Art. 1 Principles
1 In order to guarantee an adequate level of data security, the controller and the processor must determine the extent to which personal data requires to be protected and adopt the technical and organisational measures that are appropriate to the risk.
2 The extent to which personal data requires to be protected shall be assessed according to the following criteria:
- a. the type of the data being processed;
- b. the purpose, nature, extent and circumstances of the processing.
3 The risk for the personality or fundamental rights of the data subject shall be assessed according to the following criteria:
- a. the causes of the risk;
- b. the main threats;
- c. measures taken or planned to reduce the risk;
- d. the probability and seriousness of a breach of data security despite the measures taken or planned.
4 When determining the technical and organisational measures, the following criteria shall also be considered:
- a. the state of the art;
- b. the implementation costs.
5 The extent to which personal data requires to be protected, the risk and the technical and organisational measures shall be reviewed throughout the period of processing. The measures shall be adjusted if necessary.