Article 4a (data protection by security and design)

• 1

  The controller and processor shall take appropriate technical and organizational measures to:

  • a.

    ensure and be able to demonstrate that the processing of police data is carried out in accordance with the provisions of or under this Act;

  • b.

    Effectively implement and apply data protection policies and principles respectively;

  • c.

    in determining the means of processing and the processing itself, build into the processing the necessary safeguards, such as pseudonymization, to comply with what is provided by or under this Act and to protect the rights of data subjects.

• 2

  The controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in particular in relation to the processing of the special categories of police data referred to in Article 5, and in such a way that the police data are protected against unauthorized or unlawful processing and against intentional loss, destruction or damage.

• 3

  When implementing the measures referred to in the first and second paragraphs, the controller and the processor shall take into account the nature, scope, context and purposes of the processing, as well as the risks to the rights and freedoms of natural persons which vary in their likelihood and gravity.

• 4

  In addition to the third paragraph, with respect to the first paragraph (c) and the second paragraph, the controller and the processor shall take into account the state of the art and implementation costs.

• 5

  The measures referred to in the first and second paragraphs shall be periodically reviewed and, if necessary, updated.

• 6

  Further rules on the measures referred to in paragraphs 1 and 2 shall be laid down by or pursuant to an order in council.