TECHNICAL AND ORGANIZATIONAL MEASURES ACCORDING TO ARTICLE 32(1) GDPR

As of: April 2024

A.

I. Confidentiality of IT Systems and Data Processing (Article 32(1)(b) GDPR)

1. Access Control

  • Measures suitable for preventing unauthorized access to data processing systems used for processing or using personal data; Technical and organizational measures for access control, particularly for authentication of authorized personnel:
  • To prevent unauthorized access to data processing systems storing personal data, electronic access control systems and personnel monitoring are employed. Access is granted only to authorized individuals (management and IT personnel). Video cameras monitor sensitive areas (entrances) of the building.

2. Access Management

Measures suitable for preventing data processing systems from being used by unauthorized individuals; Technical (password protection) and organizational (user master record) measures for user identification and authentication:

To prevent data processing systems from being used by unauthorized individuals, the following measures are taken to protect the IT systems accessing the administrative interface of the data processing system: Access is restricted to a necessary minimum number of administrators using a secret login/password combination (maximum password age 90 days, minimum password length 8 characters).

To prevent the data processing systems themselves from being used by unauthorized individuals, the following measures are taken to protect data stored in applications:

  • One user master record per user
  • Access only through a secure connection (e.g., HTTPS) and using a login/password combination (maximum password age 90 days, minimum password length 8 characters)
  • Automatic access lock after 20 minutes of inactivity; subsequent re-login to the system is possible.

3. Access Control

Measures suitable for ensuring that only those authorized to use a data processing system can access data to which they have access rights and that personal data cannot be read, copied, altered, or removed without authorization during processing, use, and storage; Customized design of authorization concepts and access rights, as well as their monitoring and logging:

To ensure that only those authorized to use the data processing systems can access data to which they have access rights, the data processing systems support the assignment of users to different authorization classes (based on company affiliation and role). Each user is assigned to such a class according to their access rights (authorization concept). To ensure that personal data cannot be read, copied, altered, or removed without authorization after storage, access to the storage location of personal data is only possible from systems with access control (as per 2. “Access Management”).

4. Separation Control

Measures suitable for ensuring that data collected for different purposes can be processed separately; Measures for separate processing (storage, modification, deletion, transmission) of data for different purposes:

To ensure that data collected for different purposes can be processed separately, the affiliation of the data (e.g., issuer, reason for data entry, etc.) is stored in the system. It is ensured through the authorization concept that reading, storing, modifying, and deleting data is only possible for authorized users.

II. Integrity of IT Systems and Data Processing (Article 32(1)(b) GDPR)

1. Transmission Control

Measures suitable for ensuring that personal data cannot be read, copied, altered, or removed without authorization during electronic transmission or while being transported or stored on data carriers, and that it can be verified and determined to which entities transmission of personal data by data transmission facilities is intended; Measures for transport, transmission, and communication or storage on data carriers (manual or electronic) as well as for subsequent verification:

To prevent unauthorized reading, copying, altering, or removal of personal data during electronic transmission from the user’s PC to the data storage location, strong encryption is used (shared key method; RSA 1024-bit). Personal data is not transported via the exchange of storage media. Only systems launched on a system with access control (as per 2. “Access Management”) and using a login/password combination set up solely for this purpose are authorized to read and store personal data. The entities to which transmission of personal data by data transmission facilities is intended are separately listed in an application manual.

2. Input Control

Measures suitable for ensuring that it can subsequently be verified and determined whether and by whom personal data have been entered, modified, or removed in data processing systems; Measures for subsequent verification of whether and by whom data have been entered, modified, or removed (deleted):

To ensure that it can subsequently be verified and determined whether and by whom personal data have been entered, modified, or removed in data processing systems, all user activities are logged. The unchanged data record remains stored in the system to determine the extent of changes.

III. Availability, Resilience, and Rapid Restoration of IT Systems and Data Processing (Article 32(1)(b) and (c) GDPR)

Measures suitable for ensuring that personal data are protected against accidental destruction or loss; Measures for data backup (physical/logical):

To ensure the protection of personal data against accidental destruction or loss, the following measures are taken:

  • Daily full backup to tapes, which are then stored in access-controlled locations (see point 1 “Access Control”).
  • Constantly updated operating system (security updates).
  • Constantly updated antivirus protection and firewall on IT systems with access to personal data.
  • Emergency plan – uninterruptible power supply (UPS) to prevent the loss of unsaved data during power outages and fluctuations.

B. Contract-specific technical and organizational measures include:

Personal data is stored exclusively in an access-controlled building (see point I.1 “Access Control”), in an access-protected IT system (see point I.2 “Access Management”), in an application with access protection (see point I.3 “Access Control”). For testing purposes, no personal data is copied to other systems. Test systems are configured so that no access to personal data in the production system is possible from there.
