(39) 個人資料之任何處理應合法且公正。個人資料之蒐集、利用、 商議或其他處理應向當事人公開，且應及於該個人資料所處理或將處 理之程度。透明原則要求關於個人資料處理之任何資訊或聯繫應方便 取得、易於理解且應以清楚簡易之語言為之。透明原則尤其關注於向 資料主體公開控管者身分、其處理資料之目的及進一步資訊，用以確 保對於相關當事人為公正及透明之個人資料處理，並確保其得確認及 溝通其所被處理之個人資料之權利。當事人應獲告知有關個人資料處 理之風險、規範、保護措施及權利，以及其如何就該等處理行使其權 利。特別是，個人資料處理之特定目的應具明確性及合法性，且應於 蒐集個人資料時告確定。個人資料應適當、相關及限於其所受處理目 的之必要範圍內。尤須確保個人資料之儲存期間係在最小限度範圍內。 個人資料之處理唯有當其處理目的無法經由其他方式合理實現者始 得為之。為確保個人資料未遭留存至超過其所必要之期間，控管者應 設定個人資料銷毀之期限或定期確認之。各種合理措施應被採用以更 正或刪除不正確之個人資料。個人資料之處理應以確保其適當安全性 及保密性之方式為之，包括防止對個人資料及其處理過程所使用設備 之未經授權之接近或使用。
(39) Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed. Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review. Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted. Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.