| Field | Content |
|---|---|
| Title | Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data |
| Topic | Personal data processing by the Community institutions, including in the context of internal communication networks |
| Direct / indirect relevance | Direct. The text directly prescribes an obligation to assess security measures with regard to data processing and to take the required security precautions. |
| Scope | Directly applicable to all Community institutions and bodies (including on a national scale) |
| Legal force | Internal regulation, directly binding on the affected institutions |
| Affected sectors | All Community institutions and bodies (including on a national scale) |

Relevant provision(s):

Article 22 - Security of processing
1. Having regard to the state of the art and the cost of their implementation, the controller shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected.
Such measures shall be taken in particular to prevent any unauthorised disclosure or access, accidental or unlawful destruction or accidental loss, or alteration, and to prevent all other unlawful forms of processing.
2. Where personal data are processed by automated means, measures shall be taken as appropriate in view of the risks in particular with the aim of:
(a) preventing any unauthorised person from gaining access to computer systems processing personal data;
(b) preventing any unauthorised reading, copying, alteration or removal of storage media;
(c) preventing any unauthorised memory inputs as well as any unauthorised disclosure, alteration or erasure of stored personal data;
(d) preventing unauthorised persons from using data-processing systems by means of data transmission facilities;
(e) ensuring that authorised users of a data-processing system can access no personal data other than those to which their access right refers;
(f) recording which personal data have been communicated, at what times and to whom;
(g) ensuring that it will subsequently be possible to check which personal data have been processed, at what times and by whom;
(h) ensuring that personal data being processed on behalf of third parties can be processed only in the manner prescribed by the contracting institution or body;
(i) ensuring that, during communication of personal data and during transport of storage media, the data cannot be read, copied or erased without authorisation;
(j) designing the organisational structure within an institution or body in such a way that it will meet the special requirements of data protection.
Article 23 - Processing of personal data on behalf of controllers
1. Where a processing operation is carried out on its behalf, the controller shall choose a processor providing sufficient guarantees in respect of the technical and organisational security measures required by Article 22 and ensure compliance with those measures.
2. The carrying out of a processing operation by way of a processor shall be governed by a contract or legal act binding the processor to the controller and stipulating in particular that:
(a) the processor shall act only on instructions from the controller;
(b) the obligations set out in Articles 21 and 22 shall also be incumbent on the processor unless, by virtue of Article 16 or Article 17(3), second indent, of Directive 95/46/EC, the processor is already subject to obligations with regard to confidentiality and security laid down in the national law of one of the Member States.
3. For the purposes of keeping proof, the parts of the contract or the legal act relating to data protection and the requirements relating to the measures referred to in Article 22 shall be in writing or in another equivalent form.
Article 35 - Security
1. The Community institutions and bodies shall take appropriate technical and organisational measures to safeguard the secure use of the telecommunications networks and terminal equipment, if necessary in conjunction with the providers of publicly available telecommunications services or the providers of public telecommunications networks. Having regard to the state of the art and the cost of their implementation, these measures shall ensure a level of security appropriate to the risk presented.
2. In the event of any particular risk of a breach of the security of the network and terminal equipment, the Community institution or body concerned shall inform users of the existence of that risk and of any possible remedies and alternative means of communication.
Relevance to RM/RA:

The cited articles provide an internal regulation which is a practical application of the principles of the Privacy Directive described above. They require that any personal data processing activity by Community institutions:
• undergoes a prior risk analysis in order to determine the privacy implications of the activity, and to determine the appropriate legal, technical and organisational measures to protect such activities;
• is effectively protected by such measures, which must be state of the art, taking into account the sensitivity and privacy implications of the activity;
• is governed by suitable and enforced agreements when a third party is charged with the processing task.
Furthermore, Article 35 of the Regulation requires the Community institutions and bodies to take similar precautions with regard to their telecommunications infrastructure, and to properly inform the users of any specific risks of security breaches.