Article 32 GDPR (Security of Processing)

Article 32 of GDPR: Security of Processing

Article 32 of GDPR requires that companies implement proper security measures to protect personal data so as to minimize the risk of any adverse consequences to data subjects.

Implement security measures appropriate to the risk (Article 32(1) GDPR)

Companies should implement appropriate security measures to protect individuals’ rights and freedoms and to minimize risk to the data subject.

Data controllers and data processors should consider the appropriate level of security measures based on:

  1. The state of the art in the field of security and technology 
  2. The cost of implementation of the appropriate security measures
  3. Nature of processing
  4. Scope of processing
  5. Context of processing
  6. Purpose of processing
  7. Risk to data subjects

Companies can protect personal data by implementing any of the following measures:

  1. Pseudonymisation and encryption of personal data (Article 32(1)(a) GDPR)
  2. Ensure personal data confidentiality, integrity, availability and resilience of processing systems (Article 32(1)(b) GDPR)
  3. Restoration of the data and access to personal data in a timely fashion should there be an incident of any kind (Article 32(1)(c) GDPR)
  4. Ongoing testing and evaluation of the effectiveness of the security measures implemented (Article 32(1)(d) GDPR)

Risks to be considered by organizations (Article 32(2) GDPR)

When assessing the appropriate level of security measures, companies should consider the following risks associated with the processing of personal data:

  1. Accidental destruction of data
  2. Unlawful destruction of data
  3. Loss of data
  4. Alteration of data
  5. Unauthorized disclosure of data
  6. Unauthorized access to data

Approved code of conduct or certification (Article 32(3) GDPR)

Companies can prove and establish their compliance with their obligations under Article 32 of GDPR by adhering to an approved code of conduct or obtaining approved certifications.

Authorization of individuals having access to personal data (Article 32(4) GDPR)

Individuals having access to personal data and working under the authority of the data controller or data processor must only process the data based on the data controller’s instructions.

Any other processing by these individuals will be a violation of GDPR.

Recitals applicable to Article 32 of GDPR

Relevant Recitals: 75, 76, 77, 78, 79, 83

Cited Legislation in Article 32 or relevant recitals

None

GDPR Text: Article 32 of GDPR and Relevant Recitals

GDPR Text Source: EUR-Lex

Official GDPR Text: General Data Protection Regulation 

Official GDPR Title: REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), corrected by Corrigendum, OJ L 127, 23.5.2018, p. 2 ((EU) 2016/679)
