The controller and the processor must take technical and organisational measures in order to ensure, depending on the level of protection required, that the data being processed:
- are only accessible to authorised persons (confidentiality);
- are available when they are required (availability);
- are not altered without authorisation or unintentionally (integrity);
- are processed in a traceable manner (traceability).