导航
GDPR > 第 43 條. 認證機構
下载PDF

第 43 條 GDPR. 認證機構

Article 43 GDPR. Certification bodies

1. 在不損及第 57 條及 58 條所定主管監管機關之任務及權力之情況 下,具備關於資料保護之適當程度專業性之認證機構,於通知監管機 關使其得於必要時依照第 58 條第 2 項第 h 點行使其權力後,核發及 更新認證。會員國應確保該等認證機構通過下列一項或二項之認證:

1. Without prejudice to the tasks and powers of the competent supervisory authority under Articles 57 and 58, certification bodies which have an appropriate level of expertise in relation to data protection shall, after informing the supervisory authority in order to allow it to exercise its powers pursuant to point (h) of Article 58(2) where necessary, issue and renew certification. Member States shall ensure that those certification bodies are accredited by one or both of the following:

献技

(100) 為了提升本規則之透明度與對本規則之遵循,應鼓勵認證機制 與資料保護標章及標誌之建立,使資料主體得快速評估相關產品及服 務之資料保護程度。

(100) In order to enhance transparency and compliance with this Regulation, the establishment of certification mechanisms and data protection seals and marks should be encouraged, allowing data subjects to quickly assess the level of data protection of relevant products and services.

相关文章

(a) 第 55 條或第 56 條所定之主管監管機構;

(a) the supervisory authority which is competent pursuant to Article 55 or 56;

相关文章

(b) 依 EN-ISO/IEC 第 17065/2012 號標準以及主管監管機關依第 55 條或第 56 條規定所建立之附加要求,按歐洲議會及歐盟理事會[20]第 765/2008 號規則命名之國家認證機構。

(b) the national accreditation body named in accordance with Regulation (EC) No 765/2008 of the European Parliament and of the Council [20] in accordance with EN-ISO/IEC 17065/2012 and with the additional requirements established by the supervisory authority which is competent pursuant to Article 55 or 56.

相关文章

[20] Regulation (EC) No 765/2008 of the European Parliament and of the Council of 9 July 2008 setting out the requirements for accreditation and market surveillance relating to the marketing of products and repealing Regulation (EEC) No 339/93 (OJ L 218, 13.8.2008, p. 30). https://eur-lex.europa.eu/legal-content/EN/AUTO/?uri=OJ:L:2015:241:TOC

[20] Regulation (EC) No 765/2008 of the European Parliament and of the Council of 9 July 2008 setting out the requirements for accreditation and market surveillance relating to the marketing of products and repealing Regulation (EEC) No 339/93 (OJ L 218, 13.8.2008, p. 30). https://eur-lex.europa.eu/legal-content/EN/AUTO/?uri=OJ:L:2015:241:TOC

2. 第 1 項所定之認證機構應依該項規定通過認證,但必須符合以下 要件:

2. Certification bodies referred to in paragraph 1 shall be accredited in accordance with that paragraph only where they have:

(a) 證明其具備所涉及認證事件之獨立性及專業性至主管監管機關滿
意;

(a) demonstrated their independence and expertise in relation to the subject-matter of the certification to the satisfaction of the competent supervisory authority;

(b) 承諾會遵守第 42 條第 5 項所定之標準,並經主管監管機關依第 55 條或第 56 條規定、或經委員會依第 63 條規定核准;

(b) undertaken to respect the criteria referred to in Article 42(5) and approved by the supervisory authority which is competent pursuant to Article 55 or 56 or by the Board pursuant to Article 63;

相关文章

(c) 建立資料保護認證、資料保護標章及標誌的核准、定期審查及撤 回之程序;

(c) established procedures for the issuing, periodic review and withdrawal of data protection certification, seals and marks;

(d) 建立處理申訴之程序及組織,以處理違反資料保護認證或控管者 或處理者執行之方式已違反或正違反資料保護認證之申訴,並向資料 主體及公眾公開該等程序及組織;及

(d) established procedures and structures to handle complaints about infringements of the certification or the manner in which the certification has been, or is being, implemented by the controller or processor, and to make those procedures and structures transparent to data subjects and the public; and

(e) 證明其任務及責任不會產生利害衝突至主管監管機關滿意。

(e) demonstrated, to the satisfaction of the competent supervisory authority, that their tasks and duties do not result in a conflict of interests.

3. 本條第 1 項及第 2 項所定認證機構之認證應由主管監管機關依據 第 55 條或第 56 條規定或由委員會依第 63 條規定依其核准之標準定 之。依據本條第 1 項第 b 點之認證,該等要件應與第 765/2008 號規 則及規範認證機構之方法及程序之技術規則相一致。

3. The accreditation of certification bodies as referred to in paragraphs 1 and 2 of this Article shall take place on the basis of requirements approved by the supervisory authority which is competent pursuant to Article 55 or 56 or by the Board pursuant to Article 63. In the case of accreditation pursuant to point (b) of paragraph 1 of this Article, those requirements shall complement those envisaged in Regulation (EC) No 765/2008 and the technical rules that describe the methods and procedures of the certification bodies.

相关文章

4. 第 1 項所定之認證機構應負責對於認證及撤回認證進行適當之評 估,但不損及控管者或處理者遵守本規則之責任。認證最長期限為 5 年,且得在相同要件下更新,但該認證機構應符合本條所定之要求。

4. The certification bodies referred to in paragraph 1 shall be responsible for the proper assessment leading to the certification or the withdrawal of such certification without prejudice to the responsibility of the controller or processor for compliance with this Regulation. The accreditation shall be issued for a maximum period of five years and may be renewed on the same conditions provided that the certification body meets the requirements set out in this Article.

5. 第一項所定之認證機構應向主管監管機關提供核准或撤回認證之 理由。

5. The certification bodies referred to in paragraph 1 shall provide the competent supervisory authorities with the reasons for granting or withdrawing the requested certification.

6. 本條第 3項所定要件及第 42條第 5 項所定標準應由監管機關以方 便取得之格式公開之。監管機關亦應將該等要件及標準傳送至委員會。 委員會應將所有資料保護認證機制與資料保護標章整理登錄,並應以 適當方式公開之。

6. The requirements referred to in paragraph 3 of this Article and the criteria referred to in Article 42(5) shall be made public by the supervisory authority in an easily accessible form. The supervisory authorities shall also transmit those requirements and criteria to the Board.

相关文章

7. 在不損及第 8 章規定之情況下,主管監管機關或國家認證機構於 欠缺認證要件或不再符合認證要件或認證機構之行為違反本規則之 情況下,應依本條第 1 項規定撤銷該認證機構之認證。

7. Without prejudice to Chapter VIII, the competent supervisory authority or the national accreditation body shall revoke an accreditation of a certification body pursuant to paragraph 1 of this Article where the conditions for the accreditation are not, or are no longer, met or where actions taken by a certification body infringe this Regulation.

8. 執委會應有權依據第 92 條規定通過授權法,以具體化第 42 條第 1 項所定資料保護認證機制應考慮的要件。

8. The Commission shall be empowered to adopt delegated acts in accordance with Article 92 for the purpose of specifying the requirements to be taken into account for the data protection certification mechanisms referred to in Article 42(1).

相关文章

9. 執委會得通過施行法,為資料保護認證機制與資料保護標章及標 誌制定技術性標準,以促進及認可該等資料保護認證機制與資料保護 標章及標誌。該等施行法應依照第93條第 2項所定之檢驗程序通過。

9. The Commission may adopt implementing acts laying down technical standards for certification mechanisms and data protection seals and marks, and mechanisms to promote and recognise those certification mechanisms, seals and marks. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2).

相关文章