Article 20 GDPR. Right to data portability

1. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

(a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and

(b) the processing is carried out by automated means.

2. In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

3. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

4. The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.

Expert commentary

The right to data portability is presented primarily as a way to support “user choice, user control, and user empowerment” (Guidelines on the Right to Data Portability), as it aims at reinforcing an individual’s control over her/his personal information (recital 68). Data portability allows users to receive a copy of their personal data and can be seen in that sense as an extension of the right of access (article 15). It can also help them to switch services without losing their data, enabling users to transfer their information from one service to a potentially better one.


Author: Louis-Philippe Gratton PhD, LLM, Privacy Expert

Data Subject Request Letter Sample

Concern: Exercise my right to data portability

Dear Madam, Dear Sir,

I would like to exercise my right to data portability under Article 20 of the General Data Protection Regulation (GDPR)…


Author: Louis-Philippe Gratton PhD, LLM, Privacy Expert

ISO 27701

ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the paragraph relevant to Article 20 GDPR:

7.3.8 Providing copy of PII processed

Control

The organization should be able to provide a copy of the PII that is processed when requested by the PII principal.

Implementation guidance

The organization should provide a copy of the PII that is processed in a structured, commonly used, format accessible by the PII principal.


Recitals

(68) To further strengthen the control over his or her own data, where the processing of personal data is carried out by automated means, the data subject should also be allowed to receive personal data concerning him or her which he or she has provided to a controller in a structured, commonly used, machine-readable and interoperable format, and to transmit it to another controller. Data controllers should be encouraged to develop interoperable formats that enable data portability. That right should apply where the data subject provided the personal data on the basis of his or her consent or the processing is necessary for the performance of a contract. It should not apply where processing is based on a legal ground other than consent or contract. By its very nature, that right should not be exercised against controllers processing personal data in the exercise of their public duties. It should therefore not apply where the processing of the personal data is necessary for compliance with a legal obligation to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of an official authority vested in the controller. The data subject's right to transmit or receive personal data concerning him or her should not create an obligation for the controllers to adopt or maintain processing systems which are technically compatible. Where, in a certain set of personal data, more than one data subject is concerned, the right to receive the personal data should be without prejudice to the rights and freedoms of other data subjects in accordance with this Regulation. 
Furthermore, that right should not prejudice the right of the data subject to obtain the erasure of personal data and the limitations of that right as set out in this Regulation and should, in particular, not imply the erasure of personal data concerning the data subject which have been provided by him or her for the performance of a contract to the extent that and for as long as the personal data are necessary for the performance of that contract. Where technically feasible, the data subject should have the right to have the personal data transmitted directly from one controller to another.
