{"id":2759,"date":"2017-04-25T08:30:13","date_gmt":"2017-04-25T06:30:13","guid":{"rendered":"https:\/\/blog.europrivacy.org\/?p=2759"},"modified":"2017-04-26T05:14:48","modified_gmt":"2017-04-26T03:14:48","slug":"accountability","status":"publish","type":"post","link":"https:\/\/blog.europrivacy.info\/it\/2017\/04\/25\/accountability\/","title":{"rendered":"ACCOUNTABILITY IN PRACTICE"},"content":{"rendered":"<p>Apart from referring to codes of conduct and certifications, the GDPR does not say much about how a Controller\/Processor can demonstrate its compliance with the Regulation.<\/p>\n<p>Fortunately, it is possible to draw on pre-existing documents or on positions taken by the Supervisory Authorities themselves.<\/p>\n<p>The first document we can refer to is the OECD PRIVACY FRAMEWORK of 2013, which states:<\/p>\n<p><strong>PART THREE. IMPLEMENTING ACCOUNTABILITY<\/strong><\/p>\n<p>A data controller should:<\/p>\n<p>a) Have in place a privacy management programme that:<\/p>\n<p>i. gives effect to these Guidelines for all personal data under its control;<\/p>\n<p>ii. is tailored to the structure, scale, volume and sensitivity of its operations;<\/p>\n<p>iii. provides for appropriate safeguards based on privacy risk assessment;<\/p>\n<p>iv. is integrated into its governance structure and establishes internal oversight mechanisms;<\/p>\n<p>v. includes plans for responding to inquiries and incidents;<\/p>\n<p>vi. 
is updated in light of ongoing monitoring and periodic assessment;<\/p>\n<p>b) Be prepared to demonstrate its privacy management programme as appropriate, in particular at the request of a competent privacy enforcement authority or another entity responsible for promoting adherence to a code of conduct or similar arrangement giving binding effect to these Guidelines; and<\/p>\n<p>c) Provide notice, as appropriate, to privacy enforcement authorities or other relevant authorities where there has been a significant security breach affecting personal data. Where the breach is likely to adversely affect data subjects, a data controller should notify affected data subjects.<\/p>\n<p>Following the formalisation of the GDPR, the UK Supervisory Authority published the document <strong>Overview of General Data Protection Regulation (GDPR)<\/strong>, which gives the following guidance:<\/p>\n<p>How can I demonstrate that I comply?<\/p>\n<p>You must:<\/p>\n<ul>\n<li>Implement appropriate technical and organisational measures that ensure and demonstrate that you comply. This may include internal data protection policies such as staff training, internal audits of processing activities, and reviews of internal HR policies.<\/li>\n<li>Maintain relevant documentation on processing activities.<\/li>\n<li>Where appropriate, appoint a data protection officer.<\/li>\n<li>Implement measures that meet the principles of data protection by design and data protection by default. 
Measures could include:\n<ul>\n<li>Data minimisation;<\/li>\n<li>Pseudonymisation;<\/li>\n<li>Transparency;<\/li>\n<li>Allowing individuals to monitor processing; and<\/li>\n<li>Creating and improving security features on an ongoing basis.<\/li>\n<\/ul>\n<\/li>\n<li>Use data protection impact assessments where appropriate.<\/li>\n<li>You can also: Adhere to approved codes of conduct and\/or certification schemes.<\/li>\n<\/ul>\n<p>The French Supervisory Authority, for its part, in its guide to preparing for the GDPR, gives the following guidance:<\/p>\n<p><strong>Documenting compliance<\/strong><\/p>\n<p><strong>Your file must in particular include the following elements<\/strong><\/p>\n<ul>\n<li><strong>Documentation on your personal data processing operations<\/strong>\n<ul>\n<li>the register of processing operations (for controllers) or of categories of processing activities (for processors),<\/li>\n<li>the data protection impact assessments (PIA; see step 4) for processing operations likely to result in high risks to the rights and freedoms of individuals,<\/li>\n<li>the framework for transfers of data outside the European Union (in particular the standard contractual clauses or BCRs).<\/li>\n<\/ul>\n<\/li>\n<li><strong>Information provided to individuals<\/strong>\n<ul>\n<li>the information notices,<\/li>\n<li>the templates for collecting the consent of data subjects,<\/li>\n<li>the procedures put in place for the exercise of individuals\u2019 rights.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Contracts defining the roles and responsibilities of the actors<\/strong>\n<ul>\n<li>contracts with processors,<\/li>\n<li>internal procedures in the event of data breaches,<\/li>\n<li>evidence that data subjects have given their consent where the processing of their data is based on that ground.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Three points of view that are not exactly identical, but which are certainly of great help in defining concrete criteria to follow.<\/p>","protected":false},"excerpt":{"rendered":"<p>Apart from referring to codes of conduct and certifications, the GDPR does not say much about how a Controller\/Processor can demonstrate its compliance with the Regulation. Fortunately, it is possible to draw on pre-existing documents or on positions taken by the Supervisory Authorities themselves. The first document we can refer to is the OECD PRIVACY FRAMEWORK of 2013, which\u2026<\/p>\n","protected":false},"author":42,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-2759","post","type-post","status-publish","format-standard","hentry","category-legal-framework"],"_links":{"self":[{"href":"https:\/\/blog.europrivacy.info\/it\/wp-json\/wp\/v2\/posts\/2759","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.europrivacy.info\/it\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.europrivacy.info\/it\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.europrivacy.info\/it\/wp-json\/wp\/v2\/users\/42"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.europrivacy.info\/it\/wp-json\/wp\/v2\/comments?post=2759"}],"version-history":[{"count":4,"href":"https:\/\/blog.europrivacy.info\/it\/wp-json\/wp\/v2\/posts\/2759\/revisions"}],"predecessor-version":[{"id":2765,"href":"https:\/\/blog.europrivacy.info\/it\/wp-json\/wp\/v2\/posts\/2759\/revisions\/2765"}],"wp:attachment":[{"href":"https:\/\/blog.europrivacy.info\/it\/wp-json\/
wp\/v2\/media?parent=2759"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.europrivacy.info\/it\/wp-json\/wp\/v2\/categories?post=2759"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.europrivacy.info\/it\/wp-json\/wp\/v2\/tags?post=2759"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}