Technical and Organisational Measures under Art. 32 GDPR

§ 1 Confidentiality (Article 32 (1) b GDPR)

1.1. Access Control

Appropriate measures to prevent unauthorised persons from accessing data processing facilities where personal data are processed and used.

1.2. Access Control

Appropriate measures to prevent the data processing systems from being used by unauthorised persons.

1.3. User Control

Appropriate measures to ensure that persons authorised to use a data processing system can only access the data to which they have authorisation, and that during processing and use and after storage, personal data cannot be read, copied, altered or erased without authorisation.

1.4. Separation Requirement

1.5. Pseudonymisation

The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to appropriate technical and organisational measures.

• Internal regulations on pseudonymisation
• Undertaking signed by employees
• Technically automated implementation of the regulations
• Code changes to the pseudonymisation process can only be merged after separate approval
• Control by means of unannounced spot checks

§ 2 Integrity (Art. 32 (1) b GDPR)

2.1. Control over Disclosure

Appropriate measures to ensure that personal data cannot be read, copied, altered or erased without authorisation during electronic transfer or during their transport or storage on data media, and that it can be checked and established to which bodies a transfer of personal data by data processing facilities is envisaged.

2.2. Input Control

Appropriate measures making it possible to establish subsequently whether and by whom personal data have been entered into data processing systems, altered or deleted.

§ 3 Availability and Resilience (Art. 32 (1) b and c GDPR)

Measures to ensure that personal data are protected against accidental loss or destruction and can be quickly restored.

Data storage within the cloud architecture is protected by several layers of redundancy and is itself immune to crashes. Every day, multiply mirrored backups are taken as hard disk snapshots and can be restored at any time as a replacement for a running system. The systems are continuously monitored and, at peak times, action is taken to distribute the load. If a server crashes, it is restarted by self-healing mechanisms.

§ 4 Process for Regularly Testing, Assessing and Evaluating (Art. 32 (1) d GDPR; Art. 25 (1) GDPR)
Status: 09. October 2023