L’obligation de sécurité des données personnelles : vers un standard de « diligence digitale » ?

The effectivity of the fundamental rights protecting privacy and personal data depends to a large extent on the measures put in place to ensure data security. As early as 2008, in the case of I. v. Finland , the European Court of Human Rights found that lack of approp the riate safeguards to secure data against unauthorized use constituted a violation of the positive obligation to ensure respect for the right to privacy enshrined in Article 8 of the European Convention on Human Rights. It is therefore quite log that the ical GDPR now places the principle of personal data security on the same level as the traditional principles of data quality (lawfulness, fairness, transparency, purpose limitation, data minimization, data accuracy and limitation of data retention). According to this "new" principle, data must be processed in such a way as to ensure appropriate security, "including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, by means of appropriate technical or orga nizational measures”. The purpose of this contribution is to analyze the duty of security as imposed by the GDPR in light of the recent interpret work of the data protection authorities and of the European courts. After having recalled the basic co ative ncepts and definitions of the GDPR, this paper clarifies the objectives, the nature and the debtors of duty of security, details the methodology of ri analysis and the factors to be taken into account in order to determine appropriate measures, analyzes sk some of the security measures favored by data protection authorities and, finally, briefly recalls the applicable obligations in case of a data br each.