Člen 26 📖 SUVP (GDPR). Skupni upravljavci

Člen 26 SUVP (GDPR). Skupni upravljavci

Article 26 GDPR. Joint controllers

1. Dva ali več upravljavcev, ki skupaj določijo namene in načine obdelave, so skupni upravljavci. Skupni upravljavci na pregleden način z medsebojnim dogovorom določijo dolžnosti vsakega od njih z namenom izpolnjevanja obveznosti v skladu s to uredbo, zlasti v zvezi z uresničevanjem pravic posameznika, na katerega se nanašajo osebni podatki, in nalogami vsakega od njih glede zagotavljanja informacij iz členov 13 in 14, razen če in kolikor so dolžnosti vsakega od upravljavcev določene s pravom Unije ali pravom države članice, ki velja za upravljavce. Z dogovorom se lahko določi kontaktna točka za posameznike, na katere se nanašajo osebni podatki.

1. Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them unless, and in so far as, the respective responsibilities of the controllers are determined by Union or Member State law to which the controllers are subject. The arrangement may designate a contact point for data subjects.

Povezana besedila

Člen 13 SUVP (GDPR). Informacije, ki se zagotovijo, kadar se osebni podatki pridobijo od posameznika, na katerega se nanašajo osebni podatki

Article 13 GDPR. Information to be provided where personal data are collected from the data subject

Člen 14 SUVP (GDPR). Informacije, ki jih je treba zagotoviti, kadar osebni podatki niso bili pridobljeni od posameznika, na katerega se ti nanašajo

Article 14 GDPR. Information to be provided where personal data have not been obtained from the data subject

2. Dogovor iz odstavka 1 ustrezno odraža vlogo vsakega od skupnih upravljavcev in njegovo razmerje do posameznikov, na katere se nanašajo osebni podatki. Vsebina dogovora se da na voljo posamezniku, na katerega se nanašajo osebni podatki.

2. The arrangement referred to in paragraph 1 shall duly reflect the respective roles and relationships of the joint controllers vis-à-vis the data subjects. The essence of the arrangement shall be made available to the data subject.

Povezana besedila

Article 29 Working Party Guidelines on transparency under Regulation 2016/679

Separately, the issue of joint controllers is also related to making data subjects aware of the risks, rules and safeguards. Article 26.1 requires joint controllers to determine their respective responsibilities for complying with obligations under the GDPR in a transparent manner, in particular with regard to the exercise by data subjects of their rights and the duties to provide the information under Articles 13 and 14. Article 26.2 requires that the essence of the arrangement between the data controllers must be made available to the data subject. In other words, it must be completely clear to a data a subject as to which data controller he or she can approach where they intend to exercise one or more of their rights under the GDPR.[39]

_{[39] Under Article 26.3, irrespective of the terms of the arrangement between joint data controllers under Article 26.1, a data subject may exercise his or her rights under the GDPR in respect of and against each of the joint data controllers.}

3. Posameznik, na katerega se nanašajo osebni podatki, lahko ne glede na pogoje dogovora iz odstavka 1 uresničuje svoje pravice v skladu s to uredbo glede vsakega od upravljavcev in proti vsakemu od njih.

3. Irrespective of the terms of the arrangement referred to in paragraph 1, the data subject may exercise his or her rights under this Regulation in respect of and against each of the controllers.

Splošna uredba o varstvu podatkov (SUVP, GDPR)

General Data Protection Regulation (EU GDPR)

The latest consolidated version of the Regulation with corrections by Corrigendum, OJ L 127, 23.5.2018, p. 2 ((EU) 2016/679). Source: EUR-lex.

Komentar ISO 27701 Uvodne izjave Smernice in sodna praksa Pustite komentar

Komentar

(EN) The expression “joint controller” is one of the most difficult to grasp in practice. It is nonetheless essential to delimit the role of the parties involved in the processing of personal data to determine their responsibilities under the General Data Protection Regulation (GDPR).

(EN) […]

(EN) Sign in
to read the full text

(EN) Author

(EN) Louis-Philippe Gratton PhD, LLM

(EN) Privacy Expert

(EN) Ask a question

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph to articles 26(1), 26(2), and 26(3) GDPR:

7.2.7 Joint PII controller

Control

The organization should determine respective roles and responsibilities for the processing of PII (including PII protection and security requirements) with any joint PII controller.

Implementation guidance

Roles and responsibilities for the processing of PII should be determined in a transparent manner.

(EN) […]

(EN) Sign in
to read the full text

Uvodne izjave

(79) Varstvo pravic in svoboščin posameznikov, na katere se nanašajo osebni podatki, pa tudi pristojnost in odgovornost upravljavcev in obdelovalcev, tudi v povezavi s spremljanjem in ukrepi nadzornih organov, zahtevajo jasno dodelitev odgovornosti na podlagi te uredbe, tudi kadar upravljavec namene in sredstva obdelave določi skupaj z drugimi upravljavci ali kadar je dejanje obdelave izvedeno v imenu upravljavca.

(79) The protection of the rights and freedoms of data subjects as well as the responsibility and liability of controllers and processors, also in relation to the monitoring by and measures of supervisory authorities, requires a clear allocation of the responsibilities under this Regulation, including where a controller determines the purposes and means of the processing jointly with other controllers or where a processing operation is carried out on behalf of a controller.

Smernice in sodna praksa

(EN)

Documents

Article 29 Working Party, Opinion 1/2010 on the concepts of “controller” and “processor” (2010).

EDPS, Guidelines on the Concepts of Controller, Processor and Joint Controllership Under Regulation (EU) 2018/1725 (2019).

EDPB, Guidelines 7/2020 on the Concepts of Controller and Processor in the GDPR (2021).

EDPB, Guidelines 8/2020 on the targeting of social media users (2020).

ICO, Right of Access (2020).

ICO, Data sharing: a code of practice (2020).

EDPB, Guidelines 02/2021 on Virtual Voice Assistants (2021).

Case Law

CJEU, Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein/Wirtschaftsakademie Schleswig-Holstein GmbH, C-210/16 (2018).

CJEU, Tietosuojavaltuutettu v Jehovan todistajat, C-25/17 (2018):

The existence of joint responsibility does not necessarily imply equal responsibility of the various operators involved in the processing of personal data. On the contrary, those operators may be involved at different stages of that processing of personal data and to different degrees, so that the level of responsibility of each of them must be assessed with regard to all the relevant circumstances of the particular case. Actual access to personal data is not a prerequisite for joint responsibility (p. 68-72).

CJEU, Fashion ID GmbH & Co. KG/Verbraucherzentrale NRW eV, C-40/17 (2019).

Pustite komentar

[js-disqus]