导航
GDPR > 第 15 條. 資料主體之接近使用權
下载PDF

第 15 條 GDPR. 資料主體之接近使用權

Article 15 GDPR. Right of access by the data subject

1. 資料主體有權向控管者確認其個人資料是否正被處理,於此情形 者,資料主體應有權接近使用其個人資料及下列資訊:

1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

專家評論
(EN) Author
Siarhei Varankevich
(EN) Siarhei Varankevich CIPP/E, CIPM, CIPT, MBA, FIP
FIP_IAPP
(EN) Co-Founder & CEO of Data Privacy Office LLC. Data Protection Trainer and Principal Consultant

(a) 處理之目的;

(a) the purposes of the processing;

(b) 個人資料所涉及之類型;

(b) the categories of personal data concerned;

(c) 已揭露或將予揭露之個人資料接收者或接收者類型,尤其是在第三國境內或國際組織之接收者;

(c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;

(d) 如可能,個人資料將被儲存之預期期間,或如告知期間不可能者, 確定該期間所採用之標準;

(d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;

(e) 向控管者請求更正或刪除或限制處理或拒絕處理與資料主體相關 個人資料之權利;

(e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;

(f) 向監管機關提起申訴之權利;

(f) the right to lodge a complaint with a supervisory authority;

(g) 個人資料非自資料主體蒐集所得者,關於該來源之任何充分資 訊;

(g) where the personal data are not collected from the data subject, any available information as to their source;

(h) 存在第 22 條第 1 項及第 4 項所定自動決策(包括建檔)者,至 少在該等情況,為資料主體之處理所涉及的邏輯性有意義資訊,以及 重要性與預設結果。

(h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

相关文章

2. 如個人資料移轉至第三國或至國際組織,該資料主體應有權獲知 關於該傳輸依第 46 條所定之適當保護措施;

2. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraphs to article 15(2) GDPR:

7.3.2 Determining information for PII principals

Control

The organization should determine and document the information to be provided to PII principals regarding the processing of their PII and the timing of such a provision.

Implementation guidance

The organization should determine the legal, regulatory and/or business requirements for when information is to be provided to the PII principal (e.g. prior to processing, within a certain time from when it is requested, etc.) and for the type of information to be provided.


访问全文

相关文章

3. 控管者應提供所在處理之個人資料副本乙份。資料主體所要求之 任何更多副本,控管者得依行政成本收取合理費用。如資料主體係以 電子方式提出請求,除資料主體有不同要求外,該資訊之提供亦應以 電子方式為之。

3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.

ISO 27701

(RU)

ISO/IEC 27701, принятый в 2019, добавил дополнительное руководство к ISO/IEC 27002 для контролеров персональных данных (ПИИ).

Приводим соответствующий параграф к статье 15(3) GDPR:

8.3.1 Обязательства по отношению к субъектам ПИИ

Средство управления

Организация должна обеспечить клиента механизмами выполнения своих обязательств, связанных с принципами ПИИ.

Руководство по внедрению

Обязанности контролера ПИИ могут быть определены законодательством, регламентом и / или договором.


访问全文

4. 第 3 項所定取得副本之權利不應影響其他人之權利及自由。

4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.

專家評論 ISO 27701 献技 指南和案例法 发表评论
專家評論

(EN)

Data Subject Request Letter Sample

Concern: Request to access my personal data

Dear Madam, Dear Sir,

I would like to know if you have any data concerning me, processed manually or by automated means, whether stored in digital databases or paper files…


访问全文

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraphs to article 15 GDPR:

7.3.2 Determining information for PII principals

Control

The organization should determine and document the information to be provided to PII principals regarding the processing of their PII and the timing of such a provision.

Implementation guidance

The organization should determine the legal, regulatory and/or business requirements for when information is to be provided to the PII principal (e.g. prior to processing, within a certain time from when it is requested, etc.) and for the type of information to be provided.


访问全文

献技

(63) 資料主體應有權接近使用其所受蒐集之個人資料,並得容易地、 於合理之時間間隔行使接近使用權,以知悉並核實該處理之合法性。 此包括資料主體有權接近使用其健康資訊,例如包括診斷、檢驗結果、 醫師所為評鑑及任何治療或干擾措施提供之資訊。因此,各資料主體 應有權知悉及獲得溝通,尤其是個人資料受處理之目的、受處理之可 能期間、個人資料之接收者、任何自動處理個人資料所涉及之邏輯、 以及至少於建檔時之資料處理結果。若有可能,控管者應提供得遠端 使用之安全系統以提供資料主體對其個人資料有直接之接近使用權。 該權利不得對他人之權利或自由有不利之影響,包括營業秘密或智慧 財產權,尤其是保護軟體之著作權。但是,就此等面向之顧慮不得導 致拒絕提供所有資訊予資料主體之結果。當控管者處理有關資料主體 之大量資訊時,應得於資訊傳遞前請求資料主體特定與其請求相關之 資訊或處理活動。

(63) A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing. This includes the right for data subjects to have access to data concerning their health, for example the data in their medical records containing information such as diagnoses, examination results, assessments by treating physicians and any treatment or interventions provided. Every data subject should therefore have the right to know and obtain communication in particular with regard to the purposes for which the personal data are processed, where possible the period for which the personal data are processed, the recipients of the personal data, the logic involved in any automatic personal data processing and, at least when based on profiling, the consequences of such processing. Where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data. That right should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software. However, the result of those considerations should not be a refusal to provide all information to the data subject. Where the controller processes a large quantity of information concerning the data subject, the controller should be able to request that, before the information is delivered, the data subject specify the information or processing activities to which the request relates.

(64) 控管者應使用所有合理手段以驗證請求接近使用資料之資料主 體的身分,尤其是在網路服務或網路識別工具之情形。控管者不得為 了回應潛在請求之單獨目的而獲取個人資訊。

(64) The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers. A controller should not retain personal data for the sole purpose of being able to react to potential requests.

指南和案例法 发表评论
[js-disqus]