第 23 條 📖 GDPR. 限制

第 23 條 GDPR. 限制

Article 23 GDPR. Restrictions

1. 資料控管者或處理者受拘束之歐盟法或會員國法得以立法程序限制第12條至第 22條及第 34條以及第5條所定之權利與義務之範圍，但限於其立法符合第 12 條至第 22 條所定之權利與義務，且該限制尊重基本權及自由之本質，並於民主社會中係必要且適當措施以確保：

1. Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:

第 5 條 GDPR. 個人資料處理原則

Article 5 GDPR. Principles relating to processing of personal data

第 12 條 GDPR. 資料主體為行使其權利之透明資訊、溝通及管道

Article 12 GDPR. Transparent information, communication and modalities for the exercise of the rights of the data subject

第 13 條 GDPR. 蒐集資料主體之個人資料時所提供之資訊

Article 13 GDPR. Information to be provided where personal data are collected from the data subject

第 14 條 GDPR. 尚未自資料主體取得個人資料時所應提供之資訊

Article 14 GDPR. Information to be provided where personal data have not been obtained from the data subject

第 15 條 GDPR. 資料主體之接近使用權

Article 15 GDPR. Right of access by the data subject

第 16 條 GDPR. 更正權

Article 16 GDPR. Right to rectification

第 17 條 GDPR. 刪除權（「被遺忘權」）

Article 17 GDPR. Right to erasure (‘right to be forgotten’)

第 18 條 GDPR. 限制處理權

Article 18 GDPR. Right to restriction of processing

第 19 條 GDPR. 關於更正或刪除個人資料或限制處理之通知義務

Article 19 GDPR. Notification obligation regarding rectification or erasure of personal data or restriction of processing

第 20 條 GDPR. 資料可攜性權利

Article 20 GDPR. Right to data portability

第 21 條 GDPR. 拒絕權

Article 21 GDPR. Right to object

第 22 條 GDPR. 個人化之自動決策，包括建檔

Article 22 GDPR. Automated individual decision-making, including profiling

第 34 條 GDPR. 向資料主體為個人資料侵害之溝通

Article 34 GDPR. Communication of a personal data breach to the data subject

(a) 國家安全；

(a) national security;

指南和案例法

(EN)

Case Law

CJEU, La Quadrature du Net et al./Premier ministre et al., C-511/18, C-512/18, C-520/18 (2020).

CJEU, Privacy International/Secretary of State for Foreign and Commonwealth Affairs, C-623/17 (2020).

(b) 防禦；

(b) defence;

(c)公共安全；

(c) public security;

(d) 預防、調查、偵查及追訴刑事犯罪或執行刑罰，包括為維護及預防對公共安全造成威脅者；

(d) the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;

(e) 歐盟或會員國之一般公共利益的其他重要宗旨，尤其是歐盟或會員國之重要經濟或金融利益，包括財政、預算及稅負、公共衛生及社會安全；

(e) other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation a matters, public health and social security;

(f) 司法獨立性及司法程序之保障；

(f) the protection of judicial independence and judicial proceedings;

(g) 預防、調查、偵查及追訴違反特定職業之道德規範；

(g) the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;

(h)依第 a 至 e 點及第 g 點所定情事，公務機關行使其監督、檢查或監管功能，即使係不定期性者；

(h) a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in points (a) to (e) and (g);

(i)保護資料主體或他人之權利及自由之保障；

(i) the protection of the data subject or the rights and freedoms of others;

(j) 民事請求之執行。

(j) the enforcement of civil law claims.

2. 尤其是，第 1 項所定之任何合法措施於相關情況下，應至少包含下列各款具體規定：

2. In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions at least, where relevant, as to:

(a) 處理之目的或處理之類型；

(a) the purposes of the processing or categories of processing;

(b)個人資料之類別；

(b) the categories of personal data;

(c) 採用限制之範圍；

(c) the scope of the restrictions introduced;

(d) 防止濫用或非法接近使用或移轉之保護措施；

(d) the safeguards to prevent abuse or unlawful access or transfer;

(e) 控管者之標準或控管者之類型；

(e) the specification of the controller or categories of controllers;

(f) 儲存期間及考量到處理本質、範圍及目的之適當保護措施或處理類型；

(f) the storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing;

Guidelines 4/2019 on Article 25 Data Protection by Design and by Default Version 2.0.

2.1.3.3 “nature, scope, context and purpose of processing”

28. In short, the concept of nature can be understood as the inherent[11] characteristics of the processing. The scope refers to the size and range of the processing. The context relates to the circumstances of the processing, which may influence the expectations of the data subject, while the purpose pertains to the aims of the processing.

_{[11] Examples are special categories personal data, automatic decision-making, skewed power relations, unpredictable processing, difficulties for the data subject to exercise the rights, etc.}

(g)資料主體權利及自由之風險；及

(g) the risks to the rights and freedoms of data subjects; and

(h) 資料主體關於該限制之知悉權，但限制之目的得優先於該權利者除外。

(h) the right of data subjects to be informed about the restriction, unless that may be prejudicial to the purpose of the restriction.

通用数据保护条例(EU GDPR)

Source: https://www.ndc.gov.tw/Content_List.aspx?n=F98A8C27A0F54C30

General Data Protection Regulation (EU GDPR)

The latest consolidated version of the Regulation with corrections by Corrigendum, OJ L 127, 23.5.2018, p. 2 ((EU) 2016/679). Source: EUR-lex.

献技指南和案例法发表评论

献技

(73) 關於特定原則與資訊權、接近使用權、更正或刪除個人資料之權利、資料可攜性之權利、拒絕權、基於建檔之決策、以及對資料主體之個人資料受侵害時之溝通與控管者之特定義務，於下述範圍內，歐盟法或會員國法得施加限制，亦即：在民主社會中所必要且適度用以維護公眾安全者，包括保護人民生命，特別是自然或人為災害之應變、預防、調查及追訴刑事犯罪或執行刑罰，包括為維護及預防對公共安全造成之威脅、或違反特定職業之道德規範、歐盟或會員國之一般公共利益的其他重要宗旨，尤其是歐盟或會員國之重要經濟或金融利益、為一般公共利益為由所留存之公共紀錄之保存、進階處理已歸檔之個人資料以提供有關前極權主義國家機制下之政治行為之特定資訊、或保護資料主體或其他人之權利及自由，包括社會保護、公共衛生與人道目的。此等限制應合乎憲章及歐洲保護人權與基本自由公約所定之要求。

(73) Restrictions concerning specific principles and the rights of information, access to and rectification or erasure of personal data, the right to data portability, the right to object, decisions based on profiling, as well as the communication of a personal data breach to a data subject and certain related obligations of the controllers may be imposed by Union or Member State law, as far as necessary and proportionate in a democratic society to safeguard public security, including the protection of human life especially in response to natural or manmade disasters, the prevention, investigation and prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security, or of breaches of ethics for regulated professions, other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, the keeping of public registers kept for reasons of general public interest, further processing of archived personal data to provide specific information related to the political behaviour under former totalitarian state regimes or the protection of the data subject or the rights and freedoms of others, including social protection, public health and humanitarian purposes. Those restrictions should be in accordance with the requirements set out in the Charter and in the European Convention for the Protection of Human Rights and Fundamental Freedoms.

指南和案例法

(EN)

Documents

EDPB, Statement on Restrictions on Data Subject Rights in Connection to the State of Emergency in Member States (2020).

EDPB, Guidelines 10/2020 on Restrictions under Article 23 GDPR (2020).

Case Law

CJEU, Draft Agreement between Canada and the European Union, opinion 1/15 (2017).

发表评论

[js-disqus]