9. Security of Processing

(1) The Data Controller shall implement appropriate technical and organisational measures to protect Personal Data against unauthorised or unlawful Processing and against accidental loss or destruction of, or damage to, such Personal Data.
(2) Having regard to the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the Processing and the nature of the Personal Data to be protected.
(3) The Data Controller shall, where Processing is carried out on its behalf, choose a Data Processor providing sufficient guarantees in respect of the technical security measures and organisational measures governing the Processing to be carried out, and shall ensure compliance with those measures.
(4) In the event of an unauthorised intrusion (including any loss of devices containing Personal Data or unauthorised disclosures) whether physical, electronic or otherwise, to any Personal Data held by a Data Processor, the Data Processor shall inform the Data Controller of the incident as soon as reasonably practicable.
(5) In the event of an unauthorised intrusion (including any loss of devices containing Personal Data or unauthorised disclosures) whether physical, electronic or otherwise, to any Personal Data, including by any of its Data Processors, the Data Controller shall inform the Registrar of the incident as soon as reasonably practicable.