Regulation (EU) 2016/679General Data Protection Regulation (GDPR) of the European Parliament and of the Council (¹⁸) applies to the processing of personal data by the Member States under this Regulation. Member States should implement appropriate technical and organisational measures to ensure and be able to demonstrate that processing is performed in accordance with that Regulation and the provisions specifying its requirements in this Regulation. In particular those measures should ensure the security of personal data processed under this Regulation and in particular to prevent unlawful or unauthorised access or disclosure, alteration or loss of personal data processed. The competent supervisory authority or authorities of each Member State should monitor the lawfulness of the processing of personal data by the authorities concerned, including of the transmission to the authorities competent for carrying out security checks. In particular, data subjects should be notified without undue delay when a personal data breach is likely to result in a high risk to their rights and freedoms under Regulation (EU) 2016/679General Data Protection Regulation (GDPR).

18. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1). ↩︎