Article 46 GDPR. Transfers subject to appropriate safeguards
Article 47 GDPR. Binding corporate rules
Article 49 GDPR. Derogations for specific situations
1. In the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the following conditions:
[…]
Where a transfer could not be based on a provision in Article 45 or 46, including the provisions on binding corporate rules, and none of the derogations for a specific situation referred to in the first subparagraph of this paragraph is applicable, a transfer to a third country or an international organisation may take place only if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data. The controller shall inform the supervisory authority of the transfer. The controller shall, in addition to providing the information referred to in Articles 13 and 14, inform the data subject of the transfer and on the compelling legitimate interests pursued.
[…]
ISO/IEC 27701, adopted in 2019, extends ISO/IEC 27002 with additional guidance for PII controllers.
Here is the paragraph relevant to Article 14(2)(a) GDPR:
7.4.7 Retention
Control
The organization should not retain PII for longer than is necessary for the purposes for which the PII is processed.
Implementation guidance
The organization should develop and maintain retention schedules for information it retains, taking into account the requirement to retain PII for no longer than is necessary.
…