COMPETENT SUPERVISORY AUTHORITY. Identify the competent supervisory authority/ies in accordance with Clause 13 … ANNEX II - TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA EXPLANATORY NOTE: The technical and organisational measures must be described in specific (and not generic) terms. See also the general comment on the first page of the Appendix, in particular on the need to clearly indicate which measures apply to each transfer/set of transfers. Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons. [Examples of possible measures: • Measures of pseudonymisation and encryption of personal data • Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services • Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident • Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing • Measures for user identification and authorisation • Measures for the protection of data during transmission • Measures for the protection of data during storage • Measures for ensuring physical security of locations at which personal data are processed • Measures for ensuring events logging • Measures for ensuring system configuration, including default configuration • Measures for internal IT and IT security governance and management • Measures for certification/assurance of processes and products • Measures for ensuring data minimisation • Measures for ensuring data quality • Measures for ensuring limited data retention • Measures for ensuring accountability • Measures for allowing data portability and ensuring erasure]
COMPETENT SUPERVISORY AUTHORITY. Identify the competent supervisory authority/ies in accordance with Clause 13 Where the data exporter is established in an EU Member State: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer shall act as competent supervisory authority. Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established shall act as competent supervisory authority.
COMPETENT SUPERVISORY AUTHORITY. Identify the competent supervisory authority/ies in accordance with Clause 13 Data Protection Commission of Ireland
COMPETENT SUPERVISORY AUTHORITY. The competent supervisory authority is the Irish Data Protection Commission where the EU GDPR applies and the United Kingdom Information Commissioner’s Office where the UK GDPR applies. ANNEX II TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA Telstra protects all third country transfers of Personal Data, undertaken by Telstra personnel or affiliates as detailed in Annex III, in accordance with our suite of information security standards. These standards define a number of baseline controls, which are implemented at appropriate risk based levels to protect the confidentiality, integrity and availability of both Telstra core and customer specific data. The controls and practices detailed in the standards align to industry practices and standards, such as ISO/IEC 27001:2013, ISO 31000:2009, NIST and PCI DSS. Telstra can provide details of our current certifications upon request from customers. Telstra conducts periodic reviews of the information security standards, and may therefore amend the below baseline controls from time to time to align with industry security standards and the evolving risk landscape: Standard Practices Access Control User access responsibilities: Telstra staff are only able to use approved, authenticated, and encrypted remote access communication methods to log into Telstra’s network and access any Network User and Authorised User Personal Data. Identification: Telstra users are granted a unique ID before being granted access to any systems containing Network User and Authorised User Personal Data, so that access is logged and monitored. Role assignment and role based access control: Telstra implements and maintains system and application access profiles based on the principle of least privilege, which means that staff are only provided with the minimum access to Network User and Authorised User Personal Data required to perform their role. This includes record-keeping of authorised system users with access to Network User and Authorised User Personal Data and governance procedures around these records, such as the annual revalidation or certification of user access requirements. Passwords and authentication mechanisms: Telstra uses authentication methods that are capable to validating passwords in-line with Telstra’s standards for password strength and complexity. Passwords are also encrypted at rest. Application Security Developer training and awareness: Softwar...
COMPETENT SUPERVISORY AUTHORITY. 3.1. In respect of the New Standard Contractual Clauses:
COMPETENT SUPERVISORY AUTHORITY. Identify the competent supervisory authority/ies in accordance with Clause 13 The data exporter’s competent supervisory authority will be determined in accordance with the GDPR.
COMPETENT SUPERVISORY AUTHORITY. Supervisory authority. Identify the competent supervisory authority/ies in accordance with Clause 13 [INSERT] ANNEX II
COMPETENT SUPERVISORY AUTHORITY. Identify the competent supervisory authority/ies in accordance with Clause 13 ● The supervisory authority as determined by clause 13 of the SCCs. ANNEX II TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
COMPETENT SUPERVISORY AUTHORITY. Where the data exporter is established in an EU Member State - the supervisory authority of such EU Member State shall act as competent supervisory authority Where the data exporter is not established in an EU Member State, but falls within the territorial scope of the GDPR in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) - the supervisory authority of the Member State in which the representative is established shall act as competent supervisory authority.
COMPETENT SUPERVISORY AUTHORITY. As set out in Section 5.6 above ANNEX II TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA The following measures are the minimum required to be implemented by the data importer on the transferred Personal Data: •Implement Information Security and Privacy Protection policies and procedures for critical assets and business processes in accordance with relevant laws, regulations and aligned to industry standards like ISO27001 or NIST Cyber Security Framework. •Regularly assess security controls and risks in your information system(s) to determine if the controls are effective in their application, particularly following major changes, security incidents or data breaches. •Ability to ensure the ongoing confidentiality, integrity, availability and resilience of Personal Data and systems and services that process the Personal Data. •Manage supplier relationships including security requirements, SLAs, outsourcing agreements for contracts being used as part of the service provision including data processing agreements in place with the sub-processors you use to deliver the services or products in accordance with the GDPR. •Perform appropriate background checks on personnel (employees, contractors and third party users) before hiring, when needed and legally permitted. •All relevant personnel should be adequately and regularly trained on security and privacy protection. •Manage access to protect personal data and systems or services that process and store personal data from unauthorized access following separation of duties and least privilege principles. Access controls should include identity management, authentication of users incorporating a strong password policy, authorization, accountability, network segregation, regular access reviews (i.e. rights and privileges) and access revocation where access is no longer necessary. •Implement a strong password policy by enforcing the use of sufficiently complex combinations of characters and numbers, length, enforcing periodic password renewal, restrictions on password reuse, ensure passwords are encrypted and incorporate multi- factor where possible. •Establish, protect, and maintain the integrity of your network, platforms and services by taking steps to detect and prevent successful security incidents like DDoS, viruses, code injections or other malware that can alter the functionality of the systems, or confidentiality, integrity or availabili...
