DPA Annex 1 – Technical and organisational measures

1. Confidentiality (Art. 32 para. 1 lit. b GDPR)

  1. Physical access control: No unauthorised physical access to data processing systems, e.g.: magnetic or chip cards, keys, electric door openers, site security staff or gatekeepers, alarm systems, video surveillance;

  2. System access control: No unauthorised use of systems, e.g.: strong passwords, automatic locking mechanisms, two-factor authentication, encryption of data carriers;

  3. Data access control: No unauthorised reading, copying, modification or removal of data within the system, e.g.: authorisation concepts and need-to-know access rights, logging of access;

  4. Separation control: Separate processing of data collected for different purposes, e.g.: multi-tenancy (client separation), sandboxing;

  5. Pseudonymisation (Art. 32 para. 1 lit. a FADP; Art. 25 para. 1 FADP): The processing of personal data in such a way that the data can no longer be attributed to a specific data subject without additional information, provided that this additional information is kept separately and is subject to appropriate technical and organisational measures;

2. Integrity (Art. 32 para. 1 lit. b DPA)

  1. Transfer control: No unauthorised reading, copying, modification or removal during electronic transmission or transport, e.g.: encryption, Virtual Private Networks (VPN), electronic signatures;

  2. Input control: Determining whether and by whom personal data have been entered into, modified in or removed from data processing systems, e.g.: logging, document management;

3. Availability and resilience (Art. 32 para. 1 lit. b GDPR)

  1. Availability control: Protection against accidental or deliberate destruction or loss, e.g.: backup strategy (online/offline; on-site/off-site), uninterruptible power supply (UPS), virus protection, firewall, reporting channels and emergency plans;

  2. Rapid recoverability (Art. 32 para. 1 lit. c GDPR);

4. Procedures for regular review, assessment and evaluation (Art. 32 para. 1 lit. d GDPR; Art. 25 para. 1 GDPR)

  1. Data protection management, incident response management, privacy-friendly default settings (data protection by default, Art. 25 para. 2 GDPR), processor control;

  2. No commissioned data processing within the meaning of Art. 28 GDPR without corresponding instructions from the controller, e.g.: clear contract design, formalised contract management, strict selection of the service provider, prior verification of the provider's measures, follow-up checks.