제13조 📖 GDPR. 개인정보가 정보주체로부터 수집되는 경우 제공되는 정보

제13조 GDPR. 개인정보가 정보주체로부터 수집되는 경우 제공되는 정보

Article 13 GDPR. Information to be provided where personal data are collected from the data subject

1. 정보주체에 관련된 개인정보를 정보주체로부터 수집하는 경우, 컨트롤러는 개인정보를 취득할 당시 정보주체에게 다음 각 호의 정보 일체를 제공해야 한다.

1. Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:

전문 (Recitals) 관련 교과서

전문 (Recitals)

(60) 공정하고 투명한 처리의 원칙에 따라 정보주체는 처리 작업의 존재 및 그 존재에 대하여 통지 받아야 한다. 컨트롤러는 개인정보가 처리되는 특정 상황 및 맥락을 참작하여 공정하고 투명한 처리 보장에 필요한 모든 추가적인 정보를 정보주체에 제공해야 한다. 또한 정보주체는 프로파일링 유무와 해당 프로파일링의 결과에 대해 통지받아야 한다. 정보주체로부터 개인정보가 수집되는 경우, 해당 정보주체는 본인이 개인정보 제공의 의무가 있는지 여부 및 해당 정보를 제공하지 않을 경우의 결과에 대해 통지받아야 한다. 그 정보는 눈에 잘 띄고 이해하기 쉬우며 가독성이 뛰어난 방식으로 예정된 처리에 대해 중요한 개략적 정보를 제공하기 위해 표준화된 아이콘과 함께 제공될 수 있다. 전자 수단을 이용하여 아이콘을 제공하는 경우에는 기계 판독이 가능해야 한다.

(60) The principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes. The controller should provide the data subject with any further information necessary to ensure fair and transparent processing taking into account the specific circumstances and context in which the personal data are processed. Furthermore, the data subject should be informed of the existence of profiling and the consequences of such profiling. Where the personal data are collected from the data subject, the data subject should also be informed whether he or she is obliged to provide the personal data and of the consequences, where he or she does not provide such data. That information may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended processing. Where the icons are presented electronically, they should be machine-readable.

Timing for provision of information

Articles 13 and 14 set out information which must be provided to the data subject at the commencement phase of the processing cycle. Article 13 applies to the scenario where the data is collected from the data subject. This includes personal data that: • a data subject consciously provides to a data controller (e.g. when completing an online form); or • a data controller collects from a data subject by observation (e.g. using automated data capturing devices or data capturing software such as cameras, network equipment, Wi-Fi tracking, RFID or other types of sensors). Article 14 applies in the scenario where the data have not been obtained from the data subject. This includes personal data which a data controller has obtained from sources such as: • third party data controllers; • publicly available sources; • data brokers; or • other data subjects.

(a) 컨트롤러 또는 해당되는 경우, 컨트롤러의 대리인의 신원 및 상세 연락처

(a) the identity and the contact details of the controller and, where applicable, of the controller’s representative;

지침 및 사례 법률

(EN) Article 29 Working Party, Guidelines on transparency under Regulation 2016/679, WP260 rev.01 (2018):

This information should allow for easy identification of the controller and preferably allow for different forms of communications with the data controller (e.g. phone number, email, postal address etc.).

(b) 해당되는 경우, 데이터보호담당관의 상세 연락처

(b) the contact details of the data protection officer, where applicable;

지침 및 사례 법률

(EN) Article 29 Working Party, Guidelines on Data Protection Officers (DPOs) (2017):

The contact details of the DPO should include information allowing data subjects and the supervisory authorities to reach the DPO in an easy way (a postal address, a dedicated telephone number, and/or a dedicated e-mail address). When appropriate, for purposes of communications with the public, other means of communications could also be provided, for example, a dedicated hotline, or a dedicated contact form addressed to the DPO on the organisation’s website.

Article 37(7) does not require that the published contact details should include the name of the DPO. Whilst it may be a good practice to do so, it is for the controller or the processor and the DPO to decide whether this is necessary or helpful in the particular circumstances.

[…]

As a matter of good practice, the WP29 also recommends that an organisation informs its employees of the name and contact details of the DPO. For example, the name and contact details of the DPO could be published internally on organisation’s intranet, internal telephone directory, and organisational charts.

(c) 해당 개인정보의 예정된 처리의 목적뿐 아니라 처리의 법적 근거

(c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;

지침 및 사례 법률

(EN) Article 29 Working Party, Guidelines on transparency under Regulation 2016/679, WP260 rev.01 (2018):

In addition to setting out the purposes of the processing for which the personal data is intended, the relevant legal basis relied upon under Article 6 must be specified. In the case of special categories of personal data, the relevant provision of Article 9 (and where relevant, the applicable Union or Member State law under which the data is processed) should be specified. Where, pursuant to Article 10, personal data relating to criminal convictions and offences or related security measures based on Article 6.1 is processed, where applicable the relevant Union or Member State law under which the processing is carried out should be specified.

(d) 제6조(1)의 (f)호에 근거한 처리의 경우, 컨트롤러 또는 제3자의 정당한 이익

(d) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;

지침 및 사례 법률 관련 교과서

지침 및 사례 법률

(EN) Article 29 Working Party, Guidelines on transparency under Regulation 2016/679, WP260 rev.01 (2016):

The specific interest in question must be identified for the benefit of the data subject. As a matter of best practice, the controller can also provide the data subject with the information from the balancing test, which must be carried out to allow reliance on Article 6.1(f) as a lawful basis for processing, in advance of any collection of data subjects’ personal data. To avoid information fatigue, this can be included within a layered privacy statement/ notice (see paragraph 35). In any case, the WP29 position is that information to the data subject should make it clear that they can obtain information on the balancing test upon request. This is essential for effective transparency where data subjects have doubts as to whether the balancing test has been carried out fairly or they wish to file a complaint with a supervisory authority.

관련 교과서

제6조 GDPR. 처리의 적법성

Article 6 GDPR. Lawfulness of processing

[…]

1. 개인정보 처리는 적어도 다음 각 호의 하나에 해당되고 그 범위에서만 적법하다.

1. Processing shall be lawful only if and to the extent that at least one of the following applies:

[…]

(f) 컨트롤러 또는 제3자의 정당한 이익 목적을 위해 처리가 필요한 경우로서, 개인정보가 보호되어야 할 정보주체의 이익 또는 기본적 권리와 자유가 우선되는 경우는 제외한다. 정보주체가 어린이인 경우에는 특히 그러하다.

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

(e) 해당되는 경우, 개인정보의 수령인 또는 수령인의 범주

(e) the recipients or categories of recipients of the personal data, if any;

지침 및 사례 법률 관련 교과서

지침 및 사례 법률

(EN) Article 29 Working Party, Guidelines on transparency under Regulation 2016/679, WP260 rev.01 (2016):

The term “recipient” is defined in Article 4.9 as “a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not” [emphasis added]. As such, a recipient does not have to be a third party. Therefore, other data controllers, joint controllers and processors to whom data is transferred or disclosed are covered by the term “recipient” and information on such recipients should be provided in addition to information on third party recipients. The actual (named) recipients of the personal data, or the categories of recipients, must be provided. In accordance with the principle of fairness, controllers must provide information on the recipients that is most meaningful for data subjects. In practice, this will generally be the named recipients, so that data subjects know exactly who has their personal data. If controllers opt to provide the categories of recipients, the information should be as specific as possible by indicating the type of recipient (i.e. by reference to the activities it carries out), the industry, sector and sub-sector and the location of the recipients.

관련 교과서

제4조 GDPR. 정의

Article 4 GDPR. Definitions

정의

Definitions

[…]

(9) 수령인은 제3자 포함 여부에 관계없이 개인정보가 제공되는 자연인 또는 법인, 공공기관, 기관, 기타 기구를 가리킨다. 그러나 유럽연합 또는 회원국 법률에 따라 특정 조회업무를 수행하는 체제에서 개인정보를 수령할 수 있는 공공당국은 수령인으로 간주하지 않는다. 그러한 공공당국의 그 같은 개인정보의 처리는 처리 목적에 따라 적용 가능한 개인정보 보호 규칙을 준수하여야 한다.

(9) ‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;

[…]

(f) 해당되는 경우, 컨트롤러가 제3국이나 국제기구의 수령인에게 개인정보를 이전할 예정이라는 사실과 집행위원회가 내린 적정성 결정의 유무, 또는 제46조, 제47조, 제49조(1)의 두 번째 단락에 명시된 이전의 경우, 적절하고 적합한 안전조치, 그 사본을 입수하기 위한 수단, 안전조치가 사용 가능하게 되는 경우에 대한 언급

(f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.

지침 및 사례 법률 관련 교과서

지침 및 사례 법률

(EN) Article 29 Working Party, Guidelines on transparency under Regulation 2016/679, WP260 rev.01 (2016):

The relevant GDPR article permitting the transfer and the corresponding mechanism (e.g. adequacy decision under Article 45/ binding corporate rules under Article 47/ standard data protection clauses under Article 46.2/ derogations and safeguards under Article 49 etc.) should be specified. Information on where and how the relevant document may be accessed or obtained should also be provided e.g. by providing a link to the mechanism used. In accordance with the principle of fairness, the information provided on transfers to third countries should be as meaningful as possible to data subjects; this will generally mean that the third countries be named.

관련 교과서

제45조 GDPR. 적정성 결정에 따른 이전

Article 45 GDPR. Transfers on the basis of an adequacy decision

제47조 GDPR. 의무적 기업 규칙

Article 47 GDPR. Binding corporate rules

제46조 GDPR. 적정한 안전조치에 의한 이전

Article 46 GDPR. Transfers subject to appropriate safeguards

[…]

2. 제1항의 적정한 안전조치는 감독기관의 특별한 승인을 요하지 아니하고 다음 각 호에 의해 제공될 수 있다.

2. The appropriate safeguards referred to in paragraph 1 may be provided for, without requiring any specific authorisation from a supervisory authority, by:

(b) 제47조에 따른 의무적 기업 규칙

(b) binding corporate rules in accordance with Article 47;

(c) 제93조(2)의 검토 절차에 따라 집행위원회가 채택한 정보보호 표준조항

(c) standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93(2);

[…]

제49조 GDPR. 특정 상항에 대한 적용의 일부 제외

Article 49 GDPR. Derogations for specific situations

1. 제4조 제3항의 적정성 결정이나 의무적 기업 규칙 등 제46조에 따른 적정한 안전조치가 없는 경우, 제3국이나 국제기구로의 개인정보 이전은 다음 각 호의 조건에 따라서만 가능하다.

1. In the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the following conditions:

[…]

정보의 이전이 의무적 기업 규칙에 대한 규정 등 제45조나 제46조의 규정을 근거로 할 수 없고, 본 항 (a)-(g)호에 따른 특정 상황에서의 일부 제외가 적용되지 않는 경우, 정보이전이 반복적이지 않고, 한정된 숫자의 정보주체에만 적용되고 정보주체의 이익이나 권리 및 자유가 우선하지 않는 한 컨트롤러의 정당한 이익의 목적에 필요하며, 컨트롤러가 정보이전과 관련한 일체의 정황을 평가한 후 그 결과를 토대로 개인정보 보호에 적절한 안전조치를 제시하는 경우에만 제3국이나 국제기구로의 정보이전이 가능하다. 컨트롤러는 정보이전 사실을 감독기관에 고지해야 한다. 제13조 및 제14조에 명시된 정보 제공 이외에도 컨트롤러는 해당 이전 및 본인의 설득력 있는 정당한 이익에 관한 정보를 정보주체에 고지해야 한다.

Where a transfer could not be based on a provision in Article 45 or 46, including the provisions on binding corporate rules, and none of the derogations for a specific situation referred to in the first subparagraph of this paragraph is applicable, a transfer to a third country or an international organisation may take place only if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data. The controller shall inform the supervisory authority of the transfer. The controller shall, in addition to providing the information referred to in Articles 13 and 14, inform the data subject of the transfer and on the compelling legitimate interests pursued.

[…]

2. 제1항의 정보와 함께, 컨트롤러는 개인정보가 입수될 때 공정하고 투명한 처리를 보장하는 데 필요한, 다음 각 호의 추가 정보를 정보주체에 제공해야 한다.

2. In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:

전문 (Recitals) 관련 교과서

전문 (Recitals)

(61) 정보주체에 관한 개인정보의 처리와 관련한 정보는 정보주체로부터 수집 당시 또는 제3의 출처로부터 정보가 수집된 경우 적절한 기간 내에, 해당 경우의 상황에 따라, 정보주체에 제공되어야 한다. 개인정보가 합법적으로 제3의 수령인에게 제공될 수 있는 경우, 해당 정보주체는 정보가 최초로 해당 수령인에게 제공될 시 이를 통지받아야 한다. 컨트롤러가 당초 수집 목적 외로 개인정보를 처리하려는 경우, 컨트롤러는 추가 처리에 앞서 정보주체에게 추가 목적에 대한 정보 및 기타 필요한 정보를 제공해야 한다. 다양한 출처의 활용으로 인해 정보주체에게 개인정보의 출처를 제공할 수 없는 경우, 일반적인 정보가 제공되어야 한다.

(61) The information in relation to the processing of personal data relating to the data subject should be given to him or her at the time of collection from the data subject, or, where the personal data are obtained from another source, within a reasonable period, depending on the circumstances of the case. Where personal data can be legitimately disclosed to another recipient, the data subject should be informed when the personal data are first disclosed to the recipient. Where the controller intends to process the personal data for a purpose other than that for which they were collected, the controller should provide the data subject prior to that further processing with information on that other purpose and other necessary information. Where the origin of the personal data cannot be provided to the data subject because various sources have been used, general information should be provided.

3.1 Transparency [24]

_{[24]Elaboration on how to understand the concept of transparency can be found in Article 29 Working Party. “Guidelines on transparency under Regulation 2016/679”. WP 260 rev.01, 11 April 2018. ec.europa.eu/newsroom/article29/document.cfm?action=display&doc_id=51025 – endorsed by the EDPB}

65. The controller must be clear and open with the data subject about how they will collect, use and share personal data. Transparency is about enabling data subjects to understand, and if necessary, make use of their rights in Articles 15 to 22. The principle is embedded in Articles 12, 13, 14 and 34. Measures and safeguards put in place to support the principle of transparency should also support the implementation of these Articles.

66. Key design and default elements for the principle of transparency may include:

•Clarity – Information shall be in clear and plain language, concise and intelligible.

•Semantics – Communication should have a clear meaning to the audience in question.

•Accessibility – Information shall be easily accessible for the data subject.

•Contextual – Information should be provided at the relevant time and in the appropriate form.

•Relevance – Information should be relevant and applicable to the specific data subject.

•Universal design – Information shall be accessible to all data subjects, include use of machine readable languages to facilitate and automate readability and clarity.

•Comprehensible – Data subjects should have a fair understanding of what they can expect with regards to the processing of their personal data, particularly when the data subjects are children or other vulnerable groups.

• Multi-channel – Information should be provided in different channels and media, not only the textual, to increase the probability for the information to effectively reach the data subject.

• Layered – The information should be layered in a manner that resolves the tension between completeness and understanding, while accounting for data subjects’ reasonable expectations.

(a) 개인정보의 보관기간, 또는 이것이 여의치 않을 경우, 해당 기간을 결정하는 데 사용하는 기준

(a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;

ISO 27701 지침 및 사례 법률

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph to article 13(2)(a) GDPR:

7.4.7 Retention

Control

The organization should not retain PII for longer than is necessary for the purposes for which the PII is processed.

Implementation guidance

The organization should develop and maintain retention schedules for information it retains, taking into account the requirement to retain PII for no longer than is necessary.

…

로그인
전체 텍스트에 액세스하려면

지침 및 사례 법률

(EN) Article 29 Working Party, Guidelines on transparency under Regulation 2016/679, WP260 rev.01 (2016):

This is linked to the data minimisation requirement in Article 5.1(c) and storage limitation requirement in Article 5.1(e). The storage period (or criteria to determine it) may be dictated by factors such as statutory requirements or industry guidelines but should be phrased in a way that allows the data subject to assess, on the basis of his or her own situation, what the retention period will be for specific data/ purposes. It is not sufficient for the data controller to generically state that personal data will be kept as long as necessary for the legitimate purposes of the processing. Where relevant, the different storage periods should be stipulated for different categories of personal data and/or different processing purposes, including where appropriate, archiving periods.

EDPB, Guidelines on the use of location data and contact tracing tools in the context of the COVID-19 outbreak (2020):

Storage limitation should consider the true needs and the medical relevance (this may include epidemiology-motivated considerations like the incubation period,etc.) and personal data should be kept only for the duration of the COVID-19 crisis. Afterwards,as a general rule,all personal data should be erased or anonymised.

(b) 컨트롤러에게 본인의 개인정보에 대한 열람, 정정, 삭제를 요구하거나 정보주체 본인에 관한 처리의 제한이나 반대를 요구할 권리, 그리고 본인의 개인정보를 이전할 수 있는 권리의 유무

(b) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;

ISO 27701 지침 및 사례 법률

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraphs to article 13(2)(b) GDPR:

7.3.5 Providing mechanism to object to PII processing

Control

The organization should provide a mechanism for PII principals to object to the processing of their PII.

Implementation guidance

Some jurisdictions provide PII principals with a right to object to the processing of their PII. Organizations subject to the legislation and/or regulation of such jurisdictions should ensure that they implement appropriate measures to enable PII principals to exercize this right.

…

로그인
전체 텍스트에 액세스하려면

지침 및 사례 법률

(EN) Article 29 Working Party, Guidelines on transparency under Regulation 2016/679, WP260 rev.01 (2016):

This information should be specific to the processing scenario and include a summary of what the right involves and how the data subject can take steps to exercise it and any limitations on the right. […] In particular, the right to object to processing must be explicitly brought to the data subject’s attention at the latest at the time of first communication with the data subject and must be presented clearly and separately from any other information.64 In relation to the right to portability, see WP29 Guidelines on the right to data portability.

(c) 해당 처리가 제6조(1)의 (a)호나 제9조(2)의 (a)호에 근거하는 경우, 철회 이전에 동의를 기반으로 하는 처리의 적법성에 영향을 주지 않고 언제든지 동의를 철회할 수 있는 권리의 유무

(c) where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;

ISO 27701 지침 및 사례 법률 관련 교과서

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph to article 13(2)(c) GDPR:

7.3.4 Providing mechanism to modify or withdraw consent

Control

The organization should provide a mechanism for PII principals to modify or withdraw their consent.

Implementation guidance

The organization should inform PII principals of their rights related to withdrawing consent (which may vary by jurisdiction) at any time, and provide the mechanism to do so.

…

로그인
전체 텍스트에 액세스하려면

지침 및 사례 법률

(EN) Article 29 Working Party, Guidelines on transparency under Regulation 2016/679, WP260 rev.01 (2016):

This information should include how consent may be withdrawn, taking into account that it should be as easy for a data subject to withdraw consent as to give it.

관련 교과서

제6조 GDPR. 처리의 적법성

Article 6 GDPR. Lawfulness of processing

처리의 적법성

Lawfulness of processing

1. 개인정보 처리는 적어도 다음 각 호의 하나에 해당되고 그 범위에서만 적법하다.

1. Processing shall be lawful only if and to the extent that at least one of the following applies:

(a) 정보주체가 하나 이상의 특정 목적에 대해 본인의 개인정보 처리를 동의한 경우

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

[…]

제9조 GDPR. 특별 범주의 개인정보의 처리

Article 9 GDPR. Processing of special categories of personal data

특별 범주의 개인정보의 처리

Processing of special categories of personal data

1. 인종 또는 민족, 정치적 견해, 종교적 또는 철학적 신념, 노동조합의 가입여부를 나타내는 개인정보의 처리와 유전자 정보, 자연인을 고유하게 식별할 목적의 생체정보, 건강정보, 성생활 또는 성적 취향에 관한 정보의 처리는 금지된다.

1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.

2. 다음 각 호의 하나에 해당하는 경우 제1항은 적용되지 않는다.

2. Paragraph 1 shall not apply if one of the following applies:

(a) 정보주체가 단일 또는 복수의 특정한 목적으로 특별 범주의 개인정보를 처리하는 데 명백한 동의를 제공한 경우. 단, 유럽연합 또는 회원국 법률이 정보주체가 제1항의 금지조항을 무효화할 수 없다고 명시적으로 규정하는 경우는 제외된다.

(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;

[…]

제7조 GDPR. 동의의 조건

Article 7 GDPR. Conditions for consent

동의의 조건

Conditions for consent

[…]

3. 정보주체는 언제든지 본인의 동의를 철회할 권리를 가진다. 동의의 철회는 철회 이전에 동의를 기반으로 한 처리의 적법성에 영향을 미치지 않는다. 정보주체는 동의를 제공하기 전에 이 사실에 대해 고지 받아야 한다. 동의의 철회는 동의의 제공만큼 용이해야 한다.

3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.

[…]

Guidelines 4/2019 on Article 25 Data Protection by Design and by Default Version 2.0.

3.2 Lawfulness

67. The controller must identify a valid legal basis for the processing of personal data. Measures and safeguards should support the requirement to make sure that the whole processing lifecycle is in line with the relevant legal grounds of processing.

(d) 감독기관에 민원을 제기할 수 있는 권리

(d) the right to lodge a complaint with a supervisory authority;

지침 및 사례 법률 관련 교과서

지침 및 사례 법률

(EN) Article 29 Working Party, Guidelines on transparency under Regulation 2016/679, WP260 rev.01 (2016):

This information should explain that, in accordance with Article 77, a data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or of an alleged infringement of the GDPR.

관련 교과서

제77조 GDPR. 감독기관에 민원을 제기할 권리

Article 77 GDPR. Right to lodge a complaint with a supervisory authority

감독기관에 민원을 제기할 권리

Right to lodge a complaint with a supervisory authority

1. 다른 행정적 또는 법적 구제책을 침해하지 아니하여, 모든 정보주체는 본인에 관한 개인정보의 처리가 본 규정을 침해한다고 판단될 경우 특히 거주지, 근무지 또는 침해 발생 의혹이 있는 장소가 소재한 회원국의 감독기관에 민원을 제기할 권리가 있다.

1. Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.

2. 민원을 접수한 감독기관은 제78조에 의거한 법적 구제책의 가능성 등 민원 처리 경과 및 결과를 민원인에게 통보해야 한다.

2. The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78.

(e) 개인정보의 제공이 법정 또는 계약상의 요건이거나 계약 체결에 필요한 요건인지의 여부 및 정보주체가 개인정보를 제공할 의무가 있는지의 여부, 그리고 해당 정보를 제공하지 않을 경우 발생할 수 있는 결과

(e) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;

지침 및 사례 법률

(EN) Article 29 Working Party, Guidelines on transparency under Regulation 2016/679, WP260 rev.01 (2016):

For example in an employment context, it may be a contractual requirement to provide certain information to a current or prospective employer. Online forms should clearly identify which fields are “required”, which are not, and what will be the consequences of not filling in the required fields.

(f) 제22조(1) 및 (4)에 규정된 프로파일링 등, 자동화된 의사결정의 유무. 최소한 이 경우, 관련 논리에 관한 유의미한 정보와 그 같은 처리가 정보주체에 미치는 중대성 및 예상되는 결과

(f) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

ISO 27701 지침 및 사례 법률 관련 교과서

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph to article 13(2)(f) GDPR:

7.3.10 Automated decision making

Control

The organization should identify and address obligations, including legal obligations, to the PII principals resulting from decisions made by the organization which are related to the PII principal based solely on automated processing of PII.

…

로그인
전체 텍스트에 액세스하려면

지침 및 사례 법률

(EN) Article 29 Working Party, Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 (wp251rev.01) (2018):

Given the core principle of transparency underpinning the GDPR, controllers must ensure they explain clearly and simply to individuals how the profiling or automated decision-making process works.
In particular, where the processing involves profiling-based decision making (irrespective of whether it is caught by Article 22 provisions), then the fact that the processing is for the purposes of both (a) profiling and (b) making a decision based on the profile generated, must be made clear to the data subject.

Recital 60 states that giving information about profiling is part of the controller’s transparency obligations under Article 5(1) (a). The data subject has a right to be informed by the controller about and, in certain circumstances, a right to object to ‘profiling’, regardless of whether solely automated individual decision-making based on profiling takes place.

EDPB, Guidelines 8/2020 on the targeting of social media users (2020).

관련 교과서

제22조 GDPR. 프로파일링 등 자동화된 개별 의사결정

Article 22 GDPR. Automated individual decision-making, including profiling

1. 정보주체는 프로파일링 등, 본인에 관한 법적 효력을 초래하거나 이와 유사하게 본인에게 중대한 영향을 미치는 자동화된 처리에만 의존하는 결정의 적용을 받지 않을 권리를 가진다.

1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

[…]

4. 제2항의 결정은 제9조(2)의 (a)호와 (g)호가 적용되고, 정보주체의 권리와 자유 및 정당한 이익을 보호하는 적절한 조치가 갖추어진 경우가 아니라면 제9조(1)의 특별 범주의 개인정보를 근거로 해서는 안 된다.

4. Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place.

3. 컨트롤러가 개인정보를 수집한 목적 외로 추가 처리할 예정인 경우, 컨트롤러는 추가 처리 이전에, 정보주체에게 해당하는 기타 목적에 관한 정보와 제2항의 관련 추가 정보 일체를 제공해야 한다.

3. Where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2.

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph to article 13(3) GDPR:

7.3.3 Providing information to PII principals

Control

The organization should provide PII principals with clear and easily accessible information identifying the PII controller and describing the processing of their PII.

Implementation guidance

The organization should provide the information detailed in 7.3.2 to PII principals in a timely, concise, complete, transparent, intelligible and easily accessible form, using clear and plain language, as appropriate to the target audience.

…

로그인
전체 텍스트에 액세스하려면

4. 정보주체가 이미 관련 정보를 보유하고 있는 경우, 제1항, 제2항 및 제3항은 적용되지 않는다.

4. Paragraphs 1, 2 and 3 shall not apply where and insofar as the data subject already has the information.

유럽연합 일반 데이터 보호 규칙(EU GDPR)

Source: http://www.pipc.go.kr/cmt/not/ntc/selectBoardArticle.do?nttId=5969&bbsId=BBSMSTR_000000000121&bbsTyCode=BBST03&bbsAttrbCode=BBSA03&authFlag=Y&pageIndex=6

General Data Protection Regulation (EU GDPR)

The latest consolidated version of the Regulation with corrections by Corrigendum, OJ L 127, 23.5.2018, p. 2 ((EU) 2016/679). Source: EUR-lex.

전문가 해설 ISO 27701 전문 (Recitals) 지침 및 사례 법률 코멘트를 남겨주세요

전문가 해설

(EN) To facilitate the work of our consultants, we have collected all the requirements and information that have to be mentioned and created a convenient checklist. Next to each paragraph, we have placed links to specific GDPR articles and guidelines. We grouped all the information into 7 sections:

Controller’s identity
Purpose and lawful basis for processing
Personal data
Transfers of data to third countries
Rights
Changes (in privacy notices)
Form (of information provided)

It looks like this:

…

로그인
전체 텍스트에 액세스하려면

(EN) Author

(EN) Siarhei Varankevich CIPP/E, CIPM, CIPT, MBA, FIP

(EN) Co-Founder & CEO of Data Privacy Office LLC. Data Protection Trainer and Principal Consultant

(EN) Ask a question

(EN)

Data Subject Request Letter Sample

Concern: Request of information regarding my personal data

Dear Madam, Dear Sir,

I have a right to be informed, under Article 13 of the General Data Protection Regulation (GDPR), about personal data concerning me that you are processing…

…

로그인
전체 텍스트에 액세스하려면

(EN) Author

(EN) Louis-Philippe Gratton PhD, LLM

(EN) Privacy Expert

(EN) Ask a question

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph to article 13 GDPR:

7.3.2 Determining information for PII principals

Control

The organization should determine and document the information to be provided to PII principals regarding the processing of their PII and the timing of such a provision.

Implementation guidance

The organization should determine the legal, regulatory and/or business requirements for when information is to be provided to the PII principal (e.g. prior to processing, within a certain time from when it is requested, etc.) and for the type of information to be provided.

…

로그인
전체 텍스트에 액세스하려면

전문 (Recitals)

(62) 그러나 정보주체가 이미 해당 정보를 보유하고 있는 경우, 법률이 해당 개인정보의 기록 또는 제공을 명백히 규정한 경우, 또는 정보주체에 해당 정보를 제공하는 것이 불가능하다고 입증되거나 비례하지 않는 노력을 요하는 경우에는 정보 제공의 의무를 부과할 필요가 없다. 후자는 특히 공익적 기록보존 목적, 과학적 또는 역사적 연구 목적, 또는 통계 목적으로 처리가 실시되는 경우가 해당될 수 있다. 이와 관련해 정보주체의 수, 해당 개인정보의 생성시점 및 채택된 모든 적절한 안전장치가 고려되어야 한다.

(62) However, it is not necessary to impose the obligation to provide information where the data subject already possesses the information, where the recording or disclosure of the personal data is expressly laid down by law or where the provision of information to the data subject proves to be impossible or would involve a disproportionate effort. The latter could in particular be the case where processing is carried out for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. In that regard, the number of data subjects, the age of the data and any appropriate safeguards adopted should be taken into consideration.

(63) 정보주체는 처리의 적법성을 인지하고 검증하기 위해 본인에 관해 수집된 개인정보를 열람하고 그 권리를 용이하게, 그리고 적절한 시간 간격으로 행사할 권리를 가진다. 권리를 가진다. 정보주체가 진단, 검사 결과, 의료진의 평가, 제공된 치료나 조치 등의 정보가 포함된 의료 기록상의 데이터 등 본인의 권강에 관한 데이터를 열람할 권리도 이에 포함된다. 따라서 모든 정보주체는 특히 개인정보가 처리되는 목적, 가능한 경우 처리기간, 개인정보의 수령인, 개인정보 자동 처리에 수반되는 논리, 처리가 프로파일링을 근거로 할 시 최소한 그 처리 결과에 대해 알고 전달(통지)받을 권리를 가진다. 가능한 경우, 컨트롤러는 보안시스템에 대한 원격 접속을 가능하게 하여 정보주체가 본인의 개인정보를 직접 열람하게 할 수 있다. 그 권리가 거래 기밀이나 지적재산권, 그리고 특히 소프트웨어 보호 저작권 등 타인의 권리와 자유에 악영향을 끼쳐서는 안 된다. 그러나 상기 사항을 고려함으로 인해 정보주체에게 일체의 정보를 제공하는 것이 거부되어서는 안 된다. 컨트롤러가 정보주체에 관한 대량의 정보를 처리하는 경우, 컨트롤러는 그 정보를 전달하기 전에 정보주체가 해당 요청에 관련된 정보 또는 처리 활동을 명시하도록 요구할 수 있다.

(63) A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing. This includes the right for data subjects to have access to data concerning their health, for example the data in their medical records containing information such as diagnoses, examination results, assessments by treating physicians and any treatment or interventions provided. Every data subject should therefore have the right to know and obtain communication in particular with regard to the purposes for which the personal data are processed, where possible the period for which the personal data are processed, the recipients of the personal data, the logic involved in any automatic personal data processing and, at least when based on profiling, the consequences of such processing. Where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data. That right should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software. However, the result of those considerations should not be a refusal to provide all information to the data subject. Where the controller processes a large quantity of information concerning the data subject, the controller should be able to request that, before the information is delivered, the data subject specify the information or processing activities to which the request relates.

지침 및 사례 법률

(EN)