Source: https://www.ndc.gov.tw/Content_List.aspx?n=F98A8C27A0F54C30
(EN) ISO/IEC 27701, adopted in 2019, added a requirement additional to ISO/IEC 27002, section 6.1.1.
Here is the relevant paragraph to article 37 GDPR:
6.3.1.1 Information security roles and responsibilities
Implementation guidance
The organization should designate a point of contact for use by the customer regarding the processing of PII. When the organization is a PII controller, designate a point of contact for PII principals regarding the processing of their PII (see 7.3.2).
(EN) […]
(EN) Sign in
to read the full text
(97) 於下述情形時,就資料保護之法律與實務有專業知識者應協助 控管者或處理者內部監督本規則之遵守,亦即:當資料處理係由除了 法院和獨立司法機關執行其司法權之公務機關執行時、於私部門之處 理係由核心活動包括需要經常且有體系的監控大規模資料主體的控 管者所為之處理活動、或於控管者及處理者之核心活動包括處理大規 模特殊類型之個人資料及涉及前科及犯罪之資料時。在私部門中,控 管者之核心活動係連結到其主要活動,而與作為輔助活動之個人資料 處理無關。專業知識所需程度尤應依據所執行之資料處理活動及由控 管者或處理者處理之個人資料所需之保護而定。該等資料保護員,不 問是否為控管者之雇員,都應以獨立之態度堅守職位以執行其任務。
(EN) The article explains when and under what conditions a Data Protection Officer (DPO) should be appointed or hired. In most cases, at least one of the following conditions is sufficient for the company to be required to have a DPO:
(EN) […]
(EN) Sign in
to read the full text