[GDPR / Personal Data Protection] Volkswagen fined €1.1 million for GDPR violations during road tests of a test vehicle

Germany's Volkswagen (VW) was fined €1.1 million under the GDPR over road tests in which a test vehicle's active safety systems and on-board cameras were evaluated for how accurately they detect pedestrians, other vehicles, and similar objects. This article explains why the company was fined and which provisions apply.

Failure to inform road users: violation of GDPR Article 13

First, the German DPA (the Lower Saxony data protection authority, LfD Niedersachsen) found a violation of GDPR Article 13 (the duty to inform data subjects when their personal data are collected). The test vehicle's cameras were continuously capturing images and other data of road users, yet the vehicle carried no camera symbol or other required signage to tell any road user that their personal data were being processed.

The English text of the relevant GDPR provisions is reproduced below; for a Chinese translation, see the version published by Taiwan's National Development Council (NDC).

1. Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:
(a) the identity and the contact details of the controller and, where applicable, of the controller’s representative;

(b) the contact details of the data protection officer, where applicable;

(c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;

(d) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;

(e) the recipients or categories of recipients of the personal data, if any;

(f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.

Article 13: Information to be provided where personal data are collected from the data subject

No data processing agreement with the contracted company: violation of GDPR Article 28

The DPA found that Volkswagen had not concluded a data processing agreement with the company that carried out the test drives, in breach of GDPR Article 28. Under the GDPR, whenever processing is outsourced to a processor, a contract (or other binding legal act) must be in place that sets out the subject matter, duration, nature and purpose of the processing and the processor's obligations, so that the data are properly protected. The contract also gives the controller a contractual basis for seeking compensation if the processor breaches it.

3. Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. That contract or other legal act shall stipulate, in particular, that the processor:

(a) processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;

(b) ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

(c) takes all measures required pursuant to Article 32;

(d) respects the conditions referred to in paragraphs 2 and 4 for engaging another processor;

(e) taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III;

(f) assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to the processor;

(g) at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;

(h) makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.

Article 28 – Processor

No data protection impact assessment: violation of GDPR Article 35

The DPA found that Volkswagen had not carried out a data protection impact assessment (DPIA) before processing the personal data, in breach of GDPR Article 35. The GDPR requires a DPIA before any processing that is likely to result in a high risk to individuals' rights and freedoms, in particular where new technologies are used or a publicly accessible area is systematically monitored (continuous camera recording on public roads is a typical case), so that the company has properly considered the risk of leakage and the safeguards needed before the processing begins.

1. Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.

Article 35 – Data protection impact assessment

Technical and organisational security measures not documented: violation of GDPR Article 30

The DPA found that Volkswagen had not listed its technical and organisational security measures in its record of processing activities, in breach of GDPR Article 30. Once personal data have been collected, the controller has a duty to protect them, and that duty is not satisfied by slogans: it must be implemented technically (for example, requiring two-factor authentication before access so that only company staff can view the data) and organisationally (only staff at a specified level or assigned to a specific task may view or use the personal data; everyone else is denied access).
All of this must be clearly visible in the written record; an oral description is not enough.

1. Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:

[…]

(g) where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

Article 30 – Records of processing activities

Conclusion

Since the EU GDPR took effect, companies must pay close attention to every internal and external measure and action they take. Steps that could once be taken without a second thought must now be reviewed carefully from a data protection standpoint to confirm that they comply with the law. Beyond the EU, Japan, South Korea, and China have also adopted strict personal data protection regimes, so any activity that may involve processing personal data calls for caution.

For a comparison of the cross-border transfer provisions of China's Personal Information Protection Law (PIPL) and the GDPR, see: [China PIPL / GDPR] Comparison of the Chinese and GDPR versions of the Standard Contractual Clauses (SCC) for cross-border transfers

Further reading
To learn more about the EU GDPR, see the following links:
GDPR text: https://gdpr-info.eu
Certification course from an official EU body (with Chinese subtitles): https://pinkrose.info/2xweI