Art. 95 (1) TKG 2003 obliges operators of public communications services to issue data security measures for each service provided by the operator. In case of a particular risk of a violation of confidentiality, the operator must, according to Art. 95 (2) TKG 2003, inform the subscriber concerning such risk and, where the risk lies outside the scope of the measures to be taken by the operator, of any possible remedies including their costs. Moreover, operators of public communications services must take data security measures for the following purposes in any case:
- to ensure that personal data can be accessed only by authorised personnel for legally authorised purposes;
- to protect personal data stored or transmitted against accidental or unlawful destruction, accidental loss or alteration, and unauthorised or unlawful storage, processing, access or disclosure;
- to ensure the implementation of a security policy with respect to the processing of personal data.
RTR as the competent regulatory authority according to Art. 95 (3) TKG 2003 may review the measures taken by the operators of public communications services and issue recommendations with regard to the security level to be reached. In order to review the measures, RTR may request the operator according to Art. 90 TKG 2003 to provide the required information.