3. Processing by a processor shall be governed by a contract or by another legal act under Union or Member State law that is binding on the processor and the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects, and the obligations and rights of the controller. That contract or other legal act shall stipulate, in particular, that the processor:
(a) processes the personal data only on the written instructions of the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject; in that case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
ISO/IEC 27701, adopted in 2019, adds guidance for PII processors to ISO/IEC 27002.
The relevant paragraph for article 28(3)(a) GDPR is:
8.2.2 Organization’s purposes
Control
The organization should ensure that PII processed on behalf of a customer are only processed for the purposes expressed in the documented instructions of the customer.
Implementation guidance
The contract between the organization and the customer should include, but not be limited to, the objective and time frame to be achieved by the service.
[…]
ISO/IEC 27701, adopted in 2019, adds a requirement to ISO/IEC 27002, section 13.2.4.
The relevant paragraph for article 28(3)(b) GDPR is:
6.10.2.4 Confidentiality or non-disclosure agreements
Implementation guidance
The organization should ensure that individuals operating under its control with access to PII are subject to a confidentiality obligation. The confidentiality agreement, whether part of a contract or separate, should specify the length of time the obligations should be adhered to.
[…]
ISO/IEC 27701, adopted in 2019, adds guidance for PII processors to ISO/IEC 27002.
The relevant paragraph for article 28(3)(d) GDPR is:
8.5.7 Engagement of a subcontractor to process PII
Control
The organization should only engage a subcontractor to process PII according to the customer contract.
Implementation guidance
Where the organization subcontracts some or all of the processing of that PII to another organization, a written authorization from the customer is required before the PII is processed by the subcontractor. This can be in the form of appropriate clauses in the customer contract, or can be a specific “one-off” agreement.
[…]
ISO/IEC 27701, adopted in 2019, adds guidance for PII processors to ISO/IEC 27002.
The relevant paragraph for article 28(3)(e) GDPR is:
8.3.1 Obligations to PII principals
Control
The organization should provide the customer with the means to comply with its obligations related to PII principals.
Implementation guidance
A PII controller’s obligations can be defined by legislation, by regulation and/or by contract. These obligations can include matters where the customer uses the services of the organization for implementation of these obligations.
[…]
ISO/IEC 27701, adopted in 2019, adds guidance for PII processors to ISO/IEC 27002.
The relevant paragraph for article 28(3)(g) GDPR is:
8.4.2 Return, transfer or disposal of PII
Control
The organization should provide the ability to return, transfer and/or dispose of PII in a secure manner. It should also make its policy available to the customer.
Implementation guidance
At some point in time, PII can need to be disposed of in some manner. This can involve returning the PII to the customer, transferring it to another organization or to a PII controller (e.g. as a result of a merger), deleting or otherwise destroying it, de-identifying it or archiving it.
[…]
ISO/IEC 27701, adopted in 2019, adds guidance for PII processors to ISO/IEC 27002.
The relevant paragraphs for article 28(3)(h) GDPR are:
8.2.4 Infringing instruction
Control
The organization should inform the customer if, in its opinion, a processing instruction infringes applicable legislation and/or regulation.
Implementation guidance
The organization’s ability to verify if the instruction infringes legislation and/or regulation can depend on the technological context, on the instruction itself, and on the contract between the organization and the customer.
8.2.5 Customer obligations
Control
The organization should provide the customer with the appropriate information such that the customer can demonstrate compliance with their obligations.
Implementation guidance
The information needed by the customer can include whether the organization allows for and contributes to audits conducted by the customer or another auditor mandated or otherwise agreed by the customer.
4. Where a processor engages another processor to carry out specific processing activities on behalf of the controller, the same data protection obligations as those set out in the contract or other legal act between the controller and the processor referred to in paragraph 3 shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees that it will implement appropriate technical and organisational measures so that the processing meets the requirements of this Regulation. Where that other processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor's obligations.
ISO/IEC 27701, adopted in 2019, adds guidance for PII processors to ISO/IEC 27002.
The relevant paragraph for article 28(4) GDPR is:
8.5.6 Disclosure of subcontractors used to process PII
Control
The organization should disclose any use of subcontractors to process PII to the customer before use.
Implementation guidance
Provisions for the use of subcontractors to process PII should be included in the customer contract.
[…]
Source: https://www.ndc.gov.tw/Content_List.aspx?n=F98A8C27A0F54C30
A processor is a person or an organization that processes personal data on behalf of, and under the authority of, a controller [Articles 4(8) and 28(1)]. The term used in the English text of the General Data Protection Regulation (GDPR) remains hard for a non-legal audience to grasp, so it is useful to turn to the other language versions for a better understanding.
[…]
ISO/IEC 27701, adopted in 2019, adds a requirement to ISO/IEC 27001, section 4.1.
The relevant paragraph for articles 28(5), 28(6), and 28(10) GDPR is:
5.2.1 Understanding the organization and its context
The organization shall include among its interested parties (see ISO/IEC 27001:2013, 4.2), those parties having interests or responsibilities associated with the processing of PII, including the PII principals.
[…]
(81) To ensure that the processing carried out by a processor on behalf of the controller complies with this Regulation, the controller, when entrusting a processor with processing activities, should use only processors providing sufficient guarantees (in particular in terms of expert knowledge, reliability and resources) to implement technical and organisational measures that meet the requirements of this Regulation, including the security of processing. The processor's adherence to an approved code of conduct or certification mechanism may be used to demonstrate compliance with the obligations of the controller. The carrying-out of processing by a processor should be governed by a contract or by another legal act under Union or Member State law, binding the processor to the controller and setting out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects, taking into account the specific tasks and responsibilities of the processor in the context of the processing to be carried out and the risk to the rights and freedoms of the data subjects. The controller and the processor may choose to use an individual contract or standard contractual clauses, which must be adopted either directly by the Commission or by a supervisory authority in accordance with the consistency mechanism and then adopted by the Commission. After the processing on behalf of the controller has been completed, the processor should, at the choice of the controller, return or delete the personal data, unless Union or Member State law to which the processor is subject requires the processor to store the personal data.
CJEU, Tietosuojavaltuutettu/Jehovan todistajat – uskonnollinen yhdyskunta (Jehovah’s Witnesses case), Opinion of Advocate General, C‑25/17 (2018).
CJEU, Tietosuojavaltuutettu/Jehovan todistajat – uskonnollinen yhdyskunta (Jehovah’s Witnesses case), C‑25/17 (2018).
Article 29 Working Party, Opinion 1/2010 on the concepts of “controller” and “processor” (2010).
EDPB, Guidelines on the Concepts of Controller, Processor and Joint Controllership Under Regulation (EU) 2018/1725 (2019).
EDPB, Opinion 14/2019 on the draft Standard Contractual Clauses submitted by the DK SA (Article 28(8) GDPR) (2019).
EDPB, Guidelines 7/2020 on the Concepts of Controller and Processor in the GDPR (2021).
CNIL, Guide for processors (2017) – Guidelines from the French Supervisory Authority that includes the template of Data Processing Agreement between controllers and processors.
Denmark Supervisory Authority, DK SA Standard Contractual Clauses for the purposes of compliance with art. 28 GDPR (2020).
DPC (Ireland), Guidance for Individuals who Accidentally Receive Personal data (2020).
ICO, Right of Access (2020).
ICO, Data sharing: a code of practice (2020).
ISO/IEC 27701, adopted in 2019, adds guidance for PII processors to ISO/IEC 27002.
The relevant paragraphs for article 28(2) GDPR are:
8.5.6 Disclosure of subcontractors used to process PII
Control
The organization should disclose any use of subcontractors to process PII to the customer before use.
Implementation guidance
Provisions for the use of subcontractors to process PII should be included in the customer contract.
[…]