(75) 當事人之權利及自由所受之諸多可能且嚴重之風險,可能起因 自處理個人資料,並造成身體上、物質上、或非物質上之損害,尤其 是於下述情形時:當處理可能造成歧視、身分盜用或詐欺、金融損失、 名譽損害、受職業性秘密保護之個人資料之機密性喪失、假名化未授 權撤銷、或其他任何顯著之經濟性或社會性之不利益時;當資料主體 之權利或自由可能受到剝奪或被排除在自己之個人資料控制權之外 時;當個人資料處理涉及揭露種族或人種、政治意見、宗教或哲學信 仰、貿易聯盟會員、以及基因資料之處理、有關健康之資料或有關性 生活或前科及犯罪或相關保安措施之資料時;當個人特徵受到評估, 尤其是為了建檔或使用個人檔案,分析或預測有關工作表現、經濟狀 況、健康、個人偏好或興趣、可信度或行為、地點或動向等個人特徵 時;當處理易受傷害之個人(尤其是兒童)之個人資料時;或當該處 理會牽涉大量個人資料並影響大量資料主體時。
(75) The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage; where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data; where personal data are processed which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, and the processing of genetic data, data concerning health or data concerning sex life or criminal convictions and offences or related security measures; where personal aspects are evaluated, in particular analysing or predicting aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, in order to create or use personal profiles; where personal data of vulnerable natural persons, in particular of children, are processed; or where processing involves a large amount of personal data and affects a large number of data subjects.
(84) 就處理活動可能造成當事人之權利或自由有高度風險之情形, 為了促進對本規則之遵守,控管者應負責執行資料保護影響評估,以 衡量(特別是)風險的來源、本質、特殊性與嚴重性。為證明個人資 料之處理符合本規則,在決定適當措施時,評估結果應納入考量。當 資料保護影響評估指出處理活動涉及高度風險而控管者無法以現有 技術及執行成本提供適當措施降低風險時,應於處理前徵詢監管機 關。
(84) In order to enhance compliance with this Regulation where processing operations are likely to result in a high risk to the rights and freedoms of natural persons, the controller should be responsible for the carrying-out of a data protection impact assessment to evaluate, in particular, the origin, nature, particularity and severity of that risk. The outcome of the assessment should be taken into account when determining the appropriate measures to be taken in order to demonstrate that the processing of personal data complies with this Regulation. Where a data-protection impact assessment indicates that processing operations involve a high risk which the controller cannot mitigate by appropriate measures in terms of available technology and costs of implementation, a consultation of the supervisory authority should take place prior to the processing.
(89) 歐盟指令第 95/46/EC 號規範了向監管機關通知個人資料處理之 一般性義務。然而該義務造成了行政與財政上之負擔,並非所有情形 都對提升個人資料之保護有所助益。因此,該未加區別之普遍通知義 務應予廢除,並改以注重依處理活動之本質、範圍、脈絡及目的等特 徵區分容易對當事人權利與自由造成高風險之種類的更有效程序與 機制加以取代。該處理活動之種類尤其可能是涉及新技術之使用,或 未曾由控管者實施資料保護影響評估或基於自開始處理所經過之時間而有必要之新類型處理活動。
(89) Directive 95/46/EC provided for a general obligation to notify the processing of personal data to the supervisory authorities. While that obligation produces administrative and financial burdens, it did not in all cases contribute to improving the protection of personal data. Such indiscriminate general notification obligations should therefore be abolished, and replaced by effective procedures and mechanisms which focus instead on those types of processing operations which are likely to result in a high risk to the rights and freedoms of natural persons by virtue of their nature, scope, context and purposes. Such types of processing operations may be those which in, particular, involve using new technologies, or are of a new kind and where no data protection impact assessment has been carried out before by the controller, or where they become necessary in the light of the time that has elapsed since the initial processing.
(90) 在此種情形,控管者應在處理之前進行資料保護影響評估,以 評估高風險之特定可能性與嚴重性,並考量處理之本質、範圍、脈絡 與目的及風險來源。該影響評估尤其應包括預計用以降低風險、確保 個人資料保護與顯示遵循本規則之措施、保護措施與機制。
(90) In such cases, a data protection impact assessment should be carried out by the controller prior to the processing in order to assess the particular likelihood and severity of the high risk, taking into account the nature, scope, context and purposes of the processing and the sources of the risk. That impact assessment should include, in particular, the measures, safeguards and mechanisms envisaged for mitigating that risk, ensuring the protection of personal data and demonstrating compliance with this Regulation.
(91) 此尤其適用於預定處理地區、國家或超國家層級可觀數量之個 人資料,且可能影響大量資料主體並導致高風險之大規模處理活動, 例如,基於其敏感性,按照現存技術知識狀況,大規模使用新技術並 用於對資料主體之權利與自由造成高風險之其他處理活動,尤其是該 等活動使得資料主體更難以行使其權利者。透過建檔資料,就相關當 事人之個人特徵為體系性及密集性之評估、或透過特殊類型之個人資 料、生物資料、或前科及犯罪資料或相關保安措施等之資料處理,以 取得特定當事人之決策所為之個人資料處理者,亦應進行資料保護影 響評估。資料保護影響評估也在大規模監控公共場合時有其必要,特 別是使用光學電子裝置或主管監管機關認為該處理有可能對資料主 體之權利與自由造成高風險之任何其他活動,尤其是因該等裝置或活 動使資料主體無法行使權利、或使用服務或契約,或是因其係被有系 統性地大規模執行者。若由個別醫生、其他健康照護專業者或律師處 理來自於病患或客戶之個人資料時,不應被視為大規模之處理。在此 種情形,資料保護影響評估並非強制。
(91) This should in particular apply to large-scale processing operations which aim to process a considerable amount of personal data at regional, national or supranational level and which could affect a large number of data subjects and which are likely to result in a high risk, for example, on account of their sensitivity, where in accordance with the achieved state of technological knowledge a new technology is used on a large scale as well as to other processing operations which result in a high risk to the rights and freedoms of data subjects, in particular where those operations render it more difficult for data subjects to exercise their rights. A data protection impact assessment should also be made where personal data are processed for taking decisions regarding specific natural persons following any systematic and extensive evaluation of personal aspects relating to natural persons based on profiling those data or following the processing of special categories of personal data, biometric data, or data on criminal convictions and offences or related security measures. A data protection impact assessment is equally required for monitoring publicly accessible areas on a large scale, especially when using optic-electronic devices or for any other operations where the competent supervisory authority considers that the processing is likely to result in a high risk to the rights and freedoms of data subjects, in particular because they prevent data subjects from exercising a right or using a service or a contract, or because they are carried out systematically on a large scale. The processing of personal data should not be considered to be on a large scale if the processing concerns personal data from patients or clients by an individual physician, other health care professional or lawyer. In such cases, a data protection impact assessment should not be mandatory.
(92) 有些情況下,資料保護影響評估之主體比單一計畫更廣泛將是 合理且經濟的,例如,當公務機關或機構欲建立普遍性的應用程式或 處理平台、或當許多控管者計畫引進普遍性的應用程式或跨產業或跨 界之處理環境,或為廣泛使用的水平整合活動。
(92) There are circumstances under which it may be reasonable and economical for the subject of a data protection impact assessment to be broader than a single project, for example where public authorities or bodies intend to establish a common application or processing platform or where several controllers plan to introduce a common application or processing environment across an industry sector or segment or for a widely used horizontal activity.
(93) 於公務機關或公務機構執行任務係依據會員國法,且其所通過 之內容係在規範相關之特定或系列處理活動時,,該會員國得視其為 有必要在處理活動前進行該等評估。
(93) In the context of the adoption of the Member State law on which the performance of the tasks of the public authority or public body is based and which regulates the specific processing operation or set of operations in question, Member States may deem it necessary to carry out such assessment prior to the processing activities.
(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII processors.
Here is the relevant paragraph to articles 35(1) GDPR:
8.2.1 Customer agreement
Control
The organization should ensure, where relevant, that the contract to process PII addresses the organization’s role in providing assistance with the customer’s obligations (taking into account the nature of processing and the information available to the organization).
Implementation guidance
The contract between the organization and the customer should include the following wherever relevant, and depending on the customer’s role (PII controller or PII processor) (this list is neither definitive nor exhaustive):
…
Iniciar sesión
para acceder al texto completo