Data security and breach notification

Security obligations
Are there specific security obligations that must be complied with?

Yes – in particular, measures suited to the types of personal data or categories of data being protected will be taken in order to:

  • prevent unauthorised persons from accessing data processing systems used to process or use personal data (access control);
  • prevent data processing systems from being used without authorisation (access control);
  • ensure that persons authorised to use a data processing system have access only to that data which they are authorised to access, and that personal data cannot be read, copied, altered or removed without authorisation during processing and use and after storage (access control);
  • ensure that personal data cannot be read, copied, altered or removed without authorisation during electronic transfer or transport or while being stored on data storage media, and that it is possible to ascertain and verify which bodies are transferring personal data using data transmission facilities (disclosure control);
  • ensure that it is possible after the fact to verify and ascertain whether personal data has been accessed, altered or removed from data processing systems and, if so, by whom (input control);
  • ensure that personal data processed on behalf of others is processed strictly in compliance with the data controller’s instructions (job control);
  • ensure that personal data is protected against accidental destruction or loss (availability control); and
  • ensure that data collected for different purposes can be processed separately.

Breach notification
Are data owners/processors required to notify individuals in the event of a breach?

A company must immediately notify data subjects if any of the following information has been stored, transferred or disclosed to third parties illegally and threatens to cause serious harm to the rights or legitimate interests of the data subjects:

  • sensitive data;
  • personal data that is subject to professional secrecy;
  • personal data referring to criminal or administrative offences or to suspected criminal or administrative offences; or
  • personal data concerning bank or credit card accounts.

Data subjects must be informed as soon as appropriate measures have been taken to safeguard the data and notification would no longer endanger criminal prosecution. The notification must describe the nature of the illegal disclosure and recommend measures to minimise possible harm. Where notifying the data subjects would require a disproportionate effort – in particular due to the large number of persons affected – it may be replaced by public advertisements of at least half a page in at least two national daily newspapers or by another equally effective measure.

Are data owners/processors required to notify the regulator in the event of a breach?

A company must immediately notify the competent supervisory authority if any of the following information has been stored, transferred or disclosed to third parties illegally and threatens to cause serious harm to the rights or legitimate interests of data subjects:

  • sensitive data;
  • personal data that is subject to professional secrecy;
  • personal data referring to criminal or administrative offences or to suspected criminal or administrative offences; or
  • personal data concerning bank or credit card accounts.

The notification must describe all possible harmful consequences of the illegal disclosure and the measures taken by the body as a result.