开始学习数据控制者和处理者部分的条文变迁。今日涉及数据泄漏通知和数据保护影响评估(P167-169)。
1.数据泄露的通知要求
GDPR Proposal引入了数据泄露通知的通用要求,适用于所有类型的数据控制者。第4(9)条将个人数据泄露定义为“安全破坏从而导致意外或非法破坏、丢失、更改、未经授权披露或访问传输、存储或以其他方式处理的个人数据”。控制者应根据第31条向其主管DPA发出泄漏通知,并根据第32条向相关数据主体发出“当个人数据泄漏可能对个人数据的保护或数据主体的隐私产生不利影响”的通知。应在向DPA发出通知之后再向数据主体发出通知,但“不得无故拖延”。如果控制者在数据泄露之前实施了“适当的技术保护措施”,则无需通知数据主体。GDPR Proposal第31(2)条还要求处理者将任何数据泄露情况通知控制者,无论数据泄露带来的风险如何。
Albrecht议员报告将必须向DPA通知数据泄露的截止时间从24小时延长到72小时,但DPA需要保留一份关于所通知的泄露类型的公共登记簿。此外,为了防止过度通知,只有在泄露行为可能对其个人数据、隐私和隐私的保护产生不利影响时,才会通知数据主体,他们的权利或他们的合法利益(例如,在身份盗窃或欺诈、经济损失、身体伤害、重大羞辱或名誉损害的情况下)。
LIBE委员会的文本取消了包含在GDPR Proposal和Albrecht议员报告中的向监管机构报告数据泄露的24小时或72小时期限的要求。相反,数据控制者被要求“毫不拖延地”通知(第31条)。
欧盟理事会的文本是,在可行的情况下,在知悉数据泄露行为后,应在72小时通知受影响的个人,不得无故拖延。根据其基于风险的路径,理事会将向监管机构和个人通报情形仅于可能对个人权利和自由造成高风险的违规行为,如歧视、身份盗窃或欺诈、财务损失、声誉损害、数据保密性丧失,或任何其他重大经济或社会不利因素。理事会还规定了一些向个人发出通知的例外情况,例如使用加密和实施缓解措施。这大大减少了需要向个人发出泄漏通知的次数。
《个保法》的规定较GDPR还是简单,GDPR用了两条规定在发生数据泄露时如何分别通知监管机构和数据主体。在时效、例外情形、通知的内容等方面的规定都更加清楚。我还是更喜欢GDPR的风格,什么时候应该报,什么时候不报,多久时间内应该报,都应该说清楚。“立刻通知”和24小时内通知,还是后者的确定性更高一些。
GDPR:
Art. 33 Notification of a personal data breach to the supervisory authority
第33条通知监管机构个人数据泄漏
1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
1.在发生个人数据泄露的情形时,数据控制者应当自发现之时起 72 小时内,按照第55 条的规定将个人数据泄露的情况报告监管机构,除非该个人数据的泄露不太可能会对自然人的权利和自由造成风险。未能在 72 小时内报告的,则需要说明未及时报告的理由。
- The processor shall notify the controller without undue delay after becoming aware of a personal data breach.
2.数据处理者应当在发现个人数据泄露后立即通知数据控制者。
3. The notification referred to in paragraph 1 shall at least:
3.本条第1 款中所称的报告至少应包括以下内容:
a.describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
阐述个人数据泄露的性质,包括所涉数据主体的种类和大致数量,以及所涉数据记录的种类和大致数量;
b.communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
告知数据保 护专员的姓名和具体联系方式,或其他能够获取更多信息的联系方式;
c.describe the likely consequences of the personal data breach;
阐述个人数据泄露可能导致的结果;
d.describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
阐述数据控制者提议或采取的处理个人数据泄露的措施,还应包括减少个人数据泄露可能导致的不利影响的措施(如果有)。
4.Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
4.到了这一阶段,如果数据控制者不能同时提供上述所有信息,也需要毫无延迟地分阶段提供这些信息。
5.The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with this Article.
5.数据控制者应当记录下所有的个人数据泄露事件,记录应包括个人数据泄露有关的事实、影响及采取的补救措施。该记录必须使监管机构能够核实该记录是符合本条规定的。
Art. 34 Communication of a personal data breach to the data subject
第34条通知数据主体个人数据泄露
1.When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
1.当个人数据泄露可能对自然人的权利和自由产生较高风险时,数据控制者应当立即将个人数据泄露的事实告知数据主体。
2.The communication to the data subject referred to in paragraph 1 of this Article shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to in points (b), (c) and (d) of Article 33(3).
2.本条第1 款规定的告知义务应当用明确和清楚的语言说明个人数据泄露的性质并且至少包含本条例第33 条第3 款(b)(c )和(d )项的信息和建议。
3.The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met:
3.在符合以下条件时,无需履行本条第1 款规定的告知义务:
a.the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
数据控制者已经实施了相应的技术性和组织性保护措施,并且这些措施已经被应用在被泄露的个人数据上,尤其是这种保护措施使得个人数据不被任何未经授权的访问者所接触,例如加密技术;
b.the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise;
数据控制者已经采取了后续的措施确保第1 款中规定的对数据主体权利和自由产生的高风险不再可能成为现实;
c.it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
在涉及不合理的工作比例时,在这种情形下取而代之的是应当通过大众传媒或者类似的手段来使数据主体获得同样有效的告知。
4.If the controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so or may decide that any of the conditions referred to in paragraph 3 are met.
《个保法》:第57条 发生或者可能发生个人信息泄露、篡改、丢失的,个人信息处理者应当立即采取补救措施,并通知履行个人信息保护职责的部门和个人。通知应当包括下列事项:
(一)发生或者可能发生个人信息泄露、篡改、丢失的信息种类、原因和可能造成的危害;
(二)个人信息处理者采取的补救措施和个人可以采取的减轻危害的措施;
(三)个人信息处理者的联系方式。
个人信息处理者采取措施能够有效避免信息泄露、篡改、丢失造成危害的,个人信息处理者可以不通知个人;履行个人信息保护职责的部门认为可能造成危害的,有权要求个人信息处理者通知个人。
2.数据保护影响评估
GDPR Proposal第33条要求数据控制者和处理者在数据处理活动存在特定风险的情况下执行数据保护影响评估(“DPIA”)。但是在征求意见期间,处理员工个人数据等需要进行DPIA的数据处理情形被删除了。
Albrecht议员报告将DPIA作为其改革的另一项核心,并增加了需要进行DPIA的情形,如:个人数据可供大量人员访问,或大量个人数据被处理或与其他数据结合。该报告建议,如果DPIA结果表明数据处理行为涉及高风险,则应咨询DPO意见。
欧盟议会的文本,要求必须先进行风险评估,在某些特定情形下,数据控制者和处理者必须进行DPIA。
欧盟理事会的文本没有保留风险评估的义务,但进一步提供了对于高风险数据处理行为的实施DIPA的要求,不过此义务仅限于数据控制者。此外,该版本的文稿还要求对特征分析活动、敏感数据、生物特征数据和与刑事定罪或过失有关的数据进行DPIA处理。其要求相关监管机构建立一份需要进行DIPA和不需要进行DPIA的数据处理活动清单。若DPIA结果表明数据处理风险较高,且控制者无法采取相关措施降低数据处理风险,此时需事先咨询监管机构意见。监管机构需在6周内回复。
最终结果载于GDPR第35(1)条,该条要求控制人在其数据处理活动可能对个人权利和自由造成高风险的情况下执行DPIA。
《个保法》终于在影响评估中用到了两个条文(55条和56条),这还是三审稿最后拆开的。55条讲适用情形,56条讲个人信息影响评估的内容。但相比较之下,GDPR的规定真是详细太多了。GDPR对监管机构提出了要求,要求出台需要评估的正面和负面清单,这样让企业明确知道什么情况要做DPIA。而《个保法》的范围则大很多。此外,GDPR的预沟通机制也很好,高危处理活动不知道咋办了,先咨询一下。有点像窗口指导,但是给了官方渠道。
GDPR:
Art.35 Data protection impact assessment
第35条 数据保护影响评估
1.Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.
1.当一种处理行为特别是用到了新技术时,考虑到处理行为的性质、范围、内容和目的可能会对自然人的权利和自由产生高风险时,数据控制者应当在处理前完成一份设想的数据处理对个人数据保护影响的评估。一份评估可以提出存在相似高风险的一套类似的处理行为。
2.The controller shall seek the advice of the data protection officer, where designated, when carrying out a data protection impact assessment.
2.数据控制者在实施数据保护影响评估时,在指定的情形下应当征询数据保护专员的建议。
3.A data protection impact assessment referred to in paragraph 1 shall in particular be required in the case of:
3.在以下情形中尤其需要第1 款规定的数据保护影响评估:
a.a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
基于数据的自动化处理包括识别分析 (profiling ),或者基于对该自然人产生法律效力或者类似的显著影响的决定,对自然人个人 方面的系统和广泛的评估;
b.processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or
处理大规模的第9 条第1 款规定的特殊类型的数据,或大规模的第10条规定的有关犯罪记录和违法行为的个人数据;或者
c..a systematic monitoring of a publicly accessible area on a large scale.
对公共区域大规模的系统化监控。
4.The supervisory authority shall establish and make public a list of the kind of processing operations which are subject to the requirement for a data protection impact assessment pursuant to paragraph 1. 2The supervisory authority shall communicate those lists to the Board referred to in Article 68.
4.监管机构应当确定并公开一份清单,列举应当按照第1 款规定进行数据保护影响评估的处理行为。监管机构应当将清单告知第68 条规定的欧洲数据保护委员会。
5.The supervisory authority may also establish and make public a list of the kind of processing operations for which no data protection impact assessment is required. 2The supervisory authority shall communicate those lists to the Board.
5.监管机构同样要确定并公开一份清单,列举不需要进行数据保护影响评估的处理行为。监管机构也应将该清单告知欧洲数据保护委员会。
6.Prior to the adoption of the lists referred to in paragraphs 4 and 5, the competent supervisory authority shall apply the consistency mechanism referred to in Article 63 where such lists involve processing activities which are related to the offering of goods or services to data subjects or to the monitoring of their behaviour in several Member States, or may substantially affect the free movement of personal data within the Union.
6.在采用第4 款和第5 款规定的清单前,若清单涉及向数据主体 提供商品或服务的处理行为,或在多个成员国监控他们的行为的处理行为,或可能对个人数据在欧盟境内的自由流通产生实质影响的处理行为,监管机构应当适用第63条规定的一致性机制。
7.The assessment shall contain at least:
7.评估内容至少应当包括如下方面:
a.a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
对于设想中的处理行为和处理行为的目的系统化的说明,适当的情况下还包括控制者追求的合法利益;
b.an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
基于处理目的,对处理行为的必要性和相称性的评估;
c.an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and
对于第1 款中规定的对数据主体权利和自由产生的风险的评估;
d.the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.
处理这些风险的预想方案,包括安全和保障措施,以及确保个人数据的保护和证明符合本条例 规定的机制。以上方应当考虑数据主体和其他相关人员的权利和合法利益。
8.Compliance with approved codes of conduct referred to in Article 40 by the relevant controllers or processors shall be taken into due account in assessing the impact of the processing operations performed by such controllers or processors, in particular for the purposes of a data protection impact assessment.
8.在对数据控制者或处理者进行的处理行为进行影响评估时,尤其是为了达到数据保护影响评估的目的,应当考虑该数据控制者或处理者对第40 条规定的行为准则的遵守情况。
9.Where appropriate, the controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of processing operations.
9.在适当的情况下,数据控制者应当就计划的处理行为征询数据主体或其代表人的意见,公正地对待商业保护或公共利益或处理行为的安全性。
10.Where processing pursuant to point (c) or (e) of Article 6(1) has a legal basis in Union law or in the law of the Member State to which the controller is subject, that law regulates the specific processing operation or set of operations in question, and a data protection impact assessment has already been carried out as part of a general impact assessment in the context of the adoption of that legal basis, paragraphs 1 to 7 shall not apply unless Member States deem it to be necessary to carry out such an assessment prior to processing activities.
10.依据第6 条第1 款( c )项和 e )项进行的处理行为在数据控制者所遵守的欧盟或成员国法律中具有法律依据,这些法律规定了某一具体处理行为或者一系列处理行为,并且在适用上述法律依据时已经实施了一项作为一般影响评估一部分的数据保护影响评估,该种情况下不适用本条第一部分的数据保护影响评估,该种情况下不适用本条第11到到77款的规定,除非款的规定,除非成员国认为在处理活动前实施数据保护影响评估是有必要的。成员国认为在处理活动前实施数据保护影响评估是有必要的。
11.Where necessary, the controller shall carry out a review to assess if processing is performed in accordance with the data protection impact assessment at least when there is a change of the risk represented by processing operations.
11.必要的时候,至少是当处理行为出现风险变化的时候,数据控制者应当进行复审以评估数据处理行为是否符合数据保护影响评估。
Art.36 Prior consultation
第36条事先咨询
1.The controller shall consult the supervisory authority prior to processing where a data protection impact assessment under Article 35 indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk.
1.当根据第35 条制定的数据保护影响评估表明在控制者缺乏减轻风险的措施会导致高风险时,数据控制者应当在处理前向监管机构咨询。
2.Where the supervisory authority is of the opinion that the intended processing referred to in paragraph 1 would infringe this Regulation, in particular where the controller has insufficiently identified or mitigated the risk, the supervisory authority shall, within period of up to eight weeks of receipt of the request for consultation, provide written advice to the controller and, where applicable to the processor, and may use any of its powers referred to in Article 58. That period may be extended by six weeks, taking into account the complexity of the intended processing.
2.当监管机构认为即将实施的第1 款中规定的处理行为会违反本条例,尤其是数据控制者不能确定和减少风险时,监管机构应当在收到咨询请求后八周的期限内,向数据控制者提供书面建议,并且也适用于数据处理者和按照第58 条规定行使职权的任何人。考虑到即将实施的处理行为的复杂性,这一期限可以延长六周。监管机构应当在收到咨询请求的一个月内将任何延期和延期的原因告知数据控制者和处理者(如果有)。这些期限可以暂停,直到监管机构获得了基于咨询目的所要求的信息。
3.The supervisory authority shall inform the controller and, where applicable, the processor, of any such extension within one month of receipt of the request for consultation together with the reasons for the delay. 4Those periods may be suspended until the supervisory authority has obtained information it has requested for the purposes of the consultation.
3.When consulting the supervisory authority pursuant to paragraph 1, the controller shall provide the supervisory authority with:
3.当按照第1 款向监管机构咨询的时候,数据控制者应当向监管
机构提供以下信息:
a.where applicable, the respective responsibilities of the controller, joint controllersand processors involved in the processing, in particular for processing within a group of undertakings;
处理过程中涉及的控制者、共同控制者和处理者 (如果有)各自的责任,尤其是当处理发生在企业集团内部的时候;
b.the purposes and means of the intended processing;
打算实施的处理行为的目的和方法;
c.the measures and safeguards provided to protect the rights and freedoms of data subjects pursuant to this Regulation;
按照本条例所采取的保护数据主体权利和自由的保障措施
d.where applicable, the contact details of the data protection officer;
数据保护专员的联系方式 (如果有);
e.the data protection impact assessment provided for in Article 35; and
第35 条要求的数据保护影响评估;以及
f.any other information requested by the supervisory authority.
监管机构要求的任何其他信息。
4.Member States shall consult the supervisory authority during the preparation of a proposal for a legislative measure to be adopted by a national parliament, or of a regulatory measure based on such a legislative measure, which relates to processing.
4.成员国在向其国内议会提交有关数据处理行为的立法议案或依据该立法制定行政规制措施时,应当向监管机构咨询。
5.Notwithstanding paragraph 1, Member State law may require controllers to consult with, and obtain prior authorisation from, the supervisory authority in relation to processing by a controller for the performance of a task carried out by the controller in the public interest, including processing in relation to social protection and public health.
5.尽管存在第1 款规定,但当数据控制者为执行与公共利益有关的任务进行数据处理时,包括与社会保障和公共安全有关的处理,成员国法律可以要求数据控制者向监管机构咨询并且征得其事先授权。
《个保法》:
第五十五条有下列情形之一的,个人信息处理者应当事前进行个人信息保护影响评估,并对处理情况进行记录:
(一)处理敏感个人信息;
(二)利用个人信息进行自动化决策;
(三)委托处理个人信息、向其他个人信息处理者提供个人信息、公开个人信息;
(四)向境外提供个人信息;
(五)其他对个人权益有重大影响的个人信息处理活动。
第五十六条个人信息保护影响评估应当包括下列内容:
(一)个人信息的处理目的、处理方式等是否合法、正当、必要;
(二)对个人权益的影响及安全风险;
(三)所采取的保护措施是否合法、有效并与风险程度相适应。
个人信息保护影响评估报告和处理情况记录应当至少保存三年。
