第 33 條 GDPR. 向監管機關進行個人資料侵害之通報
1. 於個人資料侵害發生時,控管者即應依第 55 條向監管機關通報, 不得無故遲延,且如可能,應於發現後 72 小時內通報,但個人資料 侵害無造成對當事人權利及自由之風險時,不在此限。於未於 72 小 時內向監管機關通報之情形,通報應附遲延之理由。
[…]
3. 第 1 項之通報至少應:
[…]
(b) 告知資料保護員之姓名及聯絡細節,或其他得獲得更多資訊之聯 絡者;
(c) 描述個人資料侵害之可能結果;
(d) 描述控管者已採取或預計採取用以處理個人資料侵害之措施,如 適當,應包括降低可能不利影響之措施。
(EN) ISO/IEC 27701, adopted in 2019, added a requirement additional to ISO/IEC 27002, section 16.1.1.
Here is the relevant paragraph to article 34 GDPR:
6.13.1.1 Responsibilities and procedures
Implementation guidance
As part of the overall information security incident management process, the organization should establish responsibilities and procedures for the identification and recording of breaches of PII. Additionally, the organization should establish responsibilities and procedures related to notification to required parties of PII breaches (including the timing of such notifications) and the disclosure to authorities, taking into account the applicable legislation and/or regulation.
…
Sisään
pääset käsiksi koko tekstiin