Article 32. Security of processing 1. Taking into account the state of the art, the costs of

implementation and the nature, scope, context and purposes of processing as well as the risk of varying

likelihood and severity for the rights and freedoms of natural persons, the controller and the processor

shall implement appropriate technical and organizational measures to ensure a level of security

appropriate to the risk, including inter alia as appropriate.

A, the pseudonymization and encryption of personal data.

B, the ability to ensure the ongoing confidentiality, integrity, availability and

resilience of processing systems and services. C, the ability to restore the availability

and access to personal data in a timely manner in the event of a physical or technical

incident. D, a process for regularly testing, assessing and evaluating the effectiveness of technical

and organizational measures for ensuring the security of the processing.

2.

In assessing the appropriate level of security account shall be taken in particular of the risks

that are presented by processing, in particular from accidental or unlawful destruction,

loss, alteration, unauthorized disclosure of, or access to personal data transmitted,

stored or otherwise processed.

3. Adherence to an approved code of conduct as referred to an Article 40 or an approved

certification mechanism as referred to an Article 42 may be approved certification mechanism as referred to an Article 42

may be used as an element by which to demonstrate compliance with the requirements set out in paragraph

one of this article.

4. The controller and processor shall take steps to ensure that any natural person acting

under the authority of the controller or the processor who has access to personal data

...