
Article 42 GDPR. Certification

1. The Member States, the supervisory authorities, the Board and the Commission shall encourage, in particular at Union level, the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors. The specific needs of micro, small and medium-sized enterprises shall be taken into account.

2. In addition to adherence by controllers or processors subject to this Regulation, data protection certification mechanisms, seals or marks approved pursuant to paragraph 5 of this Article may be established for the purpose of demonstrating the existence of appropriate safeguards provided by controllers or processors that are not subject to this Regulation pursuant to Article 3 within the framework of personal data transfers to third countries or international organisations under the terms referred to in point (f) of Article 46(2). Such controllers or processors shall make binding and enforceable commitments, via contractual or other legally binding instruments, to apply those appropriate safeguards, including with regard to the rights of data subjects.

3. The certification shall be voluntary and available via a process that is transparent.

4. A certification pursuant to this Article does not reduce the responsibility of the controller or the processor for compliance with this Regulation and is without prejudice to the tasks and powers of the supervisory authorities which are competent pursuant to Article 55 or 56.

5. A certification pursuant to this Article shall be issued by the certification bodies referred to in Article 43 or by the competent supervisory authority, on the basis of criteria approved by that competent supervisory authority pursuant to Article 58(3) or by the Board pursuant to Article 63. Where the criteria are approved by the Board, this may result in a common certification, the European Data Protection Seal.

6. The controller or processor which submits its processing to the certification mechanism shall provide the certification body referred to in Article 43, or where applicable, the competent supervisory authority, with all information and access to its processing activities which are necessary to conduct the certification procedure.

7. Certification shall be issued to a controller or processor for a maximum period of three years and may be renewed, under the same conditions, provided that the relevant criteria continue to be met. Certification shall be withdrawn, as applicable, by the certification bodies referred to in Article 43 or by the competent supervisory authority where the criteria for the certification are not or are no longer met.

8. The Board shall collate all certification mechanisms and data protection seals and marks in a register and shall make them publicly available by any appropriate means.

ISO 27701

ISO/IEC 27701, adopted in 2019, adds a requirement in addition to ISO/IEC 27001, section 4.1.

Here is the paragraph relevant to Article 42 GDPR:

5.2.1 Understanding the organization and its context

The organization shall include among its interested parties (see ISO/IEC 27001:2013, 4.2), those parties having interests or responsibilities associated with the processing of PII, including the PII principals.


Recitals

(100) In order to enhance transparency and compliance with this Regulation, the establishment of certification mechanisms and data protection seals and marks should be encouraged, allowing data subjects to quickly assess the level of data protection of relevant products and services.
