TECHNICAL AND ORGANIZATIONAL DATA PROTECTION MEASURES
ACCESS CONTROL (PHYSICAL SECURITY MEASURES ARE REQUIRED) Which technical and organizational measures are in place in order to control physical access to the Data Processor’s premises and to identify authorized persons?
Entrance to the building is only possible with keycards provided to Employees.
Certain Locations are physically locked and access is restricted to authorized employees only. E.g. Server Room.
CONTROLLED ADMITTANCE (UNAUTHORIZED PERSONS ACCESSING DATA PROCESSING SYSTEMS MUST BE PREVENTED) Which measures are in place with regard to user identification and authentication technically (password protection) and organizationally (user master record)?
User are Identified through Active Directory,
Passwords are protected using Policies and are required to change
Network security is managed by the internal IT Team and physical and logical access datacentres is restricted to authorized employees responsible for the job.
ACCESS CONTROL (UNAUTHORIZED WORK IN DATA PROCESSING SYSTEMS BEYOND THE GRANTED AUTHORITIES MUST BE PREVENTED) Are the authorization concept and the access rights adjusted to the requirements? How is monitoring and logging ensured?
Systems are protected by Username and Password of the employee;
Security of the password and the account and its acceptable use is governed by the policy.
Idle client systems are locked automatically after defined time and can be unlocked by the user using the password.
Users only have access to applications/data which they need based on their role for example Portal access for customer is done securely and they are only able to view their own information.
DISCLOSURE CONTROL (ANY AND ALL ASPECTS OF THE TRANSMISSION OF PERSONAL DATA: ELECTRONIC TRANSMISSION, DATA TRANSPORT, TRANSMISSION CONTROL) Which security measures are in place for the transport, transfer and transmission and storage on data storage devices (whether manual or electronic) as well as for the subsequent inspection?
All critical and sensitive data is transferred using a secure encrypted channel of communication like SSL Secured VPN, SFTP and access applications using https.
INPUT CONTROL (TRACEABILITY, DOCUMENTATION OF DATA ADMINISTRATION AND MAINTENANCE) Which measures are in place for a subsequent inspection, if and by whom data have been entered, amended or removed (deleted)?
Logging is done separately in the respective systems which handle data.
Control of instructions (warranty that the contract data processing complies with the instructions) Which measures are in place to differentiate between the competences of the Data Controller and the Data Processor?
The Data Processor will amend, remove or delete any Personal Data if specifically instructed hereto by the Data Controller.
Upon receiving a written instruction from the Data Controller, the Data Processor will set up a procedure to ensure compliance with specifically requested traceability requirements.
AVAILABILITY CONTROL (DATA SHALL BE PROTECTED AGAINST ACCIDENTAL DESTRUCTION OR LOSS? Which measures are in place for data protection (physically/ logically)?
Perimeter security is in place.
Central antivirus and security software
The critical and sensitive data stored on the servers are located in a secured and certified datacentres.
Measures in place to ensure the availability of the data, network for maximum uptime
Daily backup schedule is configured for all critical data.
SEPARATION CONTROL (DATA COLLECTED FOR DIFFERENT PURPOSES SHALL BE PROCESSED SEPARATELY) Which measures are in place for a separate data processing (storing, alteration, deletion, transmission) of data with different contract purposes?
Development sheet is separated for each product, services have their own line of environments. All environments, documents and other data are shared for the members of that project/product.