Article 22 GDPR. Automated individual decision-making, including profiling

1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

Commentary author: Siarhei Varankevich, CIPP/E, CIPM, CIPT, MBA, FIP
Co-Founder & CEO of Data Privacy Office LLC. Data Protection Trainer and Principal Consultant

2. Paragraph 1 shall not apply if the decision:

(a) is necessary for entering into, or performance of, a contract between the data subject and a data controller;

(b) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or

(c) is based on the data subject’s explicit consent.

3. In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

4. Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place.

Commentary

Data Subject Request Letter Sample

Concern: Request to object to automated decision

Dear Madam, Dear Sir,

I am subject to a decision made by your [company | organization | etc.] based solely on [automated processing | profiling | etc.].

[…]

Author: Louis-Philippe Gratton, PhD, LLM, Privacy Expert
ISO 27701

ISO/IEC 27701, adopted in 2019, introduced additional ISO/IEC 27002 guidance for PII controllers.

Here are the paragraphs relevant to Article 22 GDPR:

7.2.2 Identify lawful basis

Control

The organization should determine, document and comply with the relevant lawful basis for the processing of PII for the identified purposes.

Implementation guidance

Some jurisdictions require the organization to be able to demonstrate that the lawfulness of processing was duly established before the processing.

[…]

Recitals

(71) The data subject should have the right not to be subject to a decision, which may include a measure, evaluating personal aspects relating to him or her which is based solely on automated processing and which produces legal effects concerning him or her or similarly significantly affects him or her, such as automatic refusal of an online credit application or e-recruiting practices without any human intervention. Such processing includes ‘profiling’ that consists of any form of automated processing of personal data evaluating the personal aspects relating to a natural person, in particular to analyse or predict aspects concerning the data subject's performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, where it produces legal effects concerning him or her or similarly significantly affects him or her. However, decision-making based on such processing, including profiling, should be allowed where expressly authorised by Union or Member State law to which the controller is subject, including for fraud and tax-evasion monitoring and prevention purposes conducted in accordance with the regulations, standards and recommendations of Union institutions or national oversight bodies and to ensure the security and reliability of a service provided by the controller, or necessary for the entering or performance of a contract between the data subject and a controller, or when the data subject has given his or her explicit consent. In any case, such processing should be subject to suitable safeguards, which should include specific information to the data subject and the right to obtain human intervention, to express his or her point of view, to obtain an explanation of the decision reached after such assessment and to challenge the decision. Such measure should not concern a child.

In order to ensure fair and transparent processing in respect of the data subject, taking into account the specific circumstances and context in which the personal data are processed, the controller should use appropriate mathematical or statistical procedures for the profiling, implement technical and organisational measures appropriate to ensure, in particular, that factors which result in inaccuracies in personal data are corrected and the risk of errors is minimised, secure personal data in a manner that takes account of the potential risks involved for the interests and rights of the data subject and that prevents, inter alia, discriminatory effects on natural persons on the basis of racial or ethnic origin, political opinion, religion or beliefs, trade union membership, genetic or health status or sexual orientation, or that result in measures having such an effect. Automated decision-making and profiling based on special categories of personal data should be allowed only under specific conditions.

(72) Profiling is subject to the rules of this Regulation governing the processing of personal data, such as the legal grounds for processing or data protection principles. The European Data Protection Board established by this Regulation (the ‘Board’) should be able to issue guidance in that context.
