Technical and organisational measures

Introduction

The Processor shall ensure appropriate technical and organisational measures that comply with the state of the art, that take into account the implementation costs as well as the specific risks and that are suitable to effectively safeguard an appropriate level of protection of the rights of data subjects. The Controller shall assess the risks to the rights and freedoms of natural persons associated with the processing and implement measures to mitigate those risks.

The state of the art describes advanced procedures, facilities and operating methods that can, according to prevalent opinion of leading experts, achieve the legally required goals in data protection and security. Procedures, facilities and operating methods or comparable procedures, facilities and operating methods must have proven themselves in practice or - if this is not yet the case - should, if possible, have been successfully tested in operation.

In order to document the implementation of the technical and organisational measures, the Processor shall, upon the Controller's request, provide the Controller with a data protection report describing the actual implementation of those measures. The Controller reserves the right to request the data protection report periodically (once a year) or on an ad hoc basis. The Processor shall provide the data protection report to the Controller within a reasonable period of time without charging any costs to the Controller. The structure of the data protection report is as follows, but may be narrower or broader depending on the needs and instructions of the Controller:

3.1 Access control

Unauthorised persons shall be prohibited from accessing the facilities where personal data are processed. The Processor shall implement the following access control measures:
    1. Surveillance system with alarm system and video/television monitoring
    2. Door security (personal keys, electric door openers, individual entry, etc.)
    3. Lockable rooms
    4. Lockable computer cabinets/units
    5. Access authorisations are assigned exclusively according to an access regulation
    6. Screens are positioned out of the field of vision of unauthorised persons and bystanders
    7. Access-proof and tap-proof cable routing
    8. Signed confidentiality agreement before entering the office premises

3.2 Data carrier control

Unauthorised persons must be prevented from reading, copying, changing or removing data carriers. The measures are defined in 3.3 "Storage control".

3.3 Storage control

Unauthorised storage, as well as unauthorised inspection, modification or deletion of stored personal data, must be prevented. The Processor shall implement the following measures within the scope of storage control:
    1. Personal data is stored exclusively for a specific purpose and separately from data stored for other purposes (e.g. in test and production environments)
    2. Data is stored separately from the data of other clients (e.g. where the corresponding applications and the underlying database systems are multi-client capable)
    3. Storage takes place exclusively temporarily in a virtual system (sandbox) assigned to the client
    4. Contractual agreements are in place with partner companies
    5. Disclosure of personal data internally, as well as to third parties (production partners), takes place only via encrypted data records

3.4 Usage control

The use of automated data processing systems by means of data transmission equipment (e.g. by remote access) by unauthorised persons shall be prevented. The Processor shall implement the following measures as part of usage control:
    1. Assignment of user rights exclusively by system administrators
    2. Creation of a separate user account for each individual user
    3. Login procedure with user ID and password
    4. Enforced compliance with password rules
    5. Forced change of the initial password assigned by the administrator
    6. Rejection of insecure passwords; minimum password length of 8 characters
    7. Time limit on the validity period of passwords
    8. User logins require two-factor authentication
    9. Encrypted storage of passwords
    10. Logging of logins and failed login attempts
    11. Automatic blocking or suspension of the account after repeated failed attempts
    12. Assignment of users and user profiles to specific workplaces
    13. Accounts of service companies are activated only when required
    14. Screensaver with password protection
    15. Monthly meeting on cyber security measures and possible suspicious activities; the recruiting process requires basic knowledge in the field of cyber security

3.5 Access control

Access by authorised persons shall be limited to the personal data they need to perform their tasks. The Processor shall implement the following access control measures:
    1. Differentiated authorisations according to a defined authorisation concept
    2. Profiles, roles, transactions and objects for evaluation, knowledge, modification and deletion
    3. No uncontrolled access to personal data by open user groups
    4. Logging of access to particularly sensitive data (read, change, delete)
    5. Separation of system files and user files
    6. Separation of system files of different applications
    7. Separation of user files of different users
    8. Virus protection programmes with automated regular updates
    9. Encryption of locally stored data
    10. Targeted, regular checks of the devices authorised in the system

3.6 Transfer control

It must be possible to review the facilities used for data transfers and to determine in which parts personal data are transferred or provided. Data recipients to whom personal data are disclosed via data transfer (e.g. by remote access) must be identifiable. The measures are defined in 3.8 "Transport control".

3.7 Input control

In automated systems, it must be possible to subsequently check which personal data were entered at what time and by which person (log data). The Processor shall implement the following measure as part of input control:
    1. Entries of personal data can be traced: the detailed circumstances (time and context), the person entering the data and the respective basis of the entry are logged.

3.8 Transport control

During the disclosure of personal data as well as during the transport of data carriers, it must be prevented that data are read, copied, changed or deleted without authorisation. The Processor shall implement the following transport control measures:
    1. Implementing regulations exist for the transfer of personal data (e.g. transport routes, means, times, containers, mode of dispatch)
    2. Data delivery and data reception are logged without exception (identity of the sender/recipient, time, content and scope of the transfer)
    3. Data transfers take place in encrypted form
    4. Implementation rules exist for the archiving of the data carriers (media) used for the transfer
    5. The data carriers (media) used for the transfer are deleted/destroyed after completion of the transfer in accordance with data protection regulations
    6. Data carriers and documents are always kept under lock and key; access is only possible for a dedicated group of authorised persons
    7. Before data media are reused or disposed of, they are always completely (physically) erased in accordance with the respective state of the art. Printouts and files or parts of files are disposed of in a data protection-compliant and appropriate manner as soon as their intended use no longer applies.

3.9 Recovery control

Depending on the need for protection, it must be ensured that deployed systems can be recovered in the event of a malfunction. The Processor shall implement the following measures as part of recovery control:
    1. A data backup concept is in place for personal data, for the application programmes used to process it and for the correspondingly required system environment
    2. Only high-quality data carriers are used for data backups
    3. Individual files can be restored without much effort, and the availability of backup data and a suitable infrastructure (readers and software) is ensured
    4. The data carriers used for data backups are kept under lock and key and are accessible only to the system administrators entrusted with this task

3.10 Performance control

It must be ensured that, depending on the protection requirements, all functions of the system are available (availability, resilience), any malfunctions that occur are reported (reliability) and stored personal data cannot be damaged or disclosed by malfunctions of the system (integrity, confidentiality). The Processor shall implement the following performance control measures:
    1. Log data is protected against manipulation
    2. Log data is deleted as soon as it is no longer required
    3. A list of the IT equipment used is maintained, together with dedicated documentation of the hardware including its network connections
    4. A register of processing activities is available
    5. Work instructions are available in writing and are known (trained) to all employees involved in processing
    6. Employees are trained on their obligations to cooperate under data protection law; the training is documented
    7. Certifications or audits are carried out by independent or internal bodies; a data protection officer is appointed to perform the tasks pursuant to Art. 39 GDPR
    8. A data breach notification concept is in place
    9. Employees have been informed in a documented manner about reporting channels and emergency plans in the event of data protection violations
    10. It is ensured that the Controller is informed about data protection breaches
    11. Measures are established to ensure that the principles of data minimisation and purpose limitation are observed when processing personal data
    12. It is ensured that default settings limit the processing of personal data to what is necessary for the purpose of processing
    13. The execution of the order is ensured by internal control measures with regard to the qualitative, quantitative and temporal requirements of the order
    14. The processing of personal data by Sub-processors is carried out on the basis of processing agreements pursuant to Art. 28 GDPR


3.11 Data Breach Detection and Monitoring

Measures shall be taken for the timely detection and traceability of (i) unauthorised access to or disclosure of personal data and (ii) any event that may lead to a personal data breach. The Processor shall implement the following measures:
    1. Data breaches and unauthorised access are detected through warnings from the management software
    2. Ongoing monitoring of access authorisations
    3. Implementation of two-factor authentication for access to data

a) As part of the control of compliance with the above data protection requirements, the implementation of and compliance with the technical and organisational measures may be audited by the Controller or by a third party appointed by the Controller. The Controller reserves the right to determine the audit interval and the audit depth. The audit interval and the audit depth may be narrower or wider depending, on the one hand, on data protection incidents and, on the other hand, on proof of compliance with data protection and data security requirements, such as data protection-specific certification procedures approved by the supervisory authority or data protection seals and marks.
b) As a result, the Processor must provide sufficient guarantees that appropriate technical and organisational measures are implemented in such a way that all data protection and data security requirements are met, thereby ensuring an adequate level of protection for the rights of the data subjects.