Show the recitals of the Regulation related to article 32 keyboard_arrow_down
Hide the recitals of the Regulation related to article 32 keyboard_arrow_up
(39) Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed. Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review. Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted. Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.
(83) In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected. In assessing data security risk, consideration should be given to the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed which may in particular lead to physical, material or non-material damage.
Show the recitals of the Directive related to article 32 keyboard_arrow_down
Hide the recitals of the Directive related to article 32 keyboard_arrow_up
(25) Whereas the principles of protection must be reflected, on the one hand, in the obligations imposed on persons, public authorities, enterprises, agencies or other bodies responsible for processing, in particular regarding data quality, technical security, notification to the supervisory authority, and the circumstances under which processing can be carried out, and, on the other hand, in the right conferred on individuals, the data on whom are the subject of processing, to be informed that processing is taking place, to consult the data, to request corrections and even to object to processing in certain circumstances;
(37) Whereas the processing of personal data for purposes of journalism or for purposes of literary of artistic expression, in particular in the audiovisual field, should qualify for exemption from the requirements of certain provisions of this Directive in so far as this is necessary to reconcile the fundamental rights of individuals with freedom of information and notably the right to receive and impart information, as guaranteed in particular in Article 10 of the European Convention for the Protection of Human Rights and Fundamental Freedoms; whereas Member States should therefore lay down exemptions and derogations necessary for the purpose of balance between fundamental rights as regards general measures on the legitimacy of data processing, measures on the transfer of data to third countries and the power of the supervisory authority; whereas this should not, however, lead Member States to lay down exemptions from the measures to ensure security of processing; whereas at least the supervisory authority responsible for this sector should also be provided with certain ex-post powers, e.g. to publish a regular report or to refer matters to the judicial authorities;
(46) Whereas the protection of the rights and freedoms of data subjects with regard to the processing of personal data requires that appropriate technical and organizational measures be taken, both at the time of the design of the processing system and at the time of the processing itself, particularly in order to maintain security and thereby to prevent any unauthorized processing; whereas it is incumbent on the Member States to ensure that controllers comply with these measures; whereas these measures must ensure an appropriate level of security, taking into account the state of the art and the costs of their implementation in relation to the risks inherent in the processing and the nature of the data to be protected;
The GDPR
Article 32 of the Regulation extends, the content of the provisions of the Directive related to the duties of security.
The main purpose of this duty remains the implementation of appropriate technical and organizational measures by the controller and the processor to ensure a level of security that is appropriate to the risk. The risk is therefore logically the main criterion of the measure to be taken. This direct reference to the risk is new compared to the Directive. However, it is still a matter of a standard providing for “standard” behaviour without providing the real content of the standard that must be evaluated by the recipients themselves. The new Regulation attempts to specify the standard in different ways:
- upstream, the Regulation specifies the general criteria for assessment of the appropriate measures: to have regard to the state of the art and the costs of implementation of security measures taking into account the nature, the scope, the context and the purpose of the processing as well as the likelihood and the severity of the risk to the rights and freedoms of the data subjects. This consideration of the risk is also clarified by Article 32 (2), which specifies the origin and the scope, i.e. the risks to the data processing itself, in particular, accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed;
- downstream, the Regulation - in its latest version - sets out four categories of measures that may be, among other things, appropriate according to the needs. First, the personal data pseudonymisation and encryption (a). Then, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services (b). The Regulation aims at the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident (c). Finally, a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing (d).
Both of the controller and the processor are subject to compliance with the same rule, even if in his or her relationship with the processor, the controller is also subject to certain specific rules that have been brought together in Article 28 of the Regulation.
The Regulation, being aware of the difficulty for controllers and processors to comply with a duty, the content of which is always vague enough, indicates that submission to an approved code of conduct as referred to in Article 40, or to an approved mechanism for certification as referred to in Article 42, can be used as an element to demonstrate compliance with the requirements of the obligation for security.
Remember that Article 30 (4) still requires (see Article 29) controllers and processors to take measures to ensure that the persons acting under their authority and having access to the data process such data only on the instruction of not only the controller but also of the processor.
The Directive
The Directive, in its Article 17, required controllers to implement appropriate technical and organizational measures for data protection. Having regard to the state of the art and the cost of their implementation, such measures had to ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.
In the case of acting through a processor, the controller should ensure that such processor provides sufficient guarantees as to the implementation and the compliance with the security measures to be implemented.
A binding legal contract or act should bind the controller and the processor, the latter having to state in particular that he or she will act only on instructions from the controller, as well as the safety measures he or she had to take.
Potential issues
The new text will not remove all the difficulties of evaluation of the obligation for security that the controllers and the processors face for years yet.
The text of Article 32, in its final version nevertheless tries to provide criteria for evaluating the scope and extent of the obligation for security.
Nonetheless, its correct implementation will depend on the structure of the controller, on the quality of the dialogue and communication between the lawyer (the compliance officer and/or the DPO) and the technician, being, each of them, unable to provide an informed response.
Indeed, the substance of the obligation is actually technical and the legal rule cannot lose its neutrality in the face of a constantly changing technical environment. The technicians are then those who must notify the lawyer or the decision-maker to enable them to select the security measures in the most informed manner. But the latter seems to be increasingly dependent on knowledge that is often completely absent.
Also, the Regulation seems to take into account of the lack of awareness of the recipient in terms of the rule that “invites” them to adhere to the codes of conduct or the processes of certification supposed to contain more specific rules and measures. The future will show when they will be available and how they will be implemented in terms of the independence and the neutrality of the certification authorities.
European Union
Retour au sommaire
Article 29 Working Party
Guidelines on the application and setting of administrative fines - wp253 (3 October 2017)
(Endorsed by the EDPB)
The EU has completed a comprehensive reform of data protection regulation in Europe. The reform rests on several pillars (key components): coherent rules, simplified procedures, coordinated actions, user involvement, more effective information and stronger enforcement powers.
Data controllers and data processors have increased responsibilities to ensure that personal data of the individuals is protected effectively. Supervisory authorities have powers to ensure that the principles of the General Data Protection Regulation (hereafter ‘the Regulation’) as well as the rights of the individuals concerned are upheld according to the wording and the spirit of the Regulation.
Consistent enforcement of the data protection rules is central to a harmonized data protection regime. Administrative fines are a central element in the new enforcement regime introduced by the Regulation, being a powerful part of the enforcement toolbox of the supervisory authorities together with the other measures provided by article 58.
This document is intended for use by the supervisory authorities to ensure better application and enforcement of the Regulation and expresses their common understanding of the provisions of article 83 of the Regulation as well as its interplay with articles 58 and 70 and their corresponding recitals.
In particular, according to article 70, (1) (e), the European Data Protection Board (hereafter ‘EDPB’) is empowered to issue guidelines, recommendations and best practices in order to encourage consistent application of this Regulation and article 70, (1), (k) specifies the provision for guidelines concerning the setting of administrative fines.
These guidelines are not exhaustive, neither will they provide explanations about the differences between administrative, civil or criminal law systems when imposing administrative sanctions in general.
In order to achieve a consistent approach to the imposition of the administrative fines, which adequately reflects all of the principles in these guidelines, the EDPB has agreed on a common understanding of the assessment criteria in article 83 (2) of the Regulation and therefore the EDPB and individual supervisory authorities agree on using this Guideline as a common approach.
Link
Guidelines on Personal data breach notification under Regulation 2016/679 - wp250rev.01 (6 February 2018)
(Endorsed by the EDPB)
The General Data Protection Regulation (the GDPR) introduces the requirement for a personal data breach (henceforth “breach”) to be notified to the competent national supervisory authority (or in the case of a cross-border breach, to the lead authority) and, in certain cases, to communicate the breach to the individuals whose personal data have been affected by the breach.
Obligations to notify in cases of breaches presently exist for certain organisations, such as providers of publicly-available electronic communications services (as specified in Directive 2009/136/EC and Regulation (EU) No 611/2013). There are also some EU Member States that already have their own national breach notification obligation. This may include the obligation to notify breaches involving categories of controllers in addition to providers of publicly available electronic communication services (for example in Germany and Italy), or an obligation to report all breaches involving personal data (such as in the Netherlands). Other Member States may have relevant Codes of Practice (for example, in Ireland). Whilst a number of EU data protection authorities currently encourage controllers to report breaches, the Data Protection Directive 95/46/EC, which the GDPR replaces, does not contain a specific breach notification obligation and therefore such a requirement will be new for many organisations. The GDPR now makes notification mandatory for all controllers unless a breach is unlikely to result in a risk to the rights and freedoms of individuals. Processors also have an important role to play and they must notify any breach to their controller.
The Article 29 Working Party (WP29) considers that the new notification requirement has a number of benefits. When notifying the supervisory authority, controllers can obtain advice on whether the affected individuals need to be informed. Indeed, the supervisory authority may order the controller to inform those individuals about the breach. Communicating a breach to individuals allows the controller to provide information on the risks presented as a result of the breach and the steps those individuals can take to protect themselves from its potential consequences. The focus of any breach response plan should be on protecting individuals and their personal data. Consequently, breach notification should be seen as a tool enhancing compliance in relation to the protection of personal data. At the same time, it should be noted that failure to report a breach to either an individual or a supervisory authority may mean that under Article 83 a possible sanction is applicable to the controller.
Controllers and processors are therefore encouraged to plan in advance and put in place processes to be able to detect and promptly contain a breach, to assess the risk to individuals, and then to determine whether it is necessary to notify the competent supervisory authority, and to communicate the breach to the individuals concerned when necessary. Notification to the supervisory authority should form a part of that incident response plan.
The GDPR contains provisions on when a breach needs to be notified, and to whom, as well as what information should be provided as part of the notification. Information required for the notification can be provided in phases, but in any event controllers should act on any breach in a timely manner.
In its Opinion 03/2014 on personal data breach notification, WP29 provided guidance to controllers in order to help them to decide whether to notify data subjects in case of a breach. The opinion considered the obligation of providers of electronic communications regarding Directive 2002/58/EC and provided examples from multiple sectors, in the context of the then draft GDPR, and presented good practices for all controllers.
The current Guidelines explain the mandatory breach notification and communication requirements of the GDPR and some of the steps controllers and processors can take to meet these new obligations. They also give examples of various types of breaches and who would need to be notified in different scenarios.
Link
Retour au sommaire
European Union
CJEU caselaw
C-340/21, VB v. Natsionalna agentsia za prihodite (14 December 2023)
1. Articles 24 and 32 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
must be interpreted as meaning that unauthorised disclosure of personal data or unauthorised access to those data by a ‘third party’, within the meaning of Article 4(10) of that regulation, are not sufficient, in themselves, for it to be held that the technical and organisational measures implemented by the controller in question were not ‘appropriate’, within the meaning of Articles 24 and 32.
2. Article 32 of Regulation 2016/679
must be interpreted as meaning that the appropriateness of the technical and organisational measures implemented by the controller under that article must be assessed by the national courts in a concrete manner, by taking into account the risks associated with the processing concerned and by assessing whether the nature, content and implementation of those measures are appropriate to those risks.
3. The principle of accountability of the controller, set out in Article 5(2) of Regulation 2016/679 and given expression in Article 24 thereof,
must be interpreted as meaning that, in an action for damages under Article 82 of that regulation, the controller in question bears the burden of proving that the security measures implemented by it are appropriate pursuant to Article 32 of that regulation.
4. Article 32 of Regulation 2016/679 and the principle of effectiveness of EU law
must be interpreted as meaning that, in order to assess the appropriateness of the security measures implemented by the controller under that article, an expert’s report cannot constitute a systematically necessary and sufficient means of proof.
5. Article 82(3) of Regulation 2016/679
must be interpreted as meaning that the controller cannot be exempt from its obligation to pay compensation for the damage suffered by a data subject, under Article 82(1) and (2) of that regulation, solely because that damage is a result of unauthorised disclosure of, or access to, personal data by a ‘third party’, within the meaning of Article 4(10) of that regulation, in which case that controller must then prove that it is in no way responsible for the event that gave rise to the damage concerned.
6. Article 82(1) of Regulation 2016/679
must be interpreted as meaning that the fear experienced by a data subject with regard to a possible misuse of his or her personal data by third parties as a result of an infringement of that regulation is capable, in itself, of constituting ‘non-material damage’ within the meaning of that provision.
Decision of the Court
Opinion of the advocate general
Retour au sommaire
Retour au sommaire