Security Concept
Confidentiality acc. Art. 32 §1 lit. GDPR
Measures to deny access for unauthorized persons to data processing equipment with which personal data is processed or used.
Technical measures | Organizational measures |
---|---|
Manual locking system | Key regulation / list |
Electronic access control system with record keeping | Visitors accompanied by employee |
Security locks | Visitor registration and badge |
Doors with security knob outside | |
Measures to prevent data processing systems (computers) being used by unauthorized persons.
Technical measures | Organizational measures |
---|---|
Login with user name + password | Management of user permissions |
Login with biometric data | Creation of user profiles |
Anti-virus software server | Safe Password Policy |
Anti-virus software clients | Delete/Destroy Policy |
Firewall | General privacy and / or security policy |
Encryption of data carriers | Mobile Device Policy |
Encryption of smartphones | Manual "Manual Desktop Lock" |
Automatic desktop lock | |
Encryption of Notebooks / tablets | |
Measures to ensure that persons authorized to use a data processing system can access only the data covered by their access authorization, and that personal data cannot be read, copied, changed or deleted without authorization during processing, during use and after storage.
Technical measures | Organizational measures |
---|---|
Physical deletion of data carriers | Use of authorization concepts |
Logging accesses to applications, specifically when entering, changing and deleting data | Minimum number of administrators |
Encryption of data carriers | Administration of user rights by administrators |
Encryption of smartphones | |
Measures to ensure that data collected for different purposes can be processed separately. This can be ensured, for example, by logical and physical separation of the data.
Technical measures | Organizational measures |
---|---|
Separation of productive and test environment | Control through authorization concept |
Physical separation (systems / databases / data carriers) | Definition of database rights |
Multi-client capability of relevant applications | |
The processing of personal data in such a way that the data can no longer be assigned to a specific data subject without the use of additional information, provided that such additional information is kept separate and is subject to appropriate technical and organizational measures.
Technical measures | Organizational measures |
---|---|
In case of pseudonymisation: Separation of the assignment data and storage in separate and secured system (possibly encrypted) | Internal instruction to anonymise / pseudonymise personal data in case of disclosure or even after expiry of the statutory cancellation period |
Integrity (Art. 32 para. 1 lit. b GDPR)
Measures to ensure that personal data cannot be read, copied, altered or removed without authorization during electronic transmission or during transport or storage on data carriers, and that it is possible to verify and determine to which places a transfer of personal data by means of data transmission is provided for.
Technical measures | Organizational measures |
---|---|
Use of VPN | Care in selecting transport personnel and vehicles |
Logging of accesses and calls | |
Safe transport containers | |
Provision through encrypted connections such as sftp, https | |
Measures to ensure that it is possible to retrospectively verify and determine whether and by whom data has been entered, modified or removed in the data processing systems.
Technical measures | Organizational measures |
---|---|
Technical protocol for the entry, modification and deletion of data | Overview of which programs can be used to enter, change or delete which data |
Manual or automated control of the protocols | Granting of rights to enter, modify and delete data on the basis of an authorization concept |
Storage of forms from which data has been taken over in automated processes | |
Clear responsibilities for deletions | |
Availability and resilience (Art. 32 para. 1 lit. b GDPR)
Measures to ensure that personal data is protected against accidental destruction or loss.
Technical measures | Organizational measures |
---|---|
Backup & Recovery Concept | |
Control of the backup process | |
Keep the backup media in a secure location outside the server room | |
Procedure for regular review and evaluation (Art. 32 para. 1 lit. d GDPR, Art. 25 para. 1 GDPR)
Technical measures | Organizational measures |
---|---|
Employees trained and committed to confidentiality / data secrecy | |
Regular sensitization of employees, at least annually | |
The organization complies with the information obligations under Art. 13 and 14 GDPR | |
Data Privacy-friendly default settings (Art. 25 para. 2 GDPR)
Technical measures | Organizational measures |
---|---|
No more personal data is collected than is necessary for the purpose | |
Simple exercise of the right of withdrawal of the person concerned by technical measures | |
SCRIBOS 360 – System Architecture