Article 32 in full
Article 32: Security of processing
1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
2. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
Read the full text on EUR-Lex (CELEX 32016R0679, Article 32).
What this Article requires
Article 32 imposes a risk-based, technology-neutral security obligation on controllers and processors. The standard is appropriateness, assessed against four factors: the state of the art (what controls are currently available and generally adopted), the costs of implementation (proportionality to the controller's resources), the nature/scope/context/purposes of processing (more sensitive processing requires more rigorous measures), and the risk to the rights and freedoms of natural persons (the higher the potential harm, the higher the required protection).
The flexibility of the standard is a feature, not a bug. A small Spanish retailer processing low-volume customer data is not held to the same security standard as a multinational airline processing payment-card data for hundreds of millions of passengers. The state-of-the-art benchmark also evolves over time: controls that were appropriate in 2018 may not be appropriate in 2026, as attacker capabilities and defensive technologies advance.
How DPAs interpret Article 32
DPA practice has converged on a set of baseline controls expected for most mid- and large-scale processing operations. These include multi-factor authentication for privileged access, network segmentation between environments of differing sensitivity, encryption of personal data at rest and in transit, logging and monitoring of access to personal data, file-integrity monitoring for customer-facing infrastructure, regular vulnerability assessment and penetration testing, documented incident-response procedures, and demonstrable security-awareness training for personnel with access to personal data. The list is neither exhaustive nor prescriptive in every case, but a controller missing several of these baseline controls faces a steep uphill battle in any Article 32 enforcement.
The ENISA Cloud Security Guide, the EDPB Guidelines 9/2022 on personal data breach notification (which include security-architecture expectations), and the German BSI baseline catalogues (Grundschutz) are recurring reference points for what "state of the art" means in practice. National industry codes (FCA cybersecurity guidance, NHS Data Security and Protection Toolkit, BSI IT-Grundschutz) inform sectoral expectations.
Landmark fines under Article 32
British Airways £20 million (ICO, 2020): the most-cited Article 32 case in the UK. The decision identifies specific weaknesses (absent MFA on Citrix remote access, inadequate network segmentation, inadequate file-integrity monitoring on payment-page asset chains) that exemplify what falls below the appropriate-measures standard for a payment-card environment.
Marriott £18.4 million (ICO, 2020): the leading authority on Article 32 due-diligence in M&A. Marriott's due-diligence on the Starwood acquisition did not adequately assess the security of the acquired environment, and post-acquisition integration did not remediate the inherited weaknesses.
1&1 Telecom GmbH €9.55 million (BfDI, 2019, reduced to €900k on appeal): the leading German authority on customer-authentication-as-security. The original fine addressed inadequate authentication in call-centre operations, allowing impersonators to obtain personal information about subscribers. The subsequent reduction by the Bonn Regional Court on proportionality grounds remains a reference point for appeal-stage Article 32 jurisprudence.
Equifax-style cases: while Equifax itself was a US-only matter, comparable credit-reference-agency cases in the EU have generated Article 32 fines in the mid-seven-figure range. The Italian Garante decisions against telecom providers (Tim, Vodafone) have addressed authentication, breach detection and credential-management controls.
Common compliance failures
The recurring Article 32 failure patterns are predictable: missing or weak MFA on privileged access; network segmentation that allows lateral movement between sensitive and non-sensitive environments; unencrypted personal data at rest, particularly payment-card and special-category data; inadequate logging and monitoring, such that intrusions go undetected for months or years; untested incident-response procedures (paper-only response plans that have never been exercised); inadequate access controls, such that personnel can access personal data they do not need for their role (a violation of the principle of least privilege); and inadequate vendor and processor management, where security expectations are neither contractually binding nor operationally verified.
Defensive controls
For each processing operation involving personal data, document a risk assessment that identifies the threats, vulnerabilities, and potential harms to data subjects. From the risk assessment, derive the appropriate controls and document the rationale for choosing them. Implement, test and monitor the controls on an ongoing basis, with documented review cycles. Maintain demonstrable evidence: risk assessments, control inventories, test results, incident-response exercise records, training records, and audit findings. For higher-risk processing (special-category data, large-scale processing, new technology), conduct an Article 35 DPIA and include the security-controls analysis as part of the DPIA.
Fine band you can expect
For small controllers (sub-£1M turnover) with isolated security failures, ICO and continental DPA decisions are typically in the €5,000-€50,000 range. For mid-sized controllers (£1M-£100M turnover), Article 32 fines range from €100,000 to several million euros, with the exact figure depending on the number of records affected, the sensitivity of the data, and the balance of aggravating and mitigating factors. For enterprise controllers (£100M+ turnover), fines have reached the £20M (BA) and £18.4M (Marriott) range, with potential upper-tier interaction (where Article 5(1)(f) findings push the calculation into Article 83(5) territory) supporting higher figures.