Data Processing Agreement

Annex 1 – Technical and Organisational Measures (TOMs)

An adequate level of protection is ensured for the Processing and the Data processed, which is appropriate to the risks for the interests or fundamental rights and freedoms of data subjects concerned. To this end, especially the protection objectives of confidentiality, integrity and availability of the systems and services and their resilience with respect to the nature, extent, circumstances and purposes of the Processing shall be taken into account in such a way that the risk is mitigated on a lasting basis by appropriate technical and organisational remedial measures.

Organisational Measures

Organisational measures have been taken to ensure an adequate level of data protection and its maintenance.
  1. The Processor has implemented an appropriate data protection management system (also referred to as data protection concept) and ensures its implementation.
  2. A suitable organizational structure for data security and data protection is in place and information security is integrated into company-wide processes and procedures.
  3. A suitable organizational structure for data security and data protection is in place and information security is integrated into company-wide processes and procedures.
  4. System and security tests, such as code scans and penetration tests, are carried out regularly and also without cause.
  5. Regular evaluation of the log files (without occasion) to detect unusual entries.
  6. The technical and organizational measures are reviewed and adjusted regularly according to the PDCA cycle (Plan-Do-Check-Act).
  7. The development of the state of the art as well as developments, threats and security measures are continuously monitored and derived in a suitable manner to the own security concept.
  8. An adequate procedure is in place to ensure that the rights of data subjects are respected (in particular as regards access, rectification, erasure or limitation of processing, data transfer, revocations & objections). The procedure includes informing employees of their duties to inform the Customer, setting up implementation procedures and designating people responsible, as well as regular monitoring and evaluation of the measures taken.
  9. An adequate procedure is in place to ensure an immediate and legally compliant response to threats and violations of data protection. The procedure includes informing employees of their duties to inform the Customer, setting up implementation procedures and designating people responsible, as well as regular monitoring and evaluation of the measures taken.
  10. Security incidents are consistently documented, even if they do not lead to an external notification (e.g. to the supervisory authority, affected persons) (so-called "security reporting").
  11. Consultation and involvement of the Data Protection Officer on security issues and in security procedures concerning the protection of personal data.
  12. Sufficient technical qualification of the data protection officer for security-relevant issues and opportunities for further training in this area of expertise..
  13. Sufficient technical qualification of the IT security officer for security-relevant issues and opportunities for further training in this area of expertise.
  14. Service providers who are engaged to perform ancillary tasks (maintenance, security, transport and cleaning services, freelancers, etc.) are carefully selected and it is ensured that they respect the protection of personal data. If the service providers are given access to the Data processed for the Customer in the course of their activities or if there is any other risk of access to the personal data, they have to be specifically bound to secrecy and confidentiality.
  15. The protection of personal data shall be taken into account, taking into account the state of the art, implementation costs and the nature, scope, context and purposes of the Processing, as well as the varying likelihood and severity of risks for rights and freedoms of natural persons posed by the Processing, already at the stage of development or selection of hardware, software and procedures, in accordance with the principle of data protection by design and by using privacy friendly presets.
  16. Software and hardware used shall always be kept up to date and software updates shall be carried out without delay within a reasonable period of time in consideration of the degree of risk and any need for review. No software and hardware is used which is no longer updated by their providers or makers with regard to data protection and data security issues (e.g. expired operating systems).
  17. Standard software and corresponding updates are only obtained from trusted sources.
  18. Device management allows you to determine which employees or agents use which devices in which areas.
  19. A "paperless office" is being maintained, which means that documents are generally only stored digitally and only in exceptional cases in paper form.
  20. Documents in paper format will only be retained if no digital copy is available that is adequate in view of the Processing, its purpose and the interests of those data subjects affected by the documents, or if retention has been agreed with the Customer or is required by law.
  21. A erasure, deletion and disposal concept corresponding to the data protection requirements of the Processing and the state of the art is in place. The physical destruction of documents and data carriers is carried out in compliance with data protection regulations and in accordance with legal requirements, industry standards and state-of-the-art industry norms (e.g. DIN 66399). Employees have been informed about legal requirements, deletion periods and, where applicable, about specifications for data deletion or equipment destruction by appropriate service providers.
  22. The Processing of the Customer's Data that has not been deleted in accordance with the agreements of this DPA (e.g. as a result of statutory archiving obligations) shall be restricted to the extent necessary by restriction flags and/or segregation.

Data Protection at Employee Level

Measures have been taken to ensure that employees involved in the processing of personal data have the necessary expertise and reliability required by data protection law.
  1. Employees are bound to confidentiality and secrecy with regard to data protection.
  2. Employees are made aware of and informed about data protection in accordance with the requirements of their function. The training and awareness raising is repeated at appropriate intervals or as and when required by circumstances.
  3. Relevant guidelines, e.g. for e-mail/internet use, handling of malicious code messages, use of encryption techniques, are kept up-to-date and are easy to find (e.g. on the intranet).
  4. If employees work outside the internal premises of the Processor (home and mobile office), employees shall be instructed about the special security requirements and protection obligations in these situations and shall be obliged to comply with them, subject to control and access rights.
  5. If employees use private devices for business activities , employees shall be instructed about the special security requirements and protection obligations in these situations and shall be obliged to comply with them, subject to control and access rights.
  6. The keys, access cards or codes issued to employees, as well as authorisations granted with regard to the processing of the Data, shall be collected or revoked after they leave the services of the Processor or after the change of their responsibilities.
  7. Employees are obliged to leave their working environment tidy and thus in particular to prevent access to documents or data carriers containing personal data (Clean Desk Policy).

Physical Access Control

Physical access control measures have been taken to prevent unauthorised persons from physically approaching the systems, data processing equipment or procedures by which the Data are processed.
  1. With the exception of the workstation computers and mobile devices, no data processing systems are maintained on the Processor's own business premises. The client's data is stored with external server providers in compliance with the requirements for Processing.
  2. Visitors are not allowed to move freely, but only when accompanied by staff.
  3. The access is secured by a manual locking system.
  4. The issue and return of keys and/or access cards is logged.
  5. Employees are required to lock or specially secure equipment when they leave their work environment or the equipment.
  6. Records (files, documents, etc.) will be stored in a secure manner, e.g. in filing cabinets or other adequately secured containers and adequately protected against physical access by authorised persons.
  7. Data carriers are stored securely and adequately protected against access by unauthorised persons.

Electronic Access Control

Electronic access control measures have been put in place to ensure that access (i.e. already the possibility of exploitation, use or observation) by unauthorised persons to systems, data processing equipment or procedures is being prevented.
  1. A password concept specifies that passwords must have a minimum length and complexity in line with the state of the art and security requirements.
  2. All data processing systems are password protected.
  3. Passwords are generally not stored in plain text and are only transmitted hashed or encrypted.
  4. A password management software is used.
  5. A two-factor authentication is used for the access to Data of the Customer.
  6. Failure to login to internal systems will be limited to an appropriate number (e. g. by disabling of login credentials).
  7. Access credentials are deleted or deactivated when their users have left the company or organization of the Processor.
  8. The server systems and services used are equipped with intrusion detection systems.
  9. Up-to-date anti-virus software is used.
  10. Use of software firewall(s).
  11. External interfaces are blocked against unauthorized hardware access (e.g. blocking of USB ports).
  12. Backups are stored in encrypted form.

Internal Access Control (permissions for user rights of access to and amendment of data)

Internal access control measures have been put in place to ensure that persons authorised to use a data processing system can only access the Data covered by their access authorisation and that personal data cannot be read, copied, modified or removed without authorisation during the Processing. Furthermore, input control measures have been taken to ensure that it is possible to subsequently check and establish whether and by whom the Data have been input, modified, removed or otherwise processed in data processing systems.
  1. A rights and roles concept (authorisation concept) ensures that access to personal data is only possible for a group of people selected according to necessity and only to the extent necessary.
  2. The rights and roles concept (authorisation concept) is evaluated regularly, within a reasonable time frequency and when required by an occasion (e.g. violations of access restrictions), and updated as necessary.
  3. The accesses to individual files of the Customer are logged.
  4. The entry, modification and deletion of individual Data of the Customer will be recorded.
  5. Log-ins in the data processing equipment or processing systems are logged.
  6. The protocol and log files are protected against modification, loss and unauthorised access.
  7. The activities of the administrators are appropriately monitored and recorded to the extent permitted by law and to the extent technically feasible.
  8. It is ensured that it is traceable which employees or agents had access to which Data and when (e.g. by logging software usage or drawing conclusions from access times and the authorization concept).

Transmission Control

Measures have been taken to control the transmission of the Data to ensure that the Data cannot be read, copied, modified or deleted by unauthorised persons during electronic transmission or during their transport or storage on data carriers, and that it is possible to verify and establish to which bodies personal data are intended to be transmitted by data transmission equipment.
  1. When accessing internal systems from outside (e.g. for remote maintenance), encrypted transmission technologies are used (e.g. VPN).
  2. Mobile data carriers are encrypted.
  3. E-mails are encrypted during transmission. E-mails are encrypted during transit, which means that the emails are protected against being read by someone with access to the networks through which the email is travelling, on its way from the sender to the destination.
  4. Unless otherwise instructed by the Processor, the Data processed in the course of the Processing will be transmitted end-to-end encrypted.
  5. The transmission and processing of the client's personal data via online offers (websites, apps, etc.) is protected by TLS/SSL or equivalent secure encryption.
  6. Files are encrypted before being sent to cloud storage services.

Adherence to Instructions, Purpose Limitation and Separation Control

Measures have been taken to ensure that Data processed on behalf of the Customer are only processed in accordance with the instructions of the Customer. The measures ensure that the Data collected for different purposes are processed separately and that there is no merging, combining or other combined processing of the Data contrary to the instructions.
  1. The processing operations carried out on behalf of the Customer shall be separately documented to an appropriate extent in a record of processing activities.
  2. Careful selection of sub-processors and other service providers.
  3. Employees and agents are informed in a clear and comprehensible manner about the instructions of the Customer and the permitted processing framework and are trained accordingly. Separate information and training is not required if compliance with the instructions can be reasonably expected in any event, e.g. due to other agreements or internal practice.
  4. Compliance with instructions of the Customer and the permissible scope of processing of personal data by employees and contractors of the Processor is reviewed at appropriate intervals.
  5. The deletion terms which apply to the Processing of the Customer's Data shall if necessary be separately documented within the deletion policy of the Processor.
  6. Necessary evaluations and analyses of the Processing of the Customer's Data shall, as far as possible and reasonable, be processed anonymously (i.e. without any personal reference) or at least pseudonymously in accordance with Article 4 (5) GDPR (i.e. in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person).
  7. The Data of the Customer shall be processed logically separated from data of other processing operations of the Processor and protected against unauthorised access or connection or combination or mixing with other data (e.g. by storage in different databases or by appropriate attributes).

Safeguarding the Integrity and Availability of Data and the Resilience of Processing Systems

Measures have been taken to ensure that personal data are protected against accidental destruction or loss and can be quickly restored in an emergency.
  1. Fail-safe server systems and services are used, which are designed as redundant dual or multiple systems.
  2. The availability of the data processing systems is permanently monitored and controlled, especially for availability, errors and security incidents.
  3. The Data is stored with external hosting providers. The hosting providers are carefully selected and comply with the state of the art in terms of protection against damage caused by fire, moisture, power failures, disasters, unauthorized access, data backup and patch management as well as facility security.
  4. The Processing of Data is carried out on data processing systems which are subject to regular and documented patch management, i.e. in particular regularly updated.
  5. The server systems, services and procedures used for the Processing are subjected to load tests and hardware tests at appropriate intervals.
  6. The server systems used for processing have protection against Denial of Service (DoS) attacks.
  7. The server systems used for processing have an uninterruptible power supply (UPS), which is adequately secured against failures and ensures a controlled shutdown in emergencies without data loss.
  8. Video surveillance at the server location.
  9. Intrusion (physical) and contact detectors at the server location.
  10. The server systems used for processing have adequate fire protection (fire and smoke detection systems and appropriate fire extinguishing devices or fire extinguishing equipment).
  11. Server systems are used that have protection against moisture damage (e.g. moisture detectors).
  12. Server systems and services are used which provide a backup system at other locations on which the current data is kept and thus provide an operational system even in case of a disaster.
  13. The Customer's data records are protected by the system against inadvertent modification or deletion (e.g. by access restrictions, security checks and backups).
  14. Server systems and services are used which have an appropriate, reliable and controlled backup & recovery concept.
  15. Recovery tests are carried out regularly at appropriate intervals to check that the backups can actually be restored (data integrity of the backups).

As of: March 2022

Download PDF