Article 17
Security of processing
1\. Member States shall provide that the controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.
2\. The Member States shall provide that the controller must, where processing is carried out on his behalf, choose a processor providing sufficient guarantees in respect of the technical security measures and organizational measures governing the processing to be carried out, and must ensure compliance with those measures.
3\. The carrying out of processing by way of a processor must be governed by a contract or legal act binding the processor to the controller and stipulating in particular that:
\- the processor shall act only on instructions from the controller,
\- the obligations set out in paragraph 1, as defined by the law of the Member State in which the processor is established, shall also be incumbent on the processor.
4\. For the purposes of keeping proof, the parts of the contract or the legal act relating to data protection and the requirements relating to the measures referred to in paragraph 1 shall be in writing or in another equivalent form.
SECTION IX
NOTIFICATION
TU and RE v Google LLC
In the balancing exercise between the rights in Articles 7 and 8 of the Charter and the right in Article 11 of the Charter, a search engine cannot make de-referencing of links to content alleged to be inaccurate conditional on the accuracy of that content having been resolved, even provisionally, in proceedings brought by the requester against the content provider.
TU and RE v Google LLC
When balancing the rights in Articles 7 and 8 of the Charter against the right in Article 11 of the Charter on a request to remove thumbnail photographs from an image search based on a natural person's name, the informative value of those photographs must be assessed regardless of the context of their publication on the webpage from which they are taken. Any text that directly accompanies the display of those photographs in the search results, and is capable of shedding light on their informative value, must also be taken into account.
Google LLC, successor in law to Google Inc. v Commission nationale de l'informatique et des libertés (CNIL)
Where a search engine operator grants a de-referencing request under Article 12(b) or Article 14(a) of Directive 95/46, or under Article 17(1) of Regulation 2016/679, it need not carry out that de-referencing on all versions of its search engine. It must do so on the versions corresponding to all Member States and, where necessary, use measures that effectively prevent - or at least seriously discourage - an internet user searching from a Member State on the basis of the data subject's name from accessing, via the results list, the links covered by the request.