第 33 條 GDPR. 向監管機關進行個人資料侵害之通報
Article 33 GDPR. Notification of a personal data breach to the supervisory authority
1. 於個人資料侵害發生時,控管者即應依第 55 條向監管機關通報, 不得無故遲延,且如可能,應於發現後 72 小時內通報,但個人資料 侵害無造成對當事人權利及自由之風險時,不在此限。於未於 72 小 時內向監管機關通報之情形,通報應附遲延之理由。
1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
[…]
[…]
3. 第 1 項之通報至少應:
3. The notification referred to in paragraph 1 shall at least:
[…]
[…]
(b) 告知資料保護員之姓名及聯絡細節,或其他得獲得更多資訊之聯 絡者;
(b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
(c) 描述個人資料侵害之可能結果;
(c) describe the likely consequences of the personal data breach;
(d) 描述控管者已採取或預計採取用以處理個人資料侵害之措施,如 適當,應包括降低可能不利影響之措施。
(d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
“Clear and plain language”
With written information (and where written information is delivered orally, or by audio/ audiovisual methods, including for vision-impaired data subjects), best practices for clear writing should be followed.11 A similar language requirement (for “plain, intelligible language”) has previously been used by the EU legislator12 and is also explicitly referred to in the context of consent in Recital 42 of the GDPR13. The requirement for clear and plain language means that information should be provided in as simple a manner as possible, avoiding complex sentence and language structures. The information should be concrete and definitive; it should not be phrased in abstract or ambivalent terms or leave room for different interpretations. In particular the purposes of, and legal basis for, processing the personal data should be clear.
(EN) ISO/IEC 27701, adopted in 2019, added a requirement additional to ISO/IEC 27002, section 16.1.1.
Here is the relevant paragraph to article 34 GDPR:
6.13.1.1 Responsibilities and procedures
Implementation guidance
As part of the overall information security incident management process, the organization should establish responsibilities and procedures for the identification and recording of breaches of PII. Additionally, the organization should establish responsibilities and procedures related to notification to required parties of PII breaches (including the timing of such notifications) and the disclosure to authorities, taking into account the applicable legislation and/or regulation.
…
登入
访问全文