Data Controllers and Data Processors are required to establish and maintain administrative and physical security measures and, if applicable, technical measures for the protection of personal data.
In developing security measures, the data controller should take at least the following into account:
- the inherent risk given the type of personal data;
- the sensitivity of the personal data;
- technological developments;
- the potential consequences of a breach for data subjects;
- the number of data subjects;
- prior vulnerabilities in the processing systems;
- the value of the data to an unauthorised third party; and
- other factors that may impact the level of risk or that result from other applicable laws and regulations.
The Data Protection Regulation also sets out actions that Data Controllers can take in order to comply with the security requirements:
- prepare an inventory of personal data;
- determine the functions and obligations of the person(s) who will process personal data;
- conduct a risk analysis of personal data consisting of identifying dangers and estimating the risks;
- establish the necessary security measures;
- identify gaps between existing security measures and those required for each type of data and each processing system;
- prepare a work plan based on the gap analysis above;
- carry out revisions and/or audits;
- train personnel who process personal data; and
- keep a record of the methods of processing personal data.
The controller or the processor shall take appropriate organisational and technical measures in order to protect personal data from unlawful or accidental destruction, accidental loss, from access or disclosure to unauthorised persons, especially when the processing of data takes place in a network, as well as from any other unlawful form of processing.
The controller shall take the following special security measures:
- define the functions of the organisational units and those of the operators as regards the use of data;
- ensure that data are used only on the order of authorised organisational units or operators;
- instruct all operators concerning their obligations, in conformity with this law and the internal regulations on data protection, including the regulations on data security;
- prohibit access by unauthorised persons to the working facilities of the data controller or processors;
- ensure that data and programmes are accessed only by authorised persons;
- prohibit access to the filing system, and its use, by unauthorised persons;
- ensure that the data processing equipment is operated only upon authorisation, and that every device is secured with preventive measures against unauthorised operation;
- record and document any alteration, rectification, erasure, transfer, etc. of the data.
The controller is obliged to document the technical and organisational measures adjusted and implemented to ensure protection of personal data in compliance with the law and other legal regulations.
The data recorded shall not be used for purposes that are not compatible with the purpose of collection. Consulting or processing data registered in files for any purpose other than that for which they were entered shall be prohibited. Use of data to guarantee national security or public security, for the prevention or investigation of a criminal offence or the prosecution of the offender, or for any infringement of ethics in the regulated professions, is exempt from this rule. Documentation of the data shall be kept only for as long as is necessary for the purpose for which they were collected.
The security level shall be in compliance with the nature of personal data processing. Detailed rules on data security shall be specified by decision of the Commissioner. Procedures for the administration of the data registration, data entry, their processing and disclosure shall be regulated by a decision of the Commissioner.
Controllers, processors and persons who come to know the content of the processed data while exercising their duties shall remain under an obligation of confidentiality and credibility even after termination of their functions. These data shall not be disclosed save where otherwise provided by law. No one acting under the authority of the controller or the processor shall process the personal data to which he or she has access without the authorisation of the controller, unless required by law.