Art. 24 and the second paragraph of Art. 25 ZVOP-1 regulate technical and organisational measures for the protection of personal data and the obligation of secrecy with regard to the processed personal data. In terms of content, they are very similar, yet more detailed, to Art. 32 GDPR. For example, they explicitly provide for some core measures companies should take to guarantee the security of personal data, such as protecting premises, equipment and software, preventing unauthorised access to personal data during transmission, and logging data processing activities.
With regard to the security of sensitive data, see also the section “Sensitive data”.