导航
GDPR > Recital 36
下载PDF

Recital 36

Recital 36

(36) 控管者於歐盟境內之主要分支機構應為其於歐盟境內核心管理 機構之所在地,但個人資料處理的目的及方式係由控管者於歐盟境內 另一分支機構所決定者,該分支機構應被視為主要分支機構。控管者 於歐盟境內之主要分支機構應按客觀標準判定之,且其應經由穩定之 安排而就個人資料處理之目的及方式等主要決策採取有效及有實際 執行之管理行動。判定主要分支機構之標準不得取決於個人資料處理 是否於該處所為之。為處理個人資料或其處理活動之技術方法或科技之存在與利用,其本身不構成主要分支機構,且因此並非主要分支機構之決定性標準。資料處理者之主要分支機構應為其於歐盟境內核心管理機構之所在地,或其於歐盟境內並無核心管理機構時,為其於歐盟境內為主要處理活動之所在地。於同時涉及控管者及處理者時,主管之領導監管機關應為控管者主要分支機構所在地會員國之監管機關,但處理者之監管機關應被視為係相關監管機關而應參與本規則所定之合作程序。在任何情況下,於裁決草案僅涉及控管者時,有一個或多個分支機構之資料處理者所在之一個或多個會員國監管機關均不得視為係相關監管機關。個人資料處理係由企業集團實施者,控制企業之主要分支機構應被認定為企業集團之主要分支機構,但個人資料處理之目的及方式係由其他企業所決定者,不在此限。

(36) The main establishment of a controller in the Union should be the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union, in which case that other establishment should be considered to be the main establishment.

The main establishment of a controller in the Union should be determined according to objective criteria and should imply the effective and real exercise of management activities determining the main decisions as to the purposes and means of processing through stable arrangements.

That criterion should not depend on whether the processing of personal data is carried out at that location.

The presence and use of technical means and technologies for processing personal data or processing activities do not, in themselves, constitute a main establishment and are therefore not determining criteria for a main establishment.

The main establishment of the processor should be the place of its central administration in the Union or, if it has no central administration in the Union, the place where the main processing activities take place in the Union.

In cases involving both the controller and the processor, the competent lead supervisory authority should remain the supervisory authority of the Member State where the controller has its main establishment, but the supervisory authority of the processor should be considered to be a supervisory authority concerned and that supervisory authority should participate in the cooperation procedure provided for by this Regulation.

In any case, the supervisory authorities of the Member State or Member States where the processor has one or more establishments should not be considered to be supervisory authorities concerned where the draft decision concerns only the controller.

Where the processing is carried out by a group of undertakings, the main establishment of the controlling undertaking should be considered to be the main establishment of the group of undertakings, except where the purposes and means of processing are determined by another undertaking.