目录
GDPR > 第 32 條. 處理之安全
下载PDF

第 32 條 GDPR. 處理之安全

Article 32 GDPR. Security of processing

1. 考量現有技術、執行成本、處理之本質、範圍、脈絡及目的與對 當事人權利及自由之風險變動之可能性與嚴重性,控管者及處理者應 執行採取適當之科技化且有組織的措施,以確保對於風險之適當安全 程度,包括但不限於適當之如下事項:

1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

正式文件和决定 连接数

(a) 個人資料之假名化及加密;

(a) the pseudonymisation and encryption of personal data;

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph to article 32(1)(a) GDPR:

7.4.5 PII de-identification and deletion at the end of processing

Control

The organization should either delete PII or render it in a form which does not permit identification or re-identification of PII principals, as soon as the original PII is no longer necessary for the identified purpose(s).

Implementation guidance

The organization should have mechanisms to erase the PII when no further processing is anticipated.


访问全文

正式文件和决定

(b) 確保處理系統及服務持續之機密性、完整性、可用性及彈性之能 力;

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added a requirement additional to ISO/IEC 27001, section 6.1.2.

Here is the relevant paragraphs to article 32(1)(b) GDPR:

5.4.1.2 Information security risk assessment

6.1.2 c) 1) is refined as follows:

The organization shall apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability, within the scope of the PIMS.


访问全文

(c) 在物理性或技術性事件中及時回復個人資料可用性及可接近性之 能力;

(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added a requirement additional to ISO/IEC 27002, section 12.3.1.

Here is the relevant paragraphs to article 32(1)(c) GDPR:

6.9.3.1 Information backup

Implementation guidance

The organization should have a policy which addresses the requirements for backup, recovery and restoration of PII (which can be part of an overall information backup policy) and any further requirements (e.g. contractual and/or legal requirements) for the erasure of PII contained in information held for backup requirements.


访问全文

(d) 定期測試,評估並衡量確保處理安全性之科技化且有組織之措施 之有效性。

(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added a requirement additional to ISO/IEC 27002, section 18.2.1.

Here is the relevant paragraphs to article 32(1)(d) GDPR:

6.15.2.1 Independent review of information security

Implementation guidance

Where an organization is acting as a PII processor, and where individual customer audits are impractical or can increase risks to security, the organization should make available to customers, prior to entering into, and for the duration of, a contract, independent evidence that information security is implemented and operated in accordance with the organization’s policies and procedures.


访问全文

2. 於衡量適當之安全程度時,尤其應考量因處理而造成之風險,特 別是來自意外或非法破壞、損失、改變、未獲授權之揭露、或經傳輸、 儲存或其他處理之個人資料之接近權。

2. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added a requirement additional to ISO/IEC 27001, section 4.3.

Here is the relevant paragraphs to article 32(2) GDPR:

5.2.3 Determining the scope of the information security management system

When determining the scope of the PIMS, the organization shall include the processing of PII.


访问全文

前言

(83) 為維持安全性與預防資料處理違反本規則,控管者或處理者應 評估與處理相關之風險,並執行相關措施以降低風險,例如加密。該 等措施應確保適當之安全程度,包括機密性,且考慮到有關欲保護之 個人資料的風險及本質之現有技術狀況與執行費用。於衡量資料安全 風險時,應考慮因個人資料處理所造成之風險,例如意外或非法破壞、 遺失、變更、未獲授權之揭露或接近使用、個人資料之傳輸、儲存或 其他可能特別引起身體上、物質上或非物質上之損害。

(83) In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected. In assessing data security risk, consideration should be given to the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed which may in particular lead to physical, material or non-material damage.

3. 恪守第 40 條所稱經核准之行為守則或第 42 條所稱經核准之認證 機制,得作為顯示遵循本條第 1 項要求之斟酌因素之一。

3. Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added a requirement additional to ISO/IEC 27001, section 4.1.

Here is the relevant paragraph to article 32(3) GDPR:

5.2.1 Understanding the organization and its context

The organization shall include among its interested parties (see ISO/IEC 27001:2013, 4.2), those parties having interests or responsibilities associated with the processing of PII, including the PII principals.


访问全文

连接数

4. 控管者及處理者應採取行動,確保任何受該取得個人資料之控管 者或處理者指揮之個人不得為指示外之處理,但其受歐盟法或會員國 法要求而為之者,不在此限。

4. The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph to article 32(4) GDPR:

7.2.1 Identify and document purpose

Control

The organization should identify and document the specific purposes for which the PII will be processed.

Implementation guidance

The organization should ensure that PII principals understand the purpose for which their PII is processed. It is the responsibility of the organization to clearly document and communicate this to PII principals.


访问全文

前言 正式文件和决定 发表评论
前言

(83) 為維持安全性與預防資料處理違反本規則,控管者或處理者應 評估與處理相關之風險,並執行相關措施以降低風險,例如加密。該 等措施應確保適當之安全程度,包括機密性,且考慮到有關欲保護之 個人資料的風險及本質之現有技術狀況與執行費用。於衡量資料安全 風險時,應考慮因個人資料處理所造成之風險,例如意外或非法破壞、 遺失、變更、未獲授權之揭露或接近使用、個人資料之傳輸、儲存或 其他可能特別引起身體上、物質上或非物質上之損害。

(83) In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected. In assessing data security risk, consideration should be given to the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed which may in particular lead to physical, material or non-material damage.

(74) 有關控管者或其代表所為任何個人資料處理之控管者責任與義 務應予確立。尤其,控管者有義務執行適當且有效之措施,並可證明 其處理活動符合本規則,包括該措施之有效性。該措施應考量資料處 理之本質、範圍、過程與目的,以及對當事人權利與自由之風險。

(74) The responsibility and liability of the controller for any processing of personal data carried out by the controller or on the controller's behalf should be established. In particular, the controller should be obliged to implement appropriate and effective measures and be able to demonstrate the compliance of processing activities with this Regulation, including the effectiveness of the measures. Those measures should take into account the nature, scope, context and purposes of the processing and the risk to the rights and freedoms of natural persons.

(75) 當事人之權利及自由所受之諸多可能且嚴重之風險,可能起因 自處理個人資料,並造成身體上、物質上、或非物質上之損害,尤其 是於下述情形時:當處理可能造成歧視、身分盜用或詐欺、金融損失、 名譽損害、受職業性秘密保護之個人資料之機密性喪失、假名化未授 權撤銷、或其他任何顯著之經濟性或社會性之不利益時;當資料主體 之權利或自由可能受到剝奪或被排除在自己之個人資料控制權之外 時;當個人資料處理涉及揭露種族或人種、政治意見、宗教或哲學信 仰、貿易聯盟會員、以及基因資料之處理、有關健康之資料或有關性 生活或前科及犯罪或相關保安措施之資料時;當個人特徵受到評估, 尤其是為了建檔或使用個人檔案,分析或預測有關工作表現、經濟狀 況、健康、個人偏好或興趣、可信度或行為、地點或動向等個人特徵 時;當處理易受傷害之個人(尤其是兒童)之個人資料時;或當該處 理會牽涉大量個人資料並影響大量資料主體時。

(85) Нарушение безопасности персональных данных, если оно не было надлежащим образом и вовремя устранено, может повлечь физический, материальный или моральный вред физическим лицам, как, например, потеря контроля над их персональными данными или ограничение их прав, дискриминация, кража личности или ее мошенническое использование, финансовые потери, несанкционированная повторная идентификация псевдонимизированных данных, ущерб репутации, нарушение конфиденциальности персональных данных, защищенных профессиональной тайной, или любой другой значительный экономический или социальный вред, нанесенный физическому лицу. Поэтому, как только контролёру становится известно о нарушении безопасности персональных данных, он обязан уведомить о таком нарушении надзорный орган без неоправданной задержки и, по возможности, не позднее 72 часов, за исключением случаев, когда контролёр может подтвердить, в соответствии с принципом подотчетности, что нарушение безопасности персональных данных с малой вероятностью может представлять риск нарушения прав и свобод физических лиц. В случаях, когда подобное уведомление не может быть сделано в течение 72 часов, причины такой задержки должны сопровождать уведомление и информация может предоставляться поэтапно без дополнительной задержки.

(76) 資料主體之權利與自由所受風險之嚴重性及可能性應參考資料 處理之本質、範圍、過程與目的定之。風險應在客觀評鑑基礎上被評 估,並藉以確定資料處理活動是否有風險或有高度風險。

(76) The likelihood and severity of the risk to the rights and freedoms of the data subject should be determined by reference to the nature, scope, context and purposes of the processing. Risk should be evaluated on the basis of an objective assessment, by which it is established whether data processing operations involve a risk or a high risk.

(77) 有關執行適當措施與有關控管者或處理者所應遵守規範之指導 原則(尤其是有關資料處理所涉及之風險的識別,對於其來源、本質、 可能性與嚴重性、以及降低風險之最佳方法),得被以特別是下列方 式提供,亦即得以經核准之行為守則、經核准之認證、委員會提供指 導原則或資料保護員之指示等方式提供。委員會亦得頒布較不可能導 致對於權利或自由有高風險之處理活動的指導原則,並指出何種措施 足以解決此等風險。

(77) Guidance on the implementation of appropriate measures and on the demonstration of compliance by the controller or the processor, especially as regards the identification of the risk related to the processing, their assessment in terms of origin, nature, likelihood and severity, and the identification of best practices to mitigate the risk, could be provided in particular by means of approved codes of conduct, approved certifications, guidelines provided by the Board or indications provided by a data protection officer. The Board may also issue guidelines on processing operations that are considered to be unlikely to result in a high risk to the rights and freedoms of natural persons and indicate what measures may be sufficient in such cases to address such risk.

正式文件和决定 发表评论