Data security and breach notification
Are there specific security obligations that must be complied with?
The Data Protection Law obliges data controllers to take the appropriate technical and administrative measures to protect personal data. The law prescribes no specific technical requirements. The International Organisation for Standardisation (ISO) has already produced a set of standards with respect to technical data security measures, ISO/IEC 27000; however, whether the ISO standards correspond to the information security requirements established by the Data Protection Law remains unclear.
Are data owners/processors required to notify individuals in the event of a breach?
In the event that personal data is unlawfully obtained by a third party, the data controller must notify the data subject as soon as possible.
Are data owners/processors required to notify the regulator in the event of a breach?
In the event that personal data is unlawfully obtained by a third party, the data controller must notify the Personal Data Protection Board as soon as possible. If necessary, the board may announce this issue on its own website or via other appropriate means.