§ GDPR · Article 32
GDPR Article 32: Obligations, Deadlines & Penalties
At a glance
Article 32 of the GDPR imposes 3 obligations on controller, processor.
§ Obligations
All obligations under Article 32
Obligation 1
Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including pseudonymisation, encryption, confidentiality, integrity, availability, resilience, and restoration capabilities.
Regulation (EU) 2016/679, Article 32, Article 32
- Obligated entity
-
controller, processor
- Action required
-
implement
- Deadline
-
—
- Penalty
-
—
Obligation 2
Establish a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
Regulation (EU) 2016/679, Article 32, Article 32
- Obligated entity
-
controller, processor
- Action required
-
test
- Deadline
-
—
- Penalty
-
—
Obligation 3
Take steps to ensure that any natural person acting under the authority of the controller or processor who has access to personal data does not process them except on instructions from the controller, unless required by law.
Regulation (EU) 2016/679, Article 32, Article 32
- Obligated entity
-
controller, processor
- Action required
-
ensure
- Deadline
-
—
- Penalty
-
—
- Exemptions
- required by Union or Member State law
§ Frequently asked
Questions about Article 32
Who must comply with Article 32 of the GDPR?
+
controller, processor.
What does Article 32 of the GDPR require?
+
implement test ensure