委托处理个人信息的私法规制  被引量：10

作　　者：曹明德[1] 赵峰 CAO Mingde;ZHAO Feng(Civil,Commercial and Economic Law School,China University of Political Science and Law,Beijing 100088,P.R.China)

机构地区：[1]中国政法大学民商经济法学院,北京100088

出　　处：《重庆大学学报（社会科学版）》2022年第4期203-215,共13页Journal of Chongqing University(Social Science Edition)

基　　金：司法部国家法治与法学理论研究资助项目“人工智能产品法律责任研究”(18SFB039);中国政法大学大健康法治政策创新研究项目资助(Y2020005)。

摘　　要：委托处理个人信息是信息流动、共享与利用的必然选择。《个人信息保护法》第21条专门为委托处理个人信息提供了规范基础,填补了《民法典》《电子商务法》《网络安全法》等规范空白,但就该条的规范内容如何解释适用,对委托处理私法规制的目的、对象及方式等要素的具体展开,仍需藉由解释论予以完善。由于司法实践中,信息处理者通常会援引其与第三人之间存在合同或其他交易安排,系由他人造成了损害而与自身的处理行为无关,给信息主体的权益保护带来了挑战,这构成了委托处理私法规制的核心。作为对委托处理进行私法规制的基础论证,委托处理的法律结构不同于共同处理,信息处理者与受托人之间为从属关系,信息处理者决定了处理的目的、方式,受托人只能按信息处理者的指示处理个人信息。为了更好地保障信息主体的合法权益,委托处理关系内部合同应当包含必备条款以确保受托人合法处理数据,且信息处理者可以检查受托人是否遵守这些规定。相较于《个人信息保护法》第20条由内部主体约定各方的权利义务,第21条第1款详细列举委托处理的目的、期限、处理方式、个人信息的种类、保护措施以及双方的权利和义务等事项,是值得肯定的立法选择。结合《个人信息保护法》第21条第2款以及域外法的通常规则,受托人应当承担依指示处理、服务结束后的返还(或删除)、保密三项法定义务。此外,在转委托、告知同意以及适当化任命与监督上不能适用委托合同的一般规则,其目的在于确保受托人正确、合适地履行职责,遵守个人信息保护法规。对于各方的责任承担,《个人信息保护法》第69条规定了损害赔偿责任,同时,依靠《民法典》规范实现体系拓展,使信息主体的权益救济不仅可以通过人格权编加以解决,还可以通过侵权责任编进�Entrusted processing of personal information is an inevitable option of information flowing, sharing, and using. Article 21 of the Personal Information Protection Law(PIPL) specifically provides a regulatory basis for entrusted processing of personal information, filling the normative gaps of the Civil Code, the Electronic Commerce Law and the Network Security Law. However, how to interpret and apply the regulatory content of this article, and the specific development of the purpose, objects, methods and other elements of the entrusted processing still needs to be improved through interpretation. In judicial practice, information processors often cite the existence of contracts or other transaction arrangements with a third party, in which the damage is caused by others rather than their own processing behaviors, which brings challenges to the protection of the rights and interests of information subjects. This is the core of civil law regulation of entrusted processing. As the basic argument of private law regulation of entrusted processing, the legal structure of entrusted processing is different from joint processing, in which there is a subordinate relationship between the information processor and the entrusted party. The information processor decides the purpose and method of processing, and the entrusted party can process the personal information only as instructed by the information processor. In order to better safeguard the rights of information subjects, the internal contract of entrusted processing relationship must include mandatory provisions to ensure that the entrusted party legally processes data and the information processor can check whether the entrusted party has complied with these provisions. Compared with Article 20 of the PIPL which stipulates the rights and obligations of each party shall be agreed upon by an internal person, Article 21.1 that lists in detail the purpose, duration, and method of the entrustment, types of personal information, protection measures as well as the rights and

关 键 词：委托处理 个人信息 从属关系 连带责任 

分 类 号：D923[政治法律—民商法学] D922.16[政治法律—法学] D922.294