Navigacija
SUVP (GDPR) > Člen 13. Informacije, ki se zagotovijo, kadar se osebni podatki pridobijo od posameznika, na katerega se nanašajo osebni podatki
Prenos PDF

Člen 13 SUVP (GDPR). Informacije, ki se zagotovijo, kadar se osebni podatki pridobijo od posameznika, na katerega se nanašajo osebni podatki

Article 13 GDPR. Information to be provided where personal data are collected from the data subject

1. Kadar se osebni podatki v zvezi s posameznikom, na katerega se nanašajo osebni podatki, pridobijo od tega posameznika, upravljavec zadevnemu posamezniku takrat, ko pridobi osebne podatke, zagotovi vse naslednje informacije:

1. Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:

Uvodne izjave

(60) Načeli poštene in pregledne obdelave zahtevata, da je treba posameznika, na katerega se nanašajo osebni podatki, obvestiti o obstoju dejanja obdelave in njegovih namenih. Upravljavec bi moral posamezniku, na katerega se nanašajo osebni podatki, zagotoviti vse dodatne informacije, potrebne za zagotavljanje poštene in pregledne obdelave ob upoštevanju specifičnih okoliščin in okvira obdelave osebnih podatkov. Poleg tega bi moral biti ta posameznik obveščen o obstoju oblikovanja profilov in njegovih posledicah. Kadar se osebni podatki pridobijo od posameznika, na katerega se nanašajo osebni podatki, bi ga bilo treba obvestiti tudi o tem, ali je dolžan predložiti osebne podatke, in o posledicah, kadar takih podatkov ne predloži. Te informacije se lahko navedejo skupaj z uporabo standardiziranih ikon, da se na jasno razviden, razumljiv in berljiv način zagotovi smiseln pregled načrtovane obdelave. Kadar so ikone navedene v elektronski obliki, bi morale biti strojno berljive.

(60) The principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes. The controller should provide the data subject with any further information necessary to ensure fair and transparent processing taking into account the specific circumstances and context in which the personal data are processed. Furthermore, the data subject should be informed of the existence of profiling and the consequences of such profiling. Where the personal data are collected from the data subject, the data subject should also be informed whether he or she is obliged to provide the personal data and of the consequences, where he or she does not provide such data. That information may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended processing. Where the icons are presented electronically, they should be machine-readable.

Povezana besedila

(a) identiteto in kontaktne podatke upravljavca in njegovega predstavnika, kadar ta obstaja;

(a) the identity and the contact details of the controller and, where applicable, of the controller’s representative;

Smernice in sodna praksa

(b) kontaktne podatke pooblaščene osebe za varstvo podatkov, kadar ta obstaja;

(b) the contact details of the data protection officer, where applicable;

Smernice in sodna praksa

(c) namene, za katere se osebni podatki obdelujejo, kakor tudi pravno podlago za njihovo obdelavo;

(c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;

Smernice in sodna praksa

(d) kadar obdelava temelji na točki (f) člena 6(1), zakonite interese, za uveljavljanje katerih si prizadeva upravljavec ali tretja oseba;

(d) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;

Smernice in sodna praksa Povezana besedila

(e) uporabnike ali kategorije uporabnikov osebnih podatkov, če obstajajo;

(e) the recipients or categories of recipients of the personal data, if any;

Smernice in sodna praksa Povezana besedila

(f) kadar je ustrezno, dejstvo, da upravljavec namerava prenesti osebne podatke v tretjo državo ali mednarodno organizacijo, ter obstoj ali neobstoj sklepa Komisije o ustreznosti ali v primeru prenosov iz člena 46 ali 47 ali drugega pododstavka člena 49(1) sklic na ustrezne ali primerne zaščitne ukrepe in sredstva za pridobitev njihove kopije ali kje so na voljo.

(f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.

Smernice in sodna praksa Povezana besedila

2. Poleg informacij iz odstavka 1 upravljavec takrat, ko pridobi osebne podatke posamezniku, na katerega se ti nanašajo, zagotovi naslednje dodatne informacije, ki so potrebne za zagotovitev poštene in pregledne obdelave:

2. In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:

Uvodne izjave

(61) Posameznike, na katere se nanašajo osebni podatki, bi bilo treba o obdelavi osebnih podatkov v zvezi z njimi obvestiti v trenutku zbiranja podatkov od posameznika, na katerega se nanašajo osebni podatki, ali, kadar se osebni podatki pridobijo iz drugega vira, v ustreznem roku odvisno od okoliščin primera. Kadar se lahko osebni podatki zakonito razkrijejo drugemu uporabniku, bi moral biti posameznik, na katerega se nanašajo osebni podatki, obveščen, ko se osebni podatki prvič razkrijejo uporabniku. Kadar namerava upravljavec obdelovati osebne podatke za namen, ki ni namen, za katerega so bili zbrani, bi moral upravljavec posamezniku, na katerega se nanašajo osebni podatki, pred tako nadaljnjo obdelavo podatkov zagotoviti informacije o tem drugem namenu in druge potrebne informacije. Kadar temu posamezniku ni mogoče sporočiti izvora osebnih podatkov zaradi uporabe različnih virov, bi mu bilo treba zagotoviti splošne informacije.

(61) The information in relation to the processing of personal data relating to the data subject should be given to him or her at the time of collection from the data subject, or, where the personal data are obtained from another source, within a reasonable period, depending on the circumstances of the case. Where personal data can be legitimately disclosed to another recipient, the data subject should be informed when the personal data are first disclosed to the recipient. Where the controller intends to process the personal data for a purpose other than that for which they were collected, the controller should provide the data subject prior to that further processing with information on that other purpose and other necessary information. Where the origin of the personal data cannot be provided to the data subject because various sources have been used, general information should be provided.

Povezana besedila

(a) obdobje hrambe osebnih podatkov ali, kadar to ni mogoče, merila, ki se uporabijo za določitev tega obdobja;

(a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph to article 13(2)(a) GDPR:

7.4.7 Retention

Control

The organization should not retain PII for longer than is necessary for the purposes for which the PII is processed.

Implementation guidance

The organization should develop and maintain retention schedules for information it retains, taking into account the requirement to retain PII for no longer than is necessary.

(EN) […]


to read the full text

Smernice in sodna praksa

(b) obstoj pravice, da se od upravljavca zahtevajo dostop do osebnih podatkov in popravek ali izbris osebnih podatkov ali omejitev obdelave v zvezi s posameznikom, na katerega se nanašajo osebni podatki, ali obstoj pravice do ugovora obdelavi in pravice do prenosljivosti podatkov;

(b) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraphs to article 13(2)(b) GDPR:

7.3.5 Providing mechanism to object to PII processing

Control

The organization should provide a mechanism for PII principals to object to the processing of their PII.

Implementation guidance

Some jurisdictions provide PII principals with a right to object to the processing of their PII. Organizations subject to the legislation and/or regulation of such jurisdictions should ensure that they implement appropriate measures to enable PII principals to exercize this right.

(EN) […]


to read the full text

Smernice in sodna praksa

(c) kadar obdelava temelji na točki (a) člena 6(1) ali točki (a) člena 9(2), obstoj pravice, da se lahko privolitev kadar koli prekliče, ne da bi to vplivalo na zakonitost obdelave podatkov, ki se je na podlagi privolitve izvajala do njenega preklica;

(c) where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph to article 13(2)(c) GDPR:

7.3.4 Providing mechanism to modify or withdraw consent

Control

The organization should provide a mechanism for PII principals to modify or withdraw their consent.

Implementation guidance

The organization should inform PII principals of their rights related to withdrawing consent (which may vary by jurisdiction) at any time, and provide the mechanism to do so.

(EN) […]


to read the full text

Smernice in sodna praksa Povezana besedila

(d) pravico do vložitve pritožbe pri nadzornem organu;

(d) the right to lodge a complaint with a supervisory authority;

Smernice in sodna praksa Povezana besedila

(e) ali je zagotovitev osebnih podatkov statutarna ali pogodbena obveznost ali pa obveznost, ki je potrebna za sklenitev pogodbe, ter ali mora posameznik, na katerega se nanašajo osebni podatki, zagotoviti osebne podatke ter kakšne so morebitne posledice, če se taki podatki ne zagotovijo, in

(e) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;

Smernice in sodna praksa

(f) obstoj avtomatiziranega sprejemanja odločitev, vključno z oblikovanjem profilov iz člena 22(1) in (4), ter vsaj v takih primerih smiselne informacije o razlogih zanj, kot tudi pomen in predvidene posledice take obdelave za posameznika, na katerega se nanašajo osebni podatki.

(f) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph to article 13(2)(f) GDPR:

7.3.10 Automated decision making

Control

The organization should identify and address obligations, including legal obligations, to the PII principals resulting from decisions made by the organization which are related to the PII principal based solely on automated processing of PII.

(EN) […]


to read the full text

Smernice in sodna praksa Povezana besedila

3. Kadar namerava upravljavec nadalje obdelovati osebne podatke za namen, ki ni namen, za katerega so bili osebni podatki zbrani, upravljavec posamezniku, na katerega se nanašajo osebni podatki, pred tako nadaljnjo obdelavo podatkov zagotovi informacije o tem drugem namenu in vse nadaljnje relevantne informacije iz odstavka 2.

3. Where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2.

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph to article 13(3) GDPR:

7.3.3 Providing information to PII principals

Control

The organization should provide PII principals with clear and easily accessible information identifying the PII controller and describing the processing of their PII.

Implementation guidance

The organization should provide the information detailed in 7.3.2 to PII principals in a timely, concise, complete, transparent, intelligible and easily accessible form, using clear and plain language, as appropriate to the target audience.

(EN) […]


to read the full text

4. Odstavki 1, 2 in 3 se ne uporabljajo, kadar in kolikor posameznik, na katerega se nanašajo osebni podatki, že ima informacije.

4. Paragraphs 1, 2 and 3 shall not apply where and insofar as the data subject already has the information.

Komentar ISO 27701 Uvodne izjave Smernice in sodna praksa Pustite komentar
Komentar

(EN) To facilitate the work of our consultants, we have collected all the requirements and information that have to be mentioned and created a convenient checklist. Next to each paragraph, we have placed links to specific GDPR articles and guidelines. We grouped all the information into 7 sections:

  • Controller’s identity
  • Purpose and lawful basis for processing
  • Personal data
  • Transfers of data to third countries
  • Rights
  • Changes (in privacy notices)
  • Form (of information provided)

It looks like this:

(EN) […]


to read the full text

(EN) Author
Siarhei Varankevich
(EN) Siarhei Varankevich CIPP/E, CIPM, CIPT, MBA, FIP
FIP_IAPP
(EN) Co-Founder & CEO of Data Privacy Office LLC. Data Protection Trainer and Principal Consultant

(EN)

Data Subject Request Letter Sample

Concern: Request of information regarding my personal data

Dear Madam, Dear Sir,

I have a right to be informed, under Article 13 of the General Data Protection Regulation (GDPR), about personal data concerning me that you are processing…

(EN) […]


to read the full text

(EN) Author
Louis-Philippe Gratton
(EN) Louis-Philippe Gratton PhD, LLM
(EN) Privacy Expert
ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph to article 13 GDPR:

7.3.2 Determining information for PII principals

Control

The organization should determine and document the information to be provided to PII principals regarding the processing of their PII and the timing of such a provision.

Implementation guidance

The organization should determine the legal, regulatory and/or business requirements for when information is to be provided to the PII principal (e.g. prior to processing, within a certain time from when it is requested, etc.) and for the type of information to be provided.

 

(EN) […]


to read the full text

Uvodne izjave

(61) Posameznike, na katere se nanašajo osebni podatki, bi bilo treba o obdelavi osebnih podatkov v zvezi z njimi obvestiti v trenutku zbiranja podatkov od posameznika, na katerega se nanašajo osebni podatki, ali, kadar se osebni podatki pridobijo iz drugega vira, v ustreznem roku odvisno od okoliščin primera. Kadar se lahko osebni podatki zakonito razkrijejo drugemu uporabniku, bi moral biti posameznik, na katerega se nanašajo osebni podatki, obveščen, ko se osebni podatki prvič razkrijejo uporabniku. Kadar namerava upravljavec obdelovati osebne podatke za namen, ki ni namen, za katerega so bili zbrani, bi moral upravljavec posamezniku, na katerega se nanašajo osebni podatki, pred tako nadaljnjo obdelavo podatkov zagotoviti informacije o tem drugem namenu in druge potrebne informacije. Kadar temu posamezniku ni mogoče sporočiti izvora osebnih podatkov zaradi uporabe različnih virov, bi mu bilo treba zagotoviti splošne informacije.

(61) The information in relation to the processing of personal data relating to the data subject should be given to him or her at the time of collection from the data subject, or, where the personal data are obtained from another source, within a reasonable period, depending on the circumstances of the case. Where personal data can be legitimately disclosed to another recipient, the data subject should be informed when the personal data are first disclosed to the recipient. Where the controller intends to process the personal data for a purpose other than that for which they were collected, the controller should provide the data subject prior to that further processing with information on that other purpose and other necessary information. Where the origin of the personal data cannot be provided to the data subject because various sources have been used, general information should be provided.

(62) Vendar pa uvedba obveznosti zagotavljanja informacij ni nujna, kadar ima posameznik, na katerega se nanašajo osebni podatki, informacije že na voljo ali kadar je shranjevanje ali razkritje osebnih podatkov izrecno določeno z zakonom ali kadar bi se zagotavljanje informacij posamezniku, na katerega se nanašajo osebni podatki, izkazalo za nemogoče ali bi vključevalo nesorazmeren napor. Primer, ko je zagotavljanje nemogoče ali bi vključevalo nesorazmeren napor, bi lahko zlasti bil, kadar se obdelava izvaja za namene arhiviranja v javnem interesu, znanstveno- ali zgodovinskoraziskovalne namene ali statistične namene. V zvezi s tem bi se morali upoštevati število posameznikov, na katere se nanašajo osebni podatki, starost podatkov in vsi sprejeti ustrezni zaščitni ukrepi.

(62) However, it is not necessary to impose the obligation to provide information where the data subject already possesses the information, where the recording or disclosure of the personal data is expressly laid down by law or where the provision of information to the data subject proves to be impossible or would involve a disproportionate effort. The latter could in particular be the case where processing is carried out for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. In that regard, the number of data subjects, the age of the data and any appropriate safeguards adopted should be taken into consideration.

(63) Posameznik, na katerega se nanašajo osebni podatki, bi moral imeti pravico dostopa do osebnih podatkov, ki so bili zbrani v zvezi z njim, in do enostavnega uresničevanja te pravice v razumnih časovnih presledkih, da bi se seznanil z obdelavo in preveril njeno zakonitost. To vključuje pravico posameznikov, na katere se nanašajo osebni podatki, da imajo dostop do podatkov v zvezi s svojim zdravjem, na primer podatkov v njihovi zdravstveni kartoteki, ki vključuje informacije, kot so diagnoze, izvidi preiskav, ocene lečečih zdravnikov in druga zdravljenja ali posegi. Zato bi moral vsak posameznik, na katerega se nanašajo osebni podatki, imeti pravico do seznanitve s sporočilom in njegove pridobitve, zlasti o namenih obdelave osebnih podatkov, po možnosti o obdobju, za katerega so osebni podatki obdelani, uporabnikih osebnih podatkov, o razlogih za morebitno avtomatsko obdelavo osebnih podatkov in, vsaj v primerih, kadar obdelava temelji na oblikovanju profilov, o posledicah take obdelave. Kadar je mogoče, bi upravljavec moral imeti možnost zagotoviti dostop na daljavo do varnega sistema, ki bi posamezniku, na katerega se nanašajo osebni podatki, omogočil neposreden dostop do njegovih osebnih podatkov. Ta pravica ne bi smela negativno vplivati na pravice ali svoboščine drugih, vključno s poslovnimi skrivnostmi ali intelektualno lastnino, ter predvsem na avtorske pravice, ki ščitijo programsko opremo. To pa ne bi smelo povzročiti, da se posamezniku, na katerega se nanašajo osebni podatki, zavrne dostop do vseh informacij. Kadar upravljavec obdeluje veliko količino informacij v zvezi s posameznikom, na katerega se nanašajo osebni podatki, bi moral upravljavec imeti možnost, da pred zagotovitvijo informacij od tega posameznika zahteva, naj podrobno opredeli, na katere informacije ali dejavnosti obdelave se zahteva nanaša.

(63) A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing. This includes the right for data subjects to have access to data concerning their health, for example the data in their medical records containing information such as diagnoses, examination results, assessments by treating physicians and any treatment or interventions provided. Every data subject should therefore have the right to know and obtain communication in particular with regard to the purposes for which the personal data are processed, where possible the period for which the personal data are processed, the recipients of the personal data, the logic involved in any automatic personal data processing and, at least when based on profiling, the consequences of such processing. Where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data. That right should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software. However, the result of those considerations should not be a refusal to provide all information to the data subject. Where the controller processes a large quantity of information concerning the data subject, the controller should be able to request that, before the information is delivered, the data subject specify the information or processing activities to which the request relates.

Smernice in sodna praksa Pustite komentar
[js-disqus]