Expertkommentarer
Skälen
(78) 關於個人資料處理之權利及自由保護必須採取適當之科技化且 有組織的措施,以確保符合本規則之要求。為了得以證明符合本規則, 控管者應採取符合特別是設計與預設資料保護原則之內部規則與執 行措施。該等措施得包括但不限於個人資料處理之最小化、盡可能將 個人資料予以假名化、個人資料之處理與作用予以透明化、使資料主 體得以監控該資料處理、使控管者得以創造與提升安全功能。在開發、 設計及選用處理個人資料或透過處理個人資料完成其任務之應用程 式、服務與產品時,產品、服務與應用程式之製造者應被鼓勵在開發 與設計此類產品、應用程式時將資料保護權納入考量,並在考慮適當 之技術狀態下,確保控管者和處理者得以完成其資料保護之義務。在 公開招標之過程中,設計與預設資料保護原則亦應納入考量。
Riktlinjer & Case Law
(EN)
Documents
WP29, Opinion 05/2014 on Anonymisation Techniques (2014).
WP29, Opinion on data processing at work (2017).
Spanish Data Protection Agency (AEPD), A Guide to Privacy by Design (2019).
EDPB, Guidelines 4/2019 on Article 25 – Data Protection by Design and by Default (2020):
Data protection by design must be implemented both at the time of determining the means of processing and at the time of processing itself. It is at the time of determining the means of processing that controllers shall implement measures and safeguards designed to effectively implement the data protection principles. To ensure effective data protection at the time of processing, the controller must regularly review the effectiveness of the chosen measures and safeguards. The EDPB encourages early consideration of data protection by design when planning a new processing operation.
EDPB, Guidelines on the use of location data and contact tracing tools in the context of the COVID-19 outbreak (2020).
EDPB, Guidelines 3/2019 on Processing of Personal Data through Video Devices (2020).
Spanish Data Protection Agency (AEPD), Guidelines for DataProtection by Default (2020).
Information Commissioner’s Office, Right of Access (2020).
EDPB, Guidelines 01/2021 on Examples regarding Data Breach Notification (2021).
EDPB, Guidelines 02/2021 on Virtual Voice Assistants (2021).
Case Law
ICO, ICO fines Ticketmaster UK Limited £1.25million for failing to protect customers’ payment details (2020).
(EN) ISO/IEC 27701, adopted in 2019, added a requirement additional to ISO/IEC 27002, section 14.2.1.
Here is the relevant paragraphs to article 25(1) GDPR:
6.11.2.1 Secure development policy
Implementation guidance
Policies for system development and design should include guidance for the organization’s processing of PII needs, based on obligations to PII principals and/or any applicable legislation and/or regulation and the types of processing performed by the organization. Clauses 7 and 8 provide control considerations for processing of PII, which can be useful in developing policies for privacy in systems design.
…
Logga in
för att komma åt hela textenу