Article 6 GDPR. Lawfulness of processing

1. Processing shall be lawful only if and to the extent that at least one of the following applies:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

Recitals

(44) Processing should be lawful where it is necessary in the context of a contract or the intention to enter into a contract.

(c) processing is necessary for compliance with a legal obligation to which the controller is subject;

Recitals

(45) Where processing is carried out in accordance with a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, the processing should have a basis in Union or Member State law. This Regulation does not require a specific law for each individual processing. A law as a basis for several processing operations based on a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of an official authority may be sufficient. It should also be for Union or Member State law to determine the purpose of processing. Furthermore, that law could specify the general conditions of this Regulation governing the lawfulness of personal data processing, establish specifications for determining the controller, the type of personal data which are subject to the processing, the data subjects concerned, the entities to which the personal data may be disclosed, the purpose limitations, the storage period and other measures to ensure lawful and fair processing. It should also be for Union or Member State law to determine whether the controller performing a task carried out in the public interest or in the exercise of official authority should be a public authority or another natural or legal person governed by public law, or, where it is in the public interest to do so, including for health purposes such as public health and social protection and the management of health care services, by private law, such as a professional association.

(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

Recitals

(46) The processing of personal data should also be regarded to be lawful where it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person. Processing of personal data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis. Some types of processing may serve both important grounds of public interest and the vital interests of the data subject as for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread or in situations of humanitarian emergencies, in particular in situations of natural and man-made disasters.

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

Recitals

(115) Some third countries adopt laws, regulations and other legal acts which purport to directly regulate the processing activities of natural and legal persons under the jurisdiction of the Member States. This may include judgments of courts or tribunals or decisions of administrative authorities in third countries requiring a controller or processor to transfer or disclose personal data, and which are not based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State. The extraterritorial application of those laws, regulations and other legal acts may be in breach of international law and may impede the attainment of the protection of natural persons ensured in the Union by this Regulation. Transfers should only be allowed where the conditions of this Regulation for a transfer to third countries are met. This may be the case, inter alia, where disclosure is necessary for an important ground of public interest recognised in Union or Member State law to which the controller is subject.

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Recitals

(47) The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing. Given that it is for the legislator to provide by law for the legal basis for public authorities to process personal data, that legal basis should not apply to the processing by public authorities in the performance of their tasks. The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.

(48) Controllers that are part of a group of undertakings or institutions affiliated to a central body may have a legitimate interest in transmitting personal data within the group of undertakings for internal administrative purposes, including the processing of clients' or employees' personal data. The general principles for the transfer of personal data, within a group of undertakings, to an undertaking located in a third country remain unaffected.

(49) The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.

Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.

Recitals

(40) In order for processing to be lawful, personal data should be processed on the basis of the consent of the data subject concerned or some other legitimate basis, laid down by law, either in this Regulation or in other Union or Member State law as referred to in this Regulation, including the necessity for compliance with the legal obligation to which the controller is subject or the necessity for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

(50) The processing of personal data for purposes other than those for which the personal data were initially collected should be allowed only where the processing is compatible with the purposes for which the personal data were initially collected. In such a case, no legal basis separate from that which allowed the collection of the personal data is required. If the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Union or Member State law may determine and specify the tasks and purposes for which the further processing should be regarded as compatible and lawful. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes should be considered to be compatible lawful processing operations. The legal basis provided by Union or Member State law for the processing of personal data may also provide a legal basis for further processing. In order to ascertain whether a purpose of further processing is compatible with the purpose for which the personal data are initially collected, the controller, after having met all the requirements for the lawfulness of the original processing, should take into account, inter alia: any link between those purposes and the purposes of the intended further processing; the context in which the personal data have been collected, in particular the reasonable expectations of data subjects based on their relationship with the controller as to their further use; the nature of the personal data; the consequences of the intended further processing for data subjects; and the existence of appropriate safeguards in both the original and intended further processing operations.

Where the data subject has given consent or the processing is based on Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard, in particular, important objectives of general public interest, the controller should be allowed to further process the personal data irrespective of the compatibility of the purposes. In any case, the application of the principles set out in this Regulation and in particular the information of the data subject on those other purposes and on his or her rights including the right to object, should be ensured. Indicating possible criminal acts or threats to public security by the controller and transmitting the relevant personal data in individual cases or in several cases relating to the same criminal act or threats to public security to a competent authority should be regarded as being in the legitimate interest pursued by the controller. However, such transmission in the legitimate interest of the controller or further processing of personal data should be prohibited if the processing is not compatible with a legal, professional or other binding obligation of secrecy.

2. Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to processing for compliance with points (c) and (e) of paragraph 1 by determining more precisely specific requirements for the processing and other measures to ensure lawful and fair processing including for other specific processing situations as provided for in Chapter IX.

3. The basis for the processing referred to in point (c) and (e) of paragraph 1 shall be laid down by:

(a) Union law; or

(b) Member State law to which the controller is subject.

The purpose of the processing shall be determined in that legal basis or, as regards the processing referred to in point (e) of paragraph 1, shall be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. That legal basis may contain specific provisions to adapt the application of rules of this Regulation, inter alia: the general conditions governing the lawfulness of processing by the controller; the types of data which are subject to the processing; the data subjects concerned; the entities to, and the purposes for which, the personal data may be disclosed; the purpose limitation; storage periods; and processing operations and processing procedures, including measures to ensure lawful and fair processing such as those for other specific processing situations as provided for in Chapter IX. The Union or the Member State law shall meet an objective of public interest and be proportionate to the legitimate aim pursued.

Recitals

(41) Where this Regulation refers to a legal basis or a legislative measure, this does not necessarily require a legislative act adopted by a parliament, without prejudice to requirements pursuant to the constitutional order of the Member State concerned. However, such a legal basis or legislative measure should be clear and precise and its application should be foreseeable to persons subject to it, in accordance with the case-law of the Court of Justice of the European Union (the ‘Court of Justice’) and the European Court of Human Rights.

4. Where the processing for a purpose other than that for which the personal data have been collected is not based on the data subject’s consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1), the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, take into account, inter alia:

(a) any link between the purposes for which the personal data have been collected and the purposes of the intended further processing;

(b) the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller;

(c) the nature of the personal data, in particular whether special categories of personal data are processed, pursuant to Article 9, or whether personal data related to criminal convictions and offences are processed, pursuant to Article 10;

(d) the possible consequences of the intended further processing for data subjects;

(e) the existence of appropriate safeguards, which may include encryption or pseudonymisation.

ISO 27701

ISO/IEC 27701, adopted in 2019, added further ISO/IEC 27002 guidance for PII controllers.

Here is the paragraph relevant to Article 6(4)(e) GDPR:

7.4.5 PII de-identification and deletion at the end of processing

Control

The organization should either delete PII or render it in a form which does not permit identification or re-identification of PII principals, as soon as the original PII is no longer necessary for the identified purpose(s).


ISO 27701

ISO/IEC 27701, adopted in 2019, added further ISO/IEC 27002 guidance for PII controllers.

Here is the paragraph relevant to Article 6 GDPR:

7.2.2 Identify lawful basis

Control

The organization should determine, document and comply with the relevant lawful basis for the processing of PII for the identified purposes.

Implementation guidance

Some jurisdictions require the organization to be able to demonstrate that the lawfulness of processing was duly established before the processing.

The legal basis for the processing of PII can include:


Recitals

(42) Where processing is based on the data subject's consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation. In particular in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware of the fact that and the extent to which consent is given. In accordance with Council Directive 93/13/EEC [10] a declaration of consent pre-formulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language and it should not contain unfair terms. For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended. Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.

[10] Council Directive 93/13/EEC of 5 April 1993 on unfair terms in consumer contracts (OJ L 95, 21.4.1993, p. 29). https://eur-lex.europa.eu/legal-content/EN/AUTO/?uri=OJ:L:1993:095:TOC

(43) In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation. Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.

(155) Member State law or collective agreements, including ‘works agreements’, may provide for specific rules on the processing of employees' personal data in the employment context, in particular for the conditions under which personal data in the employment context may be processed on the basis of the consent of the employee, the purposes of the recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organisation of work, equality and diversity in the workplace, health and safety at work, and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship.
