A Study of the EU Data Protection Officer System
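  • English title: EU Data Protection Officer: Responsibility, Impact and Enlightenment
  • Authors: Xiao Dongmei; Cheng Siwen
  • Institution: Law School of Xiangtan University
  • Keywords: data protection officer; personal data protection; compliance
  • Journal (Chinese name): TSQB
  • Journal (English name): Library and Information Service
  • Publication date: 2019-02-20 13:57
  • Publisher: 图书情报工作 (Library and Information Service)
  • Year: 2019
  • Issue: v.63; No.615
  • Funding: One of the research outputs of the National Social Science Fund of China key project "Research on the Legal Safeguard System for the Security of Digital Academic Information Resources in the Cloud Environment" (project no. 14AZD076)
  • Language: Chinese
  • Pages: TSQB201902025
  • Page count: 9
  • CN: 02
  • ISSN: 11-1541/G2
  • Classification number: 145-153
Abstract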
[Purpose/significance] The data protection officer (DPO) system in the EU's new data protection regulation (GDPR) has attracted considerable attention. Tracing the evolution of the DPO system, analyzing how DPOs are appointed and what their specific responsibilities are, and examining the implementation and impact of the EU DPO system matters not only for Chinese enterprises trading with Europe but also as an important reference for building the corresponding system of rules in China. [Method/process] A review of the GDPR provisions on the DPO and the related legislative texts shows that data controllers or processors must appoint a data protection officer in the three cases specified by the GDPR. The DPO's responsibilities include informing and advising the data controller's relevant staff, monitoring the compliance of data processing, liaising with data subjects, cooperating with the supervisory authority, recording and documenting data processing activities, training, and confidentiality. [Result/conclusion] Appointing a DPO has a far-reaching effect on ensuring the compliance of data controllers and reducing the burden on supervisory authorities. For Chinese enterprises and institutions, the lesson of the EU DPO system is that a DPO should be appointed in accordance with the GDPR and a complete data protection supervision process should be designed. For data protection supervision and mechanism building in China, the lessons are: clearly stipulate that data controllers must establish dedicated data protection posts staffed by professionals, hold non-compliant data controllers accountable and penalize them accordingly, and strengthen the construction of data supervisory authorities.