GDPR评注学习笔记(12)--条文变迁(行为准则)

来源:数据何规

文章摘要
继续学习数据控制者和处理者部分的条文变迁。今日涉及行为准则(P170-171)。 1.

继续学习数据控制者和处理者部分的条文变迁。今日涉及行为准则(P170-171)。

1.行为准则(Code of Conduct)
GDPR Proposal设想由相关协会及其他组织代表数据控制者和处理者起草各种数据保护内容的行为准则,并允许将相关准则提交给监管机构,相关机构会给出其是否符合GDPR的意见。同时,还会提交给欧盟委员会,其会采取相关实施法案以确定相关行政准则是否具有“普遍效力”。行为准则被视为有效落实GDPR的良方。
欧盟理事会对该制度进行修改。监管机构可以批准与几个成员国的加工活动无关的行为准则。然而,与几个成员国的加工活动有关的行为准则应通过一致性机制提交给EDPB,如果EDPB的意见是积极的,则应提交给欧盟理事会批准。认证机构必须监督行为准则的遵守情况
这个制度似乎没有在《个保法》出现,但我觉得似乎有点像我们中国的各种国标、行标。由相关组织进行起草,对上位法进行解释、明晰,备案后具备“准法律”的效力。GDPR第40条的第2款列举的各项内容,其实也可能对应一份国标。当然行为准则可能仅在几个成员国生效。也有可能只针对某类型的企业。体现分而治之的思想。
GDPR第41条的认证,相当于是各自协会、组织对企业进行背书。认证机构也需要持续督促相关公司落实行为准则的要求。可以借鉴,考虑未来要推行的个人信息保护认证,不仅限于出境领域。
GDPR:
Art. 40 Codes of conduct
第40条行为准则
1.The Member States, the supervisory authorities, the Board and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking account of the specific features of the various processing sectors and the specific needs of micro, small and medium-sized enterprises.
1.成员国、监管机构、欧洲数据保护委员会和欧盟委员会应当鼓励拟定行为准则,以促进本条例的合理实施。制定行为准则时,应当考虑到各类数据处理领域的具体特点以及微型、小型和中型企业的具体需求。
2.Associations and other bodies representing categories of controllers or processors may prepare codes of conduct, or amend or extend such codes, for the purpose of specifying the application of this Regulation, such as with regard to:
2.代表各类数据控制者或处理者的机构和协会可以起草行为准则,也可以修改或扩展这些准则来明确本条例的适用,如:
A.fair and transparent processing;
公平、透明的数据处理;
B.the legitimate interests pursued by controllers in specific contexts;
在特定情况下数据控制者追求的合法利益
C.the collection of personal data;
个人数据的收集;
D.the pseudonymisation of personal data;
个人数据的假名化;
E.the information provided to the public and to data subjects;
提供给公众和数据主体的信息;
G.the exercise of the rights of data subjects;
数据主体权利的行使;
H.the information provided to, and the protection of, children, and the manner in which the consent of the holders of parental responsibility over children is to be obtained;
提供给儿童的信息、对儿童的保护,以及对儿童具有家长责任的人的同意的获取方式;
I.the measures and procedures referred to in Articles 24 and 25 and the measures to ensure security of processing referred to in Article 32;
第24 条和第25 条规定的措施和程序以及第32 条规定的确保处理行为安全的措施;
J.the notification of personal data breaches to supervisory authorities and the communication of such personal data breaches to data subjects;
向监管机构报告个人数据的泄露以及将该泄露告知数据主体;
K.the transfer of personal data to third countries or international organisations; or
将个人数据向第三国或国际组织的转移;
K.out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects with regard to processing, without prejudice to the rights of data subjects pursuant to Articles 77 and 79.
用以解决数据控制者和数据主体之间关于处理行为争议的庭外程序和其他争议解决程序,公正地保护第77 条和第79 条中数据主体的权利。
3.In addition to adherence by controllers or processors subject to this Regulation, codes of conduct approved pursuant to paragraph 5 of this Article and having general validity pursuant to paragraph 9 of this Article may also be adhered to by controllers or processors that are not subject to this Regulation pursuant to Article 3 in order to provide appropriate safeguards within the framework of personal data transfers to third countries or international organisations under the terms referred to in point (e) of Article 46(2). Such controllers or processors shall make binding and enforceable commitments, via contractual or other legally binding instruments, to apply those appropriate safeguards including with regard to the rights of data subjects.
3.为了依据第46 条第2 款( e )项规定,对向第三国或国际组织转移个人数据提供适当的安全保障措施,除了受本条例约束的数据控制者和处理者需遵守之外,根据本条第5 款批准的行为准则以及本条第9 款规定的一般有效性,也应被第3 条规定的不属于本条例调整范围内的数据控制者或处理者所遵守。这类数据控制者或处理者应当通过合同条款或者其他具有法律约束力的文件作出具有约束力和执行力的承诺,来适用这些适当的安全保障措施,包括与数据主体的权利相关的安全保障措施。
4.A code of conduct referred to in paragraph 2 of this Article shall contain mechanisms which enable the body referred to in Article 41(1) to carry out the mandatory monitoring of compliance with its provisions by the controllers or processors which undertake to apply it, without prejudice to the tasks and powers of supervisory authorities competent pursuant to Article 55 or 56.
4.本条第2 款规定的行为准则应当包含确保第41 条第1 款规定的机构能够强制监控数据控制者或处理者遵守条款的机制,并且不得影响依据第55 条或第56 条的规定有权限的监管机构的任务和职权 。
5.Associations and other bodies referred to in paragraph 2 of this Article which intend to prepare a code of conduct or to amend or extend an existing code shall submit the draft code, amendment or extension to the supervisory authority which is competent pursuant to Article 55. The supervisory authority shall provide an opinion on whether the draft code, amendment or extension complies with this Regulation and shall approve that draft code, amendment or extension if it finds that it provides sufficient appropriate safeguards.
5.本条第2 款中规定的协会或其他机构准备起草行为准则或修改、扩展现有的准则时,应当将准则的草案、修正案或扩展方案提交给依据第55 条规定的有权的监管机构。监管机构应当就该准则草案、修正案或扩展方案是否符合本条例给出意见,并且在证实其已经提供了充分的适当安全保障措施后批准该准则草案、修正案或扩展方案。
6.Where the draft code, or amendment or extension is approved in accordance with paragraph 5, and where the code of conduct concerned does not relate to processing activities in several Member States, the supervisory authority shall register and publish the code.
6.当准则草案、修正案或扩展方案按照第5 款规定被批准,并且行为准则的内容不涉及在多个成员国进行的数据处理时,监管机构应当登记并公布该准则。
7.Where a draft code of conduct relates to processing activities in several Member States, the supervisory authority which is competent pursuant to Article 55 shall, before approving the draft code, amendment or extension, submit it in the procedure referred to in Article 63 to the Board which shall provide an opinion on whether the draft code, amendment or extension complies with this Regulation or, in the situation referred to in paragraph 3 of this Article, provides appropriate safeguards.
7.当起草的准则涉及在多个成员国进行的数据处理时,根据第55 条规定的有权监管机构应当在批准该准则草案、修正案或扩展方案前按照第63 条的程序将其提交给欧洲数据保护委员会,委员会应当就该准则草案、修正案或扩展方案是否符合本条例或在第3 款规定的情况下是否提供了适当的安全保障措施给出意见。
8.Where the opinion referred to in paragraph 7 confirms that the draft code, amendment or extension complies with this Regulation, or, in the situation referred to in paragraph 3, provides appropriate safeguards, the Board shall submit its opinion to the Commission.
8.如果第7 款规定的意见确认了该准则草案、修正案或扩展方案符合本条例的规定,或者在第3 款规定的情况下,提供了适当的安全保障措施时,欧洲数据保护委员会应当将其意见提交给欧盟委员会。
9.The Commission may, by way of implementing acts, decide that the approved code of conduct, amendment or extension submitted to it pursuant to paragraph 8 of this Article have general validity within the Union. 2Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 93(2).
9.欧盟委员会可以通过实施性法令来决定根据第8 款规定提交给它的已经被批准了的准则草案、修正案或扩展方案在欧盟范围内具 有普遍的效力。实施性法令的制定应当符合本条例第93 条第2 款所规定的审查程序。
10.The Commission shall ensure appropriate publicity for the approved codes which have been decided as having general validity in accordance with paragraph 9.
10.欧盟委员会应当确保对第9 款规定的已经被批准且确定具有普遍约束力的准则进行适当的宣传。
11.The Board shall collate all approved codes of conduct, amendments and extensions in a register and shall make them publicly available by way of appropriate means.
11.欧洲数据保护委员会应当核对所有登记的被批准的行为准则、修正案或扩展方案,并且应当确保它们能被公众通过任何适当的方式所知悉。
Art. 41 Monitoring of approved codes of conduct
第41条 已批准行为准则的监控
1.Without prejudice to the tasks and powers of the competent supervisory authority under Articles 57 and 58, the monitoring of compliance with a code of conduct pursuant to Article 40 may be carried out by a body which has an appropriate level of expertise in relation to the subject-matter of the code and is accredited for that purpose by the competent supervisory authority.
1.在不影响第57 条和第58 条规定的有权监管机构的任务和职权的前提下,对第40 条规定的行为准则的遵守的监控可以由有权监管机构认证的、对准则的主要问题拥有适当专业水准的机构来实施。
2.A body as referred to in paragraph 1 may be accredited to monitor compliance with a code of conduct where that body has:
2.第1 款中规定的机构在具备以下条件时可以被认证,以监控行为准则的遵守:
demonstrated its independence and expertise in relation to the subject-matter of the code to the satisfaction of the competent supervisory authority;
证明了它的独立性和有关准则主要问题的专业水准满足了有权监管机构的要求;
established procedures which allow it to assess the eligibility of controllers and processors concerned to apply the code, to monitor their compliance with its provisions and to periodically review its operation;
已建立程序,使其可以评估适用行为准则的数据控制者和处理者的资格,可以监控他们遵守行为准则条款的情况和定期审查他们的操作;
established procedures and structures to handle complaints about infringements of the code or the manner in which the code has been, or is being, implemented by a controller or processor, and to make those procedures and structures transparent to data subjects and the public; and
已建立程序,以处理针对违反准则的行为或对数据控制者或处理者已经或正在实施准则的方式的投诉,并且向数据主体和公众公开这些程序;并且
demonstrated to the satisfaction of the competent supervisory authority that its tasks and duties do not result in a conflict of interests.
证明了他们的任务和职责不会导致利益冲突并且满足有权监管机构的要求。
3.The competent supervisory authority shall submit the draft requirements for accreditation of a body as referred to in paragraph 1 of this Article to the Board pursuant to the consistency mechanism referred to in Article 63.
3.有权监管机构应当将起草的认证本条第1 款中规定的机构的标准按照第63 条规定的一致性机制提交给欧洲数据保护委员会。
4.Without prejudice to the tasks and powers of the competent supervisory authority and the provisions of Chapter VIII, a body as referred to in paragraph 1 of this Article shall, subject to appropriate safeguards, take appropriate action in cases of infringement of the code by a controller or processor, including suspension or exclusion of the controller or processor concerned from the code. It shall inform the competent supervisory authority of such actions and the reasons for taking them.
4.在不影响有权监管机构的任务和职权以及第八章的条款时,第1 款中规定的机构应当遵守适当安全保障措施,在数据控制者或处理者违反准则时采取适当措施,包括暂停或排除准则涉及的控制者或处理者的权限。同时也应将上述行为以及采取上述行为的原因告知有权的监管机构。
5.The competent supervisory authority shall revoke the accreditation of a body as referred to in paragraph 1 if the requirements for accreditation are not, or are no longer, met or where actions taken by the body infringe this Regulation.
5.不满足或不再满足认证条件或该机构的行为违反本条例规定时,有权监管机构应当撤回第1 款中规定的对于机构的认证。
6.This Article shall not apply to processing carried out by public authorities and bodies.
6.本条不适用于公共机构和组织实施的处理行为。

技术驱动法律,专业成就未来