In the Opinion given yesterday, 27 April 2023, Advocate General Giovanni Pitruzzella states at the outset that the controller is obliged to implement appropriate technical and organisational measures to ensure that processing of personal data is performed in accordance with the Regulation. Whether such measures are ‘appropriate’ must be determined taking into account the nature, scope, context and purposes of processing, as well as the likelihood and severity of the risks to the rights and freedoms of natural persons, assessed on a case-by-case basis.

Key points:
First of all, the mere fact that a ‘personal data breach’ happened is not enough to conclude that the security measures (technical and organisational) were not ‘appropriate’ to ensure data protection.
The assessment of the appropriateness of those measures must be based on a balancing exercise between the interests of the data subject and the economic interests and technological capacity of the controller, in compliance with the general principle of proportionality. The controller must take into account a number of factors, including the ‘state of the art’, which limits the technological level of measures to be implemented.
The national court, in order to decide whether the measures were appropriate, must carry out a specific analysis of the content of those measures, the manner in which they were applied, and their practical effects.