General Data Protection Regulation

Article 32

Security of processing

1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

2. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

3. Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.

4. The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.

Holdings

C-492/23, 2 Dec 2025

X v Russmedia Digital SRL and Inform Media Press SRL

An online marketplace operator that is the controller of the personal data in advertisements published on its marketplace cannot rely on Articles 12 to 15 of Directive 2000/31 on the liability of intermediary providers in relation to an infringement of its obligations under Article 5(2), Articles 24 to 26, and Article 32 of Regulation 2016/679.

C-169/23, 28 Nov 2024

Nemzeti Adatvédelmi és Információszabadság Hatóság v UC

In a complaint procedure, the supervisory authority may verify whether the Member State law applicable to the controller provides appropriate measures to protect the data subject's legitimate interests for the purposes of Article 14(5)(c). That verification does not cover whether the measures the controller must implement under Article 32 are appropriate to guarantee the security of personal-data processing.

C-667/21, 21 Dec 2023

ZQ v Medizinischer Dienst der Krankenversicherung Nordrhein, Körperschaft des öffentlichen Rechts

Article 9(3) of Regulation 2016/679 does not itself require a controller processing health data on the basis of Article 9(2)(h) to ensure that no colleague of the data subject can access the data. That obligation may nonetheless arise under national rules adopted under Article 9(4) or under the integrity and confidentiality principles in Article 5(1)(f), as defined in Article 32(1)(a) and (b).

C-340/21, 14 Dec 2023

VB v Natsionalna agentsia za prihodite

Unauthorised disclosure of personal data, or unauthorised access to those data by a 'third party' within the meaning of Article 4(10), is not enough by itself to show that the controller's technical and organisational measures were not 'appropriate' within the meaning of Articles 24 and 32.

C-340/21, 14 Dec 2023

VB v Natsionalna agentsia za prihodite

National courts must assess concretely whether the controller's technical and organisational measures under Article 32 were appropriate, taking into account the risks associated with the processing and whether the nature, content and implementation of those measures were suited to those risks.

C-340/21, 14 Dec 2023

VB v Natsionalna agentsia za prihodite

In an action for damages under Article 82, the controller bears the burden of proving that its security measures were appropriate under Article 32.

C-340/21, 14 Dec 2023

VB v Natsionalna agentsia za prihodite

Under Article 32 of Regulation 2016/679 and the principle of effectiveness of EU law, an expert report cannot be treated as automatically both necessary and sufficient to assess whether the controller's security measures were appropriate.