[1] Art.2 para.1 This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.

[2] Art.4 para.2.This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

(a)the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

(b)the monitoring of their behaviour as far as their behaviour takes place within the Union.

Para.3.This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

[3] Art.5 para.1.Personal data shall be:

(a)processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);

(b)collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);

(c)adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

(d)accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);

(e)kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);

(f)processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

[4] Art.4. para.1. Processing shall be lawful only if and to the extent that at least one of the following applies:

(a)the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

(b)processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

(c)processing is necessary for compliance with a legal obligation to which the controller is subject;

(d)processing is necessary in order to protect the vital interests of the data subject or of another natural person;

(e)processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f)processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

[5] Art.7 para.1.Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.

Para.2.If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.

Para.3.The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.

Para.4.When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

[6] GArt.15 para.1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

...

(d)where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;

...

[7] 具体可见Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR .

[8] Ibid.

[9] 欧盟委员会已根据GDPR和LED认可安道尔、阿根廷、加拿大（商业组织）、法罗群岛、根西岛、以色列、马恩岛、日本、泽西岛、新西兰、韩国、瑞士、英国、美国（参与欧盟-美国数据隐私框架的商业组织）和乌拉圭提供了充分的保护。详见https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en，最后访问时间2024年5月8日。

[10] Art.33. para.1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. 2Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

Art.34 para.1. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.

[11] Art.35 para.1. Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.

[12] DECISION OF THE EUROPEAN DATA PROTECTION SUPERVISOR OF 16 JULY 2019ON DPIA LISTS ISSUED UNDER ARTICLES 39(4) AND (5) OF REGULATION (EU)2018/1725.

作者：

• 王红燕，律师，杭州办公室合伙人；业务领域：知识产权权利保护，跨境投资并购，合规和调查；行业领域：电信和互联网，信息和智能技术，传媒、体育和娱乐
• 邱腾岳，杭州办公室，知识产权部
• 张浩冉，杭州办公室，知识产权部