Personal data security
Personal data security is a subject only vaguely regulated by Article 17 of the Data Protection Directive 95/46/EC, which calls for “appropriate technical and organizational measures” for protecting personal data.
This section lists the national legislation connected to personal data security, the authorities responsible for enforcing such regulation, and whether any security standards are referenced or taken into consideration.
Country | Secondary legislation on personal data security | Who enforces data security? | Number of IT people and expertise in enforcing authorities | Security standards referenced or taken into consideration |
---|---|---|---|---|
Austria | Datenschutzgesetz 2000 (DSG 2000) E‑Government-Gesetz (E-GovG) | Datenschutzbehörde (Data Protection Authority) | Not available | None |
Bulgaria | 1. Ordinance No. 1 of 30 January 2013 on the minimum level of technical and organisational measures and the admissible type of personal data protection 2. Ordinance for general requirements of network and information security – this ordinance regulates the requirements that must be met by public authorities in relation to the maintenance of internal administrative services and the exchange of information between institutions. | 1. Commission for Personal Data Protection | 1. One person with expertise in information security 2. Not available | According to Ordinance No. 1 of 30 January 2013 there are three levels of security that can be applied by a data controller. These levels involve different types of procedures concerning access to data (limited access to registers, different types of authorization, logging of the time and date of access, etc.). Meanwhile, a number of secondary legislation acts oblige different subjects that process data, including personal data, to implement ISO 27001 or an equivalent standard to ensure the security of their information systems. For instance, pursuant to the Regulation on the Implementation of the Electronic Identification Act, each provider of electronic identification must certify its security procedures in accordance with the ISO 27001 standard. |
Czech Republic | Law no. 181/2014 (Cyber law) | Depending on the type of organization (defined by the law and related ordinances) the breach must be reported to: National CERTs (coordinated by CZ.NIC or | Government CERT does not specify the number of employees as a security measure. National CERT/CSIRT has 5 employees. It cooperates with and coordinates approx. 15 Czech CERT/CSIRT teams, which are mostly operated by major ICT infrastructure providers. | RFC 2350 |
France | CNIL (French Data Protection Authority) created a label to encourage efforts among public and private entities on the subject of protection of personal data. Among the criteria that a label holder must meet is having a Correspondant Informatique et Libertés (CIL), the French version of the Data Protection Officer. In addition to the CNIL label, the Commission put in place a new regulatory tool, “conformity packs”. Developed in consultation with representatives from the sectors concerned, these packs group best practices that set out the rights and duties under the internet freedom legislation, alongside tools to simplify administrative formalities (simplified norms, single authorization, statement exemptions). The goal is to ensure a practical legal framework adapted to the needs of each sector. Extending the packs, CNIL has also set up “conformity clubs” which informally bring together actors from a given sector in order to better identify trends and emerging practical issues. The French Digital Bill guarantees the principle of confidentiality of electronic correspondence: emails shall be as confidential as physical letters, and may not be analysed by email services except in order to detect spam and viruses. | CNIL (French Data Protection Authority) | 174 | EU Directive and ISO standards |
Germany | Annex 1 to § 9 BDSG; Signaturgesetz (SigG); § 25a Kreditwesengesetz (KWG); § 91 II AktG; IT-security law (which entered into force on 25 July 2015) | DPAs are in charge of enforcing the BDSG, which contains the IT-security requirements. IT-security standards are developed by the Bundesamt für Sicherheit in der Informationstechnik (BSI). | The BSI currently has more than 650 employees (with plans for up to 950 employees in the future). The Federal Government is also currently establishing a new authority (to be completed in 2022) called ZITiS, which shall focus on digital forensics, lawful interception, cryptanalysis, big data analysis and technical challenges regarding prosecution, averting danger and counter-espionage. While there is a focus on law enforcement aspects, ZITiS will also act as a consultant for public authorities, which, with regard to counter-espionage, can improve IT-security. | “IT-Grundschutz-Katalog”: the BSI catalogue of standard security measures for IT systems; certification of IT systems through the BSI; general guidelines for IT security delivered by the BSI |
Italy | The security of personal data is covered by the main Italian Data Protection Code, Law no. 196/2003. In particular, Annex B, Disciplinare tecnico in materia di misure minime di sicurezza, contains the basic requirements for data security. In September 2014 the Authority was consulted by the Italian Government about a possible simplification of the data protection security standard. As stated in art. 15 of the Data Protection Code, a person who causes damage to others as an effect of personal data processing has to indemnify the injured party in the measure established by art. 2050 of the Civil Code (civil liability). | The National Data Protection Authority together with the Guardia di Finanza – Nucleo Speciale Privacy. | Not available | Security standards considered: authentication procedures; use of passwords; use of anti-virus programs; periodic backup of the data; persons handling data must be authorized by the data protection responsible within the organization for data collection, storage and use. Sensitive personal data require further levels of authentication and particular security standards and measures. Special private agencies verify and certify the compliance of security measures implemented by non-Italian organizations with the existing laws and Safe Harbour Framework principles. AGID (Agenzia per l’Italia Digitale) also intervenes in the definition and implementation of security standards on the Internet. |
Malta | Chapter 440 (2002, amended 2012). Data Protection Act. | Information and Data Protection Commissioner | Unknown | Unknown |
Netherlands | The Dutch Personal Data Protection Act (WBP, Wet bescherming persoonsgegevens); the Dutch Telecommunications Act (DTA, Telecommunicatiewet; Wet Onafhankelijke post- en telecommunicatieautoriteit). On May 26, 2015, the Upper House of the Dutch Parliament passed a bill (Wetsvoorstel Meldplicht datalekken en uitbreiding bestuurlijke boetebevoegdheid Cbp) that introduces a general obligation for data controllers to notify the Dutch Data Protection Authority of data security breaches and provides increased sanctions for violations of the Dutch Data Protection Act. The new law extends that obligation to all data controllers subject to the Dutch Data Protection Act. In this respect, the new Dutch law anticipates the proposed EU General Data Protection Regulation, which will introduce such an obligation across the EU, but not before 2017-2018. | Dutch DPA (CBP); Dutch ACM | CBP: 80 staff. ACM: 520 in total, including professionals from 6 departments, among them the Telecommunications, Transport and Post Service Department | http://www.eerstekamer.nl/wetsvoorstel/33662_meldplicht_datalekken_en https://cbpweb.nl/nl/richtsnoeren-beveiliging-van-persoonsgegevens-2013 |
Romania | Emergency Ordinance no. 111/2011 on electronic communications (consolidated text with 2014 updates) | ANSPDCP (National Data Protection Authority) and ANCOM (National Authority for Communications Regulation) | Unknown | Unknown |
Spain | Royal Decree 1720/2007 of December 21 | “The file (meaning data) responsible and, in some cases, the file handler” | - | None (AGPD Security Guide) |
Switzerland | No | Not applicable | Not applicable | Not applicable |
United Kingdom | The UK DPA 1998 is the legislation for the protection of personal data. | For personal data, the ICO. For all other data, it depends. The UK takes a holistic approach to data protection in which security implementations cover other legal requirements, not just privacy and the protection of personal data. | Significant and expanding. Includes the ICO regulator, banking regulators, industry self-regulating bodies, law enforcement and government agencies. | The UK distinguishes between ‘protection of personal data’ belonging to a person, by persons and organisations, and ‘personal data protection’, which covers the security measures recommended for a person to protect all kinds of sensitive data that they hold, even if they do not own it. The UK references international and national security and privacy standards, such as the ISO 27000 series. It publishes: Good Practice Guides for organisations; the Cyber Essentials assessment scheme for organisations; Ten Steps to Cyber Security for citizens. |
Last updated 28 February 2018.