
Article 45 GDPR. Transfers on the basis of an adequacy decision

1. A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation.

Recitals

(103) The Commission may decide with effect for the entire Union that a third country, a territory or specified sector within a third country, or an international organisation, offers an adequate level of data protection, thus providing legal certainty and uniformity throughout the Union as regards the third country or international organisation which is considered to provide such level of protection. In such cases, transfers of personal data to that third country or international organisation may take place without the need to obtain any further authorisation. The Commission may also decide, having given notice and a full statement setting out the reasons to the third country or international organisation, to revoke such a decision.

2. When assessing the adequacy of the level of protection, the Commission shall, in particular, take account of the following elements:

Recitals

(104) In line with the fundamental values on which the Union is founded, in particular the protection of human rights, the Commission should, in its assessment of the third country, or of a territory or specified sector within a third country, take into account how a particular third country respects the rule of law, access to justice as well as international human rights norms and standards and its general and sectoral law, including legislation concerning public security, defence and national security as well as public order and criminal law. The adoption of an adequacy decision with regard to a territory or a specified sector in a third country should take into account clear and objective criteria, such as specific processing activities and the scope of applicable legal standards and legislation in force in the third country. The third country should offer guarantees ensuring an adequate level of protection essentially equivalent to that ensured within the Union, in particular where personal data are processed in one or several specific sectors. In particular, the third country should ensure effective independent data protection supervision and should provide for cooperation mechanisms with the Member States' data protection authorities, and the data subjects should be provided with effective and enforceable rights and effective administrative and judicial redress.

(105) Apart from the international commitments the third country or international organisation has entered into, the Commission should take account of obligations arising from the third country's or international organisation's participation in multilateral or regional systems in particular in relation to the protection of personal data, as well as the implementation of such obligations. In particular, the third country's accession to the Council of Europe Convention of 28 January 1981 for the Protection of Individuals with regard to the Automatic Processing of Personal Data and its Additional Protocol should be taken into account. The Commission should consult the Board when assessing the level of protection in third countries or international organisations.

(a) the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data, as well as the implementation of such legislation, data protection rules, professional rules and security measures, including rules for the onward transfer of personal data to another third country or international organisation which are complied with in that country or international organisation, case-law, as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are being transferred;

(b) the existence and effective functioning of one or more independent supervisory authorities in the third country or to which an international organisation is subject, with responsibility for ensuring and enforcing compliance with the data protection rules, including adequate enforcement powers, for assisting and advising the data subjects in exercising their rights and for cooperation with the supervisory authorities of the Member States; and

(c) the international commitments the third country or international organisation concerned has entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems, in particular in relation to the protection of personal data.

3. The Commission, after assessing the adequacy of the level of protection, may decide, by means of implementing act, that a third country, a territory or one or more specified sectors within a third country, or an international organisation ensures an adequate level of protection within the meaning of paragraph 2 of this Article. The implementing act shall provide for a mechanism for a periodic review, at least every four years, which shall take into account all relevant developments in the third country or international organisation. The implementing act shall specify its territorial and sectoral application and, where applicable, identify the supervisory authority or authorities referred to in point (b) of paragraph 2 of this Article. The implementing act shall be adopted in accordance with the examination procedure referred to in Article 93(2).

4. The Commission shall, on an ongoing basis, monitor developments in third countries and international organisations that could affect the functioning of decisions adopted pursuant to paragraph 3 of this Article and decisions adopted on the basis of Article 25(6) of Directive 95/46/EC.

Recitals

(106) The Commission should monitor the functioning of decisions on the level of protection in a third country, a territory or specified sector within a third country, or an international organisation, and monitor the functioning of decisions adopted on the basis of Article 25(6) or Article 26(4) of Directive 95/46/EC. In its adequacy decisions, the Commission should provide for a periodic review mechanism of their functioning. That periodic review should be conducted in consultation with the third country or international organisation in question and take into account all relevant developments in the third country or international organisation. For the purposes of monitoring and of carrying out the periodic reviews, the Commission should take into consideration the views and findings of the European Parliament and of the Council as well as of other relevant bodies and sources. The Commission should evaluate, within a reasonable time, the functioning of the latter decisions and report any relevant findings to the Committee within the meaning of Regulation (EU) No 182/2011 of the European Parliament and of the Council [12] as established under this Regulation, to the European Parliament and to the Council.

[12] Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by Member States of the Commission's exercise of implementing powers (OJ L 55, 28.2.2011, p. 13). https://eur-lex.europa.eu/legal-content/EN/AUTO/?uri=OJ:L:2011:055:TOC

5. The Commission shall, where available information reveals, in particular following the review referred to in paragraph 3 of this Article, that a third country, a territory or one or more specified sectors within a third country, or an international organisation no longer ensures an adequate level of protection within the meaning of paragraph 2 of this Article, to the extent necessary, repeal, amend or suspend the decision referred to in paragraph 3 of this Article by means of implementing acts without retro-active effect. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2).

On duly justified imperative grounds of urgency, the Commission shall adopt immediately applicable implementing acts in accordance with the procedure referred to in Article 93(3).

6. The Commission shall enter into consultations with the third country or international organisation with a view to remedying the situation giving rise to the decision made pursuant to paragraph 5.

Recitals

(107) The Commission may recognise that a third country, a territory or a specified sector within a third country, or an international organisation no longer ensures an adequate level of data protection. Consequently the transfer of personal data to that third country or international organisation should be prohibited, unless the requirements in this Regulation relating to transfers subject to appropriate safeguards, including binding corporate rules, and derogations for specific situations are fulfilled. In that case, provision should be made for consultations between the Commission and such third countries or international organisations. The Commission should, in a timely manner, inform the third country or international organisation of the reasons and enter into consultations with it in order to remedy the situation.

7. A decision pursuant to paragraph 5 of this Article is without prejudice to transfers of personal data to the third country, a territory or one or more specified sectors within that third country, or the international organisation in question pursuant to Articles 46 to 49.

8. The Commission shall publish in the Official Journal of the European Union and on its website a list of the third countries, territories and specified sectors within a third country and international organisations for which it has decided that an adequate level of protection is or is no longer ensured.

9. Decisions adopted by the Commission on the basis of Article 25(6) of Directive 95/46/EC shall remain in force until amended, replaced or repealed by a Commission Decision adopted in accordance with paragraph 3 or 5 of this Article.

ISO 27701

ISO/IEC 27701, adopted in 2019, added further ISO/IEC 27002 guidance for PII controllers.

Here is the paragraph relevant to Article 45 GDPR:

7.5.1 Identify basis for PII transfer between jurisdictions

Control

The organization should identify and document the relevant basis for transfers of PII between jurisdictions.

Implementation guidance

PII transfer can be subject to legislation and/or regulation depending on the jurisdiction or international organization to which data is to be transferred (and from where it originates).

