
Article 18 GDPR. Right to restriction of processing

1. The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

Expert commentary
Author: Siarhei Varankevich, CIPP/E, CIPM, CIPT, MBA, FIP
Co-Founder & CEO of Data Privacy Office LLC. Data Protection Trainer and Principal Consultant

(a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;

(b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

(c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;

(d) the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.


2. Where processing has been restricted under paragraph 1, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

ISO 27701

ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph to article 18(2) GDPR:

7.2.2 Identify lawful basis

Control

The organization should determine, document and comply with the relevant lawful basis for the processing of PII for the identified purposes.

Implementation guidance

Some jurisdictions require the organization to be able to demonstrate that the lawfulness of processing was duly established before the processing.



3. A data subject who has obtained restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction of processing is lifted.

ISO 27701

ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph to article 18(3) GDPR:

7.3.2 Determining information for PII principals

Control

The organization should determine and document the information to be provided to PII principals regarding the processing of their PII and the timing of such a provision.

Implementation guidance

The organization should determine the legal, regulatory and/or business requirements for when information is to be provided to the PII principal (e.g. prior to processing, within a certain time from when it is requested, etc.) and for the type of information to be provided.



Expert commentary

The right to restriction of processing is one of the eight rights granted by the GDPR, but it is not the easiest one to understand at first glance. It can be summed up as an obligation on behalf of the controller to retain data, but they can neither be processed in any other manner nor modified…



Author: Louis-Philippe Gratton, PhD, LLM
Privacy Expert


Data Subject Request Letter Sample

Concern: Request to restrict the processing of my personal data

Dear Madam, Dear Sir,

I am entitled to ask you to restrict the processing of my personal data under Article 18(1) of the General Data Protection Regulation (GDPR)…



Author: Louis-Philippe Gratton, PhD, LLM
Privacy Expert
ISO 27701

ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph to article 18 GDPR:

7.3.4 Providing mechanism to modify or withdraw consent

Control

The organization should provide a mechanism for PII principals to modify or withdraw their consent.

Implementation guidance

The organization should inform PII principals of their rights related to withdrawing consent (which may vary by jurisdiction) at any time, and provide the mechanism to do so.



Recitals

(67) Methods by which to restrict the processing of personal data could include, inter alia, temporarily moving the selected data to another processing system, making the selected personal data unavailable to users, or temporarily removing published data from a website. In automated filing systems, the restriction of processing should in principle be ensured by technical means in such a manner that the personal data are not subject to further processing operations and cannot be changed. The fact that the processing of personal data is restricted should be clearly indicated in the system.
