导航
GDPR > Recital 81
下载PDF

Recital 81

Recital 81

(81) 為確保處理者代控管者執行處理活動時遵循本規則,當委託處 理者處理活動時,控管者應只委託具有足夠保證(尤其是就專業知識、 可信度與資源而言)之處理者,以符合本規則之要求而執行科技化與 組織化之措施,包括處理之安全性。處理者採取經核准的行為守則或 認證機制可用以證明其有遵循控管者之義務。處理者就處理之執行應 受到契約或符合歐盟法或會員國法之其他法規控管,將處理者結合至 控管者、明列主體事項及處理持續之時間、處理之本質與目的、個人 資料之類型及資料主體之分類,並考慮所欲執行之處理脈絡下處理者 之特定任務與責任,以及資料主體之權利與自由的風險。控管者與處 理者得選擇使用個別性契約或定型化契約條款,該條款須或為執委會 所直接採用,或經監管機關以一致性機制再由執委會所採用者。代表 控管者完成處理後,基於控管者之選擇,處理者應返還或刪除個人資 料,除非處理者所受拘束之歐盟法或會員國法要求處理者儲存個人資 料。

(81) To ensure compliance with the requirements of this Regulation in respect of the processing to be carried out by the processor on behalf of the controller, when entrusting a processor with processing activities, the controller should use only processors providing sufficient guarantees, in particular in terms of expert knowledge, reliability and resources, to implement technical and organisational measures which will meet the requirements of this Regulation, including for the security of processing.

The adherence of the processor to an approved code of conduct or an approved certification mechanism may be used as an element to demonstrate compliance with the obligations of the controller.

The carrying-out of processing by a processor should be governed by a contract or other legal act under Union or Member State law, binding the processor to the controller, setting out the subject-matter and duration of the processing, the nature and purposes of the processing, the type of personal data and categories of data subjects, taking into account the specific tasks and responsibilities of the processor in the context of the processing to be carried out and the risk to the rights and freedoms of the data subject.

The controller and processor may choose to use an individual contract or standard contractual clauses which are adopted either directly by the Commission or by a supervisory authority in accordance with the consistency mechanism and then adopted by the Commission.

After the completion of the processing on behalf of the controller, the processor should, at the choice of the controller, return or delete the personal data, unless there is a requirement to store the personal data under Union or Member State law to which the processor is subject.