Means of protection

Last updated 26.03.2021

What means for personal data protection must be applied?

Important to know

The Regulation does not specify a list of, and does not contain any recommendations on, the means and measures that need to be applied to protect personal data. These must correspond to the current state of the art and to the requirements for the protection of information at the given moment.

As already explained, the means include technical and organizational measures, which must ensure the security of personal data. The Regulation requires that, as appropriate, measures and technical solutions are applied that continuously ensure the confidentiality of the data, make it possible for the data to remain available as a whole (without uncontrolled erasure or unauthorized alteration), and keep it permanently available and recoverable in case of an accident. It is important that the organization of the data processing can be promptly and fully restored in case of unintended erasure or unauthorized access. The company processing personal data must also implement processes that enable regular testing of the systems, as well as regular assessment and evaluation of the efficiency of the technical solutions and of the organization of access and data security.

If appropriate, the data may be encrypted or pseudonymised. Article 4, item 5 of the Regulation states that pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject. Attributing the data to a specific subject is allowed only with the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures. Pseudonymisation is usually achieved using a cryptographic key applied to a database or a file. The key alters personal data such as names or PIN in such a manner that it becomes unreadable. The data only becomes readable again after re-application of the cryptographic key.
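The following is an added example, not part of the original guidance, of keyed pseudonymisation with the additional information held separately. It swaps in HMAC-SHA256 tokens plus a lookup table for the reversible encryption the paragraph describes; the field names, function names and sample records are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; "name" and "pin" are assumed field names.
RECORDS = [
    {"name": "Sample Person A", "pin": "0000000001", "invoice": 120.50},
    {"name": "Sample Person B", "pin": "0000000002", "invoice": 89.90},
    {"name": "Sample Person A", "pin": "0000000001", "invoice": 45.00},
]
DIRECT_IDENTIFIERS = ("name", "pin")


def make_token(key: bytes, field: str, value: str) -> str:
    """Keyed, deterministic token; it cannot be recomputed without the key."""
    msg = f"{field}:{value}".encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def pseudonymise(records, key, fields=DIRECT_IDENTIFIERS):
    """Return (working_copy, lookup). The lookup table is the 'additional
    information' and must be stored apart from the working copy."""
    working_copy, lookup = [], {}
    for record in records:
        masked = dict(record)
        for field in fields:
            if field in masked:
                token = make_token(key, field, str(masked[field]))
                lookup[token] = masked[field]
                masked[field] = token
        working_copy.append(masked)
    return working_copy, lookup


def reidentify(record, lookup, fields=DIRECT_IDENTIFIERS):
    """Restore identifiers; raises KeyError when the lookup table is absent."""
    restored = dict(record)
    for field in fields:
        if field in restored:
            restored[field] = lookup[restored[field]]
    return restored


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # keep in a key store, not beside the data
    working_copy, lookup = pseudonymise(RECORDS, key)
    print(working_copy[0])                      # identifiers replaced by tokens
    print(reidentify(working_copy[0], lookup))  # original record restored
```

Because the tokens are deterministic, records of the same person still match each other in the working copy, so analysis can continue without access to the lookup table or the key.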

The Regulation requires that data is protected by design and by default.

Data can be protected by design by taking protection into account in the technical products that are being developed. Such products must comply with the requirements of the Regulation and its principles, such as minimization of the data to be processed and protection of the rights and freedoms of the data subjects.

Data protection by default means processing only the personal data necessary for each specific purpose of processing. For example, this includes limiting access to specific data to specific individuals. Such access may be controlled through a password or through limited physical access to the premises where personal data is stored.

For more information

For more information, please see:

  • Opinions of the Article 29 Working Party: "after 2016" and archive "1997 – 2016"
  • Text of the Regulation