Annex 2 to the data processing agreement (AV contract)

Annex 2 – Technical and organizational measures of the contractor


Confidentiality (Art. 32 para. 1 lit. b GDPR)

- Access control (premises)

No unauthorized access to data processing systems:

Manual locking system, security locks (key control), doors with knobs on the outside, visitors are accompanied by employees, carefully selected cleaning staff;

- Access control (systems)

No unauthorized use of the systems:

(Secure) passwords including user names (central password assignment, "secure password" policy), anti-virus software on servers, clients and mobile devices, firewall, encryption of data storage devices, encryption of smartphones, encryption of notebooks/tablets, automatic desktop lock and other automatic locking mechanisms, management of user authorizations, creation of user profiles, general data protection and/or security policy;

- Access control (data)

No unauthorized reading, copying, modification or removal within the system:

Authorization concepts and needs-based access rights, logging of accesses;

- Separation control

Separate processing of data collected for different purposes: separation of production and test environments, multi-client capability, control via the authorization concept, definition of database rights.



Integrity (Art. 32 para. 1 lit. b GDPR)

- Distribution control

No unauthorized reading, copying, modification or removal during electronic transmission or transport:

Encryption, electronic signature, logging of accesses and retrievals, provision via encrypted connections (HTTPS), documentation of the data recipients and of the duration of the planned transfer or of the deletion periods;

- Input control

Determination of whether and by whom personal data has been entered, changed or removed from data processing systems: Overview of which programs can be used to enter, change or delete which data, allocation of rights to enter, change and delete data based on an authorization concept, clear responsibilities for deletions;



Availability and resilience (Art. 32 para. 1 lit. b GDPR)

- Availability control

Protection against accidental or deliberate destruction or loss: Backup strategy (online) including control of the backup process, uninterruptible power supply (UPS), virus protection, firewall, reporting channels and emergency plans, fire and smoke alarm systems, fire extinguishers in the server room, server room monitoring of temperature and humidity, protective power strips in the server room, air-conditioned server room, RAID system, regular tests for data recovery and logging of the results, storage of the backup media in a safe place outside the server room, no sanitary connections in or above the server room, separate partitions for operating systems and data;

- Rapid recoverability (Art. 32 para. 1 lit. c GDPR).



Procedures for regular review, assessment and evaluation (Art. 32 para. 1 lit. d GDPR; Art. 25 para. 1 GDPR)

- Data protection management;

o Employees trained and obliged to maintain confidentiality/data secrecy

o Regular awareness-raising of employees, at least annually

o A review of the effectiveness of the technical protection measures is carried out at least annually

o Information Security Officer

o Review of the data protection impact assessment (DPIA)

- Incident response management;

- Data protection-friendly default settings (Art. 25 para. 2 GDPR);

- Order control:

No processing of personal data on behalf of the client within the meaning of Art. 28 GDPR without corresponding instructions from the client, ensured e.g. by: clear contract design, formalized order management, strict selection of the service provider, obligation to verify the service provider's measures in advance, follow-up checks.



An external data protection officer has been appointed:

INSECCO – a brand of Alsterbyte IT Solutions GmbH

Lennart Maack

Friedrich-Penseler-Strasse 15

21337 Lüneburg

041312211969

datenschutz@insecco.de
