Background material

15 January 2024
5 Shevat 5784

To:
MK Simcha Rothman, Chair of the Constitution, Law and Justice Committee
The Constitution, Law and Justice Committee of the Knesset
The Knesset, Jerusalem

Dear Sir,

Re: Privacy Protection Bill (Amendment 14), 5782-2022 – Request to reconsider the notice requirement ahead of the Constitution Committee's discussion on 21.01.24

In the discussion held on 09.01.24 in the Knesset's Constitution, Law and Justice Committee (hereinafter: "the Committee" or "the Constitution Committee") on the Privacy Protection Bill (Amendment 14), 5782-2022 (hereinafter: "Amendment 14"), the proposed amendments to section 11 of the Privacy Protection Law, 5741-1981 (hereinafter: "the Privacy Protection Law") were approved.

However, the proposed amendments preserve the existing wording of the Privacy Protection Law, which conditions the existence of the obligation to give notice on "a request to a person to receive personal information...". This wording restricts the notice obligation solely to cases in which the personal information is collected directly from the data subject. It is therefore not sufficiently forward-looking, does not fit the personal-information collection technologies that already exist today, and is inconsistent with international law.

Thus, the European Union's General Data Protection Regulation (hereinafter: "GDPR") provides that the controller of the information (Controller) must give the data subject notice of the collection of the information by it at the time of collection, where the personal information is collected from the data subject himself,[1] and within one month of receiving the personal information about the data subject, where the information is not collected directly from the data subject.[2] The GDPR specifies several exceptions to the notice obligation, for example where the information was not collected directly from the data subject and giving notice is impossible or would require an unreasonable effort, in particular where the processing is carried out for purposes of archiving in the public interest, or for scientific, historical or statistical research purposes, provided that the other safeguards required by the GDPR are taken. It has been determined, however, that this exception is to be interpreted narrowly.[3]

The California Consumer Privacy Act (hereinafter: "CCPA") likewise imposes, in the statute and in the regulations under it, a similar notice obligation on a "Business",[4] at or before the collection of the information.[5] The regulations under the CCPA clarify that the purpose of the duty to inform is to give consumers tools for meaningful control over the use the Business makes of personal information about them.[6] The CCPA does not address at all the question of whether personal information is collected directly from the data subject or in other ways, since the notice obligation is part of the data subject's right to be informed,[7] but it clarifies that, where the Business acts as a third party controlling the collection of the information, the notice obligation at or before collection of the personal information can be implemented by publishing a privacy policy.[8] The regulations under the CCPA provide examples of circumstances in which the duty to inform will be implemented by publishing a privacy policy. For example, if Party A operates a website and allows Party B to control the collection of personal information about visitors to its website, Party A must include a privacy policy on its site; and Party B must likewise publish a privacy policy on the sites it owns, or include the required information in Party A's privacy policy. Data brokers listed in the data broker registry are not required to publish a privacy policy if they included the required details in the registration application, including an explanation of how customers can request to opt out of the sale or sharing of personal information about them.[9]

The rationale for the notice obligation under both laws, the GDPR and the CCPA, is the data subject's right to be informed, as part of the transparency obligation, whose purpose is to ensure that controllers of information act fairly and accountably in everything related to the processing of personal information by them or on their behalf. The transparency obligation, from which the data subject's right to be informed derives, is intended to increase data subjects' trust in the information processing that affects them, by increasing their understanding of the process and its challenges and by giving them tools to claim their rights in relation to it. For this reason, the notice obligation applies to all controllers of information, and differences between controllers carry no weight.[10]

Out of a desire to increase conformity with international law, first and foremost the GDPR; in view of the special weight given in Amendment 14 to data brokers, which remain one of the entities that will be subject to a registration obligation; and in recognition of the importance of transparency and of the data subject's right to be informed, in our opinion the wording of the notice obligation set out in section 11 should be changed so that it applies to a controller of a database and is not limited to a direct request to a person to receive information. The notice obligation will thus apply in every case of collection of personal information, including under legitimate bases that may be adopted in a future amendment of the Privacy Protection Law, and the requirements directed at data brokers will be tightened. In parallel, the adoption of exceptions to the notice obligation similar to those anchored in Article 14 of the GDPR should be considered.

We will be glad to be at your disposal for any question.

Dr. Rachel Aridor Hershkovitz, Dr. Tehilla Shwartz Altshuler
The Democracy in the Information Age Program
The Israel Democracy Institute

Copy:
- Adv. Gilad Semama, Head of the Privacy Protection Authority.
- Adv. Liron Mautner Lugasi, Public-Constitutional Law Department, Legal Counsel and Legislative Affairs, Ministry of Justice.

Footnotes:

[1] Regulation (EU) 2016/679 General Data Protection (hereinafter: "GDPR"), Article 13. The wording of the article appears in the appendix to this letter.
[2] Regulation (EU) 2016/679 General Data Protection (hereinafter: "GDPR"), Article 14. The wording of the article appears in the appendix to this letter.
[3] See Article 29 Data Protection Working Party, Guidelines on transparency under Regulation 2016/679 (Adopted on 29 Nov., 2017, as last Revised and Adopted on 11 April, 2018).
[4] See California Consumer Privacy Act of 2018 (CCPA), section § 1798.140(d) – definition of Business.
[5] See California Consumer Privacy Act of 2018 (CCPA), section § 1798.100(a).
[6] See California Consumer Privacy Act Regulations, regulation 7012(a)-(f).
[7] See section 1798.110 of the CCPA.
[8] See California Consumer Privacy Act of 2018 (CCPA), section § 1798.100(b).
[9] See California Consumer Privacy Act Regulations, section 7012(g)-(i). The content of a privacy policy is detailed in regulation 7011.
[10] Article 29 Data Protection Working Party, Guidelines on transparency under Regulation 2016/679 (Adopted on 29 Nov., 2017, as last Revised and Adopted on 11 April, 2018). See also section 1798.110 of the CCPA.

Appendix: Articles 13 and 14 of the GDPR:

Article 13
Information to be provided where personal data are collected from the data subject

1. Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:
(a) the identity and the contact details of the controller and, where applicable, of the controller's representative;
(b) the contact details of the data protection officer, where applicable;
(c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
(d) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;
(e) the recipients or categories of recipients of the personal data, if any;
(f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.

2. In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:
(a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
(b) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
(c) where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
(d) the right to lodge a complaint with a supervisory authority;
(e) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;
(f) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

3. Where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2.

4. Paragraphs 1, 2 and 3 shall not apply where and insofar as the data subject already has the information.

Article 14
Information to be provided where personal data have not been obtained from the data subject

1. Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information:
(a) the identity and the contact details of the controller and, if any, of the controller's representative;
(b) the contact details of the data protection officer, where applicable;
(c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
(d) the categories of personal data concerned;
(e) the recipients or categories of recipients of the personal data, where applicable;
(f) where applicable, that the controller intends to transfer personal data to a recipient in a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available.

2. In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following information necessary to ensure fair and transparent processing in respect of the data subject:
(a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
(b) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;
(c) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject and to object to processing as well as the right to data portability;
(d) where processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
(e) the right to lodge a complaint with a supervisory authority;
(f) from which source the personal data originate, and if applicable, whether it came from publicly accessible sources;
(g) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

3. The controller shall provide the information referred to in paragraphs 1 and 2:
(a) within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed;
(b) if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject; or
(c) if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.

4. Where the controller intends to further process the personal data for a purpose other than that for which the personal data were obtained, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2.

5. Paragraphs 1 to 4 shall not apply where and insofar as:
(a) the data subject already has the information;
(b) the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89(1) or in so far as the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases the controller shall take appropriate measures to protect the data subject's rights and freedoms and legitimate interests, including making the information publicly available;
(c) obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject's legitimate interests; or
(d) where the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy.

California Consumer Protection Act of 2018:

Definition of Business in section 1798.140:

(d) “Business” means:

(1) A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:
(A) As of January 1 of the calendar year, had annual gross revenues in excess of twenty-five million dollars ($25,000,000) in the preceding calendar year, as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185.
(B) Alone or in combination, annually buys, sells, or shares the personal information of 100,000 or more consumers or households.
(C) Derives 50 percent or more of its annual revenues from selling or sharing consumers’ personal information.

(2) Any entity that controls or is controlled by a business, as defined in paragraph (1), and that shares common branding with the business and with whom the business shares consumers’ personal information. “Control” or “controlled” means ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business; control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or the power to exercise a controlling influence over the management of a company. “Common branding” means a shared name, servicemark, or trademark that the average consumer would understand that two or more entities are commonly owned.

(3) A joint venture or partnership composed of businesses in which each business has at least a 40 percent interest. For purposes of this title, the joint venture or partnership and each business that composes the joint venture or partnership shall separately be considered a single business, except that personal information in the possession of each business and disclosed to the joint venture or partnership shall not be shared with the other business.

(4) A person that does business in California, that is not covered by paragraph (1), (2), or (3), and that voluntarily certifies to the California Privacy Protection Agency that it is in compliance with, and agrees to be bound by, this title.

Duty to inform at or before the collection of information – section 1798.100:

(a) A business that controls the collection of a consumer’s personal information shall, at or before the point of collection, inform consumers of the following:

(1) The categories of personal information to be collected and the purposes for which the categories of personal information are collected or used and whether that information is sold or shared. A business shall not collect additional categories of personal information or use personal information collected for additional purposes that are incompatible with the disclosed purpose for which the personal information was collected without providing the consumer with notice consistent with this section.

(2) If the business collects sensitive personal information, the categories of sensitive personal information to be collected and the purposes for which the categories of sensitive personal information are collected or used, and whether that information is sold or shared. A business shall not collect additional categories of sensitive personal information or use sensitive personal information collected for additional purposes that are incompatible with the disclosed purpose for which the sensitive personal information was collected without providing the consumer with notice consistent with this section.

(3) The length of time the business intends to retain each category of personal information, including sensitive personal information, or if that is not possible, the criteria used to determine that period provided that a business shall not retain a consumer’s personal information or sensitive personal information for each disclosed purpose for which the personal information was collected for longer than is reasonably necessary for that disclosed purpose.

Duty to publish a privacy policy – section 1798.100(b):

(b) A business that, acting as a third party, controls the collection of personal information about a consumer may satisfy its obligation under subdivision (a) by providing the required information prominently and conspicuously on the homepage of its internet website. In addition, if a business acting as a third party controls the collection of personal information about a consumer on its premises, including in a vehicle, then the business shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information are used, and whether that personal information is sold, in a clear and conspicuous manner at the location.

Duty to inform in the regulations – California Consumer Privacy Act Regulations, section 7012:

§ 7012. Notice at Collection of Personal Information.

(a) The purpose of the Notice at Collection is to provide consumers with timely notice, at or before the point of collection, about the categories of personal information to be collected from them, the purposes for which the personal information is collected or used, and whether that information is sold or shared, so that consumers have a tool to exercise meaningful control over the business’s use of their personal information. For example, upon receiving the Notice at Collection, the consumer can use the information in the notice as a tool to choose whether to engage with the business, or to direct the business not to sell or share their personal information and to limit the use and disclosure of their sensitive personal information.

(b) The Notice at Collection shall comply with section 7003, subsections (a) and (b).

(c) The Notice at Collection shall be made readily available where consumers will encounter it at or before the point of collection of any personal information. Illustrative examples follow.
(1) When a business collects consumers’ personal information online, it may post a conspicuous link to the notice on the introductory page of the business’s website and on all webpages where personal information is collected.
(2) When a business collects consumers’ personal information through a webform, it may post a conspicuous link to the notice in close proximity to the fields in which the consumer inputs their personal information, or in close proximity to the button by which the consumer submits their personal information to the business.
(3) When a business collects personal information through a mobile application, it may provide a link to the notice on the mobile application’s download page and within the application, such as through the application’s settings menu.
(4) When a business collects consumers’ personal information offline, it may include the notice on printed forms that collect personal information, provide the consumer with a paper version of the notice, or post prominent signage directing consumers to where the notice can be found online.
(5) When a business collects personal information over the telephone or in person, it may provide the notice orally.

(d) If a business does not give the Notice at Collection to the consumer at or before the point of collection of their personal information, the business shall not collect personal information from the consumer.

(e) A business shall include the following in its Notice at Collection:
(1) A list of the categories of personal information about consumers, including categories of sensitive personal information, to be collected. Each category of personal information shall be written in a manner that provides consumers a meaningful understanding of the information being collected.
(2) The purpose(s) for which the categories of personal information, including categories of sensitive personal information, are collected and used.
(3) Whether each category of personal information identified in subsection (e)(1) is sold or shared.
(4) The length of time the business intends to retain each category of personal information identified in subsection (e)(1), or if that is not possible, the criteria used to determine the period of time it will be retained.
(5) If the business sells or shares personal information, the link to the Notice of Right to Opt-out of Sale/Sharing, or in the case of offline notices, where the webpage can be found online.
(6) A link to the business’s privacy policy, or in the case of offline notices, where the privacy policy can be found online.

(f) If a business collects personal information from a consumer online, the Notice at Collection may be given to the consumer by providing a link that takes the consumer directly to the specific section of the business’s privacy policy that contains the information required in subsection (e)(1) through (6). Directing the consumer to the beginning of the privacy policy, or to another section of the privacy policy that does not contain the required information, so that the consumer is required to scroll through other information in order to determine the categories of personal information to be collected and/or whether the business sells or shares the personal information collected, does not satisfy this standard.

(g) Third Parties that Control the Collection of Personal Information. This subsection shall not affect the first party’s obligations under the CCPA to comply with a consumer’s request to opt-out of sale/sharing.
(1) For purposes of giving Notice at Collection, more than one business may control the collection of a consumer’s personal information, and thus, have an obligation to provide a Notice at Collection in accordance with the CCPA and these regulations. For example, a first party may allow another business, acting as a third party, to control the collection of personal information from consumers browsing the first party’s website. Both the first party that allows the third parties to collect personal information via its website, as well as the third party controlling the collection of personal information, shall provide a Notice at Collection. The first party and third parties may provide a single Notice at Collection that includes the required information about their collective information practices.
(2) A business that, acting as a third party, controls the collection of personal information on another business’s physical premises, such as in a retail store or in a vehicle, shall provide a Notice at Collection in a conspicuous manner at the physical location(s) where it is collecting the personal information.
(3) Illustrative examples follow.
(A) Business F allows Business G, a third party ad network, to collect consumers’ personal information through Business F’s website. Business F may post a conspicuous link to its Notice at Collection on its homepage(s). Business G shall provide a Notice at Collection on its homepage(s) or include the required information about its information practices in Business F’s Notice at Collection.
(B) Business H, a coffee shop, allows Business I, a business providing Wi-Fi services, to collect personal information from consumers using Business I’s services on Business H’s premises. Business H may post conspicuous signage at the entrance of the store or at the point-of-sale directing consumers to where the Notice at Collection for Business H can be found online. In addition, Business I shall post its own Notice at Collection on the first webpage or other interface consumers see before connecting to the Wi-Fi services offered.
(C) Business J, a car rental business, allows Business K to collect personal information from consumers within the vehicles Business J rents to consumers. Business J may give its Notice at Collection to the consumer at the point of sale (i.e., at the rental counter) either in writing or orally. Business K may provide its own Notice at Collection within the vehicle, such as through signage on the vehicle’s dashboard directing consumers to where the notice can be found online.

(h) A business that neither collects nor controls the collection of personal information directly from the consumer does not need to provide a Notice at Collection to the consumer if it neither sells nor shares the consumer’s personal information.

(i) A data broker registered with the Attorney General pursuant to Civil Code section 1798.99.80 et seq. that collects personal information from a source other than directly from the consumer does not need to provide a Notice at Collection to the consumer if it has included in its registration submission a link to its online privacy policy that includes instructions on how a consumer can submit a request to opt-out of sale/sharing.