(89) Direktiva 95/46/ES je določala splošno obveznost glede obveščanja nadzornih organov o obdelavi osebnih podatkov. Ta obveznost prinaša upravna in finančna bremena, ni pa v vseh primerih pripomogla k izboljšanju varstva osebnih podatkov. Zato bi bilo treba take nerazlikovalne splošne obveznosti obveščanja odpraviti ter nadomestiti z učinkovitimi postopki in mehanizmi, ki se namesto tega osredotočajo na tiste vrste dejanj obdelave, ki zaradi svoje narave, obsega, okoliščin in namenov verjetno povzročajo veliko tveganje za pravice in svoboščine posameznikov. Take vrste dejanj obdelave so lahko tiste, ki zlasti vključujejo uporabo novih tehnologij ali ki so nove in zanje upravljavec še ni izvedel ocene učinka v zvezi z varstvom podatkov ali postanejo potrebne zaradi časa, ki je pretekel od prvotne obdelave.
(89) Directive 95/46/EC provided for a general obligation to notify the processing of personal data to the supervisory authorities. While that obligation produces administrative and financial burdens, it did not in all cases contribute to improving the protection of personal data. Such indiscriminate general notification obligations should therefore be abolished, and replaced by effective procedures and mechanisms which focus instead on those types of processing operations which are likely to result in a high risk to the rights and freedoms of natural persons by virtue of their nature, scope, context and purposes. Such types of processing operations may be those which in, particular, involve using new technologies, or are of a new kind and where no data protection impact assessment has been carried out before by the controller, or where they become necessary in the light of the time that has elapsed since the initial processing.
(90) V takih primerih bi moral upravljavec pred obdelavo izvesti oceno učinka v zvezi z varstvom podatkov, da bi se ocenili posebna verjetnost in resnost velikega tveganja, pri čemer bi upoštevali naravo, obseg, okoliščine in namene obdelave ter izvor tveganja. Ta ocena učinka pa bi morala obsegati zlasti ukrepe, zaščitne ukrepe in mehanizme, ki so načrtovani za ublažitev tega tveganja, zagotavljanje varstva osebnih podatkov in dokazovanje skladnosti s to uredbo.
(90) In such cases, a data protection impact assessment should be carried out by the controller prior to the processing in order to assess the particular likelihood and severity of the high risk, taking into account the nature, scope, context and purposes of the processing and the sources of the risk. That impact assessment should include, in particular, the measures, safeguards and mechanisms envisaged for mitigating that risk, ensuring the protection of personal data and demonstrating compliance with this Regulation.
(EN) ISO/IEC 27701, adopted in 2019, added a requirement additional to ISO/IEC 27001, section 4.1.
Here is the relevant paragraph to article 40 GDPR:
5.2.1 Understanding the organization and its context
The organization shall include among its interested parties (see ISO/IEC 27001:2013, 4.2), those parties having interests or responsibilities associated with the processing of PII, including the PII principals.
(EN) […]
(EN) Sign in
to read the full text