!
No.
28
Data Protection
2019
(f) to ensure that the safeguards are continually
updated in response to new risks or deficiencies.
42. (1) In determining the appropriate measures
referred to in section 41, in particular, where the processing
involves the transmission of data over an information and
communication network, a data controller shall have regard
to—
Particulars of
determining
organisational
measures.
(a) the state of technological development available;
(b) the cost of implementing any of the security
measures;
(c) the special risks that exist in the processing of the
data; and
(d) the nature of the data being processed.
(2) Where a data controller is using the services of a
data processor—
(a) the data controller shall opt for a data processor
who provides sufficient guarantees in respect of
organisational measures for the purpose of
complying with section 41 (1); and
(b) the data controller and the data processor shall
enter into a written contract which shall provide
that the data processor shall act only on
instructions received from the data controller and
shall be bound by obligations of the data
controller.
(3) Where a data processor processes personal data
other than as instructed by the data controller, the data
processor shall be deemed to be a data controller in respect
of that processing.
(4) A data controller or data processor shall take all
reasonable steps to ensure that any person employed by or
acting under the authority of the data controller or data
processor, complies with the relevant security measures.
43. (1) Where personal data has been accessed or
acquired by an unauthorised person, and there is a real risk
of harm to the data subject whose personal data has been
subjected to the unauthorised access, a data controller
shall—
Notification and
communication of
breach.