Appropriate security measures

Where Article 32 of the GDPR is not applicable, the controller or processor must nevertheless implement security measures appropriate to the risks arising from the processing of personal data.

National security

Art. 32 GDRP does not apply to controllers and processors as far as they process personal data to safeguard national security or defense