Article 23 of the Data Protection Law stipulates that data operators shall implement a set of legal, organizational and technical measures to ensure personal data protection. Such measures shall: 

• Uphold the rights to privacy, personal and family secrets
• Ensure integrity and security of personal data
• Confidentiality of personal data
• Allow owner of personal data to have guaranteed access to such personal data
• Prevent unauthorised collection and processing of personal data 

Data operators are statutorily obliged to take any necessary and lawful measures to protect personal data and ensure:

• Prevention of unauthorized access to personal data
• Timely detection of unauthorized access to personal information
• No adverse effects of such unauthorized access to personal data 

It is important to note that the obligation of the data operators, as well as any third party acquiring the personal data, to protect confidentiality of the acquired personal data, arises from the moment such data is collected and shall be effective until the moment such data is destroyed or depersonalized.