Technical and organisational measures

Introduction

The Processor shall ensure appropriate technical and organisational measures that comply with the state of the art, that take into account the implementation costs as well as the specific risks and that are suitable to effectively safeguard an appropriate level of protection of the rights of data subjects. The Controller shall assess the risks to the rights and freedoms of natural persons associated with the processing and implement measures to mitigate those risks.

The state of the art describes advanced procedures, facilities and operating methods that can, according to prevalent opinion of leading experts, achieve the legally required goals in data protection and security. Procedures, facilities and operating methods or comparable procedures, facilities and operating methods must have proven themselves in practice or - if this is not yet the case - should, if possible, have been successfully tested in operation.

In order to document the implementation of the technical and organisational measures, the Processor shall provide the Controller with a data protection report describing the actual implementation of the technical and organisational measures upon the Controller's request. The Controller reserves the right to request the data protection report periodically (once a year) or on an ad hoc basis. The Processor shall provide the data protection report to the Controller within a reasonable period of time without charging any costs to the Controller. The structure of the data protection report is as follows, but may be narrower or broader depending on the needs and instructions of the Controller:

Access control

Unauthorised persons shall be prohibited from accessing the facilities where personal data are processed. The Processor shall implement the following access control measures:
    Surveillance system with alarm system, video/television monitor
    Door security (personal keys, electric door openers, individual entry, etc.)
    Lockable room
    Lockable computer cabinets/units
    Access authorisations are exclusively assigned according to an access regulation
    Screens not in the field of vision of unauthorised persons and bystanders
    Access and tap-proof cable laying
    Signed confidentiality agreement before entering the office premises

Data carrier control

Unauthorised persons must be prevented from reading, copying, changing or removing data carriers. The measures are defined in 3.3 "Storage control".

Storage control

Unauthorised storage, as well as unauthorised inspection, modification or deletion of stored personal data must be prevented. The Processor shall implement the following measures within the scope of storage control:
    Personal data is stored exclusively for a specific purpose, separately from data stored for other purposes (e.g. in test and production environments).
    The storage is separate from the data of other clients (e.g. in the case of multi-client capability of the corresponding applications and the underlying database systems)
    The storage takes place exclusively temporarily in a virtual system (sandbox) assigned to the client
    Contractual agreements with partner companies
    Disclosure of personal data internally, as well as to third parties (production partners) only takes place through encrypted data records

Usage control

To prevent unauthorized access to automated data processing systems, particularly through data transmission equipment (e.g., remote access), the following measures are implemented as part of the data media control:
    User Rights Management
    User rights are assigned exclusively by system administrators, ensuring that only authorized personnel have access to specific systems and data.
    Each user is provided with a separate, unique user account to maintain accountability and traceability.
    Login Procedures and Password Security
    User logins require a secure user ID and password, adhering to company-wide password policies.
    Initial passwords assigned by administrators must be changed immediately upon first login by the user to ensure they are known only to the user.
    Passwords must meet security criteria, including a minimum length of 10 characters, inclusion of characters from at least three of the following categories: uppercase letters, lowercase letters, numbers, and special characters. Insecure passwords are rejected.
    Passwords have a defined expiration period, with regular forced changes to enhance security.
    Two-Factor Authentication (2FA)
    User logins are protected by two-factor authentication (2FA) to add an additional layer of security, particularly for remote access to systems.
    Password Encryption and Storage
    All passwords are stored only in one-way transformed form (salted hash values), never in clear text, to prevent unauthorised access.
    Login Monitoring and Security Protocols
    Logins and failed login attempts are logged for monitoring and audit purposes.
    In the event of multiple failed login attempts, accounts are automatically blocked or paused to prevent brute force attacks.
    Users and their profiles are assigned to specific workstations, ensuring that access is limited to designated areas.
    Security Activation and Safeguards
    Service company identifiers (e.g., accounts or access codes) are only activated when necessary, reducing exposure to unauthorized access.
    Password-protected screensavers are enforced to secure systems when left unattended.
    Cybersecurity Awareness and Training
    A monthly meeting is held to review cybersecurity measures and discuss any suspicious activities or vulnerabilities.
    As part of the recruiting process, basic cybersecurity knowledge is required, ensuring that new employees are equipped to follow security protocols effectively.
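As an added illustration of the login and password controls listed above (example code, not part of the agreement and not the Processor's own tooling), the following Python sketch implements the stated policy end to end: a 10-character minimum with three of the four character classes, salted one-way password storage, a forced change of the administrator-assigned initial password, a log entry for every login and failed attempt, and an automatic block after repeated failures. The lockout threshold (5 attempts), the lockout duration (15 minutes) and the PBKDF2 iteration count are assumptions; the agreement only says "multiple failed login attempts".

```python
import hashlib
import hmac
import os
import string
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

MIN_LENGTH = 10            # from the agreement: minimum length of 10 characters
REQUIRED_CATEGORIES = 3    # from the agreement: three of the four character classes
MAX_FAILED_ATTEMPTS = 5    # assumption: the agreement only says "multiple"
LOCKOUT_PERIOD = timedelta(minutes=15)  # assumption: duration of the automatic block
PBKDF2_ITERATIONS = 100_000             # assumption: kept small for the demo; raise in production


def password_meets_policy(password: str) -> bool:
    """At least 10 characters and three of: upper case, lower case, digits, special characters."""
    if len(password) < MIN_LENGTH:
        return False
    categories = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return sum(categories) >= REQUIRED_CATEGORIES


def hash_password(password: str, salt: Optional[bytes] = None):
    """Salted one-way transform (PBKDF2-HMAC-SHA256); the clear-text password is never stored."""
    if salt is None:
        salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the salted hash and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    must_change_password: bool = True   # the initial password was set by an administrator
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None


class LoginService:
    def __init__(self):
        self.accounts = {}
        self.audit_log = []   # every login and every failed attempt is recorded here

    def _log(self, now, username, event):
        self.audit_log.append({"time": now.isoformat(), "user": username, "event": event})

    def create_account(self, username, initial_password):
        """Administrator-created account; the user must replace the initial password at first login."""
        salt, digest = hash_password(initial_password)
        self.accounts[username] = Account(username, salt, digest)

    def login(self, username, password, now=None):
        """Returns 'ok', 'password_change_required', 'locked' or 'invalid'."""
        now = now or datetime.now(timezone.utc)
        account = self.accounts.get(username)
        if account is None:
            hash_password(password)   # same cost as a real check, so timing does not reveal unknown users
            self._log(now, username, "login_failed_unknown_user")
            return "invalid"
        if account.locked_until is not None and now < account.locked_until:
            self._log(now, username, "login_rejected_locked")
            return "locked"
        if not verify_password(password, account.salt, account.digest):
            account.failed_attempts += 1
            if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
                account.locked_until = now + LOCKOUT_PERIOD   # automatic block after repeated failures
                self._log(now, username, "account_locked")
            else:
                self._log(now, username, "login_failed")
            return "invalid"
        account.failed_attempts = 0
        account.locked_until = None
        if account.must_change_password:
            self._log(now, username, "login_ok_password_change_required")
            return "password_change_required"
        self._log(now, username, "login_ok")
        return "ok"

    def change_password(self, username, old_password, new_password, now=None):
        """Enforces the policy on the new password; returns True when the change was applied."""
        now = now or datetime.now(timezone.utc)
        account = self.accounts[username]
        if not verify_password(old_password, account.salt, account.digest):
            self._log(now, username, "password_change_failed")
            return False
        if new_password == old_password or not password_meets_policy(new_password):
            self._log(now, username, "password_rejected_policy")   # insecure passwords are rejected
            return False
        account.salt, account.digest = hash_password(new_password)
        account.must_change_password = False
        self._log(now, username, "password_changed")
        return True


def run_scenario():
    """Constructed walk-through of the controls above; returns the observed outcomes."""
    svc = LoginService()
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    svc.create_account("alice", "Initial-Pass-42")   # constructed administrator-assigned password
    result = {}
    result["first_login"] = svc.login("alice", "Initial-Pass-42", t0)
    result["weak_change"] = svc.change_password("alice", "Initial-Pass-42", "alllowercase1", t0)
    result["good_change"] = svc.change_password("alice", "Initial-Pass-42", "Correct-Horse-9", t0)
    result["normal_login"] = svc.login("alice", "Correct-Horse-9", t0)
    result["failed_attempts"] = [
        svc.login("alice", "guess", t0 + timedelta(seconds=i)) for i in range(MAX_FAILED_ATTEMPTS)
    ]
    result["locked_login"] = svc.login("alice", "Correct-Horse-9", t0 + timedelta(minutes=1))
    result["after_lockout"] = svc.login("alice", "Correct-Horse-9", t0 + LOCKOUT_PERIOD + timedelta(minutes=1))
    result["events"] = [entry["event"] for entry in svc.audit_log]
    return result


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The audit log here is an in-memory list; in a real deployment it would be written to a log system that the login service itself cannot alter, and the failed-attempt counter would live in shared storage so that the block also holds across several application instances.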

Access control

Access by authorised persons shall be limited to the personal data they need to perform their task. The Processor shall implement the following access control measures:
    Differentiated authorisations according to a defined authorisation concept
    Profiles, roles, transactions and objects for evaluations, knowledge, modification, deletion
    No uncontrolled access to personal data by open user groups
    Logging of access to particularly sensitive data (read, change, delete)
    Separation of system files and user files
    Separation of system files of different applications
    Separation of user files of different users
    Virus protection programmes with automated regular updates
    Encryption of locally stored data
    Targeted, regular control of authorised devices in the system

Transfer control

It must be possible to review the facilities used for data transfers and to determine to which parts personal data is transferred or provided. Data recipients to whom personal data are disclosed via data transfer (e.g. by remote access) must be identifiable. The measures are defined in 3.8 "Transport control".

Input control

In automated systems, it must be possible to subsequently check which personal data were entered at what time and by which person (log data). The Processor takes the following measure in the context of input control:
    Entries of personal data can be traced, the detailed circumstances (time and context), the person entering the data and the respective basis of the entry are logged.
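The bullet above lists what an input-control log must capture for each entry: time and context, the person entering the data, and the basis of the entry. The following Python sketch is an added example, not the Processor's tooling: it records exactly those fields per entry and, as an assumed way of protecting the log data against later manipulation, links each record to the previous one with a keyed hash (HMAC) so that an edited or deleted record is detected on verification. Field names, the sample entries and the key are constructed.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

GENESIS = b"\x00" * 32   # chain anchor for the first record


def canonical(record: dict) -> bytes:
    """Stable byte encoding of a record so the MAC is reproducible."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


class InputAuditLog:
    """Append-only log of personal-data entries; each record is chained to its predecessor by an HMAC."""

    def __init__(self, key: bytes):
        self._key = key          # must be held outside the logged system (see note below)
        self.records = []
        self._last_mac = GENESIS

    def record(self, actor, data_subject, field, basis, context, when=None):
        when = when or datetime.now(timezone.utc)
        entry = {
            "seq": len(self.records),
            "time": when.isoformat(),        # when the entry was made
            "actor": actor,                  # who entered the data
            "data_subject": data_subject,    # whose personal data was entered
            "field": field,                  # which personal data
            "basis": basis,                  # basis of the entry (order, consent, ...)
            "context": context,              # application or process context
            "prev": self._last_mac.hex(),    # link to the previous record
        }
        mac = hmac.new(self._key, canonical(entry), hashlib.sha256).digest()
        entry["mac"] = mac.hex()
        self.records.append(entry)
        self._last_mac = mac
        return entry

    def verify(self):
        """Returns (True, -1) if the chain is intact, else (False, index of the first bad record)."""
        prev = GENESIS
        for i, entry in enumerate(self.records):
            body = {k: v for k, v in entry.items() if k != "mac"}
            expected = hmac.new(self._key, canonical(body), hashlib.sha256).digest()
            stored = bytes.fromhex(entry.get("mac", ""))
            if body.get("seq") != i or body.get("prev") != prev.hex() \
                    or not hmac.compare_digest(expected, stored):
                return False, i
            prev = expected
        return True, -1


def build_sample_log(key: bytes) -> InputAuditLog:
    """Three constructed entries, as an order-processing application might record them."""
    log = InputAuditLog(key)
    t = datetime(2024, 3, 4, 10, 15, tzinfo=timezone.utc)
    log.record("clerk01", "customer-1001", "postal_address", "order A-17", "order_entry", t)
    log.record("clerk02", "customer-1002", "email", "newsletter consent", "crm", t.replace(minute=20))
    log.record("clerk01", "customer-1001", "phone", "delivery notice", "order_entry", t.replace(minute=30))
    return log


def tamper_demo() -> dict:
    """Shows that an edited record and a deleted record are both detected on verification."""
    key = b"constructed-demo-key-keep-out-of-the-app"   # constructed; hold the real key in a KMS or on the log host
    intact = build_sample_log(key)
    edited = build_sample_log(key)
    edited.records[1]["actor"] = "clerk03"     # silently change who entered the data
    deleted = build_sample_log(key)
    del deleted.records[1]                     # remove a record from the middle of the log
    return {"intact": intact.verify(), "edited": edited.verify(), "deleted": deleted.verify()}


if __name__ == "__main__":
    for name, outcome in tamper_demo().items():
        print(f"{name}: {outcome}")
```

Two caveats belong with this design. The key must be kept away from the system whose entries are logged (on a separate log host or in a key management service); whoever holds both the records and the key can recompute the chain. And chaining detects edits and gaps in the middle, but truncation at the tail is only detectable if the most recent MAC is also anchored somewhere the log writer cannot change, for example by periodically exporting it to the Controller's report.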

Transport control

During the disclosure of personal data as well as during the transport of data carriers, it must be prevented that data are read, copied, changed or deleted without authorisation. The Processor shall implement the following transport control measures:
    Implementing regulations exist for the transfer of personal data (e.g. transport routes, means, times, containers, mode of dispatch)
    Data delivery and data reception are exclusively logged (identity of the sender/recipient, time, content and scope of the transfer)
    The data transfer takes place in encrypted form
    There are implementation rules for the archiving of the data carriers (media) used for the transfer
    The data carriers (media) used for the transfer will be deleted/destroyed after completion of the transfer in accordance with data protection regulations
    Data carriers and documents are always kept under lock and key; access is only possible for a dedicated group of authorised persons
    Before data media are reused or disposed of, they are always completely (physically) erased in accordance with the respective state of the art. Printouts and files or parts of files are disposed of in a data protection-compliant and appropriate manner as soon as their intended use is no longer given.

Recovery control

Depending on the need for protection, it must be ensured that deployed systems can be recovered in the event of a malfunction. The Processor shall implement the following measures as part of recovery control:
    A data protection concept is available for personal data, for the application programmes for their processing as well as for the correspondingly required system environment.
    Only high quality data carriers are used for data backup
    Restoring individual files is possible without much effort, and the availability of backup data and a suitable infrastructure (readers and software) is ensured.
    The data carriers for data backup are kept under lock and key and are only accessible to the system administrators entrusted with this task

Performance control

It must be ensured that, depending on the protection requirements, all functions of the system are available (availability, resilience), any malfunctions that occur are reported (reliability) and stored personal data cannot be damaged or disclosed by malfunctions of the system (integrity, confidentiality). The Processor shall implement the following performance control measures:
    Log data is protected against manipulation
    Log data is deleted as soon as it is no longer required
    There is a list of the IT equipment used as well as dedicated documentation of the hardware including the network connection
    A register of the processing activities used is available
    Work instructions are available in writing and are known (trained) to all employees involved in processing
    Employees are trained on their obligations to cooperate under data protection law. The training is documented
    Certifications or audits are carried out by independent or internal bodies. A data protection officer is appointed to perform tasks pursuant to Art 39 GDPR
    A data breach notification concept is in place
    Employees were informed in a documented manner about reporting channels and emergency plans in the event of data protection violations
    It is ensured that the Controller is informed about data protection breaches
    Measures are established to ensure that the principle of data minimisation and purpose limitation are observed when processing personal data
    It is ensured that default settings limit the processing of personal data to what is necessary for the purpose of processing
    The execution of the order is ensured by internal control measures with regard to the qualitative, quantitative and temporal requirements of the order
    The processing of personal data by Sub-processors is carried out on the basis of processing agreements pursuant to Art 28 GDPR

Data Breach Detection and Monitoring

Measures shall be taken for the timely detection and traceability of (i) unauthorised access to or disclosure of personal data and (ii) any event that may lead to a personal data breach. The Processor shall implement the following detection and monitoring measures:
    Detection of data breaches and unauthorised access is done through warnings from the management software
    Ongoing monitoring of access authorisations
    Implementation of 2-factor authentication when accessing data

As part of the control of compliance with the above data protection requirements, the implementation of and compliance with the technical organisational measures may be audited by the Controller or a third party appointed by him. The Controller reserves the right to determine the audit interval and the audit depth. Due to data protection incidents on the one hand, or proof of compliance with data protection and data security requirements, such as data protection-specific certification procedures approved by the supervisory authority as well as data protection seals and seals of approval on the other hand, the audit interval and the audit depth may be narrower or wider.

As a result, the Processor must provide sufficient guarantees that appropriate technical organisational measures are implemented in such a way that all data protection and data security requirements are met, thereby ensuring an adequate level of protection for the rights of the data subject.