32. Security of processing

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. GDPR Article 4 Paragraph 2 as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. GDPR Article 4 Paragraph 7 and the processor‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. GDPR Article 4 Paragraph 8 shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
the pseudonymisation‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person. GDPR Article 4 Paragraph 5 and encryption of personal data‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person GDPR Article 4 Paragraph 1 ;
the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. GDPR Article 4 Paragraph 2 systems and services;
the ability to restore the availability and access to personal data‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person GDPR Article 4 Paragraph 1 in a timely manner in the event of a physical or technical incident;
a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. GDPR Article 4 Paragraph 2.

In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. GDPR Article 4 Paragraph 2, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person GDPR Article 4 Paragraph 1 transmitted, stored or otherwise processed.

Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.

The controller‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. GDPR Article 4 Paragraph 7 and processor‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. GDPR Article 4 Paragraph 8 shall take steps to ensure that any natural person acting under the authority of the controller‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. GDPR Article 4 Paragraph 7 or the processor‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. GDPR Article 4 Paragraph 8 who has access to personal data‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person GDPR Article 4 Paragraph 1 does not process them except on instructions from the controller‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. GDPR Article 4 Paragraph 7, unless he or she is required to do so by Union or Member State law.

Recitals

Recital 83

In order to maintain security and to prevent processing‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. GDPR Article 4 Paragraph 2 in infringement of this Regulation, the controller‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. GDPR Article 4 Paragraph 7 or processor‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. GDPR Article 4 Paragraph 8 should evaluate the risks inherent in the processing‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. GDPR Article 4 Paragraph 2 and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person GDPR Article 4 Paragraph 1 to be protected. In assessing data security risk, consideration should be given to the risks that are presented by personal data‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person GDPR Article 4 Paragraph 1 processing‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. GDPR Article 4 Paragraph 2, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person GDPR Article 4 Paragraph 1 transmitted, stored or otherwise processed which may in particular lead to physical, material or non-material damage.

Posts regarding this GDPR Paragraph:

Anonymization vs. pseudonymization 04/04/2019

GDPR Fines based on this article

Title	GDPR Country	Number of involved data records	GDPR Fine
Disposal of delivery bills in waste paper containers	Germany	unknown	0 €
Unlawful disposal of Covid-19 tests	Germany	unknown	1,000 €
Covid-19 test results viewable without authentication	Germany	unknown	2,700 €
unencrypted data	Italy	unknown	40,000 €
E-mail data freely accessible	Great Britain	550	29,183 €
Online store with outdated software	Germany	unknown	65,500 €
Repeated incorrect sending of doctor’s letters, no logging function for access to patient data	Germany	1	105,000 €
open contact details	Germany	unknown	100 €
Ticketmaster UK Limited – hacker attack	Great Britain	9400000	1,392,525 €
Penalty against Marriott hotel chain	Great Britain	20347230	20,347,230 €
British Airways faces 20 million EUR GDPR fine after a data breach	United Kingdom	500000	22,428,000 €
Allseas MARINE S.A. – 15,000 euro fine	Greece	unknown	15,000 €
Eni gas e luce SpA – 11.5 million fine	Italy	7200	11,500,000 €
GDPR fine for DSG Retail Ltd	United Kingdom	14 million	587,240 €
9.5 million Eur fine for 1&1 Telekom	Germany		9,550,000 €
Raiffeisen Bank SA and penalty for inadequate data protection	Romania	1177	150,000 €
Vreau Credit S.R.L fined for not reporting a Data Breach	Romania	1177	20,000 €
Penalty after Cyberattack against Bank	Bulgaria		510,000 €
Penalty against Life at Parliament View Limited	Great Britain	18610	90,000 €
Penalty against car insurance	France	144000	180,000 €
GDPR Penalty against Tax Office	Bulgaria	5 000 000	2,600,000 €
Penalty against law firm	Romania	unknown	3,000 €
Penalty against hotel	Romania	46	15,000 €
Penalty against real estate law firm	France	29440	400,000 €
Lithuania: Data Breach at a payment service provider	Lithuania	9.000	61,500 €
Penalty against Rousseau platform	Italy	unknown	50,000 €
City of Bergen was fined 170 000€	Norway	35 000	170,000 €
Data graveyard: 14.5 million euro fine	Germany	unknown	14,500,000 €
Penalty against game website	Czech Republic	unknown	580 €
Penalty for Carphone Warehouse for lack of data protection	Great Britain	3 348 869	460,000 €
Penalty against Uber (NL)	Netherlands	174 000	600,000 €
Penalty against Uber	Great Britain	2 700 000	440,000 €
DSGVO penalty against knuddels.de	Germany	330 000	20,000 €
Penalty against hospital	Czech Republic	unknown	1,550 €
Penalty against hospital	Portugal	unknown	400,000 €
Penalty against Optical Center	France	300 000	250,000 €
Penalty against British Bible Society	Great Britain	417 000	115,000 €

CHAPTER IV Controller and processor Section 2 Security of Personal data