Source: OJ L 333, 27.12.2022, p. 80–152
ENRecital 121 Lawful processing of personal data
The processing of personal data means personal data as defined in Article 4, point (1), of Regulation (EU) 2016/679;, to the extent necessary and proportionate for the purpose of ensuring security of network and information systems means the ability of network and information systems to resist, at a given level of confidence, any event that may compromise the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, those network and information systems; by essential and important entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;, could be considered to be lawful on the basis that such processing complies with a legal obligation to which the controller is subject, in accordance with the requirements of Article 6(1), point (c), and Article 6(3) of Regulation (EU) 2016/679. Processing of personal data means personal data as defined in Article 4, point (1), of Regulation (EU) 2016/679; could also be necessary for legitimate interests pursued by essential and important entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;, as well as providers of security technologies and services acting on behalf of those entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;, pursuant to Article 6(1), point (f), of Regulation (EU) 2016/679, including where such processing is necessary for cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; information-sharing arrangements or the voluntary notification of relevant information in accordance with this Directive. Measures related to the prevention, detection, identification, containment, analysis and response to incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555;, measures to raise awareness in relation to specific cyber threats means a cyber threat as defined in Article 2, point (8), of Regulation (EU) 2019/881;, exchange of information in the context of vulnerability means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; remediation and coordinated vulnerability means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; disclosure, the voluntary exchange of information about those incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555;, and cyber threats means a cyber threat as defined in Article 2, point (8), of Regulation (EU) 2019/881; and vulnerabilities means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat;, indicators of compromise, tactics, techniques and procedures, cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; alerts and configuration tools could require the processing of certain categories of personal data means personal data as defined in Article 4, point (1), of Regulation (EU) 2016/679;, such as IP addresses, uniform resources locators (URLs), domain names, email addresses and, where they reveal personal data means personal data as defined in Article 4, point (1), of Regulation (EU) 2016/679;, time stamps. Processing of personal data means personal data as defined in Article 4, point (1), of Regulation (EU) 2016/679; by the competent authoritiesas defined in Article 46, the single points of contact and the CSIRTscomputer security incident response teams, could constitute a legal obligation or be considered to be necessary for carrying out a task in the public interest or in the exercise of official authority vested in the controller pursuant to Article 6(1), point (c) or (e), and Article 6(3) of Regulation (EU) 2016/679, or for pursuing a legitimate interest of the essential and important entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;, as referred to in Article 6(1), point (f), of that Regulation. Furthermore, national law could lay down rules allowing the competent authoritiesas defined in Article 46, the single points of contact and the CSIRTscomputer security incident response teams, to the extent that is necessary and proportionate for the purpose of ensuring the security of network and information systems means the ability of network and information systems to resist, at a given level of confidence, any event that may compromise the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, those network and information systems; of essential and important entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;, to process special categories of personal data means personal data as defined in Article 4, point (1), of Regulation (EU) 2016/679; in accordance with Article 9 of Regulation (EU) 2016/679, in particular by providing for suitable and specific measures to safeguard the fundamental rights and interests of natural persons, including technical limitations on the re-use of such data and the use of state-of-the-art security and privacy-preserving measures, such as pseudonymisation, or encryption where anonymisation may significantly affect the purpose pursued.