Security of processing
Taking into account the state of the art, the costs of implementation, as well as the nature, scope, context and purposes of processing and the risks to the rights and freedoms of individuals, which vary in their likelihood and seriousness, the controller and processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, which shall include, where appropriate, the following:
the pseudonymization and encryption of personal data;
the ability to ensure, on an ongoing basis, the confidentiality, integrity, availability and resilience of processing systems and services;
the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident; and
a procedure for periodically testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
The assessment of the appropriate level of security shall take particular account of the processing risks, especially those resulting from the destruction, loss, alteration or unauthorized disclosure of, or unauthorized access to, data transmitted, stored or otherwise processed, whether accidental or unlawful.
Adherence to an approved code of conduct referred to in Article 40 or an approved certification mechanism referred to in Article 42 may be used as an element to demonstrate compliance with the requirements referred to in paragraph 1 of this Article.
The controller and the processor shall take measures to ensure that any natural person acting under the authority of the controller or the processor and having access to personal data processes them only on instructions from the controller, unless required to do so by Union or Member State law.