1. Having regard to the state of the art and the cost of their implementation, the controller shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected.
Such measures shall be taken in particular to prevent any unauthorised disclosure or access, accidental or unlawful destruction or accidental loss, or alteration, and to prevent all other unlawful forms of processing.
2. Where personal data are processed by automated means, measures shall be taken as appropriate in view of the risks in particular with the aim of:
(a) preventing any unauthorised person from gaining access to computer systems processing personal data;
(b) preventing any unauthorised reading, copying, alteration or removal of storage media;
(c) preventing any unauthorised memory inputs as well as any unauthorised disclosure, alteration or erasure of stored personal data;