Article 17 GDPR. Right to erasure (‘right to be forgotten’)

1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

Expert commentary
Author: Siarhei Varankevich, CIPP/E, CIPM, CIPT, MBA, FIP
Co-Founder & CEO of Data Privacy Office LLC. Data Protection Trainer and Principal Consultant

(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;

(c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);

(d) the personal data have been unlawfully processed;

(e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

(f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).

2. Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

ISO 27701

ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII processors.

Here is the paragraph relevant to Article 17(2) GDPR:

8.3.1 Obligations to PII principals

Control

The organization should provide the customer with the means to comply with its obligations related to PII principals.

Implementation guidance

A PII controller’s obligations can be defined by legislation, by regulation and/or by contract.


3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:

ISO 27701

ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the paragraph relevant to Article 17(3) GDPR:

7.2.2 Identify lawful basis

Control

The organization should determine, document and comply with the relevant lawful basis for the processing of PII for the identified purposes.

Implementation guidance

Some jurisdictions require the organization to be able to demonstrate that the lawfulness of processing was duly established before the processing.


(a) for exercising the right of freedom of expression and information;

(b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(c) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);

(d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or

(e) for the establishment, exercise or defence of legal claims.

Expert commentary

The so-called “right to be forgotten” was hailed as a breakthrough with the adoption of the General Data Protection Regulation, even though it existed in a limited form before. Article 17 provides for a broader “right to erasure”, to take into account the exact wording of the provision. European Union residents have a right to ask for the deletion of their personal data, and the organization that holds the data has a corresponding obligation to erase them “without undue delay” under a certain number of circumstances.


Author: Louis-Philippe Gratton, PhD, LLM, Privacy Expert

Data Subject Request Letter Sample

Concern: Request to erase my personal data

Dear Madam, Dear Sir,

You have data concerning me that I am asking you to delete…


ISO 27701

ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the paragraph relevant to Article 17 GDPR:

7.3.6 Access, correction and/or erasure

Control

The organization should implement policies, procedures and/or mechanisms to meet their obligations to PII principals to access, correct and/or erase their PII.

Implementation guidance

The organization should implement policies, procedures and/or mechanisms for enabling PII principals to obtain access to, correct and erase of their PII, if requested and without undue delay.


Recitals

(65) A data subject should have the right to have personal data concerning him or her rectified and a ‘right to be forgotten’ where the retention of such data infringes this Regulation or Union or Member State law to which the controller is subject. In particular, a data subject should have the right to have his or her personal data erased and no longer processed where the personal data are no longer necessary in relation to the purposes for which they are collected or otherwise processed, where a data subject has withdrawn his or her consent or objects to the processing of personal data concerning him or her, or where the processing of his or her personal data does not otherwise comply with this Regulation. That right is relevant in particular where the data subject has given his or her consent as a child and is not fully aware of the risks involved by the processing, and later wants to remove such personal data, especially on the internet. The data subject should be able to exercise that right notwithstanding the fact that he or she is no longer a child. However, the further retention of the personal data should be lawful where it is necessary, for exercising the right of freedom of expression and information, for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, on the grounds of public interest in the area of public health, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or for the establishment, exercise or defence of legal claims.

(66) To strengthen the right to be forgotten in the online environment, the right to erasure should also be extended in such a way that a controller who has made the personal data public should be obliged to inform the controllers which are processing such personal data to erase any links to, or copies or replications of those personal data. In doing so, that controller should take reasonable steps, taking into account available technology and the means available to the controller, including technical measures, to inform the controllers which are processing the personal data of the data subject's request.
