摘要
「個人資料保護法」(Data protection law)已是國際上的重要法律;我國新法(簡稱PIPA)於2012年10月1日施行。而稱號史上最嚴格個資法的歐盟「通用資料保護規定」(簡稱GDPR)則甫於今年5月25日正式施行。個資保護法制化、業務化、究責化的趨勢,使其成為現代公司中資料治理(Data governance)的重要內涵。然而企業界迄今對相關法制的掌握尚缺頭緒,以致法令遵循的業務難以開展。進一步言之,如何將企業的個資管理成果加以合理評價、以判定其是否達成法令遵循,尤其受到關注。國際上的法制經驗顯示:針對組織體個資保護的主要法律監管模式有行政監理制及民間認證制。本文介紹德國法制,評析其對「個資保護稽核」(Datenschutzaudit)的法制經驗與實務內容;此足以顯示個資保護其實具有在地法規的內涵,而我國迄今的認證或輔導思維,則經常是受規範主體的政府與企業,被動接受套裝格式之輔導,因而欠缺本土化的實作深度。另一方面,本文再以歐盟法制為觀察重點,論述其個資保護認證(Data protection certification)的法律意義與發展趨勢,以資參照。在此基礎上,本文旁論及於國發會申請歐盟GDPR「適足性」認定的現實目標,提出由現行台歐間會計稽核的架構、來進行初步「個資保護認證」的建議,期待能加速助成我國政策目標的達成。
並列摘要
The data protection law becomes more and more important, both nationally and internationally. In Taiwan, the Personal Information Protection Act (PIPA) was enacted in 1995 as the first example in Asia; and the newly amended version of PIPA comes into effect in 2012. In the meanwhile, the General Data Protection Regulation of European Union (EU GDPR) takes effect on May 25, 2018. The GDPR imposes stiff fines on data controllers and processors for non-compliance. The potential fines are substantial and a good reason for companies to ensure compliance with the Regulation. With such a legal trend, the data protection issues are becoming an indispensable element in modern corporate governance. Among the solutions to protect the business, the data protection audit or certification mechanism is highly evaluated. The author tries to introduce two models of legal institutionalization of it: the German audit model and the EU certification model. Nevertheless, emphasis is put on both the practical instructions in the local regulation and the operational content in the local compliance, which are the main shortcomings of the actual development in Taiwan. Last but not least important, the accounting audit is recommended to fulfill the relating competence, with the conception of helping Taiwanese government to apply for the EU GDPR equivalence decision.