What needs to be in a processor contract with regard to appropriate security measures?

Under Article 28(3)(c) the contract must oblige the processor to take all security measures necessary to meet the requirements of Article 32 on the security of processing.

Both controllers and processors are obliged under Article 32 to put in place appropriate technical and organisational measures to ensure the security of any personal data they process, which may include, as appropriate:

  • encryption and pseudonymisation;
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • the ability to restore access to personal data in the event of an incident; and
  • processes for regularly testing and assessing the effectiveness of the measures.

Adherence to an approved code of conduct or certification scheme may be used as a way of demonstrating compliance with security obligations. Codes of conduct and certification may also help processors to demonstrate sufficient guarantees that their processing will comply with the GDPR.