Article 4 GDPR. Definitions

For the purposes of this Regulation:

(1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Expert commentary

When is a phone number personal data?

(1) This commentary considers WP29 Opinion 4/2007 on the concept of personal data of 20 June 2007 (hereinafter the WP29 Opinion).

In European doctrine and legislation the definition of personal data is deliberately broad; it has no clear and unambiguous criteria and most likely never will. Why did the privacy experts of WP29, and then the legislators, do this?

Section III of the WP29 Opinion identifies four "building blocks" in the construction of personal data: "any information", "relating to", "an identified or identifiable", "natural person". For the purposes of our analysis two central elements are needed, "relating to" and "identified or identifiable", since they most strongly characterise the position of the data controller as a party to the legal relationship.

(2) Data "relating to" a subject include not only information about the subject personally, but also information about objects and pets that belong to or are otherwise connected with the subject. Thus, data "relating to" a subject are not only the number of a telephone, car, computer, bank card, fitness tracker or pet chip, but also other characteristics of those objects and animals: price, wear, serial numbers, breakdowns, diagnoses, test results and so on.

The WP29 Opinion also identifies three elements, each of which, independently of the others, can make any information "relate to" a subject: content, purpose and result.

Information may relate to a subject by its content if it is about a specific natural person, for example exam results, a specific person's phone number, or a particular user's social network profile.

Information may also relate to a subject by purpose if it is used, or is likely to be used, to evaluate the subject, to influence the subject's status or behaviour, or to treat the subject in a certain way. For example, a list of web pages visited by company employees on the corporate network may be used to monitor how efficiently each employee uses working time, or to block certain pages for certain employees.

Information may relate to a data subject even in the absence of the "content" and "purpose" elements if the "result" element is present: if the processing of the data is likely to affect the subject's rights and interests, for example even by slightly changing how others treat the subject or by making the subject stand out from the rest of the community. For example, information that a schoolchild's grandfather received a Darwin Award may provoke mockery and bullying from peers.

These three elements of the relation of data to a subject are each applied separately, but if at least one element is present there is no need to establish the other two: the data definitely relate to the subject.

(3) The third block of the personal data construction, "identified or identifiable", has a qualifying significance for the phone number and for the other numbers and characteristics of objects and living beings relating to subjects.

The WP29 Opinion defines a person as identifiable if that person has not yet been identified but can be identified directly, for example by name (if it allows the subject to be singled out from a group), or indirectly, by passport, car or phone number, or by a combination of significant criteria that allow the subject to be singled out from a group (this may be age, place of residence, appearance and so on).

However, a merely hypothetical possibility of identifying the subject does not make information personal data. If the possibility of identifying the subject is absent or negligible, the data are not considered personal. At this point some controllers will happily exclaim that they never had any intention of identifying anyone and merely collect telephone, car and certain card numbers belonging to subjects. But we understand that identification by these numbers is possible when they are matched against another database, for example within inter-agency data exchange, by obtaining data from mobile network operators or from traffic surveillance cameras, or through systems integration.

How, then, can one determine the degree and likelihood that the controller, or any third party that has obtained the information, will decide to use the opportunity to identify subjects?

To do so, one must determine what reasonable efforts the controller or any third party would have to make to identify specific subjects: the monetary cost of such efforts; the time and human resources; the availability of technology that allows identification without special effort or expense; the implied (rather than declared) purpose and the design of the processing; what benefits the controller or any other third party may derive; the duration of data storage and the potential development of identification technologies over that period.

In each specific case it is necessary to determine whether the controller has the possibility, and what resources it applies, to identify subjects by phone number. If the possibility exists, or the purpose and context of the processing imply identification of the subject, then the phone number is personal data.

A phone number is personal data, since depending on the situation it either serves as an identifier of a person or constitutes information relating to an identified or identifiable natural person. All other numbers and characteristics of objects and living beings belonging to a subject may, in one or another processing context, also qualify as personal data.

(4) Even where the controller and any third party do not have the data subject's full name, and even where they have no possibility of identifying the subject, they are still able to influence the subject's behaviour very seriously and to violate the subject's rights and interests.

After all, a phone number differs substantially from the other numbers of things and belongings in that it can be used to contact the subject directly, intrude into the subject's private life and cause distress. Fraud, prank calls, calls at night or early in the morning at weekends, unwanted SMS messages, calls and spam are all possible. All of this may not only harm the subject's health and material well-being, but also force the subject to change phone number, and even to change the controller through whose fault the subject's rights were violated.

Contact data in general (phone number, email, address and so on) allow malicious actors to enter into direct contact with the subject against the subject's will in order, say, to threaten the subject's life and safety, manipulate the subject, intrusively seize the subject's attention, or interfere with work and personal life (intrusion, in the terms of the Taxonomy of Privacy). Measures to protect such data should be complemented by reasonable prudence on the subject's own part when disclosing contact data to third parties, since their compromise may force the subject to change number or move, and may also harm the interests of third parties, for example the subject's family.

As shown above, the subject's rights can be violated through contact data even without full identification of the subject. The confidentiality of these data ensures the safety of the life and health of the subject and those close to the subject, allows the subject to keep external communications under control, reduces the subject's accessibility to the outside world, builds the subject's personal boundaries and protects the subject's personal space, which gives the subject comfort and confidence.


Authors
Elena Sebjakina CIPP/E, Privacy by design, Data Protection Officer, GDPR Consultant
Siarhei Varankevich CIPP/E, CIPM, CIPT, MBA, FIP, Co-Founder & CEO of Data Privacy Office LLC, Data Protection Trainer and Principal Consultant

Recitals

(26) The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.

(2) ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

Expert commentary

Though GDPR Art. 4(2) does not mention "purpose", a "processing" should actually be understood as an operation or set of operations united by one purpose. The purpose determines the role of data controller and the legal ground for processing, defines the exception allowing for the processing of special categories of data, limits processing to one purpose (purpose limitation principle), serves as a criterion for data minimisation, and determines the risk level and the scope of data subject rights.

Some operations may serve multiple purposes; for instance, storage of email addresses allows a company to provide login to its website (purpose 1) and to send marketing communications (purpose 2). In that case this operation (storage) is a part of two processing activities at the same time. Stopping one of them (for example as a result of a withdrawal of consent for marketing emails) does not prevent the company from continuing the other one (allowing the user to log in).


Author
Siarhei Varankevich CIPP/E, CIPM, CIPT, MBA, FIP, Co-Founder & CEO of Data Privacy Office LLC, Data Protection Trainer and Principal Consultant

(3) ‘restriction of processing’ means the marking of stored personal data with the aim of limiting their processing in the future;

(4) ‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

(5) ‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;

Recitals

(28) The application of pseudonymisation to personal data can reduce the risks to the data subjects concerned and help controllers and processors to meet their data-protection obligations. The explicit introduction of ‘pseudonymisation’ in this Regulation is not intended to preclude any other measures of data protection.

(29) In order to create incentives to apply pseudonymisation when processing personal data, measures of pseudonymisation should, whilst allowing general analysis, be possible within the same controller when that controller has taken technical and organisational measures necessary to ensure, for the processing concerned, that this Regulation is implemented, and that additional information for attributing the personal data to a specific data subject is kept separately. The controller processing the personal data should indicate the authorised persons within the same controller.

(6) ‘filing system’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;

(7) ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

(8) ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

(9) ‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;

Recitals

(31) Public authorities to which personal data are disclosed in accordance with a legal obligation for the exercise of their official mission, such as tax and customs authorities, financial investigation units, independent administrative authorities, or financial market authorities responsible for the regulation and supervision of securities markets should not be regarded as recipients if they receive personal data which are necessary to carry out a particular inquiry in the general interest, in accordance with Union or Member State law. The requests for disclosure sent by the public authorities should always be in writing, reasoned and occasional and should not concern the entirety of a filing system or lead to the interconnection of filing systems. The processing of personal data by those public authorities should comply with the applicable data-protection rules according to the purposes of the processing.

(10) ‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

(11) ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

Recitals

(32) Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.

(33) It is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. Therefore, data subjects should be allowed to give their consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research. Data subjects should have the opportunity to give their consent only to certain areas of research or parts of research projects to the extent allowed by the intended purpose.

(12) ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

(13) ‘genetic data’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;

Recitals

(34) Genetic data should be defined as personal data relating to the inherited or acquired genetic characteristics of a natural person which result from the analysis of a biological sample from the natural person in question, in particular chromosomal, deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analysis, or from the analysis of another element enabling equivalent information to be obtained.

(14) ‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;

(15) ‘data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;

Recitals

(35) Personal data concerning health should include all data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health status of the data subject. This includes information about the natural person collected in the course of the registration for, or the provision of, health care services as referred to in Directive 2011/24/EU of the European Parliament and of the Council [9] to that natural person; a number, symbol or particular assigned to a natural person to uniquely identify the natural person for health purposes; information derived from the testing or examination of a body part or bodily substance, including from genetic data and biological samples; and any information on, for example, a disease, disability, disease risk, medical history, clinical treatment or the physiological or biomedical state of the data subject independent of its source, for example from a physician or other health professional, a hospital, a medical device or an in vitro diagnostic test.

[9] Directive 2011/24/EU of the European Parliament and of the Council of 9 March 2011 on the application of patients' rights in cross-border healthcare (OJ L 88, 4.4.2011, p. 45). https://eur-lex.europa.eu/legal-content/EN/AUTO/?uri=OJ:L:2011:088:TOC

(16) ‘main establishment’ means:

Recitals

(36) The main establishment of a controller in the Union should be the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union, in which case that other establishment should be considered to be the main establishment. The main establishment of a controller in the Union should be determined according to objective criteria and should imply the effective and real exercise of management activities determining the main decisions as to the purposes and means of processing through stable arrangements. That criterion should not depend on whether the processing of personal data is carried out at that location. The presence and use of technical means and technologies for processing personal data or processing activities do not, in themselves, constitute a main establishment and are therefore not determining criteria for a main establishment. The main establishment of the processor should be the place of its central administration in the Union or, if it has no central administration in the Union, the place where the main processing activities take place in the Union. In cases involving both the controller and the processor, the competent lead supervisory authority should remain the supervisory authority of the Member State where the controller has its main establishment, but the supervisory authority of the processor should be considered to be a supervisory authority concerned and that supervisory authority should participate in the cooperation procedure provided for by this Regulation. In any case, the supervisory authorities of the Member State or Member States where the processor has one or more establishments should not be considered to be supervisory authorities concerned where the draft decision concerns only the controller. Where the processing is carried out by a group of undertakings, the main establishment of the controlling undertaking should be considered to be the main establishment of the group of undertakings, except where the purposes and means of processing are determined by another undertaking.

(a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;

(b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;

(17) ‘representative’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation;

(18) ‘enterprise’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;

(19) ‘group of undertakings’ means a controlling undertaking and its controlled undertakings;

Recitals

(37) A group of undertakings should cover a controlling undertaking and its controlled undertakings, whereby the controlling undertaking should be the undertaking which can exert a dominant influence over the other undertakings by virtue, for example, of ownership, financial participation or the rules which govern it or the power to have personal data protection rules implemented. An undertaking which controls the processing of personal data in undertakings affiliated to it should be regarded, together with those undertakings, as a group of undertakings.

(20) ‘binding corporate rules’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity;

(21) ‘supervisory authority’ means an independent public authority which is established by a Member State pursuant to Article 51;

(22) ‘supervisory authority concerned’ means a supervisory authority which is concerned by the processing of personal data because:

献技

(36) The main establishment of a controller in the Union should be the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union, in which case that other establishment should be considered to be the main establishment. The main establishment of a controller in the Union should be determined according to objective criteria and should imply the effective and real exercise of management activities determining the main decisions as to the purposes and means of processing through stable arrangements. That criterion should not depend on whether the processing of personal data is carried out at that location. The presence and use of technical means and technologies for processing personal data or processing activities do not, in themselves, constitute a main establishment and are therefore not determining criteria for a main establishment. The main establishment of the processor should be the place of its central administration in the Union or, if it has no central administration in the Union, the place where the main processing activities take place in the Union. In cases involving both the controller and the processor, the competent lead supervisory authority should remain the supervisory authority of the Member State where the controller has its main establishment, but the supervisory authority of the processor should be considered to be a supervisory authority concerned and that supervisory authority should participate in the cooperation procedure provided for by this Regulation. In any case, the supervisory authorities of the Member State or Member States where the processor has one or more establishments should not be considered to be supervisory authorities concerned where the draft decision concerns only the controller. Where the processing is carried out by a group of undertakings, the main establishment of the controlling undertaking should be considered to be the main establishment of the group of undertakings, except where the purposes and means of processing are determined by another undertaking.

(a) the controller or processor is established on the territory of the Member State of that supervisory authority;

(b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or

(c) a complaint has been lodged with that supervisory authority;

(23) ‘cross-border processing’ means either:

(a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or

(b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.


(24) ‘relevant and reasoned objection’ means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;

(25) ‘information society service’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council [19];


[19] Directive (EU) 2015/1535 of the European Parliament and of the Council of 9 September 2015 laying down a procedure for the provision of information in the field of technical regulations and of rules on Information Society services (OJ L 241, 17.9.2015, p. 1). https://eur-lex.europa.eu/legal-content/EN/AUTO/?uri=OJ:L:2015:241:TOC


(26) ‘international organisation’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.


(26) The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.

(27) This Regulation does not apply to the personal data of deceased persons. Member States may provide for rules regarding the processing of personal data of deceased persons.

(28) The application of pseudonymisation to personal data can reduce the risks to the data subjects concerned and help controllers and processors to meet their data-protection obligations. The explicit introduction of ‘pseudonymisation’ in this Regulation is not intended to preclude any other measures of data protection.

(29) In order to create incentives to apply pseudonymisation when processing personal data, measures of pseudonymisation should, whilst allowing general analysis, be possible within the same controller when that controller has taken technical and organisational measures necessary to ensure, for the processing concerned, that this Regulation is implemented, and that additional information for attributing the personal data to a specific data subject is kept separately. The controller processing the personal data should indicate the authorised persons within the same controller.
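Recitals 26, 28 and 29 turn on one engineering point: pseudonymised data remain personal data, and the "additional information" that links a pseudonym back to a person must be held apart from the data set that analysts work on. The Python below is an added example, not part of the regulation or of this page; the records, the employee-id format and the KeyCustodian class are constructed for illustration, and the last function is the recital 26 check of whether a pseudonym is recoverable by a means reasonably likely to be used (here, exhaustive search over a small identifier space).

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample records: a direct identifier plus a field to analyse.
RECORDS = [
    {"employee_id": "E1042", "sick_days": 3},
    {"employee_id": "E1042", "sick_days": 1},
    {"employee_id": "E2099", "sick_days": 7},
]


class KeyCustodian:
    """Holds the 'additional information' of recital 29: the MAC key and the
    pseudonym-to-identifier table. Constructed for this example; in practice
    this is a separate team or service, outside the analysts' environment."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        self._key = key if key is not None else secrets.token_bytes(32)
        self._table: Dict[str, str] = {}

    def pseudonym(self, identifier: str) -> str:
        # Keyed MAC: same identifier -> same pseudonym, but only with the key.
        p = hmac.new(self._key, identifier.encode(), hashlib.sha256).hexdigest()
        self._table[p] = identifier
        return p

    def reattribute(self, pseudonym: str) -> Optional[str]:
        """Only the custodian can turn a pseudonym back into the person."""
        return self._table.get(pseudonym)


def pseudonymise(records: List[dict], custodian: KeyCustodian) -> List[dict]:
    """Copy of the records with the identifier replaced by a keyed pseudonym.
    Per-subject analysis still works (the 'general analysis' recital 29 allows)
    because one person always maps to one pseudonym."""
    return [{"subject": custodian.pseudonym(r["employee_id"]),
             "sick_days": r["sick_days"]} for r in records]


def sick_days_per_subject(pseudonymised: List[dict]) -> Dict[str, int]:
    totals: Dict[str, int] = {}
    for r in pseudonymised:
        totals[r["subject"]] = totals.get(r["subject"], 0) + r["sick_days"]
    return totals


def unkeyed_hash(identifier: str) -> str:
    """The weak scheme: a plain hash with no separately held secret."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def reversible_by_enumeration(scheme: Callable[[str], str], pseudonym: str,
                              candidates: Iterable[str]) -> Optional[str]:
    """Recital 26 check: can the pseudonym be recovered by trying every
    identifier in a small space? Returns the match, or None if none maps."""
    for c in candidates:
        if scheme(c) == pseudonym:
            return c
    return None
```

With an unkeyed hash of a five-character employee id the check finds the person in a few thousand tries, so that field is still personal data; with the keyed scheme the same search fails unless the searcher also holds the custodian's key.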

(30) Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

(31) Public authorities to which personal data are disclosed in accordance with a legal obligation for the exercise of their official mission, such as tax and customs authorities, financial investigation units, independent administrative authorities, or financial market authorities responsible for the regulation and supervision of securities markets should not be regarded as recipients if they receive personal data which are necessary to carry out a particular inquiry in the general interest, in accordance with Union or Member State law. The requests for disclosure sent by the public authorities should always be in writing, reasoned and occasional and should not concern the entirety of a filing system or lead to the interconnection of filing systems. The processing of personal data by those public authorities should comply with the applicable data-protection rules according to the purposes of the processing.

(32) Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.

(33) It is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. Therefore, data subjects should be allowed to give their consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research. Data subjects should have the opportunity to give their consent only to certain areas of research or parts of research projects to the extent allowed by the intended purpose.

(34) Genetic data should be defined as personal data relating to the inherited or acquired genetic characteristics of a natural person which result from the analysis of a biological sample from the natural person in question, in particular chromosomal, deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analysis, or from the analysis of another element enabling equivalent information to be obtained.

(35) Personal data concerning health should include all data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health status of the data subject. This includes information about the natural person collected in the course of the registration for, or the provision of, health care services as referred to in Directive 2011/24/EU of the European Parliament and of the Council [9] to that natural person; a number, symbol or particular assigned to a natural person to uniquely identify the natural person for health purposes; information derived from the testing or examination of a body part or bodily substance, including from genetic data and biological samples; and any information on, for example, a disease, disability, disease risk, medical history, clinical treatment or the physiological or biomedical state of the data subject independent of its source, for example from a physician or other health professional, a hospital, a medical device or an in vitro diagnostic test.

[9] Directive 2011/24/EU of the European Parliament and of the Council of 9 March 2011 on the application of patients' rights in cross-border healthcare (OJ L 88, 4.4.2011, p. 45). https://eur-lex.europa.eu/legal-content/EN/AUTO/?uri=OJ:L:2011:088:TOC


