导航
GDPR > 第 2 條. 實體適用範圍
下载PDF

第 2 條 GDPR. 實體適用範圍

Article 2 GDPR. Material scope

1. 本規則適用於全部或一部以自動化方式處理之個人資料,且適用 於其他非自動化方式處理而構成檔案系統之一部分或旨在構成檔案 系統之一部分的個人資料。

1. This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.

專家評論

(EN) This article limits the scope of the GDPR. The European legislators have decided not to burden the majority of the population with numerous rules in the household and private life. They removed from the Regulation the processes of processing that do not pose a big threat (not automated processing where personal data is not collected in the system).

The combination “automated means” covers primarily…


访问全文

(EN) Author
(EN) Siarhei Varankevich CIPP/E, CIPM, CIPT, MBA, FIP
FIP_IAPP
(EN) Co-Founder & CEO of Data Privacy Office LLC. Data Protection Trainer and Principal Consultant
指南和案例法 献技

(15) 為防止產生規避之嚴重風險,當事人之保護應屬技術中立,且 不應依賴於已使用之技術。如檔案系統中已包含或旨在包含個人資料 者,當事人之保護均有適用,而不問其係透過自動化及手動化方式處理之個人資料。未依照特定標準建構之檔案或檔卷及其等封面則不在 本規則之適用範圍內。

(15) In order to prevent creating a serious risk of circumvention, the protection of natural persons should be technologically neutral and should not depend on the techniques used. The protection of natural persons should apply to the processing of personal data by automated means, as well as to manual processing, if the personal data are contained or are intended to be contained in a filing system. Files or sets of files, as well as their cover pages, which are not structured according to specific criteria should not fall within the scope of this Regulation.

2. 下列個人資料處理,不適用本規則:

2. This Regulation does not apply to the processing of personal data:

(a) 於歐盟法外治權領域之活動;

(a) in the course of an activity which falls outside the scope of Union law;

献技

(16) 本規則並不適用於個人資料涉及在歐盟法外治權領域活動(例 如國家安全之活動)所生之基本權及自由保護議題或其自由流通。本 規則不適用於會員國在進行歐盟共同外交及安全政策活動中所為之 個人資料處理。

(16) This Regulation does not apply to issues of protection of fundamental rights and freedoms or the free flow of personal data related to activities which fall outside the scope of Union law, such as activities concerning national security. This Regulation does not apply to the processing of personal data by the Member States when carrying out activities in relation to the common foreign and security policy of the Union.

(b) 由會員國所進行屬於歐盟條約第二章第 5 節範圍內之活動;

(b) by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU;

(c) 當事人所為單純之個人或家庭活動;

(c) by a natural person in the course of a purely personal or household activity;

指南和案例法 献技

(18) 本規則並未適用於當事人於其單純的個人或家庭活動中所為, 並因此不涉及職業行為或商務活動之個人資料處理。個人或家庭活動 得包括通信交流及持有地址資料,或社交網絡及此等活動範圍內所進 行之網路活動。然而,本規則適用於此等個人或家庭活動中為個人資 料處理提供媒介之控管者或處理者。

(18) This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities. However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities.

(d) 主管機關為達預防、調查、偵查或追訴刑事犯罪或執行刑罰之目 的(包括為維護及預防對於公共安全造成之威脅)所為之個人資料處 理。

(d) by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

献技

(19) 主管機關為達預防、調查、偵查及追訴刑事犯罪或執行刑罰之 目的所為當事人受保護之個人資料處理,包括為維護及預防此等資料 對公共安全及個人資料自由流通造成之威脅,乃係特定歐盟法律之主 題。因此,本規則不適用於有關上開目的所為之個人資料處理。惟公 務機關依本規則處理個人資料時,如其使用係為上開目的,則應受更 為具體之歐盟法案之拘束,即歐洲議會及歐盟理事會所制定之歐盟第 2016/680 號指令[7]。對於歐盟第 2016/680 號指令所定之主管機關, 會員國得委託其非必然為上開預防、調查、偵查及追訴刑事犯罪或執 行刑罰,包括為維護及預防對公共安全造成威脅之目的之職務,而該 等非基於上開目的所處理之個人資料,仍屬於歐盟法之範疇,亦有本 規則之適用。

(19) The protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security and the free movement of such data, is the subject of a specific Union legal act. This Regulation should not, therefore, apply to processing activities for those purposes. However, personal data processed by public authorities under this Regulation should, when used for those purposes, be governed by a more specific Union legal act, namely Directive (EU) 2016/680 of the European Parliament and of the Council [7]. Member States may entrust competent authorities within the meaning of Directive (EU) 2016/680 with tasks which are not necessarily carried out for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and prevention of threats to public security, so that the processing of personal data for those other purposes, in so far as it is within the scope of Union law, falls within the scope of this Regulation.

關於主管機關在本規則之目的範圍內所處理之個人資料,會員國應得 維持或採用更具體之規範,使其與本規則規定之適用相符。各會員國 得自行斟酌其憲法、組織及行政法架構,為該等機關因上開目的以外 所為個人資料之處理,訂定更具體化之特定規範。如私人處理個人資 料在本規則之目的範圍內者,本規則應使會員國得於特定情況下以法 律限制其權利義務,且該限制屬在民主社會中所必要且適度之措施, 並係為維護特定重要利益,包括公共安全及預防、調查、偵查或追訴 刑事犯罪或執行刑罰,包括維護及預防對公共安全之威脅。舉例而言, 此關係到洗錢防制架構或鑑識實驗活動等。

With regard to the processing of personal data by those competent authorities for purposes falling within scope of this Regulation, Member States should be able to maintain or introduce more specific provisions to adapt the application of the rules of this Regulation. Such provisions may determine more precisely specific requirements for the processing of personal data by those competent authorities for those other purposes, taking into account the constitutional, organisational and administrative structure of the respective Member State. When the processing of personal data by private bodies falls within the scope of this Regulation, this Regulation should provide for the possibility for Member States under specific conditions to restrict by law certain obligations and rights when such a restriction constitutes a necessary and proportionate measure in a democratic society to safeguard specific important interests including public security and the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. This is relevant for instance in the framework of anti-money laundering or the activities of forensic laboratories.

[7] Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data and repealing Council Framework Decision 2008/977/JHA (see page 89 of this Official Journal).

[7] Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data and repealing Council Framework Decision 2008/977/JHA (see page 89 of this Official Journal).

3. 歐盟規則第 45/2001 號適用於歐盟當局、機構、辦事處及局處所為 之個人資料處理。歐盟規則第 45/2001 號及其他涉及個人資料處理之 歐盟法案應依本規則第 98 條規定,按本規則之原則與規定調整修正 之。

3. For the processing of personal data by the Union institutions, bodies, offices and agencies, Regulation (EC) No 45/2001 applies. Regulation (EC) No 45/2001 and other Union legal acts applicable to such processing of personal data shall be adapted to the principles and rules of this Regulation in accordance with Article 98.

献技

(17) 歐洲議會及歐盟理事會[6]所訂定 45/2001 號規則適用於歐盟當 局、機構、辦事處及局處所為之個人資料處理。歐盟規則第 45/2001 號及其他涉及個人資料處理之歐盟法案應依本規則所建立之原則與 規定加以調整修正,並按本規則予以解釋適用。為在歐盟內建構強力且一致之資料保護框架,歐盟規則第 45/2001 號應隨本規則通過後作 必要調整,以使其適用同於本規則。

(17) Regulation (EC) No 45/2001 of the European Parliament and of the Council [6] applies to the processing of personal data by the Union institutions, bodies, offices and agencies. Regulation (EC) No 45/2001 and other Union legal acts applicable to such processing of personal data should be adapted to the principles and rules established in this Regulation and applied in the light of this Regulation. In order to provide a strong and coherent data protection framework in the Union, the necessary adaptations of Regulation (EC) No 45/2001 should follow after the adoption of this Regulation, in order to allow application at the same time as this Regulation.

[6] Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (OJ L 8, 12.1.2001, p. 1). https://eur-lex.europa.eu/legal-content/EN/AUTO/?uri=OJ:L:2001:008:TOC

[6] Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (OJ L 8, 12.1.2001, p. 1). https://eur-lex.europa.eu/legal-content/EN/AUTO/?uri=OJ:L:2001:008:TOC

(172) 歐盟資料保護監管機關依歐盟規則第 45/2001 號第 28條第 2項 接受諮詢,並於 2012 年 3 月 7 日發表其意見[17]。

(172) The European Data Protection Supervisor was consulted in accordance with Article 28(2) of Regulation (EC) No 45/2001 and delivered an opinion on 7 March 2012 [17].

4. 本規則不得影響歐盟指令第 2000/31/EC 號之適用,特別是中介服 務商依該指令第 12 至 15 條規定所負之義務。

4. This Regulation shall be without prejudice to the application of Directive 2000/31/EC, in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that Directive.

献技

(21) 本規則不影響歐洲議會及歐盟理事會 [8]所定歐盟指令第 2000/31/EC 號之適用,特別是中介服務商依該指令第 12 至 15 條規定 所負之義務。該指令旨在確保會員國間資訊社會服務之自由流通,以 促進歐洲市場之正常運作。

(21) This Regulation is without prejudice to the application of Directive 2000/31/EC of the European Parliament and of the Council [8], in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that Directive. That Directive seeks to contribute to the proper functioning of the internal market by ensuring the free movement of information society services between Member States.

[8] Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (‘Directive on electronic commerce’) (OJ L 178, 17.7.2000, p. 1). https://eur-lex.europa.eu/legal-content/EN/AUTO/?uri=OJ:L:2000:178:TOC

[8] Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (‘Directive on electronic commerce’) (OJ L 178, 17.7.2000, p. 1). https://eur-lex.europa.eu/legal-content/EN/AUTO/?uri=OJ:L:2000:178:TOC

專家評論 献技 指南和案例法 发表评论
專家評論

(EN) This article limits the scope of the GDPR. The European legislator has decided not to burden the majority of the population with numerous rules in the household and private life. They removed from the Regulation processing that…


访问全文

(EN) Siarhei Varankevich CIPP/E, CIPM, CIPT, MBA, FIP
FIP_IAPP
(EN) Co-Founder & CEO of Data Privacy Office LLC. Data Protection Trainer and Principal Consultant
献技

(14) 本規則所保護者,係不論當事人之國籍或住居所,凡涉及其個 人資料之處理均屬之。本規則並未涵蓋法人及具法人資格之特定事業 的個人資料處理(包括法人名稱、設立形式及其聯繫方式)。

(14) The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data. This Regulation does not cover the processing of personal data which concerns legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person.

(15) 為防止產生規避之嚴重風險,當事人之保護應屬技術中立,且 不應依賴於已使用之技術。如檔案系統中已包含或旨在包含個人資料 者,當事人之保護均有適用,而不問其係透過自動化及手動化方式處理之個人資料。未依照特定標準建構之檔案或檔卷及其等封面則不在 本規則之適用範圍內。

(15) In order to prevent creating a serious risk of circumvention, the protection of natural persons should be technologically neutral and should not depend on the techniques used. The protection of natural persons should apply to the processing of personal data by automated means, as well as to manual processing, if the personal data are contained or are intended to be contained in a filing system. Files or sets of files, as well as their cover pages, which are not structured according to specific criteria should not fall within the scope of this Regulation.

(16) 本規則並不適用於個人資料涉及在歐盟法外治權領域活動(例 如國家安全之活動)所生之基本權及自由保護議題或其自由流通。本 規則不適用於會員國在進行歐盟共同外交及安全政策活動中所為之 個人資料處理。

(16) This Regulation does not apply to issues of protection of fundamental rights and freedoms or the free flow of personal data related to activities which fall outside the scope of Union law, such as activities concerning national security. This Regulation does not apply to the processing of personal data by the Member States when carrying out activities in relation to the common foreign and security policy of the Union.

(17) 歐洲議會及歐盟理事會[6]所訂定 45/2001 號規則適用於歐盟當 局、機構、辦事處及局處所為之個人資料處理。歐盟規則第 45/2001 號及其他涉及個人資料處理之歐盟法案應依本規則所建立之原則與 規定加以調整修正,並按本規則予以解釋適用。為在歐盟內建構強力且一致之資料保護框架,歐盟規則第 45/2001 號應隨本規則通過後作 必要調整,以使其適用同於本規則。

(17) Regulation (EC) No 45/2001 of the European Parliament and of the Council [6] applies to the processing of personal data by the Union institutions, bodies, offices and agencies. Regulation (EC) No 45/2001 and other Union legal acts applicable to such processing of personal data should be adapted to the principles and rules established in this Regulation and applied in the light of this Regulation. In order to provide a strong and coherent data protection framework in the Union, the necessary adaptations of Regulation (EC) No 45/2001 should follow after the adoption of this Regulation, in order to allow application at the same time as this Regulation.

[6] Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (OJ L 8, 12.1.2001, p. 1). https://eur-lex.europa.eu/legal-content/EN/AUTO/?uri=OJ:L:2001:008:TOC

[6] Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (OJ L 8, 12.1.2001, p. 1). https://eur-lex.europa.eu/legal-content/EN/AUTO/?uri=OJ:L:2001:008:TOC

(18) 本規則並未適用於當事人於其單純的個人或家庭活動中所為, 並因此不涉及職業行為或商務活動之個人資料處理。個人或家庭活動 得包括通信交流及持有地址資料,或社交網絡及此等活動範圍內所進 行之網路活動。然而,本規則適用於此等個人或家庭活動中為個人資 料處理提供媒介之控管者或處理者。

(18) This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities. However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities.

(19) 主管機關為達預防、調查、偵查及追訴刑事犯罪或執行刑罰之 目的所為當事人受保護之個人資料處理,包括為維護及預防此等資料 對公共安全及個人資料自由流通造成之威脅,乃係特定歐盟法律之主 題。因此,本規則不適用於有關上開目的所為之個人資料處理。惟公 務機關依本規則處理個人資料時,如其使用係為上開目的,則應受更 為具體之歐盟法案之拘束,即歐洲議會及歐盟理事會所制定之歐盟第 2016/680 號指令[7]。對於歐盟第 2016/680 號指令所定之主管機關, 會員國得委託其非必然為上開預防、調查、偵查及追訴刑事犯罪或執 行刑罰,包括為維護及預防對公共安全造成威脅之目的之職務,而該 等非基於上開目的所處理之個人資料,仍屬於歐盟法之範疇,亦有本 規則之適用。

(19) The protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security and the free movement of such data, is the subject of a specific Union legal act. This Regulation should not, therefore, apply to processing activities for those purposes. However, personal data processed by public authorities under this Regulation should, when used for those purposes, be governed by a more specific Union legal act, namely Directive (EU) 2016/680 of the European Parliament and of the Council [7]. Member States may entrust competent authorities within the meaning of Directive (EU) 2016/680 with tasks which are not necessarily carried out for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and prevention of threats to public security, so that the processing of personal data for those other purposes, in so far as it is within the scope of Union law, falls within the scope of this Regulation.

關於主管機關在本規則之目的範圍內所處理之個人資料,會員國應得 維持或採用更具體之規範,使其與本規則規定之適用相符。各會員國 得自行斟酌其憲法、組織及行政法架構,為該等機關因上開目的以外 所為個人資料之處理,訂定更具體化之特定規範。如私人處理個人資 料在本規則之目的範圍內者,本規則應使會員國得於特定情況下以法 律限制其權利義務,且該限制屬在民主社會中所必要且適度之措施, 並係為維護特定重要利益,包括公共安全及預防、調查、偵查或追訴 刑事犯罪或執行刑罰,包括維護及預防對公共安全之威脅。舉例而言, 此關係到洗錢防制架構或鑑識實驗活動等。

With regard to the processing of personal data by those competent authorities for purposes falling within scope of this Regulation, Member States should be able to maintain or introduce more specific provisions to adapt the application of the rules of this Regulation. Such provisions may determine more precisely specific requirements for the processing of personal data by those competent authorities for those other purposes, taking into account the constitutional, organisational and administrative structure of the respective Member State. When the processing of personal data by private bodies falls within the scope of this Regulation, this Regulation should provide for the possibility for Member States under specific conditions to restrict by law certain obligations and rights when such a restriction constitutes a necessary and proportionate measure in a democratic society to safeguard specific important interests including public security and the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. This is relevant for instance in the framework of anti-money laundering or the activities of forensic laboratories.

[7] Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data and repealing Council Framework Decision 2008/977/JHA (see page 89 of this Official Journal).

[7] Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data and repealing Council Framework Decision 2008/977/JHA (see page 89 of this Official Journal).

(20) 本規則之適用範圍雖包括但不限於法院及其他司法機關之活動, 但歐盟法或會員國法仍得具體化規範該等法院及其他司法機關於處 理個人資料時所應遵守之要點及程序。法院基於行使其司法權限所為 個人資料之處理,為確保法院履行其司法任務時得以獨立審判,包括 作成判決,監管機關不應干涉之。於會員國特別確保本規則所定規範 之遵守,強化司法人員認知其於本規則下所負之義務,並受理關於處理此類個人資料所生之申訴時,該會員國得於其司法系統下設立監控 此類個人資料處理之單位。

(20) While this Regulation applies, inter alia, to the activities of courts and other judicial authorities, Union or Member State law could specify the processing operations and processing procedures in relation to the processing of personal data by courts and other judicial authorities. The competence of the supervisory authorities should not cover the processing of personal data when courts are acting in their judicial capacity, in order to safeguard the independence of the judiciary in the performance of its judicial tasks, including decision-making. It should be possible to entrust supervision of such data processing operations to specific bodies within the judicial system of the Member State, which should, in particular ensure compliance with the rules of this Regulation, enhance awareness among members of the judiciary of their obligations under this Regulation and handle complaints in relation to such data processing operations.

(21) 本規則不影響歐洲議會及歐盟理事會 [8]所定歐盟指令第 2000/31/EC 號之適用,特別是中介服務商依該指令第 12 至 15 條規定 所負之義務。該指令旨在確保會員國間資訊社會服務之自由流通,以 促進歐洲市場之正常運作。

(21) This Regulation is without prejudice to the application of Directive 2000/31/EC of the European Parliament and of the Council [8], in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that Directive. That Directive seeks to contribute to the proper functioning of the internal market by ensuring the free movement of information society services between Member States.

[8] Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (‘Directive on electronic commerce’) (OJ L 178, 17.7.2000, p. 1). https://eur-lex.europa.eu/legal-content/EN/AUTO/?uri=OJ:L:2000:178:TOC

[8] Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (‘Directive on electronic commerce’) (OJ L 178, 17.7.2000, p. 1). https://eur-lex.europa.eu/legal-content/EN/AUTO/?uri=OJ:L:2000:178:TOC

指南和案例法 发表评论