
The protection of personal data is a fundamental responsibility for data controllers. The General Data Protection Regulation (GDPR) sets out strict obligations regarding data processing security and the management of security incidents.
Technical and Organizational Measures for Data Protection
According to Article 32 of the GDPR, data controllers must implement appropriate technical and organizational measures to ensure an adequate level of security. These include:
- Pseudonymization and encryption of data to mitigate the risks of unauthorized access;
- Ensuring the confidentiality, integrity, and availability of processing systems;
- The ability to restore data quickly in the event of an incident;
- Regular testing and evaluation of the effectiveness of security measures.
The level of protection must be proportionate to the risks posed by data processing, such as unauthorized access, loss, or accidental destruction of data.
Notification to the Supervisory Authority
In the event of a data security breach, data controllers must notify the competent supervisory authority (ANSPDCP in Romania) within a maximum of 72 hours from the moment they become aware of the incident. The notification must include:
- The nature of the breach, the categories of affected data, and the number of data subjects impacted;
- Contact details of the Data Protection Officer (DPO);
- The probable consequences of the incident;
- Measures taken to remedy the situation and mitigate its impact.
If the notification is not made within the legal deadline, the delay must be justified.
Informing Data Subjects
The data controller must inform affected individuals of a data security breach if it poses a high risk to their rights and freedoms. This communication must be clear, simple, and include details about the incident, potential consequences, and the measures taken. However, if the controller has implemented appropriate protective measures, such as encryption, or has taken steps that eliminate the risk, individual notification may not be required.
Maintaining Documentation on Security Incidents
Data controllers are required to document all security incidents, including their causes, effects, and remedial actions. This documentation is essential to demonstrate compliance before supervisory authorities.
Conclusion
Complying with security and incident notification obligations is crucial to avoiding sanctions and protecting data subjects' rights. Controllers must adopt proactive measures to prevent security breaches and respond swiftly if they occur. For proper implementation, consulting a data protection specialist is recommended.