
*translated by ChatGPT

DIRECTIVE/2023/1
On organizational and security measures applicable to the
processing of personal data:
1. The attacks on information systems that have been occurring in increasing
numbers, especially in the year 2022, some of which have been large in scale
and complexity, have mostly affected personal data.
2. It has been found that the main attack vectors have been the exploitation of
infrastructure vulnerabilities; the lack of user training to detect phishing
campaigns, which then allow the distribution of malware, with particular relevance
to ransomware attacks; and a lack of awareness by those responsible for data
processing of the risks to the rights of data subjects that insufficient
investment in security mechanisms entails.
3. In fact, in most of the attacks that have been witnessed, the consequences for
the rights of data subjects could have been prevented or at least substantially
reduced.
4. Therefore, the National Data Protection Commission (hereinafter CNPD), as
the national supervisory authority, in pursuit of the mandate defined in Article
57(1)(d) of the General Data Protection Regulation (GDPR), in conjunction with
Article 3 of Law No. 58/2019 of August 8, considers it appropriate to raise
awareness among data controllers and processors about their obligations in
the field of the security of personal data processing.
5. It should be noted that the security measures for the processing of personal
data listed below are not exhaustive and are necessarily dynamic, due to their
direct dependence on technological development, and are therefore subject
to updates whenever necessary.

I. Regarding data breach notification

6. A personal data breach is "a breach of security that causes, accidentally or
unlawfully, the destruction, loss, alteration, unauthorized disclosure, or access
to personal data transmitted, stored or otherwise processed," as defined in
Article 4(12) of the GDPR.
7. The GDPR introduces the obligation to notify the competent national
supervisory authority, in this case the CNPD, of a personal data breach, where
possible, within 72 hours of becoming aware of it, in situations where the
breach is likely to result in a risk to the rights and freedoms of natural persons
(see Article 33(1) of the GDPR).
8. With regard to this deadline, it must be stressed that even if the data controller
does not initially have all the necessary information, they must notify the
supervisory authority without delay, informing them that they will provide the
results of the investigation later. It should be noted that the deadline runs
continuously and does not stop on Saturdays, Sundays and public holidays.
9. However, the necessary information to notify the supervisory authority may be
provided in phases, as explained in Article 33(4) of the GDPR.
10. Even if the data controller considers that notifying the CNPD is not required,
they are required to document any data breaches, as set out in Article 33(5) of
the GDPR.
11. The data controller is also required to inform data subjects of a data breach, if
the legal requirements are met and under the conditions described in Article
34 of the GDPR, that is, "when the personal data breach is likely to result in a
high risk to the rights and freedoms of natural persons," and as soon as
reasonably possible. The main objective of this notification is to provide
specific information about the measures they should take to protect
themselves from the negative consequences of the breach of their personal
data.
12. Since 2018, the data controller has been responsible for ensuring respect for
the rights and interests of data subjects, with the duty to verify, before
carrying out any processing, and to be able to demonstrate, compliance with all
data protection rules, including whether the specific processing activities they
carry out comply with the principles set out in Article 5(1) of the GDPR.
13. In the context of a deep evolution of technology and an increasingly digital
economy and society, achieving this objective depends on those responsible
for data processing adapting their business or public management models
and their respective technical and organizational means to ensure effective
compliance with the law and proper protection of personal data and the
sphere of interests, rights, and freedoms of the data subjects.
14. This adaptation should not be merely superficial and formal (bureaucratic),
and those responsible for data processing should keep up with the changes of
a disruptive time, through regular substantive and in-depth evaluation of
processing operations and the impact that technologies have on the
functioning of their organizations and, in the case of personal data, on the
risks to the rights and freedoms of individuals.
15. The use of subcontracting does not change the fact that the data controller
has overall responsibility for the protection of personal data. Subcontractors
act only on behalf of the controller, following their instructions (cf. Article 4).
With regard to the processing of personal data, the GDPR requires that their
actions result strictly from what is prescribed by the data controller (cf. Article
28(3)(a) of the GDPR). This is without prejudice to the subcontractor informing
the data controller immediately if the latter gives instructions that violate the
GDPR or other provisions of Union or Member State law (cf. Article 28(3)(h),
second paragraph, of the GDPR).

16. In fact, regardless of the proposals made by subcontractors, the ultimate
decision on data processing operations belongs to the data controller, who
cannot exempt themselves from playing their role and fulfilling their legal
obligations, nor shift onto subcontractors responsibilities that are solely
theirs.
17. The data controller must have in place an internal policy that allows them to
detect and manage security incidents impacting the protection of personal
data, and when data processing is carried out by subcontractors, effective
control mechanisms regarding the subcontractors' actions, ensuring that they
do not harm compliance with the obligations that fall on the controller in this
area.
18. In this context, and in the exercise of its duties and competencies, the National
Data Protection Commission (CNPD) defines, in a succinct manner, guidelines
so that data controllers, and subcontractors (with the necessary adaptations),
can ensure adequate data security, including protection against unauthorized
or unlawful processing, and against accidental loss, destruction, or damage,
through the adoption of appropriate technical and organizational measures.

II. Technical and organizational measures to be adopted by the data controller and processor

19. In accordance with the requirements set out in Article 32(1) and (2) of the
GDPR, it is the responsibility of the data controller to assess and implement
the necessary technical and organizational measures to ensure that the
processing of personal data is carried out with an appropriate level of security,
including the ability to ensure the confidentiality, integrity, availability, and
resilience of processing systems and services.
20. To that end, and depending on the characteristics and sensitivity of each
processing of personal data and the specificities of the organization, the
following security measures should be considered:
A. Organizational measures
a. Define and regularly exercise the incident response and disaster recovery
plan, providing the necessary mechanisms to ensure the security of
information and the resilience of systems and services, as well as ensuring that
data availability is promptly restored after an incident;
b. Classify information according to the level of confidentiality and sensitivity
and adopt the appropriate organizational and technical measures for each
classification;
c. Document security policies;
d. Adopt analysis procedures to monitor network traffic flows;
e. Define policies for secure password management, imposing requirements
for length, composition, storage, and frequency of password changes;
f. Create a user lifecycle management policy to ensure that each worker has
access only to the data necessary to perform their functions and regularly
review permissions for different user profiles, as well as the
deactivation/revocation of inactive profiles, if possible;
g. Adopt an alarm system that allows for the identification of situations of
unauthorized access or misuse;
h. Define, at an early stage, the information security best practices to be
adopted, both in the software development phase and in acceptance testing,
particularly considering data protection by design and by default, risk
analysis of the data processing and of the data lifecycle, and methods of
pseudonymization and anonymization of data - even when the system is
developed and maintained by subcontractor(s);
i. Conduct systematic IT security audits and vulnerability assessments
(penetration testing) so that users are aware of their vulnerabilities and
organizations can monitor the most vulnerable targets and invest in training
with specific and targeted content, according to the vulnerabilities detected;
j. Verify that the defined security measures are being implemented, ensuring
that they are effective and regularly updated, especially when processing or
circumstances change, including those implemented by subcontractors in data
processing;
k. Document and promptly correct any security vulnerabilities detected;
l. Take the necessary measures to ensure full compliance with Article 33 of the
GDPR, particularly with regard to the development of an internal policy to deal
with and document any personal data breaches;
m. Foster a culture of privacy and information security among employees, so
that each employee is empowered to recognize potential threats and act
accordingly, as a way of reducing the occurrence and impact of human error;
n. Inform employees of their duty of confidentiality regarding personal data
processing;
o. Periodically evaluate internal technical and organizational security measures
and update and review them as necessary.
B. Technical measures

i. Authentication
a. Use strong credentials with long passwords (at least 12 characters), unique,
complex, and with numbers, symbols, uppercase and lowercase letters,
changing them frequently;
b. Consider, especially in sensitive information, user privileges or access
methods (e.g. remote), the application of multi-factor authentication;

ii. Infrastructure and systems

a. Ensure that the operating systems of servers and terminals are updated, as
well as all applications (e.g. browser and plugins);
b. Keep the firmware of network equipment up to date;
c. Design and organize systems and infrastructure to segment or isolate data
systems and networks to prevent malware propagation within the
organization and to external systems;
d. Strengthen the security of workstations and servers, including:
i. block access to sites that may pose a security risk;
ii. block suspicious redirects through search engines;
iii. immediately block files and applications infected with malware;
iv. periodically inspect the system's state and resource usage;
v. monitor the use of installed software;
vi. activate and maintain audit logs;
vii. validate IP access to servers that are exposed to the public;
viii. change the default configured port for the remote access protocol (RDP).

iii. Email Tool

a. Clearly and unambiguously define internal policies and procedures, specifically on
the sending of email messages containing personal data, which introduce the additional
checks necessary to:
i. ensure that the email addresses of recipients are entered in the 'Bcc:' field
in cases of multiple recipients;
ii. prevent errors in the manual input of email addresses;
iii. ensure that attached files contain only the personal data intended to
be communicated;
b. Consider the creation of distribution lists or contact groups, with the aim of
preventing the disclosure of recipient addresses in mass email operations;
c. Consider creating rules to delay the delivery of email messages containing personal
data, keeping them in the 'Outbox' for a determined time, allowing for compliance
checks after clicking 'Send';
d. Encrypt the emails and/or attachments sent containing personal data with a
code to which only the recipient has access;
e. Confirm with the recipient, before sending an email containing personal data, their
preferred email address for contact;
f. Conduct training actions to enable workers to operate email sending mechanisms
in accordance with defined procedures, sensitizing them to the most common errors
potentially susceptible to data breaches and encouraging double-checking;
g. Reinforce the alert system of the alarm tool used by the entity, to ensure
immediate visibility of users' creation of automatic email forwarding rules to external
accounts;
h. Reinforce the system with anti-phishing and anti-spam tools that can block links
and/or attachments with malicious code;
i. Adopt security controls that allow for the classification and protection of sensitive
email messages.
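The additional checks in a.i to a.iii above can be enforced at the sending side. As an added example (not part of the directive), the following is a pre-send check that a mail gateway or client plug-in could run; the organisation domain, the address syntax rule and the two sample messages are constructed for illustration.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import getaddresses

INTERNAL_DOMAIN = "example.org"  # assumed organisation domain (constructed)
ADDR_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # coarse syntax check only

def _addresses(msg, *headers):
    # Bare addresses from the named headers (empty list if none present)
    values = [str(h) for name in headers for h in msg.get_all(name, [])]
    return [addr for _, addr in getaddresses(values) if addr]

def check_outbound(raw: bytes) -> list[str]:
    """Return policy findings for one outgoing message; empty list means compliant."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    visible = _addresses(msg, "To", "Cc")  # every recipient sees these
    hidden = _addresses(msg, "Bcc")        # hidden from the other recipients
    if len(visible) > 1:  # a.i: multiple recipients belong in Bcc:
        findings.append(f"{len(visible)} recipients visible in To:/Cc:; use Bcc: for mass sending")
    for addr in visible + hidden:  # a.ii: catch manual-input slips
        if not ADDR_RE.match(addr):
            findings.append(f"malformed recipient address {addr!r}; check manual input")
    external = [a for a in visible + hidden if not a.lower().endswith("@" + INTERNAL_DOMAIN)]
    attachments = [p.get_filename() or "<unnamed>" for p in msg.iter_attachments()]
    if external and attachments:  # a.iii: attachments leaving the organisation
        findings.append(f"attachments {attachments} go to external recipients {external}; "
                        "confirm they contain only the personal data intended")
    return findings

def build_message(to, cc=(), bcc=(), attachment=None) -> bytes:
    """Build a constructed sample message as RFC 5322 bytes, for exercising the check."""
    m = EmailMessage()
    m["From"], m["Subject"] = "hr@" + INTERNAL_DOMAIN, "Payslips"
    for name, addrs in (("To", to), ("Cc", cc), ("Bcc", bcc)):
        if addrs:
            m[name] = ", ".join(addrs)
    m.set_content("Please find the document attached.")
    if attachment:
        m.add_attachment(b"%PDF-1.4 constructed sample", maintype="application",
                         subtype="pdf", filename=attachment)
    return m.as_bytes()

# Constructed samples: one compliant mass mailing, one breaking all three rules
COMPLIANT = build_message(to=["hr@example.org"], bcc=["a@example.org", "b@example.org"])
VIOLATING = build_message(to=["a@example.org", "anna.silva@exampleorg", "c@partner.example"],
                          attachment="payslips.pdf")
```

A gateway would hold a message with findings in the 'Outbox' (item c above) until the sender confirms it, rather than blocking it outright.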

iv. Protection against malware

a. Use secure encryption, especially for access credentials, special data, highly
personal data, or financial data;
b. Create an updated, secure, and tested backup system, completely separate from
the main databases and without external accessibility;
c. Reinforce the system with anti-malware tools that include the ability to detect and
block ransomware threats in real-time.

v. Use of equipment in an external environment

a. Store data in internal systems protected by appropriate security measures and
remotely accessible through secure access mechanisms (VPN);
b. Allow access only through VPN;
c. Block accounts after several invalid login attempts;
d. Activate multi-factor authentication for equipment users;
e. Apply data encryption in the operating system;
f. Whenever applicable, activate the "remote wipe" and "find my device" features;
g. Automatically back up work folders when the equipment is connected to the
entity's network;
h. Define clear and appropriate rules for the use of equipment in an external
environment.

vi. Storage of paper documents containing personal data

a. Use durable paper and printing;
b. Store documentation in a location with humidity and temperature control;
c. Store documents containing sensitive personal data in a closed, fire-resistant, and
flood-resistant location;
d. Control access, with a record of the date and time of access, who accessed, and the
specific document(s) accessed;
e. Destroy documents using specific equipment that ensures secure destruction.

vii. Transport of information containing personal data

a. Adopt measures to prevent unauthorized reading, copying, altering, or deletion of
personal data during transport;

b. Use secure encryption during transport on mass-storage or archive media that may
be retained permanently (CD/DVD/USB drive).

Conclusion

21. Data controllers and processors are encouraged to define and implement
prevention plans in advance so that they can protect their systems and
infrastructure and have mechanisms ready to detect a personal data breach
and quickly mitigate its negative effects on the rights of the data subjects. This
incident response plan should include an assessment of the risk to these
individuals, which allows the data controller to conclude whether to notify the
data breach to the supervisory authority and the affected data subjects.
22. The necessary information to notify the supervisory authority can be provided
in phases, but this does not exclude the obligation of the data controller to act
in a timely manner to respond to the personal data breach.
23. Thus, under Article 57(1)(d) of the GDPR, the Portuguese Data Protection
Authority recommends that the data controller, as well as the processor (with
the necessary adaptations), adopt security measures listed in this guideline, as
appropriate to the characteristics and sensitivity of the personal data
processing carried out and to the specificities of their organization, in order to
comply with the obligations set out in Article 32(1) and (2) of the GDPR
regarding the security of personal data processing.

Approved at the CNPD meeting on January 10, 2023.

Note: translated using ChatGPT.

Please find the original here: https://www.cnpd.pt/comunicacao-publica/noticias/diretriz-sobre-medidas-de-seguranca/