Text source about obligation to have IT Security Structure in place on premises
I work as a freelance within Human Resources for a pharmaceutical SME company in ***, which belongs to an international group. We have strong co-determination rights regarding the works council.
Members of the international headquarters want to know in which chapter of the GDPR it is written down, that a company, i.e. in ***, who has servers on its premises with various software programmes that process personnel data, must have a IT Security Structure: i.e. who has access to the servers' room, which security measures have been taken in case of fire or other emergency incidents, etc.
Thanks a lot for a link or some further information
Assign topic to the user
EU GDPR DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more 
EU GDPR DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
EU GDPR DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
The GDPR only states that the data controller must ensure that data are “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures (‘integrity and confidentiality).” (Article 5 paragraph 1, f) GDPR)Article 32 GDPR, among the obligation of the data controller, states that:“Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of the processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller, and the processor, shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
A) the pseudonymization and encryption of personal data;
B) the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
C) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
D) a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from an accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed.
Setting access policies and determining roles and responsibilities is considered an organizational security measure and of course there is no indication of what technical security measures must be applied, the aim of GDPR is to be technological neutral but ISO27001 standard on the security of information can be a good guide.
Here you can find some information on security aspects and GDPR:
- Does ISO 27001 implementation satisfy EU GDPR requirements? https://advisera.com/27001academy/blog/2016/10/17/does-iso-27001-implementation-satisfy-eu-gdpr-requirements/
- Privacy, cyber security, and ISO 27001 – How are they related? https://info.advisera.com/27001academy/free-download/privacy-cyber-security-and-iso-27001
If you want to know more about the EU GDPR compliance, you can consider enrolling in our free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//
Comment as guest or Sign in
May 24, 2021