Data security and breach notification

Security obligations
Are there specific security obligations that must be complied with?

Personal data undergoing processing must be kept and controlled (as far as possible, considering technological innovations, the nature of the data and the specific features of the processing), in such a way as to minimise the risk of:

  • its accidental or wilful destruction or loss;
  • unauthorised access to the data; or
  • processing operations that are either unlawful or inconsistent with the purposes for which the data has been collected.

These security measures may be specified by the Data Protection Authority through a general provision addressing a specific type of data processing, as has been done, for example, for the processing of biometric data and for the processing of personal data by system administrators.

In any case, data controllers must adopt security measures in order to ensure a minimum level of personal data protection. Such measures are listed in Annex B (Technical Specifications Concerning Minimum Security Measures) to the Data Protection Code.

Breach notification
Are data owners/processors required to notify individuals in the event of a breach?

According to the Data Protection Code, only providers of a publicly available electronic communications service (eg, telecoms service providers, Voice over Internet Protocol providers and email service providers) must notify data subjects of a breach.

Where there is a particular risk of a breach of network security, the provider of a publicly available electronic communications service must inform the contracting parties and (where possible) users of all the possible remedies, including an indication of the likely costs involved.

When a personal data breach is likely to be detrimental to the personal data or privacy of the contracting party or another individual, the provider must also notify the contracting party or individual of the breach without delay. The notification described above is not required if the provider has demonstrated to the Data Protection Authority that it has implemented technological protection measures that render the data unintelligible to any entity that is not authorised to access it, and that the measures were applied to the data related to the breach.

The same obligation applies to data breaches related to electronic health files.

The EU General Data Protection Regulation introduces a similar obligation to notify data breaches to every controller and processor, regardless of their qualification as a provider of a publicly available electronic communications service.

Are data owners/processors required to notify the regulator in the event of a breach?

In the event of a personal data breach, providers of publicly available electronic communications services must notify the breach to the Data Protection Authority and the Authority for Communications Safeguards without undue delay.

The same obligation applies to data breaches related to electronic health files.