Article 39 GDPR. Tasks of the data protection officer

1. The data protection officer shall have at least the following tasks:

(a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;

(b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;

(c) to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;

(d) to cooperate with the supervisory authority;

(e) to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.

2. The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.

Expert commentary

Article 39 lists the main (but not all) tasks that fall within the remit of the Data Protection Officer (DPO). They group into three broad functions, although the DPO's competences are not necessarily limited to these:

  1. Consulting (Art. 39(1)(a) and (c)),
  2. Control / monitoring (Art. 39(1)(b)),
  3. Relationship with the supervisory authority (Art. 39(1)(d) and (e)).

1. The consulting function means that the DPO informs and advises the controller and the processor, and the employees of the controller and processor who are involved in processing personal data, about the GDPR and how to comply with it. The DPO's role is particularly important for the Data Protection Impact Assessment (DPIA): under Article 35 the DPO advises on the DPIA and monitors its performance. The Article 29 Working Party (WP29) recommends that the controller seek the DPO's advice on, for example, the following issues:

  • whether or not to conduct a DPIA



ISO 27701

ISO/IEC 27701, published in 2019, extends ISO/IEC 27002 with PII-specific guidance; its clause 6.3.1.1 supplements ISO/IEC 27002 clause 6.1.1 (Information security roles and responsibilities).

The paragraph relevant to Article 39 GDPR:

6.3.1.1 Information security roles and responsibilities

Implementation guidance

The organization should designate a point of contact for use by the customer regarding the processing of PII. When the organization is a PII controller, designate a point of contact for PII principals regarding the processing of their PII (see 7.3.2).

