(111) 於資料主體已明確同意時,以及於移轉基於契約或法律上主張 之必要而不具經常性時,不問係於訴訟、行政程序或任何法庭外程序, 包括管制機構前之程序,關於特定情況下移轉資料有其可能性之規定 應予制定。在基於歐盟法或會員國法所訂定之重要公益理由要求時, 或該移轉係來自法定登記且係為公眾或具正當利益之私人進行查詢 時,關於移轉資料有其可能性之規定亦應予制定。在後者之情形,該 移轉不應涵蓋全部之個人資料或該登記所涉及之全類別所含之全部 資料,且當該登記係為有正當利益之私人進行查詢時,移轉應僅在其 請求下進行,或若其為接收者,應完整考量資料主體之利益與基本 權。
(111) Provisions should be made for the possibility for transfers in certain circumstances where the data subject has given his or her explicit consent, where the transfer is occasional and necessary in relation to a contract or a legal claim, regardless of whether in a judicial procedure or whether in an administrative or any out-of-court procedure, including procedures before regulatory bodies. Provision should also be made for the possibility for transfers where important grounds of public interest laid down by Union or Member State law so require or where the transfer is made from a register established by law and intended for consultation by the public or persons having a legitimate interest. In the latter case, such a transfer should not involve the entirety of the personal data or entire categories of the data contained in the register and, when the register is intended for consultation by persons having a legitimate interest, the transfer should be made only at the request of those persons or, if they are to be the recipients, taking into full account the interests and fundamental rights of the data subject.
(112) 該等例外尤應適用於受要求且基於公共利益之重要理由而有 必要之資料移轉,例如國際間主管機關、稅務或關務機關間、金融監 管機關之間、社會安全或公共衛生服務專責機關間之資料交換;例如 傳染病之接觸追蹤或為了降低並/或消除藥物濫用之情形。若資料主 體無法給予同意,於有必要保護資料主體之重要利益或其他人之重要 利益,包括身體完整性或生命時,個人資料之移轉亦應被視為合法。 在欠缺有充足保護程度之決定時,歐盟法或會員國法可能基於公共利 益之重要理由,明確限制特定類別之資料移轉至第三國或國際組織。 會員國應向執委會通知此種規定。任何於資料主體身體上或法律上無 能力給予同意下所為之個人資料移轉至國際人道組織,按照完成目前 在日內瓦公約之任務或遵循於武裝衝突時所適用之國際人道法的觀 點,可以被視為必要的公共利益之重要理由或因為其屬於資料主體之 重要利益。
(112) Those derogations should in particular apply to data transfers required and necessary for important reasons of public interest, for example in cases of international data exchange between competition authorities, tax or customs administrations, between financial supervisory authorities, between services competent for social security matters, or for public health, for example in the case of contact tracing for contagious diseases or in order to reduce and/or eliminate doping in sport. A transfer of personal data should also be regarded as lawful where it is necessary to protect an interest which is essential for the data subject's or another person's vital interests, including physical integrity or life, if the data subject is incapable of giving consent. In the absence of an adequacy decision, Union or Member State law may, for important reasons of public interest, expressly set limits to the transfer of specific categories of data to a third country or an international organisation. Member States should notify such provisions to the Commission. Any transfer to an international humanitarian organisation of personal data of a data subject who is physically or legally incapable of giving consent, with a view to accomplishing a task incumbent under the Geneva Conventions or to complying with international humanitarian law applicable in armed conflicts, could be considered to be necessary for an important reason of public interest or because it is in the vital interest of the data subject.
(113) 當移轉係控管者為實現重大正當利益,且該利益並未劣後於資 料主體之利益或權利及自由,並且該控管者已評估有關該資料移轉之 所有情況者,合乎不具反覆性且僅涉及有限人數之資料主體之移轉亦 屬可行。該控管者應特別考量個人資料之性質、所提議單一或多個處 理活動之目的及持續期間以及起源國、第三國與最終目的地國之狀況, 且應就該等個人資料處理提供適當保護措施,以確保當事人之基本權 及自由。該等資料移轉應僅在其無其他得適用之合法性基礎之其餘案 例上始有適用之可能。為科學或歷史研究目的或統計目的,社會知識 增長之合理期待應被納入考量。控管者應將該移轉通知監管機關及資 料主體。
(113) Transfers which can be qualified as not repetitive and that only concern a limited number of data subjects, could also be possible for the purposes of the compelling legitimate interests pursued by the controller, when those interests are not overridden by the interests or rights and freedoms of the data subject and when the controller has assessed all the circumstances surrounding the data transfer. The controller should give particular consideration to the nature of the personal data, the purpose and duration of the proposed processing operation or operations, as well as the situation in the country of origin, the third country and the country of final destination, and should provide suitable safeguards to protect fundamental rights and freedoms of natural persons with regard to the processing of their personal data. Such transfers should be possible only in residual cases where none of the other grounds for transfer are applicable. For scientific or historical research purposes or statistical purposes, the legitimate expectations of society for an increase of knowledge should be taken into consideration. The controller should inform the supervisory authority and the data subject about the transfer.
(114) 在任何情況下,於執委會尚未作成第三國關於資料處理有充足 保護程度之決定時,一旦在歐盟境內所處理之資料已被移轉,控管者 或處理者應設法提供資料主體可實現且有效之權利,使其等能繼續享 有基本權及保護措施之利益。
(114) In any case, where the Commission has taken no decision on the adequate level of data protection in a third country, the controller or processor should make use of solutions that provide data subjects with enforceable and effective rights as regards the processing of their data in the Union once those data have been transferred so that that they will continue to benefit from fundamental rights and safeguards.
(115) 有些第三國會採用旨在直接規範個人或法人在會員國管轄權 內所為處理活動之法律、規則或其他法令。此可能包括第三國之法院 或法庭之判決或行政機關之決定要求控管者或處理者移轉或揭露個 人資料,而其並非基於如司法互助條約等在要求資料之第三國與歐盟 或會員國間之國際協議。該等法律、規則及其他法令對於治外法權之 適用可能違反國際法,且可能妨礙本規則達成對個人在歐盟之保護。 移轉應僅得在本規則對於移轉至第三國所規定之條件皆成就時始被 允許。此包括但不限於發生在揭露係基於歐盟法或會員國法所承認之 公共利益的重要理由而控管者受該法之拘束且有必要之情形。
(115) Some third countries adopt laws, regulations and other legal acts which purport to directly regulate the processing activities of natural and legal persons under the jurisdiction of the Member States. This may include judgments of courts or tribunals or decisions of administrative authorities in third countries requiring a controller or processor to transfer or disclose personal data, and which are not based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State. The extraterritorial application of those laws, regulations and other legal acts may be in breach of international law and may impede the attainment of the protection of natural persons ensured in the Union by this Regulation. Transfers should only be allowed where the conditions of this Regulation for a transfer to third countries are met. This may be the case, inter alia, where disclosure is necessary for an important ground of public interest recognised in Union or Member State law to which the controller is subject.
(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.
Here is the relevant paragraph to article 49 GDPR:
7.5.1 Identify basis for PII transfer between jurisdictions
Control
The organization should identify and document the relevant basis for transfers of PII between jurisdictions.
Implementation guidance
PII transfer can be subject to legislation and/or regulation depending on the jurisdiction or international organization to which data is to be transferred (and from where it originates).
(EN) […]
(EN) Sign in
to read the full text