Article 20
- The Controller shall notify the Competent Authority upon knowing of any breach, damage, or illegal access to personal data, in accordance with the Regulations.
- The Controller shall notify the Data Subject of any breach, damage or illegal access to their Personal Data that would cause damage to their data or cause prejudice to their rights and interests, in accordance with the Regulations.
FAQs
Controllers must implement comprehensive safeguards under the PDPL and its Implementing Regulations, including:
- Data encryption (in transit and at rest) to protect data confidentiality.
- Access controls: Role-based permissions, multi-factor authentication, and strict logical access management.
- Cybersecurity systems: Firewalls, intrusion detection systems, malware protection, and regular vulnerability scans.
- Physical security: Restricted access to data centers, smart ID controls, CCTV, and secure storage for physical records.
- Personnel measures: Regular training on data protection policies, incident response, and handling procedures.
- Incident response planning: Clear protocols for detecting, reporting, and responding to data breaches.
- Data minimization: Limiting collection, processing, and retention to only what is necessary for the stated purpose.
- Vendor management: Contracts with third parties must include PDPL-compliant security clauses and ongoing audits.
Controllers must conduct regular risk assessments, including:
- Risk analysis: Identifying threats and vulnerabilities tied to their processing activities.
- Data Protection Impact Assessments (DPIAs): Mandatory for high-risk scenarios like large-scale processing, linking data sources, profiling, or using new technologies.
- Risk mitigation: Implementing appropriate technical and organisational measures based on assessment findings.
- Tracking risk management: Documenting the assessment, results, and mitigation steps for ongoing review.
Controllers must be able to demonstrate that they are actively maintaining data security by:
- Documenting security controls: Keep records of encryption, access logs, system configurations, and training schedules.
- Conducting regular reviews: Periodic audits, penetration tests, and internal compliance checks help uncover weaknesses.
- Updating measures: Security controls must be amended in response to new risks, technology changes, or audit findings.
- Maintaining logs & reports: Details of access events, incidents, and corrective actions must be logged.
- Certifications & standards: Voluntary certifications (like ISO 27001) or internal codes of conduct show commitment to best practices.