In Article 32, the GDPR requires both controllers and processors to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing of personal data.
The benchmark for the design and the scope of the concrete measures to be taken is always the risk to the rights and freedoms of the data subjects that may result from the loss, the unintended or unauthorised alteration, or the disclosure of personal data. When determining the appropriate level of security, the nature, scope and purpose of the processing of the personal data, as well as the state of the art, the costs of implementation and the likelihood of a data breach occurring, also have to be taken into account.
Pursuant to the requirements of the GDPR, it has to be ensured, inter alia, that personal data cannot be corrupted by malfunctions of the data processing system (data integrity), that all functions of the system are available and that any failures and errors that occur are detected (reliability), and that the system can be restored quickly in the event of a malfunction (recoverability).
Where data breaches occur as a result of insufficient technical and organisational measures, the consequences, in addition to a loss of reputation and trust, may include substantial fines imposed by the supervisory authorities as well as claims for damages filed by the data subjects, against both the controller responsible for the data processing and the processor.
We are happy to support you in addressing the security risks associated with the processing of personal data in the best way possible. Taking into account the protection needs of the data you process, we will develop a security concept that also reflects your operational procedures. Moreover, we will be happy to assess whether the technical and organisational measures guaranteed by your service providers in the context of commissioned data processing are suitable to ensure a level of security that complies with the requirements prescribed by the GDPR.