Člen 30 📖 SUVP (GDPR). Evidenca dejavnosti obdelave

Člen 30 SUVP (GDPR). Evidenca dejavnosti obdelave

Article 30 GDPR. Records of processing activities

1. Vsak upravljavec in predstavnik upravljavca, kadar ta obstaja, vodi evidenco dejavnosti obdelave osebnih podatkov v okviru svoje odgovornosti. Ta evidenca vsebuje vse naslednje informacije:

1. Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:

(a) naziv ali ime in kontaktne podatke upravljavca in, kadar obstajajo, skupnega upravljavca, predstavnika upravljavca in pooblaščene osebe za varstvo podatkov;

(a) the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;

(b) namene obdelave;

(b) the purposes of the processing;

(c) opis kategorij posameznikov, na katere se nanašajo osebni podatki, in vrst osebnih podatkov;

(c) a description of the categories of data subjects and of the categories of personal data;

(d) kategorije uporabnikov, ki so jim bili ali jim bodo razkriti osebni podatki, vključno z uporabniki v tretjih državah ali mednarodnih organizacijah;

(d) the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph to article 30(1)(d) GDPR:

7.5.4 Records of PII disclosure to third parties

Control

The organization should record disclosures of PII to third parties, including what PII has been disclosed, to whom and at what time.

Implementation guidance

PII can be disclosed during the course of normal operations.

(EN) […]

(EN) Sign in
to read the full text

(e) kadar je ustrezno, informacije o prenosih osebnih podatkov v tretjo državo ali mednarodno organizacijo, vključno z identifikacijo te tretje države ali mednarodne organizacije, v primeru prenosov iz drugega pododstavka člena 49(1) pa tudi dokumentacijo o ustreznih zaščitnih ukrepih;

(e) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;

ISO 27701 Povezana besedila

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraphs to article 30(1)(e) GDPR:

7.5.1 Identify basis for PII transfer between jurisdictions

Control

The organization should identify and document the relevant basis for transfers of PII between jurisdictions.

Implementation guidance

PII transfer can be subject to legislation and/or regulation depending on the jurisdiction or international organization to which data is to be transferred (and from where it originates).

(EN) […]

(EN) Sign in
to read the full text

Povezana besedila

Člen 49 SUVP (GDPR). Odstopanja v posebnih primerih

Article 49 GDPR. Derogations for specific situations

[…]

Kadar podlaga za prenos ne morejo biti določbe iz člena 45 ali 46, vključno z določbami zavezujočih poslovnih pravil, in ne velja nobeno od odstopanj v posebnih primerih iz prvega pododstavka tega odstavka, se lahko prenos v tretjo državo ali mednarodno organizacijo izvede samo, če prenos ni ponovljiv, zadeva le omejeno število posameznikov, na katere se nanašajo osebni podatki, je potreben zaradi nujnih zakonitih interesov, za katere si prizadeva upravljavec in nad katerimi ne prevladajo interesi ali pravice in svoboščine posameznika, na katerega se nanašajo osebni podatki, in pod pogojem, da je upravljavec ocenil vse okoliščine v zvezi s prenosom podatkov in na podlagi te ocene predvidel ustrezne zaščitne ukrepe v zvezi z varstvom osebnih podatkov. Upravljavec o prenosu obvesti nadzorni organ. Poleg informacij iz členov 13 in 14 upravljavec posreduje posamezniku, na katerega se nanašajo osebni podatki, tudi informacije o zadevnem prenosu in nujnih zakonitih interesih, za katere si prizadeva upravljavec.

Where a transfer could not be based on a provision in Article 45 or 46, including the provisions on binding corporate rules, and none of the derogations for a specific situation referred to in the first subparagraph of this paragraph is applicable, a transfer to a third country or an international organisation may take place only if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data. The controller shall inform the supervisory authority of the transfer. The controller shall, in addition to providing the information referred to in Articles 13 and 14, inform the data subject of the transfer and on the compelling legitimate interests pursued.

[…]

(f) kadar je mogoče, predvidene roke za izbris različnih vrst podatkov;

(f) where possible, the envisaged time limits for erasure of the different categories of data;

ISO 27701

(EN) 8.4.2 Return, transfer or disposal of PII

Control

The organization should provide the ability to return, transfer and/or disposal of PII in a secure manner. It should also make its policy available to the customer.

Implementation guidance

At some point in time, PII can need to be disposed of in some manner.

(EN) […]

(EN) Sign in
to read the full text

(g) kadar je mogoče, splošni opis tehničnih in organizacijskih varnostnih ukrepov iz člena 32(1).

(g) where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

Povezana besedila

Člen 32 SUVP (GDPR). Varnost obdelave

Article 32 GDPR. Security of processing

1. Ob upoštevanju najnovejšega tehnološkega razvoja in stroškov izvajanja ter narave, obsega, okoliščin in namenov obdelave, pa tudi tveganj za pravice in svoboščine posameznikov, ki se razlikujejo po verjetnosti in resnosti, upravljavec in obdelovalec z izvajanjem ustreznih tehničnih in organizacijskimi ukrepov zagotovita ustrezno raven varnosti glede na tveganje, vključno med drugim z naslednjimi ukrepi, kot je ustrezno:

1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

(a) psevdonimizacijo in šifriranjem osebnih podatkov;

(a) the pseudonymisation and encryption of personal data;

(b) zmožnostjo zagotoviti stalno zaupnost, celovitost, dostopnost in odpornost sistemov in storitev za obdelavo;

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

(c) zmožnostjo pravočasno povrniti razpoložljivost in dostop do osebnih podatkov v primeru fizičnega ali tehničnega incidenta;

(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

(d) postopkom rednega testiranja, ocenjevanja in vrednotenja učinkovitosti tehničnih in organizacijskih ukrepov za zagotavljanje varnostni obdelave.

(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

[…]

2. Vsak obdelovalec in predstavnik obdelovalca, kadar ta obstaja, vodita evidenco vseh vrst dejavnosti obdelave, ki jih izvajata v imenu upravljavca, ki vsebuje:

2. Each processor and, where applicable, the processor’s representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing:

(a) naziv ali ime in kontaktne podatke obdelovalca ali obdelovalcev in vsakega upravljavca, v imenu katerega deluje obdelovalec, ter, kadar obstajajo, predstavnika upravljavca ali obdelovalca, in pooblaščene osebe za varstvo podatkov;

(a) the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller’s or the processor’s representative, and the data protection officer;

(b) vrste obdelave, ki se izvaja v imenu posameznega upravljavca;

(b) the categories of processing carried out on behalf of each controller;

(c) kadar je ustrezno, prenose osebnih podatkov v tretjo državo ali mednarodno organizacijo, vključno z identifikacijo te tretje države ali mednarodne organizacije, v primeru prenosov iz drugega pododstavka člena 49(1) pa tudi dokumentacijo o ustreznih zaščitnih ukrepih;

(c) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII processors.

Here is the relevant paragraph to article 30(2)(c) GDPR:

8.5.2 Countries and international organizations to which PII can be transferred

Control

The organization should specify and document the countries and international organizations to which PII can possibly be transferred.

Implementation guidance

The identities of the countries and international organizations to which PII can possibly be transferred in normal operations should be made available to customers.

(EN) […]

(EN) Sign in
to read the full text

(d) kadar je mogoče, splošni opis tehničnih in organizacijskih varnostnih ukrepov iz člena 32(1).

(d) where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

ISO 27701 Povezana besedila

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added a requirement additional to ISO/IEC 27002, section 15.1.2.

Here is the relevant paragraph to article 30(2)(d) GDPR:

6.12.1.2 Addressing security within supplier agreements

Implementation guidance

The organization should specify in agreements with suppliers whether PII is processed and the minimum technical and organizational measures that the supplier needs to meet in order for the organization to meet its information security and PII protection obligations (see 7.2.6 and 8.2.1).

(EN) […]

(EN) Sign in
to read the full text

Povezana besedila

Člen 32 SUVP (GDPR). Varnost obdelave

Article 32 GDPR. Security of processing

(a) psevdonimizacijo in šifriranjem osebnih podatkov;

(a) the pseudonymisation and encryption of personal data;

(b) zmožnostjo zagotoviti stalno zaupnost, celovitost, dostopnost in odpornost sistemov in storitev za obdelavo;

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

(c) zmožnostjo pravočasno povrniti razpoložljivost in dostop do osebnih podatkov v primeru fizičnega ali tehničnega incidenta;

(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

(d) postopkom rednega testiranja, ocenjevanja in vrednotenja učinkovitosti tehničnih in organizacijskih ukrepov za zagotavljanje varnostni obdelave.

(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

[…]

3. Evidence iz odstavkov 1 in 2 so v pisni, vključno v elektronski obliki.

3. The records referred to in paragraphs 1 and 2 shall be in writing, including in electronic form.

4. Upravljavec, obdelovalec ali predstavnik upravljavca ali obdelovalca, kadar ta obstaja, nadzornemu organu na zahtevo omogočijo dostop do evidenc.

4. The controller or the processor and, where applicable, the controller’s or the processor’s representative, shall make the record available to the supervisory authority on request.

5. Obveznosti iz odstavkov 1 in 2 se ne uporabljajo za podjetje ali organizacijo, ki zaposluje manj kot 250 oseb, razen če je verjetno, da obdelava, ki jo izvaja, predstavlja tveganje za pravice in svoboščine posameznikov, na katere se nanašajo osebni podatki, in ni občasna, ali obdelava vključuje posebne vrste podatkov iz člena 9(1) ali osebne podatke v zvezi s kazenskimi obsodbami in prekrški iz člena 10.

5. The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.

Smernice in sodna praksa Povezana besedila

Smernice in sodna praksa

(EN)

Document

Article 29 Working Party, Position Paper on the Derogations from the Obligation to Maintain Records of Processing Activities pursuant to Article 30(5) GDPR (2018).

Povezana besedila

Člen 9 SUVP (GDPR). Obdelava posebnih vrst osebnih podatkov

Article 9 GDPR. Processing of special categories of personal data

1. Prepovedani sta obdelava osebnih podatkov, ki razkrivajo rasno ali etnično poreklo, politično mnenje, versko ali filozofsko prepričanje ali članstvo v sindikatu, in obdelava genetskih podatkov, biometričnih podatkov za namene edinstvene identifikacije posameznika, podatkov v zvezi z zdravjem ali podatkov v zvezi s posameznikovim spolnim življenjem ali spolno usmerjenostjo.

1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.

[…]

Člen 10 SUVP (GDPR). Obdelava osebnih podatkov v zvezi s kazenskimi obsodbami in prekrški

Article 10 GDPR. Processing of personal data relating to criminal convictions and offences

Obdelava osebnih podatkov v zvezi s kazenskimi obsodbami in prekrški ali s tem povezanimi varnostnimi ukrepi na podlagi člena 6(1) se izvaja le pod nadzorom uradnega organa ali če obdelavo dovoljuje pravo Unije ali pravo države članice, ki zagotavlja ustrezne zaščitne ukrepe za pravice in svoboščine posameznikov, na katere se nanašajo osebni podatki. Kakršni koli celoviti registri kazenskih obsodb se vodijo samo pod nadzorom uradnega organa.

Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority.

Splošna uredba o varstvu podatkov (SUVP, GDPR)

General Data Protection Regulation (EU GDPR)

The latest consolidated version of the Regulation with corrections by Corrigendum, OJ L 127, 23.5.2018, p. 2 ((EU) 2016/679). Source: EUR-lex.

Komentar ISO 27701 Uvodne izjave Smernice in sodna praksa Pustite komentar

Komentar

(EN) Article 30 is pretty straightforward and gives us very direct instructions on what document has to be created and what information has to be in it. Often it is enough to create a spreadsheet or a simple Excel table if the number of your processing activities is not so high, but if it doesn’t scale well, there are also specialised software solutions for Register of Processing Activities.

(EN) […]

(EN) Sign in
to read the full text

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph to article 30 GDPR:

7.2.8 Records related to processing PII

Control

The organization should determine and securely maintain the necessary records in support of its obligations for the processing of PII.

Implementation guidance

A way to maintain records of the processing of PII is to have an inventory or list of the PII processing activities that the organization performs. Such an inventory can include:

(EN) […]

(EN) Sign in
to read the full text

Uvodne izjave

(13) Da se zagotovi skladna raven varstva posameznikov v vsej Uniji in prepreči, da bi razlike ovirale prosti pretok osebnih podatkov na notranjem trgu, je potrebna uredba, ki bo gospodarskim subjektom, tudi mikro, malim in srednjim podjetjem, zagotovila pravno varnost in preglednost, posameznikom v vseh državah članicah zagotovila enako raven pravno izvršljivih pravic ter obveznosti in odgovornosti upravljavcev in obdelovalcev, zagotovila dosledno spremljanje obdelave osebnih podatkov, enakovredne sankcije v vseh državah članicah in učinkovito sodelovanje nadzornih organov različnih držav članic. Za pravilno delovanje notranjega trga prosti pretok osebnih podatkov v Uniji ne sme biti niti omejen niti prepovedan iz razlogov, povezanih z varstvom posameznikov pri obdelavi osebnih podatkov. Za upoštevanje posebnega položaja mikro, malih in srednjih podjetij ta uredba vsebuje odstopanja glede vodenja evidenc za organizacije, ki zaposlujejo manj kot 250 oseb. Poleg tega se institucije in organe Unije ter države članice in njihove nadzorne organe spodbuja, da posebne potrebe mikro, malih in srednjih podjetij upoštevajo pri uporabi te uredbe. Pojem mikro, malih in srednjih podjetij bi moral temeljiti na členu 2 Priloge k Priporočilu Komisije 2003/361/ES (5).

(13) In order to ensure a consistent level of protection for natural persons throughout the Union and to prevent divergences hampering the free movement of personal data within the internal market, a Regulation is necessary to provide legal certainty and transparency for economic operators, including micro, small and medium-sized enterprises, and to provide natural persons in all Member States with the same level of legally enforceable rights and obligations and responsibilities for controllers and processors, to ensure consistent monitoring of the processing of personal data, and equivalent sanctions in all Member States as well as effective cooperation between the supervisory authorities of different Member States. The proper functioning of the internal market requires that the free movement of personal data within the Union is not restricted or prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data. To take account of the specific situation of micro, small and medium-sized enterprises, this Regulation includes a derogation for organisations with fewer than 250 employees with regard to record-keeping. In addition, the Union institutions and bodies, and Member States and their supervisory authorities, are encouraged to take account of the specific needs of micro, small and medium-sized enterprises in the application of this Regulation. The notion of micro, small and medium-sized enterprises should draw from Article 2 of the Annex to Commission Recommendation 2003/361/EC [5].

_{(5) Priporočilo Komisije z dne 6. maja 2003 o opredelitvi mikro, malih in srednje velikih podjetij (C(2003) 1422) (UL L 124, 20.5.2003, str. 36). https://eur-lex.europa.eu/legal-content/EN/AUTO/?uri=OJ:L:2003:124:TOC}

_{[5] Commission Recommendation of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises (C(2003) 1422) (OJ L 124, 20.5.2003, p. 36). https://eur-lex.europa.eu/legal-content/EN/AUTO/?uri=OJ:L:2003:124:TOC}

(39) Vsaka obdelava osebnih podatkov bi morala biti zakonita in poštena. Načini zbiranja, uporabe, pregledovanja ali drug način obdelave ter obseg obdelave ali prihodnje obdelave osebnih podatkov, ki se nanašajo na posameznike, bi morali za posameznike biti pregledni. Načelo preglednosti zahteva, da so vse informacije in sporočila, ki se nanašajo na obdelavo teh osebnih podatkov, lahko dostopni in razumljivi ter izraženi v jasnem in preprostem jeziku. To načelo zadeva zlasti informacije za posameznike, na katere se nanašajo osebni podatki, o istovetnosti upravljavca in namenih obdelave ter dodatne informacije za zagotovitev poštene in pregledne obdelave glede zadevnih posameznikov in njihove pravice do pridobitve potrditve in sporočila o obdelavi osebnih podatkov v zvezi z njimi. Posameznike bi bilo treba opozoriti na tveganja, pravila, zaščitne ukrepe in pravice v zvezi z obdelavo njihovih osebnih podatkov ter na to, kako lahko uresničujejo njihove pravice v zvezi s tako obdelavo. Zlasti posebni nameni, za katere se osebni podatki obdelujejo, bi morali biti izrecni in zakoniti ter določeni v času zbiranja osebnih podatkov. Osebni podatki bi morali biti ustrezni, relevantni in omejeni na to, kar je potrebno za namene, za katere se obdelujejo. Zato bi bilo treba zlasti zagotoviti, da je obdobje hrambe osebnih podatkov omejeno na najkrajše mogoče obdobje. Osebni podatki bi se lahko obdelali le, če namena obdelave ne bi bilo mogoče razumno doseči z drugimi sredstvi. Za zagotovitev, da se osebni podatki hranijo le toliko časa, kolikor je potrebno, bi moral upravljavec določiti roke za izbris ali občasno preverjanje. Sprejeti bi bilo treba vse smiselne ukrepe za popravek ali izbris netočnih osebnih podatkov. Osebne podatke bi bilo treba obdelovati na način, ki zagotavlja ustrezno varnost in zaupnost osebnih podatkov, tudi za preprečitev nedovoljenega dostopa do osebnih podatkov ali uporabe osebnih podatkov in opreme za obdelavo.

(39) Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed. Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review. Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted. Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.

(82) Za dokaz skladnosti s to uredbo bi moral upravljavec ali obdelovalec hraniti evidence o dejavnostih obdelave, za katere je odgovoren. Vsak upravljavec in obdelovalec bi moral biti zavezan k sodelovanju z nadzornimi organi in na zahtevo omogočiti dostop do teh evidenc, da bi bile tako lahko namenjene spremljanju dejanj obdelave.

(82) In order to demonstrate compliance with this Regulation, the controller or processor should maintain records of processing activities under its responsibility. Each controller and processor should be obliged to cooperate with the supervisory authority and make those records, on request, available to it, so that it might serve for monitoring those processing operations.

Smernice in sodna praksa

(EN) Information Commissioner’s Office (ICO, Great Britain), Documentation template for controllers

Information Commissioner’s Office (ICO, Great Britain), Documentation template for processors

Information Commissioner’s Office (ICO, Great Britain), Right of Access (2020).

Information Commissioner’s Office (ICO, Great Britain), Data sharing: a code of practice (2020).

EDPB, Guidelines 02/2021 on Virtual Voice Assistants (2021).

Pustite komentar

[js-disqus]