Technical and organisational measures implemented by the contractor (TOM)

1. Confidentiality

1.1 Physical Access Control

No unauthorised access to the contractor’s data processing facilities

  • Manual locking system
  • Access control at reception
  • Burglar alarm system
  • CCTV surveillance of the office and outdoor areas
  • Careful selection of cleaning staff


1.2 Admission Control

No unauthorised use of the contractor’s systems

  • Creating user profiles in accordance with assigned tasks
  • Assigning user rights
  • Authentication using username and password
  • Ensuring passwords meet IT security policy requirements regarding length and complexity
  • Assigning user profiles to IT systems
  • Encrypting data storage devices in laptops
  • Implementing a hardware firewall
  • Screen lock with password activation


1.3 Access Control

No unauthorised reading, copying, altering or removal within the contractor’s systems

  • Granular authorisation models and access rights tailored to specific needs, logging of access events

  • Management of access rights by senior management

  • Reduction of administrator roles and their use to the ‘absolute minimum’

  • Password policy including password length and password changes

  • Logging of access to critical business applications, particularly when entering, modifying and deleting data, where technically feasible

  • Proper destruction of data storage media

  • Logging of destruction


1.4 Separation control 

Separate processing of data collected for different purposes within the contractor’s systems

  • The client’s data will, as far as technically possible, be kept separate from the data of the contractor’s other clients


1.5 Pseudonymisation

Personal data is processed in such a way that it can no longer be attributed to a specific data subject without the use of additional information, provided that this additional information is kept separately and is subject to appropriate technical and organisational measures

  • not within the contractor’s remit


2. Integrity

2.1 Control of disclosure

No unauthorised reading, copying, alteration or removal during electronic transmission or transport from the contractor’s systems

  • Authentication is carried out using encryption
  • Where necessary, data carriers are secured during transport
  • Encryption is carried out using state-of-the-art methods

2.2 Input control

Determining whether personal data has been entered, modified or deleted in systems, and by whom

  • Recording of activities


3. Availability and resilience

3.1 Availability checks

Protection against accidental or deliberate destruction or loss of data in the contractor’s systems

  • Uninterruptible power supply (UPS)

  • Air conditioning in server rooms

  • Equipment for monitoring temperature and humidity in server rooms

  • Protective power strips in server rooms

  • Fire and smoke detection systems

  • Fire extinguishers in server rooms

  • Backup and recovery plan

  • Data recovery testing

  • Contingency plan

  • Data backup at an external location

  • Server rooms must not be located below rooms containing sanitary facilities


4. Procedures for the regular review, assessment and evaluation of TOM

4.1 Data Protection Management

  • Regular review of the effectiveness of technical and organisational security measures
  • Regular data protection training for employees
  • Data protection policy and working instructions on safeguarding data subjects’ rights inform employees about GDPR requirements


4.2 Incident Response Management

  • Guidelines for identifying and reporting security incidents / data breaches (including obligations regarding reporting and notification)
  • Documentation of security incidents / data breaches
  • Dummy user account for triggering an alert in the event of misuse following a breach


4.3 Order verification

  • No processing of personal data without specific instructions from the client
  • Clear contract terms that comply with Article 28 of the GDPR
  • Formalised contract management (ticket system)
  • Strict selection of service providers, with a duty to verify suitability in advance
