![Visual Impact on Personal Data](image-link-placeholder)
# Data Processing Security: What Data Controllers Need to Know
The security of personal data is becoming increasingly important in the current regulatory and technological landscape. In particular, **EU Regulation 2016/679**, known as the GDPR, contains fundamental provisions on data protection, and its Article 28 sets out clear obligations for data controllers when they entrust processing to third parties acting as processors. In this article we look at the main evidence of security guarantees that controllers can use to evaluate and select their partners in data processing.
## Obligations of the Data Controller
The GDPR requires data controllers to pay particular attention when selecting data processors: Article 28(1) allows controllers to use only processors that provide sufficient guarantees to implement appropriate technical and organizational measures, so that the processing meets the requirements of the Regulation and protects the rights of data subjects. Before entrusting any processing to a third party, therefore, the controller should ask for evidence of the security measures that party has adopted, and the contract or other legal act required by Article 28(3) should record the obligations agreed.
## Verification of the Adequacy of Security Measures
One of the first steps is to verify the security measures actually implemented by the prospective partner. It is advisable to request documentation covering, among other things:
– The existence of a **Record of Processing Activities** compliant with Article 30;
– The adoption of a **Privacy Organizational Model**;
– The designation of a **Data Protection Officer** (DPO), where required by Article 37;
– Compliance with the security provisions set out in Article 32 of the GDPR.
In this context the GDPR stresses the principle of integrity and confidentiality (Article 5(1)(f)). Article 32 obliges controllers and processors alike to assess the risks of a breach, to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems, and to make sure that anyone acting under their authority who has access to the data processes it only on instructions, which in practice requires adequate training of authorized personnel.
## Adherence to a Code of Conduct
Another key element is adherence to an **approved code of conduct** (Article 40) or an approved certification mechanism (Article 42). Article 28(5) expressly states that such adherence may be used as an element to demonstrate the sufficient guarantees a processor must provide, so it offers controllers additional, though not conclusive, assurance of diligent and responsible data management.
## Past Experiences: The LAZIOcrea Case
An emblematic example of how crucial such measures can be is the action taken by the Italian Data Protection Authority (Garante) against LAZIOcrea, a company involved in a significant data breach. The Authority found that the Lazio Region and LAZIOcrea had failed to adopt the necessary protective measures and to notify the Authority promptly after the breach. The episode shows how important it is for the data controller to monitor and verify its processors' security procedures, not only when selecting them but throughout the relationship.
## Certifications and Security Measures
Certifications such as ISO/IEC 27001 can provide further assurance about the security measures adopted. ISO/IEC 27001 is the international standard that sets out the requirements for an **Information Security Management System** (ISMS): a documented framework of risk assessment, selected controls, assigned responsibilities and periodic review, audited by an accredited certification body. Holding such a certification, however, does not relieve the data controller of its own responsibility to monitor the processor and to ensure ongoing compliance with the applicable rules.
### Limitations of ISO 27001 Certification
Although ISO/IEC 27001 certification is a significant step toward information security, it does not guarantee the absence of risks or vulnerabilities. The certificate attests that a management system conforms to the standard; it is not a penetration test or vulnerability assessment of the underlying systems. It also covers only the scope declared on the certificate (particular sites, services or business units) and the controls selected in the organization's Statement of Applicability, so a controller should check that the processing it intends to outsource actually falls within that scope. The certification should therefore be treated as an indicator of good practice rather than an absolute guarantee: the controller must still carry out its own risk assessment and evaluate the effectiveness of the protective measures actually in place.
## Regulations for Digital Infrastructures and Cloud Services
Another dimension to consider is that of digital infrastructures and cloud services, especially for public administrations, which must comply with specific rules when migrating to the cloud. Timely migrations…