Data security and breach notification
Are there specific security obligations that must be complied with?
Under the Law on Legal Protection of Personal Data, data controllers and processors must implement appropriate organisational and technical measures to protect personal data against accidental or unlawful destruction, alteration and disclosure and any other unlawful processing. These measures must ensure a level of security that is appropriate to the nature of the personal data being protected and the risks of the processing. The measures must be defined in a written document (eg, personal data processing regulations approved by the data controller or a contract concluded by the data controller and the data processor) in accordance with the general requirements on the organisational and technical data protection measures laid down by the State Data Protection Inspectorate (DPI).
Specific data security requirements are set out in the General Requirements for Organisational and Technical Data Security Means, which have been approved by the director of the DPI.
Are data owners/processors required to notify individuals in the event of a breach?
Electronic communication service providers must notify individuals in the event of a breach where the breach is likely to have a negative impact on the privacy or data security of subscribers or registered users of the service or other persons. Other data owners and processors need not notify individuals in the event of a breach.
Are data owners/processors required to notify the regulator in the event of a breach?
Only electronic communication service providers are required to notify the DPI in the event of a breach. Other data owners and processors need not notify the DPI in the event of a breach.