Security Concept

Confidentiality acc. Art. 32 §1 lit. GDPR

Measures to deny access for unauthorized persons to data processing equipment with which personal data is processed or used.

Technical measures Organizational measures
Manual locking system Key regulation / list
Electronic access control system with record keeping Visitors accompanied by employee
Security locks Visitor registration and badge
Doors with security knob outside  

Measures to prevent data processing systems (computers) being used by unauthorized persons.

Technical measures Organizational measures
Login with user name + password Management of user permissions
Login with biometric data Creation of user profiles
Anti-virus software server Safe Password Policy
Anti-virus software clients Delete/Destroy Policy
Firewall Gen. Policy Privacy and / or Security
Encryption of data carriers Mobile Device Policy
Encryption of smartphones Manual "Manual Desktop Lock"“
Automatic desktop lock  
Encryption of Notebooks / tablets  

Measures to ensure that the persons that are authorized to use a data processing system can exclusively access data that is subject to their access authorization, and that personal data in the processing, in the use and after storing cannot be read, copied, changed or deleted without authorization.

Technical measures Organizational measures
Physical deletion of data carriers Use of authorization concepts
Logging accesses to applications, specifically when entering, changing and deleting data Minimum number of administrators
Encryption of data carriers Administration of user rights by administrators
Encryption of smartphones  

Measures to ensure that data collected for different purposes can be processed separately. This can be ensured, for example, by logical and physical separation of the data.

Technical measures Organizational measures
Separation of productive and test environment Control through authorization concept
Physical separation (systems / databases / data carriers) Definition of database rights
Multi-client capability of relevant applications  

The processing of personal data in such a way that the data can no longer be assigned to a specific data subject without the need for additional information, provided that such additional information is kept separate and is subject to appropriate technical and organizational measures;

 

Technical measures Organizational measures
In case of pseudonymisation: Separation of the assignment data and storage in separate and secured system (possibly encrypted) Internal instruction to anonymise / pseudonymise personal data in case of disclosure or even after expiry of the statutory cancellation period

Integrity (Art. 32 Abs. 1lit .b GDPR)

Measures to ensure that personal data cannot be unauthorized read, copied, altered or removed during electronic transmission or during their transport or storage on data carriers, and that it is possible to verify and determine to which places a transfer of personal data is provided by means for data transmission.

 

Technical measures Organizational measures
Use of VPN Care in selecting transport personnel and vehicles
Logging of accesses and calls  
Safe transport containers  
Provision through encrypted connections such as sftp, https  

Measures to ensure that it is possible to retrospectively verify and determine whether and by whom data has been entered, modified or removed in the data processing systems.

Technical measures Organizational measures
Technical protocol for the entry, modification and deletion of data Overview with which programs which data can be entered, changed or deleted
Manual or automated control of the protocols Granting of rights to enter, modify and delete data on the basis of an authorization concept
  Storage of forms from which data has been taken over in automated processes
  Clear responsibilities for deletions

Availability and resilience (Art. 32 Abs 1 lit. b. GDPR)

Measures to ensure that personal data is protected against accidental destruction or loss.

Technical measures Organizational measures
  Backup & Recovery Concept
  Control of the backup process
  Keep the backup media in a secure location outside the server room

Procedure for regular review and evaluation (Art. 32 lit. 1 (d) of the GDPR, Art. 25 Abs. 1 GDPR)

Technical measures Organizational measures
  Employees trained and committed to confidentiality / data secrecy
  Regular sensitization of employees, at least annually
  The organization complies with the information obligations under Art. 13 and 14 GDPR

Data Privacy-friendly default settings (Art. 25 Abs. 2 GDPR)

Technical measures Organizational measures
No more personal data is collected than is necessary for the purpose  
Simple exercise of the right of withdrawal of the person concerned by technical measures  

SCRIBOS 360 – System Architecture

  • Redundant web- and data-base servers
  • Firewalls & secure SSL connection
  • Load balancing, back-up & access restriction
  • Encrypted ID codes stored only, decryption impossible
  • Intrusion prevention & detection system, backup power units
  • 24/7 monitoring & up-time/function control
  • Fast & reliable high speed internet hub
  • Certified high security: ISO 27001 certification for Data- & IT security