
Technical and organizational measures

Access control to premises and facilities

Measures must be taken to prevent unauthorized physical access to premises and facilities holding personal data. These measures include:

  • Electronic access control system, security locks

  • (Issue of) keys and chip cards according to duties

  • Careful selection of service personnel with long-term affiliation

  • Chaperonage of visitors on premises

  • Offline management of electronic locks

  • Surveillance of facilities through a security firm

Access control to systems

Measures must be taken to prevent unauthorized access to IT systems. These must include the following technical and organizational measures for user identification and authentication:

  • Assignment of privileges for the insertion, modification and deletion of data based on an authorization scheme

  • Periodic review of justified and up-to-date accounts in all systems; central management of system access, where possible; system specific supervision, including periodic reviews, and administration of access otherwise

  • Password management, authorization using at least username and password, MFA where possible, no access for guest users or anonymous accounts

  • Application of VPN for network access

  • Application of a firewall through trained personnel

  • Secure communication protocols for external services

Access control to data

Measures must be taken to prevent authorized users from accessing data beyond their authorized access rights and to prevent the unauthorized input, reading, copying, removal, modification or disclosure of data. These measures include:

  • Application of an authorization scheme

  • Principle of least privilege for accounts, minimization of accounts with administrative privileges

  • Printout data is destroyed using a paper shredder

  • Automated log of user access via IT systems

  • Measures to prevent the use of automated data-processing systems by unauthorized persons using data communication equipment

  • Audit trail of administrative tasks at system level

  • Separation of environments and privileges for test and production

Disclosure control

Measures must be taken to prevent the unauthorized access, alteration or removal of data during transfer, and to ensure that all transfers are secure and are logged. These measures include:

  • Properly secured mobile devices

  • Encryption using a VPN or other encrypted protocols for remote access, transport and communication of data

Input control

Measures must be put in place to ensure all data management and maintenance is logged, and an audit trail of whether data have been entered, changed or removed (deleted) and by whom must be maintained. These measures include:

  • Personal accounts assigned according to an authorization scheme

  • Logging user activities on IT systems

Job control

Measures should be put in place to ensure that data is processed strictly in compliance with the data importer’s instructions. These measures include:

  • Careful selection of sub-processors

  • DPAs with regard to GDPR are in place with sub-processors

Availability control

Measures should be put in place to ensure that data are protected against accidental destruction or loss. These measures include:

  • Ensuring system functionality and restoration capabilities in case of interruption, with appropriate fault reporting mechanisms in place

  • Proper electrical security measures including uninterruptible power supply (UPS) for self-hosted server facilities

  • Redundancy or fail-over of systems

  • Disaster Recovery Plans (DRP)

Organizational Control

Measures should be put in place to ensure that the organization’s processes and responsibilities are structured to maintain data security and operational continuity. These measures include:

  • ISO 27001 certification of ISMS

  • Periodic training of employees and sub-processors

  • Employee Handbook and Instructions on data security and privacy

  • Regular review, assessment and evaluation of the effectiveness of the TOMs

  • Contractual obligation of non-disclosure for every employee as part of the on-boarding process

  • Data protection officer / Data protection coordinator

  • Segregation of duties

  • Applicant screening

  • Incident response training

Infrastructure Control

Measures should be put in place to ensure that the physical and technological infrastructure supports the secure and reliable operation of systems and data. These measures include:

  • Device management, to enforce technical controls (passwords, updates, screen lock, encryption, etc.)

  • Application of antivirus and endpoint security software (Anti-malware, Web filtering, DLP)

  • Capacity management

  • Security of network services

  • Cabling security
