GDPR Article 32
The GDPR clause requiring controllers and processors to implement appropriate technical and organizational measures — increasingly read to include behavioral controls.
Article 32 of the EU General Data Protection Regulation — Regulation (EU) 2016/679 — is the security clause of the GDPR. It requires the controller and processor to implement “appropriate technical and organisational measures to ensure a level of security appropriate to the risk.” The text is short — five paragraphs — but it is the article most often cited in CNIL and other supervisory authority sanctions because it is the operational link between the GDPR’s principles and what an organization actually does.
The article’s structure is:
- 32(1) — appropriate technical and organizational measures, taking into account the state of the art, costs, nature/scope/context/purposes of processing, and risk to data subjects. Lists examples: pseudonymisation, encryption, confidentiality/integrity/availability/resilience of systems, restoration after incident, regular testing.
- 32(2) — the assessment of “appropriate” security must consider risks of accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access.
- 32(3) — adherence to an approved code of conduct or certification mechanism may be used to demonstrate compliance.
- 32(4) — the controller and processor must ensure that any natural person acting under their authority who has access to personal data does not process it except on instructions from the controller — which in practice means staff have been trained and bound.
It is paragraph 32(4) — combined with the “organisational measures” wording of 32(1) — that grounds the regulator’s increasing focus on training and behavior. A 2022 CNIL deliberation against Cityscoot, for example, sanctioned insufficient password security under Article 32; multiple DPA decisions across the EU have cited inadequate awareness training. After NIS2 added explicit cybersecurity training obligations in Article 21, the question of what counts as an adequate organisational measure has been answered with: continuous, role-appropriate, evidence-producing training — not an annual click-through e-learning.
This is the shift Engarde (engarde.cc) was built for: producing the behavioral evidence that demonstrates Article 32 compliance in inspection — per-employee training history, behavior baselines, remediation curves — alongside the technical controls that ANSSI guides describe. Related EU frameworks: DORA for financial entities and NIS2 for essential and important entities.
Related terms
- CNIL (Commission nationale de l'informatique et des libertés): France's independent data-protection authority — enforces GDPR, runs the 72-hour breach-notification clock and publishes binding guidance on personal-data handling.
- NIS2: EU Directive 2022/2555 raising cybersecurity obligations across essential and important entities, with behavioral controls and training now in audit scope.
- DORA (Digital Operational Resilience Act): EU Regulation 2022/2554 making digital operational resilience — including human-factor controls — directly binding on financial entities since 17 January 2025.
- ANSSI (Agence nationale de la sécurité des systèmes d'information): France's national cybersecurity agency — publishes the guidance, certifications (SecNumCloud, CSPN) and incident-response posture French organizations align with.
- Behavioral evidence: The audit artifact showing that a risky behavior was detected, the employee was nudged, and the behavior was corrected — increasingly demanded over training completion certificates.