导航
GDPR > 第 35 條. 資料保護影響評估
下载PDF

第 35 條 GDPR. 資料保護影響評估

Article 35 GDPR. Data protection impact assessment

1. 於特別使用新科技之處理方式,且考量該處理之本質、範圍、使 用情形及目的後,認為該處理可能導致自然人之權利及自由的高度風 險時,控管者應於處理前,實行該處理對於個人資料保護之影響評估。 單一評估得針對一系列呈現相似高風險之類似處理。

1. Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII processors.

Here is the relevant paragraph to articles 35(1) GDPR:

8.2.1 Customer agreement

Control

The organization should ensure, where relevant, that the contract to process PII addresses the organization’s role in providing assistance with the customer’s obligations (taking into account the nature of processing and the information available to the organization).

Implementation guidance

The contract between the organization and the customer should include the following wherever relevant, and depending on the customer’s role (PII controller or PII processor) (this list is neither definitive nor exhaustive):


访问全文

相关文章

2. 實行資料保護影響評估時,控管者應尋求資料保護員之意見。

2. The controller shall seek the advice of the data protection officer, where designated, when carrying out a data protection impact assessment.

3. 第 1 項所稱資料保護影響評估於下列情形應特別被要求:

3. A data protection impact assessment referred to in paragraph 1 shall in particular be required in the case of:

(a) 關於自然人之系統性及大規模的個人特質評估,而該評估是基於 自動處理,包含建檔,且基於該評估作成關於該自然人之法律效果或 其他重大影響該自然人之決定;

(a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;

(b) 處理大規模之第 9 條第 1 項所稱之特殊類型個人資料,或關於第 10 條所稱前科及犯罪之個人資料;

(b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or

相关文章

(c) 大規模系統性監督公共區域。

(c) a systematic monitoring of a publicly accessible area on a large scale.

4. 監管機關應建立並公布依第 1 項需要資料保護影響評估之處理類 型清單。監管機關應與第 68 條所稱之委員會溝通該清單。

4. The supervisory authority shall establish and make public a list of the kind of processing operations which are subject to the requirement for a data protection impact assessment pursuant to paragraph 1. The supervisory authority shall communicate those lists to the Board referred to in Article 68.

相关文章

5. 監管機關亦得建立並公布不需要資料保護影響評估之處理類型清 單。監管機關應與委員會溝通該清單。

5. The supervisory authority may also establish and make public a list of the kind of processing operations for which no data protection impact assessment is required. The supervisory authority shall communicate those lists to the Board.

6. 於採用第 4 項及第 5 項所稱之清單前,於該等清單涉及有關提供 商品或服務與資料主體或有關在各會員國監督其行為,或可能實質影 響個人資料於歐盟自由流通等之處理活動時,主管監管機關應適用第 63 條所稱之一致性機制。

6. Prior to the adoption of the lists referred to in paragraphs 4 and 5, the competent supervisory authority shall apply the consistency mechanism referred to in Article 63 where such lists involve processing activities which are related to the offering of goods or services to data subjects or to the monitoring of their behaviour in several Member States, or may substantially affect the free movement of personal data within the Union.

相关文章

7. 評估應至少包含:

7. The assessment shall contain at least:

(a) 擬採用處理之系統性描述及該處理之目的,於可適用之情形,包含控管者追求之合法利益;

(a) a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;

(b)該處理之必要性及比例性與目的間之關係評估;

(b) an assessment of the necessity and proportionality of the processing operations in relation to the purposes;

(c) 對於第 1 項所稱資料主體之權利及自由之風險評估;及

(c) an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and

(d) 應對風險之方式,包含保護措施、保全措施及確保個人資料保護 及符合本規則考慮資料主體及其他相關人員之權利及合法利益之機 制。

(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.

8. 第 40條所稱經核准之行為守則是否為相關控管者或處理者所遵循, 應於評估由該等控管者或處理者所為之處理所造成之影響時,予以慎 重考慮,特別是為資料保護影響評估之目的時。

8. Compliance with approved codes of conduct referred to in Article 40 by the relevant controllers or processors shall be taken into due account in assessing the impact of the processing operations performed by such controllers or processors, in particular for the purposes of a data protection impact assessment.

9. 在不實質影響商業或公共利益之保護或處理之保全的前提下,於適當時,控管者應尋求資料主體或其代表人對於處理之意見。

9. Where appropriate, the controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of processing operations.

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added a requirement additional to ISO/IEC 27001, section 4.2.

Here is the relevant paragraph to article 35(9) GDPR:

5.2.2 Understanding the needs and expectations of interested parties

The organization shall include among its interested parties (see ISO/IEC 27001:2013, 4.2), those parties having interests or responsibilities associated with the processing of PII, including the PII principals.


访问全文

10. 於依第 6 條第 1 項第 c 點或第 e 點之處理有控管者遵循之歐盟法 或會員國法之法律基礎,而該法管制特定處理或有爭議之處理,且資 料保護影響評估已因採用該法律基礎而於概括影響評估中實行時,除 會員國認為有必要於處理活動前實行該評估外,第 1 項至第 7 項不適 用之。

10. Where processing pursuant to point (c) or (e) of Article 6(1) has a legal basis in Union law or in the law of the Member State to which the controller is subject, that law regulates the specific processing operation or set of operations in question, and a data protection impact assessment has already been carried out as part of a general impact assessment in the context of the adoption of that legal basis, paragraphs 1 to 7 shall not apply unless Member States deem it to be necessary to carry out such an assessment prior to processing activities.

相关文章

11. 於必要時,控管者至少應於處理之風險有變化時,審查評估是否 依資料保護影響評估實行處理。

11. Where necessary, the controller shall carry out a review to assess if processing is performed in accordance with the data protection impact assessment at least when there is a change of the risk represented by processing operations.

ISO 27701 献技 指南和案例法 发表评论
ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph to article 35 GDPR:

7.2.5 Privacy impact assessment

Control

The organization should assess the need for, and implement where appropriate, a privacy impact assessment whenever new processing of PII or changes to existing processing of PII is planned.

Implementation guidance

PII processing generates risks for PII principals. These risks should be assessed through a privacy impact assessment.


访问全文

献技

(75) 當事人之權利及自由所受之諸多可能且嚴重之風險,可能起因 自處理個人資料,並造成身體上、物質上、或非物質上之損害,尤其 是於下述情形時:當處理可能造成歧視、身分盜用或詐欺、金融損失、 名譽損害、受職業性秘密保護之個人資料之機密性喪失、假名化未授 權撤銷、或其他任何顯著之經濟性或社會性之不利益時;當資料主體 之權利或自由可能受到剝奪或被排除在自己之個人資料控制權之外 時;當個人資料處理涉及揭露種族或人種、政治意見、宗教或哲學信 仰、貿易聯盟會員、以及基因資料之處理、有關健康之資料或有關性 生活或前科及犯罪或相關保安措施之資料時;當個人特徵受到評估, 尤其是為了建檔或使用個人檔案,分析或預測有關工作表現、經濟狀 況、健康、個人偏好或興趣、可信度或行為、地點或動向等個人特徵 時;當處理易受傷害之個人(尤其是兒童)之個人資料時;或當該處 理會牽涉大量個人資料並影響大量資料主體時。

(85) Нарушение безопасности персональных данных, если оно не было надлежащим образом и вовремя устранено, может повлечь физический, материальный или моральный вред физическим лицам, как, например, потеря контроля над их персональными данными или ограничение их прав, дискриминация, кража личности или ее мошенническое использование, финансовые потери, несанкционированная повторная идентификация псевдонимизированных данных, ущерб репутации, нарушение конфиденциальности персональных данных, защищенных профессиональной тайной, или любой другой значительный экономический или социальный вред, нанесенный физическому лицу. Поэтому, как только контролёру становится известно о нарушении безопасности персональных данных, он обязан уведомить о таком нарушении надзорный орган без неоправданной задержки и, по возможности, не позднее 72 часов, за исключением случаев, когда контролёр может подтвердить, в соответствии с принципом подотчетности, что нарушение безопасности персональных данных с малой вероятностью может представлять риск нарушения прав и свобод физических лиц. В случаях, когда подобное уведомление не может быть сделано в течение 72 часов, причины такой задержки должны сопровождать уведомление и информация может предоставляться поэтапно без дополнительной задержки.

(84) 就處理活動可能造成當事人之權利或自由有高度風險之情形, 為了促進對本規則之遵守,控管者應負責執行資料保護影響評估,以 衡量(特別是)風險的來源、本質、特殊性與嚴重性。為證明個人資 料之處理符合本規則,在決定適當措施時,評估結果應納入考量。當 資料保護影響評估指出處理活動涉及高度風險而控管者無法以現有 技術及執行成本提供適當措施降低風險時,應於處理前徵詢監管機 關。

(84) In order to enhance compliance with this Regulation where processing operations are likely to result in a high risk to the rights and freedoms of natural persons, the controller should be responsible for the carrying-out of a data protection impact assessment to evaluate, in particular, the origin, nature, particularity and severity of that risk. The outcome of the assessment should be taken into account when determining the appropriate measures to be taken in order to demonstrate that the processing of personal data complies with this Regulation. Where a data-protection impact assessment indicates that processing operations involve a high risk which the controller cannot mitigate by appropriate measures in terms of available technology and costs of implementation, a consultation of the supervisory authority should take place prior to the processing.

(89) 歐盟指令第 95/46/EC 號規範了向監管機關通知個人資料處理之 一般性義務。然而該義務造成了行政與財政上之負擔,並非所有情形 都對提升個人資料之保護有所助益。因此,該未加區別之普遍通知義 務應予廢除,並改以注重依處理活動之本質、範圍、脈絡及目的等特 徵區分容易對當事人權利與自由造成高風險之種類的更有效程序與 機制加以取代。該處理活動之種類尤其可能是涉及新技術之使用,或 未曾由控管者實施資料保護影響評估或基於自開始處理所經過之時間而有必要之新類型處理活動。

(89) Directive 95/46/EC provided for a general obligation to notify the processing of personal data to the supervisory authorities. While that obligation produces administrative and financial burdens, it did not in all cases contribute to improving the protection of personal data. Such indiscriminate general notification obligations should therefore be abolished, and replaced by effective procedures and mechanisms which focus instead on those types of processing operations which are likely to result in a high risk to the rights and freedoms of natural persons by virtue of their nature, scope, context and purposes. Such types of processing operations may be those which in, particular, involve using new technologies, or are of a new kind and where no data protection impact assessment has been carried out before by the controller, or where they become necessary in the light of the time that has elapsed since the initial processing.

(90) 在此種情形,控管者應在處理之前進行資料保護影響評估,以 評估高風險之特定可能性與嚴重性,並考量處理之本質、範圍、脈絡 與目的及風險來源。該影響評估尤其應包括預計用以降低風險、確保 個人資料保護與顯示遵循本規則之措施、保護措施與機制。

(90) In such cases, a data protection impact assessment should be carried out by the controller prior to the processing in order to assess the particular likelihood and severity of the high risk, taking into account the nature, scope, context and purposes of the processing and the sources of the risk. That impact assessment should include, in particular, the measures, safeguards and mechanisms envisaged for mitigating that risk, ensuring the protection of personal data and demonstrating compliance with this Regulation.

(91) 此尤其適用於預定處理地區、國家或超國家層級可觀數量之個 人資料,且可能影響大量資料主體並導致高風險之大規模處理活動, 例如,基於其敏感性,按照現存技術知識狀況,大規模使用新技術並 用於對資料主體之權利與自由造成高風險之其他處理活動,尤其是該 等活動使得資料主體更難以行使其權利者。透過建檔資料,就相關當 事人之個人特徵為體系性及密集性之評估、或透過特殊類型之個人資 料、生物資料、或前科及犯罪資料或相關保安措施等之資料處理,以 取得特定當事人之決策所為之個人資料處理者,亦應進行資料保護影 響評估。資料保護影響評估也在大規模監控公共場合時有其必要,特 別是使用光學電子裝置或主管監管機關認為該處理有可能對資料主 體之權利與自由造成高風險之任何其他活動,尤其是因該等裝置或活 動使資料主體無法行使權利、或使用服務或契約,或是因其係被有系 統性地大規模執行者。若由個別醫生、其他健康照護專業者或律師處 理來自於病患或客戶之個人資料時,不應被視為大規模之處理。在此 種情形,資料保護影響評估並非強制。

(91) This should in particular apply to large-scale processing operations which aim to process a considerable amount of personal data at regional, national or supranational level and which could affect a large number of data subjects and which are likely to result in a high risk, for example, on account of their sensitivity, where in accordance with the achieved state of technological knowledge a new technology is used on a large scale as well as to other processing operations which result in a high risk to the rights and freedoms of data subjects, in particular where those operations render it more difficult for data subjects to exercise their rights. A data protection impact assessment should also be made where personal data are processed for taking decisions regarding specific natural persons following any systematic and extensive evaluation of personal aspects relating to natural persons based on profiling those data or following the processing of special categories of personal data, biometric data, or data on criminal convictions and offences or related security measures. A data protection impact assessment is equally required for monitoring publicly accessible areas on a large scale, especially when using optic-electronic devices or for any other operations where the competent supervisory authority considers that the processing is likely to result in a high risk to the rights and freedoms of data subjects, in particular because they prevent data subjects from exercising a right or using a service or a contract, or because they are carried out systematically on a large scale. The processing of personal data should not be considered to be on a large scale if the processing concerns personal data from patients or clients by an individual physician, other health care professional or lawyer. In such cases, a data protection impact assessment should not be mandatory.

(92) 有些情況下,資料保護影響評估之主體比單一計畫更廣泛將是 合理且經濟的,例如,當公務機關或機構欲建立普遍性的應用程式或 處理平台、或當許多控管者計畫引進普遍性的應用程式或跨產業或跨 界之處理環境,或為廣泛使用的水平整合活動。

(92) There are circumstances under which it may be reasonable and economical for the subject of a data protection impact assessment to be broader than a single project, for example where public authorities or bodies intend to establish a common application or processing platform or where several controllers plan to introduce a common application or processing environment across an industry sector or segment or for a widely used horizontal activity.

(93) 於公務機關或公務機構執行任務係依據會員國法,且其所通過 之內容係在規範相關之特定或系列處理活動時,,該會員國得視其為 有必要在處理活動前進行該等評估。

(93) In the context of the adoption of the Member State law on which the performance of the tasks of the public authority or public body is based and which regulates the specific processing operation or set of operations in question, Member States may deem it necessary to carry out such assessment prior to the processing activities.

指南和案例法 发表评论