Technical and organisational measures - TOMs

within the meaning of Art. 32 GDPR

Organisations that collect, process or use personal data themselves or by commission are required to take the technical and organisational measures necessary to ensure compliance with the provisions of data protection legislation. Measures are only deemed necessary if the outlay involved is commensurate with the desired level of protection.


1.1 Entry control

Measures that are suitable for denying unauthorised parties entry to data processing facilities with which personal data is processed or utilised. Entry control measures for building and site protection can include automatic entry control systems, the use of smart cards and transponders, entry control by gatekeeper services and alarm installations. Servers, telecommunications facilities, computer networking and similar facilities must be protected in lockable server cabinets. In addition, it makes sense also to back up entry control with organisational measures (such as regulations governing the locking of offices during absences).

Technical measuresOrganisational measures
Manual locking system in all offices.Key system / list provided
Cleaning services have no access to the network or other technical facilities

1.2 Access prevention control

Measures that are suitable for preventing data processing systems (computers) from being used by unauthorised parties. Access prevention control refers to the prevention of the unauthorised use of facilities. Possibilities include boot passwords, user recognition with passwords for operating systems and software products, screen savers with passwords, the use of smart cards for logging in and the deployment of callback processes. In addition, operational measures may also be necessary in order, for instance, to prevent unauthorised inspection (e.g. guidelines for the configuration of screens, provision of guidance to users on selecting a ‘good’ password).

Technical measuresOrganisational measuresB
Two-factor authentication for all systems that contain sensitive dataManagement of user authorisations in productive systems by defined persons responsible
Encryption of hard drives on employee devices (laptops)Creation of user profiles

1.3 User access control

Measures that ensure that those authorised to use a data processing system are only able to access the data covered by their access authorisation and that personal data cannot be read, copied, altered or removed without authorisation during processing, utilisation and following storage. User access control can be upheld among other things by means of suitable authorisation concepts that facilitate differentiated control of data access. These differentiate not only the content of the data but also its possible accessors. In addition, suitable control mechanisms and responsibilities must be defined for documenting the granting and withdrawal of authorisations and keeping them up to date (e.g. upon appointment, change of workplace, termination of employment relationship). Particular attention must also always be paid to the role and options of the administrators.

Technical measuresOrganisational measures
Paper shredderChecklist for the onboarding and offboarding of staff.

1.4 Separation control

Measures that ensure that data collected for different purposes can be processed separately. This can be upheld, for example, by means of logical and physical separation of the data.

Technical measuresOrganisational measures
Separation of productive and test environmentControl via authorisation concept in the product, in the data storage system and in the analytics area

2. Integrity

2.1 Transfer control

Measures that ensure that personal data cannot be read, copied, altered or removed without authorisation during electronic transmission or during transport or storage on data carriers and that it is possible to check and ascertain to which destinations any transmission of personal data using data transmission facilities is envisaged. For example, encryption techniques and virtual private networks can be deployed in order to guarantee confidentiality during electronic data transmission. Measures during data carrier transport and data transfer include lockable containers and regulations governing the destruction of data carriers in compliance with data protection law.

Technical measuresOrganisational measures
Logging of accesses and retrievalsDocumentation of data recipients and duration of the planned transfer and deletion periods

2.2 Data entry control

Measures that ensure that it is possible to check and ascertain retrospectively whether and by whom personal data has been entered, altered or removed in data processing systems. Data entry control is achieved by means of logging that can take place at different levels (e.g. operating system, network, firewall, database, application). It is also necessary to establish which data are logged, who has access to the logs, who the logs are checked by and on what occasion/at what time, how long retention is necessary and when the logs are deleted.

Technical measuresOrganisational measures
Technical logging of entry, alteration and deletion of dataTraceability of entry, alteration and deletion of data by individual usernames

3. Availability and resilience

3.1 Availability control

Measures that ensure that personal data is protected against accidental destruction or loss. This includes issues such as uninterruptible power supply, air-conditioning, fire protection, data backups, secure storage of data carriers, virus protection, RAID systems, disk mirroring etc.

Technical measuresOrganisational measures
All critical systems are stored in cloud or colocation services that guarantee corresponding measures via ISO 9001 and ISO 27001Backup & recovery concept
Existence of a contingency plan
Backups are regularly installed on parallel systems in order to verify the restore processes

4. Procedure for regular review, assessment and evaluation

4.1 Data protection measures

Technical measuresOrganisational measures
Operation of [email protected] as a point of contact for data protection issues
Employees receive training regarding the sensitivity of existing data of Flatfox and their attention is repeatedly drawn to threat scenarios.

4.2 Incident response management

Support when responding to security breaches

Technical measuresOrganisational measures
Isolation of productive systems is possible via Cloudflare regardless of access to them.Documented user lockout processes available in the event of suspicious activities

4.3 Default privacy settings

Privacy by design / privacy by default

Technical measuresOrganisational measures
Sensitive data of interested parties that is no longer actively used is automatically deleted after an appropriate period (normally 60 days)

4.4 Order control (outsourcing to third parties)

Measures that ensure that personal data processed by commission can only be processed in accordance with the instructions of the client. As well as data processing by commission, this item also includes the provision of maintenance and system support both on site and remotely. Should the contractor deploy service providers for the purpose of order processing, the following points must always be resolved with the latter.

Technical measuresOrganisational measures
Conclusion of the necessary agreement for order processing or EU standard contractual clauses
Written instructions issued to the contractor