Version status: Applicable | Document consolidation status: No known changes
Version date: 12 December 2019 - onwards
Version 3 of 3

Article 91 Security of processing of operational personal data

1. The controller and the processor shall, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks, in particular as regards the processing of special categories of operational personal data.

2. In respect of automated processing, the controller and the processor shall, following an evaluation of the risks, implement measures designed to:

(a) deny unauthorised persons access to data processing equipment used for processing ('equipment access control');

(b) prevent the unauthorised reading, copying, modification or removal of data media ('data media control');

(c) prevent the unauthorised input of operational personal data and the unauthorised inspection, modification or deletion of stored operational personal data ('storage control');

(d) prevent the use of automated processing systems by unauthorised persons using data communication equipment ('user control');