
Article 13 GDPR. Information to be provided where personal data are collected from the data subject

1. Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:

Recitals

(60) The principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes. The controller should provide the data subject with any further information necessary to ensure fair and transparent processing taking into account the specific circumstances and context in which the personal data are processed. Furthermore, the data subject should be informed of the existence of profiling and the consequences of such profiling. Where the personal data are collected from the data subject, the data subject should also be informed whether he or she is obliged to provide the personal data and of the consequences, where he or she does not provide such data. That information may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended processing. Where the icons are presented electronically, they should be machine-readable.


(a) the identity and the contact details of the controller and, where applicable, of the controller’s representative;


(b) the contact details of the data protection officer, where applicable;


(c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;


(d) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;


(e) the recipients or categories of recipients of the personal data, if any;


(f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.


2. In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:

Recitals

(61) The information in relation to the processing of personal data relating to the data subject should be given to him or her at the time of collection from the data subject, or, where the personal data are obtained from another source, within a reasonable period, depending on the circumstances of the case. Where personal data can be legitimately disclosed to another recipient, the data subject should be informed when the personal data are first disclosed to the recipient. Where the controller intends to process the personal data for a purpose other than that for which they were collected, the controller should provide the data subject prior to that further processing with information on that other purpose and other necessary information. Where the origin of the personal data cannot be provided to the data subject because various sources have been used, general information should be provided.


(a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;

ISO 27701

ISO/IEC 27701, adopted in 2019, added ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph for Article 13(2)(a) GDPR:

7.4.7 Retention

Control

The organization should not retain PII for longer than is necessary for the purposes for which the PII is processed.

Implementation guidance

The organization should develop and maintain retention schedules for information it retains, taking into account the requirement to retain PII for no longer than is necessary.



(b) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;

ISO 27701

ISO/IEC 27701, adopted in 2019, added ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph for Article 13(2)(b) GDPR:

7.3.5 Providing mechanism to object to PII processing

Control

The organization should provide a mechanism for PII principals to object to the processing of their PII.

Implementation guidance

Some jurisdictions provide PII principals with a right to object to the processing of their PII. Organizations subject to the legislation and/or regulation of such jurisdictions should ensure that they implement appropriate measures to enable PII principals to exercise this right.



(c) where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;

ISO 27701

ISO/IEC 27701, adopted in 2019, added ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph for Article 13(2)(c) GDPR:

7.3.4 Providing mechanism to modify or withdraw consent

Control

The organization should provide a mechanism for PII principals to modify or withdraw their consent.

Implementation guidance

The organization should inform PII principals of their rights related to withdrawing consent (which may vary by jurisdiction) at any time, and provide the mechanism to do so.



(d) the right to lodge a complaint with a supervisory authority;


(e) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;


(f) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

ISO 27701

ISO/IEC 27701, adopted in 2019, added ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph for Article 13(2)(f) GDPR:

7.3.10 Automated decision making

Control

The organization should identify and address obligations, including legal obligations, to the PII principals resulting from decisions made by the organization which are related to the PII principal based solely on automated processing of PII.



3. Where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2.

ISO 27701

ISO/IEC 27701, adopted in 2019, added ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph for Article 13(3) GDPR:

7.3.3 Providing information to PII principals

Control

The organization should provide PII principals with clear and easily accessible information identifying the PII controller and describing the processing of their PII.

Implementation guidance

The organization should provide the information detailed in 7.3.2 to PII principals in a timely, concise, complete, transparent, intelligible and easily accessible form, using clear and plain language, as appropriate to the target audience.



4. Paragraphs 1, 2 and 3 shall not apply where and insofar as the data subject already has the information.

Expert commentary

To facilitate the work of our consultants, we have collected all the requirements and information that have to be mentioned and created a convenient checklist. Next to each paragraph, we have placed links to the specific GDPR articles and guidelines. We grouped all the information into 7 sections:

  • Controller’s identity
  • Purpose and lawful basis for processing
  • Personal data
  • Transfers of data to third countries
  • Rights
  • Changes (in privacy notices)
  • Form (of information provided)


Author: Siarhei Varankevich CIPP/E, CIPM, CIPT, MBA, FIP, Co-Founder & CEO of Data Privacy Office LLC, Data Protection Trainer and Principal Consultant


Data Subject Request Letter Sample

Concern: Request of information regarding my personal data

Dear Madam, Dear Sir,

I have a right to be informed, under Article 13 of the General Data Protection Regulation (GDPR), about personal data concerning me that you are processing…


Author: Louis-Philippe Gratton PhD, LLM, Privacy Expert
ISO 27701

ISO/IEC 27701, adopted in 2019, added ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph for Article 13 GDPR:

7.3.2 Determining information for PII principals

Control

The organization should determine and document the information to be provided to PII principals regarding the processing of their PII and the timing of such a provision.

Implementation guidance

The organization should determine the legal, regulatory and/or business requirements for when information is to be provided to the PII principal (e.g. prior to processing, within a certain time from when it is requested, etc.) and for the type of information to be provided.


Recitals


(62) However, it is not necessary to impose the obligation to provide information where the data subject already possesses the information, where the recording or disclosure of the personal data is expressly laid down by law or where the provision of information to the data subject proves to be impossible or would involve a disproportionate effort. The latter could in particular be the case where processing is carried out for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. In that regard, the number of data subjects, the age of the data and any appropriate safeguards adopted should be taken into consideration.

(63) A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing. This includes the right for data subjects to have access to data concerning their health, for example the data in their medical records containing information such as diagnoses, examination results, assessments by treating physicians and any treatment or interventions provided. Every data subject should therefore have the right to know and obtain communication in particular with regard to the purposes for which the personal data are processed, where possible the period for which the personal data are processed, the recipients of the personal data, the logic involved in any automatic personal data processing and, at least when based on profiling, the consequences of such processing. Where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data. That right should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software. However, the result of those considerations should not be a refusal to provide all information to the data subject. Where the controller processes a large quantity of information concerning the data subject, the controller should be able to request that, before the information is delivered, the data subject specify the information or processing activities to which the request relates.
