Člen 37 📖 SUVP (GDPR). Imenovanje pooblaščene osebe za varstvo podatkov

Člen 37 SUVP (GDPR). Imenovanje pooblaščene osebe za varstvo podatkov

Article 37 GDPR. Designation of the data protection officer

1. Upravljavec in obdelovalec imenujeta pooblaščeno osebo za varstvo podatkov vedno, kadar:

1. The controller and the processor shall designate a data protection officer in any case where:

(a) obdelavo opravlja javni organ ali telo, razen sodišč, kadar delujejo kot sodni organ;

(a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;

Povezana besedila

Guidelines on Data Protection Officers (‘DPOs’)

2.1.1 ‘PUBLIC AUTHORITY OR BODY’

The GDPR does not define what constitutes a ‘public authority or body’. The WP29 considers that such a notion is to be determined under national law. Accordingly, public authorities and bodies include national, regional and local authorities, but the concept, under the applicable national laws, typically also includes a range of other bodies governed by public law [12]. In such cases, the designation of a DPO is mandatory.

_{[12] See, e.g. the definition of ‘public sector body’ and ‘body governed by public law’ in Article 2(1) and (2) of Directive 2003/98/EC of the European Parliament and of the Council of 17 November 2003 on the re-use of public-sector information (OJ L 345, 31.12.2003, p. 90).}

A public task may be carried out, and public authority may be exercised [13] not only by public authorities or bodies but also by other natural or legal persons governed by public or private law, in sectors such as, according to national regulation of each Member State, public transport services, water and energy supply, road infrastructure, public service broadcasting, public housing or disciplinary bodies for regulated professions.

_{[13] Article 6(1)(e).}

(b) temeljne dejavnosti upravljavca ali obdelovalca zajemajo dejanja obdelave, pri katerih je treba zaradi njihove narave, obsega in/ali namenov posameznike, na katere se nanašajo osebni podatki, redno in sistematično obsežno spremljati, ali

(b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or

Povezana besedila

Guidelines on Data Protection Officers (‘DPOs’)

3. What does ‘large scale’ mean?

The GDPR does not define what constitutes large-scale processing. The WP29 recommends that the following factors, in particular, be considered when determining whether the processing is carried out on a large scale:

• the number of data subjects concerned – either as a specific number or as a proportion of the relevant population

• the volume of data and/or the range of different data items being processed

• the duration, or permanence, of the data processing activity

• the geographical extent of the processing activity.

Examples of large scale processing include:

• processing of patient data in the regular course of business by a hospital

• processing of travel data of individuals using a city’s public transport system (e.g. tracking via travel cards)

• processing of real time geo-location data of customers of an international fast food chain for statistical purposes by a processor specialised in these activities

• processing of customer data in the regular course of business by an insurance company or a bank

• processing of personal data for behavioural advertising by a search engine

• processing of data (content, traffic, location) by telephone or internet service providers.

Examples that do not constitute large-scale processing include:

• processing of patient data by an individual physician

• processing of personal data relating to criminal convictions and offences by an individual lawyer.

Guidelines on Data Protection Officers (‘DPOs’)

2.1.2 ‘CORE ACTIVITIES’

Article 37(1)(b) and (c) of the GDPR refers to the ‘core activities of the controller or processor’. Recital 97 specifies that the core activities of a controller relate to ‘primary activities and do not relate to the processing of personal data as ancillary activities’. ‘Core activities’ can be considered as the key operations necessary to achieve the controller’s or processor’s goals.

However, ‘core activities’ should not be interpreted as excluding activities where the processing of data forms an inextricable part of the controller’s or processor’s activity. For example, the core activity of a hospital is to provide health care. However, a hospital could not provide healthcare safely and effectively without processing health data, such as patients’ health records. Therefore, processing these data should be considered to be one of any hospital’s core activities and hospitals must therefore designate DPOs.

2.1.4 ‘REGULAR AND SYSTEMATIC MONITORING’

WP29 interprets ‘regular’ as meaning one or more of the following:

• ongoing or occurring at particular intervals for a particular period

• recurring or repeated at fixed times

• constantly or periodically taking place.

WP29 interprets ‘systematic’ as meaning one or more of the following:

• occurring according to a system

• pre-arranged, organised or methodical

• taking place as part of a general plan for data collection

• carried out as part of a strategy.

(c) temeljne dejavnosti upravljavca ali obdelovalca zajemajo obsežno obdelavo posebnih vrst podatkov v skladu s členom 9 in osebnih podatkov v zvezi s kazenskimi obsodbami in prekrški iz člena 10.

(c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 or personal data relating to criminal convictions and offences referred to in Article 10.

Povezana besedila

Člen 9 SUVP (GDPR). Obdelava posebnih vrst osebnih podatkov

Article 9 GDPR. Processing of special categories of personal data

1. Prepovedani sta obdelava osebnih podatkov, ki razkrivajo rasno ali etnično poreklo, politično mnenje, versko ali filozofsko prepričanje ali članstvo v sindikatu, in obdelava genetskih podatkov, biometričnih podatkov za namene edinstvene identifikacije posameznika, podatkov v zvezi z zdravjem ali podatkov v zvezi s posameznikovim spolnim življenjem ali spolno usmerjenostjo.

1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.

2. Odstavek 1 se ne uporablja, če velja eno od naslednjega:

2. Paragraph 1 shall not apply if one of the following applies:

(a) posameznik, na katerega se nanašajo osebni podatki, je dal izrecno privolitev v obdelavo navedenih osebnih podatkov za enega ali več določenih namenov, razen kadar pravo Unije ali pravo države članice določa, da posameznik, na katerega se nanašajo osebni podatki, ne sme odstopiti od prepovedi iz odstavka 1;

(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;

[…]

Člen 10 SUVP (GDPR). Obdelava osebnih podatkov v zvezi s kazenskimi obsodbami in prekrški

Article 10 GDPR. Processing of personal data relating to criminal convictions and offences

Obdelava osebnih podatkov v zvezi s kazenskimi obsodbami in prekrški ali s tem povezanimi varnostnimi ukrepi na podlagi člena 6(1) se izvaja le pod nadzorom uradnega organa ali če obdelavo dovoljuje pravo Unije ali pravo države članice, ki zagotavlja ustrezne zaščitne ukrepe za pravice in svoboščine posameznikov, na katere se nanašajo osebni podatki. Kakršni koli celoviti registri kazenskih obsodb se vodijo samo pod nadzorom uradnega organa.

Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority.

Guidelines on Data Protection Officers (‘DPOs’)

• the number of data subjects concerned – either as a specific number or as a proportion of the relevant population

• the volume of data and/or the range of different data items being processed

• the duration, or permanence, of the data processing activity

• the geographical extent of the processing activity.

Examples of large scale processing include:

• processing of patient data in the regular course of business by a hospital

• processing of travel data of individuals using a city’s public transport system (e.g. tracking via travel cards)

• processing of real time geo-location data of customers of an international fast food chain for statistical purposes by a processor specialised in these activities

• processing of customer data in the regular course of business by an insurance company or a bank

• processing of personal data for behavioural advertising by a search engine

• processing of data (content, traffic, location) by telephone or internet service providers.

Examples that do not constitute large-scale processing include:

• processing of patient data by an individual physician

• processing of personal data relating to criminal convictions and offences by an individual lawyer.

Guidelines on Data Protection Officers (‘DPOs’)

2.1.2 ‘CORE ACTIVITIES’

2. Povezana družba lahko imenuje eno pooblaščeno osebo za varstvo podatkov, če je ta pooblaščena oseba za varstvo podatkov lahko dostopna iz vsake enote.

2. A group of undertakings may appoint a single data protection officer provided that a data protection officer is easily accessible from each establishment.

Povezana besedila

Article 29 Working Party Guidelines on transparency under Regulation 2016/679

The “easily accessible” element means that the data subject should not have to seek out the information; it should be immediately apparent to them where and how this information can be accessed, for example by providing it directly to them, by linking them to it, by clearly signposting it or as an answer to a natural language question (for example in an online layered privacy statement/ notice, in FAQs, by way of contextual pop-ups which activate when a data subject fills in an online form, or in an interactive digital context through a chatbot interface, etc. These mechanisms are further considered below, including at paragraphs 33 to 40).

Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)

“An establishment in the Union”

The threshold for “stable arrangement [9]” can actually be quite low when the centre of activities of a controller concerns the provision of services online. As a result, in some circumstances, the presence of one single employee or agent of a non-EU entity in the Union may be sufficient to constitute a stable arrangement (amounting to an ‘establishment’ for the purposes of Art 3(1)) if that employee or agent acts with a sufficient degree of stability. Conversely, when an employee is based in the EU but the processing is not being carried out in the context of the activities of the EU-based employee in the Union (i.e. the processing relates to activities of the controller outside the EU), the mere presence of an employee in the EU will not result in that processing falling within the scope of the GDPR. In other words, the mere presence of an employee in the EU is not as such sufficient to trigger the application of the GDPR, since for the processing in question to fall within the scope of the GDPR, it must also be carried out in the context of the activities of the EU-based employee.

_{[9] Weltimmo, paragraph 31.}

The fact that the non-EU entity responsible for the data processing does not have a branch or subsidiary in a Member State does not preclude it from having an establishment there within the meaning of EU data protection law. Although the notion of establishment is broad, it is not without limits. It is not possible to conclude that the non-EU entity has an establishment in the Union merely because the undertaking’s website is accessible in the Union [10].

_{[10] CJEU, Verein für Konsumenteninformation v. Amazon EU Sarl, Case C‑191/15, 28 July 2016, paragraph 76 (hereafter “Verein für Konsumenteninformation”).}

Guidelines on Data Protection Officers (‘DPOs’)

2.3. Designation of a single DPO for several organisations

Article 37(2) allows a group of undertakings to designate a single DPO provided that he or she is ‘easily accessible from each establishment’. The notion of accessibility refers to the tasks of the DPO as a contact point with respect to data subjects [19], the supervisory authority [20] but also internally within the organisation, considering that one of the tasks of the DPO is ‘to inform and advise the controller and the processor and the employees who carry out processing of their obligations pursuant to this Regulation’ [21].

_{[19] Article 38(4): ‘data subjects may contact the data protection officer with regard to all issues related to processing of their personal data and to the exercise of their rights under this Regulation’.}

_{[20] Article 39(1)(e): ‘act as a contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36 and to consult, where appropriate, with regard to any other matter’.}

_{[21] Article 39(1)(a).}

In order to ensure that the DPO, whether internal or external, is accessible it is important to make sure that their contact details are available in accordance with the requirements of the GDPR [22].

_{[22] See also Section 2.6 below.}

He or she, with the help of a team if necessary, must be in a position to efficiently communicate with data subjects [23] and cooperate [24] with the supervisory authorities concerned. This also means that this communication must take place in the language or languages used by the supervisory authorities and the data subjects concerned. The availability of a DPO (whether physically on the same premises as employees, via a hotline or other secure means of communication) is essential to ensure that data subjects will be able to contact the DPO.

_{[23] Article 12(1): ’The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child’.}

_{[24] Article 39(1)(d) : ‘to cooperate with the supervisory authority’}

3. Kadar je upravljavec ali obdelovalec javni organ ali telo, se lahko za več takšnih organov ali teles ob upoštevanju njihove organizacijske strukture in velikosti imenuje ena sama pooblaščena oseba za varstvo podatkov.

3. Where the controller or the processor is a public authority or body, a single data protection officer may be designated for several such authorities or bodies, taking account of their organisational structure and size.

Povezana besedila

Guidelines on Data Protection Officers (‘DPOs’)

2.1.1 ‘PUBLIC AUTHORITY OR BODY’

_{[13] Article 6(1)(e).}

4. V primerih, ki niso navedeni v odstavku 1, upravljavec ali obdelovalec ali združenja in druga telesa, ki predstavljajo vrste upravljavcev ali obdelovalcev, smejo imenovati ali, kadar tako zahteva pravo Unije ali pravo države članice, imenujejo pooblaščeno osebo za varstvo podatkov. Pooblaščena oseba za varstvo podatkov lahko deluje v imenu teh združenj in drugih teles, ki predstavljajo upravljavce ali obdelovalce.

4. In cases other than those referred to in paragraph 1, the controller or processor or associations and other bodies representing categories of controllers or processors may or, where required by Union or Member State law shall, designate a data protection officer. The data protection officer may act for such associations and other bodies representing controllers or processors.

5. Pooblaščena oseba za varstvo podatkov se imenuje na podlagi poklicnih odlik in zlasti strokovnega znanja o zakonodaji in praksi na področju varstva podatkov ter zmožnosti za izpolnjevanje nalog iz člena 39.

5. The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.

Povezana besedila

Člen 39 SUVP (GDPR). Naloge pooblaščene osebe za varstvo podatkov

Article 39 GDPR. Tasks of the data protection officer

1. Pooblaščena oseba za varstvo podatkov ima vsaj naslednje naloge:

1. The data protection officer shall have at least the following tasks:

(a) obveščanje upravljavca ali obdelovalca in zaposlenih, ki izvajajo obdelavo, ter svetovanje navedenim o njihovih obveznostih v skladu s to uredbo in drugimi določbami prava Unije ali prava države članice o varstvu podatkov;

(a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;

(b) spremljanje skladnosti s to uredbo, drugimi določbami prava Unije ali prava države članice o varstvu podatkov in politikami upravljavca ali obdelovalca v zvezi z varstvom osebnih podatkov, vključno z dodeljevanjem nalog, ozaveščanjem in usposabljanjem osebja, vključenega v dejanja obdelave, ter s tem povezanimi revizijami;

(b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;

(c) svetovanje, kadar je to zahtevano, glede ocene učinka v zvezi z varstvom podatkov in spremljanje njenega izvajanja v skladu s členom 35;

(c) to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;

(d) sodelovanje z nadzornim organom;

(d) to cooperate with the supervisory authority;

(e) delovanje kot kontaktna točka za nadzorni organ pri vprašanjih v zvezi z obdelavo, vključno s predhodnim posvetovanjem iz člena 36, in, kjer je ustrezno, posvetovanje glede katere koli druge zadeve.

(e) to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.

2. Pooblaščena oseba za varstvo podatkov pri opravljanju svojih nalog upošteva tveganje, povezano z dejanji obdelave, ter naravo, obseg, okoliščine in namene obdelave.

2. The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.

Guidelines on Data Protection Officers (‘DPOs’)

8. What are the professional qualities that the DPO should have?

The necessary level of expert knowledge should be determined according to the data processing operations carried out and the protection required for the personal data being processed. For example, where a data processing activity is particularly complex, or where a large amount of sensitive data is involved, the DPO may need a higher level of expertise and support.

Relevant skills and expertise include:

• expertise in national and European data protection laws and practices including an in-depth understanding of the GDPR

• understanding of the processing operations carried out

• understanding of information technologies and data security

• knowledge of the business sector and the organisation

• ability to promote a data protection culture within the organisation.

6. Pooblaščena oseba za varstvo podatkov je lahko član osebja upravljavca ali obdelovalca ali pa naloge opravlja na podlagi pogodbe o storitvah.

6. The data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract.

7. Upravljavec ali obdelovalec objavi kontaktne podatke pooblaščene osebe za varstvo podatkov in jih sporoči nadzornemu organu.

7. The controller or the processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority.

Splošna uredba o varstvu podatkov (SUVP, GDPR)

General Data Protection Regulation (EU GDPR)

The latest consolidated version of the Regulation with corrections by Corrigendum, OJ L 127, 23.5.2018, p. 2 ((EU) 2016/679). Source: EUR-lex.

Komentar ISO 27701 Uvodne izjave Smernice in sodna praksa Pustite komentar

Komentar

(EN) The article explains when and under what conditions a Data Protection Officer (DPO) should be appointed or hired. In most cases, at least one of the following conditions is sufficient for the company to be required to have a DPO:

if data processing is performed by state authorities (except for courts)

(EN) […]

(EN) Sign in
to read the full text

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added a requirement additional to ISO/IEC 27002, section 6.1.1.

Here is the relevant paragraph to article 37 GDPR:

6.3.1.1 Information security roles and responsibilities

Implementation guidance

The organization should designate a point of contact for use by the customer regarding the processing of PII. When the organization is a PII controller, designate a point of contact for PII principals regarding the processing of their PII (see 7.3.2).

(EN) […]

(EN) Sign in
to read the full text

Uvodne izjave

(97) Kadar obdelavo izvaja javni organ, razen sodišč ali neodvisnih pravosodnih organov, kadar delujejo kot sodni organi, ali kadar v zasebnem sektorju obdelavo izvaja upravljavec, katerega temeljne dejavnosti obsegajo dejanja obdelave, ki zahtevajo obsežno redno in sistematično spremljanje posameznikov, na katere se nanašajo osebni podatki, ali kadar temeljne dejavnosti upravljavca ali obdelovalca zajemajo obsežno obdelavo posebnih vrst osebnih podatkov in podatkov v zvezi s kazenskimi obsodbami in prekrški, bi morala upravljavcu ali obdelovalcu pri spremljanju notranje skladnosti s to uredbo pomagati oseba s strokovnim znanjem s področja prava o varstvu podatkov in poznavanjem zadevnih praks. V zasebnem sektorju se temeljne dejavnosti upravljavca nanašajo na njegove osnovne dejavnosti in ne na obdelavo osebnih podatkov kot postranske dejavnosti. Določiti bi bilo treba stopnjo potrebnega strokovnega znanja, zlasti glede na izvedena dejanja obdelave podatkov in varstvo, ki je potrebno pri osebnih podatkih, obdelanih s strani upravljavca ali obdelovalca. Taka pooblaščena oseba za varstvo podatkov bi morala svoje dolžnosti in naloge izvajati neodvisno, ne glede na to, ali je pri upravljavcu zaposlena ali ne.

(97) Where the processing is carried out by a public authority, except for courts or independent judicial authorities when acting in their judicial capacity, where, in the private sector, processing is carried out by a controller whose core activities consist of processing operations that require regular and systematic monitoring of the data subjects on a large scale, or where the core activities of the controller or the processor consist of processing on a large scale of special categories of personal data and data relating to criminal convictions and offences, a person with expert knowledge of data protection law and practices should assist the controller or processor to monitor internal compliance with this Regulation. In the private sector, the core activities of a controller relate to its primary activities and do not relate to the processing of personal data as ancillary activities. The necessary level of expert knowledge should be determined in particular according to the data processing operations carried out and the protection required for the personal data processed by the controller or the processor. Such data protection officers, whether or not they are an employee of the controller, should be in a position to perform their duties and tasks in an independent manner.

Smernice in sodna praksa

(EN)

Document

Article 29 Working Party, Guidelines on Data Protection Officers (DPOs) (2017).

Pustite komentar

[js-disqus]