Guidelines 2/2020 on articles 46 (2) (a) and 46 (3) (b) of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies

Paragraph 2.3.4  Security and confidentiality of data 

22. The parties should commit to ensure the security and the confidentiality of the personal data processing and transfers they carry out. In particular, the parties should commit to having in place appropriate technical and organisational measures to protect personal data against accidental or unlawful access, destruction, loss, alteration, or unauthorised disclosure. These measures may include, for example, marking information as personal data transferred from the EEA, restricting who has access to personal data, providing secure storage of personal data, or implementing policies designed to ensure personal data are kept secure and confidential.

The level of security should take into consideration the risks, the state of the art and the related costs.

23. The international agreement may furthermore specify that, if one of the parties becomes aware of a personal data breach, it will inform the other party (ies) as soon as possible and use reasonable and appropriate means to remedy the personal data breach and minimise the potential adverse effects, including by communicating to the data subject a personal data breach, without undue delay, where that personal data breach is likely to result in a high risk to the rights and freedoms of the natural person. It is recommended that the notification timeline for a personal data breach as well as the procedures for communication to the data subject are defined in the international agreement.