Article 14 - Security of Processing

(1) The Data Controller must implement appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access and against all other unlawful forms of Processing, in particular where the Processing of Personal Data is performed pursuant to Article 8 or Article 10 above.
(2) Having regard to the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the Processing and the nature of the Personal Data to be protected.
(3) The Data Controller must, where Processing is carried out on its behalf, choose a Data Processor providing sufficient guarantees in respect of the technical security measures and organisational measures governing the Processing to be carried out, and must ensure compliance with those measures.