导航
GDPR > 第 11 條. 不須識別之處理
下载PDF

第 11 條 GDPR. 不須識別之處理

Article 11 GDPR. Processing which does not require identification

1. 控管者處理個人資料之目的非為識別資料主體,或不再需要由控 管者識別資料主體時,該控管者應無義務維護、取得或處理依照本規 則以識別該資料主體為唯一目的之額外資訊。

1. If the purposes for which a controller processes personal data do not or do no longer require the identification of a data subject by the controller, the controller shall not be obliged to maintain, acquire or process additional information in order to identify the data subject for the sole purpose of complying with this Regulation.

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph to article 11(1) GDPR:

7.4.5 PII de-identification and deletion at the end of processing

Control

The organization should either delete PII or render it in a form which does not permit identification or re-identification of PII principals, as soon as the original PII is no longer necessary for the identified purpose(s).


访问全文

2. 本條第一項所定情形,如控管者得證明其非立於識別該資料主體 之地位者,該控管者應於可能範圍內通知該資料主體。於此情形,第 15 條至第 20 條規定應不予適用,但資料主體依該等規定,為行使其 權利之目的,提供得識別其身分之額外資訊者,不在此限。

2. Where, in cases referred to in paragraph 1 of this Article, the controller is able to demonstrate that it is not in a position to identify the data subject, the controller shall inform the data subject accordingly, if possible. In such cases, Articles 15 to 20 shall not apply except where the data subject, for the purpose of exercising his or her rights under those articles, provides additional information enabling his or her identification.

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraphs to article 11(2) GDPR:

7.3.2 Determining information for PII principals

Control

The organization should determine and document the information to be provided to PII principals regarding the processing of their PII and the timing of such a provision.

Implementation guidance

The organization should determine the legal, regulatory and/or business requirements for when information is to be provided to the PII principal (e.g. prior to processing, within a certain time from when it is requested, etc.) and for the type of information to be provided.

Depending on the requirements, the information can take the form of a notice. Examples of types of information that can be provided to PII principals are:

 


访问全文

相关文章
献技 发表评论
献技

(57) 於經資料控管者處理之個人資料不允許其識別該當事人時,資料 控管者即不得單獨為達成本規則之任何條款之目的,為識別資料主體 而獲取額外資訊。但控管者不得拒絕接受資料主體為行使其權利所提 供之額外資訊。識別應包括資料主體之數位辨識在內,例如透過資料 主體登入資料控管者提供之網路服務時所使用之相同憑證等認證機 制。

(57) If the personal data processed by a controller do not permit the controller to identify a natural person, the data controller should not be obliged to acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation. However, the controller should not refuse to take additional information provided by the data subject in order to support the exercise of his or her rights. Identification should include the digital identification of a data subject, for example through authentication mechanism such as the same credentials, used by the data subject to log-in to the on-line service offered by the data controller.

(64) 控管者應使用所有合理手段以驗證請求接近使用資料之資料主 體的身分,尤其是在網路服務或網路識別工具之情形。控管者不得為 了回應潛在請求之單獨目的而獲取個人資訊。

(64) The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers. A controller should not retain personal data for the sole purpose of being able to react to potential requests.

发表评论