
I. Confidentiality pursuant to Art. 32 Para. 1 lit. b GDPR

  1. Entry surveillance

    Measures suitable for preventing unauthorised persons from gaining access to data processing systems with which personal data are processed or used. Access control measures that can be used to secure buildings and rooms include automatic access control systems, the use of chip cards and transponders, control of access by gatekeepers and alarm systems. Servers, telecommunications systems, network technology and similar equipment should be protected in lockable server cabinets. In addition, it makes sense to support access control through organisational measures (e.g. service instructions that provide for the locking of service rooms during absences).
Technical measures:
  - Manual locking system
  - Doors with knob on the outside
Organisational measures:
  - Visitors accompanied by staff
  - Locking the doors when absent
  2. Equipment access control

    Measures suitable for preventing data processing systems (computers) from being used by unauthorised persons. Equipment access control means preventing the unauthorised use of systems. Possibilities are, for example, a boot password, user identification with a password for the operating systems and software products used, a password-protected screen saver, the use of chip cards for logging in and the use of call-back procedures. In addition, organisational measures may be necessary to prevent unauthorised access (e.g. guidelines for positioning screens, guidance to users on how to choose a “good” password).
Technical measures:
  - Login with username & password
  - Use of individual user IDs
  - Use and enforcement of complex passwords
  - Blocking of system/user in case of multiple failed attempts
  - Anti-virus software clients
  - Firewall
  - Monitoring/logging of system accesses
Organisational measures:
  - Manage user permissions
  - Data protection and/or data security policy
  - Principle of minimal allocation of authorisations
  - Regular review of assigned authorisations
  - Reduction of administrative authorisations
  - Authentication-free accesses are deactivated by default
  - Regulations regarding secure passwords
  3. Access authority supervision

    Measures to ensure that those authorised to use a data processing system can only access the data subject to their access authorisation and that personal data cannot be read, copied, modified or removed without authorisation during processing, use and after storage. Access control can be ensured, among other things, by suitable authorisation concepts that enable differentiated control of access to data. In doing so, it is important to differentiate both the content of the data and the possible access functions to the data. Furthermore, suitable control mechanisms and responsibilities must be defined in order to document the granting and withdrawal of authorisations and to keep them up to date (e.g. in case of hiring, change of job, termination of employment). Special attention should always be paid to the role and possibilities of administrators.
Technical measures:
  - Physical deletion of data carriers
  - Regular security updates
Organisational measures:
  - Minimum number of administrators
  - Management of user rights by administrators
  4. Segregation control

    Measures that ensure that data collected for different purposes can be processed separately. This can be ensured, for example, by logical and physical separation of data.
Technical measures:
  - Separation of productive and test environment
  - Physical separation (systems / databases / data carriers)
Organisational measures:
  - Setting database rights
  5. Pseudonymisation (Art. 32 para. 1 lit. a GDPR; Art. 25 para. 1 GDPR)

    The processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, provided that this additional information is kept separately and is subject to appropriate technical and organisational measures.
Organisational measures:
  - Instruction to anonymise / pseudonymise personal data as far as possible in the event of disclosure or also after expiry of the statutory deletion period.
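As an added illustration of the definition above (example code, not from the original document): direct identifiers are replaced by keyed (HMAC) pseudonyms, and the key together with the pseudonym lookup table is the separately kept "additional information" without which the records cannot be attributed to a person. The KeyHolder class, the field names and the sample records are assumptions made for the example.

```python
# Added example (not from the original document): direct identifiers are
# replaced by keyed pseudonyms; the key and the pseudonym->person table are
# the "additional information" and live in a separate component with its
# own access controls. Names and e-mail addresses are constructed.
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

DIRECT_IDENTIFIERS = ("name", "email")


class KeyHolder:
    """Separate store for the key and the pseudonym -> identifiers mapping.
    In practice this runs on another system under its own authorisation
    concept; it is a class here only so the example runs stand-alone."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        self._key = key or secrets.token_bytes(32)
        self._lookup: Dict[str, Dict[str, str]] = {}

    def pseudonym_for(self, identifiers: Dict[str, str]) -> str:
        # Keyed hash (HMAC): without the key, pseudonyms cannot be recomputed
        # from guessed names, so the pseudonymised set alone is not attributable.
        msg = "\x1f".join(identifiers[k].strip().lower() for k in DIRECT_IDENTIFIERS)
        p = hmac.new(self._key, msg.encode(), hashlib.sha256).hexdigest()[:16]
        self._lookup.setdefault(p, dict(identifiers))
        return p

    def reidentify(self, pseudonym: str) -> Dict[str, str]:
        # Only the key holder can resolve a pseudonym; gate this call by role.
        return dict(self._lookup[pseudonym])


def pseudonymise(records: List[Dict[str, str]], holder: KeyHolder) -> List[Dict[str, str]]:
    """Return copies of the records with direct identifiers replaced by a pseudonym."""
    out = []
    for r in records:
        ids = {k: r[k] for k in DIRECT_IDENTIFIERS}
        rest = {k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
        out.append({"pseudonym": holder.pseudonym_for(ids), **rest})
    return out


# Constructed sample data (the same person twice, once with different casing)
SAMPLE = [
    {"name": "Erika Mustermann", "email": "erika@example.org", "diagnosis": "A"},
    {"name": "Max Mustermann", "email": "max@example.org", "diagnosis": "B"},
    {"name": "Erika Mustermann", "email": "ERIKA@example.org", "diagnosis": "C"},
]
```

The pseudonymised list keeps the attribute data linkable per person (same pseudonym for the same identifiers) while a copy of that list without access to the KeyHolder cannot be resolved back to names.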

II. Integrity (Art. 32 (1) (b) GDPR)

  1. Transfer control

    Measures to ensure that personal data cannot be read, copied, altered or removed by unauthorised persons during electronic transmission or during their transport or storage on data carriers, and that it is possible to verify and establish to which bodies personal data are intended to be transmitted by data transmission equipment. Encryption techniques and virtual private networks, for example, can be used to ensure confidentiality in electronic data transmission. Measures to be taken when transporting or forwarding data media include transport containers with locking devices and regulations for the destruction of data media in accordance with data protection requirements.
Technical measures:
  - Data provision only via encrypted connections such as sftp, https
  - Visitors are not granted access to the network
Organisational measures:
  - Data transfer only in anonymised or pseudonymised form
  - Data is deleted in accordance with data protection regulations after completion of the order.
  2. Input control

    Measures to ensure that it is possible to check and establish retrospectively whether and by whom personal data have been entered into, modified or removed from data processing systems. Input control is achieved through logging, which can take place at various levels (e.g. operating system, network, firewall, database, application). It must also be clarified which data is logged, who has access to logs, by whom and on what occasion/at what time these are checked, how long storage is required and when deletion of the logs takes place.
Technical measures:
  - The data is entered or recorded by the client himself.
  - Technical logging of the entry, modification and deletion of data
Organisational measures:
  - Traceability of entry, modification and deletion of data through individual user names (not user groups)
  - Allocation of rights for entering, changing and deleting data on the basis of an authorisation concept
  - Clear responsibilities for deletions
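An added example (not from the original document) of the logging the paragraph above describes: every entry, modification and deletion is recorded against an individual user name, group accounts are refused before anything is written, and log entries are deleted once an assumed 90-day retention period has passed. The class and method names, the retention period and the sample data are assumptions made for the example.

```python
# Added example (not from the original document): each entry, modification and
# deletion is logged under an individual user name for retrospective checking;
# entries past the (assumed) retention period are deleted. Data is constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

RETENTION = timedelta(days=90)  # assumed retention; agree the real value with the DPO

@dataclass(frozen=True)
class AuditEntry:
    ts: datetime     # UTC time of the change
    user: str        # individual user name, never a shared or group account
    action: str      # "create", "update" or "delete"
    record_id: str
    fields: tuple    # attribute names touched; values are deliberately not logged

class PersonalDataStore:
    """Record store in which every write is attributable to one person."""

    def __init__(self) -> None:
        self._records: Dict[str, Dict[str, str]] = {}
        self.audit: List[AuditEntry] = []

    def apply(self, user: str, action: str, rid: str,
              data: Optional[Dict[str, str]] = None, now: Optional[datetime] = None) -> AuditEntry:
        # Reject empty and group accounts before anything is written.
        if not user or user.startswith("group:"):
            raise ValueError("audit log requires an individual user name")
        if action == "create":
            self._records[rid] = dict(data)
        elif action == "update":
            self._records[rid].update(data)
        elif action == "delete":
            data = self._records.pop(rid)
        else:
            raise ValueError("unknown action " + action)
        entry = AuditEntry(now or datetime.now(timezone.utc), user, action, rid, tuple(sorted(data)))
        self.audit.append(entry)
        return entry

    def history(self, rid: str) -> List[AuditEntry]:
        """Who did what to a record and when: the retrospective check input control requires."""
        return [e for e in self.audit if e.record_id == rid]

    def purge_expired_logs(self, now: datetime) -> int:
        """Delete log entries older than RETENTION; returns how many were removed."""
        keep = [e for e in self.audit if now - e.ts <= RETENTION]
        removed = len(self.audit) - len(keep)
        self.audit = keep
        return removed
```

Only attribute names are logged, not the values, so the audit log does not become a second copy of the personal data it is meant to control.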

III. Availability and resilience (Art. 32 (1) (b) GDPR)

  1. Availability control

    Measures to ensure that personal data are protected against accidental destruction or loss. This involves issues such as an uninterruptible power supply, air conditioning, fire protection, data backups, secure storage of data media, virus protection, RAID systems, disk mirroring, etc.
Technical measures:
  - Monitoring of all relevant servers
  - Security-relevant updates and patches are applied regularly and promptly.
Organisational measures:
  - Existence of an escalation chain that specifies who is to be informed in the event of an error in order to restore the system as quickly as possible.

IV. Procedures for regular review, assessment and evaluation (Art. 32 Para. 1 lit. d GDPR; Art. 25 Para. 1 GDPR)

  1. Data protection management

    Measures that enable data protection processes to be managed and demonstrably ensure compliance with data protection requirements.
Organisational measures:
  - Appointment of a Data Protection Officer (DPO)
  - Regular reviews by the DPO
  - Obligation of employees to maintain confidentiality
  - Regular training/sensitisation of employees
  - Employees are obliged to report data protection violations
  - Fulfilment of the duty to inform according to Art. 13 and 14 GDPR
  - Regular review of the effectiveness of the technical protection measures
  2. Incident response management

    Measures to support the response to security breaches.
Organisational measures:
  - Formal process and responsibilities for following up on security incidents and data breaches
  3. Data protection-friendly default settings (Art. 25 para. 2 GDPR)

Organisational measures:
  - No more personal data is collected than is necessary for the respective purpose
  4. Order control

    Measures that ensure that personal data processed on behalf of a client can only be processed in accordance with the client’s instructions. In addition to data processing on behalf, this item also includes the performance of maintenance and system support work both on site and via remote maintenance. If the contractor uses service providers in the sense of commissioned processing, the following points must always be regulated with them.
Organisational measures:
  - Central registration of existing service providers
  - Careful selection of contractors with regard to data protection and data security
  - Prior review of the security measures taken by the contractor and their documentation
  - Review of existing IT security certificates of the contractors
  - Conclusion of the necessary agreement on commissioned processing or EU standard contractual clauses
  - Agreement on the obligation of the contractor’s employees to maintain confidentiality
  - Agreement on the appointment of a data protection officer by the contractor if required by law
  - Agreement on the use of further subcontractors
  - Ensuring the destruction of data after completion of the contract
  - Recording/logging of maintenance work