Data Processing Agreement

Technical and organisational security measures according to Art. 32 GDPR

version 1.0

  • 1. Confidentiality (Article 32 (1) (b) GDPR)

    1.1 Entry control

    • Unauthorised persons should be denied access to rooms containing data processing equipment.
      Definition of security areas
      • Realisation of effective access protection
      • Logging of access
      • Determination of persons with access authorisation
      • Management of personal access authorisations
      • Accompaniment of external personnel
      • Monitoring the rooms

    1.2 Login control

    • The use of data processing systems by unauthorised persons must be prevented.
      • Determination of the protection requirement
      • Login protection
      • Implementation of secure login procedures, strong authentication
      • Implementation of simple authentication via username password
      • Logging of login
      • Monitoring of critical IT systems
      • Secure (encrypted) transmission of authentication secrets
      • Blocking in the case of failed attempts/inactivity and process to reset locked login identifiers
      • Ban memory function for passwords and/or form input (server/clients)
      • Determination of authorised persons
      • Management and documentation of personal authentication media and login permissions
      • Automatic login lock and manual login lock

    1.3 Access Control

    • Only the data for which access is authorised can be accessed. Data can not be read, copied, altered or removed without authorisation during processing, use, and after storage.
      • Create an authorisation concept
      • Implementation of access restrictions
      • Assigning minimal authorisations
      • Administration and documentation of personal access rights
      • Avoiding the concentration of roles

    1.4 Usage purpose control

    • It must be ensured that data collected for different purposes can be processed separately.
      • Data economy in handling personal data
      • Separate processing of different data sets
      • Regular usage purpose check and deletion
      • Separation of test and development environment

    1.5 Privacy-friendly presets

    • If data is not required to achieve the intended purpose, the technical default settings will be set in such a way that data will only be collected, processed, passed on or published by an action of the data subject.
  • 2. Integrity (Article 32 (1) (b) GDPR)

    2.1 Transfer Control

    • The aim of the transfer control is to ensure that personal data cannot be read, copied, altered or removed during electronic transmission or during its transport or storage on data carriers, and that it is possible to check and determine to which places personal data is provided by means of data transmission.
      • Determination of receiving/transferring instances/persons
      • Examination of the legality of the transfer abroad
      • Logging of transmissions according to logging concept
      • Secure data transfer between server and client
      • Backup of the transmission in the backend
      • Secure transmission to external systems
      • Risk minimisation through network separation
      • Implementation of security gateways at the network transfer points
      • Hardening of the backend systems
      • Description of the interfaces
      • Implementation of machine-machine authentication
      • Secure storage of data, including backups
      • Secure storage on mobile data carriers
      • Introduction of a disk management process
      • Process for collection and disposal
      • Privacy-compliant deletion and destruction procedures
      • Management of deletion logs

    2.2 Input control

    • The purpose of the input control is to ensure that it can be subsequently verified and ascertained whether and by whom personal data has been entered, changed or removed in data processing systems.
      • Logging of the inputs
      • Documentation of the input permissions
  • 3. Availability, resilience, disaster recovery

    3.1 Availability and resilience (Article 32 (1) (b) GDPR)

      • Fire protection
      • Redundancy of primary technology
      • Redundancy of the power supply
      • Redundancy of the communication connections
      • Monitoring
      • Resource planning and deployment
      • Defence against systemic abuse
      • Data backup concepts and implementation
      • Regular check of emergency facilities

    3.2 Disaster Recovery - Rapid recovery after incident (Article 32 (1) (c) GDPR)

      • Emergency plan
      • Data backup concepts and implementation
  • 4. Data protection organisation

      • Definition of responsibilities
      • Implementation and control of suitable processes
      • Notification and approval process
      • Implementation of training measures
      • Commitment to confidentiality
      • Regulations for the internal distribution of tasks
      • Consideration of role separation and assignment
      • Introduction of a suitable representative scheme
  • 5. Order control

    • The purpose of order control is to ensure that personal data processed as part of the order can only be processed in accordance with the instructions of the client.
      • Selection of other processors for suitable warranties
      • Conclusion of an data processing agreement with other processors
      • Conclusion of an data processing agreement with STRATOs
  • 6. Procedure for regular review, assessment and evaluation (Article 32 (1) (d) GDPR, Article 25 (1) GDPR)

      • Information security management according to ISO 27001
      • Process for the evaluation of technical and organisational measures
      • Security incident management process
      • Conducting technical reviews