Data security and breach notification
Are there specific security obligations that must be complied with?
Personal data undergoing processing must be kept and controlled (as far as possible, considering technological innovations, the nature of the data and the specific features of the processing), in such a way as to minimise the risk of:
- its accidental or wilful destruction or loss;
- unauthorised access to the data; or
- processing operations that are either unlawful or inconsistent with the purposes for which the data has been collected.
Specific measures can be prescribed by the Data Protection Authority through a general provision addressing a particular type of processing, as it has done, for example, for the processing of biometric data and for the processing of personal data by system administrators.
In any case, data controllers must adopt security measures in order to ensure a minimum level of personal data protection. Such measures are listed in Annex B (Technical Specifications Concerning Minimum Security Measures) to the Data Protection Code.
As of May 25 2018, when the General Data Protection Regulation becomes applicable, Annex B will no longer be in force. Data controllers will instead be accountable for the security measures they have implemented within their own organisations. Article 32 of the General Data Protection Regulation sets the baseline: controllers and processors must implement technical and organisational measures appropriate to the risk, such as encryption or pseudonymisation, the ability to restore availability after an incident, and regular testing of the measures' effectiveness. In this regard, the Data Protection Authority has stated that it will publish best practices on which data controllers may rely when performing their own assessment of security measures.
Are data owners/processors required to notify individuals in the event of a breach?
According to the Personal Data Protection Code, only providers of a publicly available electronic communications service (eg, telecoms service providers, Voice over Internet Protocol providers and email service providers) must notify data subjects of a breach.
Where there is a particular risk of a breach of network security, the provider of a publicly available electronic communications service must inform the contracting parties and (where possible) users of all the possible remedies, including an indication of the likely costs involved.
When a personal data breach is likely to adversely affect the personal data or privacy of the contracting party or another individual, the provider must also notify the contracting party or individual of the breach without delay. This notification is not required if the provider has demonstrated to the Data Protection Authority that it has implemented technological protection measures (eg, encryption) that render the data unintelligible to any entity not authorised to access it, and that those measures were applied to the data affected by the breach.
The same obligation applies to data breaches related to electronic health files.
The General Data Protection Regulation extends a similar obligation to all controllers, regardless of whether they qualify as providers of a publicly available electronic communications service: under Article 34, a controller must notify affected data subjects without undue delay when a breach is likely to result in a high risk to their rights and freedoms, while a processor must notify the controller without undue delay after becoming aware of a breach (Article 33(2)).
Are data owners/processors required to notify the regulator in the event of a breach?
In case of a personal data breach, providers of publicly available electronic communications services must notify the breach to the Data Protection Authority and the Authority for Communications Safeguards without undue delay. The same obligation applies to data breaches related to electronic health files.
The General Data Protection Regulation extends to all data controllers the duty to notify a personal data breach to the competent supervisory authority without undue delay and, where feasible, no later than 72 hours after having become aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons; where notification is made after 72 hours, it must be accompanied by the reasons for the delay.