Technical and organisational measures

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Formcentric GmbH has implemented the technical and organisational measures as detailed below to ensure a level of security appropriate to the risk.

1. Confidentiality (points (a) and (b) of EU GDPR art. 32(1))

Access control (physical)

Unauthorised access must be prevented, with ‘access’ being understood to mean physical access. Technical and organisational measures for access control, including those to obtain proof of identity for authorised parties:

☒ Specification of authorised personnel, including scope of authorisations granted

☒ Due care exercised when selecting cleaning personnel

☒ Rules apply for those external to the company (visitors accompanied by employees, separation of processing areas from areas open to the public)

☒ Implementation of key management

☒ Physical measures in place and checked on a regular basis:

- Secure entry point (e.g. lockable doors, security locks)

- Door security system (electric door opener)

- Protection of equipment from theft, tampering and damage

- Monitoring system (e.g. alarm system, video surveillance)

☒ Subdivision into separate security zones

Access control (organisational)

Steps must be taken to prevent the ingress of unauthorised parties into IT systems and unauthorised system usage. Technical and organisational measures related to user identification and authentication:

☒ Planning and implementation of an authorisation model

☒ Authorisation model for user devices (PCs)

☒ Authorisation model for software/systems

☒ Identification of and authorisation check for users

☒ Implementation of a system to manage user identities

☒ Monitoring of access attempts plus response to security incidents

☒ Specification and control of access rights

☒ Encryption

☒ Appropriate password protection (password rules, encrypted archives)

☒ Application-specific security software (anti-malware, virus scanners, software/hardware firewalls)

☒ Two-factor authentication

☒ Rules apply for those external to the company

Access control (user-level)

Steps must be taken to prevent unauthorised activities in IT systems outside the scope of the rights granted. Needs-based design of authorisation model and access rights, plus monitoring and logging based on the following:

☒ Role-based access control for applications

☒ Implementation of rules for access rights and user rights

☒ Verification of rights

☒ Restriction by function (function-/time-based)

☒ Access restrictions (based on need-to-know and least privilege)

☒ Encrypted data storage

☒ Logging of application accesses, particularly those involving data input, modification and erasure

☒ Logging of unauthorised access attempts

☒ Routine analysis

☒ On-demand analysis

☒ Implementation of rules for data erasure

☒ Implementation of rules for disposing of storage media (use of file shredders or service providers certified to DIN 66399)

☒ Implementation of rules for handling electronic storage media

Separation control

Data collected for separate purposes must also be processed separately. Measures for the separate processing (storage, modification, erasure, transfer) of data collected for separate purposes:

☒ Multi-client capability

☒ Physical separation

☒ Logical client separation (software-based)

☒ Separation of production and test systems

☒ Specification of database rights

☒ Availability of policies and work instructions

☒ Availability of standard operating procedures (SOPs)

☒ Routine auditing to confirm intended use of information collected and IT systems

Pseudonymisation and encryption

The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the utilisation of additional information, provided that such additional information is stored separately, and is subject to appropriate technical and organisational measures:

☒ Software-based encryption for data storage

☒ Hardware-based encryption for data storage

2. Integrity (point (b) of EU GDPR art. 32(1))

Transmission control

Rules must be introduced to cover the transmission and transfer of personal data: electronic transfer, data in transit, transfer control. Measures for transportation, transfer and transmission or storage on data storage media (manual or electronic), and for subsequent auditing.

For electronic data storage media:

☒ Encrypted data transmission (e.g. VPN, S/MIME)

☒ Electronic signatures

☒ On-demand completion of checks to confirm integrity, completeness and correctness

☒ Measures to prevent accidental data leaks (e.g. deactivation of USB ports, routine monitoring of authorised recipients, technical restriction to authorised recipients only)

☒ Documentation of types of data transmission (e.g. printout, data storage medium, automated transfer)

☒ Documentation of interfaces and access/transfer programs

For printouts and data storage media:

☒ Needs-based security for chosen transport mode (e.g. file containers, encryption of storage media, record of handover)

Input control

All data management and maintenance must be documented and fully auditable. Measures for the subsequent verification of data input, modification and erasure, including the personnel involved, are:

☒ Logging of input and auditing of input logs

☒ Granular auditability of input, modification and erasure of data by individual username (not user group)

☒ Issuing of rights for the input, modification and erasure of data based on an authorisation model

☒ Corporate policy for role-based input authorisation

3. Availability and resilience (point (b) of EU GDPR art. 32(1))

Availability control

Data must be protected against accidental destruction or loss. Data protection measures (physical/logical):

☒ Routine monitoring of system status

☒ Short-term recoverability of normal system status

☒ Backup and restart strategy (regular data backups):

☒ offline ☒ online ☒ onsite ☒ offsite

☒ Data archiving strategy

☒ Availability of a business continuity/disaster recovery plan

☒ Regular testing of disaster recovery planning

☒ Availability of redundant IT systems (e.g. servers, storage)

☒ Replicability of virtual machines

☒ Effective physical safety mechanisms (fire protection, power supply (UPS), air conditioning)

☒ Reporting procedures and contingency plans

Resilience control

Data processing must be fault- and error-tolerant.

☒ Anti-virus/-malware/ransomware protection

☒ Generous provision of network capacity

☒ Hardening of hardware, especially against DoS and DDoS attacks

☒ IDS/IPS

☒ Appropriate system architecture/DMZ

☒ Firewalls

4. Processes for regular testing, assessment and evaluation (point (d) of EU GDPR art. 32(1); EU GDPR art. 25(1))

☒ Rules set out in writing governing data protection responsibilities

☒ Rules set out in writing governing information security responsibilities

☒ Suitable information security management system (ISMS) in place

☒ Suitable incident response management system in place

☒ Completion of information classification

☒ Regular instruction and awareness-raising measures for employees and management staff

☒ Data protection by design and default (GDPR art. 25(2))

☒ Processing control, to ensure commissioned data processing (CDP) complies with instructions:

- Strict adherence to signed agreements and audits in relation to the same

- Specification governing routine audits of the CDP process (e.g. submission of self-assessments, submission of contracts with subcontractors, completion of subcontractor audits by the contractor (contracted data processor))

- No commissioned data processing pursuant to GDPR art. 28 without corresponding client instruction, e.g. based on unambiguous contract design, formal CDP management, strict service provider selection, duty to provide proof of compliance beforehand, follow-up audits