
Annex III
Technical and organisational measures, including to ensure the security of the data
1. Confidentiality (Art. 32 Para. 1 lit. b) GDPR)
Access Security
Measures that deny unauthorized persons physical access to the data processing equipment used to process or use personal data:
- Access to offices and workplaces only for authorized employees
- Guidelines for handling guests and visitors
- Organizational instructions and logging for key issuance
Access Control
Measures that prevent data processing systems from being used (logged into) by unauthorized persons:
- Authentication with username and password
- Computer systems can only be used after password login, and connections to them are themselves password-protected
- Administrator access is possible only for authorized administrators; client systems can only be used after password-based network authentication
- Remote access only possible via encrypted VPN connections
- Binding procedure for resetting “forgotten” passwords
- Binding procedure for granting authorizations
- Clear assignment of authorizations
- Clear assignment of user accounts to users
- Policy for secure, proper handling and changing of passwords as well as password complexity (length, characters, etc.)
- Use of anti-virus software on clients
Authorization Control
Measures that ensure that persons authorized to use a data processing system can only access the data subject to their access authorization, and that personal data cannot be read, copied, modified or removed without authorization during processing, use and after storage:
- Authorization mechanism that allows permissions to be differentiated down to the level of individual data fields
- Binding authorization granting procedure
- Binding procedure for restoring data from backup
Separation Control
Measures that ensure that data collected for different purposes are processed separately:
- Authorization concept providing for separate storage and multi-tenancy (separation of clients' data)
2. Integrity (Art. 32 Para. 1 lit. b) GDPR)
Transfer Control
Measures that ensure that personal data cannot be read, copied, modified or removed without authorization during electronic transmission or during their transport or storage on data carriers, and that it can be checked and established to which bodies a transfer of personal data by means of data transmission facilities is envisaged:
- Personal data may only be transmitted and provided via encrypted transport routes (e.g., https, sftp)
- Encryption of email attachments (in addition to transport encryption): messages are encrypted in transit between the email client and the server, and attachments are placed in a password-protected archive (e.g., zip)
- Encryption mechanisms are adapted regularly in response to identified security vulnerabilities
- Use of encryption in storage and transport
- Use of application firewalls and intrusion detection systems to prevent and detect attacks; binding work instructions for administrators in the event of an alarm
- Access to personal data only via authenticated channels
Input Control
Measures that ensure that it can be subsequently checked and determined whether and by whom personal data have been entered, modified or removed in data processing systems:
- Recording of the user and the date/time of each change in the system
- Logging of input, modification and deletion of data
- Assignment of rights for input, modification and deletion of data based on an authorization concept
- Use of application firewalls and intrusion detection systems to prevent and detect attacks; binding work instructions for administrators in the event of an alarm
- Access auditing and analysis of the audit log
3. Availability and Resilience (Art. 32 Para. 1 lit. b) GDPR)
Availability Control
Measures that ensure that personal data are protected against accidental destruction or loss:
- Backup and recovery concept for each server system and/or application, with disaster-proof, protected storage of backups (backup vault)
- Proof of secure and proper archiving in a physically protected archive, with binding rules on who may access it
- Use of protection programs (virus scanners, firewalls, encryption programs, spam filters) and a defined concept for their use
- Use of storage systems with redundancy (RAID) where sensible and necessary
- Policy for maintenance and implementation of updates
- Automated standard routines for regular updating of protection software (e.g., virus scanner)
4. Procedures for Regular Review, Assessment and Evaluation
(Art. 32 Para. 1 lit. d) GDPR; Art. 25 GDPR)
Data Protection Management
- Organizational instruction for regular training and data protection commitment of employees
- Filing system for relevant documents
- Regular (at least once a year) review of all relevant documents and processes
- Process for reporting and handling data protection-relevant matters
Order Control
Measures that ensure that personal data processed on behalf of a client are processed only in accordance with the client's instructions:
- Detailed information about the nature and extent of the commissioned processing and use of the client’s personal data
- Detailed information about the purpose limitation of the client’s personal data and a prohibition of use by the service provider outside the written order
The service provider has appointed a data protection officer and ensures through the data protection organization their appropriate and effective involvement in the relevant operational processes.