导航
GDPR > 第 24 條. 主旨與立法目的
下载PDF

第 24 條 GDPR. 主旨與立法目的

Article 24 GDPR. Subject-matter and objectives

1. 考量到處理之性質、範圍、內容及目的以及當事人之權利及自由 所受之諸多可能且嚴重之風險,控管者應實施適當科技化且有組織的 措施以確保並得證明其處理符合本規則規定。該等措施應得予審視, 且必要時應予更新。

1. Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph to article 24(1) GDPR:

7.2.8 Records related to processing PII

Control

The organization should determine and securely maintain the necessary records in support of its obligations for the processing of PII.

Implementation guidance

A way to maintain records of the processing of PII is to have an inventory or list of the PII processing activities that the organization performs.


访问全文

相关文章

2. 與處理活動相適當之情況下,第 1 項所定措施應包括控管者適當 資料保護政策之實施。

2. Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller.

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added a requirement additional to ISO/IEC 27002, section 5.1.1.

Here is the relevant paragraph to article 24(2) GDPR:

6.2.1.1 Policies for information security

Implementation guidance

Either by the development of separate privacy policies, or by the augmentation of information security policies, the organization should produce a statement concerning support for and commitment to achieving compliance with applicable PII protection legislation and/or regulation and with the contractual terms agreed between the organization and its partners, its subcontractors and its applicable third parties (customers, suppliers etc.), which should clearly allocate responsibilities between them.


访问全文

3. 遵守第 40 條所定經批准之行為守則或第 42 條所定經核准之認證 機制得作為控管者遵守其義務之證明。

3. Adherence to approved codes of conduct as referred to in Article 40 or approved certification mechanisms as referred to in Article 42 may be used as an element by which to demonstrate compliance with the obligations of the controller.

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added a requirement additional to ISO/IEC 27001, section 4.1.

Here is the relevant paragraph to article 24(3) GDPR:

5.2.1 Understanding the organization and its context

The organization shall include among its interested parties (see ISO/IEC 27001:2013, 4.2), those parties having interests or responsibilities associated with the processing of PII, including the PII principals.


访问全文

相关文章
專家評論 献技 指南和案例法 发表评论
專家評論

(EN) A controller is a person or an organization that determines the personal data to process and the purposes and means of the processing (Article 4(7)). The definition rightly points to the decision-making capacity of the entity that “decides why and how data will be processed” (ULD Schleswig-Holstein/Wirtschaftsakademie, Opinion of Advocate General).


访问全文

(EN) Author
Louis-Philippe Gratton
(EN) Louis-Philippe Gratton PhD, LLM
(EN) Privacy Expert
献技

(74) 有關控管者或其代表所為任何個人資料處理之控管者責任與義 務應予確立。尤其,控管者有義務執行適當且有效之措施,並可證明 其處理活動符合本規則,包括該措施之有效性。該措施應考量資料處 理之本質、範圍、過程與目的,以及對當事人權利與自由之風險。

(74) The responsibility and liability of the controller for any processing of personal data carried out by the controller or on the controller's behalf should be established. In particular, the controller should be obliged to implement appropriate and effective measures and be able to demonstrate the compliance of processing activities with this Regulation, including the effectiveness of the measures. Those measures should take into account the nature, scope, context and purposes of the processing and the risk to the rights and freedoms of natural persons.

(75) 當事人之權利及自由所受之諸多可能且嚴重之風險,可能起因 自處理個人資料,並造成身體上、物質上、或非物質上之損害,尤其 是於下述情形時:當處理可能造成歧視、身分盜用或詐欺、金融損失、 名譽損害、受職業性秘密保護之個人資料之機密性喪失、假名化未授 權撤銷、或其他任何顯著之經濟性或社會性之不利益時;當資料主體 之權利或自由可能受到剝奪或被排除在自己之個人資料控制權之外 時;當個人資料處理涉及揭露種族或人種、政治意見、宗教或哲學信 仰、貿易聯盟會員、以及基因資料之處理、有關健康之資料或有關性 生活或前科及犯罪或相關保安措施之資料時;當個人特徵受到評估, 尤其是為了建檔或使用個人檔案,分析或預測有關工作表現、經濟狀 況、健康、個人偏好或興趣、可信度或行為、地點或動向等個人特徵 時;當處理易受傷害之個人(尤其是兒童)之個人資料時;或當該處 理會牽涉大量個人資料並影響大量資料主體時。

(75) The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage; where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data; where personal data are processed which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, and the processing of genetic data, data concerning health or data concerning sex life or criminal convictions and offences or related security measures; where personal aspects are evaluated, in particular analysing or predicting aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, in order to create or use personal profiles; where personal data of vulnerable natural persons, in particular of children, are processed; or where processing involves a large amount of personal data and affects a large number of data subjects.

(76) 資料主體之權利與自由所受風險之嚴重性及可能性應參考資料 處理之本質、範圍、過程與目的定之。風險應在客觀評鑑基礎上被評 估,並藉以確定資料處理活動是否有風險或有高度風險。

(76) The likelihood and severity of the risk to the rights and freedoms of the data subject should be determined by reference to the nature, scope, context and purposes of the processing. Risk should be evaluated on the basis of an objective assessment, by which it is established whether data processing operations involve a risk or a high risk.

(77) 有關執行適當措施與有關控管者或處理者所應遵守規範之指導 原則(尤其是有關資料處理所涉及之風險的識別,對於其來源、本質、 可能性與嚴重性、以及降低風險之最佳方法),得被以特別是下列方 式提供,亦即得以經核准之行為守則、經核准之認證、委員會提供指 導原則或資料保護員之指示等方式提供。委員會亦得頒布較不可能導 致對於權利或自由有高風險之處理活動的指導原則,並指出何種措施 足以解決此等風險。

(77) Guidance on the implementation of appropriate measures and on the demonstration of compliance by the controller or the processor, especially as regards the identification of the risk related to the processing, their assessment in terms of origin, nature, likelihood and severity, and the identification of best practices to mitigate the risk, could be provided in particular by means of approved codes of conduct, approved certifications, guidelines provided by the Board or indications provided by a data protection officer. The Board may also issue guidelines on processing operations that are considered to be unlikely to result in a high risk to the rights and freedoms of natural persons and indicate what measures may be sufficient in such cases to address such risk.

(83) 為維持安全性與預防資料處理違反本規則,控管者或處理者應 評估與處理相關之風險,並執行相關措施以降低風險,例如加密。該 等措施應確保適當之安全程度,包括機密性,且考慮到有關欲保護之 個人資料的風險及本質之現有技術狀況與執行費用。於衡量資料安全 風險時,應考慮因個人資料處理所造成之風險,例如意外或非法破壞、 遺失、變更、未獲授權之揭露或接近使用、個人資料之傳輸、儲存或 其他可能特別引起身體上、物質上或非物質上之損害。

(83) In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected. In assessing data security risk, consideration should be given to the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed which may in particular lead to physical, material or non-material damage.

指南和案例法 发表评论
[js-disqus]