(103)執委會得做成影響全歐盟之決定,認定第三國、第三國內之領 域或特定部門,或國際組織已提供充足程度之資料保護,並因此就第 三國或國際組織被認為已提供該保護程度乙事在整個歐盟提供了法 明確性和一致性。於該等情形,個人資料移轉至第三國或國際組織可 能在不需要獲得進一步授權之情形下發生。於給予第三國或國際組織 通知及說明理由之完全陳述時,執委會亦可決定撤銷原決定。
(103) The Commission may decide with effect for the entire Union that a third country, a territory or specified sector within a third country, or an international organisation, offers an adequate level of data protection, thus providing legal certainty and uniformity throughout the Union as regards the third country or international organisation which is considered to provide such level of protection. In such cases, transfers of personal data to that third country or international organisation may take place without the need to obtain any further authorisation. The Commission may also decide, having given notice and a full statement setting out the reasons to the third country or international organisation, to revoke such a decision.
(104) 依循歐盟所創立之基本價值,尤其是人權之保護,執委會在其 衡量第三國或第三國內之領域或特定部門時,應考量特定第三國如何 遵守法治、接近使用司法、以及國際人權規範和標準及其普通法與部 門法,包括涉及公共安全、防禦與國家安全與公共秩序及刑法之立法。 對第三國內之領域或特定部門作成有提供充足保護之決定應考量明 確與具體之標準,例如特定處理活動及第三國可適用之法律標準與立法之範圍。第三國應提供保證,以確保基本上等同於歐盟所保障之充 足程度保護,特別是當個人資料處理在單一或數個特定部門時。尤其, 第三國應確保有效而獨立之資料保護監督機制,且應提供合作機制予 會員國資料保護機關,且應提供資料保護主體有效且可實現的權利與 有效的行政與司法救濟。
(104) In line with the fundamental values on which the Union is founded, in particular the protection of human rights, the Commission should, in its assessment of the third country, or of a territory or specified sector within a third country, take into account how a particular third country respects the rule of law, access to justice as well as international human rights norms and standards and its general and sectoral law, including legislation concerning public security, defence and national security as well as public order and criminal law. The adoption of an adequacy decision with regard to a territory or a specified sector in a third country should take into account clear and objective criteria, such as specific processing activities and the scope of applicable legal standards and legislation in force in the third country. The third country should offer guarantees ensuring an adequate level of protection essentially equivalent to that ensured within the Union, in particular where personal data are processed in one or several specific sectors. In particular, the third country should ensure effective independent data protection supervision and should provide for cooperation mechanisms with the Member States' data protection authorities, and the data subjects should be provided with effective and enforceable rights and effective administrative and judicial redress.
(105) 除了第三國或國際組織已加入之國際協約,執委會應考量第三 國或國際組織於多邊或區域體系之義務,尤其是涉及個人資料保護及 該等義務之履行。尤其,應考量第三國加入歐洲理事會 1981 年 1 月 28 日關於自動化個人資料處理之個人保護公約及其附加議定書。於 衡量第三國或國際組織之保護程度時,執委會應向委員會諮詢。
(105) Apart from the international commitments the third country or international organisation has entered into, the Commission should take account of obligations arising from the third country's or international organisation's participation in multilateral or regional systems in particular in relation to the protection of personal data, as well as the implementation of such obligations. In particular, the third country's accession to the Council of Europe Convention of 28 January 1981 for the Protection of Individuals with regard to the Automatic Processing of Personal Data and its Additional Protocol should be taken into account. The Commission should consult the Board when assessing the level of protection in third countries or international organisations.
(106) 執委會應觀察審視第三國、第三國境內之領域或特定部門、或 國際組織保護程度之決定的運作,並觀察審視在歐盟指令第 95/46/EC 號第 25 條第 6 項及第 26 條第 4 項之基礎下採行之決定。就有提供充 足保護之決定,執委會應提供定期檢驗其運作之機制。該定期檢驗應 在諮詢有關之第三國或國際組織下進行,且考量所有相關第三國或國 際組織之發展。為了觀察審視與執行定期檢驗,執委會應考慮歐洲議 會及歐盟理事會以及相關機構與來源之意見與認定。執委會應在合理 時間內評估前次決定之運作情形,並如本規則所確立的,依歐洲議會 及歐盟理事會之歐盟規則第 182/2011 號 [12],向委員會報告任何相關 認定。
(106) The Commission should monitor the functioning of decisions on the level of protection in a third country, a territory or specified sector within a third country, or an international organisation, and monitor the functioning of decisions adopted on the basis of Article 25(6) or Article 26(4) of Directive 95/46/EC. In its adequacy decisions, the Commission should provide for a periodic review mechanism of their functioning. That periodic review should be conducted in consultation with the third country or international organisation in question and take into account all relevant developments in the third country or international organisation. For the purposes of monitoring and of carrying out the periodic reviews, the Commission should take into consideration the views and findings of the European Parliament and of the Council as well as of other relevant bodies and sources. The Commission should evaluate, within a reasonable time, the functioning of the latter decisions and report any relevant findings to the Committee within the meaning of Regulation (EU) No 182/2011 of the European Parliament and of the Council [12] as established under this Regulation, to the European Parliament and to the Council.
(107) 執委會可能認定第三國、第三國內之領域或特定部門、或國際 組織不再達到充足程度之資料保護。因此,向該第三國或國際組織之 個人資料移轉應被禁止,但完成本規則關於移轉所定適當保護措施之 要件被滿足,包括有拘束力之企業守則及存在特定情況之例外者,不 在此限。在該情況,該規範應由執委會及該第三國或國際組織間訂定。 執委會應於適當時間內通知第三國或國際組織其理由,並進入協商程 序以救濟該情形。
(107) The Commission may recognise that a third country, a territory or a specified sector within a third country, or an international organisation no longer ensures an adequate level of data protection. Consequently the transfer of personal data to that third country or international organisation should be prohibited, unless the requirements in this Regulation relating to transfers subject to appropriate safeguards, including binding corporate rules, and derogations for specific situations are fulfilled. In that case, provision should be made for consultations between the Commission and such third countries or international organisations. The Commission should, in a timely manner, inform the third country or international organisation of the reasons and enter into consultations with it in order to remedy the situation.
(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.
Here is the relevant paragraph to article 45 GDPR:
7.5.1 Identify basis for PII transfer between jurisdictions
Control
The organization should identify and document the relevant basis for transfers of PII between jurisdictions.
Implementation guidance
PII transfer can be subject to legislation and/or regulation depending on the jurisdiction or international organization to which data is to be transferred (and from where it originates).
…
登入
访问全文