(42) 個人資料處理係基於資料主體之同意者,控管者應舉證證明資 料主體同意該處理活動。尤其是在為他事件所為書面聲明時,保護措 施應確保資料主體知悉其所為同意之事實及其同意之範圍。根據歐盟 理事會所定第 93/13/EEC 號指令[10],控管者事先擬定之同意聲明書,應以易懂且方便取得之格式為之,並採用清楚簡易之語言,且不得有不公平條款。為同意所為之告知,資料主體至少應知悉控管者之身分及其個人資料處理所要達成之目的。於資料主體並非出於真意或無從自由選擇或其無法拒絕或無法於不損及其權益之情況下撤銷同意者,該同意應認定為不具自主性。
[10] Council Directive 93/13/EEC of 5 April 1993 on unfair terms in consumer contracts (OJ L 95, 21.4.1993, p. 29). https://eur-lex.europa.eu/legal-content/EN/AUTO/?uri=OJ:L:1993:095:TOC
(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII processors.
Here is the relevant paragraph to article 7(4) GDPR:
8.2.3 Marketing and advertising use
Control
The organization should not use PII processed under a contract for the purposes of marketing and advertising without establishing that prior consent was obtained from the appropriate PII principal.
…
Logi sisse
terviktekstile juurdepääsuks
Source: https://www.ndc.gov.tw/Content_List.aspx?n=F98A8C27A0F54C30
(EN) A controller relying on consent as a legal basis to collect, store or use data should respect the basic principles stated in article 4 (11), which provides a legal definition of the notion, and always make sure that it meets the additional conditions listed in article 7. A person must supply a “freely given” consent, distinct from other related matters, and s/he should be offered a “genuine choice” between accepting or refusing to provide it without having to suffer any negative consequences (Guidelines on Consent and recital 42). It is also essential to offer a person full control over her/his consent, including the possibility to withdraw it at any time, and to keep adequate records of consents.
…
Logi sisse
terviktekstile juurdepääsuks
(EN)
Concern: Withdrawal of consent to process my personal data
Dear Madam, Dear Sir,
You are currently processing my personal data based on my consent…
…
Logi sisse
terviktekstile juurdepääsuks
(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.
Here is the relevant paragraph to articles 7(1) and 7(2) GDPR:
7.2.4 Obtain and record consent
Control
The organization should obtain and record consent from PII principals according to the documented processes.
Implementation guidance
The organization should obtain and record consent from PII principals in such a way that it can provide on request details of the consent provided (for example the time that consent was provided, the identification of the PII principal, and the consent statement).
…
Logi sisse
terviktekstile juurdepääsuks
(32) 同意之給予必須是資料主體依其意思決定就其個人資料處理所 為具體肯定且自由形成、明確、受充分告知及非模糊之指示,諸如: 口頭或書面之聲明,包括以電子方式為之者。同意可能包括於瀏覽網 頁時所點選之選項、為資訊社會服務所做技術設定之選擇或其他聲明, 或依其脈絡清楚顯示資料主體接受被提案之個人資料處理的行為。因 此,單純沉默、預設選項為同意或不為表示不構成同意。同意應涵蓋 基於相同之一個或多個目的所為之全部處理活動。如個人資料之處理 具有多重目的者,應為全部目的取得同意。如資料主體之同意係基於 電子方式之請求者,該請求必須清楚、簡潔且對所提供服務之使用不 構成非必要之破壞。
(33) 為科學研究目的所為之個人資料處理,於資料蒐集當時,通常 不可能完整指明該處理之目的。因此,當科學研究符合公認之道德標 準時,應允許資料主體僅就科學研究之特定範圍為同意之表示。資料 主體應有機會僅就特定研究範圍或預期目的所允許範圍內之部分研 究計畫表示同意。
(42) 個人資料處理係基於資料主體之同意者,控管者應舉證證明資 料主體同意該處理活動。尤其是在為他事件所為書面聲明時,保護措 施應確保資料主體知悉其所為同意之事實及其同意之範圍。根據歐盟 理事會所定第 93/13/EEC 號指令[10],控管者事先擬定之同意聲明書,應以易懂且方便取得之格式為之,並採用清楚簡易之語言,且不得有不公平條款。為同意所為之告知,資料主體至少應知悉控管者之身分及其個人資料處理所要達成之目的。於資料主體並非出於真意或無從自由選擇或其無法拒絕或無法於不損及其權益之情況下撤銷同意者,該同意應認定為不具自主性。
[10] Council Directive 93/13/EEC of 5 April 1993 on unfair terms in consumer contracts (OJ L 95, 21.4.1993, p. 29). https://eur-lex.europa.eu/legal-content/EN/AUTO/?uri=OJ:L:1993:095:TOC
(EN)
Article 29 Working Party, Opinion 4/2012 on Cookie Consent Exemption (2012).
Article 29 Working Party, Working Document 2/2013 Providing Guidance on Obtaining Consent for Cookies (2013).
EDPB, Guidelines 5/2020 on Consent under Regulation 2016/679 (2020).
CNIL, Guidelines on Cookies and Tracking Devices (in French) (2019).
European Commission, Guidance on Apps supporting the fight against COVID 19 pandemic in relation to data protection Brussels (2020).
CJEU, Judgment in Planet 49 Gmbh, Case C-673/17 (2019).
Belgian DPA Fines Belgian Telecommunications Provider for Several Data Protection Infringements, (2020). Brief description in English.
CJEU, Data Protection Commissioner/Facebook Ireland Ltd and Schrems, C-311/18 (2020).
CNIL, Cookies : sanction de 35 millions d’euros à l’encontre d’AMAZON EUROPE CORE and sanction de 60 millions d’euros à l’encontre de GOOGLE LLC et de 40 millions d’euros à l’encontre de GOOGLE IRELAND LIMITED (2020).
(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.
Here is the relevant paragraph to article 7(3) GDPR:
7.3.4 Providing mechanism to modify or withdraw consent
Control
The organization should provide a mechanism for PII principals to modify or withdraw their consent.
Implementation guidance
The organization should inform PII principals of their rights related to withdrawing consent (which may vary by jurisdiction) at any time, and provide the mechanism to do so.
…
Logi sisse
terviktekstile juurdepääsuks