... (46) 為保護資料主體或他人生活中之重大利益所必要者,個人資料 之處理亦應被認定為合法。基於他人重大利益所為之個人資料處理, 原則上僅有當該處理明顯無法基於其他法律依據為之者始得為之。有 些處理類型得同時符合公共利益及資料主體重大利益之兩項重要理 由,舉例而言,當個人資料之處理係基於人道目的所必要者,包括監 測傳染病及其蔓延或人道救援之情況,特別是天災人禍之情形。 ...
... (46) The processing of personal data should also be regarded to be lawful where it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person. Processing of personal data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis. Some types of processing may serve both important grounds of public interest and the vital interests of the data subject as for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread or in situations of humanitarian emergencies, in particular in situations of natural and man-made disasters. ...
... (45) 個人資料處理係基於控管者為遵守其法定義務所為,或係基於 公共利益為履行任務所必要,或係公務機關行使公權力所必要者,該 處理應具備歐盟法或會員國法之依據。本規則不要求就每一個別之處 理定有具體法律規定。就控管者為遵守其法定義務所為、因公共利益 為履行任務所必要或公務機關行使公權力所必要之數個處理方式明 定其所依據之法律,可謂充分。其亦應由歐盟法或會員國法決定處理 之目的。此外,該法得具體化規定本規則關於個人資料處理之合法性 規範的一般條款、建構控管者之決定性標準、個人資料處理所涉個人 資料之類型、相關個人資料主體、得向其揭露個人資料之實體、限制 之目的、儲存期間及用以確保處理合法性與公正性之其他措施。歐盟 法或會員國法亦應決定,為公共利益執行任務或行使公權力之控管者 是否為公務機關或其他受公法所規範之個人或法人,或於其為公共利 益所為之者時,是否包括為了如公眾健康與社會保障及健康照顧服務 之管理等健康目的者、或依私法者,如職業工會。 ...
... (45) Where processing is carried out in accordance with a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, the processing should have a basis in Union or Member State law. This Regulation does not require a specific law for each individual processing. A law as a basis for several processing operations based on a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of an official authority may be sufficient. It should also be for Union or Member State law to determine the purpose of processing. Furthermore, that law could specify the general conditions of this Regulation governing the lawfulness of personal data processing, establish specifications for determining the controller, the type of personal data which are subject to the processing, the data subjects concerned, the entities to which the personal data may be disclosed, the purpose limitations, the storage period and other measures to ensure lawful and fair processing. It should also be for Union or Member State law to determine whether the controller performing a task carried out in the public interest or in the exercise of official authority should be a public authority or another natural or legal person governed by public law, or, where it is in the public interest to do so, including for health purposes such as public health and social protection and the management of health care services, by private law, such as a professional association. ...
... (g) 尊重資料保護之實質權利,並提供適當及具體之保護措施,以保 護資料主體之基本權及利益,而基於歐盟法或會員國法律且與所追求 目的合比例性之重大公共利益之理由所必要之處理; ...
... (g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject; ...
... 凡經資料主體之同意或係歐盟法或會員國法所定於民主社會中用以 確保特別如一般公眾利益之重要目的所必要且成比例之措施者,不問 目的間之兼容性,進階處理個人資料應予允許。在任何情況下,本規 則所定原則之適用及特別是關於其他目的所知之資料主體之資訊及 其包括拒絕權等權利均應予確保。由控管者指出可能之犯罪行為或對 於公共安全之威脅,以及將特定案件或相同犯罪行為之相關案件或造 成公共安全威脅所涉及之相關個人資料傳輸予主管機關,應被認定係 控管者所作為之正當利益。惟如進階處理未遵守法定、專業或其他有 拘束力之保密義務者,控管者基於正當利益所為之傳輸或進階處理應 予禁止。 ...
... Where the data subject has given consent or the processing is based on Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard, in particular, important objectives of general public interest, the controller should be allowed to further process the personal data irrespective of the compatibility of the purposes. In any case, the application of the principles set out in this Regulation and in particular the information of the data subject on those other purposes and on his or her rights including the right to object, should be ensured. Indicating possible criminal acts or threats to public security by the controller and transmitting the relevant personal data in individual cases or in several cases relating to the same criminal act or threats to public security to a competent authority should be regarded as being in the legitimate interest pursued by the controller. However, such transmission in the legitimate interest of the controller or further processing of personal data should be prohibited if the processing is not compatible with a legal, professional or other binding obligation of secrecy. ...
... (156) 為符合公共利益、達成科學或歷史研究目的或統計目的所為個 人資料之處理應受本規則為資料主體之權利或自由所定適當保護措 施之拘束。該等保護措施應確保已備妥技術上及組織上之措施,用以 確保,特別是資料最少蒐集原則之落實。為符合公共利益、達成科學 或歷史研究目的或統計目的,當控管者已評估實現該等目的之可行性, 且藉由不允許或不再允許識別資料主體為該處理,並有適當的保護措 施存在(例如,資料之假名化)時,個人資料將得進行進階處理。會 員國對於為達成公共利益目的之個人資料處理,應提供適當之保護措施。在進行符合公共利益、達成科學或歷史研究目的或統計目的之個 人資料處理時,會員國在符合特定條件且有提供資料主體適當保護措 施時,應有權具體化及除外化關於資訊之要求,以及關於更正、刪除、 被遺忘、限制處理、資料可攜性及拒絕之權利。若依照特定資料處理 所追求之目的為適當,且其技術上及組織上之措施係為落實適當性及 必要性原則而減少個人資料處理時,其條件及保護措施可能需要有特 定程序使資料主體得行使該等權利。為科學目的之個人資料處理亦應 遵守其他相關之法規,例如對於臨床試驗之規範。 ...
... (156) The processing of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes should be subject to appropriate safeguards for the rights and freedoms of the data subject pursuant to this Regulation. Those safeguards should ensure that technical and organisational measures are in place in order to ensure, in particular, the principle of data minimisation. The further processing of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes is to be carried out when the controller has assessed the feasibility to fulfil those purposes by processing data which do not permit or no longer permit the identification of data subjects, provided that appropriate safeguards exist (such as, for instance, pseudonymisation of the data). Member States should provide for appropriate safeguards for the processing of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. Member States should be authorised to provide, under specific conditions and subject to appropriate safeguards for data subjects, specifications and derogations with regard to the information requirements and rights to rectification, to erasure, to be forgotten, to restriction of processing, to data portability, and to object when processing personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. The conditions and safeguards in question may entail specific procedures for data subjects to exercise those rights if this is appropriate in the light of the purposes sought by the specific processing along with technical and organisational measures aimed at minimising the processing of personal data in pursuance of the proportionality and necessity principles. The processing of personal data for scientific purposes should also comply with other relevant legislation such as on clinical trials. ...
... (65) 資料主體應有更正其個人資料之權利、以及當資料保存違反規 範控管者之本規則、歐盟法或會員國法時應有「被遺忘權」。尤其, 資料主體應享有刪除其個人資料之權利,並於該個人資料就資料蒐集 或另為處理之目的已無必要時、於資料主體已撤回其同意或拒絕其個 人資料之處理時、或於其個人資料處理違反本規則時,資料主體應享有請求不再處理其個人資料之權利。該權利尤其涉及該資料主體於兒 童時期所為同意且未完整理解該處理存在之風險,爾後希望移除其個 人資料(特別是網路上資料)之情形。不問其是否仍為兒童,資料主 體應得行使該權利。然而,為了表意自由權之行使、法律義務之遵守、 符合公共利益之職務執行、或委託控管者行使公權力所必須者、在公 共衛生領域上之公共利益的理由、為了實現公共利益、科學或歷史研 究目的或統計目的時、或為了建立、行使或防禦法律上主張時,於必 要範圍內進一步保留個人資料應屬合法。 ...
... (65) A data subject should have the right to have personal data concerning him or her rectified and a ‘right to be forgotten’ where the retention of such data infringes this Regulation or Union or Member State law to which the controller is subject. In particular, a data subject should have the right to have his or her personal data erased and no longer processed where the personal data are no longer necessary in relation to the purposes for which they are collected or otherwise processed, where a data subject has withdrawn his or her consent or objects to the processing of personal data concerning him or her, or where the processing of his or her personal data does not otherwise comply with this Regulation. That right is relevant in particular where the data subject has given his or her consent as a child and is not fully aware of the risks involved by the processing, and later wants to remove such personal data, especially on the internet. The data subject should be able to exercise that right notwithstanding the fact that he or she is no longer a child. However, the further retention of the personal data should be lawful where it is necessary, for exercising the right of freedom of expression and information, for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, on the grounds of public interest in the area of public health, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or for the establishment, exercise or defence of legal claims. ...
... (158) 當個人資料處理係為達成某些目的,本規則亦應適用於該處理, 惟須特別注意本規則不應適用於死者。依照歐盟法或會員國法,持有 公共利益紀錄之公務機關或公務機構或私人應有提供服務之法律義 務,亦即有義務取得、保存、評估、安排、描述、溝通、促進、宣傳 及提供對於一般公共利益有持久價值之記錄的存取。會員國亦應被授 權規範為達成某些目的所為個人資料之進階處理,例如規範在早期極 權主義國家政權、種族滅絕、納粹大屠殺等違反人類罪、或戰爭罪之 下的政治行為之相關特定資訊。 ...
... (158) Where personal data are processed for archiving purposes, this Regulation should also apply to that processing, bearing in mind that this Regulation should not apply to deceased persons. Public authorities or public or private bodies that hold records of public interest should be services which, pursuant to Union or Member State law, have a legal obligation to acquire, preserve, appraise, arrange, describe, communicate, promote, disseminate and provide access to records of enduring value for general public interest. Member States should also be authorised to provide for the further processing of personal data for archiving purposes, for example with a view to providing specific information related to the political behaviour under former totalitarian state regimes, genocide, crimes against humanity, in particular the Holocaust, or war crimes. ...
... (53) 值得受較高度保護之特殊類型個人資料,於下述情形始得處理 之,亦即:僅有基於與健康相關之目的,且基於全體人類及社會整體 之利益為達成該等目的所必要者,特別是在健康或社會照護服務及系 統之管理,包括為品質控制、管理資訊及一般國內及地方監管健康或 社會照護系統之目的管理及整合國內醫療院所之該等資料之處理,以 及為確保健康或社會照護及跨境醫療保健或健康安全之永續性、為監 控及警示目的或符合公共利益之存檔目的、科學或歷史研究或統計目 的、基於符合公共利益目的之歐盟法或會員國法以及符合公共利益在 公共衛生領域所為之研究。因此,本規則應就涉及健康之該等特殊類 型個人資料之處理,針對特殊需求,為一致性之規範,尤其是該等資 料之處理係為特定醫療相關目的,由因職業持有秘密而負法定保密義 務之人所為之者。歐盟法或會員國法應明文規定具體適當之措施,以 保障個人基本權及其個人資料。會員國應被允許維持或採用進一步規定,包括但不限於關於基因資料、生物特徵識別資訊或與健康相關資訊之個人資料處理。惟該等條款適用於該等個人資料之跨境處理時,不得妨礙個人資料於歐盟境內之自由流通。 ...
... (53) Special categories of personal data which merit higher protection should be processed for health-related purposes only where necessary to achieve those purposes for the benefit of natural persons and society as a whole, in particular in the context of the management of health or social care services and systems, including processing by the management and central national health authorities of such data for the purpose of quality control, management information and the general national and local supervision of the health or social care system, and ensuring continuity of health or social care and cross-border healthcare or health security, monitoring and alert purposes, or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, based on Union or Member State law which has to meet an objective of public interest, as well as for studies conducted in the public interest in the area of public health. Therefore, this Regulation should provide for harmonised conditions for the processing of special categories of personal data concerning health, in respect of specific needs, in particular where the processing of such data is carried out for certain health-related purposes by persons subject to a legal obligation of professional secrecy. Union or Member State law should provide for specific and suitable measures so as to protect the fundamental rights and the personal data of natural persons. Member States should be allowed to maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health. However, this should not hamper the free flow of personal data within the Union when those conditions apply to cross-border processing of such data. ...
... 4. 第 1 項第 1 款第 d 點之公共利益應為歐盟法或控管者受拘束之會 員國法所承認者。 ...
... 4. The public interest referred to in point (d) of the first subparagraph of paragraph 1 shall be recognised in Union law or in the law of the Member State to which the controller is subject. ...
... (69) 然而,於個人資料得被合法處理係因有處理之必要且符合公共 利益之執行職務、或委託控管者行使公權力、或基於控管者或第三人 之有正當利益之理由時,資料主體仍應有權基於其特殊情形拒絕任何 個人資料之處理。此時應由控管者證明其正當利益優先於資料主體之 利益或基本權與自由。 ...
... (69) Where personal data might lawfully be processed because processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or on grounds of the legitimate interests of a controller or a third party, a data subject should, nevertheless, be entitled to object to the processing of any personal data relating to his or her particular situation. It should be for the controller to demonstrate that its compelling legitimate interest overrides the interests or the fundamental rights and freedoms of the data subject. ...