Appendix 4: IT security measures. For the specific data processing, a level of protection is guaranteed suitable for the risks to the rights and freedoms of the natural persons affected by the processing. For this purpose, the protection objectives of Art. 32 para. 1 GDPR, such as confidentiality, integrity and availability of the systems and services, as well as their resilience in regard to the type, scope, circumstances and purpose of the processing, are considered in such a way that the risk is mitigated by means of suitable technical and organisational measures. The service provider has defined the security objectives, an IT security process and IT security management in its IT security concept to ensure the protection of Personal Data through appropriate technical and organisational measures. According to the specifications from the IT security concept, the risks associated with data processing were determined as well as a determination of the potential effects on the Data Subjects and the probability of occurrence. The determination of the technical measures to ensure data security takes place – as shown in the IT security concept – in consideration of the state of the art as well as the implementation costs. The ongoing guarantee of the requirements resulting from statutory provisions, e.g. GDPR, is ensured by the “IT security management”, where, in addition to the clear definitions and functions as well as tasks and responsibilities including, but not limited to, the implemented technical and organisational measures set forth below in this Appendix in accordance with Art. 32 GDPR, are implemented and continuously monitored and checked in the context of security checks. The measures described below represent the selection of the technical and organisational measures (“XXX”) to guarantee data security according to Art. 32 GDPR, suitable for the risk determined, taking into consideration the protection objectives according to the state of the art. The following protective level concept was used as a basis: Protection level Personal data for example (for individual data; for cumulative data, if necessary, higher protection level attached!) Severity of possible damage A have been made freely accessible by the Data Subject telephone directory, freely accessible website, freely accessible social media Minor B the improper handling of which does not lead to any particular adverse effects, but which were not made freely accessible by the person concerned Restricted access public files, lan...
