Technical and organizational measures

Access control to premises and facilities

Measures must be taken to prevent unauthorized physical access to premises and facilities holding personal data. Measures shall include:

Electronic access control system, security locks
(Issue of) keys and chip cards according to duties
Careful selection of service personell with long term affiliation
Chaperonage of visitors on premises
Offline management of electronic locks
Surveillance of facilities through a security firm

Access control to systems

Measures must be taken to prevent unauthorized access to IT systems. These must include the following technical and organizational measures for user identification and authentication:

Assignment of privileges for the insertion, modification and deletion of data based on a authorisation scheme
Periodic review of justified and up-to-date accounts in all systems; central management of system access, where possible; system specific supervision, including periodic reviews, and administration of access otherwise
Password management, authorisation using at least username and password, MFA where possible, no access for guest users or anonymous accounts
Application of Anti-virus and security software
Application of VPN for network access
Application of a firewall through trained personnel
Secure communication protocols for external services

Access control to data

Measures must be taken to prevent authorized users from accessing data beyond their authorized access rights and prevent the unauthorized [input, reading, copying, removal] modification or disclosure of data. These measures shall include:

Application of an authorisation scheme
Organisational training on correct behaviour; like lock screen, no password reuse, complex passwords, avoid copying of data
Principle of least privilege for accounts, minimisation of accounts with administrative privileges
Print-out data is destroyed using a paper shredder
Contractual obligation for non-disclosure
Differentiated access rights
Access rights defined according to duties
Automated log of user access via IT systems
Measures to prevent the use of automated data-processing systems by unauthorized persons using data communication equipment
Audit trail of administrative tasks on system-level
Separation of environments and privileges for test and production

Disclosure control

Measures must be taken to prevent the unauthorized access, alteration or removal of data during transfer, and to ensure that all transfers are secure and are logged. These measures shall include:

Properly secured mobile devices
Encryption using a VPN or other encrypted protocols for remote access, transport and communication of data.

Input control

Measures must be put in place to ensure all data management and maintenance is logged, and an audit trail of whether data have been entered, changed or removed (deleted) and by whom must be maintained. Measures should include:

Personal accounts assigned according to an authorisation scheme
Logging user activities on IT systems

Job control

Measures should be put in place to ensure that data is processed strictly in compliance with the data importer’s instructions. These measures must include:

Careful selection of sub-processors
DPAs with regard to GDPR are in place with sub-processors

Availability control

Measures should be put in place to ensure that data are protected against accidental destruction or loss.
These measures must include:

Ensuring that installed systems may, in the case of interruption, be restored
Ensure systems are functioning, and that faults are reported
Proper electrical security measures including uninterruptible power supply (UPS) for self-hosted server facilities
Redundancy or fail-over of systems

Organisational Control

Periodic training of employees and sub-processors
Employee Handbook and Instructions on data security and privacy
Contractual obligation of non-disclosure for every employee as part of the on-boarding process
Data protection officer