within the meaning of Art. 32 GDPR
Organisations that collect, process or use personal data themselves or by commission are required to take the technical and organisational measures necessary to ensure compliance with the provisions of data protection legislation. Measures are only deemed necessary if the outlay involved is commensurate with the desired level of protection.
1.1 Entry control
Measures that are suitable for denying unauthorised parties entry to data processing facilities with which personal data is processed or utilised. Entry control measures for building and site protection can include automatic entry control systems, the use of smart cards and transponders, entry control by gatekeeper services and alarm installations. Servers, telecommunications facilities, computer networking and similar facilities must be protected in lockable server cabinets. In addition, it makes sense also to back up entry control with organisational measures (such as regulations governing the locking of offices during absences).
| Technical measures | Organisational measures |
|---|---|
| Manual locking system in all offices. | Key system / list provided |
| Cleaning services have no access to the network or other technical facilities |
1.2 Access prevention control
Measures that are suitable for preventing data processing systems (computers) from being used by unauthorised parties. Access prevention control refers to the prevention of the unauthorised use of facilities. Possibilities include boot passwords, user recognition with passwords for operating systems and software products, screen savers with passwords, the use of smart cards for logging in and the deployment of callback processes. In addition, operational measures may also be necessary in order, for instance, to prevent unauthorised inspection (e.g. guidelines for the configuration of screens, provision of guidance to users on selecting a ‘good’ password).
| Technical measures | Organisational measuresB |
|---|---|
| Two-factor authentication for all systems that contain sensitive data | Management of user authorisations in productive systems by defined persons responsible |
| Encryption of hard drives on employee devices (laptops) | Creation of user profiles |
1.3 User access control
Measures that ensure that those authorised to use a data processing system are only able to access the data covered by their access authorisation and that personal data cannot be read, copied, altered or removed without authorisation during processing, utilisation and following storage. User access control can be upheld among other things by means of suitable authorisation concepts that facilitate differentiated control of data access. These differentiate not only the content of the data but also its possible accessors. In addition, suitable control mechanisms and responsibilities must be defined for documenting the granting and withdrawal of authorisations and keeping them up to date (e.g. upon appointment, change of workplace, termination of employment relationship). Particular attention must also always be paid to the role and options of the administrators.
| Technical measures | Organisational measures |
|---|---|
| Paper shredder | Checklist for the onboarding and offboarding of staff. |
1.4 Separation control
Measures that ensure that data collected for different purposes can be processed separately. This can be upheld, for example, by means of logical and physical separation of the data.
| Technical measures | Organisational measures |
|---|---|
| Separation of productive and test environment | Control via authorisation concept in the product, in the data storage system and in the analytics area |
2.1 Transfer control
Measures that ensure that personal data cannot be read, copied, altered or removed without authorisation during electronic transmission or during transport or storage on data carriers and that it is possible to check and ascertain to which destinations any transmission of personal data using data transmission facilities is envisaged. For example, encryption techniques and virtual private networks can be deployed in order to guarantee confidentiality during electronic data transmission. Measures during data carrier transport and data transfer include lockable containers and regulations governing the destruction of data carriers in compliance with data protection law.
| Technical measures | Organisational measures |
|---|---|
| Logging of accesses and retrievals | Documentation of data recipients and duration of the planned transfer and deletion periods |
2.2 Data entry control
Measures that ensure that it is possible to check and ascertain retrospectively whether and by whom personal data has been entered, altered or removed in data processing systems. Data entry control is achieved by means of logging that can take place at different levels (e.g. operating system, network, firewall, database, application). It is also necessary to establish which data are logged, who has access to the logs, who the logs are checked by and on what occasion/at what time, how long retention is necessary and when the logs are deleted.
| Technical measures | Organisational measures |
|---|---|
| Technical logging of entry, alteration and deletion of data | Traceability of entry, alteration and deletion of data by individual usernames |
3.1 Availability control
Measures that ensure that personal data is protected against accidental destruction or loss. This includes issues such as uninterruptible power supply, air-conditioning, fire protection, data backups, secure storage of data carriers, virus protection, RAID systems, disk mirroring etc.
| Technical measures | Organisational measures |
|---|---|
| All critical systems are stored in cloud or colocation services that guarantee corresponding measures via ISO 9001 and ISO 27001 | Backup & recovery concept |
| Existence of a contingency plan | |
| Backups are regularly installed on parallel systems in order to verify the restore processes |
4.1 Data protection measures
| Technical measures | Organisational measures |
|---|---|
| Operation of datensc[email protected] as a point of contact for data protection issues | |
| Employees receive training regarding the sensitivity of existing data of Flatfox and their attention is repeatedly drawn to threat scenarios. |
4.2 Incident response management
Support when responding to security breaches
| Technical measures | Organisational measures |
|---|---|
| Isolation of productive systems is possible via Cloudflare regardless of access to them. | Documented user lockout processes available in the event of suspicious activities |
4.3 Default privacy settings
Privacy by design / privacy by default
| Technical measures | Organisational measures |
|---|---|
| Sensitive data of interested parties that is no longer actively used is automatically deleted after an appropriate period (normally 60 days) |
4.4 Order control (outsourcing to third parties)
Measures that ensure that personal data processed by commission can only be processed in accordance with the instructions of the client. As well as data processing by commission, this item also includes the provision of maintenance and system support both on site and remotely. Should the contractor deploy service providers for the purpose of order processing, the following points must always be resolved with the latter.
| Technical measures | Organisational measures |
|---|---|
| Conclusion of the necessary agreement for order processing or EU standard contractual clauses | |
| Written instructions issued to the contractor |