Article 12 GDPR. Transparent information, communication and modalities for the exercise of the rights of the data subject

1. The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.

Recitals

(58) The principle of transparency requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand, and that clear and plain language and, additionally, where appropriate, visualisation be used. Such information could be provided in electronic form, for example, when addressed to the public, through a website. This is of particular relevance in situations where the proliferation of actors and the technological complexity of practice make it difficult for the data subject to know and understand whether, by whom and for what purpose personal data relating to him or her are being collected, such as in the case of online advertising. Given that children merit specific protection, any information and communication, where processing is addressed to a child, should be in such a clear and plain language that the child can easily understand.

2. The controller shall facilitate the exercise of data subject rights under Articles 15 to 22. In the cases referred to in Article 11(2), the controller shall not refuse to act on the request of the data subject for exercising his or her rights under Articles 15 to 22, unless the controller demonstrates that it is not in a position to identify the data subject.

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph for Article 12(2) GDPR:

7.3.1 Determining and fulfilling obligations to PII principals

Control

The organization should determine and document their legal, regulatory and business obligations to PII principals related to the processing of their PII and provide the means to meet these obligations.


Recitals

(59) Modalities should be provided for facilitating the exercise of the data subject's rights under this Regulation, including mechanisms to request and, if applicable, obtain, free of charge, in particular, access to and rectification or erasure of personal data and the exercise of the right to object. The controller should also provide means for requests to be made electronically, especially where personal data are processed by electronic means. The controller should be obliged to respond to requests from the data subject without undue delay and at the latest within one month and to give reasons where the controller does not intend to comply with any such requests.

(64) The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers. A controller should not retain personal data for the sole purpose of being able to react to potential requests.

3. The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.

4. If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

5. Information provided under Articles 13 and 14 and any communication and any actions taken under Articles 15 to 22 and 34 shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:

(a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or

(b) refuse to act on the request.

The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.

6. Without prejudice to Article 11, where the controller has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request the provision of additional information necessary to confirm the identity of the data subject.

7. The information to be provided to data subjects pursuant to Articles 13 and 14 may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner a meaningful overview of the intended processing. Where the icons are presented electronically they shall be machine-readable.

8. The Commission shall be empowered to adopt delegated acts in accordance with Article 92 for the purpose of determining the information to be presented by the icons and the procedures for providing standardised icons.


Expert commentary
(EN) Author
Louis-Philippe Gratton
(EN) Louis-Philippe Gratton PhD, LLM
(EN) Privacy Expert
ISO 27701

Here are the relevant paragraphs for Article 12 GDPR:

7.3.3 Providing information to PII principals

Control

The organization should provide PII principals with clear and easily accessible information identifying the PII controller and describing the processing of their PII.

Implementation guidance

The organization should provide the information detailed in 7.3.2 to PII principals in a timely, concise, complete, transparent, intelligible and easily accessible form, using clear and plain language, as appropriate to the target audience.
