导航
GDPR > 第七條. 同意條件
下载PDF

第七條 GDPR. 同意條件

Article 7 GDPR. Conditions for consent

1. 當處理係基於同意時,控管者應證明資料主體已同意其個人資料 之處理。

1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.

相关文章

2. 如資料主體之同意併係為其他事件所為之書面聲明時,同意請求 應以易懂且方便取得之格式,並採用清楚簡易之語言,且與其他事件 清楚區分之方式呈現。該聲明之任何條款違反本規則者,不具約束 力。

2. If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.

献技

(42) 個人資料處理係基於資料主體之同意者,控管者應舉證證明資 料主體同意該處理活動。尤其是在為他事件所為書面聲明時,保護措 施應確保資料主體知悉其所為同意之事實及其同意之範圍。根據歐盟 理事會所定第 93/13/EEC 號指令[10],控管者事先擬定之同意聲明書,應以易懂且方便取得之格式為之,並採用清楚簡易之語言,且不得有不公平條款。為同意所為之告知,資料主體至少應知悉控管者之身分及其個人資料處理所要達成之目的。於資料主體並非出於真意或無從自由選擇或其無法拒絕或無法於不損及其權益之情況下撤銷同意者,該同意應認定為不具自主性。

(42) Where processing is based on the data subject's consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation. In particular in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware of the fact that and the extent to which consent is given. In accordance with Council Directive 93/13/EEC [10] a declaration of consent pre-formulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language and it should not contain unfair terms. For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended. Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.

[10] Council Directive 93/13/EEC of 5 April 1993 on unfair terms in consumer contracts (OJ L 95, 21.4.1993, p. 29). https://eur-lex.europa.eu/legal-content/EN/AUTO/?uri=OJ:L:1993:095:TOC

[10] Council Directive 93/13/EEC of 5 April 1993 on unfair terms in consumer contracts (OJ L 95, 21.4.1993, p. 29). https://eur-lex.europa.eu/legal-content/EN/AUTO/?uri=OJ:L:1993:095:TOC

相关文章

3. 資料主體有權隨時撤回其同意。同意之撤回不影響撤回前基於該 同意所為處理之合法性。資料主體為同意前,資料主體應受告知其得 隨時撤回該同意。同意之撤回應與給予同意一樣容易。

3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph to article 7(3) GDPR:

7.3.4 Providing mechanism to modify or withdraw consent

Control

The organization should provide a mechanism for PII principals to modify or withdraw their consent.

Implementation guidance

The organization should inform PII principals of their rights related to withdrawing consent (which may vary by jurisdiction) at any time, and provide the mechanism to do so.


访问全文

相关文章

4. 在評估同意之給予是否具自主性時,應特別考慮,包括但不限於, 契約之履行(包括服務之提供)依存於個人資料處理之同意,且處理 個人資料非履行契約所必要者。

4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII processors.

Here is the relevant paragraph to article 7(4) GDPR:

8.2.3 Marketing and advertising use

Control

The organization should not use PII processed under a contract for the purposes of marketing and advertising without establishing that prior consent was obtained from the appropriate PII principal.


访问全文

献技

(43) 為確保同意係自主作成,於資料主體與控管者間有顯著失衡之 特定情況下,尤其於該控管者為公務機關且於該特定情況之整體情境 下不可能有自主同意時,個人資料處理之同意欠缺有效之合法性基礎。 於個別情況下應屬適當,卻不允許就不同個人資料處理方式為分別同 意,或同意就契約履行非屬必要,卻將契約之履行(包括服務之提供) 依存於該同意時,同意仍應推定為不具自主性。

(43) In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation. Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.

(32) 同意之給予必須是資料主體依其意思決定就其個人資料處理所 為具體肯定且自由形成、明確、受充分告知及非模糊之指示,諸如: 口頭或書面之聲明,包括以電子方式為之者。同意可能包括於瀏覽網 頁時所點選之選項、為資訊社會服務所做技術設定之選擇或其他聲明, 或依其脈絡清楚顯示資料主體接受被提案之個人資料處理的行為。因 此,單純沉默、預設選項為同意或不為表示不構成同意。同意應涵蓋 基於相同之一個或多個目的所為之全部處理活動。如個人資料之處理 具有多重目的者,應為全部目的取得同意。如資料主體之同意係基於 電子方式之請求者,該請求必須清楚、簡潔且對所提供服務之使用不 構成非必要之破壞。

(32) Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.

相关文章
專家評論 ISO 27701 献技 指南和案例法 发表评论
專家評論

(EN) A controller relying on consent as a legal basis to collect, store or use data should respect the basic principles stated in article 4 (11), which provides a legal definition of the notion, and always make sure that it meets the additional conditions listed in article 7. A person must supply a “freely given” consent, distinct from other related matters, and s/he should be offered a “genuine choice” between accepting or refusing to provide it without having to suffer any negative consequences (Guidelines on Consent and recital 42). It is also essential to offer a person full control over her/his consent, including the possibility to withdraw it at any time, and to keep adequate records of consents.


访问全文

Louis-Philippe Gratton
(EN) Louis-Philippe Gratton PhD, LLM
(EN) Privacy Expert

(EN)

Data Subject Request Letter Sample

Concern: Withdrawal of consent to process my personal data

Dear Madam, Dear Sir,

You are currently processing my personal data based on my consent…


访问全文

(EN) Author
Louis-Philippe Gratton
(EN) Louis-Philippe Gratton PhD, LLM
(EN) Privacy Expert
ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph to articles 7(1) and 7(2) GDPR:

7.2.4 Obtain and record consent

Control

The organization should obtain and record consent from PII principals according to the documented processes.

Implementation guidance

The organization should obtain and record consent from PII principals in such a way that it can provide on request details of the consent provided (for example the time that consent was provided, the identification of the PII principal, and the consent statement).


访问全文

献技

(32) 同意之給予必須是資料主體依其意思決定就其個人資料處理所 為具體肯定且自由形成、明確、受充分告知及非模糊之指示,諸如: 口頭或書面之聲明,包括以電子方式為之者。同意可能包括於瀏覽網 頁時所點選之選項、為資訊社會服務所做技術設定之選擇或其他聲明, 或依其脈絡清楚顯示資料主體接受被提案之個人資料處理的行為。因 此,單純沉默、預設選項為同意或不為表示不構成同意。同意應涵蓋 基於相同之一個或多個目的所為之全部處理活動。如個人資料之處理 具有多重目的者,應為全部目的取得同意。如資料主體之同意係基於 電子方式之請求者,該請求必須清楚、簡潔且對所提供服務之使用不 構成非必要之破壞。

(32) Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.

(33) 為科學研究目的所為之個人資料處理,於資料蒐集當時,通常 不可能完整指明該處理之目的。因此,當科學研究符合公認之道德標 準時,應允許資料主體僅就科學研究之特定範圍為同意之表示。資料 主體應有機會僅就特定研究範圍或預期目的所允許範圍內之部分研 究計畫表示同意。

(33) It is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. Therefore, data subjects should be allowed to give their consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research. Data subjects should have the opportunity to give their consent only to certain areas of research or parts of research projects to the extent allowed by the intended purpose.

(42) 個人資料處理係基於資料主體之同意者,控管者應舉證證明資 料主體同意該處理活動。尤其是在為他事件所為書面聲明時,保護措 施應確保資料主體知悉其所為同意之事實及其同意之範圍。根據歐盟 理事會所定第 93/13/EEC 號指令[10],控管者事先擬定之同意聲明書,應以易懂且方便取得之格式為之,並採用清楚簡易之語言,且不得有不公平條款。為同意所為之告知,資料主體至少應知悉控管者之身分及其個人資料處理所要達成之目的。於資料主體並非出於真意或無從自由選擇或其無法拒絕或無法於不損及其權益之情況下撤銷同意者,該同意應認定為不具自主性。

(42) Where processing is based on the data subject's consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation. In particular in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware of the fact that and the extent to which consent is given. In accordance with Council Directive 93/13/EEC [10] a declaration of consent pre-formulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language and it should not contain unfair terms. For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended. Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.

[10] Council Directive 93/13/EEC of 5 April 1993 on unfair terms in consumer contracts (OJ L 95, 21.4.1993, p. 29). https://eur-lex.europa.eu/legal-content/EN/AUTO/?uri=OJ:L:1993:095:TOC

[10] Council Directive 93/13/EEC of 5 April 1993 on unfair terms in consumer contracts (OJ L 95, 21.4.1993, p. 29). https://eur-lex.europa.eu/legal-content/EN/AUTO/?uri=OJ:L:1993:095:TOC

(43) 為確保同意係自主作成,於資料主體與控管者間有顯著失衡之 特定情況下,尤其於該控管者為公務機關且於該特定情況之整體情境 下不可能有自主同意時,個人資料處理之同意欠缺有效之合法性基礎。 於個別情況下應屬適當,卻不允許就不同個人資料處理方式為分別同 意,或同意就契約履行非屬必要,卻將契約之履行(包括服務之提供) 依存於該同意時,同意仍應推定為不具自主性。

(43) In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation. Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.

指南和案例法 发表评论
[js-disqus]