leġittimi ta' kontrollur inklużi dawk ta' kontrollur li lilu tista' tiġi żvelata d-data personali jew ta' parti terza, jistgħu jipprovdu bażi legali għall-ipproċessar, sakemm l-interessi jew id-drittijiet u l-libertajiet fundamentali tas-suġġett tad-data ma jkunux aktar importanti, b'kont meħud tal-aspettattivi raġonevoli tas-suġġetti tad-data abbażi tar-relazzjoni tagħhom mal-kontrollur. Tali interess leġittimu jista' jeżisti pereżempju fejn ikun hemm relazzjoni rilevanti u adatta bejn is-suġġett tad-data u l-kontrollur f'sitwazzjonijiet bħal fejn is-suġġett tad-data jkun klijent jew fis-servizz tal-kontrollur. Fi kwalunkwe każ il-preżenza ta' interess leġittimu tkun teħtieġ valutazzjoni bir-reqqa inkluż dwar jekk is-suġġett tad-data jkunx jista' raġonevolment jistenna, fil-mument u fil-kuntest tal-ġbir tad-data personali, li l-ipproċessar għal dak il-fini jkun jista' jsir. L-interessi u d-drittijiet fundamentali tas-suġġett tad-data jistgħu, b'mod partikolari, isiru iktar importanti mill-interess tal-kontrollur tad-data fejn tkun ipproċessata data personali f'ċirkostanzi fejn is-suġġetti tad-data jistennew b'mod raġonevoli li ma jsirx iktar ipproċessar. Minħabba li hija r-responsabbiltà tal-leġiżlatur li jipprovdi bil-liġi l-bażi legali għall-awtoritajiet pubbliċi sabiex jipproċessaw id-data personali, dik il-bażi ma għandhiex tapplika għall-ipproċessar mill-awtoritajiet pubbliċi fit-twettiq tal-kompiti tagħhom. L-ipproċessar ta' data personali sal-punt strettament meħtieġ għall-finijiet tal-prevenzjoni u l-monitoraġġ ta' frodi wkoll jikkostitwixxi interess leġittimu tal-kontrollur tad-data kkonċernat. L-ipproċessar ta' data personali għal finijiet ta' kummerċjalizzazzjoni diretta jista' jitqies li twettaq għal interess leġittimu.

(47) The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing. Given that it is for the legislator to provide by law for the legal basis for public authorities to process personal data, that legal basis should not apply to the processing by public authorities in the performance of their tasks. The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.

(48) Kontrolluri li jkunu parti minn grupp ta' impriżi jew istituzzjonijiet affiljati ma' korp ċentrali jistgħu jkollhom interess leġittimu fit-trażmissjoni ta' data personali fi ħdan il-grupp ta' impriżi għal finijiet amministrattivi interni, inkluż l-ipproċessar ta' data personali ta' klijenti jew impjegati. Il-prinċipji ġenerali għat-trasferiment ta' data personali, fi ħdan grupp ta' impriżi, lejn impriża li tinsab f'pajjiż terz jibqgħu mhumiex affettwati.

(48) Controllers that are part of a group of undertakings or institutions affiliated to a central body may have a legitimate interest in transmitting personal data within the group of undertakings for internal administrative purposes, including the processing of clients' or employees' personal data. The general principles for the transfer of personal data, within a group of undertakings, to an undertaking located in a third country remain unaffected.

(49) L-ipproċessar ta' data personali sal-punt li huwa strettament meħtieġ u proporzjonat għall-finijiet li tiġi żgurata s-sigurtà tan-netwerk u tal-informazzjoni, jiġifieri l-kapaċità ta' netwerk jew ta' sistema ta' informazzjoni li tirreżisti, b'ċertu livell ta' fiduċja, avvenimenti aċċidentali jew azzjonijiet illegali jew malizzjużi li jikkompromettu d-disponibbiltà, l-awtentiċità, l-integrità u l-konfidenzjalità tad-data personali maħżuna jew trażmessa, u s-sigurtà tas-servizzi relatati offruti minn, jew aċċessibbli permezz ta', dawk in-netwerks u s-sistemi, minn awtoritajiet pubbliċi, skwadri ta' rispons f'emerġenza relatata mal-kompjuters — (CERTs), skwadri ta' rispons għal inċidenti relatati mas-sigurtà tal-kompjuters (CSIRTs), minn fornituri ta' netwerks u servizzi ta' komunikazzjoni elettronika u minn fornituri ta' teknoloġiji u servizzi għas-sigurtà, jikkostitwixxi interess leġittimu tal-kontrollur tad-data kkonċernat. Dan jista', pereżempju, jinkludi l-prevenzjoni ta' aċċess mhux awtorizzat għal netwerks ta' komunikazzjoni elettroniċi u d-distribuzzjoni ta' kodiċi malizzjuż u l-waqfien ta' attakki ta' “ċaħda ta' servizz” u d-danni lill-kompjuter u lil sistemi ta' komunikazzjoni elettroniċi.

(49) The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.

(50) L-ipproċessar ta' data personali għal finijiet oħra minbarra dawk li għalihom id-data personali tkun inġabret inizjalment għandu jkun permess biss fejn l-ipproċessar ikun kompatibbli mal-finijiet li għalihom id-data personali tkun inġabret inizjalment. F'tali każ ma tkun meħtieġa l-ebda bażi għajr dik li tkun ippermettiet il-ġbir tad-data personali. Jekk l-ipproċessar ikun meħtieġ għall-prestazzjoni ta' kompitu mwettaq fl-interess pubbliku jew fl-eżerċizzju ta' awtorità uffiċjali mogħtija lill-kontrollur, il-liġi tal-Unjoni jew tal-Istat Membru tista' tiddetermina u tispeċifika l-kompiti u l-finijiet li għalihom l-ipproċessar ulterjuri għandu jitqies bħala kompatibbli u legali. L-ipproċessar ulterjuri għal finijiet ta' arkivjar fl-interess pubbliku, għal finijiet ta' riċerka xjentifika jew storika jew għal finijiet ta' statistika għandu jitqies bħala operazzjoni ta' pproċessar legali kompatibbli. Il-bażi legali pprovduta mil-liġi tal-Unjoni jew ta' Stat Membru għall-ipproċessar ta' data personali tista' tipprovdi wkoll bażi legali għall-ipproċessar ulterjuri. Sabiex jiġi ddeterminat jekk il-fini tal-ipproċessar ulterjuri jkunx kompatibbli mal-fini li għalih id-data personali tkun inġabret inizjalment, il-kontrollur, wara li jkun issodisfa r-rekwiżiti kollha għal-legalità tal-ipproċessar oriġinali, għandu jieħu kont fost oħrajn ta' kwalunkwe rabta bejn dawk il-finijiet u l-finijiet tal-ipproċessar ulterjuri intenzjonat, il-kuntest li fih id-data personali tkun inġabret, b'mod partikolari l-aspettattivi raġonevoli tas-suġġetti tad-data abbażi tar-relazzjoni tagħhom mal-kontrollur rigward l-użu ulterjuri tagħha, in-natura tad-data personali, il-konsegwenzi tal-ipproċessar ulterjuri intenzjonat għas-suġġetti tad-data, u l-eżistenza ta' salvagwardji adatti kemm fl-operazzjoni tal-ipproċessar oriġinali kif ukoll f'dik tal-ipproċessar ulterjuri intenzjonat.

(50) The processing of personal data for purposes other than those for which the personal data were initially collected should be allowed only where the processing is compatible with the purposes for which the personal data were initially collected. In such a case, no legal basis separate from that which allowed the collection of the personal data is required. If the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Union or Member State law may determine and specify the tasks and purposes for which the further processing should be regarded as compatible and lawful. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes should be considered to be compatible lawful processing operations. The legal basis provided by Union or Member State law for the processing of personal data may also provide a legal basis for further processing. In order to ascertain whether a purpose of further processing is compatible with the purpose for which the personal data are initially collected, the controller, after having met all the requirements for the lawfulness of the original processing, should take into account, inter alia: any link between those purposes and the purposes of the intended further processing; the context in which the personal data have been collected, in particular the reasonable expectations of data subjects based on their relationship with the controller as to their further use; the nature of the personal data; the consequences of the intended further processing for data subjects; and the existence of appropriate safeguards in both the original and intended further processing operations.

Fejn is-suġġett tad-data jkun ta kunsens jew l-ipproċessar ikun bbażat fuq il-liġi tal-Unjoni jew ta' Stat Membru li tikkostitwixxi miżura neċessarja u proporzjonata f'soċjetà demokratika biex jiġu salvagwardati, b'mod partikolari, objettivi importanti ta' interess pubbliku ġenerali, il-kontrollur għandu jkun jista' jwettaq ipproċessar ulterjuri tad-data personali irrispettivament mill-kompatibbiltà tal-għanijiet. Fi kwalunkwe każ, l-applikazzjoni tal-prinċipji stabbiliti f'dan ir-Regolament u b'mod partikolari l-għoti ta' informazzjoni lis-suġġett tad-data dwar dawk il-finijiet l-oħra u dwar id-drittijiet tiegħu jew tagħha, inkluż id-dritt li joġġezzjona, għandhom ikunu żgurati. L-indikar tal-possibbiltà ta' atti kriminali jew theddid għas-sigurtà pubblika mill-kontrollur u t-trażmissjoni tad-data personali rilevanti f'każijiet individwali jew f'diversi każijiet b'rabta mal-istess att kriminali jew theddid għas-sigurtà pubblika lil awtorità kompetenti għandhom jitqiesu bħala li huma fl-interess leġittimu mfittex mill-kontrollur. Madankollu, tali trażmissjoni fl-interess leġittimu tal-kontrollur jew l-ipproċessar ulterjuri ta' data personali għandhom ikunu projbiti jekk l-ipproċessar ma jkunx kompatibbli ma' obbligu ta' segretezza legali, professjonali jew obbligu vinkolanti ieħor ta' segretezza.

Where the data subject has given consent or the processing is based on Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard, in particular, important objectives of general public interest, the controller should be allowed to further process the personal data irrespective of the compatibility of the purposes. In any case, the application of the principles set out in this Regulation and in particular the information of the data subject on those other purposes and on his or her rights including the right to object, should be ensured. Indicating possible criminal acts or threats to public security by the controller and transmitting the relevant personal data in individual cases or in several cases relating to the same criminal act or threats to public security to a competent authority should be regarded as being in the legitimate interest pursued by the controller. However, such transmission in the legitimate interest of the controller or further processing of personal data should be prohibited if the processing is not compatible with a legal, professional or other binding obligation of secrecy.

(155) Il-liġi tal-Istat Membru jew ftehimiet kollettivi, inklużi “ftehimiet tax-xogħol”, jistgħu jipprevedu regoli speċifiċi dwar l-ipproċessar tad-data personali tal-impjegati fil-kuntest tax-xogħol, b'mod partikolari għall-kundizzjonijiet li taħthom id-data personali fil-kuntest tal-impjieg tista' tkun ipproċessata fuq il-bażi tal-kunsens tal-impjegat, il-finijiet tar-reklutaġġ, it-twettiq tal-kuntratt tax-xogħol, inkluż it-twettiq tal-obbligi stabbiliti bil-liġi jew bi ftehimiet kollettivi, il-ġestjoni, l-ippjanar u l-organizzazzjoni tax-xogħol, l-ugwaljanza u d-diversità fil-post tax-xogħol, is-saħħa u s-sigurtà fuq il-post tax-xogħol, u għall-għanijiet tal-eżerċizzju u t-tgawdija, fuq bażi individwali jew kollettiva, ta' drittijiet u benefiċċji relatati mal-impjieg, u għall-għan tat-terminazzjoni tar-relazzjoni tal-impjieg.

(155) Member State law or collective agreements, including ‘works agreements’, may provide for specific rules on the processing of employees' personal data in the employment context, in particular for the conditions under which personal data in the employment context may be processed on the basis of the consent of the employee, the purposes of the recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organisation of work, equality and diversity in the workplace, health and safety at work, and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship.

Linji ta 'Gwida & Ġurisprudenza Testi relatati Ħalli kumment
[js-disqus]