Technical and Organisational Measures
acc. to Art. 32 of the GDPR
1 Organisational Control
Purpose: To structure the internal organisation in such a way that it meets the special requirements of data protection. This means that data protection should not adapt to the organization, but the organization should adapt to data protection.
- Employees are regularly (at least every two years) obliged in writing to maintain data secrecy
- Employees are regularly (at least once a year) made aware of data protection in the workplace
- A data security concept/information security management is in place.
2 Pseudonymisation acc. to Art. 32 Abs. 1 lit. a) GDPR
- Personal data with normal protection requirements is divided into 2 parts and thus pseudonymised.
- Personal data with increased protection requirements is divided into 2 parts and thus pseudonymised.
- Whenever possible, pseudonymised or anonymised data is used instead of directly identifying data
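The "divided into 2 parts" measure above separates the directly identifying attributes of a record from its payload, so that the payload can be processed under a pseudonym and only the holder of the identity part can link them back. The following is an added illustration, not code from this document or from the organisation that published it; the sample record, the field names, the key and the choice of an HMAC-SHA256 pseudonym are all assumptions made for the example.

```python
import hashlib
import hmac
from typing import Dict, Iterable, Tuple

# Constructed sample record for the demonstration (no real personal data).
SAMPLE_RECORD: Dict[str, object] = {
    "name": "Erika Mustermann",
    "email": "erika@example.org",
    "date_of_birth": "1980-01-01",
    "diagnosis": "hypertension",
    "visit_count": 3,
}
# Assumed set of directly identifying fields that go into the identity part.
IDENTIFYING_FIELDS = ("name", "email", "date_of_birth")
# Constructed key; in a real deployment it is kept only with the identity store.
SAMPLE_KEY = b"demo-pseudonymisation-key-do-not-reuse"


def make_pseudonym(key: bytes, subject_id: str) -> str:
    """Keyed pseudonym (HMAC-SHA256 truncated to 128 bits).

    Deterministic for one key, so several records of the same person stay
    linkable in the payload store; without the key the value cannot be
    recomputed from the identifier, which is what distinguishes this from a
    plain hash of the e-mail address.
    """
    return hmac.new(key, subject_id.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def split_record(record: Dict[str, object], key: bytes,
                 identifying_fields: Iterable[str],
                 subject_field: str = "email") -> Tuple[Dict[str, object], Dict[str, object]]:
    """Divide one record into an identity part and a payload part.

    The two parts share nothing except the pseudonym, so the payload part
    can be stored and processed separately (the document's "2 parts").
    """
    identifying = tuple(identifying_fields)
    pseudonym = make_pseudonym(key, str(record[subject_field]))
    identity = {"pseudonym": pseudonym, **{f: record[f] for f in identifying}}
    payload = {"pseudonym": pseudonym,
               **{k: v for k, v in record.items() if k not in identifying}}
    return identity, payload


def re_identify(identity_store: Dict[str, Dict[str, object]],
                payload: Dict[str, object]) -> Dict[str, object]:
    """Join a payload back to its identity; only the identity-store holder can do this."""
    ident = identity_store[str(payload["pseudonym"])]
    merged = {k: v for k, v in payload.items() if k != "pseudonym"}
    merged.update({k: v for k, v in ident.items() if k != "pseudonym"})
    return merged


def anonymise(payload: Dict[str, object]) -> Dict[str, object]:
    """Remove the link entirely: without the pseudonym the payload is no longer re-identifiable."""
    return {k: v for k, v in payload.items() if k != "pseudonym"}


def contains_direct_identifiers(part: Dict[str, object], identifying_fields: Iterable[str]) -> bool:
    """Check used before handing a part to a processing system with normal protection needs."""
    return any(f in part for f in identifying_fields)
```

The split is only as strong as the separation of the key and the identity store from the systems that process the payload; if both parts (or the key and the payload) end up on the same system with the same access rights, the data is effectively no longer pseudonymised.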
3 Encryption acc. to Art. 32 Abs. 1 lit. a) GDPR
- Encryption of hard drives containing personal data
- Encryption of e-mails (e.g. PGP)
4 Confidentiality acc. to Art. 32 Abs. 1 lit. b) GDPR
a) Physical Access Control
Purpose: Deny unauthorised persons physical access to the data processing systems with which personal data is processed or used.
- All data are stored in the data centers of service providers, which have physical access control implemented.
b) Access control
Purpose: Prevent data processing systems from being used by unauthorised persons.
- Authentication with username and password
- Management of user authorisations
- Creating user profiles
- Use of anti-virus software
- Password assignment / password rules
- Use of firewalls
- Immediate revocation of authorisations when employees leave the company
- Privacy screens for mobile computers
c) Control of Access Rights
Purpose: Ensure that persons authorised to use a data processing system can only access the data they are authorised for, and that personal data cannot be read, copied, modified or removed without authorisation during processing and use, or after storage.
- Written authorization concept
- Assignment of user rights / creation of user profiles
- Administration of rights by the system administrator
- Number of administrators reduced to the necessary minimum
- Automatic blocking of the workstation
- Logging of application access, in particular the entry, modification and deletion of data
- Use of document / data carrier shredders
- Encryption of data media
- Proper destruction of data media
- Deletion concept for data
d) Separation Control
Purpose: Ensure that data collected for different purposes can be processed separately
- Consistent client separation (on the software side)
- Separation of production and test system
- Technology for defining database rights
- Separation of data from different principals
e) Transfer Control
Purpose: Ensure that personal data cannot be read, copied, altered or removed without authorisation during electronic transfer, or during transport or storage on data carriers. Verify and control to which recipients personal data is intended to be transferred by data transmission systems.
- Monitoring of user and time of specific changes made in the system
- Organisational rules defining which individuals are responsible for, and entitled to, making changes in the system are documented.
- Every employee has only the access to data that their role requires in order to fulfil their employment contract.
- Rights to access sensitive resources are formally requested and allocated only by individuals authorised to do so.
- There is an input history for all users with access to personal data, recording which individual performed which action at what point in time whenever personal data is modified.
5 Integrity acc. to Art. 32 Abs. 1 lit. b) GDPR
a) Input Control
Purpose: Ensure that it is possible to subsequently check and verify whether and by whom personal data have been entered, modified or removed from data processing systems.
- Traceability of input, modification and deletion of data to individual users (not user groups)
- Retention / deletion period for logs is defined
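The input-control requirements above amount to an audit trail that attributes every create, modify and delete of personal data to an individual account with a timestamp, that can be queried afterwards per record, and that is pruned according to a defined retention period. The following is an added illustration of such a trail, not code from this document or from the organisation that published it; the hash chaining for tamper evidence, the list of shared accounts that are rejected as actors, and the constructed sample events are assumptions made for the example.

```python
import hashlib
import json
from dataclasses import asdict, dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

ALLOWED_ACTIONS = {"create", "modify", "delete"}
GENESIS_HASH = "0" * 64


@dataclass(frozen=True)
class AuditEntry:
    timestamp: str            # ISO 8601, UTC
    user_id: str              # individual account, never a shared or group account
    action: str               # create | modify | delete
    record_id: str            # which personal-data record was touched
    field_name: Optional[str] # which field, if a single field was modified
    prev_hash: str            # hash of the previous entry: tamper evidence
    entry_hash: str = ""


def _hash_entry(entry: Dict[str, object]) -> str:
    """SHA-256 over the canonical JSON of all fields except entry_hash itself."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode("utf-8")).hexdigest()


class AuditLog:
    def __init__(self, shared_accounts=("admin", "service")) -> None:
        # Assumed list of non-individual accounts that must not appear as actors.
        self.shared_accounts = set(shared_accounts)
        self.entries: List[AuditEntry] = []

    def record(self, user_id: str, action: str, record_id: str,
               field_name: Optional[str] = None,
               now: Optional[datetime] = None) -> AuditEntry:
        """Append one attributable event; rejects unknown actions and shared accounts."""
        if action not in ALLOWED_ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        if user_id in self.shared_accounts:
            raise ValueError("audit entries must be attributed to an individual user")
        timestamp = (now or datetime.now(timezone.utc)).isoformat()
        prev_hash = self.entries[-1].entry_hash if self.entries else GENESIS_HASH
        data = dict(timestamp=timestamp, user_id=user_id, action=action,
                    record_id=record_id, field_name=field_name, prev_hash=prev_hash)
        entry = AuditEntry(**data, entry_hash=_hash_entry(data))
        self.entries.append(entry)
        return entry

    def history(self, record_id: str) -> List[AuditEntry]:
        """Who did what, and when, to one record (the subsequent check the measure asks for)."""
        return [e for e in self.entries if e.record_id == record_id]

    def verify_chain(self) -> bool:
        """True if no entry was altered and no entry was removed from the middle of the log."""
        if not self.entries:
            return True
        prev = self.entries[0].prev_hash  # oldest surviving entry anchors the chain
        for e in self.entries:
            if e.prev_hash != prev or _hash_entry(asdict(e)) != e.entry_hash:
                return False
            prev = e.entry_hash
        return True

    def apply_retention(self, retention_days: int, now: datetime) -> int:
        """Drop entries older than the retention period from the start of the chain."""
        cutoff = now - timedelta(days=retention_days)
        self.entries = [e for e in self.entries
                        if datetime.fromisoformat(e.timestamp) >= cutoff]
        return len(self.entries)


def run_demo() -> Dict[str, object]:
    """Constructed scenario: three events on one record, a rejected shared account,
    a detected tampering and a retention run; returns the observed results."""
    log = AuditLog()
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    log.record("j.doe", "create", "rec-1", now=t0)
    log.record("j.doe", "modify", "rec-1", field_name="address", now=t0 + timedelta(days=10))
    log.record("a.smith", "delete", "rec-1", now=t0 + timedelta(days=400))
    results: Dict[str, object] = {
        "chain_ok": log.verify_chain(),
        "actors": [e.user_id for e in log.history("rec-1")],
    }
    try:
        log.record("admin", "modify", "rec-1", now=t0)
        results["shared_account_rejected"] = False
    except ValueError:
        results["shared_account_rejected"] = True
    original = log.entries[1]
    log.entries[1] = replace(original, user_id="someone.else")  # simulate after-the-fact edit
    results["tamper_detected"] = not log.verify_chain()
    log.entries[1] = original
    results["kept_after_retention"] = log.apply_retention(365, now=t0 + timedelta(days=400))
    results["chain_ok_after_retention"] = log.verify_chain()
    return results
```

In-memory chaining only shows that later edits within the log are detectable; for a production trail the entries would be written to an append-only store that the application's own database users cannot modify, and the retention job would be the single process allowed to remove entries from its head.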
b) Documentation Control
Purpose: Ensure that the procedures for processing personal data are documented so that they can be reproduced in a reasonable manner.
- Implementation of a data processing register
- Documentation of the IT systems used and their system configuration
c) Control of Data Processing on Behalf
Purpose: Ensure that personal data processed on behalf of a client is processed only in accordance with the client's instructions.
- Existing contracts regarding data processing on behalf
- Control of contract execution
- Destruction of data at the end of the contract
- Control of maintenance work (especially remote maintenance)
- Employees with access rights are obliged to maintain data secrecy.
- Employees have received work instructions/guidelines or instruction sheets that provide information on measures for compliance with data protection and IT security.
- In case of errors regarding data processing or violation of data protection, the client will be informed immediately.
6 Availability Control acc. to Art. 32 Abs. 1 lit. b) GDPR
Purpose: Ensure that personal data is protected against accidental destruction or loss.
- All data is stored in the data centers of service providers, which have measures in place to protect against accidental destruction or loss.
7 Resilience acc. to Art. 32 Abs. 1 lit. b) GDPR
Purpose: Ensure that the systems continue to operate under unforeseen overload.
- Memory overcommitment disabled
- Disk overcommitment disabled
- Virtual server environment
- Automatic server alarms to responsible persons
8 Restorability acc. to Art. 32 Abs. 1 lit. c) GDPR
Purpose: Ensure that personal data can be restored after a breach.
- Backup concept
- Backups (with documented frequency, medium, retention period and storage location)
- Existing full server backups
- Disaster Recovery Concept
- Testing data recovery
- Testing Server Restores
9 Regular Testing, Assessing and Evaluating acc. to Art. 32 Abs. 1 lit. d) GDPR
Purpose: Ensure that processes remain up to date and that the technical equipment used is "state of the art".
- Regular evaluation of procedures used
- Obligation to notify the DPO of newly implemented procedures
- Regular Software Security Updates
- Penetration tests are performed and documented