
2019-07-05 18:43 胡友杰
智富时代, 2019, Issue 5


【Abstract】The EU privacy law, the General Data Protection Regulation (GDPR), took effect on 25 May 2018. In today's globalised economy, the companies affected are not only those established within the EU. Many practitioners hold that GDPR merely sets out a bare framework and does not tell anyone what to actually do. Yet the recitals, the preamble that few people read, contain a number of concrete requirements that are easily overlooked.

Although GDPR is an EU regulation, its reach is not limited to companies established in the EU: under Article 3 it also applies to controllers and processors outside the Union that offer goods or services to, or monitor the behaviour of, data subjects in the Union. In today's globalised economy multinational enterprises are everywhere and almost every company has some business that touches the EU, and fines of up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher, make managers shudder. Strengthening personal data protection and achieving GDPR compliance has therefore been a top priority for many enterprises since the regulation's text was finalised in 2016.



First, consider Recital 32 (the numbered paragraphs of the preamble are recitals, not articles; Article 32 of the operative text deals with security of processing): Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for whi



Recital 58 reads as follows: The principle of transparency requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand, and that clear and plain language and, additionally, where appropriate, visualisation be used. Such information could be provided in electronic form, for example, when addressed to the public, through a website. This is of particular relevance in situations where the proliferation of actors and the technological complexity of practice make it difficult for the data subject to know and understand whether, by whom and for what purpose personal data relating to him or her are being collected, such as in the case of online advertising. Given that children merit specific protection, any information and communication, where processing is addressed to a child, should be in such a clear and plain language that the child can easily understand.


Now consider Recital 70: Where personal data are processed for the purposes of direct marketing, the data subject should have the right to object to such processing, including profiling to the extent that it is related to such direct marketing, whether with regard to initial or further processing, at any time and free of charge. That right should be explicitly brought to the attention of the data subject and presented clearly and separately from any other information.

No doubt many companies collect information about how users use a product in order to push other products to them or to target advertising. Without question these are uses for the single purpose of "direct marketing". On this point GDPR is explicit: the user has the right to object to such processing, that is, to refuse to have their behavioural data collected and used for direct marketing, including any profiling carried out for that purpose, at any time and free of charge. GDPR further requires the enterprise to bring such marketing-related collection specifically and clearly to the user's attention, presented separately from any other information. This means the practice of quietly blending the marketing purpose in with other purposes and obtaining a single bundled consent is no longer viable.

So could an enterprise collect and process data covertly and then erase the traces? See Recital 82: In order to demonstrate compliance with this Regulation, the controller or processor should maintain records of processing activities under its responsibility. Each controller and processor should be obliged to cooperate with the supervisory authority and make those records, on request, available to it, so that it might serve for monitoring those processing operations.





[1] General Data Protection Regulation (GDPR), Regulation (EU) 2016/679
