For your convenience, we have provided a translation of this page. This translation is for informational purposes only, and the definitive version of this page is the German version.

TOM-Checklist

  1. Confidentiality pursuant to Art. 32 Para. 1 lit. b GDPR

    1. Entry surveillance

      Measures suitable for preventing unauthorised persons from gaining access to data processing systems with which personal data are processed or used. Access control measures that can be used to secure buildings and rooms include automatic access control systems, the use of chip cards and transponders, control of access by gatekeepers and alarm systems. Servers, telecommunications systems, network technology and similar equipment should be protected in lockable server cabinets. In addition, it makes sense to support access control through organisational measures (e.g. service instructions that provide for the locking of service rooms during absences).

      Technical measures:
        - Manual locking system
        - Doors with knob on the outside
      Organisational measures:
        - Visitors accompanied by staff
        - Locking the doors when absent
    2. Equipment access control

      Measures suitable for preventing data processing systems (computers) from being used by unauthorised persons. Access control here means preventing unauthorised use of the systems. Examples are a boot password, user identification with a password for the operating systems and software products used, a password-protected screen saver, chip cards for logging in and call-back procedures. In addition, organisational measures may be necessary to prevent unauthorised access (e.g. guidelines on screen positioning, guidance to users on how to choose a "good" password).

      Technical measures:
        - Login with username & password
        - Use of individual user IDs
        - Use and enforcement of complex passwords
        - Blocking of system/user in case of multiple failed attempts
        - Anti-virus software on clients
        - Firewall
        - Monitoring/logging of system accesses
      Organisational measures:
        - Manage user permissions
        - Data protection and/or data security policy
        - Principle of minimal allocation of authorisations
        - Regular review of assigned authorisations
        - Reduction of administrative authorisations
        - Authentication-free accesses are deactivated by default
        - Regulations regarding secure passwords
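      The following is an added example and not part of the checklist: it shows how three of the technical measures above (individual user IDs with salted password hashes, blocking of a user after repeated failed attempts, and logging of every login attempt) fit together in one small login guard. The class and function names, the threshold of 5 attempts and the 15-minute lockout are assumptions for the example; the checklist names no specific values.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Policy values assumed for this example; the checklist names no specific numbers.
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60
PBKDF2_ITERATIONS = 200_000   # raise for production; kept moderate so the demo runs quickly


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key); only the salted hash is stored, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, key


@dataclass
class Account:
    username: str              # one ID per person, never a shared group login
    salt: bytes
    password_hash: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0  # epoch seconds; 0.0 means not locked


@dataclass
class LoginGuard:
    """Password login with lockout after repeated failures and a record of every attempt."""
    accounts: Dict[str, Account] = field(default_factory=dict)
    access_log: List[dict] = field(default_factory=list)

    def register(self, username: str, password: str) -> None:
        salt, key = hash_password(password)
        self.accounts[username] = Account(username, salt, key)

    def login(self, username: str, password: str, now: Optional[float] = None) -> str:
        """Return "ok", "locked" or "denied"; every outcome is appended to access_log."""
        now = time.time() if now is None else now
        acct = self.accounts.get(username)
        if acct is None:
            # An unknown user gets the same answer as a wrong password, so the
            # response does not reveal which usernames exist.
            return self._log(username, "denied", now)
        if acct.locked_until > now:
            # While locked, the password is not even checked.
            return self._log(username, "locked", now)
        _, key = hash_password(password, acct.salt)
        if hmac.compare_digest(key, acct.password_hash):   # constant-time comparison
            acct.failed_attempts = 0
            acct.locked_until = 0.0
            return self._log(username, "ok", now)
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failed_attempts = 0
        return self._log(username, "denied", now)

    def _log(self, username: str, outcome: str, now: float) -> str:
        self.access_log.append({"ts": now, "user": username, "outcome": outcome})
        return outcome


if __name__ == "__main__":
    guard = LoginGuard()
    guard.register("m.mueller", "correct horse battery staple")
    for _ in range(MAX_FAILED_ATTEMPTS):
        guard.login("m.mueller", "wrong guess")
    print(guard.login("m.mueller", "correct horse battery staple"))  # locked
    print(guard.access_log[-1])
```

      The `now` parameter exists so the lockout window can be tested deterministically; in a real deployment it is left at its default and the access log would go to a protected log sink rather than an in-memory list.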
    3. Access authority supervision

      Measures to ensure that those authorised to use a data processing system can only access the data subject to their access authorisation and that personal data cannot be read, copied, modified or removed without authorisation during processing, use and after storage. Access control can be ensured, among other things, by suitable authorisation concepts that enable differentiated control of access to data. In doing so, it is important to differentiate both the content of the data and the possible access functions to the data. Furthermore, suitable control mechanisms and responsibilities must be defined in order to document the granting and withdrawal of authorisations and to keep them up to date (e.g. in case of hiring, change of job, termination of employment). Special attention should always be paid to the role and possibilities of administrators.

      Technical measures:
        - Physical deletion of data carriers
        - Regular security updates
      Organisational measures:
        - Minimum number of administrators
        - Management of user rights by administrators
    4. Segregation control

      Measures that ensure that data collected for different purposes can be processed separately. This can be ensured, for example, by logical and physical separation of data.

      Technical measures:
        - Separation of productive and test environment
        - Physical separation (systems / databases / data carriers)
      Organisational measures:
        - Setting database rights
    5. Pseudonymisation (Art. 32 para. 1 lit. a GDPR; Art. 25 para. 1 GDPR)

      The processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, provided that this additional information is kept separately and is subject to appropriate technical and organisational measures.

      Technical measures: none listed
      Organisational measures:
        - Instruction to anonymise / pseudonymise personal data as far as possible in the event of disclosure or also after expiry of the statutory deletion period.
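      As an added illustration of the definition above (this is example code, not part of the checklist), the following pseudonymises a set of records by replacing the direct identifier with a keyed HMAC-SHA256 value. The key and the re-identification table live in a separate `KeyStore`, which is the "additional information kept separately" of the definition: the analysis dataset alone cannot be attributed to a person, while the same person still receives the same pseudonym across records so the data remains usable. The record layout, the `KeyStore` and `pseudonymise` names and the sample records are constructed for this example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample records; the people and addresses are invented.
RECORDS = [
    {"email": "anna.example@example.org", "visit_date": "2022-03-01", "diagnosis_code": "J06"},
    {"email": "ben.example@example.org", "visit_date": "2022-03-02", "diagnosis_code": "K21"},
    {"email": "anna.example@example.org", "visit_date": "2022-04-15", "diagnosis_code": "J06"},
]
DIRECT_IDENTIFIERS = ("email",)   # fields that identify a person directly


class KeyStore:
    """Holds the secret key and the pseudonym -> identifier table.

    This is the separately kept additional information: it must be stored and
    access-controlled apart from the pseudonymised dataset (different system,
    different staff), otherwise the pseudonymisation is only cosmetic.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        self.key = key if key is not None else secrets.token_bytes(32)
        self.lookup: Dict[str, str] = {}

    def pseudonym_for(self, identifier: str) -> str:
        # A keyed MAC rather than a plain hash: with a plain SHA-256 anyone could
        # recompute the digest of a guessed e-mail address and match it.
        p = hmac.new(self.key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()
        self.lookup[p] = identifier
        return p

    def reidentify(self, pseudonym: str) -> Optional[str]:
        """Only the holder of the key store can map a pseudonym back to a person."""
        return self.lookup.get(pseudonym)


def pseudonymise(records: List[dict], store: KeyStore) -> List[dict]:
    """Return copies of the records with direct identifiers replaced by a pseudonym."""
    out = []
    for rec in records:
        new = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        new["subject_id"] = store.pseudonym_for(rec["email"])
        out.append(new)
    return out


if __name__ == "__main__":
    store = KeyStore()
    for row in pseudonymise(RECORDS, store):
        print(row)
```

      Because the HMAC key is random per deployment, the same e-mail address yields a different pseudonym under a different key, so a leaked dataset cannot be joined with another party's pseudonymised data unless the keys are shared deliberately.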
  2. Integrity (Art. 32 (1) (b) GDPR)

    1. Transfer control

      Measures to ensure that personal data cannot be read, copied, altered or removed by unauthorised persons during electronic transmission or during their transport or storage on data carriers, and that it is possible to verify and establish to which bodies personal data are intended to be transmitted by data transmission equipment. Encryption techniques and virtual private networks, for example, can be used to ensure confidentiality in electronic data transmission. Measures to be taken when transporting or forwarding data media include transport containers with locking devices and regulations for the destruction of data media in accordance with data protection requirements.

      Technical measures:
        - Data provision only via encrypted connections such as sftp, https
      Organisational measures:
        - Data transfer only in anonymised or pseudonymised form
        - Data is deleted in accordance with data protection regulations after completion of the order
        - Visitors are not granted access to the network
    2. Input control

      Measures to ensure that it is possible to check and establish retrospectively whether and by whom personal data have been entered into, modified or removed from data processing systems. Input control is achieved through logging, which can take place at various levels (e.g. operating system, network, firewall, database, application). It must also be clarified which data is logged, who has access to logs, by whom and on what occasion/at what time these are checked, how long storage is required and when deletion of the logs takes place.

      Technical measures:
        - The data is entered or recorded by the client himself
        - Technical logging of the entry, modification and deletion of data
      Organisational measures:
        - Traceability of entry, modification and deletion of data through individual user names (not user groups)
        - Allocation of rights for entering, changing and deleting data on the basis of an authorisation concept
        - Clear responsibilities for deletions
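      The following is an added example and not part of the checklist: an application-level audit log of the kind the input-control paragraph describes. Each entry records which individual user created, changed or deleted which record and when, stores only the fields that changed (old and new value), and is hash-chained to the previous entry so that a later alteration of the log is detectable. A `purge_older_than` method applies the retention period the paragraph asks to be defined. The `AuditLog` and `AuditEntry` names and the sample users, record IDs and dates are constructed for this example.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, List, Optional


@dataclass(frozen=True)
class AuditEntry:
    seq: int
    ts: str                    # ISO-8601 timestamp in UTC
    user: str                  # individual user name, never a group account
    action: str                # "create", "update" or "delete"
    record_id: str
    changes: Dict[str, Any]    # field -> {"old": ..., "new": ...}
    prev_hash: str             # hash of the previous entry (tamper-evident chain)
    entry_hash: str


class AuditLog:
    """Append-only log of who entered, changed or deleted which data, and when."""

    def __init__(self) -> None:
        self.entries: List[AuditEntry] = []
        self.head = "0" * 64   # chain anchor before the first entry

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode("utf-8")).hexdigest()

    def record(self, user: str, action: str, record_id: str,
               before: Optional[dict], after: Optional[dict],
               now: Optional[datetime] = None) -> AuditEntry:
        now = now or datetime.now(timezone.utc)
        before, after = before or {}, after or {}
        # Keep only the fields that actually changed, with old and new value.
        changes = {k: {"old": before.get(k), "new": after.get(k)}
                   for k in sorted(set(before) | set(after))
                   if before.get(k) != after.get(k)}
        body = {"seq": len(self.entries), "ts": now.isoformat(), "user": user,
                "action": action, "record_id": record_id, "changes": changes,
                "prev_hash": self.head}
        entry = AuditEntry(**body, entry_hash=self._digest(body))
        self.entries.append(entry)
        self.head = entry.entry_hash
        return entry

    def verify(self) -> bool:
        """True if no retained entry was altered and the chain links are intact."""
        prev = self.entries[0].prev_hash if self.entries else self.head
        for e in self.entries:
            body = asdict(e)
            body.pop("entry_hash")
            if e.prev_hash != prev or self._digest(body) != e.entry_hash:
                return False
            prev = e.entry_hash
        return True

    def history(self, record_id: str) -> List[AuditEntry]:
        """Answer retrospectively: who did what to this record, and when."""
        return [e for e in self.entries if e.record_id == record_id]

    def purge_older_than(self, cutoff: datetime) -> int:
        """Apply the retention period: drop entries before cutoff, return how many."""
        keep = [e for e in self.entries if datetime.fromisoformat(e.ts) >= cutoff]
        removed = len(self.entries) - len(keep)
        self.entries = keep
        return removed


# Constructed sample activity; users, record IDs and dates are invented for the demo.
SAMPLE_T0 = datetime(2022, 1, 10, 9, 0, tzinfo=timezone.utc)
SAMPLE_CUTOFF = SAMPLE_T0 + timedelta(days=30)


def build_sample_log() -> AuditLog:
    log = AuditLog()
    log.record("m.mueller", "create", "cust-42", None,
               {"name": "A. Example", "city": "Bonn"}, now=SAMPLE_T0)
    log.record("j.schmidt", "update", "cust-42", {"name": "A. Example", "city": "Bonn"},
               {"name": "A. Example", "city": "Köln"}, now=SAMPLE_T0 + timedelta(days=40))
    log.record("j.schmidt", "delete", "cust-42", {"name": "A. Example", "city": "Köln"}, None,
               now=SAMPLE_T0 + timedelta(days=41))
    return log


if __name__ == "__main__":
    log = build_sample_log()
    for e in log.history("cust-42"):
        print(e.ts, e.user, e.action, e.changes)
    print("chain intact:", log.verify())
```

      Retention is handled by trimming from the front of the chain: the first retained entry still carries the hash of the last purged one, so `verify` continues to hold over the retained window. Who may read or purge the log, and on which schedule it is reviewed, remains an organisational decision as the paragraph notes.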
  3. Availability and resilience (Art. 32 (1) (b) GDPR)

    1. Availability control

      Measures to ensure that personal data are protected against accidental destruction or loss. This involves issues such as an uninterruptible power supply, air conditioning, fire protection, data backups, secure storage of data media, virus protection, RAID systems, disk mirroring, etc.

      Technical measures:
        - Monitoring of all relevant servers
        - Security-relevant updates and patches are applied regularly and promptly
      Organisational measures:
        - Existence of an escalation chain that specifies who is to be informed in the event of an error in order to restore the system as quickly as possible
  4. Procedures for regular review, assessment and evaluation (Art. 32 Para. 1 lit. d GDPR; Art. 25 Para. 1 GDPR)

    1. Data protection management

      Measures that enable data protection processes to be managed and demonstrably ensure compliance with data protection requirements.

      Technical measures: none listed
      Organisational measures:
        - Appointment of a Data Protection Officer (DPO)
        - Regular reviews by the DPO
        - Obligation of employees to maintain confidentiality
        - Regular training/sensitisation of employees
        - Employees are obliged to report data protection violations
        - Fulfilment of the duty to inform according to Art. 13 and 14 GDPR
        - Regular review of the effectiveness of the technical protection measures
    2. Incident response management

      Measures to support the response to security breaches.

      Technical measures: none listed
      Organisational measures:
        - Formal process and responsibilities for following up on security incidents and data breaches
    3. Data protection-friendly default settings (Art. 25 para. 2 GDPR)

      Technical measures: none listed
      Organisational measures:
        - No more personal data is collected than is necessary for the respective purpose
    4. Order control

      Measures that ensure that personal data processed on behalf of a client can only be processed in accordance with the client's instructions. In addition to data processing on behalf, this item also includes the performance of maintenance and system support work both on site and via remote maintenance. If the contractor uses service providers in the sense of commissioned processing, the following points must always be regulated with them.

      Technical measures: none listed
      Organisational measures:
        - Central registration of existing service providers
        - Careful selection of contractors with regard to data protection and data security
        - Prior review of the security measures taken by the contractor and their documentation
        - Review of existing IT security certificates of the contractors
        - Conclusion of the necessary agreement on commissioned processing or EU standard contractual clauses
        - Agreement on the obligation of the contractor's employees to maintain confidentiality
        - Agreement on the appointment of a data protection officer by the contractor if required by law
        - Agreement on the use of further subcontractors
        - Ensuring the destruction of data after completion of the contract
        - Recording/logging of maintenance work
© 2022 Martin Melzer, All rights reserved.