Security & Confidentiality


according to Law No. 133 of 2011 on personal data protection

Article 29. Confidentiality of personal data
(1) Controllers and third parties who have access to personal data must ensure the confidentiality of those data, except where:
a) processing relates to data which are voluntarily and manifestly made public by the personal data subject;
b) personal data have been depersonalized.
(2) Any person acting on behalf, on the account or in any other way under the authority of the controller will be able to process personal data only on instructions from the controller, unless he is required to do so by law.
(3) The Centre’s leadership and employees are obliged to guarantee nondisclosure of the professional secrecy with regard to confidential information to which they have access, even after their functions have been served out.

Article 30. Security of personal data processing
(1) While the processing of personal data, the controller must implement appropriate technical and organizational measures to protect personal data against destruction, alteration, blocking, copying, disclosure, and against other unlawful forms of processing, that shall ensure an adequate level of security appropriate to the risks represented by the processing and the nature of the data.
(2) If the processing of personal data is carried out on behalf of the controller, he must empower a processor that shall ensure sufficient guarantees in respect of the technical security measures and organizational measures governing the processing to be carried out.
(3) The carrying out of processing by way of a processor must be governed by a contract or legal act stipulating, in particular that:
a) the processor shall act only on instructions from the controller;
b) the obligations set out in paragraph (1) shall also be incumbent on the processor.
(4) The requirements for ensuring security of personal data at their processing within personal data information systems are established by the Government.