Article 32 GDPR
Security of processing

P: 71, 83

1.* Taking into account the state of the art, the cost of implementation, and the nature, scope, context, and purposes of the processing, as well as the risk of varying likelihood and severity of a breach of the rights or freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, among other things, where appropriate:

P: 26, 28, 29, 75, 78, 156

(a) pseudonymisation and encryption of personal data;
(b) the ability to continuously ensure the confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to quickly restore the availability of and access to personal data in the event of a physical or technical incident;
(d) regular testing, measurement and evaluation of the effectiveness of technical and organisational measures to ensure the security of processing.
2. In assessing whether the degree of security is adequate, particular consideration shall be given to the risks involved in the processing, in particular those arising from the accidental or unlawful destruction, loss, modification, unauthorized disclosure of or unauthorized access to personal data transmitted, stored or otherwise processed.
3. Compliance with the obligations referred to in paragraph 1 of this Article may be demonstrated, inter alia, through the application of an approved code of conduct referred to in Article 40 or an approved certification mechanism referred to in Article 42.
4. The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or processor who has access to personal data shall only process the personal data on the controller's instructions, unless required to do so by Union or Member State law.

*Article 32 (1) as amended by correction of 23 May 2018 (EU Decree L, 2018, No 127, paragraph 2) which shall enter into force on 23 May 2018.
