GDPR > 第 34 條. 向資料主體為個人資料侵害之溝通

第 34 條 GDPR. 向資料主體為個人資料侵害之溝通

Article 34 GDPR. Communication of a personal data breach to the data subject

1. 於個人資料侵害可能導致當事人權利及自由之高風險時,控管者 應與資料主體溝通個人資料侵害,不得無故遲延。

1. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.

2. 本條第 1 項所稱向資料主體之溝通,應以清楚簡易之語言描述個 人資料侵害,並至少包括第 33 條第 3 項第(b)、(c)、及(d)點之資訊及 措施。

2. The communication to the data subject referred to in paragraph 1 of this Article shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to in points (b), (c) and (d) of Article 33(3).


3. 第 1 項所稱向資料主體之溝通,遇有符合下列條件之一者,應無 須被要求為之:

3. The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met:

(a) 控管者已執行適當之科技化與有組織之措施,且該等措施已適用 於受個人資料侵害影響之個人資料,尤其已使未獲授權接近使用之人 無法識別個人資料者,如加密;

(a) the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;

(b) 控管者已採取後續措施,確保第 1 項所稱對資料主體權利及自由 之高風險已不會實現;

(b) the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise;

(c) 涉及不符比例之努力。於此情形,應有公共溝通或類似措施取代 之,使資料主體獲相同有效之通知。

(c) it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

4. 於控管者尚未向資料主體溝通個人資料侵害時,監管機關得考量 個人資料侵害可能導致高風險,要求控管者進行溝通或認定第 3 項之 任一條件已符合。

4. If the controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so or may decide that any of the conditions referred to in paragraph 3 are met.

ISO 27701 献技 指南和案例法 发表评论
ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added a requirement additional to ISO/IEC 27002, section 16.1.1.

Here is the relevant paragraph to article 34 GDPR: Responsibilities and procedures

Implementation guidance

As part of the overall information security incident management process, the organization should establish responsibilities and procedures for the identification and recording of breaches of PII. Additionally, the organization should establish responsibilities and procedures related to notification to required parties of PII breaches (including the timing of such notifications) and the disclosure to authorities, taking into account the applicable legislation and/or regulation.



(75) 當事人之權利及自由所受之諸多可能且嚴重之風險,可能起因 自處理個人資料,並造成身體上、物質上、或非物質上之損害,尤其 是於下述情形時:當處理可能造成歧視、身分盜用或詐欺、金融損失、 名譽損害、受職業性秘密保護之個人資料之機密性喪失、假名化未授 權撤銷、或其他任何顯著之經濟性或社會性之不利益時;當資料主體 之權利或自由可能受到剝奪或被排除在自己之個人資料控制權之外 時;當個人資料處理涉及揭露種族或人種、政治意見、宗教或哲學信 仰、貿易聯盟會員、以及基因資料之處理、有關健康之資料或有關性 生活或前科及犯罪或相關保安措施之資料時;當個人特徵受到評估, 尤其是為了建檔或使用個人檔案,分析或預測有關工作表現、經濟狀 況、健康、個人偏好或興趣、可信度或行為、地點或動向等個人特徵 時;當處理易受傷害之個人(尤其是兒童)之個人資料時;或當該處 理會牽涉大量個人資料並影響大量資料主體時。

(75) The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage; where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data; where personal data are processed which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, and the processing of genetic data, data concerning health or data concerning sex life or criminal convictions and offences or related security measures; where personal aspects are evaluated, in particular analysing or predicting aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, in order to create or use personal profiles; where personal data of vulnerable natural persons, in particular of children, are processed; or where processing involves a large amount of personal data and affects a large number of data subjects.

(86) 當個人資料侵害可能造成當事人之權利或自由之高度風險,為 了使其得以採取必要之防範措施,控管者應與資料主體溝通個人資料 之侵害,不得無故遲延。該溝通應描述個人資料侵害之本質及對該當 事人降低潛在不利影響之建議。此種對資料主體之溝通應儘快、合理、 可行,且與監管機關密切合作,遵守監管機關或其他相關機關如執法 機關之指導。例如,降低損害之立即風險的需求即需要立刻與資料主 體溝通,但執行適當措施以對抗繼續或類似的個人資料侵害之需求則 得正當化較長之溝通時間。

(86) The controller should communicate to the data subject a personal data breach, without undue delay, where that personal data breach is likely to result in a high risk to the rights and freedoms of the natural person in order to allow him or her to take the necessary precautions. The communication should describe the nature of the personal data breach as well as recommendations for the natural person concerned to mitigate potential adverse effects. Such communications to data subjects should be made as soon as reasonably feasible and in close cooperation with the supervisory authority, respecting guidance provided by it or by other relevant authorities such as law-enforcement authorities. For example, the need to mitigate an immediate risk of damage would call for prompt communication with data subjects whereas the need to implement appropriate measures against continuing or similar personal data breaches may justify more time for communication.

(87) 應查明是否已實行所有適當之技術保護與組織措施以立即確定 個人資料侵害是否發生並快速通知監管機關與資料主體。該通知非無 故遲延之事實尤需考量對個人資料侵害之本質與嚴重性及其對資料 主體之結果與不利影響。該通知可能導致監管機關依據本規則所定任 務與權力之介入。

(87) It should be ascertained whether all appropriate technological protection and organisational measures have been implemented to establish immediately whether a personal data breach has taken place and to inform promptly the supervisory authority and the data subject. The fact that the notification was made without undue delay should be established taking into account in particular the nature and gravity of the personal data breach and its consequences and adverse effects for the data subject. Such notification may result in an intervention of the supervisory authority in accordance with its tasks and powers laid down in this Regulation.

(88) 在訂定個人資料侵害之通知所適用關於形式上及程序上之細節 性規定時,應適當考量侵害之情形,包括個人資料是否已受到適當技 術保護措施之保護、有效限制身分詐騙或其他形式濫用之可能性。此 外,當及早揭露可能會無謂妨礙對於個人資料侵害情形之調查者,該 等規定與程序應考量執法機關之正當利益。

(88) In setting detailed rules concerning the format and procedures applicable to the notification of personal data breaches, due consideration should be given to the circumstances of that breach, including whether or not personal data had been protected by appropriate technical protection measures, effectively limiting the likelihood of identity fraud or other forms of misuse. Moreover, such rules and procedures should take into account the legitimate interests of law-enforcement authorities where early disclosure could unnecessarily hamper the investigation of the circumstances of a personal data breach.

指南和案例法 发表评论