Article 12 - Obligations concerning data security

(1) The controllers are obliged to take all necessary technical and administrative measures to provide a sufficient level of security in order to:

  • a) prevent unlawful processing of personal data,
  • b) prevent unlawful access to personal data,
  • c) ensure the retention of personal data.

(2) In case of the processing of personal data by a natural or legal person on behalf of the controller, the controller shall jointly be responsible with these persons for taking the measures laid down in the first paragraph.

(3) The controller shall be obliged to conduct necessary inspections, or have them conducted in his own institution or organization, with the aim of implementing the provisions of this Law.

(4) The controllers and processors shall not disclose the personal data that they learned to anyone in breach of this Law, neither shall they use such data for purposes other than processing. This obligation shall continue even after the end of their term.

(5) In case the processed data are collected by other parties through unlawful methods, the controller shall notify the data subject and the Board within the shortest time. Where necessary, the Board may announce such breach at its official website or through other methods it deems appropriate.