Security Requirements and Breach Notification
Do data privacy laws or regulations impose obligations to maintain information security controls to protect personal data from unauthorized access or processing?

Last review date: 15 January 2025

Yes.

☒ general obligation to take appropriate / reasonable technical, physical and/or organizational security measures

☒ obligation to take specific security measures, e.g., encryption

☒ encryption

☒ other

  • Information access controls, including access and privileges management, user identification controls, and the maintenance of evidence of the interaction with the personal data
  • Backup copies
  • Information copy controls
  • Training of employees, depending on their roles and responsibilities
  • Security measures for physical environments and clean desks
Do other laws or regulations impose obligations to protect systems from cyberattack?

Last review date: 15 January 2025

☒ health regulatory requirements

☒ financial services requirements

☒ telecommunication requirements

☒ providers of critical infrastructure

☒ other

There are obligations to adopt measures to guarantee the confidentiality of the information for the selected sectors. The DPA has stated that a cyberattack could breach the duty to guarantee confidentiality.

Has there been regulatory activity – including enforcement action, investigations, regulatory guidance or other public statements by the regulator – relating to cybersecurity by the following regulators in the last 12 months?

Last review date: 15 January 2025

Yes.

financial services

Does data privacy or cybersecurity law impose obligations to make notifications about personal data security breaches?

Last review date: 15 January 2025

Yes.

Controllers/Owners have to notify:

Last review date: 15 January 2025

☒ data protection authorities

☒ cybersecurity authorities

☒ affected individuals

Processors/Agents have to notify:

Last review date: 15 January 2025

controller/owner

Are there any additional sector-specific or non-personal data security breach notification requirements?

Last review date: 15 January 2025

Yes. Requirements apply to the banking sector and to companies that provide digital services in certain sectors (financial entities, basic services providers, health institutes, Internet service providers, etc.), as provided by Urgent Decree 007-2020.

☒ cybersecurity authorities

☒ health regulatory requirements (e.g., to notify incidents affecting safety of medical devices)

☒ financial services requirements

☒ providers of critical infrastructure

☒ other

If so, please provide brief details of the relevant law / guidance and indicate which body/bodies must be notified of the breach.

It is mandatory for companies that provide digital services in certain sectors (such as financial entities, basic services providers, health institutes and Internet service providers) to notify in the event of a data breach.