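2. In the cases referred to in paragraph 1 of this Article, where the controller is able to demonstrate that it is not in a position to identify the data subject, Articles 15 to 20 shall not apply. The exception is where the data subject, for the purpose of exercising his or her rights under those articles, provides additional information enabling his or her identification.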
(EN) ISO/IEC 27701, adopted in 2019, added further ISO/IEC 27002 guidance for PII controllers.
Here are the relevant paragraphs for Article 11(2) GDPR:
7.3.2 Determining information for PII principals
The organization should determine and document the information to be provided to PII principals regarding the processing of their PII and the timing of such a provision.
Implementation guidance
The organization should determine the legal, regulatory and/or business requirements for when information is to be provided to the PII principal (e.g. prior to processing, within a certain time from when it is requested, etc.) and for the type of information to be provided.
Depending on the requirements, the information can take the form of a notice. Examples of types of information that can be provided to PII principals are:
Source: http://www.pipc.go.kr/cmt/not/ntc/selectBoardArticle.do?nttId=5969&bbsId=BBSMSTR_000000000121&bbsTyCode=BBST03&bbsAttrbCode=BBSA03&authFlag=Y&pageIndex=6
(EN) ISO/IEC 27701, adopted in 2019, added further ISO/IEC 27002 guidance for PII controllers.
Here is the relevant paragraph for Article 11(1) GDPR:
7.4.5 PII de-identification and deletion at the end of processing
The organization should either delete PII or render it in a form which does not permit identification or re-identification of PII principals, as soon as the original PII is no longer necessary for the identified purpose(s).