
Article 30 GDPR. Records of processing activities

1. Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:

(a) the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;

(b) the purposes of the processing;

(c) a description of the categories of data subjects and of the categories of personal data;

(d) the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;

ISO 27701

ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph for Article 30(1)(d) GDPR:

7.5.4 Records of PII disclosure to third parties

Control

The organization should record disclosures of PII to third parties, including what PII has been disclosed, to whom and at what time.

Implementation guidance

PII can be disclosed during the course of normal operations.

(e) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;

ISO 27701

ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here are the relevant paragraphs for Article 30(1)(e) GDPR:

7.5.1 Identify basis for PII transfer between jurisdictions

Control

The organization should identify and document the relevant basis for transfers of PII between jurisdictions.

Implementation guidance

PII transfer can be subject to legislation and/or regulation depending on the jurisdiction or international organization to which data is to be transferred (and from where it originates).

(f) where possible, the envisaged time limits for erasure of the different categories of data;

ISO 27701

8.4.2 Return, transfer or disposal of PII

Control

The organization should provide the ability to return, transfer and/or dispose of PII in a secure manner. It should also make its policy available to the customer.

Implementation guidance

At some point in time, PII can need to be disposed of in some manner.

(g) where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

2. Each processor and, where applicable, the processor’s representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing:

(a) the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller’s or the processor’s representative, and the data protection officer;

(b) the categories of processing carried out on behalf of each controller;

(c) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;

ISO 27701

ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII processors.

Here is the relevant paragraph for Article 30(2)(c) GDPR:

8.5.2 Countries and international organizations to which PII can be transferred

Control

The organization should specify and document the countries and international organizations to which PII can possibly be transferred.

Implementation guidance

The identities of the countries and international organizations to which PII can possibly be transferred in normal operations should be made available to customers.

(d) where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

ISO 27701

ISO/IEC 27701, adopted in 2019, added a requirement additional to ISO/IEC 27002, section 15.1.2.

Here is the relevant paragraph for Article 30(2)(d) GDPR:

6.12.1.2 Addressing security within supplier agreements

Implementation guidance

The organization should specify in agreements with suppliers whether PII is processed and the minimum technical and organizational measures that the supplier needs to meet in order for the organization to meet its information security and PII protection obligations (see 7.2.6 and 8.2.1).

3. The records referred to in paragraphs 1 and 2 shall be in writing, including in electronic form.

4. The controller or the processor and, where applicable, the controller’s or the processor’s representative, shall make the record available to the supervisory authority on request.

5. The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.

Expert commentary

Article 30 is pretty straightforward and gives us very direct instructions on what document has to be created and what information has to be in it. Often it is enough to create a spreadsheet or a simple Excel table if the number of your processing activities is not so high, but if it doesn’t scale well, there are also specialised software solutions for a Register of Processing Activities.



ISO 27701

ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph for Article 30 GDPR:

7.2.8 Records related to processing PII

Control

The organization should determine and securely maintain the necessary records in support of its obligations for the processing of PII.

Implementation guidance

A way to maintain records of the processing of PII is to have an inventory or list of the PII processing activities that the organization performs. Such an inventory can include:

Recitals

(13) In order to ensure a consistent level of protection for natural persons throughout the Union and to prevent divergences hampering the free movement of personal data within the internal market, a Regulation is necessary to provide legal certainty and transparency for economic operators, including micro, small and medium-sized enterprises, and to provide natural persons in all Member States with the same level of legally enforceable rights and obligations and responsibilities for controllers and processors, to ensure consistent monitoring of the processing of personal data, and equivalent sanctions in all Member States as well as effective cooperation between the supervisory authorities of different Member States. The proper functioning of the internal market requires that the free movement of personal data within the Union is not restricted or prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data. To take account of the specific situation of micro, small and medium-sized enterprises, this Regulation includes a derogation for organisations with fewer than 250 employees with regard to record-keeping. In addition, the Union institutions and bodies, and Member States and their supervisory authorities, are encouraged to take account of the specific needs of micro, small and medium-sized enterprises in the application of this Regulation. The notion of micro, small and medium-sized enterprises should draw from Article 2 of the Annex to Commission Recommendation 2003/361/EC [5].

[5] Commission Recommendation of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises (C(2003) 1422) (OJ L 124, 20.5.2003, p. 36). https://eur-lex.europa.eu/legal-content/EN/AUTO/?uri=OJ:L:2003:124:TOC

(39) Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed. Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review. Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted. Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.

(82) In order to demonstrate compliance with this Regulation, the controller or processor should maintain records of processing activities under its responsibility. Each controller and processor should be obliged to cooperate with the supervisory authority and make those records, on request, available to it, so that it might serve for monitoring those processing operations.
