§ GDPR · Article 32

GDPR Article 32: Obligations, Deadlines & Penalties

Regulation (EU) 2016/679, Article 32 · All obligations · GDPR
At a glance
Article 32 of the GDPR imposes 3 obligations on controller, processor.
§ Obligations

All obligations under Article 32

Obligation 1
Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including pseudonymisation, encryption, confidentiality, integrity, availability, resilience, and restoration capabilities. Regulation (EU) 2016/679, Article 32, Article 32
Obligated entity
controller, processor
Action required
implement
Deadline
Penalty
Obligation 2
Establish a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. Regulation (EU) 2016/679, Article 32, Article 32
Obligated entity
controller, processor
Action required
test
Deadline
Penalty
Obligation 3
Take steps to ensure that any natural person acting under the authority of the controller or processor who has access to personal data does not process them except on instructions from the controller, unless required by law. Regulation (EU) 2016/679, Article 32, Article 32
Obligated entity
controller, processor
Action required
ensure
Deadline
Penalty
Exemptions
required by Union or Member State law
§ Frequently asked

Questions about Article 32

Who must comply with Article 32 of the GDPR? +
controller, processor.
What does Article 32 of the GDPR require? +
implement test ensure
Need a cross-border briefing on GDPR Article 32?
Search Fontvera ↵
All EU obligation pages  ·  All GDPR articles