
Data Protection in Albania
Data protection laws in Albania
On 19 December 2024, the Parliament of the Republic of Albania passed Law No. 124/2024, titled "On Personal Data Protection" (the "Data Protection Law") (Official Gazette of the Republic of Albania No. 9, dated 17 January 2025). This legislation aims to align Albania's legal framework with the European Union's standards, particularly by incorporating Regulation (EU) 2016/679 (the General Data Protection Regulation, or GDPR) and Directive (EU) 2016/680, both of which address the protection of personal data in various contexts, including criminal law enforcement.
The adoption of this law marks the culmination of an extensive process, with the Office of the Information and Data Protection Commissioner pursuing the alignment of Albanian data protection laws with the GDPR since 2018.
The Data Protection Law establishes the rules for safeguarding individuals' personal data and aims to protect fundamental human rights and freedoms, particularly the right to personal data protection.
Scope
The Data Protection Law applies when personal data are processed in whole or in part by automatic means, as well as to the processing of personal data which are part of a filing system or are intended to become part of a filing system where the processing is not carried out by automatic means; however, the law does not cover data processing by natural persons for purely personal or family purposes (Article 3).
Territorial Scope
The Data Protection Law shall apply:
- to the processing of personal data in the framework of the activities of a controller or processor established in the Republic of Albania, regardless of whether the processing takes place in the Republic of Albania or not;
- to the processing of personal data of data subjects who are located in the Republic of Albania by a controller who is not established in the Republic of Albania, where the processing operations relate to:
  - the offering of goods or services, whether for payment or not, to data subjects in the Republic of Albania; or
  - the monitoring of the behaviour of data subjects, as long as such behaviour takes place in the Republic of Albania;
- to the processing of personal data by a controller or processor who is not established in the Republic of Albania, but in a territory where Albanian law applies on the basis of public international law (Article 4).
Definitions in Albania
Definition of Personal Data
The Data Protection Law defines personal data as any information relating to a data subject (Article 5(3)).
A "data subject" refers to any identified or identifiable natural person. A person is identifiable if he or she can be identified, directly or indirectly, by reference to one or more specific identifiers, such as a name, an identification number, location data, an online identifier or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity (Article 5(23)).
Definition of Sensitive Personal Data
The Data Protection Law defines sensitive data as special categories of personal data that reveal racial or ethnic origin, political opinions, religious beliefs or philosophical views, trade union membership, genetic data, biometric data, data concerning a person's health, life or sexual orientation (Article 5(28)).
"Genetic data" means personal data relating to the inherited or acquired genetic characteristics of a person which provide unique information concerning his or her physiology or health and which are obtained, in particular, from the analysis of a biological sample taken from that person (Article 5(25)).
"Biometric data" means personal data resulting from specific technical processing of the physical, physiological or behavioural characteristics of a person which enable or confirm the unique identification of that person, such as facial images or fingerprints (Article 5(24)).
"Data concerning health" means personal data relating to the physical or mental health of a person, including the provision of healthcare services, which reveal information about his or her state of health (Article 5(26)).
National data protection authority in Albania
The Commissioner for the Right to Information and Personal Data Protection (the "Commissioner") is the Albanian authority in charge of overseeing and ensuring the implementation of the applicable legislation on data protection, with the primary goal of protecting the fundamental rights and freedoms of individuals in relation to the processing of personal data. The Commissioner is an independent authority, elected by a majority of the Parliament members, based on a proposal from the Council of Ministers, for a seven-year term, with the possibility of re-election.
In carrying out their duties and exercising their powers under the Data Protection Law, the Commissioner operates independently, free from any direct or indirect influence, and does not seek or accept instructions. During the Commissioner's term, they are prohibited from engaging in any activities or professions that may conflict with their duties, whether paid or unpaid.
The Commissioner is supported by the Office of the Commissioner, which is provided with the necessary human, technical, financial, and infrastructural resources to effectively perform its functions. The staff operates under the exclusive direction of the Commissioner and reports to them regularly. To fulfil the mission and objectives of the office, the Commissioner may also consult with external advisors on specific matters. The Commissioner has the authority to approve the organizational structure of the Office of the Commissioner.
The Commissioner is seated at:
Rr. "Abdi Toptani", Nd. 5
Postal Code 1001
Tirana
Albania
Registration in Albania
A data controller or processor must notify the Commissioner of the contact details of the Data Protection Officer.
If a data controller or processor is not established in the Republic of Albania but engages in processing activities related to data subjects in Albania, the controller or processor must appoint a representative and notify the Commissioner. This notification must include the identity of the representative appointed in the Republic of Albania. The notification must be provided in writing (Article 25).
This requirement applies when processing involves:
- the offering of goods or services, whether for payment or not, to data subjects in the Republic of Albania; or
- the monitoring of the behaviour of data subjects, as long as such behaviour takes place in the Republic of Albania.
This requirement shall not apply:
- to processing, which is incidental, does not involve the processing of sensitive data or criminal data on a large scale and is not likely to result in a risk to the fundamental rights and freedoms of natural persons, taking into account the nature, context, object and purposes of the processing; or
- to public authorities.
Data protection officers in Albania
Obligation to designate a Data Protection Officer ("DPO") (Article 33)
The controller and the processor must designate a DPO if:
- The processing is carried out by a public authority or body, excluding courts acting in the course of their judicial activities;
- The core activities of the controller or processor involve processing operations that, due to their nature, scope, or purpose, require regular and systematic monitoring of data subjects on a large scale;
- The core activities of the controller or processor involve processing sensitive data or criminal data on a large scale.
A group of companies may appoint a single DPO, who should be easily accessible to each member of the group. In the case of a public authority, one DPO may be designated to cover multiple authorities, considering their organizational structure and size.
In situations not covered by the first paragraph above, the controller, processor, associations, or other bodies representing a category of controllers or processors may, or in some cases must, designate a DPO, as required by law.
Duties and position of the DPO (Article 34)
The DPO has the following duties:
- Provides advice, upon request, to the management bodies of the controller or processor on all matters related to data protection;
- Participates in data protection impact assessments;
- Informs and advises the staff of the controller or processor on data protection, including raising awareness and training staff involved in processing operations;
- Monitors compliance with the Data Protection Law, other applicable data protection provisions, and the policies of the controller or processor, including the assignment of responsibilities, awareness-raising, staff training, and relevant audits;
- Cooperates with and serves as a point of contact for the Commissioner;
- Gives due attention to the risks of infringing fundamental rights and freedoms that may arise from personal data processing, considering the nature, context, circumstances, and purposes of the processing.
The DPO must be appointed based on certified professional qualifications, particularly with sound knowledge of data protection law and practices, and the ability to perform the tasks outlined in the paragraph above.
The DPO may be an employee of the controller or processor, or someone under a service contract. The DPO may hold other responsibilities, but the controller or processor must ensure these duties do not conflict with the role of the DPO.
The controller and processor must ensure the DPO is involved in a timely manner in all matters related to data protection and has the necessary resources to carry out their duties. The DPO must also maintain confidentiality regarding their duties.
The controller and processor must ensure the DPO is not given instructions regarding the performance of their duties and cannot be dismissed or penalized for carrying out their responsibilities. The DPO reports directly to the highest level of management of the controller or processor.
Collection and processing in Albania
The Data Protection Law provides the following definitions:
A "controller" means the natural or legal person and any public authority which, alone or jointly with others, determines the purposes and means of the processing of personal data (Article 5(8)).
A "processor" means the natural or legal person and any public authority which processes personal data on behalf of the controller (Article 5(18)).
Principles for the lawful processing of personal data (Article 6)
Personal data shall be:
- processed lawfully, fairly and in a transparent manner (the "lawfulness, fairness and transparency principle");
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (the "purpose limitation principle");
- adequate, relevant and limited to what is necessary in relation to the purpose(s) (the "data minimization principle");
- accurate and, where necessary, kept up to date (the "accuracy principle");
- kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed (the "storage limitation principle"); and
- processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures (the "integrity and confidentiality principle").
The controller is responsible for, and must be able to demonstrate, compliance with the above principles (the "accountability principle").
Lawfulness of processing of personal data (Article 7)
Processing shall be lawful only if and to the extent that at least one of the following applies:
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Lawfulness of processing of sensitive data (Article 9)
Processing of sensitive data is prohibited.
The processing of sensitive data is permitted if appropriate measures are implemented to protect the fundamental rights and interests of data subjects and only in cases where:
- the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where the applicable legislation provides that the prohibition on processing sensitive data cannot be waived by consent from the data subject;
- processing is necessary for the fulfilment of a specific obligation or right of the controller or of the data subject in the field of employment, social security and social protection, including obligations and rights arising from a collective agreement, in accordance with the applicable legislation in these areas, provided that the fundamental rights and interests of the data subject are guaranteed;
- processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is incapable of giving consent due to his / her health condition or when his / her right to act has been removed or restricted;
- processing is carried out in the course of the lawful activity of a not-for-profit political, philosophical, religious or trade union organization, provided that the processing relates only to members or former members of the organization or to persons who have regular contact with it in the context of its activity, and that the personal data are not disseminated outside the organization without the consent of the data subjects;
- processing relates to personal data which are manifestly made public by the data subject and the processing is necessary for the pursuit of a legitimate interest;
- processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
- processing is necessary for archiving purposes in the public interest, or for historical, research, scientific or statistical purposes, subject to legal provisions.
Lawfulness of processing of data related to criminal offences and convictions (Article 10)
Processing of personal data relating to criminal convictions and offences, or to related security measures, may be carried out only under the control of a competent authority or when the processing is authorised by a law providing appropriate safeguards for the rights and freedoms of data subjects. The judicial status register is maintained under the control and supervision of the Ministry of Justice, in accordance with the legislation in force.
Processing of data for specific purposes:
Processing of personal data and freedom of expression (Article 43)
To balance data protection with freedom of expression and information, exceptions to the Data Protection Law can be applied for journalistic, academic, artistic, and literary purposes, provided:
- The data is necessary for preparing journalistic, academic, literary or artistic materials for publication;
- The data is only used for the specified purpose;
- The publication serves the public interest;
- Applying the Data Protection Law would hinder the purpose;
- The processing does not harm the fundamental rights of data subjects.
If these exceptions are applied, personal data should only be retained for as long as needed for the publication and may be shared with those involved in its creation, with other potential publishers, or for legal purposes.
Additionally, when publishing, the controller must ensure that minors, crime victims, or individuals claiming harm are not identifiable without their consent or court approval, except when the victim is a public figure and the publication relates to their role.
These exceptions do not apply to the processing of data about minors, nor do they override certain other legal provisions.
Processing of personal data and access to information in the public sector (Article 44)
The right to personal data protection is balanced with the right of access to official documents and information, as outlined in the applicable legislation. Public access to information is not restricted by personal data protection laws for public authorities or individuals exercising state functions, unless other fundamental rights (such as the right to life or physical integrity) require specific protection of their data.
Processing of personal data for archiving, research, and statistical purposes (Article 45)
The processing of personal data, including sensitive and criminal data, for archiving in the public interest, or for historical, research, scientific, or statistical purposes, is considered a legitimate interest of the controller, unless the data subject's interests or fundamental rights and freedoms, which require protection of their personal data, take precedence.
Personal data collected for any purpose may be further processed for archiving purposes, historical research, or scientific and statistical purposes.
This processing must be carried out with appropriate safeguards to protect the rights and freedoms of the data subject. These safeguards include, but are not limited to:
- Technical and organizational measures taken by the controller in compliance with Data Protection Law, especially principles of data minimization or pseudonymization, to achieve the processing purpose. If the purpose can be achieved by processing anonymized or pseudonymized data, that method should be used;
- Pseudonymization of data, and where possible, anonymization before transferring data for further processing;
- Specific safeguards to ensure that data is not used for decisions or actions concerning the data subject, unless the data subject has expressly given consent.
Exemptions from certain data subject rights may apply if exercising those rights would significantly hinder or prevent the achievement of the processing purpose. The controller bears the burden of proving that the exercise of these rights would cause such an obstacle to the purpose.
Processing of personal data and direct marketing (Article 46)
See Electronic marketing.
Transfer in Albania
General principles (Article 39)
Personal data that is being processed or will be processed after transfer may only be transferred to a foreign country or international organization or further transferred from one foreign country or international organization to another, if adequate protection for the data is guaranteed at the destination, or if specific safeguards are in place specifically for such transfer.
Transfers required by foreign court or administrative authority decisions will only be recognized or enforced if they are based on an international agreement, such as a mutual legal assistance treaty, in effect between the requesting third country and Albania, and without violating the other transfer criteria outlined in the Data Protection Law.
Transfer of data based on an adequacy decision (Article 40)
Personal data may be transferred to foreign countries or international organizations if the recipient is located in a country, territory, or sector within a foreign country, or belongs to an international organization that ensures an adequate level of data protection. The adequacy of the data protection level for a country, territory, sector, or international organization is determined by a decision of the Commissioner.
Pursuant to the Decision of the Commissioner No. 8, dated 31 October 2016, the following states have an adequate level of data protection:
- European Union member states;
- European Economic Area states;
- Parties to the Convention No. 108 of the Council of Europe "For the Protection of Individuals with regard to Automatic Processing of Personal Data", as well as its 1981 Protocol, which have approved a special law and set up a supervisory authority that operates in complete independence, providing appropriate legal mechanisms, including handling complaints, investigating and ensuring the transparency of personal data processing;
- States where personal data may be transferred, pursuant to a decision of the European Commission.
Transfer of data in the absence of an adequacy decision (Article 41)
In the absence of an adequacy decision, a controller or processor may transfer personal data to a third country or international organization only if appropriate safeguards are in place, and if enforceable data subject rights and effective legal remedies are available for the data subjects.
If appropriate safeguards are not in place, the transfer may only occur if one of the following conditions is met:
- the data subject has explicitly consented to the proposed international transfer, after having been clearly informed of the possible risks of such transfer;
- the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request, or the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party;
- the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically incapable of giving consent, or their right to act has been removed or restricted;
- the transfer is necessary for important reasons of public interest;
- the processing is necessary for the establishment, exercise or defence of a right, obligation or legitimate interest before a court or public authority;
- the transfer is made from a register that is open for consultation by law and provides information to the general public, provided that the transfer includes only certain information and not entire sections of the register.
Where a transfer could not be based on any of the above, a transfer may take place only if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data. The controller shall inform the Commissioner and the data subject of the transfer and on the compelling legitimate interests pursued.
Security in Albania
General responsibility of the controller (Article 22)
The Data Protection Law requires controllers to implement appropriate technical and organizational measures, based on the nature, scope, context, and purposes of the processing, as well as the potential risks to individuals' rights and freedoms. These measures must be regularly reviewed and updated as necessary.
Data protection by design and by default (Article 23)
Controllers should consider technological developments, implementation costs, and the specific circumstances of the processing when determining safeguards, such as pseudonymization, to protect data subjects' rights.
Controllers must ensure that, in a predetermined manner, only the personal data necessary for each specific purpose is processed, including limiting the data collected, its accessibility, and storage period. Security measures must prevent unauthorized access to personal data and maintain the confidentiality, integrity, availability, and resilience of processing systems and services.
Measures to ensure the security of processing (Article 28)
The controller and the processor implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, inter alia, where applicable:
- Pseudonymization and encryption of personal data;
- The ability to ensure the confidentiality, integrity, availability, and resilience of the processing systems and services;
- The ability to restore the availability and access to personal data within a reasonable time in the event of a physical or technical incident;
- A process for regularly testing, reviewing, and assessing the effectiveness of the technical and organizational measures to ensure the security of the processing.
The level of security shall be appropriate to the nature of the personal data processing. The Commissioner has established additional rules for personal data security by means of Decision No. 6, dated 05 August 2013 "On the Determination of Detailed Rules for the Security of Personal Data".
Breach notification in Albania
Controller's notification to the Commissioner (Article 29)
In the event of a personal data breach, the controller must notify the Commissioner as soon as possible, and no later than 72 hours after becoming aware of the breach. Notification is not required if the breach is unlikely to result in a risk to the rights and freedoms of data subjects. If the notification is not made within the 72-hour timeframe, the controller must provide an explanation for the delay.
The notification to the Commissioner must include, at a minimum:
- A description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects affected, as well as the categories and approximate number of personal data records involved;
- The name and contact details of the DPO or another relevant contact point;
- A description of the likely consequences of the personal data breach;
- A description of the measures taken or proposed to address the breach, including, where applicable, measures to mitigate its potential adverse effects.
If all of the required information is not available at once, it may be provided in stages, as soon as possible.
The controller must document all personal data breaches, including the details, impact, and corrective actions taken, to enable the Commissioner to verify compliance. The Commissioner shall respond to the notification in line with their authority. The Commissioner may also instruct the controller to notify the affected data subjects of the personal data breach if the breach is likely to pose a high risk to their rights and freedoms, and if the controller has not already done so, as outlined in the section below.
Controller's notification to the data subjects (Article 29)
The controller must inform data subjects if the risks to their rights and freedoms resulting from the data breach are likely to be high, by providing the information as outlined in the notification to the Commissioner above. However, notification to data subjects is not required in the following cases:
- The controller has implemented appropriate technical and organizational protective measures, such as encryption, which were applied to the personal data affected by the breach;
- The controller has taken additional steps to reduce the risk of harm to the rights and freedoms of data subjects;
- The controller publishes the notice or takes other similar actions to notify data subjects of the breach in a uniform and effective manner, where notifying each individual data subject would impose a disproportionate burden on the controller.
Processor's notification to the controller (Article 29)
The processor shall notify the controller immediately after becoming aware of any personal data breach.
Enforcement in Albania
The Commissioner is the competent authority for the supervision and enforcement of Data Protection Law. The Commissioner is responsible, inter alia, for:
- Ensuring that data subjects can exercise their rights, including providing them with information and advice on these rights;
- Investigating the compliance of personal data processing activities with the Data Protection Law, either proactively or in response to a complaint;
- Reviewing complaints filed by individuals or non-profit entities, organizations, or associations representing individuals, in cases of alleged violations of the Data Protection Law;
- Evaluating the responses provided by competent authorities to data subjects' requests regarding their rights of access, rectification, or erasure;
- Imposing administrative sanctions and penalties, and overseeing their enforcement.
Administrative offenses related to the processing of personal data may result in a fine of up to ALL 2,000,000,000 (approximately EUR 20,300,000), or, in the case of a company, up to 4% of its total annual global turnover from the previous financial year, whichever amount is greater.
The Commissioner shall issue a directive outlining the rules regarding the imposition of administrative sanctions, which will be based on the guidelines established by the European Data Protection Board.
The sanctioned subject may appeal the fine in court within the deadlines and according to the procedures that regulate the administrative trials.
Electronic marketing in Albania
Electronic and direct marketing under the Data Protection Law
The Data Protection Law does not explicitly refer to electronic marketing; nevertheless, it will apply to most electronic marketing activities since they typically involve personal data, such as an email address that includes the recipient's name.
Personal data may be processed for direct marketing purposes as a means of communicating with identifiable individuals to promote goods or services. This includes advertising membership in organizations, soliciting donations, and any direct marketing activities, which also cover any preparatory actions taken by the advertiser or a third party to facilitate such communication (Article 46(1)).
The most common legal grounds for the processing of data for direct marketing are:
The legitimate interests of the controller
Processing for direct marketing purposes, whether carried out by the controller or by third parties, may be based on legitimate interests, provided that the interests of the protection of data subjects are not overridden. This also applies to the use of data obtained from publicly accessible sources for direct marketing purposes.
The consent of the data subject
When relying on consent, it is essential to adhere to the requirements set by Data Protection Law. Notably, when personal data is processed for direct marketing purposes, the data subject has the right to object at any time, without needing to provide a reason, to the processing of their personal data for such purposes, including profiling insofar as it relates to them (Article 19(2) and Article 46(4)).
Furthermore, the controller must be able to demonstrate that the data subject has given consent for the processing of their personal data. If consent is provided in the context of a written statement that includes other matters, the request for consent must be clearly distinguishable from the other information. It should be presented in an intelligible and easily accessible format, using clear and plain language (Article 8(2)). In the context of direct marketing, marketing consent forms should include clear opt-in mechanisms, such as checking an unchecked consent box or signing a statement, rather than just accepting terms and conditions or assuming consent based on actions like visiting a website.
The processing of a minor's personal data based on consent, in the context of online goods or services directly offered to them, is lawful only if the minor is at least 16 years old. If the minor is under 16, the processing is lawful only if consent is given or authorised by the minor's parent or legal guardian, and only to the extent that it is given or authorised by them (Article 8(6)).
The processing of sensitive data for direct marketing purposes is carried out with the explicit consent of the data subject (Article 46(3)).
The Commissioner has issued an Instruction no. 06, dated 28 May 2010 âOn the correct use of SMSs for promotional purposes, advertising, information, direct sales, via mobile phoneâ. This instruction emphasizes the importance of the prior consent given by the data subject.
Electronic and direct marketing under the Electronic Communications Law
According to Law 54/2024 "On electronic communications in the Republic of Albania" ("Electronic Communications Law"), natural or legal persons who possess the email addresses of their customers for their products or services may use these addresses for direct marketing of similar products or services only if they have obtained the explicit consent of the customers to be contacted for marketing purposes. Additionally, they are required to provide customers with a simple and free way to opt out of the use of their email address for marketing purposes at any time. It is also prohibited to send SMS or email messages for direct marketing purposes if the sender's identity is concealed or if a valid address is not provided, through which the recipient can request the cessation of such communications (Article 165 "Unsolicited communications").
Online privacy in Albania
Online privacy under the Data Protection Law
The Data Protection Law does not include specific regulations for cookies or location data. However, location data and online identifiers (which include cookies) are considered identifying factors for data subjects. As such, the general data protection provisions outlined in the Data Protection Law also apply to online privacy.
Apart from the general data protection principles applied mutatis mutandis, the Data Protection Law contains few specific provisions regarding online privacy. These include:
Right to rectification and erasure (Article 15(2)(dh))
The data subject has the right to request the erasure of personal data relating to them from the controller. The controller is required to erase the personal data as soon as possible, and in any case, no later than 30 days from the receipt of the request, if the data was collected in the context of online provision of goods or services.
The right to be forgotten (Article 16)
When the controller has made personal data public and is required to erase it, they must take reasonable steps, including technical measures, to notify other controllers processing those data that the data subject has requested the removal of any link, copy, or reproduction of the personal data, considering the applicable technology and implementation costs. Additionally, at the data subject's request, operators of internet search engines must remove outdated information from search results based on the data subject's name if that information, although no longer current, significantly harms the data subject's reputation.
In order to provide some clarification on the notion of cookies and their use, the Commissioner has defined cookies in an online dictionary as data stored on the computer that contain specific information. This rudimentary definition is complemented by a short explanation stating that cookies allow any server to know which pages have been visited recently, just by reading them.
The Commissioner has also released an opinion (which is somewhat outdated and non-binding for data controllers) regarding the protection of personal data on the websites of both public and private entities. In this opinion, the Commissioner highlights the obligations of data controllers under the Data Protection Law, as well as the rights of data subjects, which must also be observed in the context of online personal data collection:
- The right to be fully informed and to give their approval if a website (or an application) processes their data;
- The right to keep their online communications secret (including email, the computer's IP or modem No.);
- The right to be notified if their personal data are compromised (data has been lost or stolen, or if their online privacy is likely to be negatively affected);
- The right to request that their personal data be excluded from data processing for direct marketing if they have not given their consent.
Additionally, in this opinion, the Commissioner stresses the importance of public and private controllers drafting and publishing privacy policies on their websites, including, among other things:
- The identity of the controller;
- The information collected from the users, specifying the category of personal data;
- Specific policies regarding cookies and other technologies that allow data controllers to gather information on the users that use the website and to notify the latter about their use.
Online privacy under the Electronic Communications Law
The Electronic Communications Law defines "location data" as any data processed in an electronic communications network, indicating the geographical position of the terminal equipment of a user of the electronic communications network.
Location data may only be processed when they are made anonymous or with the consent of the users or subscribers to the extent and for the duration necessary for the provision of a value added service.
The service provider must inform the users or subscribers, prior to obtaining their consent, of the type of location data which will be processed, of the purposes and duration of the processing and whether the data will be transmitted to a third party for the purpose of providing the value added service.
Users or subscribers shall be given the possibility to withdraw their consent for the processing of location data other than traffic data at any time. Users or subscribers must continue to have the possibility, using a simple means and free of charge, of temporarily refusing the processing of such data for each connection to the network or for each transmission of a communication.
Processing of location data must be restricted to persons acting under the authority of the provider of the public communications network or publicly available communications service or of the third party providing the value added service, and must be restricted to what is necessary for the purposes of providing the value added service (Article 163 of the Electronic Communications Law).
General responsibility of the controller (Article 22)
The Data Protection Law requires controllers to implement appropriate technical and organizational measures, based on the nature, scope, context, and purposes of the processing, as well as the potential risks to individualsâ rights and freedoms. These measures must be regularly reviewed and updated as necessary.
Data protection by design and by default (Article 23)
Controllers should consider technological developments, implementation costs, and the specific circumstances of the processing when determining safeguards, such as pseudonymization, to protect data subjectsâ rights.
Controllers must ensure that, in a predetermined manner, only the personal data necessary for each specific purpose is processed, including limiting the data collected, its accessibility, and storage period. Security measures must prevent unauthorized access to personal data and maintain the confidentiality, integrity, availability, and resilience of processing systems and services.
Measures to ensure the security of processing (Article 28)
The controller and the processor implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, inter alia, where applicable:
- Pseudonymization and encryption of personal data;
- The ability to ensure the confidentiality, integrity, availability, and resilience of the processing systems and services;
- The ability to restore the availability and access to personal data within a reasonable time in the event of a physical or technical incident;
- A process for regularly testing, reviewing, and assessing the effectiveness of the technical and organizational measures to ensure the security of the processing.
The level of security shall be in compliance with the nature of personal data processing. The Commissioner has established additional rules for personal data security by means of Decision No. 6, dated 05 August 2013, "On the Determination of Detailed Rules for the Security of Personal Data".
The controller must put in place measures to ensure the integrity and protection of the data.
These measures must ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected.
If the processing is carried out on behalf of the controller, the controller must choose a processor providing sufficient guarantees in respect of the technical and organisational security measures relating to the processing to be carried out and must ensure compliance with those measures.
Transfer of data abroad
The foreign State must ensure an adequate level of protection of the privacy and fundamental rights and freedoms of individuals with regard to data processing.
The adequacy of the level of protection provided by a State is assessed in particular by the security measures applicable there.
Data controllers must implement appropriate technical and organizational measures and adopt adequate security levels to protect personal data from accidental or unlawful total or partial destruction, accidental loss, total or partial alteration, unauthorized disclosure or access (in particular where the processing involves the transmission of data over a network) and against all other unlawful forms of processing.
Such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected, relative to the entity's facilities and implementation costs. Specific security measures shall be adopted regarding certain types of personal data and purposes (notably, sensitive data, call recording and video surveillance).
Under the Protection of Information Systems and Networks Law, service providers, operators and companies offering information society services must: (i) guarantee the security of any device or set of devices used in the storage, processing, recovery or transmission of computer data on execution of a computer program and (ii) promote the registration of users as well as the implementation of technical measures in order to anticipate, detect and respond to risk situations. The Law requires an accident and incident management plan in case of a computer emergency.
The person responsible for a data archive, or using such archive, must adopt the technical and organizational measures to assure the security and confidentiality of personal data, so as to avoid their adulteration, loss, consultation or non-authorized processing, and to detect the misuse of information. The recording of personal data in archives, registries or data banks that do not comply with the legal requirements on integrity and security is prohibited.
The processor has an obligation to destroy or block personal data that are not necessary for achieving the legitimate purpose.
In the course of processing personal data, the processor shall be obliged to use encryption keys to ensure the protection of information systems containing personal data against accidental loss, unauthorized access to the information system, unlawful use, recording, destroying, altering, blocking, copying, and disseminating personal data and other interference.
The processor is obliged to prevent persons who have no right thereto from accessing the technologies used for processing personal data, and to ensure that the lawful user of these systems accesses only the data that are subject to processing by him or her and that are allowed to be used.
The requirements for ensuring security of processing of personal data in information systems, the requirements for tangible media of biometric personal data and technologies for storage of these personal data out of information systems shall be prescribed by the decision of the government of the Republic of Armenia. In case another body exercising control is prescribed by law, this body, within the scope of powers reserved to it by law, may prescribe higher requirements other than those provided above.
Use and storage of biometric personal data out of information systems may be carried out only through such tangible media, application of such technologies or forms, which ensure the protection of these data from the unauthorized access thereof, unlawful use, destruction, alteration, blocking, copying, dissemination of the personal data, etc.
Processors of personal data or other persons provided for by this law shall be obliged to maintain confidentiality both in the course of performing official or employment duties concerning the processing of personal data and after completing thereof.
The control over the fulfillment of the above-mentioned requirements shall be exercised by the authorized body for the protection of personal data without the right to process personal data being processed in the information systems.
Legal persons processing personal data may apply to the authorized body for the protection of personal data to have the electronic systems they use for processing personal data recognized as having an adequate level of protection and included in the register.
National Ordinance Person Registration
Pursuant to article 8 of the National Ordinance Person Registration, the data controller shall execute appropriate technical and organizational measures to secure personal data against loss or violation of the data and against unauthorized access, change or transmission thereof.
GDPR
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (article 32 GDPR).
An organization must have appropriate security measures in place (i.e. take reasonable steps) to protect any personal information it retains from misuse and loss and from unauthorized access, modification or disclosure. The recent changes to the Privacy Act confirm that the reasonable steps required to be taken include both technical and organizational measures.
The OAIC has issued detailed guidance on what it considers to be reasonable steps in the context of security of personal information, which we recommend be reviewed and implemented. Depending on the organization, and how and by which government agency it is regulated, as noted above specific requirements or expectations may also exist and with which organizations should be familiar. An organization must also take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for the purpose(s) for which it was collected.
EU regulation
Security
The GDPR is not prescriptive about specific technical standards or measures. Rather, the GDPR adopts a proportionate, context-specific approach to security. Article 32 states that controllers and processors shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the processing. In so doing, they must take account of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. A 'one size fits all' approach is therefore the antithesis of this requirement.
However the GDPR does require controllers and processors to consider the following when assessing what might constitute adequate security:
- The pseudonymization and encryption of personal data
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
- The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident, and
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing
Austria regulation
Section 13 DSG imposes further obligations on Controllers in regard to CCTV and / or processing of captured images pursuant to Section 12 DSG. The controller needs to secure the access to the CCTV / captured images in a way that makes any access and / or subsequent alteration of captured images by an unauthorized third party impossible.
An adequate level of protection of personal data should be provided by owners or operators of personal data.
As mentioned previously, Section 6(1)(d) provides that data controllers must ensure that appropriate security measures are taken against unauthorised access to, or alteration, disclosure or destruction of, the data and against their accidental loss or destruction. In practice, appropriate security measures typically mean "industry-standard" (particularly for institutions that store SPD, e.g. law firms, hospitals, banks, insurance companies, etc.).
The PDPL requires that data controllers apply technical and organizational measures capable of protecting the data against unintentional or unauthorized destruction, accidental loss, unauthorized alteration, disclosure or access, or any other form of processing.
The PDPL requires that the Authority's Board of Directors issues a decision specifying the terms and conditions that the technical and organizational measures must satisfy. The decision may require specific activities by applying special security requirements when processing personal data.
Data controllers must also use data processors who will provide sufficient guarantees about applying the technical and organizational measures that must be adhered to when processing the data. Data controllers must also take reasonable steps to verify that data processors comply with these measures.
There are no data security requirements.
The data controller and the data processor must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
The owners of information systems should take appropriate technical, legal and organisational measures to secure personal data processed in their information systems. The key technical measure is the creation of an information protection system to secure the entity's information system intended for the processing of personal data. The information protection system shall be attested according to the procedure established by the OAC. The rules also provide a simplified attestation procedure for entities using the information system of another organisation that has already passed the attestation procedure for its systems.
EU regulation
The GDPR is not prescriptive about specific technical standards or measures. Rather, the GDPR adopts a proportionate, context-specific approach to security. Article 32 states that controllers and processors shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the processing. In so doing, they must take account of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. A 'one size fits all' approach is therefore the antithesis of this requirement.
However the GDPR does require controllers and processors to consider the following when assessing what might constitute adequate security:
- the pseudonymization and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
Belgium regulation
The Data Protection Act inserts no general additional requirements in relation to security measures. In the context of archiving, scientific or historical research purposes or statistical purposes, the Data Protection Act sets out specific rules including anonymization or pseudonymization requirements [1].
Security measures are also detailed for each special regime but resemble the GDPR [2].
Footnotes
1. Art. 198 et seq Data Protection Act.
2. Intelligence and security services Art. 88-89 Data Protection Act, Bodies for security clearances, certificates and recommendations Art. 121-122 Data Protection Act, Coordination Unit for Threat Assessment Art. 154-155 Data Protection Act, Passenger Information Unit Art. 179-180 Data Protection Act.
The Law on the Digital Code adopts a proportionate, context-specific approach to security.
Article 426 of this Law states that in order to guarantee the security of personal data, the controller and / or its processor must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, interception, in particular where the processing involves the transmission of data over a network, and against all other forms of unlawful processing.
These measures must ensure an appropriate level of security, taking into account, on the one hand, the state of the art in the field and the costs involved in applying these measures and, on the other hand, the nature of the data to be protected and the potential risks.
It is also the responsibility of the data controller, his representative and the sub-processor to ensure compliance with these security measures.
The Law on the Digital Code does require controllers and processors to consider the following when assessing what might constitute adequate security:
- the pseudonymization and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
No specific requirements other than those set forth in the Law.
PIPA makes provision for the implementation of proportional security safeguards against risk including loss, unauthorised access, destruction, use, modification or disclosure. In addition, a person who misuses or divulges confidential information (deliberately or otherwise) may be liable at common law.
There are no specific laws regulating the security of personal data.
Personal Data Protection Act BES
Pursuant to article 13 of the Personal Data Protection Act BES the responsible party shall execute appropriate technical and organizational measures to secure personal data against loss or any form of unlawful processing. These measures shall guarantee an appropriate level of security, taking account of the technical state of the art and the costs of execution, in view of the risks associated with that processing and the nature of the data to be protected. The measures shall be aimed partly at preventing unnecessary gathering and further processing of personal data.
GDPR
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (article 32 GDPR).
The DP Law requires data controllers and processors to:
- Take care of data security and to undertake all technical and organizational measures;
- Undertake measures against unauthorized or accidental access to personal data, their alteration, destruction or loss, unauthorized transfer, other forms of illegal data processing, as well as measures against misuse of personal data; and
- Adopt a personal data security plan ("Security Plan") which specifies technical and organizational measures for the security of personal data.
As provided by the Rules (as defined in the section "Data Protection Officers"), the Security Plan includes the categories of processed data and the list of instruments for protection of the data to ensure confidentiality, integrity, availability, authenticity, possibility of revision and transparency of the personal data.
The Rules prescribe that the controller is required to undertake more stringent technical and organizational measures when processing sensitive personal data. Such measures aim at enabling recognition of each authorized access to the information system, operation with the data during the controller's regular working hours and cryptographic protection of the data transmission via telecommunications systems with appropriate software and technical measures.
The Rules also closely regulate the manner of personal data keeping and personal data protection in automatic processing.
Security measures envisaged by Draft Data Protection Law correspond to the measures prescribed by GDPR.
Data controllers are required to take appropriate technical and organisational security measures necessary to protect personal data from negligent or unauthorised destruction, negligent loss, as well as unauthorised access, alteration and processing of personal data.
The measures are influenced by technological developments of processing personal data and the costs for implementing the security measures, as well as the nature of the personal data and the potential risks involved.
Failure to implement the security safeguards amounts to an offence and will render the data controller liable to a fine not exceeding BWP 500 000 or to imprisonment for a term not exceeding nine years, or to both.
Controllers and processors must adopt technical and administrative security measures designed to protect personal data from:
- Unauthorized accesses, and
- Accidental or unlawful situations of:
  - Destruction
  - Loss
  - Alteration
  - Communication, or
  - Any improper or unlawful processing
The LGPD grants the ANPD authority to establish minimum technical standards for companies to implement.
On 4 October 2021, the ANPD launched information security guidelines aimed at small data processing agents (such as microenterprises, small businesses, and startups) to assist them with good practices in implementing technical and administrative information security measures for the protection of personal data. The guidelines also contain a checklist to facilitate the visualization of suggestions, such as awareness and training programs, agreements management, access controls, data storage guidelines, and vulnerability management.
On December 09, 2024, the ANPD published its Regulatory Agenda for 2025/2026 and made the regulation of technical and administrative security measures a priority for the period, determining the start of the regulation procedures within 2025.
The Brazilian Internet Act further establishes that service providers, network providers and application providers should keep access records (such as IP addresses and logins) confidential and in a secured and controlled environment. Guidelines issued under the Internet Act set out appropriate security controls, including:
- Strict control over data access, defining the responsibility of the persons who may access the records and granting exclusive access privileges to certain users
- Provision of authentication mechanisms for access to records, using, for example, two-factor authentication systems to ensure that each access to the records is individually attributable
- Creation of detailed inventory of access to connection records and access to applications containing the time, duration, the identity of the employee or the responsible person for the access designated by the company and the accessed file
- Use of records management techniques that ensure the inviolability of data, such as encryption or equivalent protective measures
While the DPA does not specify any technical standards for data controllers to implement, the DPA requires a data controller, when processing personal data, to take practical steps to protect the personal data from any loss, misuse, modification, unauthorized or accidental access, or disclosure, alteration or destruction (together, 'Security Breach') by having regard to the following matters:
- the nature of the personal data and the harm that would result from a Security Breach
- the place or location where the personal data is stored
- any security measures incorporated into any equipment in which the personal data is stored
- the measures taken for ensuring the reliability, integrity, and competence of personnel having access to the personal data, and
- the measures taken for ensuring the secure transfer of the personal data
The DPA also requires, where a data processor carries out the processing of personal data on behalf of the data controller, the data controller (for the purpose of protecting the personal data from Security Breach) to ensure that the data processor:
- provides sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out, and
- takes reasonable steps to ensure compliance with the above measures
At present not a regulated activity save in relation to a "Financial Institution"; see Mandatory Breach Notification.
It is anticipated that under the PDPO, an organization must protect personal data in its possession or under its control by making reasonable security arrangements to prevent:
- unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks; and
- the loss of any storage medium or device on which personal data is stored.
It is anticipated that under the PDPO data intermediaries will also be subjected to the same obligation to protect personal data in their possession.
It is anticipated that the PDPO will provide for a reasonable standard for such security measures, taking into account factors such as the nature and sensitivity of the data, the form in which personal data is stored and the impact on the individual if the personal data is subject to unauthorized access, disclosure or other risks. It is not anticipated, however, that the PDPO will stipulate specific security measures to be adopted and implemented by organizations and data intermediaries. That said, AITI has expressed its intention to issue detailed guidance in due course on the types of security measures, which will include administrative / organisational, physical and technical security measures.
EU regulation
Security
The GDPR is not prescriptive about specific technical standards or measures. Rather, the GDPR adopts a proportionate, context-specific approach to security. Article 32 states that controllers and processors shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing. In so doing, they must take account of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. A 'one size fits all' approach is therefore the antithesis of this requirement.
However the GDPR does require controllers and processors to consider the following when assessing what might constitute adequate security:
- the pseudonymization and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
Bulgaria regulation
The Personal Data Protection Act does not derogate from the provisions of the GDPR regarding security of personal data and does not introduce any additional rules or requirements in this respect.
The Personal Data Act is not prescriptive about specific technical standards or measures.
However, Article 24 states that the data controller shall take all necessary measures, in view of the nature of the data and the architecture of the processing, in particular to prevent the data from being distorted, damaged, lost, stolen or accessed by unauthorised parties.
There are no specific data security requirements in Burundi.
Article 32 of the E-Commerce Law directly addresses matters of data protection in the course of electronic communication.
Service providers that electronically store consumers' private information must take all reasonable security measures to avoid loss, modification, leakage, and / or unauthorized disclosure of all consumer data. The E-Commerce Law notes, however, that disclosures are allowable with the consent of the authorities, or with the consent of the individual whose data is being disclosed. The E-Commerce Law does not provide specific guidelines as to how or what mechanisms are required; any measures may be used as long as they reasonably protect the data from loss, or from unauthorized or unlawful access, use, alteration, or disclosure.
The E-Commerce Law also prohibits any encryption of data that may be used as evidence for any accusation or offence. This obligation potentially allows governmental authorities to order the decryption of data implicated in an investigation.
The E-Commerce Law also makes a blanket prohibition on certain forms of cybercrime, including interference with any electronic system for the purpose of accessing, downloading, copying, extracting, leaking, deleting, or otherwise modifying any stored data in bad faith or without authorized permission.
Article 47 of the Banking Law prohibits those who participate in the administration, direction, management, internal control, or external audit of a covered entity, and employees of the latter from providing confidential information pertaining to statements, facts, acts, figures, or the contents of accounting or administrative documents of which they might have become aware through their functions. However, this professional secrecy obligation cannot be used as a ground for nondisclosure in relation to requests by supervisory authorities, auditors, provisional administrators, liquidators, or a court dealing with criminal proceedings.
In case the service provider is not under the scope of the E-Commerce Law or Banking Law, the obligations under the laws of general application that require protection of the right to privacy and the obligation to protect data from unauthorized access should apply when a service provider collects, uses, discloses and processes data of the subject.
Furthermore, the Draft Law on Personal Data Protection requires the data controller to protect personal data under its possession or control by setting up a security system to prevent unauthorised access, collection, use, disclosure, copying, modification or disposal, or similar risks, and the loss of any storage medium or device on which personal data is stored. The data processor must also take security measures to prevent loss or unauthorised or unlawful access, use, modification, or disclosure of personal data.
A reference framework for security, technical and organizational measures will be established by the Personal Data Protection Authority.
Each of the Canadian Privacy Statutes contains safeguarding provisions designed to protect personal information. Organizations must take reasonable technical, physical and administrative measures to protect personal information against loss or theft, unauthorized access, disclosure, copying, use, modification or destruction. These laws do not generally mandate specific technical requirements for the safeguarding of personal information.
The Cape Verdean Data Protection Law stipulates that data controllers must implement technical and organizational measures so as to ensure the confidentiality and security of the personal data processed. Such obligations must also be contractually enforced by the data controller against the data processor. Moreover, certain specific security measures must be adopted regarding certain types of personal data and purposes (notably, sensitive data, call recording, video surveillance etc.).
The DPA is not prescriptive about specific technical standards or measures that must be taken to protect personal data. Rather, the DPA adopts a context-specific approach, requiring that appropriate technical and organizational measures be taken, appropriate to the risks presented by the processing. A data controller should take into account the state of the art, the costs of implementation, as well as the nature, scope, context and purpose of their processing.
Aspects to consider include:
- organizational measures, e.g. staff training and policy development;
- technical measures, e.g. physical protection of data, pseudonymization, encryption; and
- securing ongoing availability, integrity and accessibility, e.g. by ensuring backups.
Data Controllers are required to ensure the security of personal data. They must prevent the data's alteration and damage, or access by non-authorised third parties. In this regard, Data Controllers should make sure that:
- Persons with access to the system can only access the data that they are allowed to access;
- The identity and interest of any third-party recipients of the data can be verified;
- The identity of persons who have access to the system (to view or add data) can be verified;
- Unauthorised persons cannot access the place and equipment used for the data processing;
- Unauthorised persons cannot read, copy, modify, destroy, or move data;
- All data entered onto the system are authorised;
- The data will not be read, copied, amended, or deleted without authorisation during the transport or communication of the data;
- The data are backed up with security copies;
- The data are renewed and converted to preserve them.
(Article 60 of the Act)
The PDPL does not establish specific measures that need to be adopted for the security of the personal data processed. It only stipulates that the controller is required to take care of the data with due diligence, being liable in case of damages.
All individuals involved in the processing of personal data (other than from publicly accessible sources) have to comply with confidentiality obligations, even after they end their work in this field.
According to the CSL, DSL and PIPL, organizations must keep personal information confidential and establish a data security management system. This includes taking appropriate technical and organizational measures against unauthorized or unlawful processing and against accidental loss, destruction of, or damage to, personal information. The measures taken must ensure a level of security appropriate to the harm that may result from such unauthorized or unlawful processing, accidental loss, destruction or damage, and appropriate to the nature of the data. Security measures must be deployed, as prescribed by the CSL and DSL and their underlying measures, guidelines and technical standards (including the TC260 guidelines). The PIPL includes a specific obligation on data controllers to adopt corresponding encryption or deidentification technologies, and to adopt access controls and training.
Systems should also be established to handle complaints or reports about personal information security, publish the means for individuals to make such complaints or reports, and promptly handle any such complaints or reports received. Organizations must conduct mandatory data / cyber security training.
Additional security safeguards must be applied to processing of sensitive personal information and organizations deemed CIIOs (see above).
The CSL implemented a multi-level protection scheme for the cybersecurity protection of information systems by network operators. Information systems are classified into 5 tiers, and the security standard rises from tier 1 to tier 5. Organizations should conduct a self-evaluation and determine the tier(s) to which their information systems belong, based on the relevant laws, regulations and guidelines. Filing with the Public Security Bureau is required and, in certain circumstances, assessment by an accredited third party may also be required, depending on the determined tier level of the respective information system. Further national standards and guidelines have been published to provide more detail on the process and technical aspects of the tiered system.
The DSL proposes introducing a similar tiered-security scheme for classification of data in due course.
The National Standard of Data Security Technology – Rules for Data Classification and Grading, effective from March 21, 2024, provides the principles and methods for data classification and grading. It classifies data into three grades: general data, important data, and core data. Additionally, industrial regulators in each sector are working on issuing the data classification and grading scheme in the relevant sectors. In particular:
- the Ministry of Industry and Information Technology recently issued the Measures for Data Security Management in the Industrial and Information Technology Sector (for Trial Implementation) (MIIT Measures) which came into force on January 1, 2023;
- the Ministry of Natural Resources issued the Administrative Measures for Data Security in the Field of Natural Resources which came into effect on March 22, 2024;
- the Ministry of Finance and the Cyberspace Administration of China issued the Interim Measures for the Administration of Data Security for Accounting Firms which came into effect on October 1, 2024;
- the National Financial Regulatory Administration issued the Administrative Measures for Data Security of Banking and Insurance Institutions which came into effect on December 27, 2024.
If a data controller appoints a data processor to process personal information on its behalf, the data controller should ensure that sufficient measures are adopted by the data processor to protect the personal information: for example, by conducting due diligence and regular audits on the data processor to ensure that it adopts sufficient and adequate security measures, and by putting in place an appropriate data processing agreement with the data processor.
Data controllers have the legal duty of guaranteeing that the information under their control is kept under strict security measures. For this reason, data controllers shall ensure that such information will not be manipulated or modified without the Data Subject's consent. For this purpose, the data controller shall develop an information security policy that prevents unauthorized access to, and the damage or loss of, information, including personal data.
Law No. 2013-450 of 19 June 2013 on the Protection of Personal Data requires data controllers to implement appropriate security measures to safeguard personal data against any form of breach.
According to Article 39 of the law, the processing of personal data must remain confidential and should only be carried out by individuals acting under the authority of the data controller or their processor, and strictly in accordance with their instructions.
Furthermore, Article 40 specifies that the data controller is required to take all necessary precautions, taking into account the nature of the data and the risks posed by processing, to ensure the security of the data. This includes preventing them from being altered, damaged, or accessed by unauthorised third parties. The controller must also implement technical and organisational measures to protect the data against destruction, loss, alteration, unauthorised disclosure, or access. These measures include securing facilities, controlling access, verifying the identity of third parties, and backing up the data.
In the event of non-compliance with these obligations, the data controller may face various types of sanctions, as provided for in Articles 49 and subsequent of the 2013-450 law on the protection of personal data:
- Warning: The data protection authority may issue a formal warning to the controller for failing to meet their obligations.
- Formal Notice: The authority may serve notice on the controller to rectify the identified breaches within a set timeframe.
- Administrative and Financial Sanctions: If the controller fails to comply with the formal notice, the authority may revoke the authorisation temporarily or permanently and impose a financial penalty proportional to the severity of the breach.
- Interruption of Processing, Locking of Data, or Prohibition of Processing: In urgent cases where processing causes a violation of rights and freedoms, the authority may order the suspension of data processing, locking of specific data, or a ban on processing activities.
- Criminal Sanctions: Criminal penalties apply for serious breaches, such as processing sensitive data without authorisation (e.g., racial origin, political opinions, religious beliefs), direct marketing without prior consent, or obstructing the authority's work.
- Civil Liability: The controller may also be held liable for damages caused to affected individuals due to non-compliance with their obligations, as stipulated in Article 5 of the African Union Convention on Cybersecurity and Personal Data Protection.
Any company or individual using and / or managing personal information must take all necessary steps (technical and organizational) to guarantee that the information is kept in a secure environment, and must issue an internal protocol indicating all the procedures that shall be followed during the collection, storage and use of such information.
If security is breached because of improper management or protection, then the responsible company may be held liable, and may be subject to penalties and civil liability for any harm.
EU regulation
Security
The GDPR is not prescriptive about specific technical standards or measures. Rather, the GDPR adopts a proportionate, context-specific approach to security. Article 32 states that controllers and processors shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the processing. In so doing, they must take account of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. A 'one size fits all' approach is therefore the antithesis of this requirement.
However, the GDPR does require controllers and processors to consider the following when assessing what might constitute adequate security:
- the pseudonymization and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
Croatia regulation
The Act does not contain any special security requirements other than those prescribed by the GDPR.
Organisations must take appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss, destruction of, or damage to, personal information. The measures taken must ensure a level of security appropriate to the harm that may result from such unauthorised or unlawful processing, accidental loss, destruction or damage, and appropriate to the nature of the data.
National Ordinance Personal Data Protection
Pursuant to article 13 of the National Ordinance Personal Data Protection the responsible party shall execute appropriate technical and organizational measures to secure personal data against loss or any form of unlawful processing. These measures shall guarantee an appropriate level of security, taking account of the technical state of the art and the costs of execution, in view of the risks associated with that processing and the nature of the data to be protected. The measures shall be aimed partly at preventing unnecessary gathering and further processing of personal data.
GDPR
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (article 32 GDPR).
EU regulation
The GDPR is not prescriptive about specific technical standards or measures. Rather, the GDPR adopts a proportionate, context-specific approach to security. Article 32 states that controllers and processors shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the processing. In so doing, they must take account of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. A 'one size fits all' approach is therefore the antithesis of this requirement.
However, the GDPR does require controllers and processors to consider the following when assessing what might constitute adequate security:
- the pseudonymization and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
Cyprus regulation
There are no derogations or additional requirements introduced by the Law in relation to security.
The GDPR is not prescriptive about specific technical standards or measures. Rather, the GDPR adopts a proportionate, context-specific approach to security. Article 32 states that controllers and processors shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing. In so doing, they must take account of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. A 'one size fits all' approach is therefore the antithesis of this requirement.
However, the GDPR does require controllers and processors to consider the following when assessing what might constitute adequate security:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
Not applicable.
EU regulation
The GDPR is not prescriptive about specific technical standards or measures. Rather, the GDPR adopts a proportionate, context-specific approach to security. Article 32 states that controllers and processors shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing. In so doing, they must take account of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. A 'one size fits all' approach is therefore the antithesis of this requirement.
However, the GDPR does require controllers and processors to consider the following when assessing what might constitute adequate security:
- the pseudonymization and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
Denmark regulation
The Danish Data Protection Act does not set out provisions on security requirements. Thus, the articles of the GDPR apply, under which data controllers and data processors must implement appropriate technical and organizational security measures necessary to protect data against accidental or unlawful destruction, loss or alteration and against unauthorized disclosure, abuse or other processing in violation of the provisions laid down in the Danish Data Protection Act.
The controller and, if applicable, the processor, is required to adopt and implement the necessary technical, organizational and security measures to safeguard personal data and avoid its:
- Alteration
- Loss
- Treatment
- Consultation, or
- Unauthorized access
The DPL prohibits the storage of personal data in files, records or databases that do not meet the necessary technical conditions for guaranteeing their integrity and security. Additionally, credit bureaus and users or subscribers shall take the necessary measures to prevent the alteration, loss or unauthorized access to personal data.
Data controllers or the individual in charge of the treatment of personal data must abide by the principle of personal data security, for which they must consider the categories and volume of personal data, the state of the art, best comprehensive security practices, and the costs of application according to the nature, scope, context, and purposes of the treatment, as well as identifying the probability of risks.
Data controllers or the individual in charge of the treatment must implement a process of verification, evaluation and continuous and permanent assessment of the efficiency and effectiveness of the measures of a technical, organizational and any other nature implemented to guarantee and improve the security of the processing of personal data.
The individual in charge of the treatment of personal data must demonstrate that the measures adopted and implemented adequately mitigate the risks identified.
Among other measures, the following may be included:
- Anonymization, pseudonymization or encryption measures of personal data.
- Measures aimed at maintaining the confidentiality, integrity and permanent availability of the systems and services for the processing of personal data, and at quickly restoring access to personal data in case of incidents.
- Measures aimed at improving technical, physical, administrative, and legal resilience.
- Those responsible and in charge of the treatment of personal data may avail themselves of international standards for adequate risk management focused on the protection of rights and freedoms, as well as for the implementation and management of information security systems, or of codes of conduct recognized and authorized by the Personal Data Protection Authority.
The Law defines data security as the technological and organizational procedures and operations for the purpose of protecting the privacy, secrecy, safety, unity, and completeness of personal data.
The Law does not state any specific technical standards or measures. However, the Law states that the controller must adopt all technical and regulatory procedures and apply the necessary standard criteria for protecting personal data and to ensure its confidentiality, and prevent any hack, damage, alteration or manipulation through any illegitimate procedure.
Furthermore, Article (25) of the Egyptian Anti-Cybercrimes Law imposes penalties of imprisonment for a period of not less than six (6) months and/or a fine of not less than EGP 50,000 (fifty thousand Egyptian pounds) and not exceeding EGP 100,000 (one hundred thousand Egyptian pounds). This penalty is imposed, regardless of whether the published information is correct or incorrect, on whoever violates the right to privacy, grants any personal data to a system or a website, or sends numerous e-mails without the data subject's consent in order to promote goods or services or to publish information, news, pictures or the like, through the information network or by any means of information technology.
Security is not specifically regulated. However, the E-Commerce Act establishes, in general terms, that all information provided by the user of an online store/marketplace must be safely guarded. Similar requirements are established by the E-Signature Act, in regards to the information of the owners of an E-Signature.
Article 11 provides that the data controller or data processor must adopt the necessary technical and organisational measures to ensure the security of the personal data processed, ensuring their preservation and avoiding their alteration, loss, or unauthorised processing or access. In this sense, personal data must not be recorded in files, systems or processing centres that do not meet the security conditions needed to guarantee their integrity and confidentiality.
EU regulation
The GDPR is not prescriptive about specific technical standards or measures. Rather, the GDPR adopts a proportionate, context-specific approach to security. Article 32 states that controllers and processors shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the processing. In so doing, they must take account of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. A 'one size fits all' approach is therefore the antithesis of this requirement.
However, the GDPR does require controllers and processors to consider the following when assessing what might constitute adequate security:
- the pseudonymization and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
Estonia regulation
The PDPA and the Implementation Act do not foresee any derogations / additional requirements to the GDPR.
There are no specific data security requirements.
The Computer Crime Proclamation No. 958/2016 requires service providers to implement reasonable and necessary security measures to protect confidential computer traffic data disseminated through their computer systems or communications services from unlawful and unnecessary access.
The Ethiopian Communications Authority's Sim Card Registration Directive requires Telecommunication Operators to take all reasonable steps to ensure the security and confidentiality of their subscribers' registration details.
None.
No applicable laws.
EU regulation
The GDPR is not prescriptive about specific technical standards or measures. Rather, the GDPR adopts a proportionate, context-specific approach to security. Article 32 states that controllers and processors shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the processing. In so doing, they must take account of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. A 'one size fits all' approach is therefore the antithesis of this requirement.
However, the GDPR does require controllers and processors to consider the following when assessing what might constitute adequate security:
- the pseudonymization and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
Finland regulation
The new Finnish Data Protection Act does not contain any direct additional requirements for the security of processing within the meaning of GDPR Article 32. However, the Data Protection Act does specify the security measures to be taken if special categories of personal data are processed. These measures are mostly the same as those included in GDPR Article 32 (e.g., pseudonymization, encryption, personnel training, access management, log-on data usage) and, according to the explanatory text of the government proposal, serve more as examples of what measures must be taken than as an exhaustive mandatory list, despite the wording used.
EU regulation
The GDPR is not prescriptive about specific technical standards or measures. Rather, the GDPR adopts a proportionate, context-specific approach to security. Article 32 states that controllers and processors shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the processing. In so doing, they must take account of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. A 'one size fits all' approach is therefore the antithesis of this requirement.
However, the GDPR does require controllers and processors to consider the following when assessing what might constitute adequate security:
- the pseudonymization and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
France regulation
The CNIL and the French Cyber Security Agency ("ANSSI") have issued security guidance and recommendations containing state-of-the-art security practices, in particular: the 2023 version of the Personal Data Security Guide (updated in 2024 to include security guidelines regarding the use of artificial intelligence, mobile applications, cloud computing and APIs) and the 2022 version of the recommendations on passwords and other shared secrets.
Articles 113 et seq. of the 2023 Personal Data Act state that in order to guarantee the security of personal data, the data controller is required to take all necessary precautions with regard to the nature of the data and, in particular, to prevent it from being distorted, damaged or accessed by unauthorized third parties. In particular, he / she shall take all measures to:
- guarantee that, for the use of an automated data processing system, authorized persons can only access personal data within their competence;
- guarantee that the identity of third parties to whom personal data may be transmitted can be verified and established;
- guarantee that it can be verified and established a posteriori which persons have had access to the information system, and which data have been read or introduced into the system, at what time and by which person;
- prevent any unauthorized person from accessing the premises and equipment used for data processing;
- prevent data carriers from being read, copied, modified, destroyed or moved by an unauthorized person;
- prevent the unauthorized entry of any data into the information system and the unauthorized access, modification or deletion of stored data;
- prevent the use of data processing systems by unauthorized persons using data transmission facilities;
- prevent unauthorized reading, copying, modification or deletion of data during data communication and transport of data carriers;
- back up data by making back-up copies;
- refresh and, if necessary, convert the data for permanent storage.
No specific requirements other than those set forth in the Law.
As per Article 27 of the Data Protection Law, a controller is obliged to take appropriate technical and organizational measures to ensure that data are processed in accordance with the Law and to be able to demonstrate that the processing complies with the Law.
Furthermore, a controller and a processor are obliged to take organizational and technical measures that are adequate to the risks associated with the data processing (including data pseudonymization, logging of access to data, information security mechanisms (confidentiality, integrity, accessibility), etc.) and that will ensure the protection of the data against loss or unlawful processing, including destruction, deletion, alteration, disclosure or use.
When determining the organizational and technical measures necessary for ensuring data security, a controller and a processor are obliged to take into account the categories and volume of the data, the purpose, form and means of the data processing, and the possible threats of violation of the rights of data subjects. They must also periodically assess the efficiency of the technical and organizational measures taken for ensuring data security and, where necessary, take adequate measures and / or update existing measures for ensuring data security.
In addition to that, a controller and a processor are obliged to ensure that all operations performed in relation to electronic data (including information on incidents, data collection, data alteration, data access, data disclosure (transfer), data links and data deletion) are registered. When processing non-electronic data, the controller and the processor are obliged to ensure that all operations related to data disclosure and / or alteration (including information on incidents) are registered.
Any employee of a data controller or a data processor who is involved in data processing, or who has access to data, is obliged to act within the scope of the powers granted to him / her, to maintain data secrecy and confidentiality, and to continue to comply with these obligations after the termination of his / her term of office. A controller and a processor are obliged to determine the volume of data to be accessed by employees depending on their scope of authority, to take adequate measures to safeguard such data from incidents of unlawful data processing by employees, to identify and prevent such incidents, and to provide information to employees on matters related to data security.
EU regulation
The GDPR is not prescriptive about specific technical standards or measures. Rather, the GDPR adopts a proportionate, context-specific approach to security. Article 32 states that controllers and processors shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the processing. In so doing, they must take account of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. A 'one size fits all' approach is therefore the antithesis of this requirement.
However, the GDPR does require controllers and processors to consider the following when assessing what might constitute adequate security:
- the pseudonymization and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
Germany regulation
The BDSG has additional exceptions for the processing of special categories of personal data in Sec. 22 (1) BDSG. In case of processing of such data, appropriate and specific security measures have to be taken to safeguard the interests of the data subject (Sec. 22 (2) BDSG). This provision also applies by reference to other specific processing scenarios involving special categories of personal data.
Pursuant to Sec. 22 (2) BDSG, taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons posed by the processing, these measures may include in particular the following:
- technical and organizational measures to ensure that processing complies with the GDPR;
- measures to ensure that it is subsequently possible to verify and establish whether and by whom personal data were input, altered or removed;
- measures to increase awareness of staff involved in processing operations;
- designation of a data protection officer;
- restrictions on access to personal data within the controller and by processors;
- the pseudonymization of personal data;
- the encryption of personal data;
- measures to ensure the ability, confidentiality, integrity, availability and resilience of processing systems and services related to the processing of personal data, including the ability to rapidly restore availability and access in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing;
- specific rules of procedure to ensure compliance with this Act and with the GDPR in the event of transfer or processing for other purposes.
- A person who processes data shall take into account the privacy of the individual by applying the data security safeguards.
- A data controller has an obligation to ensure that a data processor who processes personal data for the data controller, establishes and complies with the security measures provided for under the Act.
The Gibraltar GDPR is not prescriptive about specific technical standards or measures. Rather, the Gibraltar GDPR adopts a proportionate, context-specific approach to security. Article 32 states that controllers and processors shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing. In so doing, they must take account of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. A 'one size fits all' approach is therefore the antithesis of this requirement.
However, the Gibraltar GDPR does require controllers and processors to consider the following when assessing what might constitute adequate security:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
EU regulation
The GDPR is not prescriptive about specific technical standards or measures. Rather, the GDPR adopts a proportionate, context-specific approach to security. Article 32 states that controllers and processors shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the processing. In so doing, they must take account of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. A 'one size fits all' approach is therefore the antithesis of this requirement.
However, the GDPR does require controllers and processors to consider the following when assessing what might constitute adequate security:
- the pseudonymization and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
Greece regulation
The Greek Data Protection Law does not provide for additional requirements in relation to security measures other than those set forth in the GDPR. Only with regard to special categories of data does the Greek Data Protection Law provide an indicative list of the security measures that should be taken. More specifically, when processing special categories of personal data, appropriate security measures to safeguard the data subject's interests should be adopted. Such measures may include:
- Technical and organizational measures to ensure that processing complies with the GDPR;
- Measures to verify and establish whether and by which party personal data were fed into, altered or removed;
- Data Protection awareness;
- Data classification and access rights;
- Designation of a DPO;
- Pseudonymization of personal data;
- Encryption of personal data;
- Measures to restore confidentiality, integrity, availability and resilience of processing systems and services, including the ability to restore availability and access to data in the event of physical or technical incident;
- Process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
Requirements according to the Greek Cybersecurity Law
The Greek Cybersecurity Law applies to specific categories of entities defined therein, regardless of the nature of the information they use (personal data or not). It entered into force on 27 November 2024. Therefore, in case personal data is processed, both the Greek Cybersecurity Law and GDPR / Greek data protection rules apply in parallel.
The Greek Cybersecurity Law obliges specific categories of entities to:
- implement specific minimum organisational and technical security measures (Article 15(2)), similar to those mentioned in Article 21 of the NIS2 Directive, namely:
  - policies and procedures for risk analysis and information system security;
  - incident handling;
  - business continuity management;
  - supply chain security;
  - security in network and information systems acquisition, development and maintenance;
  - policy and procedures for the assessment of risk management measures;
  - cyber hygiene practices and training;
  - cryptography and encryption measures;
  - access control policies and asset management;
  - multi-factor authentication and secured voice, video and text communications;
- adopt a single cybersecurity policy, based on the standardized template to be created by the National Cybersecurity Authority (Article 15 (5)(b));
- maintain a comprehensive ICT asset inventory (Article 15(5)(c));
- report significant incidents to the National Cybersecurity Authority and to recipients of the services affected (Article 16);
- designate an appropriately skilled staff member as Information and Communication Systems Security Officer, who will be responsible for i) monitoring the compliance of the entity with the legal requirements for cybersecurity risk management and incident reporting and ii) communicating with the National Cybersecurity Authority (Article 15(5)(a)).
Security is not regulated. However, as referred to above, according to Art. 36 of the Law, all information in public records must be safeguarded and should not be destroyed.
Security features more prominently under the DPL 2017 than its predecessor. Whilst implementing appropriate security measures to safeguard personal data from unauthorised or unlawful processing continues to be a feature of the DPL 2017 (see Principle 6 'Integrity and Confidentiality'), the DPL 2017 (unlike its predecessor) sets out with more clarity the steps required to ensure compliance.
Data controllers must take reasonable steps to ensure a level of security which is appropriate to the personal data, taking into account the nature, scope, context and purpose of the processing, the likelihood and severity of the risks to data subjects if the personal data is not secure (including the risk of unlawful or accidental destruction, loss or alteration and / or unauthorised disclosure of personal data), best practice and the costs of implementing appropriate measures.
Section 41 of the DPL 2017 provides some assistance as to what may be regarded as a reasonable 'step' to ensure appropriate security. In essence, to ensure compliance with this obligation, a controller should consider:
- pseudonymising and encrypting personal data;
- ensuring that the controller or processor has and retains the ability to:
  - ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; and
  - restore access to personal data in a timely manner in the event of a physical or technical incident; and
- establishing and implementing a process for regular testing and evaluation of the effectiveness of the technical and organisational measures.
There are several provisions which touch on the security obligations, located throughout the DPL 2017. Thus, the key provisions not only appear in the main security section (Part VI of the DPL 2017) but also form a key consideration (amongst other things) when undertaking a data protection impact assessment, the right to erasure, a controller's duty to take reasonable steps to achieve compliance and the measures that should be in place when choosing a processor. For example, when assessing the suitability of a processor a controller must ensure that the processor provides sufficient guarantees that reasonable technical and organisational security measures governing the processing will be established to meet the requirements of the DPL 2017.
According to the Law on Cybersecurity and Personal Data Protection, the processing of personal data is confidential and must be carried out exclusively by persons acting under the authority of the Data controller, and only on the Data controller's instructions.
The Data controller is required to take all necessary precautions, in view of the nature of the data, and in particular to prevent it from being distorted, damaged or accessed by unauthorised third parties.
The Decree provides that personal data must be stored in a way that protects its confidentiality and prevents disclosure. Once stored, only specific persons, by virtue of their position, should have access to it.
The Institute for the Access to Public Information has the authority to require all Obligated Entities to take necessary security measures for the protection of the personal data they collect and / or use.
The current legislation neither clarifies nor specifically identifies the security policies or security mechanisms that Obligated Entities must comply with.
As a general statement, the Institute for the Access to Public Information has to ensure the security of all Public Information, of all information classified as confidential by public entities, of all sensitive personal data, and of all information to which the current legislation gives a secrecy status.
Data users are required by the Ordinance to take all practical steps to ensure that personal data is protected against unauthorized or accidental access, processing, erasure, loss or use, having regard to factors including the nature of the personal data and the harm that could result if data breaches or leaks were to occur.
Where the data user engages a data processor to process personal data on its behalf, the data user must use contractual or other means to:
- prevent unauthorized or accidental access, processing, erasure, or loss of use of the personal data; and
- ensure that the data processor does not retain the personal data for longer than necessary.
The January 2020 Consultation Paper proposed to require organizations to formulate and publish a clear data retention policy specifying retention period(s) for the personal data collected. The PCPD's Report issued in February 2023 and the Panel Meeting Summary published in February 2024 also referred to this as an amendment direction.
The GDPR is not prescriptive about specific technical standards or measures. Rather, the GDPR adopts a proportionate, context-specific approach to security. Article 32 states that controllers and processors shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the processing. In so doing, they must take account of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. A 'one size fits all' approach is therefore the antithesis of this requirement.
However, the GDPR does require controllers and processors to consider the following when assessing what might constitute adequate security:
- the pseudonymization and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
EU regulation
The GDPR is not prescriptive about specific technical standards or measures. Rather, the GDPR adopts a proportionate, context-specific approach to security. Article 32 states that controllers and processors shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the processing. In so doing, they must take account of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. A 'one size fits all' approach is therefore the antithesis of this requirement.
However, the GDPR does require controllers and processors to consider the following when assessing what might constitute adequate security:
- the pseudonymization and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
Iceland regulation
Chapter IV of the DPA implements the provisions of the GDPR on security measures into Icelandic national legislation.
Under the DPDP Act, Data Fiduciaries are required to protect the personal data under their control, with respect to any processing undertaken by them or on their behalf by a Data Processor, by taking reasonable security safeguards to prevent any kind of personal data breach. Notably, the highest quantum of financial penalty prescribed under the DPDP Act, being INR 250 Crores, is for failure on the part of a Data Fiduciary to take reasonable security safeguards to prevent personal data breach.
The Draft Rules prescribe the minimum standards that the Data Fiduciary is required to adhere to:
- appropriate data security measures, including securing of such personal data through its encryption, obfuscation or masking or the use of virtual tokens mapped to that personal data;
- appropriate measures to control access to the computer resources used by such Data Fiduciary or the relevant Data Processor;
- visibility on the accessing of such personal data, through appropriate logs, monitoring and review, for enabling detection of unauthorised access, its investigation and remediation to prevent recurrence;
- reasonable measures for continued processing in the event of the confidentiality, integrity or availability of such personal data being compromised as a result of destruction or loss of access to personal data or otherwise, including by way of data backups;
- retention of such logs and personal data for a period of one year, unless compliance with any law for the time being in force requires otherwise, for enabling the detection of unauthorised access, its investigation, remediation to prevent recurrence and continued processing in the event of such a compromise;
- appropriate provision in the contract entered into between such Data Fiduciary and such a Data Processor for taking reasonable security safeguards; and
- appropriate technical and organisational measures to ensure effective observance of security safeguards.
Data Protection Impact Assessment
Under the DPDP Act, Significant Data Fiduciaries are required to appoint an independent data auditor who will undertake periodic Data Protection Impact Assessments, which has been described as a process comprising a description of the rights of Data Principals and the purpose of processing their personal data. It also includes an assessment and management of the risks to the rights of Data Principals.
The PDP Law does not provide specific technical standards or measures. It does, however, set out certain general measures for data controllers, who are obliged to protect and ensure the security of the personal data that they process, by requiring them to:
- set out and implement operational technical measures to protect personal data from any disruption in the processing of personal data that is contrary to the provisions of laws and regulations; and
- determine the appropriate level of security of the personal data by taking into account the nature and risk of personal data which must be protected in the processing of personal data.
Whilst anticipating the issuance of further implementing regulations to the PDP Law, certain fundamentals for ensuring the security of personal data may be found in the General Data Protection Regulations, which set out certain obligations for electronic system operators (PSEs) in particular. The obligations of such PSEs are regulated under Reg. 71 and MOCI Reg. 20/2016; amongst other things, PSEs shall:
- guarantee the confidentiality of the source code of the software;
- ensure agreements on minimum service levels and information security for the information technology services used, as well as the security of the internal communication facilities they operate;
- protect and ensure the privacy and personal data protection of users;
- ensure the appropriate lawful use and disclosure of the personal data;
- provide the audit records on all provision of electronic systems activities;
- have governance policies, operational work procedures, and audit mechanisms that are conducted periodically in the electronic system;
- for private sector PSEs that process and / or store personal data outside of Indonesia, ensure the effectiveness of supervision by the Ministry or Agency and by law enforcement;
- provide access to the electronic system for the purpose of supervision and law enforcement;
- provide information in the electronic system based on legitimate request from investigators for certain crimes;
- provide options to the personal data owner as to whether the personal data processed can or cannot be used and / or displayed by or at a third party, on the basis of consent and as long as this relates to the purpose for which the personal data was obtained and collected;
- provide access or the opportunity for the personal data owner to change or update his / her personal data without disturbing the management of the personal data system, unless regulated otherwise by laws and regulations;
- delete the personal data if (i) it has reached the maximum period for storing the personal data (at the shortest 5 years, or as set by the applicable regulations / specific sectoral regulations); or (ii) the personal data owner so requests, unless regulated otherwise by laws and regulations; and
- provide a contact person who can easily be reached by the personal data owner in relation to his / her personal data.
An online self-assessment of the security system's risk level and compliance is also offered upon application for an electronic system operator registration certificate (TDPSE). Although it is a self-assessment, the feature is to a certain degree mandatory, as an applicant for a TDPSE may not be able to proceed in submitting its application before it fills out certain parts of the online self-assessment about its security system's risk level and compliance.
In the telecommunications sector, Article 19 paragraph (2) of Minister of Communication and Informatics Regulation No. 26/PER/M.KOMINFO/5/2007 regarding the Security and Utilization of Internet Protocol based Telecommunications Network (as amended) ("MOCI Reg. 26/2007") also provides that the telecommunication service provider is responsible for data storage due to its obligation to record its log file for at least 3 months.
Generally, Iranian businesses are required to take reasonable measures to secure personal information. It is unclear whether such measures must be physical, technical or organizational.
Nevertheless, somewhat effective regulations apply to some businesses and professions that handle sensitive information, such as judges, attorneys, doctors, hospitals and pharmacies.
Under the ECL, a "secure information system" is defined as an information system that:
- is reasonably protected against misuse or penetration;
- possesses a reasonable level of proper accessibility and administration;
- is reasonably designed and organized in accordance with the significance of the task; and
- is in compliance with secure methods.
A "secure method" is a method to authenticate the date, correctness, origin and destination of a "data message", as well as to detect errors and modifications in its communication, content, or storage from a certain point. A secure message is generated using algorithms or codes, identification words or numbers, encryption, acknowledgement call-back procedures or similar secure techniques.
EU regulation
The GDPR is not prescriptive about specific technical standards or measures. Rather, the GDPR adopts a proportionate, context-specific approach to security. Article 32 states that controllers and processors shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the processing. In so doing, they must take account of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. A 'one size fits all' approach is therefore the antithesis of this requirement.
However, the GDPR does require controllers and processors to consider the following when assessing what might constitute adequate security:
- the pseudonymization and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
Ireland regulation
The DP Act requires enhanced "suitable and specific" measures to be implemented in relation to certain processing activities. In such cases, enhanced data security measures (including logs / audit trails and encryption) are listed in section 36 of the DP Act as one example of such measures.
On March 21, 2017, the Constitution, Law, and Justice Committee of the Knesset approved the Data Security Regs, which came into effect in May 2018. The Data Security Regs further broaden the PPL by imposing additional requirements applicable to database owners, holders and managers. Such additional requirements include, without limitation, having in place a broad list of manuals and policies; various physical, environmental and logical security measures; and regular audit, inspection and training obligations.
Furthermore, the Data Security Regs add to the Outsourcing Guidelines, which in effect expands the requirements applicable when outsourcing processing services, both prior to entering into a data transfer agreement between the database owner and the data recipient and as to the requirements to be included in such an agreement.
Failure to comply with the Data Security Regs will constitute a breach of the PPL, which may expose a non-compliant entity to criminal and civil liability, as well as to administrative fines.
In March and April of 2018, the IPA published guidelines regarding the applicability of the Data Security Regs to four types of organizations: organizations certified to ISO/IEC 27001 standard, supervised entities subject to the directives of the Supervisor of the Bank, management companies and insurers which are subject to the provisions of the Capital Market, Insurance and Savings Authority and non-bank stock exchange members subject to stock exchange regulations. These types of organizations only need to comply with selective provisions of the Data Security Regs.
On May 1, 2018, the IPA published the Privacy Protection Authority's Policy for Reporting Severe Security Incidents. The directive sets forth the instructions on how to report a severe security incident. Failure to comply with the directive may lead to sanctions such as publication of the violation or deletion of the database registration.
On March 20, 2023, the IPA published Opinion: Security Risks in Shortened URLs, which describes the security risks arising from services that shorten links to websites, recommends not applying such shortened links to a database of Personal Data unless a thorough security check has been conducted, and provides additional security-related guidelines.
On September 7, 2023, the IPA published Guideline: The Role of The Board of Directors in Fulfilling The Corporation's Obligations According To The Privacy Protection Regulations (Information Security), which details the role of the board of directors in fulfilling the company's obligations under the Data Security Regs. In companies in which the processing of Personal Data is at the core of their activity, or companies whose activity creates an increased risk of breaching privacy laws, the company's board of directors is the appropriate party to perform the duties set forth in the Data Security Regs, including having in place a policy which defines, inter alia, supervision processes, controls, and effective compliance.
On May 9, 2024, the IPA published Opinion: Conducting Risk Assessments and Penetration Tests on Information Systems, which recommends that organizations and Personal Data repositories conduct voluntary risk assessments and penetration tests (and not only in respect of high security level databases, for which such testing is mandatory under the Data Security Regs).
On September 29, 2024, the IPA published Guidance: Implementation of Section 10 of the Data Security Regs - Keeping Records and Logs, which clarifies the manner of implementation of the obligations to manage an automatic documentation mechanism by keeping records and logs in databases classified as having a medium or high level of security.
EU regulation
The GDPR is not prescriptive about specific technical standards or measures. Rather, the GDPR adopts a proportionate, context-specific approach to security. Article 32 states that controllers and processors shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing. In so doing, they must take account of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. A 'one size fits all' approach is therefore the antithesis of this requirement.
However, the GDPR does require controllers and processors to consider the following when assessing what might constitute adequate security:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
Italy regulation
The Privacy Code does not prescribe further security measures that should be followed to protect personal data.
Nevertheless, genetic data, biometric data or data concerning health must be processed in accordance with the additional safeguard measures issued by the Garante every two years (Article 2-septies). Such safeguard measures take into account the guidelines, recommendations and best practices published by the European Data Protection Board and best practices on personal data processing; scientific and technological evolution in the sector covered by such measures; and the interest of the free flow of personal data within the territory of the Union. Also, the Garante may issue codes of ethics that set out security measures for the processing of personal data for statistical and scientific research purposes.
The APPI requires that business operators prevent the leakage of Personal Information. The APPI does not set forth specific steps that must be taken. The PPC guidelines suggest recommended steps that business operators should take to ensure that Personal Information is secure. These necessary and appropriate measures generally include "Systematic Security Control Measures", "Human Security Control Measures", "Physical Security Measures" and "Technical Security Control Measures".
Guidelines often contain several specific steps or examples that entities subject to the guidelines must take with respect to each of the security control measures such as developing internal guidelines pertaining to security measures, executing non-disclosure contracts with employees who have access to Personal Information, protecting machines and devices and developing a framework to respond to instances of leakage.
Controllers and processors must implement technical and organizational measures against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data that are proportionate to the risk of harm posed to the rights of data subjects by such events (Article 21 DPJL).
'Technical measures' may include:
- The pseudonymization and encryption of personal data
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
- The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident, and
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing
Anyone who intentionally enters the information network or information system by any means without permission, or in violation of or exceeding authorisation with the aim of accessing data or information not available to the public and that affects national security, foreign relations of the Kingdom, public safety or the national economy shall be punished with imprisonment for a period of no less than four months and a fine of no less than (500) five hundred dinars and not more than (5000) five thousand dinars.
If the entry referred to above is accompanied with the intention of cancelling, destroying, modifying, changing, transferring, copying or disclosing such data or information, the perpetrator shall be punished with temporary labour and a fine of no less than (1,000) one thousand dinars and not more than (5,000) five thousand dinars.
Anyone who intentionally accesses a website to view data or information not available to the public that affects national security, the Kingdom's foreign relations, public safety, or the national economy shall be punished by imprisonment for a period of no less than four months and a fine of no less than (500) five hundred dinars.
If the entry referred to in the paragraph directly above is accompanied with the intention to cancel, destroy, modify, change, move or copy such data or information, the perpetrator shall be punished with temporary labour and a fine of no less than (1,000) one thousand dinars and not more than (5,000) five thousand dinars.
Protection of personal data is guaranteed by the state and is carried out in a manner determined by the Ministry.
Collection and processing of personal data is carried out only if its protection is ensured. Kazakh law defines protection of personal data as a set of legal, organizational and technical measures.
The owner and / or operator of a personal data database and a third party having access to such database are required to take measures for protecting personal data in a manner determined by the Ministry, which ensure:
- prevention of unauthorized access to personal data;
- timely detection of the facts relating to an incident of unauthorized access to personal data, if such unauthorized access could not be prevented;
- minimizing adverse effects of unauthorized access to personal data;
- the state technical service's access to objects of informatisation that use, store, process and distribute limited access personal data contained in electronic information resources, so that the state technical service could carry out a survey to assess the security level of the processes of storage, processing and distribution of limited access personal data contained in electronic information resources in the manner determined by the authorized body;
- registration of certain operations with the personal data where required by Kazakh law.
The obligations of an owner and / or operator of a database containing personal data and a third party having access to such database to protect personal data arise from the moment of collecting the personal data and remain in force until such personal data is destroyed or depersonalized.
Kazakh law provides for additional requirements with regard to protection of electronic resources containing personal data.
Sections 41 and 42 of the Act
Data controllers and processors are required to implement the appropriate organizational and technical measures to implement data protection principles in an effective manner.
Civil registration registries are mandated to formulate written data security procedures which must include the following:
- Instructions concerning physical protection of the database sites and their surroundings;
- Access authorizations to the database and database systems;
- Description of the means intended to protect the database systems and the manner of their operation for this purpose;
- Instructions to the authorized officer of the database and database systems regarding the protection of data stored in the database;
- The risks to which the data in the database is exposed in the course of the civil registration entity's ongoing activities;
- The manner of dealing with information security incidents, according to the severity of the incident;
- Instructions concerning the management and usage of portable devices;
- Instructions with respect to conducting periodical audits to ensure that appropriate security measures, in accordance with the Procedure and the Regulations exist; and
- Instructions regarding backup of personal data.
As far as technical measures are concerned, the General Regulations require the use of hashing and cryptography to limit the possibility of repurposing personal data. The General Regulations also require that the contract between a data controller and a data processor include a clause on security measures subjecting the data processor to appropriate technical and organizational measures in relation to keeping personal data secure.
With respect to organizational measures, the General Regulations require a data controller or data processor to develop, publish and regularly update a policy reflecting their personal data handling practices. The policy may include:
- the nature of personal data collected and held;
- how a data subject may access their personal data and exercise their rights in respect to that personal data;
- complaints handling mechanisms;
- lawful purpose for processing personal data;
- obligations or requirements where personal data is to be transferred outside the country, to third parties, or other data controllers or data processors located outside Kenya and where possible, specify such recipients;
- the retention period and schedule; and
- the collection of personal data from children, and the criteria to be applied.
The General Regulations provide for specific obligations to the data controller and data processor under the data protection principle of integrity, confidentiality and availability. These include:
- having an operative means of managing policies and procedures for information security;
- assessing the risks against the security of personal data and putting in place measures to counter identified risks;
- processing that is robust to withstand changes, regulatory demands, incidents, and cyber-attacks;
- ensuring only authorised personnel have access to the data necessary for their processing tasks;
- securing transfers against unauthorised access and changes;
- securing data storage against unauthorised use, access and alteration;
- keeping back-ups and logs to the extent necessary for information security;
- using audit trails and event monitoring as a routine security control;
- protecting sensitive personal data with adequate measures and, where possible, keeping it separate from the rest of the personal data;
- having in place routines and procedures to detect, handle, report, and learn from data breaches; and
- regularly reviewing and testing software to uncover vulnerabilities of the systems supporting the processing.
LPPD contains general provisions on the security of processing of personal data. Security of processing of personal data refers to adopting appropriate organisational, technical and logical-technical procedures and measures in order to prevent any accidental or deliberate unauthorised destruction, disclosure, modification, etc. Security measures include (Article 31(1)):
- Pseudonymization and encryption of personal data;
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
The above measures of security are not sector-specific and apply to the processing of personal data in general.
In addition to implementing appropriate organizational, technical, and procedural measures for the secure processing of personal data, Regulation 02/2023 imposes specific measures on drone users to protect personal data, including (Article 8.1):
- Prohibiting unauthorized access to premises storing processed personal data.
- Restricting data access and prohibiting unauthorized use of archiving tools.
- Requiring authorization from licensed drone users for equipment commissioning and securing tools against unauthorized use.
- Mandating employees to lock computers, lockers, and offices containing personal data when leaving their workplace.
- Ensuring the protection of data from unauthorized access in the presence of non-employees.
- Prohibiting the display of personal data on screens in the presence of unauthorized persons.
- Restricting the removal of devices containing personal data from the office and ensuring data deletion or destruction in unsafe places.
- Prohibiting employees from recording or copying records without permission from the licensed user.
- Restricting the use of drone-collected data for purposes other than its intended collection, unless permitted by relevant personal data protection legislation.
No specific provisions.
When processing personal data the Holder (Owner) of personal data (data controller) and processor shall:
- Prevent access of unauthorized persons to the equipment used for personal data processing (access control);
- Prevent unauthorized reading, copying, modification or removal of data media (control of data media use);
- Prevent unauthorized recording of personal data and alteration or destruction of stored personal data (entry control) and enable retrospective determination of when, by whom and which personal data have been altered;
- Ensure security of data processing systems, designed to transfer personal data irrespective of the data involved (control of data transmission means);
- Ensure that each user of a data processing system has access only to the personal data which it is authorized to process (controlled access);
- Enable retrospective determination of when, by whom and which personal data have been entered into the data processing system (input control);
- Prevent unauthorized reading, copying, alteration and destruction of personal data during the transmission and transportation of personal data (transport control);
- Ensure the confidentiality of the information in the course of personal data processing.
Generally, the Law on Electronic Data Protection requires the Data Administrator to ensure the following regarding the storage / maintenance of electronic data:
- there is a team or employee responsible for the administration of sensitive data;
- there is, among other things, an adequate system to store or use the data, and a data safeguard system to protect the data;
- there is a backup system for destroyed or deleted data;
- information is recorded by way of another appropriate method (e.g. paper, magnetic storage), and the appropriate measure is used to guarantee good maintenance;
- a risk assessment is conducted on the protection system at least once a year, and any failures uncovered during the inspection are corrected;
- access to the system is inspected, and protected from any intrusion, virus, or other risks;
- any adverse events that have occurred or are about to occur are immediately solved; and
- the information that is under the responsibility of the Data Administrator is protected.
EU regulation
The GDPR is not prescriptive about specific technical standards or measures. Rather, the GDPR adopts a proportionate, context-specific approach to security. Article 32 states that controllers and processors shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the processing. In so doing, they must take account of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. A 'one size fits all' approach is therefore the antithesis of this requirement.
However, the GDPR does require controllers and processors to consider the following when assessing what might constitute adequate security:
- The pseudonymization and encryption of personal data
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
- The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing
Latvia regulation
The Personal Data Processing Law does not provide any derogations or additional requirements to the GDPR regarding security.
The Law does not mandate specific technical security measures; an appropriate security standard applies.
The Law requires the data processor to take all measures, in light of the nature of the data and the risks resulting from processing thereof, in order to ensure the integrity and security of the data and to protect the same against being distorted, damaged or accessed by unauthorized persons.
The DP Act regulates security measures on integrity of personal information processed by a data controller and security measures regarding information processed by an agent.
The DP Act (section 20) gives the data controller the duty to secure the integrity of personal information in its possession by taking appropriate measures to prevent the loss, damage to or unauthorised destruction of personal information and prevent the unlawful access to or processing of personal information. In order to give effect to this, the data controller should take the following reasonable measures:
- Identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control;
- Establish and maintain appropriate safeguards against the identified risks;
- Regularly verify that the safeguards are effectively implemented; and
- Ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.
The DP Act (section 21) states that any personal information processed by an agent should only be done with the knowledge and authorization of the data controller. Secondly the personal information should be treated as confidential unless the law or the performance of their duties requires disclosure. The following security measures are in place for information processed by an agent:
- A data controller should ensure that the agent processing the personal information establishes and maintains the security measures referred to in the DP Act.
- A written contract between the data controller and agent governs the processing of personal information by the agent.
- If the agent is not domiciled or does not have its principal place of business in Lesotho, the data controller should take reasonable steps to ensure that the agent complies with the laws relating to the protection of personal information of the territory in which the agent is domiciled.
Section 9.1 of the CBL Regulations Concerning the Licensing and Operations of Electronic Payment Services in Liberia ("E-Payment Regulation") provides as follows:
- "All e-payment service providers shall ensure that personal information of customers obtained during the course of operations is used, disclosed, retained and protected as agreed"; and
- "They shall ensure the security, Integrity, Confidentiality and Availability of data and services by adopting prevailing international standard(s) as well as those prescribed by Central Bank of Liberia from time to time."
Not applicable.
EU regulation
The GDPR is not prescriptive about specific technical standards or measures. Rather, the GDPR adopts a proportionate, context-specific approach to security. Article 32 states that controllers and processors shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the processing. In so doing, they must take account of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. A 'one size fits all' approach is therefore the antithesis of this requirement.
However, the GDPR does require controllers and processors to consider the following when assessing what might constitute adequate security:
- The pseudonymization and encryption of personal data
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
- The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing
Lithuania regulation
The Data Protection Law does not provide any derogations or additional requirements to the GDPR regarding security.
EU regulation
The GDPR is not prescriptive about specific technical standards or measures. Rather, the GDPR adopts a proportionate, context-specific approach to security. Article 32 states that controllers and processors shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the processing. In so doing, they must take account of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. A 'one size fits all' approach is therefore the antithesis of this requirement.
However, the GDPR does require controllers and processors to consider the following when assessing what might constitute adequate security:
- The pseudonymization and encryption of personal data
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
- The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing
Luxembourg regulation
Article 65 of the Law of August 1, 2018 on the organization of the National Data Protection Commission provides specific technical measures that must be put in place for limited categories of processing (ie, processing of personal data for scientific or historical research purposes or for statistical purposes, and processing of special categories of personal data for archiving purposes in the public interest).
Such measures include:
- Resorting to an independent trusted third party for the anonymization or pseudonymization of the personal data
- Log files allowing for the identification of the purpose, date and time of consultation of the personal data as well as for the identification of the person having collected, modified or deleted the personal data
The data controller must implement adequate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular, where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. Such measures must ensure a security level appropriate to the risks represented by the personal data processing and the nature of the personal data, taking into consideration the state of the art and costs of the measures.
The data controller must take all useful precautions, with respect to the nature of the data and the risk presented by the processing, to preserve the security of the data and, amongst other things, prevent alteration, corruption or access by unauthorised third parties.
Under the PDPA, data users / data controllers have an obligation to take "practical" steps to protect personal data, and in doing so, must develop and implement a security policy. The Commissioner may also, from time to time, set out security standards with which the data user must comply, and the data user is required to ensure that its data processors comply with these security standards. However, please note that the Amending Act has amended this by imposing the direct obligation on data processors to comply with the Security Principle under the PDPA.
In addition, the Standards provide separate security standards for personal data processed electronically and for personal data processed non-electronically (among others) and require data users to have regard to the Standards in taking practical steps to protect the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction. However, please note that the Standards are currently under review.
EU regulation
The GDPR is not prescriptive about specific technical standards or measures. Rather, the GDPR adopts a proportionate, context-specific approach to security. Article 32 states that controllers and processors shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the processing. In so doing, they must take account of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. A 'one size fits all' approach is therefore the antithesis of this requirement.
However, the GDPR does require controllers and processors to consider the following when assessing what might constitute adequate security:
- The pseudonymization and encryption of personal data
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
- The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing
Malta regulation
The Act does not derogate from or further regulate the provisions of the GDPR in this regard.
Under the DPA 2017, a controller or processor must, at the time of the determination of the means for processing and at the time of the processing, implement and maintain appropriate security and organizational measures for the prevention of unauthorized access to, alteration, disclosure or destruction of, or the accidental loss of the personal data.
Additionally, the controller or processor must ensure that measures provide a level of security appropriate to the harm that may result from the unauthorized access to, alteration, disclosure or destruction of, or the accidental loss of the personal data and the nature of the personal data concerned.
The measures referred to above shall include all of the following:
- The pseudonymization and encryption of personal data
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
- The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing
In determining the appropriate security measures, in particular, where the processing involves the transmission of data over an information and communication network, a data controller shall have regard to the:
- State of technological development available;
- Cost of implementing any of the security measures;
- Special risks that exist in the processing of the data; and
- Nature of the data being processed.
Where a controller is using the services of a processor: (a) the controller must choose a processor that is able to provide sufficient guarantees in respect of security and organizational measures for the purpose of complying with the security measures described above; and (b) the controller and the processor shall enter into a written contract which shall provide that: (i) the processor shall act only on instructions received from the controller; and (ii) the processor shall be bound by the obligations of the controller as regards security measures to be taken.
If the purpose for keeping personal data has lapsed, the controller must destroy such data as soon as reasonably practicable and notify any data processor holding such data, who in turn must destroy the data specified by the controller as soon as is reasonably practicable.
Every controller or processor has to take all reasonable steps to ensure that any person employed by him or it is aware of, and complies with, the relevant security measures.
All data controllers must establish and maintain physical, technical and administrative security measures designed to protect personal data from damage, loss, alteration, destruction or unauthorized use, access or processing. They may not adopt security measures that are inferior to those they have in place to manage their own information.
The risk involved, potential consequences for the data subjects, sensitivity of the data and technological development must be taken into account when establishing security measures, and more care should be taken in the collection and process of sensitive personal data.
The Controller also has the obligation to train its personnel on the proper handling of personal data in order to ensure compliance with the Mexican Privacy Laws. Per the Guidelines, a controller must also establish, document and follow security policies and procedures, including:
- Maintaining an inventory of personal data and the relevant processing systems, and update this at least once per year with respect to sensitive personal data
- Identifying the duties and obligations of persons that process personal data on behalf of the controller
- Conducting appropriate risk analyses to identify dangers and estimate the risk of harm to personal data
- Establishing the applicable security measures and confirming that they are effectively implemented
- Assessing and improving security on an ongoing basis
- Establishing a roadmap to implement any missing security measures identified pursuant to a security breach (as necessary to prevent a recurrence of such breach)
- Performing reviews or audits of the security program
- Maintaining records of the storage means for personal data
The controller must implement appropriate technical and organizational measures to protect personal data against destruction, alteration, blocking, copying, disclosure, and against other unlawful forms of processing, that shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data. The NCPDP has approved guidelines on the security measures to be implemented by the controller or processor for the protection and processing of personal data within information systems.
Where processing is to be carried out on behalf of the controller, the controller shall only use processors providing sufficient guarantees to implement appropriate technical and organisational measures. The processing of personal data by a processor shall be governed by a contract concluded with the controller, ensuring in particular the following:
- that the processor only acts on the instructions from the controller;
- that the obligations related to mandatory technical and organisational measures to be undertaken, in order to ensure a level of security appropriate to the risk and nature of the data processed, shall also apply to the processor.
According to the New Data Protection Law, and save for the exceptions expressly established by law, where a controller or processor not registered in the Republic of Moldova is processing personal data of subjects who are in the Republic of Moldova, it should designate a representative in Moldova, provided that the processing activities are related to the following:
- the offering of goods or services to such subjects in the Republic of Moldova, irrespective of whether payment by the data subject is required; or
- the monitoring of data subjects' behaviour, as far as their behaviour takes place within the Republic of Moldova.
Data controllers must take appropriate technical and organizational measures designed to protect against unauthorized or unlawful processing, accidental loss or destruction of, or damage to, personal data.
Measures implemented must ensure an adequate level of security with regard to the risks posed by processing and by the nature of the data to be protected.
Where the data controller or their representative engages a service provider to process personal data, they must ensure that the service provider is able to comply with the obligations laid down in the two previous paragraphs.
The implementation of processing by such service provider must be governed by a written agreement between the subcontractor and the data controller that stipulates specifically that the service provider and his employees work under the sole directive of the data controller, and that he is also accountable for the obligations relating to the security of the processing.
Data Controllers must take the following measures for the purpose of maintaining data security:
- Adopt internal data security rules and regulations;
- Approve a plan in accordance with the law to take measures and deliver notice to the state authority and the Data Owner in the event of data loss;
- Take all measures to ensure the integrity, confidentiality and accessibility of the information technology systems used for data collection, processing and use;
- Adopt and follow procedures and instructions on restricting the use of data, deleting the data and making it impossible to identify the Data Owner; and
- In the event of making decisions that affect the rights, freedom and legitimate interests of the Data Owner or regularly processing Sensitive Personal Data, the Data Controller must evaluate the situation in order to ensure the security of data processing activities. Guidelines and procedures for the evaluation will be adopted by the Ministry of Digital Development, Innovation and Communications as recommended by the National Human Rights Commission.
On 11 September 2023, the Ministry of Digital Development, Innovation and Communications adopted the procedure on "General requirement for maintaining information security during the collection, processing and use of Personal Data" ("Information Security Requirement"). As per the Information Security Requirement, the Data Controller must follow the below principles when collecting, processing and using the Sensitive Personal Data in addition to those provided under the Data Protection Law:
- Transparency;
- Fit for purpose;
- Maintain storage limitations;
- Responsible;
- Based on risk evaluation; and
- Have integrated information system.
According to the Information Security Requirement, the Data Controller must comply with certain technological security requirements, including:
- Adopt and implement internal information security regulation;
- Employ unit or personnel in charge of information security;
- Use information processing programs, networks and equipment that are approved by the authorized entity;
- Use licensed programs in order to prevent information security risks, and conduct an information security evaluation every two years or when necessary;
- Conduct an information security audit on an annual basis;
- Maintain historical records of information changes, deletions, and restorations; and
- Monitor and ensure the integrity and confidentiality of the information.
The Information Security Requirement further requires that the information processing server of the Data Controller must:
- be located in the territory of Mongolia;
- be accessible only from Mongolia;
- be placed in the dedicated technical room;
- be able to increase the capacity of the server if necessary;
- be able to exchange information through the state information exchange system "KHUR";
- be connected to the network time server of the Communications Regulatory Commission of Mongolia;
- be protected by "SSL" certificate; and
- be able to be backed up on a regular basis.
The Cyber Security Law of Mongolia, adopted by the Parliament on 17 December 2021, regulates matters pertaining to the establishment of systems, principles and legal framework for ensuring cyber security. According to the Cyber Security Law, the "cyber security system" that is responsible for ensuring cyber security includes the Government, intelligence agency, state-owned legal entities, police organization, citizens, legal entities and entities with critical information infrastructure, such as entities operating in the energy, health and payment sectors, as well as database operators and border ports. For instance, the Law provides that an individual person must be responsible for maintaining cyber security of himself and individuals under his or her care.
The DP Law requires that both data controllers and processors undertake technical, personnel and organizational measures for the protection of personal data against loss, destruction, unauthorized access, alteration, publication and misuse. Further, individuals who process personal data are required to keep the processed personal data confidential.
Additionally, data controllers are required to establish internal rules regarding their personal data processing and the protection of same (which should include identifying the measures undertaken). Data controllers should also determine which employees have access to the processed data (and to which of this data), as well as the types of data which may be disclosed to other users (and the conditions for the respective disclosure). Finally, if the processing is performed electronically, a data controller is required to ensure that certain information on the use and recipients of the respective data is automatically kept in the information system.
Article 23 of the DP Law provides that an organization is required to implement all technical and organizational measures to protect personal data in order to prevent it being damaged, altered or used by a third party who is not authorized to have access, as well as to protect it against any form of illicit processing.
Additionally, in appointing processors and subcontractors an organization must choose a processor or subcontractor who provides sufficient guarantees with regard to the technical and organizational measures relating to the processing to be carried out while ensuring compliance with these measures.
Under the Electronic Transactions Law, the person / entity responsible for processing electronic data, must protect personal data against risks, losses, unauthorized access, destruction, use, modification or disclosure.
The Cybersecurity Bill also establishes a duty on data processors and data controllers to ensure the confidentiality of data stored in electronic communications network.
By implication from relevant laws, personal data must be kept with reasonable security arrangements.
There are no data security requirements.
The collected data should only be used for the purpose for which such data have been collected. Further, the Privacy Act obligates the public body which has the collected information, to make appropriate arrangements for the protection of collected information.
EU regulation
The GDPR is not prescriptive about specific technical standards or measures. Rather, the GDPR adopts a proportionate, context-specific approach to security. Article 32 states that controllers and processors shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the processing. In so doing, they must take account of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. A 'one size fits all' approach is therefore the antithesis of this requirement.
However the GDPR does require controllers and processors to consider the following when assessing what might constitute adequate security:
- The pseudonymization and encryption of personal data
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
- The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing
An important security measure in line with the GDPR applicable from 1 January 2021 is that, most online payments must be completed with two-step verification. This is an obligation under the Payment Service Directive 2, the European directive for payments by consumers and businesses.
Netherlands regulation
The Netherlands have not implemented any specific regulations on the basis of Articles 24, 25 or 32 of the GDPR. In this respect, the Explanatory Memorandum to the Dutch Implementation Act explains that no general standard will be developed which sets out when an organization has fulfilled its technical and organizational security obligations. However, specific sectoral codes of conduct may be implemented which may contain further concrete standards. For example, in the health sector we see that such security standards already exist (e.g. NEN 7510, which applies as an important information security standard in the health sector).
An agency that holds personal information shall ensure that the information is kept securely and protected by such security safeguards as are reasonable in the circumstances to protect against loss, access, use, modification, or disclosure that is not authorised by the agency, and other misuse.
If it is necessary for the information to be given to a person in connection with the provision of a service to the agency, everything reasonably within the power of the agency must be done to prevent unauthorised use or unauthorised disclosure of the information.
The necessary technical and organisational measures must be adopted to guarantee the integrity, confidentiality and security of personal data, to avoid its adulteration, loss, consultation, treatment, disclosure, transfer or unauthorised disclosure, and to allow the detection of deviations, whether intentional or not, affecting private information, whether the risks come from human action or from the technical means used.
Article 82 of the 2022 Data Protection Act sets out the security obligations of data controllers and processors with regard to the protection of personal data. They must put in place technical and organisational measures to prevent distortion, damage or unauthorised access to such data, taking into account the nature, scope, context and purposes of the processing, as well as the risks to individuals. These measures may include pseudonymisation, anonymisation and encryption of personal data, as well as regular testing, analysis and evaluation procedures to ensure the security of the processing. Appropriate security policies must also be put in place, including the obligation of protection by design and protection by default of personal data necessary for each specific purpose of processing.
Data Controllers and Processors involved in data processing or the control of data have the responsibility to develop and implement appropriate technical and organizational measures to ensure the security, integrity and confidentiality of personal data under their control. Such measures include but are not limited to protecting systems from hackers, setting up firewalls, storing data securely with access restricted to specific authorized individuals, employing data encryption technologies, developing organizational policies for handling Personal Data (and other sensitive or confidential data), protection of emailing systems and continuous capacity building for staff.
In developing and implementing the measures referred to above, the amount and sensitivity of the personal data, likelihood of harm to the data subject amongst other considerations should be taken into account.
The DP Law requires data controllers and data processors to implement appropriate technical and organizational measures to protect personal data from accidental or illegal destruction, loss, alteration, unauthorized disclosure of personal data or unauthorized access to transferred, stored or otherwise processed personal data. These risks are particularly taken into consideration in order to assess the appropriate level of security.
The technical and organizational measures include, inter alia, as appropriate:
- the pseudonymization and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
The data controller and the data processor must always implement the technical and organizational measures relevant to the period in which they are designed and implemented, in accordance with the state-of-the-art technology.
The data controller and the data processor are obliged to apply appropriate levels of technical and organizational measures proportional to the processing activities, while taking into consideration the nature, scope, context and purposes of the processing, as well as the risks with different probability and seriousness for the rights and freedoms of natural persons.
The technical and organizational measures can be classified in two levels:
- Standard; and
- High.
The process for managing the system for personal data protection is described in the internally adopted Policy on the System for Personal Data Protection, which should be regularly updated and harmonized in line with any changes in the data controller's working process.
The GDPR is not prescriptive about specific technical standards or measures. Rather, the GDPR adopts a proportionate, context-specific approach to security. Article 32 states that controllers and processors shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the processing. In so doing, they must take account of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. A 'one size fits all' approach is therefore the antithesis of this requirement.
However the GDPR does require controllers and processors to consider the following when assessing what might constitute adequate security:
- the pseudonymization and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
There are currently no additional data security requirements under the provisions of PECA 2016. However, there are additional requirements under sector specific legislation, such as in the banking and finance sector.
Further, once promulgated, the PDPB would require data collectors and data processors to comply with the standards so prescribed by it for the protection of personal data.
In matters of security, data controllers must establish protocols, safe management and transfer processes and procedures to protect the rights of data subjects under the precepts of this Law. The minimum requirements that must be contained in the privacy policies, protocols and procedures for data processing and transfer that must be met by the data controller, will be issued by the regulator of each sector in accordance with this law.
In the event that the treatment or transfer of personal data is carried out through the Internet or any other electronic, digital or physical means, the data controller or the data processor, whichever applies, must comply with the standard certifications, protocols, and technical and management measures appropriate to preserve the security of their systems or networks, in order to guarantee the levels of protection of personal data established by the Data Protection Law.
Under current legislation, there are no specific security requirements regarding the protection of private information. However, Art. 10 of the Law establishes that the person or entity responsible for the treatment of personal credit data shall guarantee the adoption and implementation of the necessary technical, organizational and security measures to protect the access to and integrity of personal data, in order to prevent its alteration, loss, commercialization and unauthorized access.
The Regulatory Decree of the Electronic Commerce Law also establishes that companies that render services via electronic means (that also collect or process personal or private data), have the duty to:
- inform the recipient of such data of the person in charge of its custody and storage; and
- implement secure systems to avoid the unauthorized loss, alteration and/or third party access to such data (Art. 11).
Additionally, such companies have the duty to inform consumers and users (in a transparent, clear and simple manner) regarding the specifics of:
- the level of security and the applicable privacy policy covering the permanent protection of personal data; and
- security measures and technology used to protect the means of payment and the transfer, processing and/or storage of financial data (Art. 12).
Database holders and data handlers must adopt technical, organizational and legal measures necessary to guarantee the security of the personal data they hold. The measures taken must ensure a level of security appropriate to the nature and purpose of the personal data involved.
Therefore, they must comply with, among others, the following security measures:
- Document and implement mechanisms for access management, identification and authentication procedures, biannual verification of privileges and use of mechanisms such as passwords, digital certificates and tokens
- Monitor and periodically review security measures and staff training according to their roles and responsibilities
- Document and implement the generation of legible and timely records of interactions with data, including for traceability purposes, account information, schedules, actions, among others. Such records should have a procedure for disposal, storage, transfer, destruction, a minimum retention of two years and secure disposal; and should be generated continuously and immediately
- Document and implement measures to prevent unauthorized access and reproduction of digital documents, and exclusive use of approved institutional systems and tools, and
- Implement at least: (i) controls to maintain secure areas, (ii) controls to maintain secure equipment inside and outside the facilities, and (iii) controls to ensure the generation of secure and continuous backup copies and their integrity verification, taking as a reference the recommendations indicated in the current edition of "NTP-ISO/IEC 27001:2022 Information Technology. Security Techniques. Information Security Systems. Requirements".
Likewise, with the entry into force of the New Regulation, the holder of the personal database shall implement a Security Document that must bear a certain date. The Security Document must be updated and contain, as a minimum, the procedures for access management, privilege management and periodic verification of the privileges assigned to the information systems. This includes technological platforms, mobile applications, database engines, among others, used for the processing of personal data, as well as internal policies for the management and processing of personal data, which must consider the context and life cycle of the data.
Furthermore, the NDPA has issued a Security Directive through Directorial Resolution Nº 019-2013-JUS/DGPDP (Security Directive), as an instrument that makes it possible for those actors who process personal data to act in accordance with the applicable law, as it provides guidance on the conditions, requirements and technical measures that shall be considered in order to comply with the applicable regulation.
The PIC must implement reasonable and appropriate organizational, physical and technical measures to protect Personal Information against any type of accidental or unlawful destruction, such as from accidental loss, unlawful access, fraudulent misuse, unlawful destruction, alteration, contamination and disclosure, as well as against any other unlawful processing.
The determination of the appropriate level of security must take into account the nature of the Personal Information to be protected, the risks represented by the processing, the size of the organization and complexity of its operations, current data privacy best practices and the cost of security implementation.
In addition, the security measures to be implemented must include the following, which are subject to guidelines that the NPC may issue:
- safeguards to protect its computer network against accidental, unlawful or unauthorized usage or interference with or hindering of their functioning or availability;
- a security policy with respect to the processing of Personal Information;
- a process for identifying and accessing reasonably foreseeable vulnerabilities in its computer networks, and for taking preventive, corrective and mitigating action against security incidents that can lead to a security breach; and
- regular monitoring for security breaches and a process for taking preventive, corrective and mitigating action against security incidents that can lead to a security breach.
The PIC is obligated to ensure that third parties processing Personal Information on its behalf shall implement the security measures required by the Act.
The obligation to maintain strict confidentiality of Personal Information that is not intended for public disclosure extends to the employees, agents or representatives of a PIC who are involved in the processing of such Personal Information.
EU regulation
The GDPR is not prescriptive about specific technical standards or measures. Rather, the GDPR adopts a proportionate, context-specific approach to security. Article 32 states that controllers and processors shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the processing. In so doing, they must take account of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. A 'one size fits all' approach is therefore the antithesis of this requirement.
However, the GDPR does require controllers and processors to consider the following when assessing what might constitute adequate security:
- The pseudonymization and encryption of personal data
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
- The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing
Poland regulation
The Implementing Act does not include any derogations from the GDPR.
EU regulation
The GDPR is not prescriptive about specific technical standards or measures. Rather, the GDPR adopts a proportionate, context-specific approach to security. Article 32 states that controllers and processors shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing. In so doing, they must take account of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. A 'one size fits all' approach is therefore the antithesis of this requirement.
However the GDPR does require controllers and processors to consider the following when assessing what might constitute adequate security:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
Portugal regulation
The security measures shall follow GDPR provisions. Law no 58/2019 of 8 August also provides that health databases or centralised registers based on single platforms should meet the security and integrity requirements provided for by the GDPR.
Data controllers must take appropriate technical and organizational measures to securely manage personal data.
The data controller must carry out the following procedures:
- Review privacy protection procedures before implementing new processing operations
- Specify the processors responsible for protecting the personal data
- Train processors on the protection of personal data and raise their awareness relating to the same
- Set up internal systems to receive and investigate complaints, data access requests, data correction or deletion requests and provide the data subjects with information relating to the same
- Set up internal systems for the effective management of personal data, and report any violation of the same with the aim of safeguarding personal data
- Adopt suitable technical means to enable individuals to exercise their rights to access, review and correct their personal data directly
- Carry out comprehensive review and checking of the commitment to protect personal data
- Verify that the data processor abides by the instructions given to him/her or take suitable precautions to protect personal data, and continually monitor that situation
The data controller and processor must take necessary precautions to protect personal data against loss, damage, amendment, disclosure or access thereto or use thereof in an accidental or unlawful way. The Data Protection Law states the precautions taken must be proportionate to the nature and importance of the personal data to be protected. Organizations should adopt best practice methodologies in keeping with their business sector.
Data controllers and processors must implement appropriate technical and organizational measures to ensure an appropriate level of security in the processing of personal data. These measures include, but are not limited to:
- The de-identification and / or encryption of the personal data;
- Ability to ensure continuing confidentiality, integrity, availability and resilience of processing systems and services;
- Ability to restore availability of and access to the personal data in a timely manner if a physical or technical incident has occurred;
- A process for routinely testing, assessing and evaluating the effectiveness of the measures.
The measures implemented ought to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected and in particular, to protect such personal data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the personal data. In assessing what measures are appropriate, data controllers and processors can consider:
- Availability of technology;
- Costs of implementation;
- The processing activities; and
- The likelihood and severity of the risks to the rights and legitimate interests of individuals.
The Law provides for a detailed overview of security measures that must be taken by the processor of personal data in order to secure the personal data.
EU regulation
The GDPR does not prescribe specific technical standards or measures. Rather, the GDPR adopts a proportionate, context-specific approach to security. Article 32 states that controllers and processors shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing. In so doing, they must take account of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. A one-size-fits-all approach is therefore the antithesis of this requirement.
However, the GDPR does require controllers and processors to consider the following when assessing what might constitute adequate security:
- The pseudonymization and encryption of personal data
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
- The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing
Romania regulation
No specific provisions / derogations are provided by Law no. 190/2018 with respect to the security measures to be undertaken by controllers / processors.
Data controllers are required to take appropriate technical and organisational measures against unauthorised or unlawful processing and accidental loss, changing, blocking or destruction of, or damage to, personal data.
A recent special regulation sets forth certain measures that the data controller should undertake to ensure security of personal data, data systems, carriers of biometrical information and technologies.
The DC and DP are required to ensure security of the personal data in their possession by adopting appropriate, reasonable technical measures to prevent loss, damage or destruction of personal data which include the following (article 47):
- identify foreseeable risks to personal data under that personâs possession or control, establish and maintain appropriate safeguards against those risks;
- regularly verify whether the personal data safeguards are effectively implemented;
- ensure that the personal data security safeguards are continually updated in response to new risks or any identified deficiencies.
The NCSA is entitled by the Data Protection Law to conduct inspection and assessment of these security measures.
The Data Protection Law also provides for safeguards that DC or DP processing sensitive personal data must adopt including storing sensitive personal data separately from other types of data or applying measures such as tokenisation, pseudonymisation or encryption (article 11).
Data controllers must take necessary organisational, administrative and technical measures and means to ensure personal data is preserved, including when it is transferred, in accordance with the provisions and controls specified in the Implementing Regulations.
According to Article 71 of the Protection of Personal Data, all data controllers have an obligation to ensure the security of personal data. The data controller is required to take all necessary precautions with regard to the nature of the data and, in particular, to prevent it from being distorted or damaged and to prevent unauthorized third parties from accessing it. Data controllers must make sure that:
- authorized persons can only access personal data within their competence;
- the identity and interests of any third-party recipients of the data can be verified;
- the identity of persons having access to the information system can be verified;
- unauthorized persons are prevented from accessing the premises and equipment used for data processing;
- unauthorized persons are prevented from reading, copying, modifying, moving or destroying data;
- all data introduced into the system is authorized;
- data cannot be read, copied, modified or erased without authorization during the transport or communication of the data;
- data is backed up with security copies; and
- data is renewed and converted in order to preserve it.
Similar to the GDPR, the DP Law introduces burdensome accountability obligations on data controllers, which are required to "demonstrate compliance". This includes an obligation to do all of the following:
- Implement, maintain and update appropriate technical, organizational and human resources measures to ensure a level of security appropriate to the risk involved, taking into account the state of the art and associated implementation costs, among other factors.
- Have in place certain documentation, such as data protection policies and records of processing activities.
- Implement data protection by design and by default.
- Conduct a data protection impact assessment for those processing operations that are likely to cause a high risk to the rights and freedoms of individuals (the specific cases in which such an assessment is mandatory are also explicitly prescribed, e.g. when special categories of personal data are processed on a large scale).
Data protection by design requires controllers to adopt, as well as maintain and update when needed, appropriate measures (such as pseudonymization and data minimization) which implement the safeguards necessary for processing. Data protection by default, on the other hand, requires controllers to adopt measures so that, by default, only the processing which is necessary for the specific purpose is possible (e.g. that, by default, the privacy settings on one's social network profile do not make the data public).
The Act provides that appropriate security measures shall be taken against unauthorised access to, or alteration, disclosure or destruction of, personal data and against accidental loss or destruction of personal data.
Organizations must protect personal data in their possession or under their control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal, the loss of any storage medium or device on which personal data is stored, or similar risks. Data intermediaries are also directly liable and subject to the same security obligation. The Act does not specify security measures to adopt and implement, however the Commission has issued best practice guidance which provides specific examples, including with respect to cloud computing and IT outsourcing.
National Ordinance Personal Data Protection
Pursuant to article 13 of the National Ordinance Personal Data Protection the responsible party shall execute appropriate technical and organizational measures to secure personal data against loss or any form of unlawful processing. These measures shall guarantee an appropriate level of security, taking account of the technical state of the art and the costs of execution, in view of the risks associated with that processing and the nature of the data to be protected. The measures shall be aimed partly at preventing unnecessary gathering and further processing of personal data.
GDPR
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (article 32 GDPR).
EU regulation
The GDPR is not prescriptive about specific technical standards or measures. Rather, the GDPR adopts a proportionate, context-specific approach to security. Article 32 states that controllers and processors shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing. In so doing, they must take account of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. A 'one size fits all' approach is therefore the antithesis of this requirement.
However the GDPR does require controllers and processors to consider the following when assessing what might constitute adequate security:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
Slovak Republic regulation
Controllers and processors shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. The rights and obligations in regard to the security of personal data are governed by the GDPR.
In this respect, the Slovak Office issued Decree No. 158/2018 Coll. on Procedure when Assessing the Impact on the Protection of Personal Data as of 29 May 2018.
The GDPR is not prescriptive about specific technical standards or measures. Rather, the GDPR adopts a proportionate, context-specific approach to security. Article 32 GDPR states that controllers and processors shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the processing. In so doing, they must take account of the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing. A 'one size fits all' approach is therefore the antithesis of this requirement.
However, the GDPR does require controllers and processors to consider the following when assessing what might constitute adequate security:
- The pseudonymization and encryption of personal data;
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
- A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
ZVOP-2 provides no general additional requirements in relation to security measures. In the context of archiving, scientific or historical research purposes or statistical purposes, the ZVOP-2 sets out specific rules including anonymization or pseudonymization requirements.
Security measures are also detailed for each special regime but resemble the GDPR.
However, Article 22 ZVOP-2 provides additional requirements regarding data security by prescribing the so-called "processing log" (dnevnik obdelave), namely by specifying:
- who must ensure processing logs;
- for which processing activities;
- what the processing log must contain;
- for which purposes the processing log can be used; and
- data retention periods in processing logs.
Article 23 ZVOP-2 specifies data security requirements in the field of special processing. These requirements apply to particularly risky information systems processing large amounts of sensitive, confidential, or otherwise protected data, including special categories of personal data.
Article 21 ZVOP-2 also includes provisions related to the protection of personal data in proceedings related to such personal data.
Section 19 of POPIA places an obligation on a responsible party to secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent loss, damage to, or unauthorised destruction of, and unlawful access to, personal information.
To comply with this obligation, the responsible party must take reasonable measures to do all of the following:
- Identify all reasonably foreseeable internal and external risks to personal information under its control;
- Establish and maintain appropriate safeguards against the risks identified;
- Regularly verify that the safeguards are effectively implemented; and
- Ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.
The responsible party must also have due regard to generally accepted information security practices and procedures which may apply to it generally or be required in terms of specific industry or professional rules and regulations.
Under the PIPA, every personal data controller must, when it processes personal information of a data subject, take the following technical and administrative measures in accordance with the guidelines prescribed by the Presidential Decree to prevent loss, theft, leakage, alteration, or destruction of personal information:
- establishment and implementation of an internal control plan for handling personal information in a safe way;
- installation and operation of an access control device, such as a system for blocking intrusion to cut off illegal access to personal information;
- measures for preventing fabrication and alteration of access / log records;
- measures for security including encryption technology and other methods for safe storage and transmission of personal information; and
- measures for preventing intrusion of computer viruses, including installation and operation of vaccine software, and other protective measures necessary for securing the safety of personal information.
The PIPA provides detailed measures to be taken by the personal data controller in its subordinate regulations. On October 31, 2024, the PIPC released the updated Guidelines on Standards for Measures to Ensure Security of Personal Information (the "Guidelines").
The GDPR is not prescriptive about specific technical standards or measures. Rather, the GDPR adopts a proportionate, context-specific approach to security. Article 32 states that controllers and processors shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing. In so doing, they must take account of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. A 'one size fits all' approach is therefore the antithesis of this requirement.
However the GDPR does require controllers and processors to consider the following when assessing what might constitute adequate security:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
The PDPA does not prescribe the specific technical measures or standards that ought to be implemented but requires the adoption of appropriate technical and organizational measures to ensure security that is commensurate to the risk of the processing activity.
Nonetheless, it provides insight into such technical and organizational measures by setting out that such measures include encryption, pseudonymization, anonymization or access controls.
Moreover, the PDPA also requires processors of personal data to have such technical and organizational measures in place, and to ensure that their personnel are bound by contractual obligations of confidentiality and secrecy.
EU regulation
The GDPR is not prescriptive about specific technical standards or measures. Rather, the GDPR adopts a proportionate, context-specific approach to security. Article 32 states that controllers and processors shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing. In so doing, they must take account of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. A 'one size fits all' approach is therefore the antithesis of this requirement.
However the GDPR does require controllers and processors to consider the following when assessing what might constitute adequate security:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
Sweden regulation
There are no specific security requirements set out in the Data Protection Act. However, it should be noted that certain security related provisions are prescribed under the Patient Data Act (2008:355) when processing personal data, regarding e.g. confidentiality, access and disclosure.
Moreover, a two-factor authentication when accessing special categories of data over an open network and encryption when sending special categories of data are examples of previous recommendations from the Swedish Authority for Privacy Protection.
The data controller and any processor shall guarantee a level of data security appropriate to the risk by taking suitable technical and organisational measures. The measures must make it possible to avoid data security breaches and ensure the confidentiality, availability, integrity and traceability of the personal data. In particular, personal data must be protected against the following risks:
- Unlawful or accidental loss, deletion and destruction;
- technical errors;
- forgery, theft or unlawful use;
- unauthorized altering, copying, accessing or other unauthorized processing.
The technical and organisational measures must be appropriate, in particular with regard to the type of processed data and the purpose, nature, extent and circumstances of the data processing, the risks for the personality or fundamental rights of the data subjects and the current technological standards and implementation costs. The ODP sets out these requirements in more detail.
Wilful violations of the minimum data security requirements (which, however, are only defined in general terms in the ODP) are subject to sanctions.
A data collector is required to adopt proper security measures to prevent personal data from being stolen, altered, damaged, destroyed or disclosed.
In addition, the relevant competent authority at the central government level may designate certain data collectors for setting up plans of security measures for personal data files or the disposal measures for personal data after termination of business. As at December 18, 2023, industry specific guidelines governing the plan of security measures for personal data files have been promulgated for many industries, including for financial institutions, human resources recruitment business, hospitals, manufacturers, and others.
The data controller is obliged to take appropriate measures against unauthorized processing, accidental loss, or modification of personal data.
The PDPA requires data controllers and their representatives to safeguard personal data by taking necessary security measures for the safeguard of such information against any negligent loss or unauthorised destruction, modification, disclosure, access or processing of personal data.1
The security measures that a data collector employs must ensure the required level of security by taking into account the following:
- the state of technological advancement and the costs of implementing such measures; and
- the nature of personal data that should be protected and the potential risks to the data subject;2
Data controllers are also required to appoint a personal data protection officer (refer to above).3
Any processing activity by a data processor must be governed by a contract that will specify the relationship between the processor and the controller in such a way that ensures the data processor will act under the instructions of the data controller and that the data processor will be responsible for ensuring compliance with the security standards provided under the PDPA.4
Footnotes
1: Section 27(1) of the DPA
2: Section 27(2)(a) and (b) of the DPA
3: Section 27(3) of the DPA
4: Section 27(4) of the DPA
Under the PDPA, Data Controllers are required to have appropriate security measures to protect the stored Personal Data against loss, unauthorized and unlawful access, use, alteration, edit or disclosure. Such security measures must be subject to periodic review.
The Notification of the Regulator on Security Measures of Data Controller B.E. 2565 (2022), a subordinate regulation under the PDPA, further prescribes that such appropriate security measures shall include organizational measures, technical measures and physical measures. Examples of security measures include access controls, user access management, user responsibilities and audit trails.
Data Controllers (and Data Processors) under the PDPA are also now required under the said subordinate regulation to notify staff, employees and / or any relevant persons of the security measures in order to raise awareness of the importance of personal data protection and encourage strict compliance.
None.
The DPA generally requires that personal information is protected by appropriate safeguards based on the sensitivity of the information. Sensitive personal information may not be processed except where permitted by law.
Each person who carries out directly or by a third party the processing of personal data shall take all the required steps to ensure the safety of the data processing and prevent any third party from changing, modifying or consulting it without prior authorization of the data subject. (article 18 of Organic-Law n°2004-63 of July 27th 2004 on the protection of personal data).
The data controller must ensure that its subcontractor (if any) also implements all the organizational and technical measures necessary to ensure the protection of personal data against any kind of breach.
The National Authority for Protection of Personal Data is responsible for determining the proper measures and necessary safeguards in order to protect personal data.
In case of violation of the personal data protection legislation, in addition to the dissuasive actions it can take, it can also file a complaint with the public prosecutor to initiate criminal action.
Under Decree-Law 2023-17 of March 11, 2023, on cybersecurity, companies involved in the automated processing of the personal data of people with whom they are in contact as part of the provision of their services via telecommunications networks must:
- Carry out annual audits of their IT systems in accordance with the procedures laid down by law;
- Inform the National Cyber Security Agency (ANCS) in the event of a cyber-attack;
- Request that the organization be classified according to its level of digital confidence. This classification is carried out by the ANCS.
In light of the provisions of the LPPD and consistent with the principles of good faith, those entrusted with personal data are expected to ensure protection of such data. Under the LPPD, the data controller is required to ensure that appropriate technical and organizational measures are taken to prevent all illegal processing and to ensure the data is not destroyed, lost, amended, disclosed or transferred without authority. Such measures must ensure an appropriate level of security, taking into account the state of the art and the costs of their implementation in relation to the risks inherent in the processing and the nature of the data to be protected. Additionally, the data controller has to carry out the necessary inspections on its own institution or organization in order to ensure the implementation of the LPPD.
Data controllers and data processors shall not disclose any personal data in contradiction with the provisions of LPPD and shall not use any personal data for any purposes except for the purpose of processing. This obligation continues after leaving their institution.
In addition, the LPPD enables data subjects to apply to data controllers by various means in relation to their rights stated in Article 11. Data controllers have an obligation to take every necessary administrative and technical measure to finalize these applications effectively, in accordance with the LPPD and in good faith. The Communiqué on Procedures and Principles for Application to Data Controller dated March 10, 2018, numbered 30356, outlines the procedures of application.
Article 23 of the Data Protection Law stipulates that data operators shall implement a set of legal, organizational and technical measures to ensure personal data protection. Such measures shall:
- Uphold the rights to privacy and to personal and family secrets
- Ensure the integrity and security of personal data
- Ensure the confidentiality of personal data
- Guarantee the owner of personal data access to such personal data
- Prevent unauthorised collection and processing of personal data
Data operators are statutorily obliged to take any necessary and lawful measures to protect personal data and ensure:
- Prevention of unauthorized access to personal data
- Timely detection of unauthorized access to personal information
- No adverse effects of such unauthorized access to personal data
It is important to note that the obligation of the data operators, as well as any third party acquiring the personal data, to protect confidentiality of the acquired personal data, arises from the moment such data is collected and shall be effective until the moment such data is destroyed or depersonalized.
The obligation to provide appropriate technical and organisational (security) measures for Personal Data applies to both Controllers and Processors. The DPR do not specify any particular security measures, rather it is up to the organisation to judge what is appropriate in the circumstances taking into account:
- the state of the art (i.e. the current state of technological development as appropriate to the context including: industry practice; the type and scale of the Processing; and the availability of a product or solution in the market);
- the costs of implementation;
- the nature, scope, context and purposes of the Processing; and
- the likelihood and severity of risks to Data Subjects' rights (in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data).
Controllers must only use Processors that can give sufficient guarantees they will implement appropriate technical and organisational measures to ensure their Processing will meet the requirements of the DPR and protect Data Subjects' rights. Controllers are primarily responsible for overall compliance with the DPR, and for demonstrating that compliance. If this isn't achieved, they may be liable to pay damages in legal proceedings or be subject to fines or other penalties or corrective measures (see "Enforcement" below).
Controllers and Processors must implement appropriate technical and organisational measures to protect Personal Data against willful, negligent, accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access and against all other unlawful forms of Processing, taking into account:
- the nature, scope, context and purpose of the Processing;
- the risks presented by the Processing to a relevant Data Subject; and
- prevailing information security good industry practice.
They must also review and update such measures, where necessary, to reflect legal, operational and technical developments.
(Article 14 (2) DPL)
A Licensee is responsible for the security of its information systems and networks and should act in a timely and co-operative manner to prevent, detect and respond to security incidents. A Licensee is further required to review and assess the security of its information systems and networks and to make appropriate modifications to security policies, practices, measures and procedures on a regular basis. Any security incidents must be disclosed to the CPU on a periodic basis.
A Licensee that holds Patient Health Information must maintain the security of the Patient Health Information, ensuring it is stored in a way that can be readily retrieved and easily removed or shared, as well as protecting the accuracy of the information. A Licensee is further responsible for ensuring reasonable safeguards are put in place to protect the Patient Health Information from loss, destruction, potential fire / water damage, tampering, theft, unauthorized access, use, modification, or disclosure (section 31, HDPR).
The PDPL imposes strict requirements around data security. Controllers and Processors are required to put in place sufficient technical and authorised measures to protect and secure Personal Data, preserve its confidentiality and privacy, and ensure that such Personal Data is not breached, destroyed or altered. The measures which must be taken need to take into account the nature, scope and purposes of processing and the possibility of risks to the confidentiality and privacy of the Data Subject's Personal Data. Put simply, this means the higher the risk of harm to the Data Subject and / or the higher the likelihood of a breach, the greater the steps that need to be taken to secure Personal Data.
The UAE's Federal Cabinet has issued Resolution No. 21 of 2013, concerning the Regulation of Information Security in Federal Authorities. Although it applies to information security within UAE federal government bodies, the requirements of this resolution might be passed on to contractors providing services to federal government bodies when they enter into service supply agreements with such bodies. Similarly, contractors to emirate-level government bodies may need to comply with emirate government security standards. Examples include the Information Security Regulations of the Dubai Electronic Security Center.
Article 24.9 of the TDRA Consumer Protection Regulations v2.0 requires telecommunications service providers to "take all reasonable and appropriate measures to prevent the unauthorised disclosure or the unauthorised use of subscriber information". Article 24.4 further stipulates that telecommunications service providers must take "all reasonable measures to protect the privacy of Subscriber Information that it maintains in its files, whether electronic or paper form", and that "reliable security measures" should be employed.
The UAE Cyber Crime Law focuses on offences related to accessing data without permission and / or illegally (Articles 2 and 3), including financial information (e.g. credit card information or bank account information) (Articles 12 and 13).
Based on the above, best practice from a UAE law perspective would be to take appropriate technical security measures against unauthorised or unlawful processing of, and against accidental disclosure of, personal data. The measures taken must ensure a level of security adequate enough to minimise the risk of liability arising out of a claim for breach of privacy made by a Data Subject.
A data controller, data collector or data processor is required under section 20 of the Data Protection and Privacy Act to secure the integrity of personal data in its control or possession by adopting appropriate measures to prevent loss, unauthorised destruction, unauthorised processing of or unlawful access to personal data. This includes observation of generally accepted information security practices and procedures, and specific industry or professional rules and regulations.
The data controller is specifically required to use measures that:
- identify reasonable risks to personal data in its possession or control;
- establish and maintain appropriate precautions against the risks identified;
- regularly verify the effective implementation of the precautions; and
- ensure that the safeguards are continually updated.
In instances where personal data is processed by a third party, the entity must ensure that the data processor applies the security safeguards provided under the Act. The Act specifically requires that the contract between a data controller and processor relating to the processing of personal data oblige the data processor to maintain the confidentiality and security measures necessary to protect the integrity of the personal data.
The data owners and processors must take appropriate technical and organizational measures to ensure the protection of personal data against unlawful processing, including against loss, unlawful or accidental elimination, and also against unauthorized access. In this regard, owners and processors processing personal data which is of particular risk to the rights and freedoms of personal data subjects shall determine a special department or a responsible person to organize the work related to the protection of personal data during the processing thereof (other owners and processors may either establish a department or appoint a responsible person on a voluntary basis).
The Model Procedure stipulates that the owners and processors of personal data shall take measures to maintain the security of personal data in all stages of their processing, including organizational and technical measures for the protection of personal data. Organizational measures shall include:
- Determination of a procedure of access to personal data by employees of the owner / processor of personal data;
- Determination of the procedure for recording operations related to the processing of personal data and access to them;
- Elaboration of an action plan in case of unauthorized access to personal data, damage of technical equipment or occurrence of emergency situations; and
- Regular trainings of employees working with personal data.
Personal data, irrespective of the manner of its storage, shall be processed in the way which makes unauthorized access to the data by third persons impossible.
For the purpose of maintaining the security of personal data, technical security measures shall be taken which exclude the possibility of unauthorized access to the personal data being processed and ensure the proper operation of the hardware and software systems through which the processing of personal data is performed.
Additionally, the Data Protection Law requires establishing a structural unit or appointing a responsible person within the personal data owners / processors processing the personal data which is of particular risk to the rights and freedoms of personal data subjects. Such structural unit or responsible person shall organize the work related to protection of personal data during the processing thereof.
The UK GDPR is not prescriptive about specific technical standards or measures. Rather, the UK GDPR adopts a proportionate, context-specific approach to security. Article 32 states that controllers and processors shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing. In so doing, they must take account of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. A 'one size fits all' approach is therefore the antithesis of this requirement.
However the UK GDPR does require controllers and processors to consider the following when assessing what might constitute adequate security:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
Most US businesses are required to take reasonable technical, physical and organizational measures to protect the security of sensitive personal information (eg, health or financial information, telecommunications usage information, biometric data, or information that would require security breach notification). A few states have enacted laws imposing more specific security requirements for such data.
For example, Massachusetts has enacted regulations that apply to any company that collects or maintains sensitive personal information (eg, name in combination with Social Security number, driver's license, passport number, or credit card or financial account number) on Massachusetts residents. Among other things, the Massachusetts regulations require regulated entities to have a comprehensive, written information security program and set forth the minimum components of such program, including binding all service providers who touch this sensitive personal information to protect it in accordance with the regulations. Massachusetts law includes encryption requirements on the transmission of sensitive personal information across wireless networks or beyond the logical or physical controls of an organization, as well as on sensitive personal data stored on laptops and portable storage devices.
Some states impose further security requirements on payment card data and other sensitive personal information. In 2019, New York passed a new law (the New York "SHIELD Act") setting forth minimum security obligations for safeguarding private information. The SHIELD Act does not mandate specific safeguards but rather provides that a business will "be deemed to be in compliance" with the law if it implements a security program that includes elements set forth in the SHIELD Act.
The CCPA and Washington's MHMD Act provide a private right of action to individuals for certain breaches of unencrypted personal information or consumer health data, respectively, which increases the class action risk posed by data breaches.
There are also several other sectoral data security laws and regulations that impose specific security requirements on regulated entities, such as in the financial, insurance and health sectors. Federal financial regulators impose extensive security requirements on the financial services sector, including requirements for security audits of all service providers who receive data from financial institutions. For example, the New York Department of Financial Services (NYDFS) regulations impose extensive cybersecurity and data security requirements on licensees of the NYDFS, which include financial services and insurance companies. The federal Gramm-Leach-Bliley Act and its implementing rules and regulations require financial institutions to implement reasonable security measures.
HIPAA-regulated entities are subject to much more extensive data security requirements. HIPAA security regulations apply to so-called "covered entities" such as doctors, hospitals, insurers, pharmacies and other healthcare providers, as well as their "business associates", which include service providers who have access to, process, store or maintain any protected health information on behalf of a covered entity. "Protected health information" under HIPAA generally includes any personally identifiable information collected by or on behalf of the covered entity in the course of providing its services to individuals.
Internet of Things
California enacted the first US Internet of Things (IoT) legislation, effective January 1, 2020. Under SB 327, manufacturers of most IoT and Bluetooth-connected devices are required to implement reasonable security features "appropriate to the nature and the function of the device and the information the device may collect, contain or transmit" and "designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure." To the extent a device is equipped with a means for authentication outside a local area network, it is deemed a reasonable security feature if (i) the preprogrammed password is unique to each device manufactured, or (ii) the device requires the user to set a new means of authentication before access is granted for the first time.
The data processor must implement appropriate technical and organisational measures to guarantee the security and confidentiality of personal data. These measures should be aimed at preventing the loss, falsification, unauthorised processing or consultation of the data, as well as at detecting information that may have been leaked, whether through human intervention or not.
It is forbidden to register personal data in databases which do not meet technical safety conditions.
The Law on Personal Data states that personal data is subject to the protection guaranteed by the State. It also imposes obligations on the owner / operator of personal data and the third party acquiring personal data to take necessary legal, organizational and technical measures ensuring:
- non-interference into the subject's private life;
- integrity and safety of personal data;
- confidentiality of personal data;
- prevention of illegal processing of personal data.
Obligations of the owner / operator of personal data on protection of confidentiality of personal data arise from the moment such data is collected until their destruction or depersonalization.
The owner / operator of personal data shall take organizational and technical measures to protect personal data based on the potential threats to their security.
Threats to the security of personal data are defined as a combination of conditions and factors that may lead to their alteration, addition, use, provision, transfer, dissemination, depersonalization, destruction, and copying as a result of unauthorized, including accidental access to the personal database.
In addition, the Resolution of the Cabinet of Ministers of the Republic of Uzbekistan No. 570 "On Approval of Certain Normative Legal Documents in the Field of Processing of Personal Data" dated 5 October 2022 establishes the following regulations, effective from January 7, 2023:
- the Regulation on determining the levels of protection of personal data during their processing;
- the Regulation on the requirements for material carriers of biometric and genetic data and storing technologies of such data outside personal databases.
According to the general principles dictated by the Constitutional Chamber of the TSJ, there is a guarantee of confidentiality, of no alteration of data by third parties, and of access to such data by the competent authorities in accordance with the law. The data must be protected from alteration, loss, accidental destruction, unauthorised access, or fraudulent use.
Organizations must take necessary managerial or technical measures to ensure that the personal information shall not be lost, stolen, disclosed, modified or destroyed. Remedial measures must be taken immediately if personal information is being or is likely to be disclosed or destroyed.
Generally, the data controller shall classify information based on its secrecy in order to apply appropriate protection measures, and agencies and organizations that use classified and unclassified information in their fields of activity must develop regulations and procedures for processing information and determine the contents and methods of recording authorized access to classified information. In the E-commerce context:
- Personal information protection policies developed and published by traders and organizations that collect and use consumers' personal information on E-commerce websites must state the purpose of collection; the scope of use; the storage period; the organizations and persons authorized to access such personal information; the address and contact details of the data controller, through which consumers can ask about the collection and processing of information relating to them; and the methods and tools by which data subjects can access and modify their personal information on the data controller's E-commerce system;
- The above contents must be clearly displayed to consumers before or at the time of information collection. The language is Vietnamese, and other languages may be used by agreement in accordance with the CRPL. The background and letter colour used in the terms must contrast. The layout and design of the text shall be clear and easy to follow. Contents shall be clear, easy to follow, and in compliance with the law on the protection of consumers' rights;
- If the information is collected through the data controller's E-commerce website, the personal information protection policies must be made public in a conspicuous place on the website; and
- Traders, organizations or individuals that own E-commerce websites with online payment functions must publish on their website their policies on the security of customers' payment information.
Under the PDPD, the data controller and processor shall implement the following personal data protection measures:
- General personal data protection measures, including:
  - Management measures adopted by an organization or individual related to the processing of personal data;
  - Technical measures adopted by an organization or individual related to the processing of personal data;
  - Measures adopted by a competent authority according to the PDPD and relevant law;
  - Investigation and procedural measures adopted by a competent authority;
  - Other measures as prescribed by law.
- Data protection measures applicable to the processing of basic personal data, including:
  - Formulation and promulgation of regulations on personal data protection, which specify the tasks to be performed in accordance with the PDPD;
  - Encouragement of the application of personal data protection standards appropriate to the fields, industries and activities involved in the processing of personal data;
  - Cybersecurity inspection of the systems, means and equipment used for processing personal data before processing, and before the permanent deletion or destruction of devices containing personal data.
- Data protection measures applicable to the processing of sensitive personal data, including:
  - Appointment of a department with the function of protecting personal data (i.e. a DPD) and of personnel in charge of personal data protection (i.e. the head of the DPD, the DPO), and notification of the establishment of the DPD and the appointment of the DPO to the A05;
  - Notification to the data subject of the sensitive nature of the personal data to be processed and of the processing of such sensitive data.
A data controller or data processor is required to provide guarantees regarding the technical and organisational security measures employed to protect the personal data associated with the processing undertaken and ensure strict adherence to such measures.
A data controller or the data processor is further required to, having regard to the nature, scope and purpose of processing personal data undertaken, the risks associated with such processing, and the likelihood and severity of the harm that may result from such processing, implement appropriate security safeguards including:
- maintaining integrity of personal data using methods including pseudonymisation and encryption;
- ensuring the ongoing confidentiality and integrity of personal data, and implementing the measures necessary to protect that integrity;
- measures necessary to prevent misuse, unauthorised access to, modification, disclosure or destruction of personal data; and
- implementation of appropriate data protection policies.
A data controller and data processor are also required to undertake a periodic review of security safeguards in accordance with guidelines issued by the Data Protection Commissioner.
Section 13 of the Act states that data controllers are responsible for processing personal information lawfully, fairly and transparently, and for taking all necessary measures to comply with the Act and Regulations.
Data controllers must take appropriate technical and organizational measures to protect personal data from negligent or unauthorized destruction, loss, alteration, access, or processing.
Security measures must ensure an appropriate level of security considering technological development, implementation costs, the nature of the data, and potential risks to the data subject.
The Authority may issue information security standards for processing activities.
Data controllers must appoint data processors who provide sufficient guarantees regarding technical and organizational security measures and must enter into a written contract or legal instrument with the processor ensuring security measures are maintained.
Data controllers must take all appropriate technical and organizational measures to safeguard data security, integrity, and confidentiality, ensuring an appropriate level of security.
Technical and organizational security measures include:
- Conducting risk assessments;
- Developing and implementing organizational policies; and
- Implementing appropriate physical and technical measures for all data phases.
Data controllers and processors may implement additional security measures depending on the circumstances and the risks associated with the processing.