|Title:||Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)|
|Topic:||Personal data processing in the telecommunications sector|
|Direct / indirect relevance:||Direct. The text directly prescribes an obligation to assess security measures with regard to data processing and to take the required security precautions.|
|Scope:||Directly applicable to all EU Member States|
|Legal force:||EU Directive, requires transposition into national law|
|Affected sectors:||Publicly available electronic communications services in public communications networks in the Community|
|Relevant provision(s):||Article 4 - Security
1. The provider of a publicly available electronic communications service must take appropriate technical and organisational measures to safeguard security of its services, if necessary in conjunction with the provider of the public communications network with respect to network security. Having regard to the state of the art and the cost of their implementation, these measures shall ensure a level of security appropriate to the risk presented.
2. In case of a particular risk of a breach of the security of the network, the provider of a publicly available electronic communications service must inform the subscribers concerning such risk and, where the risk lies outside the scope of the measures to be taken by the service provider, of any possible remedies, including an indication of the likely costs involved.|
|Relevance to RM/RA:||The cited article requires that any provider of publicly available electronic communications services:
• Takes the appropriate legal, technical and organisational measures to ensure the security of its services. It should be noted that this extends beyond the scope of the Privacy Directive described elsewhere, since Article 4 is not limited to the protection of personal data;
• Informs its subscribers of any particular risks of security breaches, takes the necessary measures to prevent such breaches, and indicates the likely costs of security breaches to the subscribers.|