This part begins the discussion of the seventh threat category: Non-compliance, covering Nc.1 through Nc.1.1.
Non-compliance
Non-compliance threats arise when the system deviates from legislation, regulation, or standards and best practices, leading to incomplete management of risk. Privacy-related risks should not be considered in a vacuum: a privacy risk assessment is ideally complemented by attention to broader risk perspectives, such as legal risk and cybersecurity risk.
Nc.1 Regulatory non-compliance
The investigated data collection activities and/or the identified privacy threats are considered legally problematic in the context of the applicable regulatory framework.
Nc.1.1 GDPR
GDPR-related non-compliance threat characteristics. This threat characteristic groups a number of relevant GDPR principles; each sub-characteristic below names the article of the regulation it derives from.
Nc.1.1.1 Insufficient data subject controls
Support for the different data subject rights is lacking. Chapter 3 of GDPR (Articles 12 to 23) codifies a wide range of intervenability and transparency requirements that should be implemented, such as the rights of access, rectification, erasure, restriction, portability and objection.
Nc.1.1.2 Violation of data minimization principle
More personal data is processed than is actually needed. Article 5.1(c) stipulates that "Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed" (data minimisation).
Nc.1.1.3 Unlawful processing of personal data
Personal data is not processed in a lawful way. Article 6 of GDPR codifies the conditions for lawful processing of personal data.
Nc.1.1.3.1 Invalid consent
Personal data collection and processing does not rely on valid consent. The conditions for valid consent are set out in Article 7.
Nc.1.1.3.2 Lawfulness problems not related to consent
Lawfulness problems not related to consent, such as an incorrect lawful ground or automated decision making on sensitive personal data. The remaining lawful grounds (contract, legal obligation, vital interests, public task and legitimate interests) are described in Art. 6.1(b-f).
Nc.1.1.4 Violation of storage limitation principle
Personal data is stored longer than needed. Article 5.1(e) sets out the principle governing the maximum duration of retention: personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes of the processing.