The Processor shall ensure appropriate technical and organisational measures that comply with the state of the art, that take into account the implementation costs as well as the specific risks and that are suitable to effectively safeguard an appropriate level of protection of the rights of data subjects. The Controller shall assess the risks to the rights and freedoms of natural persons associated with the processing and implement measures to mitigate those risks.
The state of the art describes advanced procedures, facilities and operating methods that can, according to prevalent opinion of leading experts, achieve the legally required goals in data protection and security. Procedures, facilities and operating methods or comparable procedures, facilities and operating methods must have proven themselves in practice or - if this is not yet the case - should, if possible, have been successfully tested in operation.
In order to document the implementation of the technical and organisational measures, the Processor shall provide the Controller with a data protection report describing the actual implementation of the technical and organisational measures upon the Controller's request. The Controller reserves the right to request the data protection report periodically (once a year) or on an ad hoc basis. The Processor shall provide the data protection report to the controller within a reasonable period of time without charging any costs to the Controller. The structure of the data protection report is as follows, but may be narrower or broader depending on the needs and instructions of the Controller:
Unauthorised persons shall be prohibited from accessing the facilities where personal data are processed. The Processor shall implement the following access control measures:
.1Surveillance system with alarm system, video/television monitor
.2Door security (personal keys, electric door openers, individual entry, etc.)
.3Lockable room
.4Lockable computer cabinets/units
.5Access authorisations are exclusively assigned according to an access regulation
.6Screens not in the field of vision of unauthorised persons and bystanders
.7Access and tap-proof cable laying
.8signed confidentiality agreement before entering the office premises.
Unauthorised persons must be prevented from reading, copying, changing or removing data carriers. The measures are defined in 3.3. "Storage control"
Unauthorised storage, as well as unauthorised inspection, modification or deletion of stored personal data must be prevented. The Processor shall implement the following measures within the scope of storage control:
.1Personal data is stored exclusively for a specific purpose, separately from data stored for other purposes (e.g. in test and production environments).
.2The storage is separate from the data of other clients (e.g. in the case of multi-client capability of the corresponding applications and the underlying database systems)
.3The storage takes place exclusively temporarily in a virtual system (sandbox) assigned to the client
.4Contractual agreements with partner companies
.5Disclosure of personal data internally, as well as to third parties (production partners) only takes place through encrypted data records
To prevent unauthorized access to automated data processing systems, particularly through data transmission equipment (e.g., remote access), the following measures are implemented as part of the data media control:
.1
.aUser rights are assigned exclusively by system administrators, ensuring that only authorized personnel have access to specific systems and data.
.bEach user is provided with a separate, unique user account to maintain accountability and traceability.
.2
.aUser logins require a secure user ID and password, adhering to company-wide password policies.
.bInitial passwords assigned by administrators must be changed immediately upon first login by the user to ensure they are known only to the user.
.cPasswords must meet security criteria, including a minimum length of 10 characters, inclusion of characters from at least three of the following categories: uppercase letters, lowercase letters, numbers, and special characters. Insecure passwords are rejected.
.dPasswords have a defined expiration period, with regular forced changes to enhance security.
.3User logins are protected by two-factor authentication (2FA) to add an additional layer of security, particularly for remote access to systems.
.4All passwords are stored using encrypted, one-way encryption methods or salted hash values to prevent unauthorized access.
.5
.aLogins and failed login attempts are logged for monitoring and audit purposes.
.bIn the event of multiple failed login attempts, accounts are automatically blocked or paused to prevent brute force attacks.
.cUsers and their profiles are assigned to specific workstations, ensuring that access is limited to designated areas.
.6
.aService company identifiers (e.g., accounts or access codes) are only activated when necessary, reducing exposure to unauthorized access.
.bPassword-protected screensavers are enforced to secure systems when left unattended.
.7
.aA monthly meeting is held to review cybersecurity measures and discuss any suspicious activities or vulnerabilities.
.bAs part of the recruiting process, basic cybersecurity knowledge is required, ensuring that new employees are equipped to follow security protocols effectively.
Access by authorised persons shall be limited to the personal data they need to perform their task. The Processor shall implement the following access control measures:
.1Differentiated authorisations according to a defined authorisation concept
.2Profiles, roles, transactions and objects for evaluations, knowledge, modification, deletion
.3No uncontrolled access to personal data by open user groups Logging of access to particularly sensitive data (read, change, delete) Separation of system files and user files
.4Separation of system files of different applications
.5Separation of user files of different users
.6Virus protection programmes with automated regular updates Encryption of locally stored data
.7Targeted, regular control of authorised devices in the system
it has to be possible to review facilities used for data transfers and determine in which parts personal data is transferred or provided. Data recipients to whom personal data are disclosed via data transfer (e.g. by remote access) must be identifiable. The measures are defined in 3.8 "Transport control".
In automated systems, it must be possible to subsequently check which personal data were entered at what time and by which person (log data). The following measure is taken by the processor in the context of access control:
.1Entries of personal data can be traced, the detailed circumstances (time and context), the person entering the data and the respective basis of the entry are logged.
During the disclosure of personal data as well as during the transport of data carriers, it must be prevented that data are read, copied, changed or deleted without authorisation. The Processor shall implement the following access control measures:
.1Implementing regulations exist for the transfer of personal data (e.g. transport routes, means, times, containers, mode of dispatch)
.2Data delivery and data reception are exclusively logged (identity of the sender/recipient, time, content and scope of the transfer)
.3The data transfer takes place in encrypted form
.4There are implementation rules for the archiving of the data carriers (media) used for the transfer
.5The data carriers (media) used for the transfer will be deleted/destroyed after completion of the transfer in accordance with data protection regulations
.6Data carriers and documents are always kept under lock and key; access is only possible for a dedicated group of authorised persons
.7Before data media are reused or disposed of, they are always completely (physically) erased in accordance with the respective state of the art. Printouts and files or parts of files are disposed of in a data protection-compliant and appropriate manner as soon as their intended use is no longer given.
Depending on the need for protection, it must be ensured that deployed systems can be recovered in the event of a malfunction. The Processor shall implement the following measures as part of access control:
.1A data protection concept is available for personal data, for the application programmes for their processing as well as for the correspondingly required system environment.
.2Only high quality data carriers are used for data backup
.3Restoring individual files is possible without much effort, and the availability of backup data and a suitable infrastructure (readers and software) is ensured.
.4The data carriers for data backup are kept under lock and key and are only accessible to the system administrators entrusted with this task
Itmust be ensured that, depending on the protection requirements, all functions of the system are available (availability, resilience), any malfunctions that occur are reported (reliability) and stored personal data cannot be damaged or disclosed by malfunctions of the system (integrity, confidentiality). The Processor shall implement the following access control measures:
.1Log data is protected against manipulation
.2Log data is deleted as soon as it is no longer required
.3There is a list of the IT equipment used as well as dedicated documentation of the hardware including the network connection
.4A register of the processing activities used is available
.5Work instructions are available in writing and are known (trained) to all employees involved in processing
.6Employees are trained on their obligations to cooperate under data protection law. The training is documented
.7Certifications or audits are carried out by independent or internal bodies. A data protection officer is appointed to perform tasks pursuant to Art 39 GDPR
.8A data breach notification concept is in place
.9Employees were informed in a documented manner about reporting channels and emergency plans in the event of data protection violations
.10It is ensured that the Controller is informed about data protection breaches
.11Measures are established to ensure that the principle of data minimisation and purpose limitation are observed when processing personal data
.12It is ensured that default settings limit the processing of personal data to what is necessary for the purpose of processing
.13Measures are established to ensure that the principle of data minimisation and purpose limitation are observed when processing personal data
.14It is ensured that default settings limit the processing of personal data to what is necessary for the purpose of processing
.15The execution of the order is ensured by internal control measures with regard to the qualitative, quantitative and temporal requirements of the order
.16The processing of personal data by Sub-processors is carried out on the basis of processing agreements pursuant to Art 28 GDPR
Measures shall be taken for the timely detection and traceability of (i) unauthorised access or disclosure of personal data and (ii) any event that may lead to a personal data breach. The Processor shall implement the following access control measures:
.1Detection of data breaches and unauthorised access is done through warnings from the management software
.2Ongoing monitoring of access authorisations
.3Implementation of 2-factor authentication when accessing data
.aAs part of the control of compliance with the above data protection requirements, the implementation of and compliance with the technical organisational measures may be audited by the Controller or a third party appointed by him. The Controller reserves the right to determine the audit interval and the audit depth. Due to data protection incidents on the one hand, or proof of compliance with data protection and data security requirements, such as data protection-specific certification procedures approved by the supervisory authority as well as data protection seals and seals of approval on the other hand, the audit interval and the audit depth may be narrower or wider.
.bAs a result, the Processor must provide sufficient guarantees that appropriate technical organisational measures are implemented in such a way that all data protection and data security requirements are met, thereby ensuring an adequate level of protection for the rights of the data subject.