导航
GDPR > 第 40 條. 行為守則
下载PDF

第 40 條 GDPR. 行為守則

Article 40 GDPR. Codes of conduct

1. 會員國、監管機關、委員會及執委會對於行為守則之訂立,應給 予鼓勵,以促進本規則之有效適用,並考量某些行業執行資料處理之 特定特徵及微型、中小型企業之特定需求。

1. The Member States, the supervisory authorities, the Board and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking account of the specific features of the various processing sectors and the specific needs of micro, small and medium-sized enterprises.

2. 組織與代表控管者或處理者類型之其他機構得備置行為守則或修 改或擴張該守則以明確化本規則之適用範圍,例如:

2. Associations and other bodies representing categories of controllers or processors may prepare codes of conduct, or amend or extend such codes, for the purpose of specifying the application of this Regulation, such as with regard to:

献技

(89) 歐盟指令第 95/46/EC 號規範了向監管機關通知個人資料處理之 一般性義務。然而該義務造成了行政與財政上之負擔,並非所有情形 都對提升個人資料之保護有所助益。因此,該未加區別之普遍通知義 務應予廢除,並改以注重依處理活動之本質、範圍、脈絡及目的等特 徵區分容易對當事人權利與自由造成高風險之種類的更有效程序與 機制加以取代。該處理活動之種類尤其可能是涉及新技術之使用,或 未曾由控管者實施資料保護影響評估或基於自開始處理所經過之時間而有必要之新類型處理活動。

(89) Directive 95/46/EC provided for a general obligation to notify the processing of personal data to the supervisory authorities. While that obligation produces administrative and financial burdens, it did not in all cases contribute to improving the protection of personal data. Such indiscriminate general notification obligations should therefore be abolished, and replaced by effective procedures and mechanisms which focus instead on those types of processing operations which are likely to result in a high risk to the rights and freedoms of natural persons by virtue of their nature, scope, context and purposes. Such types of processing operations may be those which in, particular, involve using new technologies, or are of a new kind and where no data protection impact assessment has been carried out before by the controller, or where they become necessary in the light of the time that has elapsed since the initial processing.

(90) 在此種情形,控管者應在處理之前進行資料保護影響評估,以 評估高風險之特定可能性與嚴重性,並考量處理之本質、範圍、脈絡 與目的及風險來源。該影響評估尤其應包括預計用以降低風險、確保 個人資料保護與顯示遵循本規則之措施、保護措施與機制。

(90) In such cases, a data protection impact assessment should be carried out by the controller prior to the processing in order to assess the particular likelihood and severity of the high risk, taking into account the nature, scope, context and purposes of the processing and the sources of the risk. That impact assessment should include, in particular, the measures, safeguards and mechanisms envisaged for mitigating that risk, ensuring the protection of personal data and demonstrating compliance with this Regulation.

(a) 公正及透明之處理:

(a) fair and transparent processing;

相关文章

(b) 控管者於具體情況下追求之正當利益;

(b) the legitimate interests pursued by controllers in specific contexts;

(c) 個人資料之蒐集;

(c) the collection of personal data;

(d) 個人資料之假名化;

(d) the pseudonymisation of personal data;

(e) 提供大眾及資料主體之資訊;

(e) the information provided to the public and to data subjects;

(f) 資料主體權利之行使;

(f) the exercise of the rights of data subjects;

(g) 向兒童提供之資訊及對於兒童之保護,以及獲得其法定代理人同 意之方式;

(g) the information provided to, and the protection of, children, and the manner in which the consent of the holders of parental responsibility over children is to be obtained;

(h) 第 24 條及第 25 條所定之方式及程序,及第 32 條所定確保處理 安全性之保護措施;

(h) the measures and procedures referred to in Articles 24 and 25 and the measures to ensure security of processing referred to in Article 32;

相关文章

(i) 向監管機關通知個人資料之侵害,以及將該等個人資料侵害通知 資料主體;

(i) the notification of personal data breaches to supervisory authorities and the communication of such personal data breaches to data subjects;

(j) 個人資料移轉至第三國或國際組織;或

(j) the transfer of personal data to third countries or international organisations; or

(k) 法庭外程序與其他爭端解決程序,用以解決控管者和資料主體間 關於處理之爭議,而不損及第 77 條及第 79 條所定之資料主體之權 利。

(k) out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects with regard to processing, without prejudice to the rights of data subjects pursuant to Articles 77 and 79.

相关文章

3. 本條第 5 項所定經核准及本條第 9 項所定具有一般規範效力之行 為守則,除適用於受本規則拘束之控管者或處理者外,亦得適用於第 3 條所定不受本規則拘束之控管者或處理者,使其依第 46 條第 2 項 第 e 點規定將個人資料移轉至第三國或國際組織時得以提供適當之 保護措施。該等控管者或處理者應透過契約或其他具有法律拘束力之 文書,做成具有拘束力且可得執行之承諾,以適用該等適當之保護措 施,包括關於資料主體之權利。

3. In addition to adherence by controllers or processors subject to this Regulation, codes of conduct approved pursuant to paragraph 5 of this Article and having general validity pursuant to paragraph 9 of this Article may also be adhered to by controllers or processors that are not subject to this Regulation pursuant to Article 3 in order to provide appropriate safeguards within the framework of personal data transfers to third countries or international organisations under the terms referred to in point (e) of Article 46(2). Such controllers or processors shall make binding and enforceable commitments, via contractual or other legally binding instruments, to apply those appropriate safeguards including with regard to the rights of data subjects.

相关文章

4. 本條第 2項所定之行為守則應涵蓋得以使第 41 條第 1項所定機構 對承諾遵守該等規範之控管者或處理者進行強制性監控之機制,而不 損及第 55 條或 56 條所定主管監管機關之任務及權力。

4. A code of conduct referred to in paragraph 2 of this Article shall contain mechanisms which enable the body referred to in Article 41(1) to carry out the mandatory monitoring of compliance with its provisions by the controllers or processors which undertake to apply it, without prejudice to the tasks and powers of supervisory authorities competent pursuant to Article 55 or 56.

相关文章

5. 本條第 2 項所定欲備置行為守則或修改或擴張現存行為守則之組 織及其他機構,應將該行為守則草案、修正案或擴充案提交至第 55 條所定之主管監管機關。該監管機關應提供該草案、修正案或擴充案 是否符合本規則之意見,如其認為已提供充分且適當之保護措施者, 即應核准該草案、修正案或擴充案。

5. Associations and other bodies referred to in paragraph 2 of this Article which intend to prepare a code of conduct or to amend or extend an existing code shall submit the draft code, amendment or extension to the supervisory authority which is competent pursuant to Article 55. The supervisory authority shall provide an opinion on whether the draft code, amendment or extension complies with this Regulation and shall approve that draft code, amendment or extension if it finds that it provides sufficient appropriate safeguards.

6. 依第 5 項規定核准行為守則草案或修正案或擴充案,且該行為守 則與多個會員國之處理活動無關者,監管機關應登記並公布該行為守 則。

6. Where the draft code, or amendment or extension is approved in accordance with paragraph 5, and where the code of conduct concerned does not relate to processing activities in several Member States, the supervisory authority shall register and publish the code.

7. 如行為守則涉及多個會員國之處理活動者,第 55 條所定之主管監管機關於核准該草案、修正案或擴充案前,應依照第 63 條所定程序 將之提交至委員會,使其就該草案、修正案或擴充案是否符合本規則 之規定或是否已依本條第 3 項規定提供適當保護乙節表示意見。

7. Where a draft code of conduct relates to processing activities in several Member States, the supervisory authority which is competent pursuant to Article 55 shall, before approving the draft code, amendment or extension, submit it in the procedure referred to in Article 63 to the Board which shall provide an opinion on whether the draft code, amendment or extension complies with this Regulation or, in the situation referred to in paragraph 3 of this Article, provides appropriate safeguards.

相关文章

8. 第 7 項所定之意見確認該草案、修正案或擴充案符合本規則或已 依照第 3 項規定提供適當保護者,委員會應將其意見提交至執委會。

8. Where the opinion referred to in paragraph 7 confirms that the draft code, amendment or extension complies with this Regulation, or, in the situation referred to in paragraph 3, provides appropriate safeguards, the Board shall submit its opinion to the Commission.

9. 執委會得以施行法之方式,決定本條第 8 項所定經提交且核准之 行為守則、修正案及擴充案於歐盟內具有一般規範效力。該等施行法 應依照第 93 條第 2 項所定檢驗程序通過。

9. The Commission may, by way of implementing acts, decide that the approved code of conduct, amendment or extension submitted to it pursuant to paragraph 8 of this Article have general validity within the Union. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 93(2).

相关文章

10. 執委會應確保依照第 9項規定具有一般規範效力且經核准之行為 守則之公示性。

10. The Commission shall ensure appropriate publicity for the approved codes which have been decided as having general validity in accordance with paragraph 9.

11. 委員會應將所有經核准之行為守則、修正案及擴充案整理登錄, 並應以適當方式公開之。

11. The Board shall collate all approved codes of conduct, amendments and extensions in a register and shall make them publicly available by way of appropriate means.

ISO 27701 献技 指南和案例法 发表评论
ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added a requirement additional to ISO/IEC 27001, section 4.1.

Here is the relevant paragraph to article 40 GDPR:

5.2.1 Understanding the organization and its context

The organization shall include among its interested parties (see ISO/IEC 27001:2013, 4.2), those parties having interests or responsibilities associated with the processing of PII, including the PII principals.


访问全文

献技

(98) 應鼓勵組織與代表控管者或處理者類型之其他機構在合乎本規 則之限制下訂立行為守則,以促進本規則之有效適用,並考量某些行 業執行資料處理之特定特徵及微型、中小型企業之特定需求。尤其, 此種行為守則可能標誌出控管者與處理者之義務,考量資料處理可能 造成當事人之權利與自由的風險。

(98) Associations or other bodies representing categories of controllers or processors should be encouraged to draw up codes of conduct, within the limits of this Regulation, so as to facilitate the effective application of this Regulation, taking account of the specific characteristics of the processing carried out in certain sectors and the specific needs of micro, small and medium enterprises. In particular, such codes of conduct could calibrate the obligations of controllers and processors, taking into account the risk likely to result from the processing for the rights and freedoms of natural persons.

(99) 訂立行為守則或修改、擴張該守則時,組織與其他代表控管者 或處理者類型之其他機構應諮詢利害關係人,包括如可行時之資料主 體,並關注為回應此種諮詢所收到之意見及表達之觀點。

(99) When drawing up a code of conduct, or when amending or extending such a code, associations and other bodies representing categories of controllers or processors should consult relevant stakeholders, including data subjects where feasible, and have regard to submissions received and views expressed in response to such consultations.

指南和案例法 发表评论
[js-disqus]