导航
GDPR > 第 5 條. 個人資料處理原則
下载PDF

第 5 條 GDPR. 個人資料處理原則

Article 5 GDPR. Principles relating to processing of personal data

1. 個人資料應:

1. Personal data shall be:

(a) 為資料主體為合法、公正及透明之處理(「合法性、公正性及透 明度」);

(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);

專家評論
ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph to article 5(1)(a) GDPR:

7.2.2 Identify lawful basis

Control

The organization should determine, document and comply with the relevant lawful basis for the processing of PII for the identified purposes.

Implementation guidance

Some jurisdictions require the organization to be able to demonstrate that the lawfulness of processing was duly established before the processing.


访问全文

指南和案例法 献技

(39) 個人資料之任何處理應合法且公正。個人資料之蒐集、利用、 商議或其他處理應向當事人公開,且應及於該個人資料所處理或將處 理之程度。透明原則要求關於個人資料處理之任何資訊或聯繫應方便 取得、易於理解且應以清楚簡易之語言為之。透明原則尤其關注於向 資料主體公開控管者身分、其處理資料之目的及進一步資訊,用以確 保對於相關當事人為公正及透明之個人資料處理,並確保其得確認及 溝通其所被處理之個人資料之權利。當事人應獲告知有關個人資料處 理之風險、規範、保護措施及權利,以及其如何就該等處理行使其權 利。特別是,個人資料處理之特定目的應具明確性及合法性,且應於 蒐集個人資料時告確定。個人資料應適當、相關及限於其所受處理目 的之必要範圍內。尤須確保個人資料之儲存期間係在最小限度範圍內。 個人資料之處理唯有當其處理目的無法經由其他方式合理實現者始 得為之。為確保個人資料未遭留存至超過其所必要之期間,控管者應 設定個人資料銷毀之期限或定期確認之。各種合理措施應被採用以更 正或刪除不正確之個人資料。個人資料之處理應以確保其適當安全性 及保密性之方式為之,包括防止對個人資料及其處理過程所使用設備 之未經授權之接近或使用。

(39) Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed. Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review. Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted. Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.

相关文章

(b)蒐集目的須特定、明確及合法,且不得為該等目的以外之進階處 理;依照第 89 條第 1 項規定,為達成公共利益之目的、科學或歷史 研究目的或統計目的所為之進階處理,不應視為不符合原始目的(「目 的限制」);

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);

專家評論
ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraphs to article 5(1)(b) GDPR:

7.2.1 Identify and document purpose

Control

The organization should identify and document the specific purposes for which the PII will be processed.

Implementation guidance

The organization should ensure that PII principals understand the purpose for which their PII is processed. It is the responsibility of the organization to clearly document and communicate this to PII principals.


访问全文

指南和案例法 相关文章

(c) 適當、相關且限於處理目的所必要者(「資料最少蒐集原則」);

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

專家評論
ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraphs to article 5(1)(c) GDPR:

7.4.1 Limit collection

Control

The organization should limit the collection of PII to the minimum that is relevant, proportional and necessary for the identified purposes.

Implementation guidance

The organization should limit the collection of PII to what is adequate, relevant and necessary in relation to the identified purposes. This includes limiting the amount of PII that the organization collects indirectly (e.g. through web logs, system logs, etc.).

Privacy by default implies that, where any optionality in the collection and processing of PII exists, each option should be disabled by default and only enabled by explicit choice of the PII principal.

7.4.4 PII minimization objectives

Control

The organization should define and document data minimization objectives and what mechanisms (such as de-identification) are used to meet those objectives.


访问全文

指南和案例法 相关文章

(d) 正確且必要時應隨時更新;考慮個人資料處理之目的,應採取一 切合理措施,確保不正確之個人資料立即被刪除或更正(「正確性」);

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);

專家評論
ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraphs to article 5(1)(d) GDPR:

7.3.6 Access, correction and/or erasure

Control

The organization should implement policies, procedures and/or mechanisms to meet their obligations to PII principals to access, correct and/or erase their PII.

Implementation guidance

The organization should implement policies, procedures and/or mechanisms for enabling PII principals to obtain access to, correct and erase of their PII, if requested and without undue delay.


访问全文

相关文章

(e) 資料主體之識別資料保存於一定形式,不長於處理目的所必要之 期間;個人資料處理係單獨為達成公共利益之目的、科學或歷史研究 目的或統計目的,且符合第 89 條第 1 項規定,實施適當之技術上及 組織上之措施以確保資料主體權利及自由之要求者,該個人資料得被 儲存較長時間(「儲存限制」);

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);

專家評論
ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraphs to article 5(1)(e) GDPR:

7.4.4 PII minimization objectives

Control

The organization should define and document data minimization objectives and what mechanisms (such as de-identification) are used to meet those objectives.

Implementation guidance

Organizations should identify how the specific PII and amount of PII collected and processed is limited relative to the identified purposes.


访问全文

指南和案例法 相关文章

(f) 處理應以確保個人資料適當安全性之方式為之,包括使用適當之 技術上或組織上之措施,以防止未經授權或非法處理,並防止意外遺 失、破壞或損壞(「完整性和保密性」)。

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

專家評論
ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added a requirement additional to ISO/IEC 27002, section 6.2.1.

Here is the relevant paragraphs to article 5(1)(f) GDPR:

6.3.2.1 Mobile device policy

Implementation guidance

The organization should ensure that the use of mobile devices does not lead to a compromise of PII.


访问全文

指南和案例法 相关文章

2. 控管者應遵守並就其符合第 1 項規定負舉證責任(「責任」)。

2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added a requirement additional to ISO/IEC 27002, section 18.1.3.

Here is the relevant paragraphs to article 5(2) GDPR:

6.15.1.3 Protection of records

Implementation guidance

Review of current and historical policies and procedures can be required (e.g. in the cases of customer dispute resolution and investigation by a supervisory authority).


访问全文

指南和案例法 献技

(82) 為證明遵循本規則,控管者或處理者應依其職責保留處理活動 之紀錄。各控管者及處理者應有義務配合監管機關並做成前開紀錄, 並依要求提供之,使處理活動受監控。

(82) In order to demonstrate compliance with this Regulation, the controller or processor should maintain records of processing activities under its responsibility. Each controller and processor should be obliged to cooperate with the supervisory authority and make those records, on request, available to it, so that it might serve for monitoring those processing operations.

相关文章
献技 指南和案例法 发表评论
献技

(39) 個人資料之任何處理應合法且公正。個人資料之蒐集、利用、 商議或其他處理應向當事人公開,且應及於該個人資料所處理或將處 理之程度。透明原則要求關於個人資料處理之任何資訊或聯繫應方便 取得、易於理解且應以清楚簡易之語言為之。透明原則尤其關注於向 資料主體公開控管者身分、其處理資料之目的及進一步資訊,用以確 保對於相關當事人為公正及透明之個人資料處理,並確保其得確認及 溝通其所被處理之個人資料之權利。當事人應獲告知有關個人資料處 理之風險、規範、保護措施及權利,以及其如何就該等處理行使其權 利。特別是,個人資料處理之特定目的應具明確性及合法性,且應於 蒐集個人資料時告確定。個人資料應適當、相關及限於其所受處理目 的之必要範圍內。尤須確保個人資料之儲存期間係在最小限度範圍內。 個人資料之處理唯有當其處理目的無法經由其他方式合理實現者始 得為之。為確保個人資料未遭留存至超過其所必要之期間,控管者應 設定個人資料銷毀之期限或定期確認之。各種合理措施應被採用以更 正或刪除不正確之個人資料。個人資料之處理應以確保其適當安全性 及保密性之方式為之,包括防止對個人資料及其處理過程所使用設備 之未經授權之接近或使用。

(39) Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed. Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review. Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted. Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.

指南和案例法 发表评论