Common use of Appendix 4: IT security measures Clause in Contracts

Appendix 4: IT security measures. For the specific data processing, a level of protection is guaranteed suitable for the risks to the rights and freedoms of the natural persons affected by the processing. For this purpose, the protection objectives of Art. 32 para. 1 GDPR, such as confidentiality, integrity and availability of the systems and services, as well as their resilience in regard to the type, scope, circumstances and purpose of the processing, are considered in such a way that the risk is mitigated by means of suitable technical and organisational measures.

The service provider has defined the security objectives, an IT security process and IT security management in its IT security concept to ensure the protection of Personal Data through appropriate technical and organisational measures. According to the specifications from the IT security concept, the risks associated with data processing were determined as well as a determination of the potential effects on the Data Subjects and the probability of occurrence. The determination of the technical measures to ensure data security takes place – as shown in the IT security concept – in consideration of the state of the art as well as the implementation costs.

The ongoing guarantee of the requirements resulting from statutory provisions, e.g. GDPR, is ensured by the “IT security management”, where, in addition to the clear definitions and functions as well as tasks and responsibilities including, but not limited to, the implemented technical and organisational measures set forth below in this Appendix in accordance with Art. 32 GDPR, are implemented and continuously monitored and checked in the context of security checks.

The measures described below represent the selection of the technical and organisational measures (“XXX”) to guarantee data security according to Art. 32 GDPR, suitable for the risk determined, taking into consideration the protection objectives according to the state of the art.
The following protective level concept was used as a basis:

| Protection level | Personal data | for example (for individual data; for cumulative data, if necessary, higher protection level attached!) | Severity of possible damage |
|---|---|---|---|
| A | have been made freely accessible by the Data Subject | telephone directory, freely accessible website, freely accessible social media | Minor |
| B | the improper handling of which does not lead to any particular adverse effects, but which were not made freely accessible by the person concerned | Restricted access public files, land register access, non-freely accessible social media; masked IBAN (the last six numbers blacked out), customer master data, date of birth, place of birth | Minor |
| C | The Data Subject could be impaired in his or her social status or in his or her economic circumstances (“reputation”) by improper handling | income, tax data, administrative offences, passport data, IBAN (complete); contract data (delivery and order data) | Manageable |
| D | The Data Subject could be significantly impaired in his or her social status or in his or her economic circumstances (“existence”) by improper handling | commitment to an institution, criminality, official assessments, job references, health data, liabilities, garnishments, data of special categories according to Art. 9 GDPR | Substantial |
| E | Their improper handling could impair the health, life or freedom of the Data Subject | Data about persons who can be a potential victim of a criminal act, witness protection program | Great |
| F | which are processed within the framework of remote maintenance/remote access | Special regulations that address the specific situation of remote maintenance/remote access. | |

The Parties have found that the processing of Personal Data regulated in this Order Processing Agreement is subject to the following protection requirement:

| Protection level | Check as appropriate |
|---|---|
| A | ☐ |
| B | ☐ |
| C | ☒ |
| D | ☐ |
| E | ☐ |
