Standard Overview
The General Data Protection Regulation (GDPR) is a comprehensive data privacy law of the European Union that took effect on 25 May 2018. It governs how organizations collect, use, store, share and protect the personal data of individuals within the EU and the European Economic Area (EEA). Although it is an EU regulation, the GDPR has extraterritorial effect: any organization anywhere in the world that processes the personal data of EU residents must comply. The regulation fundamentally changed the global approach to data privacy, giving individuals unprecedented control over their personal information and imposing strict accountability requirements on data controllers and processors.
The GDPR is built on seven core principles: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability. Organizations must have a lawful basis for processing (such as consent, contract, legal obligation or legitimate interests), implement appropriate technical and organizational measures to keep data secure, carry out data protection impact assessments (DPIAs) for high-risk processing, appoint a data protection officer where required, and report data breaches to the supervisory authority within 72 hours. Non-compliance can result in fines of up to EUR 20 million or 4% of global annual turnover, whichever is higher. The regulation also grants individuals rights, including the rights of access, rectification, erasure (the right to be forgotten), data portability and objection to processing.
Extraterritorial Reach
Applies to any organization worldwide that processes personal data of EU/EEA residents, regardless of where the company is based.
Data Subject Rights
Grants individuals rights to access, rectify, erase, port, and restrict processing of their personal data.
Enforcement & Fines
Supervisory authorities can impose fines up to 4% of global annual turnover or EUR 20 million, whichever is higher.
Core Principles
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
Who Needs to Comply?
Any organization worldwide that collects, processes, or stores personal data of EU/EEA residents — including companies with no physical presence in Europe.
Key Requirements
Lawful Basis for Processing
Organizations must establish a valid legal basis (consent, contract, legal obligation, vital interests, public task, or legitimate interests) before processing any personal data.
Data Protection Impact Assessments
Required for high-risk processing activities. Organizations must assess risks to individuals and implement measures to mitigate them before processing begins.
Breach Notification
Data breaches must be reported to the supervisory authority within 72 hours. Affected individuals must also be notified if the breach poses a high risk.
Data Protection Officer (DPO)
Mandatory for public authorities and organizations conducting large-scale systematic monitoring or processing special category data.
International Data Transfers
Transfers outside the EEA require adequate safeguards such as Standard Contractual Clauses (SCCs), Binding Corporate Rules, or adequacy decisions.
Penalties & Enforcement
Fines up to EUR 20 million or 4% of global annual turnover (whichever is higher). Supervisory authorities can also order processing bans and data erasure.