Case Law
WORTEN-EQUIPAMENTOS PARA O LAR SA V. ACT (AUTHORITY FOR WORKING CONDITIONS), 30.5.2013 (“WORTEN”)
Worten
Case Excerpts (5)
summary
Security: Data protection law requires controllers (not Member States) to adopt technical and organizational measures which, having regard to the state of the art and the cost of their implementation, are to ensure a level of security appropriate to the risks represented. The controller must ensure that only those persons duly authorized have access. (¶¶ 24–25, 28–29)
¶24 excerpt
It must be recalled that, in accordance with Article 17(1) of Directive 95/46 concerning security of processing, Member States are to provide that the controller must implement appropriate technical and organisational measures which, having regard to the state of the art and the cost of their implementation, are to ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected (see, to that effect, Rijkeboer, paragraph 62).
¶25 excerpt
It follows that, contrary to the premiss on which the second and third questions are based, Article 17(1) of Directive 95/46 does not require Member States, except where they act as controllers, to adopt those technical and organisational measures, as the obligation to adopt such measures concerns solely the controller; namely, in the present case, the employer. Article 17(1) of Directive 95/46 does, however, require the Member States to adopt a provision in their national law providing for that obligation.
¶28 excerpt
That line of argument cannot succeed. Contrary to the premiss on which it is based, the obligation for an employer, as a controller of personal data, to provide the national authority responsible for monitoring working conditions immediate access to the record of working time in no way implies that the personal data contained in that record must necessarily, on that ground alone, be made accessible to persons not authorised for that purpose. As the Portuguese government rightly pointed out, all controllers of personal data must, under Article 17(1) of Directive 95/46, implement appropriate technical and organisational measures to ensure that only those persons duly authorised to access the personal data in question are entitled to respond to a request for access from a third party.
¶29 excerpt
Accordingly, it does not appear that Article 17(1) of Directive 95/46 is relevant for the purposes of resolving the dispute in the main proceedings.