Člen 58 📖 SUVP (GDPR). Pooblastila

Člen 58 SUVP (GDPR). Pooblastila

Article 58 GDPR. Powers

1. Vsak nadzorni organ ima vsa naslednja preiskovalna pooblastila:

1. Each supervisory authority shall have all of the following investigative powers:

(a) da upravljavcu in obdelovalcu ter, če je ustrezno, predstavniku upravljavca ali obdelovalca odredi, naj zagotovi vse informacije, ki jih potrebuje za opravljanje svojih nalog;

(a) to order the controller and the processor, and, where applicable, the controller’s or the processor’s representative to provide any information it requires for the performance of its tasks;

(b) da izvaja preiskave v obliki pregledov na področju varstva podatkov;

(b) to carry out investigations in the form of data protection audits;

(c) da izvaja preglede potrdil, izdanih v skladu s členom 42(7);

(c) to carry out a review on certifications issued pursuant to Article 42(7);

Povezana besedila

Člen 42 SUVP (GDPR). Potrjevanje

Article 42 GDPR. Certification

[…]

7. Potrdilo se izda upravljavcu ali obdelovalcu za obdobje največ treh let in se pod enakimi pogoji lahko podaljša, če so zadevne zahteve še naprej izpolnjene. Organi za potrjevanje iz člena 43 ali pristojni nadzorni organ, kakor je ustrezno, potrdilo prekličejo, kadar zahteve v zvezi s potrdilom niso ali niso več izpolnjene.

7. Certification shall be issued to a controller or processor for a maximum period of three years and may be renewed, under the same conditions, provided that the relevant criteria continue to be met. Certification shall be withdrawn, as applicable, by the certification bodies referred to in Article 43 or by the competent supervisory authority where the criteria for the certification are not or are no longer met.

[…]

(d) da upravljavca ali obdelovalca uradno obvesti o domnevni kršitvi te uredbe;

(d) to notify the controller or the processor of an alleged infringement of this Regulation;

(e) da od upravljavca ali obdelovalca pridobi dostop do vseh osebnih podatkov in informacij, ki jih potrebuje za opravljanje svojih nalog;

(e) to obtain, from the controller and the processor, access to all personal data and to all information necessary for the performance of its tasks;

(f) da pridobi dostop do vseh prostorov upravljavca ali obdelovalca, vključno z vso opremo in sredstvi za obdelavo podatkov, v skladu s pravom Unije ali postopkovnim pravom države članice.

(f) to obtain access to any premises of the controller and the processor, including to any data processing equipment and means, in accordance with Union or Member State procedural law.

2. Vsak nadzorni organ ima vsa naslednja popravljalna pooblastila:

2. Each supervisory authority shall have all of the following corrective powers:

(a) da izda upravljavcu ali obdelovalcu opozorilo, da bi predvidena dejanja obdelave verjetno kršila določbe te uredbe;

(a) to issue warnings to a controller or processor that intended processing operations are likely to infringe provisions of this Regulation;

(b) da upravljavcu ali obdelovalcu izreče opomin, kadar so bile z dejanji obdelave kršene določbe te uredbe;

(b) to issue reprimands to a controller or a processor where processing operations have infringed provisions of this Regulation;

(c) da upravljavcu ali obdelovalcu odredi, naj ugodi zahtevam posameznika, na katerega se nanašajo osebni podatki, glede uresničevanja njegovih pravic na podlagi te uredbe;

(c) to order the controller or the processor to comply with the data subject’s requests to exercise his or her rights pursuant to this Regulation;

(d) da upravljavcu ali obdelovalcu odredi, naj dejanja obdelave, če je to ustrezno, na določen način in v določenem roku uskladi z določbami te uredbe;

(d) to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period;

(e) da upravljavcu odredi, naj posameznika, na katerega se nanašajo osebni podatki, obvesti o kršitvi varstva osebnih podatkov;

(e) to order the controller to communicate a personal data breach to the data subject;

(f) da uvede začasno ali dokončno omejitev obdelave, vključno s prepovedjo obdelave;

(f) to impose a temporary or definitive limitation including a ban on processing;

(g) da v skladu s členi 16, 17 in 18 odredi popravek ali izbris osebnih podatkov oziroma omejitev obdelave in o takšnih ukrepih v skladu s členom 17(2) in členom 19 uradno obvesti uporabnike, ki so jim bili osebni podatki razkriti;

(g) to order the rectification or erasure of personal data or restriction of processing pursuant to Articles 16, 17 and 18 and the notification of such actions to recipients to whom the personal data have been disclosed pursuant to Article 17(2) and Article 19;

Povezana besedila

Člen 16 SUVP (GDPR). Pravica do popravka

Article 16 GDPR. Right to rectification

Posameznik, na katerega se nanašajo osebni podatki, ima pravico doseči, da upravljavec brez nepotrebnega odlašanja popravi netočne osebne podatke v zvezi z njim. Posameznik, na katerega se nanašajo osebni podatki, ima ob upoštevanju namenov obdelave, pravico do dopolnitve nepopolnih osebnih podatkov, vključno s predložitvijo dopolnilne izjave.

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Člen 17 SUVP (GDPR). Pravica do izbrisa („pravica do pozabe“)

Article 17 GDPR. Right to erasure (‘right to be forgotten’)

[…]

2. Kadar upravljavec objavi osebne podatke in je v skladu z odstavkom 1 osebne podatke obvezan izbrisati, ob upoštevanju razpoložljive tehnologije in stroškov izvajanja sprejme razumne ukrepe, vključno s tehničnimi, da upravljavce, ki obdelujejo osebne podatke, obvesti, da posameznik, na katerega se nanašajo osebni podatki, od njih zahteva, naj izbrišejo morebitne povezave do teh osebnih podatkov ali njihove kopije.

2. Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

[…]

Člen 18 SUVP (GDPR). Pravica do omejitve obdelave

Article 18 GDPR. Right to restriction of processing

Člen 19 SUVP (GDPR). Obveznost obveščanja v zvezi s popravkom ali izbrisom osebnih podatkov ali omejitvijo obdelave

Article 19 GDPR. Notification obligation regarding rectification or erasure of personal data or restriction of processing

Upravljavec vsakemu uporabniku, ki so mu bili osebni podatki razkriti, sporoči vse popravke ali izbrise osebnih podatkov ali omejitve obdelave v skladu s členom 16, členom 17(1) in členom 18, razen če se to izkaže za nemogoče ali vključuje nesorazmeren napor. Upravljavec o teh uporabnikih obvesti posameznika, na katerega se nanašajo osebni podatki, če ta posameznik tako zahteva.

The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.

(h) da prekliče potrdilo ali organu za potrjevanje odredi preklic potrdila, izdanega v skladu s členoma 42 in 43, ali da organu za potrjevanje odredi, naj ne izda potrdila, kadar zahteve v zvezi s potrdilom niso ali niso več izpolnjene;

(h) to withdraw a certification or to order the certification body to withdraw a certification issued pursuant to Articles 42 and 43, or to order the certification body not to issue certification if the requirements for the certification are not or are no longer met;

Povezana besedila

Člen 42 SUVP (GDPR). Potrjevanje

Article 42 GDPR. Certification

Člen 43 SUVP (GDPR). Organi za potrjevanje

Article 43 GDPR. Certification bodies

(i) da glede na okoliščine posameznega primera poleg ali namesto ukrepov iz tega odstavka naloži upravno globo v skladu s členom 83;

(i) to impose an administrative fine pursuant to Article 83, in addition to, or instead of measures referred to in this paragraph, depending on the circumstances of each individual case;

(j) da odredi prekinitev prenosov podatkov uporabniku v tretji državi ali mednarodni organizaciji.

(j) to order the suspension of data flows to a recipient in a third country or to an international organisation.

3. Vsak nadzorni organ ima vsa naslednja pooblastila v zvezi z dovoljenji in svetovalnimi pristojnostmi:

3. Each supervisory authority shall have all of the following authorisation and advisory powers:

(a) da svetuje upravljavcu v skladu s postopkom predhodnega posvetovanja iz člena 36;

(a) to advise the controller in accordance with the prior consultation procedure referred to in Article 36;

Povezana besedila

Člen 36 SUVP (GDPR). Predhodno posvetovanje

Article 36 GDPR. Prior consultation

(b) da na lastno pobudo ali na zahtevo izdaja mnenja za nacionalni parlament, vlado države članice ali, v skladu s pravom države članice, druge institucije in telesa, pa tudi za javnost, o vseh vprašanjih v zvezi z varstvom osebnih podatkov;

(b) to issue, on its own initiative or on request, opinions to the national parliament, the Member State government or, in accordance with Member State law, to other institutions and bodies as well as to the public on any issue related to the protection of personal data;

(c) da odobri obdelavo iz člena 36(5), če pravo države članice zahteva tako predhodno dovoljenje;

(c) to authorise processing referred to in Article 36(5), if the law of the Member State requires such prior authorisation;

Povezana besedila

Člen 36 SUVP (GDPR). Predhodno posvetovanje

Article 36 GDPR. Prior consultation

[…]

5. Ne glede na odstavek 1 lahko pravo države članice od upravljavcev zahteva, naj se posvetujejo z nadzornim organom in od njega prejmejo predhodno dovoljenje v zvezi z obdelavo s strani upravljavca z namenom izvajanja naloge, ki jo upravljavec izvaja v javnem interesu, vključno z obdelavo v zvezi s socialnim varstvom in javnim zdravjem.

5. Notwithstanding paragraph 1, Member State law may require controllers to consult with, and obtain prior authorisation from, the supervisory authority in relation to processing by a controller for the performance of a task carried out by the controller in the public interest, including processing in relation to social protection and public health.

(d) da izdaja mnenja in odobri osnutke kodeksov ravnanja v skladu s členom 40(5);

(d) to issue an opinion and approve draft codes of conduct pursuant to Article 40(5);

Povezana besedila

Člen 40 SUVP (GDPR). Kodeksi ravnanja

Article 40 GDPR. Codes of conduct

[…]

5. Združenja in druga telesa iz odstavka 2 tega člena, ki nameravajo pripraviti kodeks ravnanja oziroma spremeniti ali razširiti veljaven kodeks, predložijo osnutek kodeksa, spremembo ali razširitev nadzornemu organu, pristojnemu v skladu s členom 55. Nadzorni organ poda mnenje, ali je osnutek kodeksa, sprememba ali razširitev skladna s to uredbo, in takšen osnutek kodeksa, spremembo ali razširitev potrdi, če oceni, da zagotavlja zadostne ustrezne zaščitne ukrepe.

5. Associations and other bodies referred to in paragraph 2 of this Article which intend to prepare a code of conduct or to amend or extend an existing code shall submit the draft code, amendment or extension to the supervisory authority which is competent pursuant to Article 55. The supervisory authority shall provide an opinion on whether the draft code, amendment or extension complies with this Regulation and shall approve that draft code, amendment or extension if it finds that it provides sufficient appropriate safeguards.

[…]

(e) da pooblasti organe za potrjevanje v skladu s členom 43;

(e) to accredit certification bodies pursuant to Article 43;

Povezana besedila

Člen 43 SUVP (GDPR). Organi za potrjevanje

Article 43 GDPR. Certification bodies

(f) da izdaja potrdila in odobri merila za potrjevanje v skladu s členom 42(5);

(f) to issue certifications and approve criteria of certification in accordance with Article 42(5);

Povezana besedila

Člen 42 SUVP (GDPR). Potrjevanje

Article 42 GDPR. Certification

[…]

5. Potrdilo v skladu s tem členom izdajo organi za potrjevanje iz člena 43 ali pristojni nadzorni organ, in sicer na podlagi meril, ki jih odobri ta pristojni nadzorni organ na podlagi člena 58(3) ali odbor na podlagi člena 63. Kadar merila odobri odbor, je lahko rezultat meril skupno potrjevanje, evropski pečat za varstvo podatkov.

5. A certification pursuant to this Article shall be issued by the certification bodies referred to in Article 43 or by the competent supervisory authority, on the basis of criteria approved by that competent supervisory authority pursuant to Article 58(3) or by the Board pursuant to Article 63. Where the criteria are approved by the Board, this may result in a common certification, the European Data Protection Seal.

[…]

(g) da sprejme standardna določila o varstvu podatkov iz člena 28(8) in iz točke (d) člena 46(2);

(g) to adopt standard data protection clauses referred to in Article 28(8) and in point (d) of Article 46(2);

Povezana besedila

Člen 28 SUVP (GDPR). Obdelovalec

Article 28 GDPR. Processor

[…]

8. Nadzorni organ lahko sprejme standardna pogodbena določila za zadeve iz odstavkov 3 in 4 tega člena ter v skladu z mehanizmom za skladnost iz člena 63.

8. A supervisory authority may adopt standard contractual clauses for the matters referred to in paragraph 3 and 4 of this Article and in accordance with the consistency mechanism referred to in Article 63.

[…]

Člen 46 SUVP (GDPR). Prenosi, za katere se uporabljajo ustrezni zaščitni ukrepi

Article 46 GDPR. Transfers subject to appropriate safeguards

2. Ustrezni zaščitni ukrepi iz odstavka 1 se lahko, ne da bi bilo potrebno posebno dovoljenje nadzornih organov, zagotovijo s:

2. The appropriate safeguards referred to in paragraph 1 may be provided for, without requiring any specific authorisation from a supervisory authority, by:

(d) standardnimi določili o varstvu podatkov, ki jih sprejme nadzorni organ in odobri Komisija v skladu s postopkom pregleda iz člena 93(2);

(d) standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure referred to in Article 93(2);

(h) da odobri pogodbena določila iz točke (a) člena 46(3);

(h) to authorise contractual clauses referred to in point (a) of Article 46(3);

Povezana besedila

Člen 46 SUVP (GDPR). Prenosi, za katere se uporabljajo ustrezni zaščitni ukrepi

Article 46 GDPR. Transfers subject to appropriate safeguards

3. Ustrezni zaščitni ukrepi iz odstavka 1 se lahko z dovoljenjem ustreznega nadzornega organa zagotovijo tudi zlasti s:

3. Subject to the authorisation from the competent supervisory authority, the appropriate safeguards referred to in paragraph 1 may also be provided for, in particular, by:

(a) pogodbenimi določili med upravljavcem ali obdelovalcem in upravljavcem, obdelovalcem ali uporabnikom osebnih podatkov v tretji državi ali mednarodni organizaciji, ali

(a) contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation; or

(i) da odobri upravne dogovore iz točke (b) člena 46(3);

(i) to authorise administrative arrangements referred to in point (b) of Article 46(3);

Povezana besedila

Člen 46 SUVP (GDPR). Prenosi, za katere se uporabljajo ustrezni zaščitni ukrepi

Article 46 GDPR. Transfers subject to appropriate safeguards

3. Ustrezni zaščitni ukrepi iz odstavka 1 se lahko z dovoljenjem ustreznega nadzornega organa zagotovijo tudi zlasti s:

3. Subject to the authorisation from the competent supervisory authority, the appropriate safeguards referred to in paragraph 1 may also be provided for, in particular, by:

(b) določbami, ki se vstavijo v upravne dogovore med javnimi organi ali telesi in v katere so vključene izvršljive in učinkovite pravice za posameznike, na katere se nanašajo podatki.

(b) provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.

(j) da odobri zavezujoča poslovna pravila v skladu s členom 47.

(j) to approve binding corporate rules pursuant to Article 47.

Povezana besedila

Člen 47 SUVP (GDPR). Zavezujoča poslovna pravila

Article 47 GDPR. Binding corporate rules

4. Nadzorni organ izvaja pooblastila, ki so mu dodeljena v skladu s tem členom, na podlagi ustreznih zaščitnih ukrepov, vključno z učinkovitim pravnim sredstvom in ustreznim pravnim postopkom, kot je določeno v pravu Unije in pravu države članice v skladu z Listino.

4. The exercise of the powers conferred on the supervisory authority pursuant to this Article shall be subject to appropriate safeguards, including effective judicial remedy and due process, set out in Union and Member State law in accordance with the Charter.

5. Vsaka država članica z zakonom določi, da ima njen nadzorni organ pooblastila, da sodne organe opozori na kršitve te uredbe in po potrebi začne sodne postopke ali v njih drugače sodeluje, da se zagotovi izvajanje določb te uredbe.

5. Each Member State shall provide by law that its supervisory authority shall have the power to bring infringements of this Regulation to the attention of the judicial authorities and where appropriate, to commence or engage otherwise in legal proceedings, in order to enforce the provisions of this Regulation.

6. Vsaka država članica z zakonom določi, da ima njen nadzorni organ poleg pooblastil iz odstavkov 1, 2 in 3 še dodatna pooblastila. Izvajanje teh pooblastil ne vpliva na učinkovitost izvajanja poglavja VII.

6. Each Member State may provide by law that its supervisory authority shall have additional powers to those referred to in paragraphs 1, 2 and 3. The exercise of those powers shall not impair the effective operation of Chapter VII.

Splošna uredba o varstvu podatkov (SUVP, GDPR)

General Data Protection Regulation (EU GDPR)

The latest consolidated version of the Regulation with corrections by Corrigendum, OJ L 127, 23.5.2018, p. 2 ((EU) 2016/679). Source: EUR-lex.

Uvodne izjave Smernice in sodna praksa Pustite komentar

Uvodne izjave

(129) Za zagotovitev doslednega spremljanja in izvajanja te uredbe v vsej Uniji bi morali biti naloge in učinkovita pooblastila nadzornih organov v vseh državah članicah enaki, vključno s pooblastili za preiskovanje, popravljalnimi pooblastili in sankcijami ter pooblastili v zvezi z dovoljenji in svetovalnimi pristojnostmi, zlasti v primerih pritožb posameznikov, hkrati pa ne bi smeli vplivati na pooblastila organov, pristojnih za pregon v skladu s pravom držav članic, da sodne organe opozorijo na kršitve te uredbe in sodelujejo v sodnih postopkih. Taka pooblastila bi morala vključevati tudi pooblastilo za uvedbo začasne ali dokončne omejitve ali prepoved obdelave. Države članice lahko določijo še druge naloge, povezane z varstvom osebnih podatkov v skladu s to uredbo. Pooblastila nadzornih organov bi bilo treba izvajati nepristransko, pravično in v razumnem roku v skladu z ustreznimi postopkovnimi zaščitnimi ukrepi, določenimi v pravu Unije in pravu držav članic. Zlasti bi moral biti vsak ukrep ustrezen, potreben in sorazmeren, da se zagotovi skladnost s to uredbo, pri tem pa se upoštevajo okoliščine posameznega primera, spoštuje pravica vsake osebe, da izrazi svoje mnenje, preden se sprejme kakršen koli posamezen ukrep, ki bi imel zanjo negativne posledice, ter preprečijo nepotrebni stroški in pretirane nevšečnosti za vpletene osebe. Preiskovalna pooblastila glede dostopa v prostore bi bilo treba izvajati v skladu s posebnimi zahtevami postopkovnega prava držav članic, kot je na primer zahteva pridobitve predhodnega sodnega dovoljenja. Vsak pravno zavezujoč ukrep nadzornega organa bi moral biti v pisni obliki, jasen in nedvoumen, v njem pa bi morala biti navedena nadzorni organ, ki je ukrep izdal, in datum izdaje ukrepa, podpisati bi ga moral vodja ali član nadzornega organa, ki ga ta pooblasti, vsebovati bi moral razloge za ukrep ter sklic na pravico do učinkovitega pravnega sredstva. To ne bi smelo izključevati dodatnih zahtev v skladu s postopkovnim pravom držav članic. Sprejetje pravno zavezujoče odločitve pomeni, da je lahko v državi članici nadzornega organa, ki jo je sprejel, predmet sodne presoje.

(129) In order to ensure consistent monitoring and enforcement of this Regulation throughout the Union, the supervisory authorities should have in each Member State the same tasks and effective powers, including powers of investigation, corrective powers and sanctions, and authorisation and advisory powers, in particular in cases of complaints from natural persons, and without prejudice to the powers of prosecutorial authorities under Member State law, to bring infringements of this Regulation to the attention of the judicial authorities and engage in legal proceedings. Such powers should also include the power to impose a temporary or definitive limitation, including a ban, on processing. Member States may specify other tasks related to the protection of personal data under this Regulation. The powers of supervisory authorities should be exercised in accordance with appropriate procedural safeguards set out in Union and Member State law, impartially, fairly and within a reasonable time. In particular each measure should be appropriate, necessary and proportionate in view of ensuring compliance with this Regulation, taking into account the circumstances of each individual case, respect the right of every person to be heard before any individual measure which would affect him or her adversely is taken and avoid superfluous costs and excessive inconveniences for the persons concerned. Investigatory powers as regards access to premises should be exercised in accordance with specific requirements in Member State procedural law, such as the requirement to obtain a prior judicial authorisation. Each legally binding measure of the supervisory authority should be in writing, be clear and unambiguous, indicate the supervisory authority which has issued the measure, the date of issue of the measure, bear the signature of the head, or a member of the supervisory authority authorised by him or her, give the reasons for the measure, and refer to the right of an effective remedy. This should not preclude additional requirements pursuant to Member State procedural law. The adoption of a legally binding decision implies that it may give rise to judicial review in the Member State of the supervisory authority that adopted the decision.

Smernice in sodna praksa

(EN)

Case law

CJEU, Data Protection Commissioner/Facebook Ireland Ltd and Schrems, C-311/18 (2020).

Pustite komentar

[js-disqus]