(61) The information in relation to the processing of personal data relating to the data subject should be given to him or her at the time of collection from the data subject, or, where the personal data are obtained from another source, within a reasonable period, depending on the circumstances of the case. Where personal data can be legitimately disclosed to another recipient, the data subject should be informed when the personal data are first disclosed to the recipient. Where the controller intends to process the personal data for a purpose other than that for which they were collected, the controller should provide the data subject prior to that further processing with information on that other purpose and other necessary information. Where the origin of the personal data cannot be provided to the data subject because various sources have been used, general information should be provided.
(62) However, it is not necessary to impose the obligation to provide information where the data subject already possesses the information, where the recording or disclosure of the personal data is expressly laid down by law or where the provision of information to the data subject proves to be impossible or would involve a disproportionate effort. The latter could in particular be the case where processing is carried out for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. In that regard, the number of data subjects, the age of the data and any appropriate safeguards adopted should be taken into consideration.
(63) A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing. This includes the right for data subjects to have access to data concerning their health, for example the data in their medical records containing information such as diagnoses, examination results, assessments by treating physicians and any treatment or interventions provided. Every data subject should therefore have the right to know and obtain communication in particular with regard to the purposes for which the personal data are processed, where possible the period for which the personal data are processed, the recipients of the personal data, the logic involved in any automatic personal data processing and, at least when based on profiling, the consequences of such processing. Where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data. That right should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software. However, the result of those considerations should not be a refusal to provide all information to the data subject. Where the controller processes a large quantity of information concerning the data subject, the controller should be able to request that, before the information is delivered, the data subject specify the information or processing activities to which the request relates.
Article 29 Working Party, Guidelines on transparency under Regulation 2016/679, WP260 rev.01 (2018).
EDPB, Guidelines 3/2020 on the Processing of Data Concerning Health for the Purpose of Scientific Research in the Context of the Covid-19 Outbreak (2020).
EDPB, Guidelines 3/2019 on Processing of Personal Data through Video Devices (2020).
European Commission, Guidance on Apps supporting the fight against COVID 19 pandemic in relation to data protection Brussels (2020).
EDPB, Guidelines 02/2021 on Virtual Voice Assistants (2021).
CJEU, College van burgemeester en wethouders van Rotterdam/Rijkeboer, C-553/07 (2009).
CJEU, YS/Minister voor Immigratie, Integratie en Asiel, C-141/12 and C-372/12 (2014).
CJEU, ClientEarth/European Food Safety Authority, C‑615/13 P (2015).
CJEU, Nowak/Data Protection Commissioner, C-434/16 (2017).
ECHR, López Ribalda v. Spain, nos 1874/13 and 8567/13 (2019).
Belgian DPA Fines Belgian Telecommunications Provider for Several Data Protection Infringements (2020). Brief description in English.
ISO/IEC 27701, adopted in 2019, provides additional ISO/IEC 27002 guidance for PII controllers.
Here is the paragraph relevant to Article 13(2)(a) GDPR:
The organization should not retain PII for longer than is necessary for the purposes for which the PII is processed.
The organization should develop and maintain retention schedules for information it retains, taking into account the requirement to retain PII for no longer than is necessary.