是否需要遵守欧盟的《通用数据保护条例》取决于业务模式。《通用数据保护条例》既适用于欧盟内部,也适用于欧盟境外的组织。若属于《通用数据保护条例》涵盖的业务类型,则需要判断是个人信息的“”控制者”还是“处理者”,或者两者都是。根据《通用数据保护条例》,控制者和处理者应当履行不同的义务。本文将解释《通用数据保护条例》下控制者和处理者之间的区别。
Depending on your business model, you may need to comply with the European Union’s (EU) General Data Protection Regulation (GDPR). The GDPR applies both to businesses within the EU and outside the EU. If the GDPR covers your business, you will need to determine whether you are a “controller” or a “processor” of personal information, or both. Depending on whether you are a controller or processor will determine what your obligations are under the GDPR. This article will explain the difference between a controller and processor of data under the GDPR.
《通用数据保护条例》的适用范围
Who Does the GDPR Apply To?
首先是确定《通用数据保护条例》的适用范围。《通用数据保护条例》适用于以下企业:
The first step is to determine whether the GDPR applies to your business. The GDPR applies to businesses that:
欧盟境内设有业务机构;
Are physically located in the EU;
处理欧盟内个人的个人数据与向提供商品或服务相关;或
Target their goods or services to individuals in the EU; or
处理欧盟内个人的个人数据与监控个人相关。
For example, simply allowing EU individuals to access your website does not necessarily mean you have to comply. However, if you offer products in a European currency, you will likely need to comply with the GDPR.
例如,仅仅允许欧盟境内的个人访问网站的,并不意味着网站运营者必须遵守《通用数据保护条例》。但是,如果在提供产品中使用欧元,则可能需要遵守《通用数据保护条例》。
For example, simply allowing EU individuals to access your website does not necessarily mean you have to comply. However, if you offer products in a European currency, you will likely need to comply with the GDPR.
如果确定为《通用数据保护条例》的适用范围,下一步评估处理个人数据的方式属于控制者还是处理者。
If the GDPR applies to your business, the next step is to assess the way you process personal data, as either a controller or a processor.
控制者的界定
What Is a Controller?
控制者是决定从个人处收集哪些个人数据和如何使用这些数据的实体。
A controller is an entity that decides which personal data to collect from individuals. They then also decide how they will use that data.
例如,一个在线零售商收集客户的联系方式,此时他决定收集了哪些信息,属于控制者。
For example, if you are an online retailer and you collect the contact details of your customers, you are deciding which information to collect and are a controller.
控制者将在许多不同的场合处理数据,例如:
If your company is a controller, you will process data on many different occasions. For example, this may be when you:
为了与客户沟通收集联系方式;
Collect contact details to communicate with customers;
在应用上运行分析以寻找用户参与应用方式的趋势;和
Run analytic on your app to look for trends with the way users engage with your app; and
在网站上使用cookie。
Use cookies on your website.
作为控制者处理数据时,都需要选择相应所依据的法律基础。
下面表格列明了可以使用的法律基础。
Each time you process data as a controller, you will need to choose a legal basis on which to do so. The table below explains the legal bases available to you.
处理者的界定
What Is a Processor?
处理者是受控制者的指示处理个人数据的机构。这通常发生在为控制者提供服务的情形。
A processor is a business which is instructed to process personal data by a controller. This often occurs in the context of performing services for that controller.
例如,在如PayPal代表在线零售商处理支付的第三方支付处理程序中,此时零售商是一个控制者,第三方支付处理程序是一个处理者。
For example, a third-party payment processor (TPPP) like PayPal, that processes payments on behalf of an online retailer. Here, the retailer is a controller and the TPPP is a processor.
若稍微复杂点则可能是,如果第三方支付处理程序拥有在线零售商的关键联系人或员工的联系方式,那在这种情况下则是控制者。组织可以是某些信息的控制者,也可以是其他信息的处理者。区分因素是谁在以下方面做决定:
To slightly complicate the matter, the TPPP could also be a controller in this situation if it holds the contact details of a key contact or employee of the online retailer. Businesses can be controllers of some information and processors of other information. The distinguishing factor is who makes the decisions on:
收集哪些信息; 和
Which information is collected; and
如何使用信息。
How to use the information.
数据处理协议
Data Processing Agreements
《通用数据保护条例》要求控制者和处理者与代表他们的处理者和控制者签订数据处理协议,协议中应该列出合同各方处理个人数据的方式。重要的是,这使控制者确保处理者遵守义务。
The GDPR requires that controllers and processors have an agreement in place with their respective processors and controllers. Called a data processing agreement, this document should set out the way each party handles personal data. Importantly, this allows controllers to ensure that processors adhere to the same obligations that they are required to uphold.
例如,收集用户个人数据的移动应用程序机构是控制者。该机构还可能委托开发商为应用程序提供持续的开发服务。在开发和更新应用程序时,开发商可能会使用和分析应用程序业务最初收集的个人数据。
For example, a mobile app business that collects its users’ personal data is a controller. The business may also use a developer to provide ongoing development for the app. While building and updating the app, that developer may use and analyse the personal data originally collected by the app business.
此时,开发商则扮演处理者的角色。应用程序机构应当遵循《通用数据保护条例》下的义务,并需要确保开发商同样遵守。
Here, the developer is acting as a processor. The app business will have obligations under the GDPR and will need to make sure that the developer will comply with these responsibilities.
为确保处理者履行控制者的隐私义务,建议双方使用约定如何处理个人数据的数据处理协议。
To ensure that processors fulfil the privacy obligations of a controller, it is a good idea to use a data processing agreement that sets out how they must handle the personal data.
违反《通用数据保护条例》
Non-Compliance With the GDPR
《通用数据保护条例》还规定了许多其他的义务。如果违反,可能会面临欧盟监管机构的调查和罚款。
There are many other obligations that you will need to comply with under the GDPR. If you fail to do so, your business may face investigations and fines by EU regulators.
如2019年1月,法国监管机构因谷歌未充分获得个人知情同意而处以5000万欧元(约合7900万澳元)的罚款。
For example, in January 2019, a French regulator fined Google €50 million (approximately AUD$79 million) for not adequately obtaining informed consent from individuals.
在欧盟境外也要遵守《通用数据保护条例》
作者:ProfSimonChoi来源:广东良马律师事务所

是否需要遵守欧盟的《通用数据保护条例》取决于业务模式。《通用数据保护条例》既适用于欧盟内部,也适用于欧盟境外的组织。