Article 11.3

• 1

  The providers referred to in Article 11.2 shall take appropriate technical and organizational measures for the safety and security of the networks and services they offer in the interest of protecting personal data and privacy of subscribers and users. Taking into account the state of the art and the cost of implementation, the measures shall ensure an appropriate level of security commensurate with the risk involved.

• 2

  The measures referred to in paragraph 1 shall include, in any case:

  • a.

    ensure that only authorized personnel have access to personal data for legally authorized purposes,

  • b.

    the protection of personal data stored or transmitted against inadvertent or unauthorized storage, processing, access, disclosure, alteration, loss, destruction, and

  • c.

    the introduction of a security policy regarding the processing of personal data.

• 3

  The providers referred to in Article 11.2 shall ensure that subscribers are informed of:

  • a.

    particular risks of breaching the safety or security of the offered network or service;

  • b.

    the means, if any, by which the risks referred to in subsection (a) can be countered, insofar as these are measures other than those which the provider is obliged to take under subsection (1), as well as an indication of the expected costs.

• 4

  By or pursuant to general order in council, further obligations and restrictions may be imposed on the providers referred to in Article 11.2 in the interest of the protection of personal data and the protection of the privacy of subscribers and users for the benefit of the safety and security of the networks and services offered by them.