导航
GDPR > 第 37 條. 資料保護員之指定
下载PDF

第 37 條 GDPR. 資料保護員之指定

Article 37 GDPR. Designation of the data protection officer

1. 於下列任一情形,控管者及處理者應指定資料保護員:

1. The controller and the processor shall designate a data protection officer in any case where:

(a) 除法院行使其司法權外,該處理係由公務機關或機構執行;

(a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;

相关文章

(b) 控管者或處理者之核心活動,包括依其本質、範圍及/或其目的, 需要定期且系統性地大規模監控資料主體;或

(b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or

相关文章

(c) 控管者或處理者之核心活動,包括第 9 條所稱之大規模處理特殊類型之資料及第 10 條所稱之前科與犯罪相關之個人資料。

(c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 or personal data relating to criminal convictions and offences referred to in Article 10.

相关文章

2. 於各分支機構皆易於接近單一一名資料保護員時,企業集團得指 定同一名資料保護員。

2. A group of undertakings may appoint a single data protection officer provided that a data protection officer is easily accessible from each establishment.

相关文章

3. 於控管者或處理者為公務機關或機構時,考量其組織結構與規模, 單一一名資料保護員得受指定至多個該等機關或機構。

3. Where the controller or the processor is a public authority or body, a single data protection officer may be designated for several such authorities or bodies, taking account of their organisational structure and size.

相关文章

4. 於第 1 項以外之情形,控管者、處理者或組織及其他代表控管者 或處理者類型之機構得指定資料保護員,或於歐盟或會員國法要求時 應指定之。

4. In cases other than those referred to in paragraph 1, the controller or processor or associations and other bodies representing categories of controllers or processors may or, where required by Union or Member State law shall, designate a data protection officer. The data protection officer may act for such associations and other bodies representing controllers or processors.

5. 資料保護員應依專業資格、尤其資料保護法律與實踐之專業知識、 及完成第 39 條所稱職務之能力指定之。

5. The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.

相关文章

6. 資料保護員得為控管者或處理者之工作人員,或基於服務契約完 成職務。

6. The data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract.

7. 控管者或處理者應公告資料保護員之契約細節,並向監管機關溝 通之。

7. The controller or the processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority.

專家評論 ISO 27701 献技 指南和案例法 发表评论
專家評論

(EN) The article explains when and under what conditions a Data Protection Officer (DPO) should be appointed or hired. In most cases, at least one of the following conditions is sufficient for the company to be required to have a DPO:

  • if data processing is performed by state authorities (except for courts)


访问全文

(EN) Author
(EN) Maria Arnst CIPM, TÜV
(EN) GDPR Consultant
ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added a requirement additional to ISO/IEC 27002, section 6.1.1.

Here is the relevant paragraph to article 37 GDPR:

6.3.1.1 Information security roles and responsibilities

Implementation guidance

The organization should designate a point of contact for use by the customer regarding the processing of PII. When the organization is a PII controller, designate a point of contact for PII principals regarding the processing of their PII (see 7.3.2).


访问全文

献技

(97) 於下述情形時,就資料保護之法律與實務有專業知識者應協助 控管者或處理者內部監督本規則之遵守,亦即:當資料處理係由除了 法院和獨立司法機關執行其司法權之公務機關執行時、於私部門之處 理係由核心活動包括需要經常且有體系的監控大規模資料主體的控 管者所為之處理活動、或於控管者及處理者之核心活動包括處理大規 模特殊類型之個人資料及涉及前科及犯罪之資料時。在私部門中,控 管者之核心活動係連結到其主要活動,而與作為輔助活動之個人資料 處理無關。專業知識所需程度尤應依據所執行之資料處理活動及由控 管者或處理者處理之個人資料所需之保護而定。該等資料保護員,不 問是否為控管者之雇員,都應以獨立之態度堅守職位以執行其任務。

(97) Where the processing is carried out by a public authority, except for courts or independent judicial authorities when acting in their judicial capacity, where, in the private sector, processing is carried out by a controller whose core activities consist of processing operations that require regular and systematic monitoring of the data subjects on a large scale, or where the core activities of the controller or the processor consist of processing on a large scale of special categories of personal data and data relating to criminal convictions and offences, a person with expert knowledge of data protection law and practices should assist the controller or processor to monitor internal compliance with this Regulation. In the private sector, the core activities of a controller relate to its primary activities and do not relate to the processing of personal data as ancillary activities. The necessary level of expert knowledge should be determined in particular according to the data processing operations carried out and the protection required for the personal data processed by the controller or the processor. Such data protection officers, whether or not they are an employee of the controller, should be in a position to perform their duties and tasks in an independent manner.

指南和案例法 发表评论