Note: The technical and organizational measures are currently being revised. The revised version will probably be available from June and will then be updated here as well.

Measures to ensure confidentiality

Access control

Unauthorized persons are prevented from gaining access to data processing systems with which personal data is processed or used by means of the following measures:

  • Manual locking system

  • Security locks

  • Key control (key issuance)

  • Determination of persons authorized to access

Entry control

The following measures prevent unauthorized persons from using the contractor's data processing systems:

  • Authorization concept

  • Authentication with user name and password

  • Use of a password policy (minimum length and complexity)

  • Passwords must be changed regularly

  • Passwords must not be stored

  • Inactive work devices lock automatically after 5 minutes with a password-protected screen saver

  • Employees lock their work devices when they are absent

  • Encryption of data carriers

  • Use of anti-virus software

Access control

Measures are taken to ensure that only authorized persons can access data held by the customer at the contractor's premises, and that personal data cannot be read, copied, modified or removed without authorization during processing, use or after storage:

  • Avoiding concentration of functions

  • Management of users and rights by the system administrator(s)

  • Encryption of data carriers

  • Data carriers are erased before reuse

Separation control

It is ensured that data collected for different purposes can be processed separately.

  • Logical client separation (on the software side)

  • Separate databases

  • Separate directory structures

  • Production and test systems are separated from each other

  • Separate tables within databases

Measures to ensure integrity

Transfer control

Measures are taken to ensure that personal data cannot be read, copied, altered, or removed without authorization during electronic transmission or while being transported or stored on data media, and that it is possible to verify and determine where personal data is intended to be transmitted by data transmission equipment:

  • Encrypted transmission (SSL/TLS)

  • Encryption of data carriers

  • Encryption of smartphones

Measures to ensure availability and resilience

Order control

It is ensured that personal data processed on behalf of the client is processed only in accordance with the client's instructions.

  • Written agreement with all data processing (sub-)contractors

  • Careful selection of (sub)contractors with regard to data protection and data security

  • Control rights agreed in writing with the (sub)contractors

  • Compliance with the agreements is checked regularly

  • In the event of serious violations, the customer is informed immediately

  • Definition of persons authorized to issue instructions and recipients of instructions

  • Data protection officer appointed in writing

  • Employees are bound to confidentiality

  • In the event of serious violations, the client is informed immediately.

Availability control

It is ensured that personal data on the contractor's systems are protected against accidental destruction or loss.

  • Use of certified subcontractors who guarantee high availability of data
