
Cross-Domain Cybersecurity Enhancement Industry Promotion Program Website ACW

The GDPR's strict penalty provisions: violators face huge fines and criminal penalties

In recent months, while browsing websites, using messaging apps, or downloading mobile apps, you have probably received e-mails from all kinds of website platforms and companies, almost always notifying you about cookie collection or an update to their privacy policy. These notices and privacy-policy updates are related to the EU's recent enforcement of what is billed as the strictest personal data protection law in history, the General Data Protection Regulation (GDPR).
But are the penalties for violating the GDPR really that severe? What factors do supervisory authorities consider when imposing them? Besides administrative fines, are there other forms of punishment for violators? Let us find out from the text of the GDPR itself!

Author: Science & Technology Law Institute, Institute for Information Industry (III)

======

First, Article 83(2) of the GDPR sets out how to decide whether a case should be subject to an administrative fine and how the amount of that fine is determined:
GDPR §83(2)
Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of Article 58(2). When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:
(a) the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
(b) the intentional or negligent character of the infringement;
(c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;
(d) the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;
(e) any relevant previous infringements by the controller or processor;
(f) the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
(g) the categories of personal data affected by the infringement;
(h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;
(i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;
(j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and
(k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.
The factors listed in this provision include: (1) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned, the number of data subjects (the individuals to whom the personal data relates) affected, and the degree of damage they suffered; (2) whether the infringement was intentional or negligent; (3) the measures taken by the controller or processor to mitigate the damage suffered by data subjects; (4) the technical or organisational measures implemented by the controller or processor to comply with the GDPR; (5) any previous relevant infringements by the controller or processor; (6) the degree of cooperation with the supervisory authority; (7) the categories of personal data involved in the infringement; (8) when an infringement occurs, for example a personal data breach, whether the controller proactively notified the competent authority; (9) whether the controller or processor complied with corrective measures ordered by the competent authority; (10) whether an EU-approved code of conduct or certification mechanism is adhered to; (11) other factors, such as the benefits gained directly or indirectly from the infringement, and so on.

Second, under Article 83(4) and (5) of the GDPR, a violator may be fined EUR 10 million to 20 million, or 2% to 4% of total worldwide annual turnover; these amounts are very large.
GDPR §83(4)
Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10,000,000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:
(a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43;
(b) the obligations of the certification body pursuant to Articles 42 and 43;
(c) the obligations of the monitoring body pursuant to Article 41(4).
GDPR §83(5)
Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20,000,000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:
(a) the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9;
(b) the data subjects' rights pursuant to Articles 12 to 22;
(c) the transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49;
(d) any obligations pursuant to Member State law adopted under Chapter IX;
(e) non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58(2) or failure to provide access in violation of Article 58(1).
The fine is graded according to the circumstances of the violation. For example, when a personal data breach occurs and the company delays notifying the supervisory authority without a lawful reason, the GDPR provides for a fine of up to EUR 10 million or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher; where personal data is unlawfully transferred to a third country, or the GDPR's provisions on data subject rights (Articles 12 to 22) are violated, the fine is up to EUR 20 million or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Furthermore, the GDPR states in its recitals that, beyond administrative fines, EU Member States may, within the scope of and limits set by the GDPR, adapt their national law to lay down criminal penalties for violators, and those criminal penalties may also allow for confiscation of the profits the violator obtained.
GDPR recital §149
Member States should be able to lay down the rules on criminal penalties for infringements of this Regulation, including for infringements of national rules adopted pursuant to and within the limits of this Regulation. Those criminal penalties may also allow for the deprivation of the profits obtained through infringements of this Regulation. … (remainder omitted)

GDPR recital §150
In order to strengthen and harmonise administrative penalties for infringements of this Regulation, each supervisory authority should have the power to impose administrative fines. This Regulation should indicate infringements and the upper limit and criteria for setting the related administrative fines, which should be determined by the competent supervisory authority in each individual case, taking into account all relevant circumstances of the specific situation, with due regard in particular to the nature, gravity and duration of the infringement and of its consequences and the measures taken to ensure compliance with the obligations under this Regulation and to prevent or mitigate the consequences of the infringement. … (remainder omitted)

In addition, Article 82 of the GDPR makes clear that any data subject who suffers damage, whether material or non-material, as a result of a controller's or processor's infringement of the GDPR may claim compensation from them.
GDPR §82
Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.
… (remainder omitted)

It follows that once a company subject to the GDPR violates it, it not only may be punished with very large fines or criminal penalties, but may also lose the public's confidence in its ability to protect personal data.
Companies affected by the GDPR can therefore, building on their existing personal data protection framework, re-examine whether their personal data protection policies and the corresponding protection procedures satisfy the GDPR's requirements; this may help reduce the manpower and resources the company would otherwise have to invest in responding to the GDPR from scratch.


To learn more about the GDPR, you can read further at the following websites:
