
Data security and breach notification

Security obligations
Are there specific security obligations that must be complied with?

Under the Law Concerning Electronic Information Technology and the Government Regulation Concerning Electronic Systems and Transaction Providers, electronic system providers must do the following to secure electronic systems that store personal data:

  • implement a risk management scheme to mitigate damages and losses;
  • maintain management policies and operational work procedures;
  • maintain a continuous auditing mechanism;
  • maintain and implement procedures and means to avoid parties interfering with the system or causing it to fail or be damaged; and
  • implement a security system that includes prevention procedures and countermeasures against threats and attacks enabling parties to interfere with or damage the system or cause it to fail.

Breach notification
Are data owners/processors required to notify individuals in the event of a breach?

Electronic service providers must provide written notification to personal data owners in the event that the confidentiality of their personal data has been breached.

Are data owners/processors required to notify the regulator in the event of a breach?

In the event that external parties have caused an electronic system to fail or have seriously interfered with an electronic system, electronic service providers must secure the data and immediately notify law enforcement or the Sectoral Supervisory and Management Agency.
