Technical and Organizational Measures
1. Confidentiality (Art. 32(1)(b) GDPR)
1.1 Physical access control: Unauthorised persons must be denied access to rooms in which data processing equipment is located.
- Definition of security areas
- Implementation of effective access protection
- Determination of persons with authorised access
- Administration of personal access authorisations
- Supervision of external personnel
1.2 System access control: Preventing data processing systems from being used by unauthorised persons.
- Access protection
- Implementation of secure logon procedures and strong authentication
- Implementation of simple authentication by username and password
- Logging of access to critical systems
- Monitoring of critical IT systems
- Secure (encrypted) transmission of authentication secrets
- Lockout after repeated failed attempts or inactivity, and a process for resetting locked access IDs
- Disabling of the storage function for passwords and/or form entries (server and clients)
- Determination of authorised persons
- Management and documentation of personal authentication media and access authorisations
- Automatic and manual blocking of access
1.3 Data access control: Only data for which access authorisation exists can be accessed. Data cannot be read, copied, modified or removed without authorisation during processing, during use or after storage.
- Creation of an authorisation concept
- Implementation of access restrictions
- Avoidance of the concentration of functions in one person (separation of duties)
1.4 Separation control: It must be ensured that data collected for different purposes can be processed separately.
- Data minimisation in the handling of personal data
- Separate processing of different data sets
- Separation of test and development environments
1.5 Data protection by default: If data is not required to achieve the purpose of processing, the technical default settings are configured so that such data is only collected, processed, disclosed or published as a result of an action by the data subject.
2. Integrity (Art. 32(1)(b) GDPR)
2.1 Transfer control: The aim of transfer control is to ensure that personal data cannot be read, copied, altered or removed without authorisation during electronic transmission or during its transport or storage on data carriers, and that it is possible to verify and establish to which recipients personal data is intended to be transferred by data transmission facilities.
- Determination of entities/persons authorised to receive/transmit data
- Secure data transfer between server and client
- Secure transmission in the backend
- Secure transmission to external systems
- Risk minimization through network separation
- Implementation of security gateways at the network transfer points
- Hardening of the backend systems
- Description of interfaces
- Implementation of machine-to-machine authentication
- Secure storage of data, including backups
2.2 Input control: The purpose of input control is to ensure that it is possible to check and establish retrospectively whether and by whom personal data has been entered into, modified in or removed from data processing systems.
- Logging of inputs (entry, modification and deletion)
3. Availability, resilience and disaster recovery
3.1 Availability and resilience (Art. 32(1)(b) GDPR)
- Monitoring
- Resource planning and provisioning
- Defence against misuse that places load on the system
- Data backup concepts and their implementation
3.2 Disaster recovery: rapid restoration of availability and access after an incident (Art. 32(1)(c) GDPR)
- Emergency plan
- Data protection concepts and their implementation
4. Data protection organisation
- Definition of responsibilities
- Implementation and control of appropriate processes
- Implementation of training measures
- Obligation of staff to confidentiality
- Rules on the internal allocation of tasks
- Observance of the separation of functions and of their allocation
- Introduction of suitable deputisation arrangements
5. Processor control
The aim of processor control is to ensure that personal data processed on behalf of the client (the controller) can only be processed in accordance with the client's instructions.
- Selection of sub-processors on the basis of suitable guarantees
- Conclusion of a data processing agreement with sub-processors
- Conclusion of a data processing agreement with xyz
6. Process for regular review, assessment and evaluation (Art. 32(1)(d) GDPR; Art. 25(1) GDPR)
- Process for evaluating the effectiveness of the technical and organisational measures
- Security incident management process
- Implementation of technical reviews