
Article 18 GDPR. Right to restriction of processing

1. The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

Expert commentary
Author: Siarhei Varankevich CIPP/E, CIPM, CIPT, MBA, FIP
Co-Founder & CEO of Data Privacy Office LLC. Data Protection Trainer and Principal Consultant

(a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;

(b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

(c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;

(d) the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.

2. Where processing has been restricted under paragraph 1, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

ISO 27701

ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph to article 18(2) GDPR:

7.2.2 Identify lawful basis

Control

The organization should determine, document and comply with the relevant lawful basis for the processing of PII for the identified purposes.

Implementation guidance

Some jurisdictions require the organization to be able to demonstrate that the lawfulness of processing was duly established before the processing.


3. A data subject who has obtained restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction of processing is lifted.

ISO 27701

Here is the relevant paragraph to article 18(3) GDPR:

7.3.2 Determining information for PII principals

Control

The organization should determine and document the information to be provided to PII principals regarding the processing of their PII and the timing of such a provision.

Implementation guidance

The organization should determine the legal, regulatory and/or business requirements for when information is to be provided to the PII principal (e.g. prior to processing, within a certain time from when it is requested, etc.) and for the type of information to be provided.


Expert commentary

The right to restriction of processing is one of the eight rights granted by the GDPR, but it is not the easiest one to understand at first glance. It can be summed up as an obligation on behalf of the controller to retain data, but they can neither be processed in any other manner nor modified…


Author: Louis-Philippe Gratton PhD, LLM, Privacy Expert

Data Subject Request Letter Sample

Concern: Request to restrict the processing of my personal data

Dear Madam, Dear Sir,

I am entitled to ask you to restrict the processing of my personal data under Article 18(1) of the General Data Protection Regulation (GDPR)…


Author: Louis-Philippe Gratton PhD, LLM, Privacy Expert

ISO 27701

Here is the relevant paragraph to article 18 GDPR:

7.3.4 Providing mechanism to modify or withdraw consent

Control

The organization should provide a mechanism for PII principals to modify or withdraw their consent.

Implementation guidance

The organization should inform PII principals of their rights related to withdrawing consent (which may vary by jurisdiction) at any time, and provide the mechanism to do so.


Recitals

(67) Methods by which to restrict the processing of personal data could include, inter alia, temporarily moving the selected data to another processing system, making the selected personal data unavailable to users, or temporarily removing published data from a website. In automated filing systems, the restriction of processing should in principle be ensured by technical means in such a manner that the personal data are not subject to further processing operations and cannot be changed. The fact that the processing of personal data is restricted should be clearly indicated in the system.
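
One way to enforce Recital 67 by technical means in a relational store, as an added example that is not part of the Regulation or of the commentary on this page: a restriction flag marks the record, triggers refuse changes and erasure while it is set, routine processing reads a view that hides restricted rows, and the flag can be cleared only after the notice required by Article 18(3) is recorded. The table, column and trigger names are assumptions, the rows are constructed, and the Article 18(2) exceptions (consent, legal claims) are not modelled.

```python
import sqlite3

# Constructed schema; table and column names are assumptions for illustration.
SCHEMA = """
CREATE TABLE customer (
    id INTEGER PRIMARY KEY,
    email TEXT NOT NULL,
    restricted INTEGER NOT NULL DEFAULT 0,      -- restriction clearly indicated
    restriction_ground TEXT,                    -- e.g. '18(1)(a)'
    subject_informed INTEGER NOT NULL DEFAULT 0 -- notice recorded before lifting
);
-- Restricted personal data cannot be changed.
CREATE TRIGGER no_change BEFORE UPDATE OF email ON customer
WHEN OLD.restricted = 1
BEGIN SELECT RAISE(ABORT, 'processing restricted'); END;
-- Storage continues: restricted rows cannot be erased either.
CREATE TRIGGER no_erase BEFORE DELETE ON customer
WHEN OLD.restricted = 1
BEGIN SELECT RAISE(ABORT, 'processing restricted'); END;
-- Article 18(3): the data subject is informed before the restriction is lifted.
CREATE TRIGGER no_silent_lift BEFORE UPDATE OF restricted ON customer
WHEN OLD.restricted = 1 AND NEW.restricted = 0 AND OLD.subject_informed = 0
BEGIN SELECT RAISE(ABORT, 'inform data subject first'); END;
-- Routine processing reads only this view, so restricted rows are unavailable.
CREATE VIEW customer_processing AS
    SELECT id, email FROM customer WHERE restricted = 0;
"""

def attempt(db, sql):
    """Return True if the statement was applied, False if a trigger refused it."""
    try:
        db.execute(sql)
        return True
    except sqlite3.DatabaseError:
        return False

def visible_ids(db):
    """IDs that routine processing can see through the view."""
    return [r[0] for r in db.execute("SELECT id FROM customer_processing ORDER BY id")]

def setup():
    """Two constructed records; record 1 is restricted on ground 18(1)(a)."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO customer (id, email) VALUES "
               "(1, 'a@example.test'), (2, 'b@example.test')")
    db.execute("UPDATE customer SET restricted = 1, "
               "restriction_ground = '18(1)(a)' WHERE id = 1")
    return db
```
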
