Lawfulness of processing is not a factor that should be considered when looking at security of processing under Article 32 of the GDPR. Lawfulness of processing is a separate requirement that applies to all processing of personal data, regardless of the level of security. Security of processing under Article 32 of the GDPR should be based on the following factors:
The state of the art and the costs of implementation of the security measures;
The nature, scope, context and purposes of the processing;
The risk of varying likelihood and severity for the rights and freedoms of natural persons;
Adherence to an approved code of conduct or an approved certification mechanism (as an element to demonstrate compliance).
References:
Article 32 of the GDPR
Guidelines 07/2020 on the concepts of controller and processor in the GDPR, p. 36