The obligation of companies to implement technical and organisational measures to ensure the safety of processing of personal data under Article 32 of the General Data Protection Regulation (GDPR)

Abstract

The ensuring of the safety of processing activities is a key requirement that companies are obligated to perform in order to comply with the so-called “security principle” of the General Data Protection Regulation. The security principle requires the implementation of appropriate technical and organisational measures to ensure the safety of processing activities as well as to ensure the on-going process of monitoring, assessing and testing of the company’s security systems. The thesis examines the scope of the General Data Protection Regulation as well as examines the obligations of the key actors in terms of implementation of technical and organisational measures, specifically the obligations of the controller, the processor and joint controllers as well as analyses the consequences of non-compliance. In addition, the thesis provides clear analysis of the Article 32 of General Data Protection Regulation, examines the role of the Data Protection Officer and Supervisory Authorities in the process of implementation of technical and organisational measures as well as examines the variety of different technical and organisational measures both mentioned in Article 32 of the General Data Protection Regulation and those mentioned through-out the General Data Protection Regulation, but not mentioned in Article 32. Following thesis also provides clear and understandable guidelines for the correct implementation of Article 32 of the General Data Protection Regulation