Fixes GDPR linefeeds

alsmola · Apr 6, 2024 · 2618b9d · 2618b9d
1 parent bb4c77c
commit 2618b9d
Show file tree

Hide file tree

Showing 53 changed files with 441 additions and 228 deletions.
diff --git a/gdpr/art1.md b/gdpr/art1.md
@@ -1,13 +1,16 @@
 # GDPR - Article 1
 ## **Subject-matter and objectives**
 
+
 ## Article 1.1
 This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.  
-
+  
 ## Article 1.2
 1. This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.
-
+  
 ### Mapped SCF controls
 - [CPL-01 - Statutory, Regulatory & Contractual Compliance](../scf/cpl-01-statutory,regulatory&contractualcompliance.md)
+
 ## Article 1.3
 1. The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.
+
diff --git a/gdpr/art10.md b/gdpr/art10.md
@@ -1,3 +1,4 @@
 # GDPR - Article 10
 ## Processing of personal data relating to criminal convictions and offences
-Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority.
+Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority.
+
diff --git a/gdpr/art11.md b/gdpr/art11.md
@@ -1,19 +1,22 @@
 # GDPR - Article 11
 ## Processing which does not require identification
 
+
 ## Article 11.1
 If the purposes for which a controller processes personal data do not or do no longer require the identification of a data subject by the controller, the controller shall not be obliged to maintain, acquire or process additional information in order to identify the data subject for the sole purpose of complying with this Regulation.
-
+  
 ### Mapped SCF controls
 - [IAC-09.6 - Pairwise Pseudonymous Identifiers (PPID)](../scf/iac-096-pairwisepseudonymousidentifiers(ppid).md)
 - [PRI-05.1 - Internal Use of Personal Data For Testing, Training and Research](../scf/pri-051-internaluseofpersonaldatafortesting,trainingandresearch.md)
 - [PRI-05.4 - Usage Restrictions of Sensitive Personal Data](../scf/pri-054-usagerestrictionsofsensitivepersonaldata.md)
+
 ## Article 11.2
 Where, in cases referred to in paragraph 1 of this Article, the controller is able to demonstrate that it is not in a position to identify the data subject, the controller shall inform the data subject accordingly, if possible. In such cases, Articles 15 to 20 shall not apply except where the data subject, for the purpose of exercising his or her rights under those articles, provides additional information enabling his or her identification.
 ##CHAPTER III
 ###Rights of the data subject
 <span class="expanded">Section 1
 <span class="bold"><span class="expanded">Transparency and modalities
-
+  
 ### Mapped SCF controls
-- [PRI-02 - Data Privacy Notice](../scf/pri-02-dataprivacynotice.md)
+- [PRI-02 - Data Privacy Notice](../scf/pri-02-dataprivacynotice.md)
+
diff --git a/gdpr/art12.md b/gdpr/art12.md
@@ -1,49 +1,56 @@
 # GDPR - Article 12
 ## Transparent information, communication and modalities for the exercise of the rights of the data subject
 
+
 ## Article 12.1
 The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.
-
+  
 ### Mapped SCF controls
 - [PRI-02 - Data Privacy Notice](../scf/pri-02-dataprivacynotice.md)
 - [PRI-06 - Data Subject Access](../scf/pri-06-datasubjectaccess.md)
+
 ## Article 12.2
 The controller shall facilitate the exercise of data subject rights under Articles 15 to 22\. In the cases referred to in Article 11(2), the controller shall not refuse to act on the request of the data subject for exercising his or her rights under Articles 15 to 22, unless the controller demonstrates that it is not in a position to identify the data subject.
-
+  
 ### Mapped SCF controls
 - [PRI-03.1 - Tailored Consent](../scf/pri-031-tailoredconsent.md)
 - [PRI-03.2 - Just-In-Time Notice & Updated Consent](../scf/pri-032-just-in-timenotice&updatedconsent.md)
 - [PRI-06 - Data Subject Access](../scf/pri-06-datasubjectaccess.md)
+
 ## Article 12.3
 The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.
-
+  
 ### Mapped SCF controls
 - [DCH-22.1 - Updating & Correcting Personal Data (PD)](../scf/dch-221-updating&correctingpersonaldata(pd).md)
 - [PRI-03.1 - Tailored Consent](../scf/pri-031-tailoredconsent.md)
 - [PRI-03.2 - Just-In-Time Notice & Updated Consent](../scf/pri-032-just-in-timenotice&updatedconsent.md)
 - [PRI-06.1 - Correcting Inaccurate Personal Data](../scf/pri-061-correctinginaccuratepersonaldata.md)
 - [PRI-06.2 - Notice of Correction or Processing Change](../scf/pri-062-noticeofcorrectionorprocessingchange.md)
+
 ## Article 12.4
 If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
-
+  
 ### Mapped SCF controls
 - [PRI-03.1 - Tailored Consent](../scf/pri-031-tailoredconsent.md)
 - [PRI-03.2 - Just-In-Time Notice & Updated Consent](../scf/pri-032-just-in-timenotice&updatedconsent.md)
+
 ## Article 12.5
 Information provided under Articles 13 and 14 and any communication and any actions taken under Articles 15 to 22 and 34 shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:
 (a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or
 (b) refuse to act on the request.
 The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
-
+  
 ## Article 12.6
 Without prejudice to Article 11, where the controller has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request the provision of additional information necessary to confirm the identity of the data subject.
-
+  
 ### Mapped SCF controls
 - [PRI-03 - Choice & Consent](../scf/pri-03-choice&consent.md)
+
 ## Article 12.7
 The information to be provided to data subjects pursuant to Articles 13 and 14 may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner a meaningful overview of the intended processing. Where the icons are presented electronically they shall be machine-readable.
-
+  
 ## Article 12.8
 The Commission shall be empowered to adopt delegated acts in accordance with Article 92 for the purpose of determining the information to be presented by the icons and the procedures for providing standardised icons.
 <span class="expanded">Section 2
 <span class="bold"><span class="expanded">Information and access to personal data
+
diff --git a/gdpr/art13.md b/gdpr/art13.md
@@ -1,6 +1,7 @@
 # GDPR - Article 13
 ## Information to be provided where personal data are collected from the data subject
 
+
 ## Article 13.1
 Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:
 (a) the identity and the contact details of the controller and, where applicable, of the controller's representative;
@@ -9,10 +10,11 @@ Where personal data relating to a data subject are collected from the data subje
 (d) where the processing is based on point (f)  of Article 6(1), the legitimate interests pursued by the controller or by a third party;
 (e) the recipients or categories of recipients of the personal data, if any;
 (f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.
-
+  
 ### Mapped SCF controls
 - [PRI-02 - Data Privacy Notice](../scf/pri-02-dataprivacynotice.md)
 - [PRI-02.1 - Purpose Specification](../scf/pri-021-purposespecification.md)
+
 ## Article 13.2
 In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:
 (a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
@@ -21,15 +23,18 @@ In addition to the information referred to in paragraph 1, the controller shall,
 (d) the right to lodge a complaint with a supervisory authority;
 (e) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;
 (f) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
-
+  
 ### Mapped SCF controls
 - [PRI-02 - Data Privacy Notice](../scf/pri-02-dataprivacynotice.md)
 - [PRI-06 - Data Subject Access](../scf/pri-06-datasubjectaccess.md)
+
 ## Article 13.3
 Where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2.
-
+  
 ### Mapped SCF controls
 - [PRI-02 - Data Privacy Notice](../scf/pri-02-dataprivacynotice.md)
 - [PRI-03.2 - Just-In-Time Notice & Updated Consent](../scf/pri-032-just-in-timenotice&updatedconsent.md)
+
 ## Article 13.4
 Paragraphs 1, 2 and 3 shall not apply where and insofar as the data subject already has the information.
+
diff --git a/gdpr/art14.md b/gdpr/art14.md
@@ -1,6 +1,7 @@
 # GDPR - Article 14
 ## Information to be provided where personal data have not been obtained from the data subject
 
+
 ## Article 14.1
 Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information:
 (a) the identity and the contact details of the controller and, where applicable, of the controller's representative;
@@ -9,10 +10,11 @@ Where personal data have not been obtained from the data subject, the controller
 (d) the categories of personal data concerned;
 (e) the recipients or categories of recipients of the personal data, if any;
 (f) where applicable, that the controller intends to transfer personal data to a recipient in a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available.
-
+  
 ### Mapped SCF controls
 - [PRI-02 - Data Privacy Notice](../scf/pri-02-dataprivacynotice.md)
 - [PRI-02.1 - Purpose Specification](../scf/pri-021-purposespecification.md)
+
 ## Article 14.2
 In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following information necessary to ensure fair and transparent processing in respect of the data subject:
 (a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
@@ -22,30 +24,33 @@ In addition to the information referred to in paragraph 1, the controller shall
 (e) the right to lodge a complaint with a supervisory authority;
 (f) from which source the personal data originate, and if applicable, whether it came from publicly accessible sources;
 (g) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
-
+  
 ### Mapped SCF controls
 - [DCH-22.1 - Updating & Correcting Personal Data (PD)](../scf/dch-221-updating&correctingpersonaldata(pd).md)
 - [PRI-02 - Data Privacy Notice](../scf/pri-02-dataprivacynotice.md)
 - [PRI-02.1 - Purpose Specification](../scf/pri-021-purposespecification.md)
 - [PRI-02.2 - Automated Data Management Processes](../scf/pri-022-automateddatamanagementprocesses.md)
 - [PRI-06 - Data Subject Access](../scf/pri-06-datasubjectaccess.md)
 - [PRI-06.1 - Correcting Inaccurate Personal Data](../scf/pri-061-correctinginaccuratepersonaldata.md)
+
 ## Article 14.3
 The controller shall provide the information referred to in paragraphs 1 and 2:
 (a) within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed;
 (b) if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject; or
 (c) if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.
-
+  
 ### Mapped SCF controls
 - [PRI-02 - Data Privacy Notice](../scf/pri-02-dataprivacynotice.md)
 - [PRI-03 - Choice & Consent](../scf/pri-03-choice&consent.md)
 - [PRI-03.2 - Just-In-Time Notice & Updated Consent](../scf/pri-032-just-in-timenotice&updatedconsent.md)
+
 ## Article 14.4
 Where the controller intends to further process the personal data for a purpose other than that for which the personal data were obtained, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2.
-
+  
 ## Article 14.5
 Paragraphs 1 to 4 shall not apply where and insofar as:
 (a) the data subject already has the information;
 (b) the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89(1) or in so far as the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases the controller shall take appropriate measures to protect the data subject's rights and freedoms and legitimate interests, including making the information publicly available;
 (c) obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject's legitimate interests; or
 (d) where the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy.
+
diff --git a/gdpr/art15.md b/gdpr/art15.md
@@ -1,6 +1,7 @@
 # GDPR - Article 15
 ## Right of access by the data subject
 
+
 ## Article 15.1
 The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
 (a) the purposes of the processing;
@@ -11,24 +12,28 @@ The data subject shall have the right to obtain from the controller confirmation
 (f) the right to lodge a complaint with a supervisory authority;
 (g) where the personal data are not collected from the data subject, any available information as to their source;
 (h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
-
+  
 ### Mapped SCF controls
 - [PRI-06 - Data Subject Access](../scf/pri-06-datasubjectaccess.md)
+
 ## Article 15.2
 Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.
-
+  
 ### Mapped SCF controls
 - [PRI-06 - Data Subject Access](../scf/pri-06-datasubjectaccess.md)
 - [PRI-07 - Information Sharing With Third Parties](../scf/pri-07-informationsharingwiththirdparties.md)
+
 ## Article 15.3
 The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
-
+  
 ### Mapped SCF controls
 - [PRI-06 - Data Subject Access](../scf/pri-06-datasubjectaccess.md)
+
 ## Article 15.4
 The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.
 <span class="expanded">Section 3
 <span class="bold"><span class="expanded">Rectification and erasure
-
+  
 ### Mapped SCF controls
-- [PRI-06 - Data Subject Access](../scf/pri-06-datasubjectaccess.md)
+- [PRI-06 - Data Subject Access](../scf/pri-06-datasubjectaccess.md)
+