Člen 47 📖 SUVP (GDPR). Zavezujoča poslovna pravila

Člen 47 SUVP (GDPR). Zavezujoča poslovna pravila

Article 47 GDPR. Binding corporate rules

1. Pristojni nadzorni organ odobri zavezujoča poslovna pravila v skladu z mehanizmom za skladnost iz člena 63, če:

1. The competent supervisory authority shall approve binding corporate rules in accordance with the consistency mechanism set out in Article 63, provided that they:

Povezana besedila

Člen 63 SUVP (GDPR). Mehanizem za skladnost

Article 63 GDPR. Consistency mechanism

Da bi prispevali k dosledni uporabi te uredbe v vsej Uniji, nadzorni organi sodelujejo med seboj in po potrebi s Komisijo, in sicer prek mehanizma za skladnost, kakor je določen v tem oddelku.

In order to contribute to the consistent application of this Regulation throughout the Union, the supervisory authorities shall cooperate with each other and, where relevant, with the Commission, through the consistency mechanism as set out in this Section.

(a) so pravno zavezujoča, se uporabljajo za vsakega zadevnega člana povezane družbe ali skupin podjetij, ki skupaj opravljajo gospodarsko dejavnost, tudi za njihove zaposlene, in jih vsak od teh članov izvršuje;

(a) are legally binding and apply to and are enforced by every member concerned of the group of undertakings, or group of enterprises engaged in a joint economic activity, including their employees;

(b) posameznikom, na katere se nanašajo osebni podatki, izrecno podeljujejo izvršljive pravice v zvezi z obdelavo njihovih osebnih podatkov, ter

(b) expressly confer enforceable rights on data subjects with regard to the processing of their personal data; and

(c) izpolnjujejo zahteve iz odstavka 2.

(c) fulfil the requirements laid down in paragraph 2.

2. Zavezujoča poslovna pravila iz odstavka 1 določajo vsaj naslednje:

2. The binding corporate rules referred to in paragraph 1 shall specify at least:

(a) strukturo in kontaktne podatke povezane družbe ali skupin podjetij, ki opravljajo skupno gospodarsko dejavnost, in vsakega od njenih članov;

(a) the structure and contact details of the group of undertakings, or group of enterprises engaged in a joint economic activity and of each of its members;

(b) prenose podatkov ali nize prenosov, vključno z vrstami osebnih podatkov, vrsto obdelave in njenimi nameni, kategorijami posameznikov, na katere se nanašajo osebni podatki in na katere ta pravila vplivajo, ter identifikacijo zadevne tretje države ali držav;

(b) the data transfers or set of transfers, including the categories of personal data, the type of processing and its purposes, the type of data subjects affected and the identification of the third country or countries in question;

(c) njihovo pravno zavezujočo naravo, tako notranjo kot zunanjo;

(c) their legally binding nature, both internally and externally;

(d) uporabo splošnih načel o varstvu podatkov, zlasti omejitev namena, najmanjši obseg podatkov, omejen čas hrambe, kakovost podatkov, vgrajeno in privzeto varstvo podatkov, pravno podlago za obdelavo, obdelavo posebnih vrst osebnih podatkov, ukrepe za zagotavljanje varnosti podatkov in zahteve v zvezi z nadaljnjim prenosom na telesa, ki jih zavezujoča poslovna pravila ne zavezujejo;

(d) the application of the general data protection principles, in particular purpose limitation, data minimisation, limited storage periods, data quality, data protection by design and by default, legal basis for processing, processing of special categories of personal data, measures to ensure data security, and the requirements in respect of onward transfers to bodies not bound by the binding corporate rules;

Povezana besedila

Guidelines 4/2019 on Article 25 Data Protection by Design and by Default Version 2.0.

3.4 Purpose Limitation [34]

_{[34] The Article 29 Working Party provided guidance for the understanding of the principle of purpose limitation under Directive 95/46/EC. Although the Opinion is not adopted by the EDBP, it may still be relevant as the wording of the principle is the same under the GDPR. Article 29 Working Party. “Opinion 03/2013 on purpose limitation”. WP 203, 2 April 2013. ec.europa.eu/justice/article-29/documentation/opinion- recommendation/files/2013/wp203_en.pdf}

71. The controller must collect data for specified, explicit, and legitimate purposes, and not further process the data in a manner that is incompatible with the purposes for which they were collected.[35] The design of the processing should therefore be shaped by what is necessary to achieve the purposes. If any further processing is to take place, the controller must first make sure that this processing has purposes compatible with the original ones and design such processing accordingly. Whether a new purpose is compatible or not, shall be assessed according to the criteria in Article 6(4).

_{[35] Art. 5.1.b GDPR}

(e) pravice posameznikov, na katere se nanašajo osebni podatki, v zvezi z obdelavo in sredstvi za uresničevanje teh pravic, vključno s pravico, da zanje ne veljajo odločitve, ki temeljijo zgolj na avtomatizirani obdelavi, vključno z oblikovanjem profilov, v skladu s členom 22, pravico do vložitve pritožbe pri pristojnem nadzornem organu in pristojnih sodiščih držav članic v skladu s členom 79 ter do pridobitve varstva in po potrebi odškodnine za kršitev zavezujočih poslovnih pravil;

(e) the rights of data subjects in regard to processing and the means to exercise those rights, including the right not to be subject to decisions based solely on automated processing, including profiling in accordance with Article 22, the right to lodge a complaint with the competent supervisory authority and before the competent courts of the Member States in accordance with Article 79, and to obtain redress and, where appropriate, compensation for a breach of the binding corporate rules;

Povezana besedila

Člen 22 SUVP (GDPR). Avtomatizirano sprejemanje posameznih odločitev, vključno z oblikovanjem profilov

Article 22 GDPR. Automated individual decision-making, including profiling

Člen 79 SUVP (GDPR). Pravica do učinkovitega pravnega sredstva zoper upravljavca ali obdelovalca

Article 79 GDPR. Right to an effective judicial remedy against a controller or processor

1. Brez poseganja v katero koli razpoložljivo upravno ali izvensodno sredstvo, vključno s pravico do vložitve pritožbe pri nadzornem organu na podlagi člena 77, ima vsak posameznik, na katerega se nanašajo osebni podatki, pravico do učinkovitega pravnega sredstva, kadar meni, da so bile njegove pravice iz te uredbe kršene zaradi obdelave njegovih osebnih podatkov, ki ni bila v skladu s to uredbo.

1. Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.

2. Za postopke zoper upravljavca ali obdelovalca so pristojna sodišča države članice, v kateri ima upravljavec ali obdelovalec sedež. Alternativno so za takšne postopke pristojna tudi sodišča države članice, v kateri ima posameznik, na katerega se nanašajo osebni podatki, svoje običajno prebivališče, razen če je upravljavec ali obdelovalec javni organ države članice, ki izvaja svoja javna pooblastila.

2. Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.

(f) sprejemanje odgovornosti s strani upravljavca ali obdelovalca s sedežem na ozemlju države članice za morebitne kršitve zavezujočih poslovnih pravil s strani katerega koli zadevnega člana, ki nima sedeža v Uniji; upravljavec ali obdelovalec je iz te odgovornosti delno ali v celoti izvzet samo, če dokaže, da zadevni član ni odgovoren za dogodek, zaradi katerega je škoda nastala;

(f) the acceptance by the controller or processor established on the territory of a Member State of liability for any breaches of the binding corporate rules by any member concerned not established in the Union; the controller or the processor shall be exempt from that liability, in whole or in part, only if it proves that that member is not responsible for the event giving rise to the damage;

(g) kako se poleg informacij iz členov 13 in 14 informacije o zavezujočih poslovnih pravilih, zlasti o določbah iz točk (d), (e) in (f) tega odstavka, zagotovijo posameznikom, na katere se nanašajo osebni podatki;

(g) how the information on the binding corporate rules, in particular on the provisions referred to in points (d), (e) and (f) of this paragraph is provided to the data subjects in addition to Articles 13 and 14;

Povezana besedila

Člen 13 SUVP (GDPR). Informacije, ki se zagotovijo, kadar se osebni podatki pridobijo od posameznika, na katerega se nanašajo osebni podatki

Article 13 GDPR. Information to be provided where personal data are collected from the data subject

Člen 14 SUVP (GDPR). Informacije, ki jih je treba zagotoviti, kadar osebni podatki niso bili pridobljeni od posameznika, na katerega se ti nanašajo

Article 14 GDPR. Information to be provided where personal data have not been obtained from the data subject

(h) naloge vsake pooblaščene osebe za varstvo podatkov, imenovane v skladu s členom 37, ali katere koli druge osebe ali subjekta, odgovornega za spremljanje skladnosti z zavezujočimi poslovnimi pravili v povezani družbi ali skupini podjetij, ki opravljajo skupno gospodarsko dejavnost, pa tudi za spremljanje usposabljanja in obravnavanje pritožb;

(h) the tasks of any data protection officer designated in accordance with Article 37 or any other person or entity in charge of the monitoring compliance with the binding corporate rules within the group of undertakings, or group of enterprises engaged in a joint economic activity, as well as monitoring training and complaint-handling;

Povezana besedila

Člen 37 SUVP (GDPR). Imenovanje pooblaščene osebe za varstvo podatkov

Article 37 GDPR. Designation of the data protection officer

(i) pritožbene postopke;

(i) the complaint procedures;

(j) mehanizme v povezani družbi ali skupini podjetij, ki opravljajo skupno gospodarsko dejavnost, ki zagotavljajo preverjanje skladnosti z zavezujočimi poslovnimi pravili. Takšni mehanizmi vključujejo preverjanje varstva podatkov in metode za zagotavljanje popravljalnih ukrepov za zaščito pravic posameznika, na katerega se nanašajo osebni podatki. Rezultate teh preverjanj bi bilo treba sporočiti osebi ali subjektu iz točke (h) in odboru obvladujoče družbe v povezani družbi ali skupine podjetij, ki opravljajo skupno gospodarsko dejavnost, na zahtevo pa bi morali biti na razpolago pristojnemu nadzornemu organu;

(j) the mechanisms within the group of undertakings, or group of enterprises engaged in a joint economic activity for ensuring the verification of compliance with the binding corporate rules. Such mechanisms shall include data protection audits and methods for ensuring corrective actions to protect the rights of the data subject. Results of such verification should be communicated to the person or entity referred to in point (h) and to the board of the controlling undertaking of a group of undertakings, or of the group of enterprises engaged in a joint economic activity, and should be available upon request to the competent supervisory authority;

(k) mehanizme za poročanje in evidentiranje sprememb pravil ter poročanje o teh spremembah nadzornemu organu;

(k) the mechanisms for reporting and recording changes to the rules and reporting those changes to the supervisory authority;

(l) mehanizem sodelovanja z nadzornim organom, s katerim se zagotovi, da vsak član povezane družbe ali skupine podjetij, ki opravljajo skupno gospodarsko dejavnost, upošteva pravila, zlasti tako, da se nadzornemu organu dajo na razpolago rezultati preverjanj ukrepov iz točke (j);

(l) the cooperation mechanism with the supervisory authority to ensure compliance by any member of the group of undertakings, or group of enterprises engaged in a joint economic activity, in particular by making available to the supervisory authority the results of verifications of the measures referred to in point (j);

(m) mehanizme za poročanje pristojnemu nadzornemu organu o vseh pravnih zahtevah, ki veljajo za člana povezane družbe ali skupine podjetij, ki opravljajo skupno gospodarsko dejavnost, v tretji državi in bi lahko imele znaten negativen učinek na jamstva iz zavezujočih poslovnih pravil, in

(m) the mechanisms for reporting to the competent supervisory authority any legal requirements to which a member of the group of undertakings, or group of enterprises engaged in a joint economic activity is subject in a third country which are likely to have a substantial adverse effect on the guarantees provided by the binding corporate rules; and

(n) ustrezno usposabljanje o varstvu podatkov za osebje, ki stalno ali redno dostopa do osebnih podatkov.

(n) the appropriate data protection training to personnel having permanent or regular access to personal data.

3. Komisija lahko za zavezujoča poslovna pravila v smislu tega člena določi obliko in postopke za izmenjavo informacij med upravljavci, obdelovalci in nadzornimi organi. Ti izvedbeni akti se sprejmejo v skladu s postopkom pregleda iz člena 93(2).

3. The Commission may specify the format and procedures for the exchange of information between controllers, processors and supervisory authorities for binding corporate rules within the meaning of this Article. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 93(2).

Povezana besedila

Člen 93 SUVP (GDPR). Postopek v odboru

Article 93 GDPR. Committee procedure

[…]

2. Pri sklicevanju na ta odstavek se uporablja člen 5 Uredbe (EU) št. 182/2011.

2. Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply.

[…]

Splošna uredba o varstvu podatkov (SUVP, GDPR)

General Data Protection Regulation (EU GDPR)

The latest consolidated version of the Regulation with corrections by Corrigendum, OJ L 127, 23.5.2018, p. 2 ((EU) 2016/679). Source: EUR-lex.

ISO 27701 Uvodne izjave Smernice in sodna praksa Pustite komentar

ISO 27701

(EN) ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph to article 47 GDPR:

7.5.1 Identify basis for PII transfer between jurisdictions

Control

The organization should identify and document the relevant basis for transfers of PII between jurisdictions.

Implementation guidance

PII transfer can be subject to legislation and/or regulation depending on the jurisdiction or international organization to which data is to be transferred (and from where it originates).

(EN) […]

(EN) Sign in
to read the full text

Uvodne izjave

(110) Povezana družba ali skupina podjetij, ki opravljajo skupno gospodarsko dejavnost, bi morala imeti možnost, da za svoje mednarodne prenose iz Unije v organizacije znotraj iste povezane družbe ali skupine podjetij, ki opravljajo skupno gospodarsko dejavnost, uporabijo odobrena zavezujoča poslovna pravila, če ta poslovna pravila zajemajo vsa bistvena načela in izvršljive pravice za zagotavljanje ustreznih zaščitnih ukrepov za prenose ali niz prenosov osebnih podatkov.

(110) A group of undertakings, or a group of enterprises engaged in a joint economic activity, should be able to make use of approved binding corporate rules for its international transfers from the Union to organisations within the same group of undertakings, or group of enterprises engaged in a joint economic activity, provided that such corporate rules include all essential principles and enforceable rights to ensure appropriate safeguards for transfers or categories of transfers of personal data.

Smernice in sodna praksa

(EN)