Data Controller’s Security Obligations (Art. 34 of French Data Protection Act)
The Data Controller must adopt all and any necessary precautionary measures with regard to the nature of the data collected and the risks presented by the data processing in order to preserve the security of the data. These measures must prevent the data from being deformed, damaged or accessed by non-authorized third parties.
The Data Processor must provide the adequate safeguards to ensure the implementation of security and confidentiality measures provided for by Article 34.
Security Obligations within the European Data Protection Regulation (Article 32 of the GDPR)
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of data processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Data Controller and the Data Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including but not limited to:
- the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
- the ability to restore the availability and access to personal data;
- a process for regularly testing, assessing and evaluating the effectiveness of these measures.
Examples of measures taken: encryption and pseudonymisation
Adherence to an approved code of conduct or an approved certification mechanism may be used as evidence of a company’s compliance with the data security requirements.
Notification of Personal Data Security Breaches (Art. 33 and 34 of the GDPR)
Notification of personal data breaches to competent supervisory authorities:
- Who? The Data Controller
- Why? The breach presents a risk to the rights and freedoms of individuals.
- When? Without undue delay and, where feasible, not later than 72 hours after having become aware of the breach.
- Exceptions? If the breach is unlikely to result in a risk to the rights and freedoms of individuals.
The Data Processor notifies the Data Controller no later than 72 hours after having become aware of the breach.
Notifying Data Subjects:
- Who? The Data Controller
- Why? The breach is likely to result in a high risk to the rights and freedoms of individuals.
- When? Without undue delay.
- Exception? The Data Controller has implemented protective measures that either render the personal data unintelligible (such as encryption) or ensure that the high risk is no longer likely to materialise.
Security Obligations for Payment Service Providers and Notification of Breaches (PSD2)
Payment service providers are responsible for the adoption and execution of security measures. In order to receive an authorization as a payment institution, an application must be submitted to competent authorities of its home Member State along with the following information: (…)
- a description of the procedure in place to monitor, handle and follow up on security incidents and security-related customer complaints, including an incident reporting mechanism;
- a description of the process in place to file, monitor, track and restrict access to sensitive payment data, as well as the tracking of the access logs;
- a description of the business continuity provisions;
- a security policy document, including a detailed risk assessment.