导航
GDPR > 第 47 條. 有拘束力之企業守則
下载PDF

第 47 條 GDPR. 有拘束力之企業守則

Article 47 GDPR. Binding corporate rules

1. 於有拘束力之企業守則符合下列條件時,主管監管機關應依第 63 條之一致性機制核准之:

1. The competent supervisory authority shall approve binding corporate rules in accordance with the consistency mechanism set out in Article 63, provided that they:

相关文章

(a) 法律上拘束並由共同經濟活動中之各事業團體或企業團體之成員 適用與遵守,包括其員工;

(a) are legally binding and apply to and are enforced by every member concerned of the group of undertakings, or group of enterprises engaged in a joint economic activity, including their employees;

(b) 明文賦予資料主體關於其個人資料處理可執行之權利;及

(b) expressly confer enforceable rights on data subjects with regard to the processing of their personal data; and

(c) 符合第 2 項之要求。

(c) fulfil the requirements laid down in paragraph 2.

2. 第 1 項所稱有拘束力之企業守則至少應特定:

2. The binding corporate rules referred to in paragraph 1 shall specify at least:

(a) 共同經濟活動中之事業團體或企業團體及其各成員之組織與聯絡 方式;

(a) the structure and contact details of the group of undertakings, or group of enterprises engaged in a joint economic activity and of each of its members;

(b) 資料移轉或一系列移轉,包括個人資料之類型、處理之類型及目 的、受影響之資料主體類型、及該第三國之識別;

(b) the data transfers or set of transfers, including the categories of personal data, the type of processing and its purposes, the type of data subjects affected and the identification of the third country or countries in question;

(c) 其內部及外部具合法拘束力之本質;

(c) their legally binding nature, both internally and externally;

(d) 一般資料保護原則之適用,尤其目的限制、資料最少蒐集原則、 資料品質、設計或預設資料保護、處理之法律依據、特殊類型個人資料之處理、確保資料安全之措施、及進一步移轉至不受具拘束力之企 業守則所拘束之機構時之要求;

(d) the application of the general data protection principles, in particular purpose limitation, data minimisation, limited storage periods, data quality, data protection by design and by default, legal basis for processing, processing of special categories of personal data, measures to ensure data security, and the requirements in respect of onward transfers to bodies not bound by the binding corporate rules;

相关文章

(e) 資料主體關於處理之權利及行使該等權利之方式,包括不得僅受 自動化處理決定之權利(含第 22 條之建檔)、依第 79 條向主管監管 機關及會員國之管轄法院提起申訴、及如適合時,因有拘束力之企業 守則之侵害而獲得補償之權利;

(e) the rights of data subjects in regard to processing and the means to exercise those rights, including the right not to be subject to decisions based solely on automated processing, including profiling in accordance with Article 22, the right to lodge a complaint with the competent supervisory authority and before the competent courts of the Member States in accordance with Article 79, and to obtain redress and, where appropriate, compensation for a breach of the binding corporate rules;

相关文章

(f) 設立於會員國之控管者或處理者承受其歐盟境外之成員任何違反 有拘束力之企業守則時之責任;控管者或處理者應僅於證明該成員對 造成損害結果不負責任時,全部或部分免除責任;

(f) the acceptance by the controller or processor established on the territory of a Member State of liability for any breaches of the binding corporate rules by any member concerned not established in the Union; the controller or the processor shall be exempt from that liability, in whole or in part, only if it proves that that member is not responsible for the event giving rise to the damage;

(g) 有拘束力之企業守則之資訊,尤其本項第d、e及 f點所稱之規定, 如何於第 13 條及第 14 條外提供予資料主體;

(g) how the information on the binding corporate rules, in particular on the provisions referred to in points (d), (e) and (f) of this paragraph is provided to the data subjects in addition to Articles 13 and 14;

相关文章

(h) 依第 37 條受指定之任何資料保護員、或共同經濟活動中之事業 團體或企業團體內,其他任何負責監控有拘束力之企業守則之遵守情 形、及監督培訓及申訴處理之人或實體之職務;

(h) the tasks of any data protection officer designated in accordance with Article 37 or any other person or entity in charge of the monitoring compliance with the binding corporate rules within the group of undertakings, or group of enterprises engaged in a joint economic activity, as well as monitoring training and complaint-handling;

相关文章

(i) 申訴程序;

(i) the complaint procedures;

(j) 共同經濟活動中之事業團體或企業團體確保有拘束力之企業守則 遵循之驗證機制。該等機制應包括資料保護審計及確保糾正措施以保 護資料主體權利之方法。該等驗證之結果應向第 h 點所稱之個人或實 體及共同經濟活動中之事業團體或企業團體之控管階層溝通,並應於 主管監管機關請求時提供;

(j) the mechanisms within the group of undertakings, or group of enterprises engaged in a joint economic activity for ensuring the verification of compliance with the binding corporate rules. Such mechanisms shall include data protection audits and methods for ensuring corrective actions to protect the rights of the data subject. Results of such verification should be communicated to the person or entity referred to in point (h) and to the board of the controlling undertaking of a group of undertakings, or of the group of enterprises engaged in a joint economic activity, and should be available upon request to the competent supervisory authority;

(k) 報告及紀錄規範之變更及向監管機關報告該等變更;

(k) the mechanisms for reporting and recording changes to the rules and reporting those changes to the supervisory authority;

(l) 與監管機關之合作機制,以確保任何共同經濟活動中之事業團體 或企業團體之成員遵循,尤其是監管機關請求依第 j點措施驗證之結 果時,應予提供;

(l) the cooperation mechanism with the supervisory authority to ensure compliance by any member of the group of undertakings, or group of enterprises engaged in a joint economic activity, in particular by making available to the supervisory authority the results of verifications of the measures referred to in point (j);

(m) 於共同經濟活動中之事業團體或企業團體之成員可能涉及對有 拘束力之企業守則所保證者有實質不利影響時,向主管監管機關報告 任何法律要求之機制;

(m) the mechanisms for reporting to the competent supervisory authority any legal requirements to which a member of the group of undertakings, or group of enterprises engaged in a joint economic activity is subject in a third country which are likely to have a substantial adverse effect on the guarantees provided by the binding corporate rules; and

(n) 針對永久或定期接觸個人資料之人員之適當資料保護訓練。

(n) the appropriate data protection training to personnel having permanent or regular access to personal data.

3. 執委會得特定本條意義下有拘束力之企業守則關於控管者、處理 者及監管機關間交換資訊之形式與程序。該等執行規範應符合第 93 條第 2 項設定之檢驗程序。

3. The Commission may specify the format and procedures for the exchange of information between controllers, processors and supervisory authorities for binding corporate rules within the meaning of this Article. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 93(2).

相关文章
ISO 27701 献技 指南和案例法 发表评论
ISO 27701

(EN) ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph to article 47 GDPR:

7.5.1 Identify basis for PII transfer between jurisdictions

Control

The organization should identify and document the relevant basis for transfers of PII between jurisdictions.

Implementation guidance

PII transfer can be subject to legislation and/or regulation depending on the jurisdiction or international organization to which data is to be transferred (and from where it originates).


访问全文

献技

(110) 企業集團或從事聯合經濟活動之企業團體就其從歐盟境內至 相同團體組織內所為之國際移轉,應得使用經核准且具拘束力之企業 守則,但以該等企業守則包括所有核心原則及可實現之權利以確保資 料移轉或其分類設有適當保護措施者為限。

(110) A group of undertakings, or a group of enterprises engaged in a joint economic activity, should be able to make use of approved binding corporate rules for its international transfers from the Union to organisations within the same group of undertakings, or group of enterprises engaged in a joint economic activity, provided that such corporate rules include all essential principles and enforceable rights to ensure appropriate safeguards for transfers or categories of transfers of personal data.

指南和案例法 发表评论