ISO 27701
Recitals
(108) In the absence of an adequacy decision, the controller or processor should take measures to compensate for the lack of data protection in a third country by way of appropriate safeguards for the data subject. Such appropriate safeguards may consist of making use of binding corporate rules, standard data protection clauses adopted by the Commission, standard data protection clauses adopted by a supervisory authority or contractual clauses authorised by a supervisory authority. Those safeguards should ensure compliance with data protection requirements and the rights of the data subjects appropriate to processing within the Union, including the availability of enforceable data subject rights and of effective legal remedies, including to obtain effective administrative or judicial redress and to claim compensation, in the Union or in a third country. They should relate in particular to compliance with the general principles relating to personal data processing, the principles of data protection by design and by default. Transfers may also be carried out by public authorities or bodies with public authorities or bodies in third countries or with international organisations with corresponding duties or functions, including on the basis of provisions to be inserted into administrative arrangements, such as a memorandum of understanding, providing for enforceable and effective rights for data subjects. Authorisation by the competent supervisory authority should be obtained when the safeguards are provided for in administrative arrangements that are not legally binding.
(109) The possibility for the controller or processor to use standard data-protection clauses adopted by the Commission or by a supervisory authority should prevent controllers or processors neither from including the standard data-protection clauses in a wider contract, such as a contract between the processor and another processor, nor from adding other clauses or additional safeguards provided that they do not contradict, directly or indirectly, the standard contractual clauses adopted by the Commission or by a supervisory authority or prejudice the fundamental rights or freedoms of the data subjects. Controllers and processors should be encouraged to provide additional safeguards via contractual commitments that supplement standard protection clauses.
Guidelines & Case Law
Documents
EDPB, Guidelines 2/2020 on Articles 46(2)(a) and 46(3)(b) of Regulation 2016/679 for Transfers of Personal Data Between EEA and Non-EEA Public Authorities and Bodies (2020).
This document seeks to provide guidance as to the application of Articles 46(2)(a) and 46(3)(b) of the General Data Protection Regulation (GDPR) on transfers of personal data from EEA public authorities or bodies to public bodies in third countries or to international organisations, to the extent that these are not covered by an adequacy finding adopted by the European Commission.
EDPB, Guidelines 3/2020 on the Processing of Data Concerning Health for the Purpose of Scientific Research in the Context of the Covid-19 Outbreak (2020).
EDPS, Strategy for Union institutions, offices, bodies and agencies to comply with the ‘Schrems II’ Ruling (2020).
EDPB, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (2021).
EDPB, Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR (2021).
EDPB, Government access to data in third countries (2022).
Case law
CJEU, Data Protection Commissioner/Facebook Ireland Ltd and Schrems, C-311/18 (2020).
ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.
Here is the relevant paragraph to article 46 GDPR:
7.5.1 Identify basis for PII transfer between jurisdictions
Control
The organization should identify and document the relevant basis for transfers of PII between jurisdictions.
Implementation guidance
PII transfer can be subject to legislation and/or regulation depending on the jurisdiction or international organization to which data is to be transferred (and from where it originates).
[…]