2. The measures referred to in 1 above must, having regard to the state of the art
and the cost of their implementation, ensure a level of security appropriate to the
risks represented by the processing and the nature of the data to be protected.
3. When processing is carried out on his behalf, the controller must choose a
processor providing sufficient guarantees in respect of the technical security
measures and organisational measures governing the processing to be carried
out, and must ensure compliance with those measures.
4. The carrying out of processing by way of a processor must be governed by a
contract or legal act binding the processor to the controller and stipulating in
particular that the processor shall act only on instructions from the controller and
that the obligations referred to in 1 shall also be incumbent on the processor.
5. Proof of the contractual intention, the contract or the legal act relating to data
protection and the requirements relating to the measures referred to in 1 shall be
set out in writing in a document legally certified as affording proof.
Article 16
(Special security measures)
1. The controllers of the data referred to in 1, 2 and 5 of Article 8 and in 1 of
Article 9 shall take adequate and additional information security measures,
particularly to:
a) prevent unauthorised persons access to the premises used for processing data
(control of entry to the premises);
b) prevent data media from being read, copied, altered or removed by
unauthorised persons (control of data media);
c) prevent unauthorised input as well as unauthorised obtaining of knowledge,
the alteration or elimination of personal data input (control of input);
d) prevent automatic data processing systems from being used by unauthorised
persons by means of data transmission facilities (control of use);
e) guarantee that authorised persons may only access data covered by
authorisation (control of access);
f) guarantee the checking of the entities to whom personal data may be transmitted
by means of data transmission facilities (control of transmission);
g) guarantee that it is possible to verify a posteriori, within a period appropriate to
the nature of the processing and to be laid down in the regulations applicable to
each sector, which personal data were introduced, when and by whom
(control of input);
h) prevent the unauthorised reading, copying, alteration or elimination of data when
transmitting or transporting personal data (control of transport).
2. Taking account of the nature of the entities responsible for processing and the
type of premises in which it is carried out, the CNPD may waive the existence of
certain security measures, subject to guaranteeing respect for the fundamental
rights, freedoms and guarantees of the data subjects.
3. The systems must guarantee the logical separation between data relating to
health and sex life, including genetic data, and other personal data.