Supervision by the controller in the processing of personal data by the processor regarding security measures
Ways to ensure the security of personal data with the processor
It depends on the results of the risk assessment made by the controller, or, where applicable, the results of the Data Protection Impact Assesment (DPIA), which level of security measures the processor needs to maintain and the level of security measures are needed.
Security measures are based on the type of information and the extent of processing
The rule of thumb is that the more sensitive personal data and/or the more extensive processing, the more security measures need to be taken.
For example, the same requirements are not applied to a system that manages a customer list (name, addresses, telephone numbers) and a system that contains sensitive health information, such as a medical record.
Before processing begins, the controller and the processor must decide on the safety measures to be taken taking into account the risks of processing. The processor must implement these measures in consultation with the controller.
Appropriate security measures may include, for example:
regular updates of systems,
encryption of information
use of firewalls,
access control,
operational documentation,
security backup
requirements for strong passwords, electronic IDs, dual identification and more.
The security measures agreed between the controller and the processor shall be documented in the processing agreement, as well as the procedure for supervision.
