(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.
Here is the relevant paragraphs to article 30(1)(e) GDPR:
7.5.1 Identify basis for PII transfer between jurisdictions
Control
The organization should identify and document the relevant basis for transfers of PII between jurisdictions.
Implementation guidance
PII transfer can be subject to legislation and/or regulation depending on the jurisdiction or international organization to which data is to be transferred (and from where it originates).
…
Connettersi
per accedere al testo completo
(EN) 8.4.2 Return, transfer or disposal of PII
Control
The organization should provide the ability to return, transfer and/or disposal of PII in a secure manner. It should also make its policy available to the customer.
Implementation guidance
At some point in time, PII can need to be disposed of in some manner.
…
Connettersi
per accedere al testo completo
(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII processors.
Here is the relevant paragraph to article 30(2)(c) GDPR:
8.5.2 Countries and international organizations to which PII can be transferred
Control
The organization should specify and document the countries and international organizations to which PII can possibly be transferred.
Implementation guidance
The identities of the countries and international organizations to which PII can possibly be transferred in normal operations should be made available to customers.
…
Connettersi
per accedere al testo completo
(EN) ISO/IEC 27701, adopted in 2019, added a requirement additional to ISO/IEC 27002, section 15.1.2.
Here is the relevant paragraph to article 30(2)(d) GDPR:
6.12.1.2 Addressing security within supplier agreements
Implementation guidance
The organization should specify in agreements with suppliers whether PII is processed and the minimum technical and organizational measures that the supplier needs to meet in order for the organization to meet its information security and PII protection obligations (see 7.2.6 and 8.2.1).
…
Connettersi
per accedere al testo completo
Source: https://www.ndc.gov.tw/Content_List.aspx?n=F98A8C27A0F54C30
(EN) Article 30 is pretty straightforward and gives us very direct instructions on what document has to be created and what information has to be in it. Often it is enough to create a spreadsheet or a simple Excel table if the number of your processing activities is not so high, but if it doesn’t scale well, there are also specialised software solutions for Register of Processing Activities.
…
Connettersi
per accedere al testo completo
(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.
Here is the relevant paragraph to article 30 GDPR:
7.2.8 Records related to processing PII
Control
The organization should determine and securely maintain the necessary records in support of its obligations for the processing of PII.
Implementation guidance
A way to maintain records of the processing of PII is to have an inventory or list of the PII processing activities that the organization performs. Such an inventory can include:
…
Connettersi
per accedere al testo completo
(13) 為確保歐盟境內對於當事人之保護程度一致,並防止差異性阻 礙了歐洲市場內個人資訊的自由流通,本規則有必要為業者(包括微 型及中小型企業)提供具法律確定性及透明度之規範,且為個人提供 在全部會員國境內對於控管者與處理者有相同程度之法律上可執行 的權利、義務及責任,以確保不同會員國之監管機關對於個人資料處 理之一致監控、等效制裁及有效合作。為使歐洲市場正常運作,個人資料於歐盟境內之自由流通不得以保護個人資料處理為由而予以限 制或禁止。慮及微型及中小型企業之具體情況,本規則就員工人數少 於 250 人之組織在記錄保存方面定有排除適用條款。此外,本規則鼓 勵歐盟組織及機構以及會員國及其監管機關,考量微型及中小型企業 在適用本規則時之具體需求。所謂微型及中小型企業之定義,應依據 執委會 2003 年公佈之第 2003/361/EC 號建議書附件第 2 條規定定之 [5]。
[5] Commission Recommendation of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises (C(2003) 1422) (OJ L 124, 20.5.2003, p. 36). https://eur-lex.europa.eu/legal-content/EN/AUTO/?uri=OJ:L:2003:124:TOC
(39) 個人資料之任何處理應合法且公正。個人資料之蒐集、利用、 商議或其他處理應向當事人公開,且應及於該個人資料所處理或將處 理之程度。透明原則要求關於個人資料處理之任何資訊或聯繫應方便 取得、易於理解且應以清楚簡易之語言為之。透明原則尤其關注於向 資料主體公開控管者身分、其處理資料之目的及進一步資訊,用以確 保對於相關當事人為公正及透明之個人資料處理,並確保其得確認及 溝通其所被處理之個人資料之權利。當事人應獲告知有關個人資料處 理之風險、規範、保護措施及權利,以及其如何就該等處理行使其權 利。特別是,個人資料處理之特定目的應具明確性及合法性,且應於 蒐集個人資料時告確定。個人資料應適當、相關及限於其所受處理目 的之必要範圍內。尤須確保個人資料之儲存期間係在最小限度範圍內。 個人資料之處理唯有當其處理目的無法經由其他方式合理實現者始 得為之。為確保個人資料未遭留存至超過其所必要之期間,控管者應 設定個人資料銷毀之期限或定期確認之。各種合理措施應被採用以更 正或刪除不正確之個人資料。個人資料之處理應以確保其適當安全性 及保密性之方式為之,包括防止對個人資料及其處理過程所使用設備 之未經授權之接近或使用。
(EN) Information Commissioner’s Office (ICO, Great Britain), Documentation template for controllers
Information Commissioner’s Office (ICO, Great Britain), Documentation template for processors
Information Commissioner’s Office (ICO, Great Britain), Right of Access (2020).
Information Commissioner’s Office (ICO, Great Britain), Data sharing: a code of practice (2020).
EDPB, Guidelines 02/2021 on Virtual Voice Assistants (2021).
(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.
Here is the relevant paragraph to article 30(1)(d) GDPR:
7.5.4 Records of PII disclosure to third parties
Control
The organization should record disclosures of PII to third parties, including what PII has been disclosed, to whom and at what time.
Implementation guidance
PII can be disclosed during the course of normal operations.
…
Connettersi
per accedere al testo completo