2. 如控管者已將該個人資料公開,且其有義務依據第 1 項規定刪除 該個人資料者,考量現有科技及執行成本,該控管者應採取合理步驟, 包括科技方式,通知正在處理該個人資料之控管者,資料主體已提出 刪去任何該個人資料之連結或複製或仿製之請求。
(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII processors.
Here is the relevant paragraph to article 17(2) GDPR:
8.3.1 Obligations to PII principals
Control
The organization should provide the customer with the means to comply with its obligations related to PII principals.
Implementation guidance
A PII controller’s obligations can be defined by legislation, by regulation and/or by contract.
…
Logi sisse
terviktekstile juurdepääsuks
(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.
Here is the relevant paragraph to article 17(3) GDPR:
7.2.2 Identify lawful basis
Control
The organization should determine, document and comply with the relevant lawful basis for the processing of PII for the identified purposes.
Implementation guidance
Some jurisdictions require the organization to be able to demonstrate that the lawfulness of processing was duly established before the processing.
…
Logi sisse
terviktekstile juurdepääsuks
Source: https://www.ndc.gov.tw/Content_List.aspx?n=F98A8C27A0F54C30
(EN) The so-called “right to be forgotten” was hailed as a breakthrough with the adoption of the General Data Protection Regulation, even though it existed in a limited form before. Article 17 provides for a broader “right to erasure”, to take into account the exact wording of the provision. European Union residents have a right to ask for the deletion of their personal data, and the organization that holds the data has a corresponding obligation to erase them “without undue delay” under a certain number of circumstances.
…
Logi sisse
terviktekstile juurdepääsuks
(EN)
Concern: Request to erase my personal data
Dear Madam, Dear Sir,
You have data concerning me that I am asking you to delete…
…
Logi sisse
terviktekstile juurdepääsuks
(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.
Here is the relevant paragraph to article 17 GDPR:
7.3.6 Access, correction and/or erasure
Control
The organization should implement policies, procedures and/or mechanisms to meet their obligations to PII principals to access, correct and/or erase their PII.
Implementation guidance
The organization should implement policies, procedures and/or mechanisms for enabling PII principals to obtain access to, correct and erase of their PII, if requested and without undue delay.
…
Logi sisse
terviktekstile juurdepääsuks
(65) 資料主體應有更正其個人資料之權利、以及當資料保存違反規 範控管者之本規則、歐盟法或會員國法時應有「被遺忘權」。尤其, 資料主體應享有刪除其個人資料之權利,並於該個人資料就資料蒐集 或另為處理之目的已無必要時、於資料主體已撤回其同意或拒絕其個 人資料之處理時、或於其個人資料處理違反本規則時,資料主體應享有請求不再處理其個人資料之權利。該權利尤其涉及該資料主體於兒 童時期所為同意且未完整理解該處理存在之風險,爾後希望移除其個 人資料(特別是網路上資料)之情形。不問其是否仍為兒童,資料主 體應得行使該權利。然而,為了表意自由權之行使、法律義務之遵守、 符合公共利益之職務執行、或委託控管者行使公權力所必須者、在公 共衛生領域上之公共利益的理由、為了實現公共利益、科學或歷史研 究目的或統計目的時、或為了建立、行使或防禦法律上主張時,於必 要範圍內進一步保留個人資料應屬合法。
(EN)
Article 29 Working Party, Guidelines on the Implementation of the Court of Justice of the European Union Judgment on Google Spain Inc. v. Agencia Española de protección de datos (AEPD) and Mario Costeja González C-131/12 (2014).
EDPB, Guidelines 5/2019 on the Criteria of the Right to be Forgotten in the Search Engines Cases under the GDPR (part 1) (2019).
EDPB, Guidelines 02/2021 on Virtual Voice Assistants (2021).
CJEU, Google Spain SL/Agencia española de protección de datos, C-131/12 (2014).
CJEU, Camera di Commercio, Industria, Artigianato e Agricoltura di Lecce/Manni, C-398/15 (2019).
CJEU, GC e.a./Commission nationale de l’informatique et des libertés, C-136/17 (2019).
CJEU, Google LLC/Commission nationale de l’informatique et des libertés, C-507/17 (2019).
(EN)