Use the Lexology Navigator tool to compare the answers in this article with those from other jurisdictions.

Data security and breach notification

Security obligations

Are there specific security obligations that must be complied with?

Yes. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor should implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including as appropriate:

  • the pseudonymisation and encryption of personal data;
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
  • a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

In assessing the appropriate level of security, an account will be taken of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed. 

Breach notification

Are data owners/processors required to notify individuals in the event of a breach?

Yes. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller should communicate the personal data breach to the data subject without undue delay.

Are data owners/processors required to notify the regulator in the event of a breach?

Yes. In the case of a personal data breach, the controller should without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

Click here to view the full article.