Personal data security

Personal data security is a subject vaguely regulated by the Article 17 of the Data Protection Directive 95/46/EC that foresees “appropriate technical and organizational measures” for protecting personal data.

This section lists the national legislation connected to personal data security, which are the authorities responsible for enforcing such regulation and whether there are any security standards that could be referenced to.

CountrySecondary legislation on personal data securityWho enforces the data security?Number of IT people & expertise in enforcing authorities

Security standards references or taken into consideration


Datenschutzgesetz 2000 (DSG 2000)

E‑Government-Gesetz (E-GovG)
Datenschutzbehörde (Data Protection Authority)Not availableNone

1. Ordinance No. 1 of 30 January 2013 on the minimum level of technical and organisational measures and the admissible type of personal data protection

2. Ordinance for general requirements of the network and information security – this ordinance regulates the requirements that should be met by public authorities in relation to the maintenance of internal administrative services and the exchange of information between institution.

1. Commission for Personal Data Protection

2. State e-Government Agency

1. One person with expertise in information security

2. Not available

According to the Ordinance No. 1 of 30 January 2013 there are three levels of security that can be applied by a data controller. These levels involve different types of procedures concerning the access to data (limited access to registers, different types of authorization, identification of time and date of access, etc.)
Meanwhile there are number of secondary legislation acts that obliged different subjects which process data, including personal data, to implement ISO 27001 or equal standard to ensure the security of their information systems. For instance, pursuant to the Regulation on the Implementation of the Electronic Identification Act each Provider of electronic identification should certify its security procedures in accordance to the ISO 27001 standard.
Czech Republic

Law no. 181/2014 (Cyber law)

Depending on a type of organization (defined by the law and related ordinances) the breach must be reported to:

National CERTs

(coordinated by CZ.NIC or
Government CERT coordinated by the Czech National Security Authority

Government CERT does not specify number of employees as a security measures.


National CERT/CSIRT has 5 employees. It cooperates with and coordinates approx. 15 Czech CERT/CSIRT teams which are mostly operated by major ICT infrastructure providers.
RFC 2350

CNIL (French Data protection authority) creates a label to encourage efforts among public and private entities on the subject of protection of personal data. Amongst the criteria that the label holder should meet is having a Correspondant Informatique et libertés( CIL), French version of the Data Protection Officer.

In addition to the CNIL Label, the Commission put in a place a new regulatory tool “conformity packs”. Developed in consultation with representatives from concerned sectors, these packs regroup best practices that set out of the rights and duties under the internet freedom legislation, alongside tools to simplify the administrative formalities (simplified norms, single authorization,  statement exemptions). The goal is to ensure a practical legal framework adapted to the needs of respective sectors.

Extending the packs, CNIL has also set out “conformity clubs” which reunite informally actors from a given sector  in order to better identify trends and emerging practical issues.

The French Digital Bill guarantees the principle of confidentiality of electronic correspondence. Emails shall be as confidential as physical letters, and may not be analysed by email services, except in order to detect spam and viruses.


CNIL (French Data Protection Authority)


174EU Directive and ISO standards

Annex 1 to § 9 BDSG

Signaturgesetz (SigG)

§25a Kreditwesengesetz (KWG)

§ 91 II AktG


IT-security law (which entered into force on 25 July 2015)

DPAs are in charge of enforcing the BDSG, which contains the need of IT-security.

IT-security standards are developed by the Bundesamt für Informationssicherheit (BSI).

The BSI currently has more than 650 employees (plans to have up to 950 employees in the future).

The Federal Government is also currently establishing a new authority (to be finished in 2022) called ZITiS which shall focus on digital forensics, lawful interception, crypto analytics, big data analysis and technical challenges regarding prosecution, averting of a danger and counter-espionage. While there is a focus on law enforcement aspects, ZITiS will also act as consultant for public authorities, which – in regard to counter-espionage – can improve IT-security.

“IT-Grundschutz-Katalog”: Catalogue for standard security measures for IT systems from the BSI

Certification of IT-systems through the BSI

General guidelines for IT security delivered by  the BSI

The security of personal data is included in the main Italian Code of Data Protection Law no. 196/2003. In particular, the B Annex Disciplinare tecnico in materia di misure minime di sicurezza contains the basic requirements for data security.

On September 2014, the Authority has been consulted by the Italian Government about a possible simplification of the security standard of data protection. As stated in art.15 of the Data Protection Code, the person producing damage to other people as effect of personal data treatment have to indemnify the offended person in the measure established by the art. 2050 of Civil Code (civil responsibility).
The National Data Protection Authority with the Guardia di FInanza – Nucleo Speciale Privacy.Not availableSecurity standards considered: authentication procedures; usage of passwords; usage of anti-virus programs; doing periodically the back-up of the data; persons handling data have to be authorized by the data protection responsible within the organization for data collection, storage and use. Sensitive personal data required further levels of authentication and particular security standards and measures. Special private agencies verify and certify the compliance of security measures implemented by non Italian organizations  with the existing laws and Safe Harbour Framework principles. Also AGID –Agenzia per l’Italia Digitale – intervene in the definition and implementation of security standards on the Internet.
MaltaChapter 440 (2002, amended 2012). Data Protection Act.Information and Data Protection CommissionerUnknownUnknown

The Dutch Personal Data Protection Act (WPB Wet bescherming persoonsgegevens)

The Dutch Telecommunication Act (DTA Telecommunicatiewet Wet Onafhankelijke post- en telecommunicatieautoriteit).

On May 26, 2015, the Upper House of the Dutch Parliament passed a bill  (Wetsvoorstel Meldplicht datalekken en uitbreiding bestuurlijke boetebevoegdheid Cbp) that introduces a general obligation for data controllers to notify the Dutch Data Protection Authority of data security breaches and provides increased sanctions for violations of the Dutch Data Protection Act. The new law will extend that obligation to all data controllers subject to the Dutch Data Protection Act. In this respect, the new Dutch law anticipates the proposed EU General Data Protection Regulation, which will introduce such an obligation across the EU, but not before 2017-2018. 

Dutch DPA (CBP)

Dutch ACM

CBP 80 staffs.

ACM (all together 520, including  professionals from 6 departments including the Telecommunications, Transport and Post Service Department)


Law 506/2005 on ePrivacy

Emergency Ordinance no. 111/2011 on electronic communications (consolidated text with 2014 updates)

Law 677/2001 on personal data protection

ANSPDCP (National Data Protection Authority) and ANCOM (National Autorithy for Communications Regulations)UnknownUnknown
SpainRoyal Decree 1720/2007 December 21“The file (meaning data) responsible and in cases the file handler)”-None (AGPD Security Guide)
SwitzerlandNoNot applicableNot applicableNot applicable
United KingdomUK DPA 1998 is the legislation for the protection of personal data. For personal data, the ICO.  For all other data, it depends.  The UK takes a holistic approach to data protection where security implementations cover other legal requirements, not just privacy and the protection of personal dataSignificant and expanding. Includes the ICO regulator, banking regulators, industry self-regulating bodies, law enforcement and government agencies.

UK distinguishes between ‘protection of personal data’ belonging to a person, by persons and organisations, and ‘personal data protection’ which are the security measures recommended for a person to protect all kinds of sensitive data that they hold, even if they do not own it.   

The UK references international and national security and privacy standards, such as ISO 27000 series.  It publishes: Good Practice Guides for organisations;  Cyber Essentials assessment scheme for organisations; Ten Steps to Cyber Security for citizens.

Last updated 28 February 2018.

Suggestions? Corrections? Additions? Please send us an email at observatory (at) mappingtheinternet (dot) eu. Or suggest via this webform.

Link - Posted on Friday 19 September 2014

« Basic Intellectual Property legislation Personal data breaches »