(75) Maidir leis na rioscaí i dtaca le cearta agus saoirsí daoine nádúrtha, ar rioscaí iad lena ngabhann dóchúlacht agus déine éagsúil, mar thoradh ar phróiseáil sonraí pearsanta as damáiste fisiciúil, ábhartha nó neamhábhartha, go háirithe sna cásanna seo a leanas: i gcás ina n-eascródh idirdhealú, goid aitheantais nó calaois aitheantais, caillteanas airgeadais, damáiste don chlú, caillteanas rúndacht na sonraí pearsanta sin atá faoi chosaint de réir rúndacht ghairmiúil, aisiompú neamhúdaraithe cur i bhfeidhm ainm bréige, nó aon mhíbhuntáiste eacnamaíoch nó sóisialta eile atá suntasach as an bpróiseáil; i gcás ina bhféadfadh sé go ndéanfaí cearta agus saoirsí na n-ábhar sonraí a cheilt orthu nó go gcoisfí iad ó rialú a dhéanamh ar fheidhmiú a gcuid sonraí pearsanta; i gcás ina ndéantar próiseáil ar shonraí pearsanta lena léirítear tionscnamh ciníoch nó eitneach, tuairimí polaitiúla, creideamh reiligiúnach nó fealsúnach, ballraíocht i gceardchumann, agus próiseáil sonraí géiniteacha, sonraí a bhaineann leis an tsláinte nó sonraí a bhaineann le saol gnéis nó le ciontuithe coiriúla agus cionta nó le bearta slándála gaolmhara; i gcás ina ndéantar meastóireacht ar ghnéithe pearsanta, go háirithe anailísiú nó tuar ar ghnéithe maidir le feidhmiú ag an obair, maidir leis an staid eacnamaíoch, sláinte, roghanna nó leas pearsanta, iontaofacht nó iompraíocht, suíomh nó gluaiseachtaí, chun próifílí pearsanta a chruthú nó a úsáid; i gcás ina ndéantar próiseáil ar shonraí pearsanta daoine nádúrtha leochaileacha, go háirithe leanaí; nó i gcás ina bhfuil cainníocht mhór sonraí pearsanta i gceist leis an bpróiseáil agus ina mbíonn tionchar ag an bpróiseáil sin ar líon mór ábhar sonraí.
(75) The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage; where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data; where personal data are processed which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, and the processing of genetic data, data concerning health or data concerning sex life or criminal convictions and offences or related security measures; where personal aspects are evaluated, in particular analysing or predicting aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, in order to create or use personal profiles; where personal data of vulnerable natural persons, in particular of children, are processed; or where processing involves a large amount of personal data and affects a large number of data subjects.
(85) Mura dtéitear i ngleic le sárú i ndáil le sonraí pearsanta ar bhealach iomchuí tráthúil, d'fhéadfadh gurb é an toradh a bheadh air damáiste fisiciúil, ábhartha nó neamhabhartha do dhaoine nádúrtha amhail smacht ar a gcuid sonraí pearsanta a chailleadh, nó teorannú ar a gcearta, idirdhealú, goid aitheantais nó calaois aitheantais, caillteanas airgeadais, aisiompú neamhúdaraithe chur i bhfeidhm ainm bréige, damáiste don chlú, caillteanas rúndacht na sonraí pearsanta sin atá faoi chosaint de réir rúndacht ghairmiúil, nó aon mhíbhuntáiste eacnamaíoch nó sóisialta eile don duine nádúrtha lena mbaineann. Dá bhrí sin, a luaithe a bheidh an rialaitheoir ar an eolas faoi shárú a bheith déanta i ndáil le sonraí pearsanta, ba cheart don rialaitheoir fógra faoin sárú i ndáil le sonraí pearsanta a thabhairt don údarás maoirseachta, gan aon mhoill mhíchuí agus, i gcás inar féidir, tráth nach déanaí ná 72 uair an chloig tar éis dó nó di eolas a fháil ina leith, maidir leis an sárú i ndáil le sonraí pearsanta, ach amháin i gcás ina mbeidh an rialaitheoir in ann a thaispeáint, i gcomhréir le prionsabal na cuntasachta, nach dócha go mbeidh riosca ag gabháil leis an sárú i ndáil le sonraí pearsanta do chearta agus do shaoirsí daoine nádúrtha. I gcás nach féidir fógra den sórt sin a dhéanamh laistigh de 72 uair an chloig, ba cheart na cúiseanna leis an moill sin a chur leis an bhfógra, agus féadfar faisnéis a chur ar fáil i gcéimeanna gan tuilleadh moille míchuí.
(85) A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned. Therefore, as soon as the controller becomes aware that a personal data breach has occurred, the controller should notify the personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the controller is able to demonstrate, in accordance with the accountability principle, that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where such notification cannot be achieved within 72 hours, the reasons for the delay should accompany the notification and information may be provided in phases without undue further delay.
(87) Ba cheart a fháil amach an ndearnadh na bearta iomchuí teicneolaíocha cosanta agus na bearta iomchuí eagraíochtúla uile a chur chun feidhme lena suí láithreach an ndearnadh sárú i ndáil le sonraí pearsanta agus chun an t-údarás maoirseachta agus an t-ábhar sonraí a chur ar an eolas go pras. Ba cheart a shuí gur tugadh fógra gan aon mhoill mhíchuí agus aird ar leith á tabhairt ar chineál agus ar thromaíocht an tsáraithe i ndáil le sonraí pearsanta agus ar na hiarmhairtí agus ar na héifeachtaí díobhálacha a bhaineann leis don ábhar sonraí. Féadfaidh idirghabháil ón údarás maoirseachta teacht as fógra den sórt sin i gcomhréir leis na cúraimí sin atá air agus leis na cumhachtaí sin atá aige a leagtar síos sa Rialachán seo.
(87) It should be ascertained whether all appropriate technological protection and organisational measures have been implemented to establish immediately whether a personal data breach has taken place and to inform promptly the supervisory authority and the data subject. The fact that the notification was made without undue delay should be established taking into account in particular the nature and gravity of the personal data breach and its consequences and adverse effects for the data subject. Such notification may result in an intervention of the supervisory authority in accordance with its tasks and powers laid down in this Regulation.
(88) Agus rialacha mionsonraithe a bhaineann leis an bhformáid agus ne nósanna imeachta is infheidhme maidir le fógairt sáruithe i ndáil le sonraí pearsanta á leagan síos, ba cheart aird chuí a thabhairt ar na dálaí faoina ndearnadh an sárú sin, lena n-áirítear an raibh na sonraí pearsanta á gcosaint ag bearta iomchuí cosanta teicniúla, lenar cuireadh srian go héifeachtach leis an dóchúlacht go ndéanfaí calaois aitheantais nó go mbainfí mí-úsáid eile as na sonraí. Ina theannta sin, ba cheart a chur san áireamh i rialacha den sórt sin agus i nósanna imeachta den sórt sin leasanna dlisteanacha údarás forfheidhmithe dlí i gcás ina bhféadfadh fógairt luath cur isteach, gan chúis, ar an imscrúdú faoi dhálaí an tsáraithe i ndáil le sónraí pearsanta.
(88) In setting detailed rules concerning the format and procedures applicable to the notification of personal data breaches, due consideration should be given to the circumstances of that breach, including whether or not personal data had been protected by appropriate technical protection measures, effectively limiting the likelihood of identity fraud or other forms of misuse. Moreover, such rules and procedures should take into account the legitimate interests of law-enforcement authorities where early disclosure could unnecessarily hamper the investigation of the circumstances of a personal data breach.
(EN) ISO/IEC 27701, adopted in 2019, added a requirement additional to ISO/IEC 27002, section 16.1.1.
Here is the relevant paragraph to article 33 GDPR:
6.13.1.1 Responsibilities and procedures
Implementation guidance
As part of the overall information security incident management process, the organization should establish responsibilities and procedures for the identification and recording of breaches of PII. Additionally, the organization should establish responsibilities and procedures related to notification to required parties of PII breaches (including the timing of such notifications) and the disclosure to authorities, taking into account the applicable legislation and/or regulation.
…
Sisään
pääset käsiksi koko tekstiin