(89) Directive 95/46/EC provided for a general obligation to notify the processing of personal data to the supervisory authorities. While that obligation produces administrative and financial burdens, it did not in all cases contribute to improving the protection of personal data. Such indiscriminate general notification obligations should therefore be abolished, and replaced by effective procedures and mechanisms which focus instead on those types of processing operations which are likely to result in a high risk to the rights and freedoms of natural persons by virtue of their nature, scope, context and purposes. Such types of processing operations may be those which, in particular, involve using new technologies, or are of a new kind and where no data protection impact assessment has been carried out before by the controller, or where they become necessary in the light of the time that has elapsed since the initial processing.
(90) In such cases, a data protection impact assessment should be carried out by the controller prior to the processing in order to assess the particular likelihood and severity of the high risk, taking into account the nature, scope, context and purposes of the processing and the sources of the risk. That impact assessment should include, in particular, the measures, safeguards and mechanisms envisaged for mitigating that risk, ensuring the protection of personal data and demonstrating compliance with this Regulation.
ISO/IEC 27701, published in 2019, adds a requirement that extends ISO/IEC 27001, clause 4.1.
Here is the paragraph relevant to Article 40 GDPR:
5.2.1 Understanding the organization and its context
The organization shall include among its interested parties (see ISO/IEC 27001:2013, 4.2), those parties having interests or responsibilities associated with the processing of PII, including the PII principals.
…