menu MENU
arrow_back Back to the list of all Articles
Change country (Currently : Romania) language
Contact our local member in Romania mail_outline
Visit the website of DB Law office account_balance

arrow_backPrevious Article
Article 32
Next Articlearrow_forward

Security of processing

Official
Texts Guidelines Caselaw Review of
EU Regulation Review of
Nat. Regulation
Show key term(s) and Article(s) related to article 32 of the Regulation keyboard_arrow_down Hide key term(s) and Article(s) related to article 32 keyboard_arrow_up

Articles related to article 32

Key words related to article 32

Show the recitals of the Regulation related to article 32 keyboard_arrow_down Hide the recitals of the Regulation related to article 32 keyboard_arrow_up

(39) Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed. Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review. Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted. Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.

(83) In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected. In assessing data security risk, consideration should be given to the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed which may in particular lead to physical, material or non-material damage.

Show the recitals of the Directive related to article 32 keyboard_arrow_down Hide the recitals of the Directive related to article 32 keyboard_arrow_up

(25) Whereas the principles of protection must be reflected, on the one hand, in the obligations imposed on persons, public authorities, enterprises, agencies or other bodies responsible for processing, in particular regarding data quality, technical security, notification to the supervisory authority, and the circumstances under which processing can be carried out, and, on the other hand, in the right conferred on individuals, the data on whom are the subject of processing, to be informed that processing is taking place, to consult the data, to request corrections and even to object to processing in certain circumstances;

(37) Whereas the processing of personal data for purposes of journalism or for purposes of literary of artistic expression, in particular in the audiovisual field, should qualify for exemption from the requirements of certain provisions of this Directive in so far as this is necessary to reconcile the fundamental rights of individuals with freedom of information and notably the right to receive and impart information, as guaranteed in particular in Article 10 of the European Convention for the Protection of Human Rights and Fundamental Freedoms; whereas Member States should therefore lay down exemptions and derogations necessary for the purpose of balance between fundamental rights as regards general measures on the legitimacy of data processing, measures on the transfer of data to third countries and the power of the supervisory authority; whereas this should not, however, lead Member States to lay down exemptions from the measures to ensure security of processing; whereas at least the supervisory authority responsible for this sector should also be provided with certain ex-post powers, e.g. to publish a regular report or to refer matters to the judicial authorities;

(46) Whereas the protection of the rights and freedoms of data subjects with regard to the processing of personal data requires that appropriate technical and organizational measures be taken, both at the time of the design of the processing system and at the time of the processing itself, particularly in order to maintain security and thereby to prevent any unauthorized processing; whereas it is incumbent on the Member States to ensure that controllers comply with these measures; whereas these measures must ensure an appropriate level of security, taking into account the state of the art and the costs of their implementation in relation to the risks inherent in the processing and the nature of the data to be protected;

The GDPR

Article 32 of the Regulation extends, the content of the provisions of the Directive related to the duties of security.

The main purpose of this duty remains the implementation of appropriate technical and organizational measures by the controller and the processor to ensure a level of security that is appropriate to the risk. The risk is therefore logically the main criterion of the measure to be taken. This direct reference to the risk is new compared to the Directive. However, it is still a matter of a standard providing for “standard” behaviour without providing the real content of the standard that must be evaluated by the recipients themselves. The new Regulation attempts to specify the standard in different ways:

- upstream, the Regulation specifies the general criteria for assessment of the appropriate measures: to have regard to the state of the art and the costs of implementation of security measures taking into account the nature, the scope, the context and the purpose of the processing as well as the likelihood and the severity of the risk to the rights and freedoms of the data subjects. This consideration of the risk is also clarified by Article 32  (2), which specifies the origin and the scope, i.e. the risks to the data processing itself, in particular, accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed;

- downstream, the Regulation - in its latest version - sets out four categories of measures that may be, among other things, appropriate according to the needs. First, the personal data pseudonymisation and encryption (a). Then, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services (b). The Regulation aims at the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident (c). Finally, a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing (d).

Both of the controller and the processor are subject to compliance with the same rule, even if in his or her relationship with the processor, the controller is also subject to certain specific rules that have been brought together in Article 28 of the Regulation.

The Regulation, being aware of the difficulty for controllers and processors to comply with a duty, the content of which is always vague enough, indicates that submission to an approved code of conduct as referred to in Article 40, or to an approved mechanism for certification as referred to in Article 42, can be used as an element to demonstrate compliance with the requirements of the obligation for security.

Remember that Article 30 (4) still requires (see Article 29) controllers and processors to take measures to ensure that the persons acting under their authority and having access to the data process such data only on the instruction of not only the controller but also of the processor.

The Directive

The Directive, in its Article 17, required controllers to implement appropriate technical and organizational measures for data protection. Having regard to the state of the art and the cost of their implementation, such measures had to ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.

In the case of acting through a processor, the controller should ensure that such processor provides sufficient guarantees as to the implementation and the compliance with the security measures to be implemented.

A binding legal contract or act should bind the controller and the processor, the latter having to state in particular that he or she will act only on instructions from the controller, as well as the safety measures he or she had to take.

Potential issues

The new text will not remove all the difficulties of evaluation of the obligation for security that the controllers and the processors face for years yet.

The text of Article 32, in its final version nevertheless tries to provide criteria for evaluating the scope and extent of the obligation for security.

Nonetheless, its correct implementation will depend on the structure of the controller, on the quality of the dialogue and communication between the lawyer (the compliance officer and/or the DPO) and the technician, being, each of them, unable to provide an informed response.

Indeed, the substance of the obligation is actually technical and the legal rule cannot lose its neutrality in the face of a constantly changing technical environment. The technicians are then those who must notify the lawyer or the decision-maker to enable them to select the security measures in the most informed manner. But the latter seems to be increasingly dependent on  knowledge that is often completely absent.

Also, the Regulation seems to take into account of the lack of awareness of the recipient in terms of the rule that “invites” them to adhere to the codes of conduct or the processes of certification supposed to contain more specific rules and measures. The future will show when they will be available and how they will be implemented in terms of the independence and the neutrality of the certification authorities.

arrow_back Previous ArticleArticle 32Next Article arrow_forward
arrow_back Previous ArticleArticle 32 Next Article arrow_forward

Summary

European Union

European Union

Retour au sommaire

Article 29 Working Party

Guidelines on the application and setting of administrative fines - wp253 (3 October 2017)

(Endorsed by the EDPB)

The EU has completed a comprehensive reform of data protection regulation in Europe. The reform rests on several pillars (key components): coherent rules, simplified procedures, coordinated actions, user involvement, more effective information and stronger enforcement powers.

Data controllers and data processors have increased responsibilities to ensure that personal data of the individuals is protected effectively. Supervisory authorities have powers to ensure that the principles of the General Data Protection Regulation (hereafter ‘the Regulation’) as well as the rights of the individuals concerned are upheld according to the wording and the spirit of the Regulation.

Consistent enforcement of the data protection rules is central to a harmonized data protection regime. Administrative fines are a central element in the new enforcement regime introduced by the Regulation, being a powerful part of the enforcement toolbox of the supervisory authorities together with the other measures provided by article 58.

This document is intended for use by the supervisory authorities to ensure better application and enforcement of the Regulation and expresses their common understanding of the provisions of article 83 of the Regulation as well as its interplay with articles 58 and 70 and their corresponding recitals.

In particular, according to article 70, (1) (e), the European Data Protection Board (hereafter ‘EDPB’) is empowered to issue guidelines, recommendations and best practices in order to encourage consistent application of this Regulation and article 70, (1), (k) specifies the provision for guidelines concerning the setting of administrative fines.

These guidelines are not exhaustive, neither will they provide explanations about the differences between administrative, civil or criminal law systems when imposing administrative sanctions in general.

In order to achieve a consistent approach to the imposition of the administrative fines, which adequately reflects all of the principles in these guidelines, the EDPB has agreed on a common understanding of the assessment criteria in article 83 (2) of the Regulation and therefore the EDPB and individual supervisory authorities agree on using this Guideline as a common approach.

Link

Guidelines on Personal data breach notification under Regulation 2016/679 - wp250rev.01 (6 February 2018)

(Endorsed by the EDPB)

The General Data Protection Regulation (the GDPR) introduces the requirement for a personal data breach (henceforth “breach”) to be notified to the competent national supervisory authority (or in the case of a cross-border breach, to the lead authority) and, in certain cases, to communicate the breach to the individuals whose personal data have been affected by the breach.

Obligations to notify in cases of breaches presently exist for certain organisations, such as providers of publicly-available electronic communications services (as specified in Directive 2009/136/EC and Regulation (EU) No 611/2013). There are also some EU Member States that already have their own national breach notification obligation. This may include the obligation to notify breaches involving categories of controllers in addition to providers of publicly available electronic communication services (for example in Germany and Italy), or an obligation to report all breaches involving personal data (such as in the Netherlands). Other Member States may have relevant Codes of Practice (for example, in Ireland). Whilst a number of EU data protection authorities currently encourage controllers to report breaches, the Data Protection Directive 95/46/EC, which the GDPR replaces, does not contain a specific breach notification obligation and therefore such a requirement will be new for many organisations. The GDPR now makes notification mandatory for all controllers unless a breach is unlikely to result in a risk to the rights and freedoms of individuals. Processors also have an important role to play and they must notify any breach to their controller.

The Article 29 Working Party (WP29) considers that the new notification requirement has a number of benefits. When notifying the supervisory authority, controllers can obtain advice on whether the affected individuals need to be informed. Indeed, the supervisory authority may order the controller to inform those individuals about the breach. Communicating a breach to individuals allows the controller to provide information on the risks presented as a result of the breach and the steps those individuals can take to protect themselves from its potential consequences. The focus of any breach response plan should be on protecting individuals and their personal data. Consequently, breach notification should be seen as a tool enhancing compliance in relation to the protection of personal data. At the same time, it should be noted that failure to report a breach to either an individual or a supervisory authority may mean that under Article 83 a possible sanction is applicable to the controller.

Controllers and processors are therefore encouraged to plan in advance and put in place processes to be able to detect and promptly contain a breach, to assess the risk to individuals, and then to determine whether it is necessary to notify the competent supervisory authority, and to communicate the breach to the individuals concerned when necessary. Notification to the supervisory authority should form a part of that incident response plan.

The GDPR contains provisions on when a breach needs to be notified, and to whom, as well as what information should be provided as part of the notification. Information required for the notification can be provided in phases, but in any event controllers should act on any breach in a timely manner.

In its Opinion 03/2014 on personal data breach notification, WP29 provided guidance to controllers in order to help them to decide whether to notify data subjects in case of a breach. The opinion considered the obligation of providers of electronic communications regarding Directive 2002/58/EC and provided examples from multiple sectors, in the context of the then draft GDPR, and presented good practices for all controllers.

The current Guidelines explain the mandatory breach notification and communication requirements of the GDPR and some of the steps controllers and processors can take to meet these new obligations. They also give examples of various types of breaches and who would need to be notified in different scenarios.

Link

Retour au sommaire
arrow_back Previous Article Article 32 Next Article arrow_forward

Summary

European Union

European Union

CJEU caselaw

C-340/21,  VB v. Natsionalna agentsia za prihodite (14 December 2023)

1.      Articles 24 and 32 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

must be interpreted as meaning that unauthorised disclosure of personal data or unauthorised access to those data by a ‘third party’, within the meaning of Article 4(10) of that regulation, are not sufficient, in themselves, for it to be held that the technical and organisational measures implemented by the controller in question were not ‘appropriate’, within the meaning of Articles 24 and 32.

2.      Article 32 of Regulation 2016/679

must be interpreted as meaning that the appropriateness of the technical and organisational measures implemented by the controller under that article must be assessed by the national courts in a concrete manner, by taking into account the risks associated with the processing concerned and by assessing whether the nature, content and implementation of those measures are appropriate to those risks.

3.      The principle of accountability of the controller, set out in Article 5(2) of Regulation 2016/679 and given expression in Article 24 thereof,

must be interpreted as meaning that, in an action for damages under Article 82 of that regulation, the controller in question bears the burden of proving that the security measures implemented by it are appropriate pursuant to Article 32 of that regulation.

4.      Article 32 of Regulation 2016/679 and the principle of effectiveness of EU law

must be interpreted as meaning that, in order to assess the appropriateness of the security measures implemented by the controller under that article, an expert’s report cannot constitute a systematically necessary and sufficient means of proof.

5.      Article 82(3) of Regulation 2016/679

must be interpreted as meaning that the controller cannot be exempt from its obligation to pay compensation for the damage suffered by a data subject, under Article 82(1) and (2) of that regulation, solely because that damage is a result of unauthorised disclosure of, or access to, personal data by a ‘third party’, within the meaning of Article 4(10) of that regulation, in which case that controller must then prove that it is in no way responsible for the event that gave rise to the damage concerned.

6.      Article 82(1) of Regulation 2016/679

must be interpreted as meaning that the fear experienced by a data subject with regard to a possible misuse of his or her personal data by third parties as a result of an infringement of that regulation is capable, in itself, of constituting ‘non-material damage’ within the meaning of that provision.

Decision of the Court

Opinion of the advocate general

C-687/21 (25 January 2024) - MediaMarktSaturn

1.      Articles 5, 24, 32 and 82 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), read together

must be interpreted as meaning that in an action for compensation based on Article 82, the fact that the employees of the controller provided to an unauthorised third party in error a document containing personal data is not sufficient, in itself, to consider that the technical and organisational measures implemented by the controller at issue were not ‘appropriate’, within the meaning of Articles 24 and 32.

2.      Article 82(1) of Regulation 2016/679

must be interpreted as meaning that the right to compensation laid down in that provision, in particular in the case of non-material damage, fulfils a compensatory function, in that financial compensation based on that provision must allow the damage actually suffered as a result of the infringement of that regulation to be compensated in full, and not a punitive function.

3.      Article 82 of Regulation 2016/679

must be interpreted as meaning that that article does not require that the severity of the infringement made by the controller be taken into consideration for the purposes of compensation under that provision.

4.      Article 82(1) of Regulation 2016/679

must be interpreted as meaning that the person seeking compensation by way of that provision is required to establish not only the infringement of provisions of that regulation, but also that that infringement caused him or her material or non-material damage.

5.      Article 82(1) of Regulation 2016/679

must be interpreted as meaning that if a document containing personal data was provided to an unauthorised third party and it was established that that person did not become aware of those personal data, ‘non-material damage’, within the meaning of that provision, does not exist due to the mere fact that the data subject fears that, following that communication having made possible the making of a copy of that document before its recovery, a dissemination, even abuse, of those data may occur in the future.

Judgment of the Court 

C-492/23 (2 December 2025) - Russmedia Digital and Inform Media Press

2. Article 32 of Regulation 2016/679 must be interpreted as meaning that the operator of an online marketplace, as controller, within the meaning of Article 4(7) of that regulation, of the personal data contained in advertisements published on its online marketplace, is required to implement appropriate technical and organisational security measures in order to prevent advertisements published there and containing sensitive data, in terms of Article 9(1) of that regulation, from being copied and unlawfully published on other websites.

Opinion of the Advocate General

Judgment of the Court

Retour au sommaire Retour au sommaire
arrow_back Previous Article Article 32 Next Article arrow_forward
Regulation
1e 2e

Art. 32

1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

a) the pseudonymisation and encryption of personal data;

b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

2.   In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

3.   Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.

4.   The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.
1st proposal close

Art. 30

1.           The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected, having regard to the state of the art and the costs of their implementation.

2.           The controller and the processor shall, following an evaluation of the risks, take the measures referred to in paragraph 1 to protect personal data against accidental or unlawful destruction or accidental loss and to prevent any unlawful forms of processing, in particular any unauthorised disclosure, dissemination or access, or alteration of personal data.

3.           The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and conditions for the technical and organisational measures referred to in paragraphs 1 and 2, including the determinations of what constitutes the state of the art, for specific sectors and in specific data processing situations, in particular taking account of developments in technology and solutions for privacy by design and data protection by default, unless paragraph 4 applies.

4.           The Commission may adopt, where necessary, implementing acts for specifying the requirements laid down in paragraphs 1 and 2 to various situations, in particular to:

(a)     prevent any unauthorised access to personal data;

(b)     prevent any unauthorised disclosure, reading, copying, modification, erasure or removal of personal data;

(c)     ensure the verification of the lawfulness of processing operations.

Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
2nd proposal close

Art. 30

1. Having regard to available technology and the costs of implementation and taking into account the nature, scope, context and purposes of the processing as well as the likelihood and severity of the risk for the rights and freedoms of individuals, the controller and the processor shall implement appropriate technical and organisational measures, such as (...) pseudonymisation of personal data to ensure a level of security appropriate to the risk.

1a. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by data processing (...), in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

2. (...)

2a. Adherence to approved codes of conduct pursuant to Article 38 or an approved certification mechanism pursuant to Article 39 may be used as an element to demonstrate compliance with the requirements set out in paragraph 1.

2b. The controller and processor shall take steps to ensure that any person acting under the authority of the controller or the processor who has access to personal data shall not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.

3. (...)

4. (...)
Directive close

Art. 17

1. Member States shall provide that the controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.

2. The Member States shall provide that the controller must, where processing is carried out on his behalf, choose a processor providing sufficient guarantees in respect of the technical security measures and organizational measures governing the processing to be carried out, and must ensure compliance with those measures.

3. The carrying out of processing by way of a processor must be governed by a contract or legal act binding the processor to the controller and stipulating in particular that:

- the processor shall act only on instructions from the controller,

- the obligations set out in paragraph 1, as defined by the law of the Member State in which the processor is established, shall also be incumbent on the processor.

4. For the purposes of keeping proof, the parts of the contract or the legal act relating to data protection and the requirements relating to the measures referred to in paragraph 1 shall be in writing or in another equivalent form.
Romania
compare_arrows

Switzerland close

DSG Art. 7 Datensicherheit
1 Personendaten müssen durch angemessene technische und organisatorische Massnahmen
gegen unbefugtes Bearbeiten geschützt werden.
2 Der Bundesrat erlässt nähere Bestimmungen über die Mindestanforderungen an die
Datensicherheit.

Verordnung zum Bundesgesetz über den Dateschnutz (VDSG)

Art. 8 Allgemeine Massnahmen (VDSG)

1 Wer als Privatperson Personendaten bearbeitet oder ein Datenkommunikationsnetz zur Verfügung stellt, sorgt für die Vertraulichkeit, die Verfügbarkeit und die Integrität der Daten, um einen angemessenen Datenschutz zu gewährleisten.1 Insbesondere schützt er die Systeme gegen folgende Risiken:

a.unbefugte oder zufällige Vernichtung;

b.zufälligen Verlust;

c.technische Fehler;

d.Fälschung, Diebstahl oder widerrechtliche Verwendung;

e.unbefugtes Ändern, Kopieren, Zugreifen oder andere unbefugte Bearbeitungen.

2 Die technischen und organisatorischen Massnahmen müssen angemessen sein. Insbesondere tragen sie folgenden Kriterien Rechnung:

a.Zweck der Datenbearbeitung;

b.Art und Umfang der Datenbearbeitung;

c.Einschätzung der möglichen Risiken für die betroffenen Personen;

d.gegenwärtiger Stand der Technik.

3 Diese Massnahmen sind periodisch zu überprüfen.

 

Art. 9 Besondere Massnahmen (VDSG)

1 Der Inhaber der Datensammlung trifft insbesondere bei der automatisierten Bearbeitung von Personendaten die technischen und organisatorischen Massnahmen, die geeignet sind, namentlich folgenden Zielen gerecht zu werden:

a.Zugangskontrolle: unbefugten Personen ist der Zugang zu den Einrichtungen, in denen Personendaten bearbeitet werden, zu verwehren;

b.Personendatenträgerkontrolle: unbefugten Personen ist das Lesen, Kopieren, Verändern oder Entfernen von Datenträgern zu verunmöglichen;

c.Transportkontrolle: bei der Bekanntgabe von Personendaten sowie beim Transport von Datenträgern ist zu verhindern, dass die Daten unbefugt gelesen, kopiert, verändert oder gelöscht werden können;

d.Bekanntgabekontrolle: Datenempfänger, denen Personendaten mittels Einrichtungen zur Datenübertragung bekannt gegeben werden, müssen identifiziert werden können;

e.Speicherkontrolle: unbefugte Eingabe in den Speicher sowie unbefugte Einsichtnahme, Veränderung oder Löschung gespeicherter Personendaten sind zu verhindern;

f.Benutzerkontrolle: die Benutzung von automatisierten Datenverarbeitungssystemen mittels Einrichtungen zur Datenübertragung durch unbefugte Personen ist zu verhindern;

g.Zugriffskontrolle: der Zugriff der berechtigten Personen ist auf diejenigen Personendaten zu beschränken, die sie für die Erfüllung ihrer Aufgabe benötigen;

h.Eingabekontrolle: in automatisierten Systemen muss nachträglich überprüft werden können, welche Personendaten zu welcher Zeit und von welcher Person eingegeben wurden.

2 Die Datensammlungen sind so zu gestalten, dass die betroffenen Personen ihr Auskunftsrecht und ihr Recht auf Berichtigung wahrnehmen können.

 Art. 101Protokollierung (VDSG)

1 Der Inhaber der Datensammlung protokolliert die automatisierte Bearbeitung von besonders schützenswerten Personendaten oder Persönlichkeitsprofilen, wenn die präventiven Massnahmen den Datenschutz nicht gewährleisten können. Eine Protokollierung hat insbesondere dann zu erfolgen, wenn sonst nicht nachträglich festgestellt werden kann, ob die Daten für diejenigen Zwecke bearbeitet wurden, für die sie erhoben oder bekannt gegeben wurden. Der Beauftragte2 kann die Protokollierung auch für andere Bearbeitungen empfehlen.

2 Die Protokolle sind während eines Jahres revisionsgerecht festzuhalten. Sie sind ausschliesslich den Organen oder privaten Personen zugänglich, denen die Überwachung der Datenschutzvorschriften obliegt, und dürfen nur für diesen Zweck verwendet werden.

 

 Art. 11 Bearbeitungsreglement (VDSG)

1 Der Inhaber einer meldepflichtigen automatisierten Datensammlung (Art. 11a Abs. 3 DSG), die nicht aufgrund von Artikel 11a Absatz 5 Buchstaben b-d DSG von der Meldepflicht ausgenommen ist, erstellt ein Bearbeitungsreglement, das insbesondere die interne Organisation sowie das Datenbearbeitungs- und Kontrollverfahren umschreibt und die Unterlagen über die Planung, die Realisierung und den Betrieb der Datensammlung und der Informatikmittel enthält.

2 Der Inhaber der Datensammlung aktualisiert das Reglement regelmässig. Er stellt es dem Beauftragten oder dem Datenschutzverantwortlichen nach Artikel 11a Absatz 5 Buchstabe e DSG auf Anfrage in einer für sie verständlichen Form zur Verfügung.
arrow_back Previous ArticleArticle 32 Next Article arrow_forward
close

2016 - www.itiplaw.eu.