EDPB数据跨境传输补充措施的最终建议-中英⽂对照版本
背景
⼤家可能都对欧盟《通⽤数据保护规范》(GDPR)有些了解,近些年来欧盟内基于GDPR出现了很多的个⼈数据保护⽅⾯的案件与判例,也就是在昨天7.30号,欧盟初步决定判处亚马逊因违反欧盟通⽤数据保护条例(GDPR),被欧盟隐私监管机构处以7.46亿欧元(约合8.88亿美元)罚款。据悉,这是⾃2018年5⽉欧盟GDPR规则⽣效以来,迄今为⽌最⼤的⼀笔罚款。
这个法案随时间发展也在不断得到各种补充解释。本⽂正是基于EDPB于2021.6公布的《数据跨境传输补充措施的最终建议》,翻译得到的中英对照版本。相信对于公司业务涉及到公司位于EEA境内或需要为其境内⽤户提供服务的企业来说,本⽂件都会是⽐较重要的参考材料。
本⽂件中针对跨境进⾏个⼈数据的转移活动,提供了准确⽽细致的操作指导,参见下图⽬录。
Executive summary 执⾏提要
The EU General Data Protection Regulation (GDPR) was adopted to rve a dual-purpo: facilitating the free flow of personal data within the European Union, while prerving the fundamental rights and freedoms of individuals, in particular their right to the protection of personal data.
欧盟《通⽤数据保护条例》(GDPR)的通过是为了达到双重⽬的:促进个⼈数据在欧盟内部的⾃由流动,同时维护个⼈的基本权利和⾃由,特别是他们保护个⼈数据的权利。
In its recent judgment C-311/18 (Schrems II) the Court of Justice of the European Union (CJEU) reminds us that the protection granted to personal data in the European Economic Area (EEA) must travel with the data wherever it goes. Transferring personal data to third countries cannot be a means to undermine or water down the protection it is afforded in the EEA. The Court also asrts this by clarifying that the level of protection in third countries does not need to be identical to that guaranteed within the EEA but esntially equivalent. The Court also upholds the validity of standard contractual claus, as a transfer tool that may rve to ensure contractually an esntially equivalent level of protection for data transferred to third countries.
欧盟法院(CJEU)在其最近的第C-311/18号判决(Schrems II)中提醒我们,在欧洲经济区(EEA)对个⼈数据的保护必须跟随数据的转移。将个⼈数据转移到第三国不能成为破坏或削弱其在欧洲经济区所受保护的⼿段。该法院还澄清,第三国的保护⽔平不需要与欧洲经济区内的保护⽔平相同,但要基本等同。法院还⽀持标准合同条款的有效性,认为这是⼀种可⽤来确保在合同上对转移给第三国的数据提供基本上同等保护的数据传输措施。
Standard contractual claus and other transfer 押金收据模板
tools mentioned under Article 46 GDPR do not operate in a vacuum. The Court states that controllers or processors, acting as exporters, are responsible for verifying, on a ca-by-ca basis and, where appropriate, in collaboration with the importer in the third country, if the law or practice of the third country impinges on the effectiveness of the appropriate safeguards contained in the Article 46 GDPR transfer tools. In tho cas, the Court still leaves open the possibility for exporters to implement supplementary measures that fill the gaps in the protection and bring it up to the level required by EU law. The Court does not specify which measures the could be. However, the Court underlines that export小学生四年级作文
ers will need to identify them on a ca-by-ca basis. This is in line with the principle of accountability of Article 5.2染墨香
GDPR, which requires controllers to be responsible for, and be able to demonstrate compliance with the GDPR principles relating to processing of personal data.
标准合同条款和GDPR第46条提及的其他数据传输⼯具并⾮是在“真空”中运作的。法院指出,如果第三国的法律或惯例影响到GDPR第46条转移⼯具中所载的适当保障措施的有效性,那么作为出⼝⽅的控制者或处理者有责任逐案核实,并在适当情况下与第三国的进⼝⽅合作。在这些案件中,法院仍然为出⼝⽅提供了实施补充措施的可能性,以填补这些保护措施的空⽩,以使其达到欧盟法律要求的⽔平。法院没有具体说明这些措施是哪些。不过,法院强调,出⼝⽅将需要根据具体情况加以识别。这符合GDPR第5.2条的责任原则,该原则要求控制者负责并能够证明遵守了GDPR有关个⼈数据处理的原则。
To help exporters (be they controllers or processors, private entities or public bodies, processing personal data within the scope of application of the GDPR) with the complex task of asssing third countries and identifying appropriate supplementary measures where needed, the European Data Protection Board (EDPB) has adopted the recommendations. The recommendations provide exporters with a ries of steps to follow, potential sources of information, and some examples of supplementary measures that could be put in place.
为帮助出⼝⽅(⽆论是控制者或处理者、私营实体或公共机构,在GDPR政策适⽤范围内处理个⼈数据)完成评估第三国和在必要时确定适当补充措施的复杂任务,欧洲数据保护委员会(EDPB)采纳了这些建议。这些建议为出⼝⽅提供了⼀系列可采取的步骤、潜在的信息来源以及⼀些可实施的补充
措施的例⼦。
As a first step, the EDPB advis you, exporters, to know your transfers. Mapping all transfers of personal data to third countries can be a difficult exerci. Being aware of where the personal data goes is however necessary to ensure that it is afforded an esntially equivalent level of protection wherever it is procesd. You must also verify that the data you transfer is adequate, relevant and limited to what is necessary in relation to the purpos for which it is procesd.
第⼀步,EDPB建议你们(出⼝⽅)了解你们的数据转移情况。绘制所有的个⼈数据传输到第三国的数据地图北伐战争时期
可能是⼀项困难的⼯作。然⽽,了解个⼈数据的去向是必要的,以确保⽆论在何处处理个⼈数据时,都能获得实质上同等程度的保护。您还必须确认您转移的数据是充分的、相关的,并且仅限于处理⽬的相关的必要内容。
A cond step is to verify the transfer tool your transfer relies on, amongst tho listed under Chapter V GDPR. If the European Commission has already declared the country, region or ctor to which you are transferring the data as adequate, through one of its adequacy decisions under Article 45 GDPR or under the previous Directive 95/46 as long as the decision is still in force, you will not need to take any further steps, other than monitoring that the adequacy decision remains valid. In th
e abnce of an adequacy decision, you need to rely on one of the transfer tools listed under Articles 46 GDPR. Only in some cas you may be able to rely on one of the derogations provided for in Article 49 GDPR if you meet the conditions. Derogations cannot become “the rule” in practice, but need to be restricted to specific situations.
第⼆步,在GDPR第五章列出的⼯具中,核实您的数据转移所依赖的转移⼯具。如果欧盟委员会已经通过其根据GDPR第45条或之前的第95/46号指令作出的⼀项充分性决定,宣布您将数据传输到的国家、地区或部门是符合充分性认定的,则只要该决定仍然有效,您就⽆需采取任何进⼀步的措施,除了监控充分性决策是否仍然有效。在没有充分性认定的情况下,您需要依赖GDPR第46条所列的转移⼯具之⼀。只有在某些情况下,如果您符合条件,您才能依赖GDPR第49条规定的减免条款之⼀。减免条款不能成为实践中的“规则”,⽽需要局限于具体的情况。
A third step is to asss if there is anything in the law and/or practices in force of the third country that may impinge on
the effectiveness of the appropriate safeguards of the transfer tools you are relying on, in the context of your specific transfer. Your asssment should be focud first and foremost on third country legislation that is relevant to your
transfer and the Article 46 GDPR transfer tool you are relying on. Examining also the practices of the third country’s public authorities will allow you to verify if the safeguards contained in the transfer tool can ensure, in practice, the effective protection of the personal data transferred. Examining the practices will be especially relevant for your asssment where:
(i) legislation in the third country formally meeting EU standards is manifestly not applied/complied with in practice;
(ii) there are practices incompatible with the commitments of the transfer tool where relevant legislation in the third country is lacking;
(iii) your transferred data and/or importer fall or might fall within the scope of problematic legislation (i.e. impinging on the transfer tool’s contractual guarantee of an esntially equivalent level of protection and not meeting EU standards on fundamental rights, necessity and proportionality).
第三步,评估第三国现⾏法律和/或惯例中是否有任何内容可能影响你所依赖的转移⼯具在处理具体数据转移中适当保障措施的有效性。您的评估应⾸先关注与您的转移相关的第三国⽴法以及您所依赖的第46条GDPR转移⼯具。同时检查第三国公共当局的做法将使您能够核实转移⼯具中包含的保障措施是否能够在实践中确保有效保护所转移的个⼈数据。在以下情况下,审查这些实践将对您的评估尤为
重要:(i)第三国有符合欧盟标准的正式⽴法,但在实践中明显未应⽤/不遵守;
(ii)在第三国缺乏相关⽴法的情况下,存在不符合转移⼯具的承诺的做法;
(iii)您转移的数据和/或进⼝⽅,属于或可能属于有问题的⽴法范围(即,影响转移⼯具对基本同等保护⽔平的合同保证,不符合欧盟关于基本权利、必要性和相称性的标准)。
In the first two situations, you will have to suspend the transfer or implement adequate supplementary measures if you wish to proceed with it.
In the third situation, in light of uncertainties surrounding the potential application of problematic legislation to your transfer, you may decide to: suspend the transfer; implement supplementary measures to proceed with it; or alternatively, you may decide to proceed with the transfer without implementing supplementary measures if you consider and are able to demonstrate and document that you have no reason to believe that relevant and problematic legislation will be interpreted and/or applied in practice so as to cover your transferred data and importer.
在前两种情况下,如果你想继续进⾏转移,你必须暂停转移或采取适当的补充措施。
在第三种情况下,鉴于有问题的⽴法可能适⽤于您的数据转移的不确定性,您可以决定:暂停转移;
实施补充措施以继续进⾏传输;或者,如果您认为能够证明和记录,您没有理由相信相关和有问题的⽴法将被解释和/或实际应⽤,以涵盖您转移的数据和数据进⼝⽅,那么您可以决定继续进⾏转移⽽不实施补充措施。
For evaluating the elements to be taken into account when asssing the law of a third country dealing with access to data by public authorities for the purpo of surveillance, plea refer to the EDPB European Esntial Guarantees recommendations.
You should conduct this asssment with due diligence and document it thoroughly. Your competent supervisory and/or judicial authorities may request it and hold you accountable for any decision you take on that basis.
关于评估第三国处理公共当局为监控⽬的获取数据的法律时应考虑的因素,请参考EDPB欧洲基本保障的建议。
您应尽职尽责地进⾏这⼀评估,并将其完整记录在案。你的主管监督和/或司法当局可能会要求你这样做,并对你在此基础上作出的任何决定进⾏问责。
A fourth step is to identify and adopt supplementary measures that are necessary to bring the level o
f protection of the data transferred up to the EU standard of esntial equivalence. This step is only necessary if your asssment reveals that the third country legislation and/or practices impinge on the effectiveness of the Article 46 GDPR transfer tool you are relying on or you intend to rely on in the context of your transfer. The recommendations contain (in Annex 2) a non-exhaustive list of examples of supplementary measures with some of the conditions they would require to be effective.
第四步,确定并采取必要的补充措施,使所转移数据的保护⽔平达到欧盟基本等同标准。仅当您的评估显⽰第三国的⽴法和/或贯例影响到您在转移过程中所依赖的GDPR第46条转移⼯具的有效性时,才有必要执⾏此步骤。这些建议(在附件2中)中包含了关于补充措施的⼀个粗略清单,以及它们所需的⼀些有效条件。
As is the ca for the appropriate safeguards contained in the Article 46 transfer tools, some supplementary measures may be effective in some countries, but not necessarily in others. You will be responsible for asssing their effectiveness in the context of the transfer, and in light of the third country law and practices and the transfer tool you are relying on, as you
will be held accountable for any decision you take on that basis. This might also require you to combine veral supplementary measures. You may ultimately find that no supplementary measure
can ensure an esntially equivalent level of protection for your specific transfer. In tho cas where no supplementary measure is suitable, you must avoid, suspend or terminate 狗狗鼻子干
the transfer to avoid compromising the level of protection of the personal data. You should also conduct this asssment of supplementary measures with due diligence and document it.
与第46条转移⼯具中包含的适当保障措施⼀样,⼀些补充措施可能在⼀些国家有效,但在其他国家未必有效。你将负责根据第三国法律和惯例以及你所依赖的转移⼯具,评估数据转移的有效性。您将对你在此基础上作出的任何决定负责。这可能需要你结合使⽤⼏个补充措施。您也许最终会发现,没有任何补充措施可以确保您的特定数据转移获得实质上同等⽔平的保护。在没有合适的补充措施的情况下,您必须避免、暂停或终⽌转移,以避免损害个⼈数据的保护⽔平。您还应尽职调查并记录对补充措施的评估⼯作。
A fifth step is to take any formal procedural steps the adoption of your supplementary measure may require, depending on the Article 46 GDPR transfer tool you are relying on. The recommendations specify some of 大学周记
the formalities. You may need to consult your competent supervisory authorities on some of them.
The sixth and final step is to re-evaluate at appropriate intervals the level of protection afforded to th
e personal data you transfer to third countries and to monitor if there have been or there will be any developments that may affect it. The principle of accountability requires continuous vigilance of the level of protection of personal data.
第五步,根据你所依赖的GDPR第46条转移⼯具,采取补充措施可能需要的任何正式程序步骤。在本建议中具体说明了其中的⼀些⼿续。您可能需要就其中⼀些问题咨询您的主管监管机构。
第六步,也是最后⼀步,是在适当的时间间隔内重新评估您转移到第三国的个⼈数据的保护⽔平,并监测是否已经或将会有任何可能产⽣影响的变化。问责原则要求对个⼈数据的保护⽔平持续保持警惕。
Supervisory authorities will continue exercising their mandate to monitor the application of the GDPR and enforce it. Supervisory authorities will pay due consideration to the actions exporters take to ensure that the data they transfer is afforded an esntially equivalent level of protection. As the Court recalls, supervisory authorities will suspend or prohibit data transfers in tho cas where they find that an esntially equivalent level of protection cannot be ensured, following an investigation or a complaint.
Supervisory authorities will continue developing guidance for exporters and coordinating their action
s in the EDPB to
ensure consistency in the application of EU data protection law.
监管机构将继续履⾏其职责,监督GDPR的应⽤并予以执⾏。监管当局将适当考虑数据出⼝⽅采取的⾏动,以确保他们传输的数据得到基本同等⽔平的保护。正如法院回顾的那样,在调查或投诉后,如果监管当局发现⽆法确保基本同等程度的保护,那么将暂停或禁⽌数据转移。监管机构将继续为数据出⼝⽅制定指导意见,并协调其在EDPB中的⾏动,以确保欧盟数据保那年初二
护法应⽤的⼀致性。
下载《数据跨境传输补充措施的最终建议》中英对照版本的⽅法
本⽂件已上传⾄CSDN资源,可点击 下载⽂档。
或者,您也可以通过 下载本⽂档。