导航
GDPR > 第 46 條. 須遵守適當保護措施之移轉
下载PDF

第 46 條 GDPR. 須遵守適當保護措施之移轉

Article 46 GDPR. Transfers subject to appropriate safeguards

1. 於欠缺第 45 條第 3 項之決定時,控管者或處理者僅於其提供適當 保護措施,且資料主體之權利得為執行,並具備有效權利救濟時,始 得移轉個人資料至第三國或國際組織。

1. In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

相关文章

2. 第 1項所稱之適當保護措施,於無監管機關為特定授權之情形下, 得以下列方式提供:

2. The appropriate safeguards referred to in paragraph 1 may be provided for, without requiring any specific authorisation from a supervisory authority, by:

献技

(108) 在欠缺有提供充足保護之決定時,控管者或處理者應為資料主 體採取適當保護措施,以彌補第三國對資料保護之欠缺。該等適當保 護措施可能包括利用有拘束力之企業守則、執委會採用之標準資料保護條款、監管機關採用之標準資料保護條款或由監管機關授權之契約 條款。該等保護措施應確保符合資料保護之要求及資料主體之權利在 歐盟境內適當地處理,包括可實現之資料主體權利以及有效之法律救 濟,包括在歐盟內或第三國獲得有效的行政或司法救濟並請求補償。 該等適當保護措施尤應符合個人資料處理之基本原則及設計與預設 資料保護之原則。移轉之執行亦得由第三國之公務機關或公務機構向 第三國之公務機關或公務機構或具對應責任或功能之國際組織為之, 包括在規範基礎上加入諸如同意備忘錄、提供資料主體可執行且有效 權利等行政安排。保護措施係以不具法拘束力之行政安排所提供者, 應獲得有關監管機關之授權。

(108) In the absence of an adequacy decision, the controller or processor should take measures to compensate for the lack of data protection in a third country by way of appropriate safeguards for the data subject. Such appropriate safeguards may consist of making use of binding corporate rules, standard data protection clauses adopted by the Commission, standard data protection clauses adopted by a supervisory authority or contractual clauses authorised by a supervisory authority. Those safeguards should ensure compliance with data protection requirements and the rights of the data subjects appropriate to processing within the Union, including the availability of enforceable data subject rights and of effective legal remedies, including to obtain effective administrative or judicial redress and to claim compensation, in the Union or in a third country. They should relate in particular to compliance with the general principles relating to personal data processing, the principles of data protection by design and by default. Transfers may also be carried out by public authorities or bodies with public authorities or bodies in third countries or with international organisations with corresponding duties or functions, including on the basis of provisions to be inserted into administrative arrangements, such as a memorandum of understanding, providing for enforceable and effective rights for data subjects. Authorisation by the competent supervisory authority should be obtained when the safeguards are provided for in administrative arrangements that are not legally binding.

(109) 控管者或處理者使用執委會採用或監管機關採用之定型化資 料保護條款的可能性,應避免控管者或處理者將定型化資料保護條款 擴張適用於更廣泛之契約,例如處理者與其他處理者間之契約,亦應 避免以增訂其他條款或額外保護措施而直接或間接牴觸執委會或監 管機關所採用之定型化契約條款,或侵害資料主體之基本權或自由。 控管者與處理者應被鼓勵透過補充定型化保護條款之契約上承諾來 提供額外保護措施。

(109) The possibility for the controller or processor to use standard data-protection clauses adopted by the Commission or by a supervisory authority should prevent controllers or processors neither from including the standard data-protection clauses in a wider contract, such as a contract between the processor and another processor, nor from adding other clauses or additional safeguards provided that they do not contradict, directly or indirectly, the standard contractual clauses adopted by the Commission or by a supervisory authority or prejudice the fundamental rights or freedoms of the data subjects. Controllers and processors should be encouraged to provide additional safeguards via contractual commitments that supplement standard protection clauses.

(a) 與公務機關或機構間有法律拘束力且得執行之辦法;

(a) a legally binding and enforceable instrument between public authorities or bodies;

(b) 第 47 條之有拘束力之企業守則;

(b) binding corporate rules in accordance with Article 47;

相关文章

(c) 執委會依第 93 條第 2 項之檢驗程序採行之標準資料保護條款;

(c) standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93(2);

指南和案例法 相关文章

(d) 監管機關採行,並由執委會依第 93 條第 2 項之檢驗程序核准之 標準資料保護條款;

(d) standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure referred to in Article 93(2);

相关文章

(e) 依第 40 條經核准之行為守則,及第三國之控管者或處理者有拘束 力且可執行之協約,以適用適當保護措施,包括關於資料主體之權利; 或

(e) an approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights; or

(f) 依第 42 條經核准之驗證機制,及第三國之控管者或處理者有拘束 力且可執行之協約,以適用適當保護措施,包括關於資料主體之權 利。

(f) an approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights.

3. 第 1項所稱之適當保護措施,於有主管監管機關為授權之情形下, 得以下列方式提供:

3. Subject to the authorisation from the competent supervisory authority, the appropriate safeguards referred to in paragraph 1 may also be provided for, in particular, by:

(a) 控管者或處理者與第三國或國際組織之個人資料控管者、處理者 或接收者間之契約條款;

(a) contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation; or

(b) 納入包括可執行且有效之資料主體權利之公務機關或機構間行 政安排之條款。

(b) provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.

4. 於本條第 3 項之情形,監管機關應遵循第 63 條之一致性機制。

4. The supervisory authority shall apply the consistency mechanism referred to in Article 63 in the cases referred to in paragraph 3 of this Article.

相关文章

5. 會員國或監管機關依歐盟指令第 95/46/EC 號第 26條第 2項之授權, 於監管機關認有必要而修改、取代或廢除前,應持續有效。依歐盟指 令第 95/46/EC 號第 26 條第 4 項之決定,於執委會認有必要而依本條 第 2 項決定修改、取代或廢除前,應持續有效。

5. Authorisations by a Member State or supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid until amended, replaced or repealed, if necessary, by that supervisory authority. Decisions adopted by the Commission on the basis of Article 26(4) of Directive 95/46/EC shall remain in force until amended, replaced or repealed, if necessary, by a Commission Decision adopted in accordance with paragraph 2 of this Article.

ISO 27701 献技 指南和案例法 发表评论
ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph to article 46 GDPR:

7.5.1 Identify basis for PII transfer between jurisdictions

Control

The organization should identify and document the relevant basis for transfers of PII between jurisdictions.

Implementation guidance

PII transfer can be subject to legislation and/or regulation depending on the jurisdiction or international organization to which data is to be transferred (and from where it originates).


访问全文

献技

(108) 在欠缺有提供充足保護之決定時,控管者或處理者應為資料主 體採取適當保護措施,以彌補第三國對資料保護之欠缺。該等適當保 護措施可能包括利用有拘束力之企業守則、執委會採用之標準資料保護條款、監管機關採用之標準資料保護條款或由監管機關授權之契約 條款。該等保護措施應確保符合資料保護之要求及資料主體之權利在 歐盟境內適當地處理,包括可實現之資料主體權利以及有效之法律救 濟,包括在歐盟內或第三國獲得有效的行政或司法救濟並請求補償。 該等適當保護措施尤應符合個人資料處理之基本原則及設計與預設 資料保護之原則。移轉之執行亦得由第三國之公務機關或公務機構向 第三國之公務機關或公務機構或具對應責任或功能之國際組織為之, 包括在規範基礎上加入諸如同意備忘錄、提供資料主體可執行且有效 權利等行政安排。保護措施係以不具法拘束力之行政安排所提供者, 應獲得有關監管機關之授權。

(108) In the absence of an adequacy decision, the controller or processor should take measures to compensate for the lack of data protection in a third country by way of appropriate safeguards for the data subject. Such appropriate safeguards may consist of making use of binding corporate rules, standard data protection clauses adopted by the Commission, standard data protection clauses adopted by a supervisory authority or contractual clauses authorised by a supervisory authority. Those safeguards should ensure compliance with data protection requirements and the rights of the data subjects appropriate to processing within the Union, including the availability of enforceable data subject rights and of effective legal remedies, including to obtain effective administrative or judicial redress and to claim compensation, in the Union or in a third country. They should relate in particular to compliance with the general principles relating to personal data processing, the principles of data protection by design and by default. Transfers may also be carried out by public authorities or bodies with public authorities or bodies in third countries or with international organisations with corresponding duties or functions, including on the basis of provisions to be inserted into administrative arrangements, such as a memorandum of understanding, providing for enforceable and effective rights for data subjects. Authorisation by the competent supervisory authority should be obtained when the safeguards are provided for in administrative arrangements that are not legally binding.

(109) 控管者或處理者使用執委會採用或監管機關採用之定型化資 料保護條款的可能性,應避免控管者或處理者將定型化資料保護條款 擴張適用於更廣泛之契約,例如處理者與其他處理者間之契約,亦應 避免以增訂其他條款或額外保護措施而直接或間接牴觸執委會或監 管機關所採用之定型化契約條款,或侵害資料主體之基本權或自由。 控管者與處理者應被鼓勵透過補充定型化保護條款之契約上承諾來 提供額外保護措施。

(109) The possibility for the controller or processor to use standard data-protection clauses adopted by the Commission or by a supervisory authority should prevent controllers or processors neither from including the standard data-protection clauses in a wider contract, such as a contract between the processor and another processor, nor from adding other clauses or additional safeguards provided that they do not contradict, directly or indirectly, the standard contractual clauses adopted by the Commission or by a supervisory authority or prejudice the fundamental rights or freedoms of the data subjects. Controllers and processors should be encouraged to provide additional safeguards via contractual commitments that supplement standard protection clauses.

指南和案例法 发表评论