导航
GDPR > 第 33 條. 向監管機關進行個人資料侵害之通報
下载PDF

第 33 條 GDPR. 向監管機關進行個人資料侵害之通報

Article 33 GDPR. Notification of a personal data breach to the supervisory authority

1. 於個人資料侵害發生時,控管者即應依第 55 條向監管機關通報, 不得無故遲延,且如可能,應於發現後 72 小時內通報,但個人資料 侵害無造成對當事人權利及自由之風險時,不在此限。於未於 72 小 時內向監管機關通報之情形,通報應附遲延之理由。

1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

相关文章

2. 發現個人資料侵害後,處理者應通報控管者,不得無故遲延。

2. The processor shall notify the controller without undue delay after becoming aware of a personal data breach.

3. 第 1 項之通報至少應:

3. The notification referred to in paragraph 1 shall at least:

(a) 描述個人資料侵害之本質,如有可能,應包括相關資料主體之類 型及大致數量,及相關個人資料紀錄之類型及大致數量;

(a) describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;

(b) 告知資料保護員之姓名及聯絡細節,或其他得獲得更多資訊之聯 絡者;

(b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;

(c) 描述個人資料侵害之可能結果;

(c) describe the likely consequences of the personal data breach;

(d) 描述控管者已採取或預計採取用以處理個人資料侵害之措施,如 適當,應包括降低可能不利影響之措施。

(d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

4. 於目前無法同時提供資訊時,資訊應分階段提供,不得有進一步 之無故遲延。

4. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.

5. 控管者應記載任何個人資料侵害,包括與個人資料侵害相關之事 實、其影響及已採取之救濟措施。該等記載應得由監管機關查驗是否 與本條相符。

5. The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with this Article.

ISO 27701 献技 指南和案例法 发表评论
ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added a requirement additional to ISO/IEC 27002, section 16.1.1.

Here is the relevant paragraph to article 33 GDPR:

6.13.1.1 Responsibilities and procedures

Implementation guidance

As part of the overall information security incident management process, the organization should establish responsibilities and procedures for the identification and recording of breaches of PII. Additionally, the organization should establish responsibilities and procedures related to notification to required parties of PII breaches (including the timing of such notifications) and the disclosure to authorities, taking into account the applicable legislation and/or regulation.


访问全文

献技

(75) 當事人之權利及自由所受之諸多可能且嚴重之風險,可能起因 自處理個人資料,並造成身體上、物質上、或非物質上之損害,尤其 是於下述情形時:當處理可能造成歧視、身分盜用或詐欺、金融損失、 名譽損害、受職業性秘密保護之個人資料之機密性喪失、假名化未授 權撤銷、或其他任何顯著之經濟性或社會性之不利益時;當資料主體 之權利或自由可能受到剝奪或被排除在自己之個人資料控制權之外 時;當個人資料處理涉及揭露種族或人種、政治意見、宗教或哲學信 仰、貿易聯盟會員、以及基因資料之處理、有關健康之資料或有關性 生活或前科及犯罪或相關保安措施之資料時;當個人特徵受到評估, 尤其是為了建檔或使用個人檔案,分析或預測有關工作表現、經濟狀 況、健康、個人偏好或興趣、可信度或行為、地點或動向等個人特徵 時;當處理易受傷害之個人(尤其是兒童)之個人資料時;或當該處 理會牽涉大量個人資料並影響大量資料主體時。

(75) The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage; where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data; where personal data are processed which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, and the processing of genetic data, data concerning health or data concerning sex life or criminal convictions and offences or related security measures; where personal aspects are evaluated, in particular analysing or predicting aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, in order to create or use personal profiles; where personal data of vulnerable natural persons, in particular of children, are processed; or where processing involves a large amount of personal data and affects a large number of data subjects.

(85) 若未受到適當且及時之處理,個人資料之侵害可能造成當事人 之身體上、物質上或非物質上損害,例如喪失對其個人資料之控制或 對其權利之限制、歧視、身分盜用或詐欺、金融損失、假名化未授權 撤銷、名譽損害、受職業性秘密保護之個人資料之機密性喪失、或其 他任何對於所涉當事人之顯著經濟性或社會性之不利益。因此,一旦 控管者發現個人資料侵害已然發生,即應向監管機關通報,不得無故 遲延,且若可能,應於發現後 72 小時內通報,但控管者得證明依照 歸責原則該個人資料之侵害不可能造成當事人之權利與自由的風險 者,不在此限。當該通知無法於 72 小時內到達時,遲延之原因應與 通知一併提供,且不得有更進一步無故遲延。

(85) A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned. Therefore, as soon as the controller becomes aware that a personal data breach has occurred, the controller should notify the personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the controller is able to demonstrate, in accordance with the accountability principle, that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where such notification cannot be achieved within 72 hours, the reasons for the delay should accompany the notification and information may be provided in phases without undue further delay.

(87) 應查明是否已實行所有適當之技術保護與組織措施以立即確定 個人資料侵害是否發生並快速通知監管機關與資料主體。該通知非無 故遲延之事實尤需考量對個人資料侵害之本質與嚴重性及其對資料 主體之結果與不利影響。該通知可能導致監管機關依據本規則所定任 務與權力之介入。

(87) It should be ascertained whether all appropriate technological protection and organisational measures have been implemented to establish immediately whether a personal data breach has taken place and to inform promptly the supervisory authority and the data subject. The fact that the notification was made without undue delay should be established taking into account in particular the nature and gravity of the personal data breach and its consequences and adverse effects for the data subject. Such notification may result in an intervention of the supervisory authority in accordance with its tasks and powers laid down in this Regulation.

(88) 在訂定個人資料侵害之通知所適用關於形式上及程序上之細節 性規定時,應適當考量侵害之情形,包括個人資料是否已受到適當技 術保護措施之保護、有效限制身分詐騙或其他形式濫用之可能性。此 外,當及早揭露可能會無謂妨礙對於個人資料侵害情形之調查者,該 等規定與程序應考量執法機關之正當利益。

(88) In setting detailed rules concerning the format and procedures applicable to the notification of personal data breaches, due consideration should be given to the circumstances of that breach, including whether or not personal data had been protected by appropriate technical protection measures, effectively limiting the likelihood of identity fraud or other forms of misuse. Moreover, such rules and procedures should take into account the legitimate interests of law-enforcement authorities where early disclosure could unnecessarily hamper the investigation of the circumstances of a personal data breach.

指南和案例法 发表评论
[js-disqus]