
Article 18 GDPR. Right to restriction of processing

1. The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

Expert commentary
Author: Siarhei Varankevich CIPP/E, CIPM, CIPT, MBA, FIP
Co-Founder & CEO of Data Privacy Office LLC. Data Protection Trainer and Principal Consultant

(a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;

(b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

(c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;

(d) the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.


2. Where processing has been restricted under paragraph 1, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

ISO 27701

ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph to article 18(2) GDPR:

7.2.2 Identify lawful basis

Control

The organization should determine, document and comply with the relevant lawful basis for the processing of PII for the identified purposes.

Implementation guidance

Some jurisdictions require the organization to be able to demonstrate that the lawfulness of processing was duly established before the processing.



3. A data subject who has obtained restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction of processing is lifted.

ISO 27701

ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph to article 18(3) GDPR:

7.3.2 Determining information for PII principals

Control

The organization should determine and document the information to be provided to PII principals regarding the processing of their PII and the timing of such a provision.

Implementation guidance

The organization should determine the legal, regulatory and/or business requirements for when information is to be provided to the PII principal (e.g. prior to processing, within a certain time from when it is requested, etc.) and for the type of information to be provided.



Expert commentary

The right to restriction of processing is one of the eight rights granted by the GDPR, but it is not the easiest one to understand at first glance. It can be summed up as an obligation on behalf of the controller to retain data, but they can neither be processed in any other manner nor modified.



Author: Louis-Philippe Gratton PhD, LLM
Privacy Expert


Data Subject Request Letter Sample

Concern: Request to restrict the processing of my personal data

Dear Madam, Dear Sir,

I am entitled to ask you to restrict the processing of my personal data under Article 18(1) of the General Data Protection Regulation (GDPR)…



Author: Louis-Philippe Gratton PhD, LLM
Privacy Expert
ISO 27701

ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph to article 18 GDPR:

7.3.4 Providing mechanism to modify or withdraw consent

Control

The organization should provide a mechanism for PII principals to modify or withdraw their consent.

Implementation guidance

The organization should inform PII principals of their rights related to withdrawing consent (which may vary by jurisdiction) at any time, and provide the mechanism to do so.



Recitals

(67) Methods by which to restrict the processing of personal data could include, inter alia, temporarily moving the selected data to another processing system, making the selected personal data unavailable to users, or temporarily removing published data from a website. In automated filing systems, the restriction of processing should in principle be ensured by technical means in such a manner that the personal data are not subject to further processing operations and cannot be changed. The fact that the processing of personal data is restricted should be clearly indicated in the system.
