TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
1. Measures of pseudonymization and encryption of personal data
Pseudonymisation of personal data that are no longer needed in plain text
Encryption of websites (SSL)
Encryption of e-mail (TLS 1.2 or 1.3)
2. Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
Confidentiality agreements with employees NDAs with third parties
Data Protection agreements with employees Firewall
Anti-Virus
Regular backups
3. Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
Regular backups of the whole system
Regular test of backup and recovery
Regular training of IT staff
4. Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing
In-house checks
Regular review of processes by IT
Regular audits (e.g. by the DPO
5. Measures for user identification and authorisation
Authentication with username / password
Regular checks of authorisations
Password guideline
Limitation of the number of administrators Management of rights by system administrator
Differentiation between authorisations
6. Measures for the protection of data during transmission
Use of encryption technologies
Logging of activities and events
Encryption of email (TlS 1.2 or 1.3)
Use of company internal / restricted drives
7. Measures for the protection of data during storage
Logging of actions and events
Limitation of the number of administrator’s
Firewall
8. Measures for ensuring physical security of locations at which personal data are processed
Manual locking system
Security locks
Key control
9. Measures for ensuring events logging
Logging activated on application level
Regular manual checks of logs
10. Measures for ensuring system configuration, including default configuration
Configuration change control process
Data protection by default is observed
Configuration only by system administrator
Regular training of IT staff
11. Measures for internal IT and IT security governance and management
IT security policy
Training of employees on data security
IT team with clear roles and responsibilities
12. Measures for certification/assurance of processes and products
Implementation of ISO 9001 – Quality Management
Clear overview of the provisions applicable to the provided products/services/processes Regular internal and/or external audits
Assignment of audit responsibilities to certified experts
13. Measures for ensuring data minimization
Identification of the purpose of processing
Assessment of a link between processing and purpose
Identification of the applicable retention periods for each data category
Secure erasure of the data after expiration of the retention period
14. Measures for ensuring data quality
Logging of entry and modification of data
Assignment of rights for data entry
Traceability of entry, modification of data by individual user names (not user groups)
15. Measures for ensuring limited data retention
Regular training on retention periods
Regular audit and assessment of retained data
16. Measures for ensuring accountability
Provision of training / awareness rising
Regular controls and checks
Appropriate policies on data protection
Conclusion of SCCs
Use of secure data erasure
Documented privacy policy
17. Measures for allowing data portability and ensuring erasure
Personal data is stored in a structured format
Monitoring of legal deadline ensured
Observation of retention periods
Establishment of data portability process
Proper handling of data subject requests
Secure data erasure ensured
Secure data carrier destruction
18. For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter
Standard Contractual Clauses (SCCs) are signed or agreed on
Contractually agreed on effective control rights
Contractually agreed on provision of assistance to the controller