(…) – Technical and Organizational Safeguards
1. General Considerations
This document outlines the technical and organizational measures established for the secure and compliant handling of personal data. It takes into consideration the rights of data subjects and aligns with Articles 24, 25, and 32 of the GDPR as applicable.
The following categories of personal data are processed:
- (…)
- (…)
The following outline of technical and organizational measures will be specified according to these data categories where relevant.
2. Organizational Measures
The company plans to develop data privacy protocols documented as standard operating procedures (e.g., DPR-SOP) and templates.
Reference your existing Information-Security-Management-System (ISMS) here.
3. Confidentiality
3.1 Entry Control
Physical access to premises and systems is restricted through the following measures:
- Locked building entrances
- Locked office spaces
If you have dedicated server rooms, provide detailed descriptions of all security protocols to prevent unauthorized access.
If a third-party cloud provider is used, detail their security policies, which often come with supporting documentation.
If data is stored locally on user devices, include relevant security descriptions and emphasize that data does not leave those devices.
3.2 Access Control
Access to software systems is controlled with the following measures:
(…)
Outline your access restrictions to prevent unauthorized access to offices and electronic systems. Examples include:
- Each employee has a unique user ID with a password that meets stringent requirements (minimum 14 characters, including special characters); shared accounts are not used.
- Passwords must be unique to the account and not reused elsewhere; they are changed at least annually and immediately on suspected compromise.
- Centralized authentication via username and password, with mandatory 2-factor authentication; sessions require re-authentication (including the second factor) at least every 30 days.
- Access is logged and monitored, including failed login attempts.
- System locks automatically after XXX failed attempts.
- File and system access is restricted to employees, with selectively determined access levels.
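The lockout and logging bullets above describe a mechanism rather than just a rule, so here is an added illustration of how the two fit together. This is example code written for this page, not part of the template or any product it references; the thresholds (5 attempts, 15-minute window), the user name and the IP address are hypothetical stand-ins for the "XXX" placeholder and for real audit data.

```python
import time
from collections import defaultdict, deque

# Hypothetical values standing in for the template's "XXX failed attempts".
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60


class LoginGuard:
    """Tracks failed logins per user, locks the account once MAX_FAILED_ATTEMPTS
    failures occur inside LOCKOUT_SECONDS, and keeps an append-only audit log of
    every attempt, successful or not (the 3.2 "access is logged and monitored"
    requirement)."""

    def __init__(self, clock=time.time, max_failed=MAX_FAILED_ATTEMPTS,
                 lockout_seconds=LOCKOUT_SECONDS):
        self._clock = clock            # injectable so the behaviour can be tested offline
        self._max_failed = max_failed
        self._lockout_seconds = lockout_seconds
        self._failures = defaultdict(deque)   # user -> timestamps of recent failures
        self._locked_until = {}               # user -> time the lock expires
        self.audit_log = []                   # in production: ship to the SIEM, not memory

    def is_locked(self, user):
        until = self._locked_until.get(user)
        if until is None:
            return False
        if self._clock() >= until:
            # Lock expired: clear state so the counter starts fresh.
            del self._locked_until[user]
            self._failures[user].clear()
            return False
        return True

    def record_attempt(self, user, password_ok, source_ip):
        """Returns one of: success, failed, locked, rejected_locked.

        The lock is checked BEFORE the password, so a correct guess made while
        the account is locked is still rejected; otherwise an attacker could
        keep guessing and simply ignore the failures."""
        now = self._clock()
        if self.is_locked(user):
            outcome = "rejected_locked"
        elif password_ok:
            self._failures[user].clear()      # a good login resets the counter
            outcome = "success"
        else:
            window = self._failures[user]
            window.append(now)
            # Forget failures older than the window so stale attempts do not
            # accumulate forever.
            while window and now - window[0] > self._lockout_seconds:
                window.popleft()
            if len(window) >= self._max_failed:
                self._locked_until[user] = now + self._lockout_seconds
                outcome = "locked"
            else:
                outcome = "failed"
        self.audit_log.append(
            {"ts": now, "user": user, "ip": source_ip, "outcome": outcome})
        return outcome


if __name__ == "__main__":
    guard = LoginGuard(max_failed=3, lockout_seconds=60)
    for _ in range(4):
        print(guard.record_attempt("alice", False, "203.0.113.5"))  # constructed attempt
    for entry in guard.audit_log:
        print(entry)
```

Two points worth carrying into the policy text: a per-account lock lets anyone who knows a user name deny that user service, so it is normally paired with per-source throttling and an alert when lockouts cluster; and the "locked" and "rejected_locked" entries are the events the monitoring in 3.2 should actually page on, not the individual failures.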
3.3 Usage Control
The following safeguards are in place for the use of software systems:
(…)
Describe your policies for using internal systems. Examples include:
- Password policies for access control also apply to system usage.
- Role-based access controls with minimal administrative privileges.
- Authentication via username and password.
- Personal data use is limited to authorized individuals and only to the extent necessary for the purpose (data minimisation principle, Art. 5(1)(c) GDPR).
- Activities are logged and changes are tracked.
- A paperless approach is prioritized, with any physical documents being shredded when no longer needed.
3.4 Pseudonymization
(…)
While this measure is more advanced, consider scenarios where identifiable data is not essential. Example:
- Customer data is pseudonymized if direct identification is not necessary for processing purposes.
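Pseudonymization is only effective if the link back to the person cannot be recovered without additional information that is kept separately (Art. 4(5) GDPR). The added example below, written for this page and not taken from the template, contrasts the common mistake of hashing an identifier with a plain SHA-256 (reversible by anyone who can enumerate candidate e-mail addresses) with a keyed HMAC whose key is the separately stored "additional information". The record, the e-mail addresses and the key handling are constructed for illustration; in practice the key lives in a secrets manager, not in the code.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample record: only the order statistics are needed for
# analysis, the e-mail address is the direct identifier to remove.
SAMPLE_RECORD = {"email": "alice@example.com", "orders": 3, "region": "EU"}

# Hypothetical pseudonymization key. It MUST be stored separately from the
# pseudonymized data set; it is generated here only so the example runs offline.
PSEUDONYMIZATION_KEY = secrets.token_bytes(32)


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256 of the identifier: NOT adequate pseudonymization."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 over a normalized identifier. Without the key the value
    cannot be recomputed, so a candidate list does not help an attacker."""
    normalized = identifier.strip().lower()     # same person, same pseudonym
    return hmac.new(key, normalized.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymize_record(record: Dict, key: bytes) -> Dict:
    """Replace the direct identifier with a keyed pseudonym; keep the rest."""
    out = dict(record)
    out["customer_pseudonym"] = keyed_pseudonym(record["email"], key)
    del out["email"]
    return out


def reidentify_by_enumeration(pseudonym: str, candidates: List[str]) -> Optional[str]:
    """Demonstrates the weakness of the unkeyed variant: anyone holding a list
    of plausible e-mail addresses recovers the identity by brute force."""
    for candidate in candidates:
        if naive_pseudonym(candidate) == pseudonym:
            return candidate
    return None


if __name__ == "__main__":
    print(pseudonymize_record(SAMPLE_RECORD, PSEUDONYMIZATION_KEY))
    guess_list = ["bob@example.com", "alice@example.com"]   # constructed candidates
    print(reidentify_by_enumeration(naive_pseudonym("alice@example.com"), guess_list))
    print(reidentify_by_enumeration(
        keyed_pseudonym("alice@example.com", PSEUDONYMIZATION_KEY), guess_list))
```

If a pseudonym ever has to be resolved back to the customer (a deletion request, for example), that is done by recomputing the HMAC over the live customer list with the key, not by storing a lookup table next to the pseudonymized data; rotating the key invalidates all pseudonyms, which is also how a data set can be rendered unlinkable at the end of its retention period.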
3.5 Separation Control
(…)
This measure is especially relevant for organizations handling data from various customers:
- Logical separation of each customer's data (separate tenants or databases, or at minimum separate directories with distinct access rights), so that access to one customer's data never grants access to another's.
4. Integrity
4.1 Transfer Control
Transfer control ensures that personal data cannot be read, copied, altered, or removed without authorization while it is transmitted electronically or transported on data carriers. Mobile devices storing personal data must be encrypted.
(…)
Outline how you secure data in transit. Examples include:
- The use of USB flash drives or similar removable data carriers is prohibited. Printed documents must be destroyed immediately after use.
- Remote work policies require connecting to company systems through the company VPN.
4.2 Input Control
The following input control measures are in place:
- Traceability of data inputs, modifications, and deletions by unique users.
- Traceability of changes in user authorizations.
This applies to most cloud-based environments (e.g., Google Drive, MS Sharepoint, Confluence, JIRA, etc.). Are there other relevant measures in your context?
4.3 Availability and Reliability
- Employees receive up-to-date equipment, such as (…) configuration.
- Personal data is processed only on systems subject to regular, documented patch management, ensuring that no unsupported systems are on the network (e.g., no Windows 95 or XP). Automatic updates are enabled.
- High-speed internet access is continuously maintained (cloud services are accessible with any internet connection).
- Redundant storage and regular backups ensure continuous data availability; restores from backup are tested on a documented schedule, since an untested backup does not guarantee recovery.
For larger cloud services, include additional policies:
- Data centers and server rooms of cloud providers are equipped with modern features such as temperature regulation, fire and water protection, and uninterruptible power supplies (UPS) that allow a controlled shutdown during a power failure, preventing data loss.
4.4 Product Development
4.4.1 Development Tools
(…)
Consider how your organization ensures secure development practices. Examples include:
- Third-party applications must be approved before use by (…) in line with (…) for compliance with quality management and data privacy.
- Development tools are obtained from trusted sources (e.g., the manufacturer's own servers) and their integrity is verified (publisher signature or published checksum) before installation.
- Single-sign-on authentication for third-party apps supports comprehensive access management.
- Less secure third-party apps are disabled by default settings.
4.4.2 Privacy-Friendly Settings
(…)
- Product development should ensure users can provide only the necessary information. Additional fields should be optional or avoided.
- Privacy-friendly settings should be pre-set by default.
4.6 Data Deletion
The company has established the following automatic data deletion plan:
| Data Category | Retention Period | Responsible |
|---|---|---|
| User data | (…) | |
| Customer data | After contract termination; lead data after 10 years of inactivity | |
| Employee data | Until the end of employment | |
| Applicant data | Up to 6 months after the hiring decision, or longer if necessary for employment | |
| Website data | Deleted after each session | Automated |
5. Employee Work Environment
The company has implemented the following safeguards:
- Hard drives must be encrypted using modern full-disk encryption, such as Apple FileVault 2 for macOS or equivalent tools for other systems (e.g., BitLocker on Windows, LUKS on Linux).
- The email service provider's built-in virus, spam, and phishing filters reduce exposure to malicious software and phishing; they do not replace employee awareness training or endpoint protection.
- Employees must configure their home office networks with secure firewalls.
- Workspaces should be cleared of any sensitive documents, particularly when accessible by others.
- Screen savers should be set to activate after the shortest possible period, and devices should be locked when left unattended.
6. Regular Review, Assessment, and Evaluation Procedures
Company data protection and IT security undergo routine reviews and continuous enhancements. Internal audits may include the following:
- Employee data confidentiality obligations, training, and education.
- Regular checks of data processing practices.
- Response protocols for data breaches and safeguarding data subject rights.
The company has implemented the following internal measures:
- Appointment of a data protection officer.
- Routine procedure audits.
- Ongoing reviews of technological developments per Article 32 GDPR.