Technical and organizational measures (TOM) pursuant to Art. 32 DSGVO (GDPR)

textada Project, Felix Hamborg, Moritz Bock, Franziska Weeber

October 12, 2023

Organizations that collect, process or use personal data, either for themselves or on behalf of others, must take the technical and organizational measures required to ensure that the provisions of data protection law are implemented. Measures are required only where their cost is in reasonable proportion to the intended protective purpose. The above-mentioned organization fulfills this requirement through the following measures:

1 Confidentiality   

1.1 Physical access control (access to premises)

  • Technical measures
    • Mechanical locking system
  • Organizational measures
    • Key management rules

1.2 System access control (access to systems)

  • Technical measures 
    • Login with username + password 
    • Firewall
  • Organizational measures 
    • Manage user permissions 

1.3 Data access control (access to data)

  • Technical measures
    • None
  • Organizational measures
    • Use of authorization concepts
    • Minimum number of administrators

1.4 Separation control 

  • Technical measures 
    • Virtual separation of productive and test environment 
  • Organizational measures 
    • Control via authorization concept 

1.5 Pseudonymization 

  • Technical measures
    • None
  • Organizational measures
    • None

2 Integrity  

2.1 Transfer control 

  • Technical measures
    • Logging of accesses and retrievals
    • Provisioning over encrypted connections such as SFTP and HTTPS
    • Use of signature methods
  • Organizational measures
    • None

2.2 Input control 

  • Technical measures 
    • Technical logging of data entry, modification and deletion 
  • Organizational measures 
    • Assignment of rights to enter, change and delete data on the basis of an authorization concept 

3 Availability and resilience 

3.1 Availability control 

  • Technical measures
    • Fire and smoke detection systems 
    • RAID system / hard disk mirroring 
  • Organizational measures  
    • Backup & recovery concept with encryption
    • Control of the backup process

4 Procedures for regular review, assessment and evaluation 

4.1 Data protection management 

  • Technical measures
    • None
  • Organizational measures 
    • The organization complies with the information obligations according to Art. 13 and 14 DSGVO 

4.2 Incident response management 

  • Technical measures 
    • Use of firewall and regular updating 
    • Use of spam filters and regular updating 
  • Organizational measures 
    • Documentation of security incidents and data breaches 

4.3 Privacy-friendly default settings 

  • Technical measures  
    • No more personal data is collected than is necessary for the respective purpose 
    • Simple exercise of the right of withdrawal of the data subject by technical measures
  • Organizational measures 
    • None 

4.4 Order control (control of contractors and processors)

  • Technical measures
    • None
  • Organizational measures
    • Selection of the contractor under due diligence aspects (especially with regard to data protection and data security)
    • Conclusion of the necessary data processing agreement or EU standard contractual clauses
    • In the case of longer cooperation: ongoing review of the contractor and its level of protection