Data Transfer Control. The transmission of personal or other confidential data occurs with transport encryption or higher. HWD has an internal policy concerning the use of cryptographic methods, with clear definitions about which cryptographic methods are permissible in which constellation and with which technical specifications. HWD thereby follows the guidelines of the German Federal Office for Information Security (BSI), as well as those of the US National Institute of Standards and Technology (NIST). Furthermore, HWD recommends the use of file-based encryption for the customer communication, whe- never personal data is transferred. This way, even the temporary storage of data on HWD or the custo- mer side is secured. This method requires, however, that the customer has the technical capacity to receive or transmit such an encrypted file. Insofar as HWD identifies this possibility with the customer, HWD will use such a method of file-based encryption, in coordination with the customer. HWD follows a standard process for the storage, deletion, and physical destruction of data media. The data media, their safe storage location, as well as their consecutive return, deletion, or destruction, are logged accordingly. The destruction security level is H-4 according to the DIN standard 66399-2. The shipping of personal data follows the strict conditions and safeguards provided for by law. Mobile data media with personal data are only stored in secured premises, and, if not in use, in a safe. Data which are no longer required for the provisioning of an order, e.g., blocked data, are stored in a sepa- rate, access-protected storage area. The repair and disposal of data media or hardware occur only by appropriately liable and certified companies. The same holds true for the disposal of data on paper.
Data Transfer Control. Measures to ensure that personal data cannot be read, copied, changed or deleted by unauthorized persons during electronic transfer, transport and saving to carrier media and to allow checking and tracing to which places or bodies the transfer of personal data by data transfer devices is intended. Setup of dedicated lines or VPN tunnels A guideline exists with clear provisions what to do when data media go astray Staff training on data protection Laptop hard disk encryption Documentation of recipients of data
Data Transfer Control. No unauthorised Reading, Copying, Changes or Deletions of Data with electronic transfer or transport, e.g.: Encryption, Vir- tual Private Networks (VPN), electronic signature;
Data Transfer Control. Aspects of the disclosure of personal data must be controlled: electronic transfer, data transport, transmission control, etc. to prevent loss, alteration or unauthorised disclosure. Measures to transport, transmit and communicate or store data on data media (manual or electronic) and for subsequent checking: All communication channels are encrypted. Only secure protocols, algorithms and key lengths are in place according to best practice recommendations. IP Whitelists are in place to protect the service from third party access. 1.1.1.5. Separation Control Data collected for different purposes must also be processed separately. Measures to provide for separate Processing (storage, amendment, deletion, transmission) of data for different purposes: Customer data is processed in such a way that it can be fully and unambiguously identified and, if necessary, erased at any time. It is ensured that the data processed for different purposes is separated by purpose. If data can serve several purposes, the permissible purposes are clearly assigned. 1.1.2. Protection of integrity of data (Article 32 (1)(b) GDPR) 1.1.2.1. Input control Full documentation of data management and maintenance must be maintained. Measures for subsequent checking whether data have been entered, changed or removed (deleted), and by whom: All customer related data are stored in a central database. Access to the data is controlled via the central application. For each transaction a transaction log is stored in the database. Access to and changes to customer data and systems are logged. Log information is protected against alterations. 1.1.2.2. Job control when commissioning the Data Processing to Sub- Contractors (if applicable) Commissioned Data Processing must be carried out by the Processor in relation to its Sub- Contractors involved according to instructions. No third party Data Processing as per Article 28 GDPR without corresponding instructions from the data controller. Measures (technical/organisational) to segregate the responsibilities between the Controller and the Processor: Each commissioned data processing requires a written contract, a Data Processing Agreement, a documented XXX of the data processor, an entitlement for audits. DCS operations monitors the service where possible. KPIs are in place to define the requirements between the parties. All employees involved in the processing are always known (a current overview exists), are trained in data protection and information se...
Data Transfer Control. The Data Processor shall take, among others, the following technical and organizational measures in order to ensure that personal data cannot be read, copied, altered or removed by unauthorized persons under their electronic transmission or during their transport or recording on data carriers and to guarantee that it is possible to examine and establish where personal data are or have had to be transmitted by data transmission equipment: 🗌 Remote access (including during remote maintenance or service procedures) to the IT systems only via VPN tunnels or other state-of-the-art secure, encrypted connections 🗌 Use of e-mail encryption 🗌 Data transferred by the Data Processor is transported and saved in encrypted form. The relevant areas of the data carriers are encrypted using data and hard drive encryption software 🗌 Data storage devices and paper documents are locked away when not in use (clean desk policy) 🗌 Physical transports are only performed with locked containers and/or guarded vehicles Use of document shredders Secure destruction processes in place to industry standards utilising specialised 3rd party with disposal certificates produced The secure transfer modes and encryption methods are regularly updated and kept state-of-the- art (e.g., according to the recommendations in the data protection manual issued by the BSI (Federal Office for Information Security)) 3rd party secure off-site tape storage utilised Secure communication session established via HTTPS and SFTP protocols across all applications / services Encrypted certificates utilised for authentication between the web client and the web server across all websites Other measures:
Data Transfer Control. No unauthorized Reading, Copying, Changes or Deletions of Data with electronic transfer or transport, e.g.: Encryption, Virtual Private Networks (VPN), electronic signature; - Encryption of laptops - Safe transmission of sent data (e.g. SFTP, VPN, TLS, SSL, PGP, S/MIME) - Central management of keys for encrypted systems - Deletion and destruction of data storage media according to DIN 32757 - Secure transport of removable media (for example backup, tapes)
Data Transfer Control. Aspects of the disclosure of personal data must be controlled: electronic transfer, data transport, transmission control, etc. Measures to transport, transmit and communicate or store data on data media (manual or electronic) and for subsequent checking: • IT Storage Media: In case of recycling, discarding, repairs or service on storage media used for personal data, it is ensured that third parties cannot gain access to data on such media. Such security procedures are conducted either through encryption or by thorough deletion or overwriting to ensure that all previously stored personal data cannot be recovered by using a generally recognized specification (e.g. DOD 5220-22- M).
Data Transfer Control a. The Processor shall ensure that Client Data cannot be copied (in particular stored on external data carriers), passed on and/or deleted.
Data Transfer Control. Data Sharing and Transfer Data transfer is done remotely and there is a log of all personnel who access it from our Hosting Provider. In addition, data is encrypted enroute in order to avoid a breach during sharing/transfer. The TolaData employees access the server and databases remotely and are required to not take local copies or use data carriers of client data. Furthermore employees are required to use only hardware and software that has been officially released by the company, not to print out any sensitive documents and not to forward information to external IT services. Data Entry Control Logging In the Data Centers, all measures are taken to ensure that it can be subsequently verified and established whether and by whom data has been entered, modified or removed in the data processing system (including automatic access login, password policy, analysis of log files for specific events.) Same applies to the TolaData software which automatically logs additions, edits and deletions of data by the user. Same applies to TolaData employees: access to data processing systems is only possible after login, no passing of passwords, password policy is in place on how to proceed if a password becomes known, automatic logging when entering, changing and deleting data.
Data Transfer Control. No unauthorised Reading, Copying, Changes or Deletions of Data with electronic transfer or transport, e.g.: Encryption, Virtual Private Networks (VPN), electronic signature; Data Entry Control Verification, whether and by whom personal data is entered into a Data Processing System, is changed or deleted, e.g.: Logging, Document Management Availability and Resilience (Article 32 Paragraph 1 Point b GDPR) Availability Control Prevention of accidental or wilful destruction or loss, e.g.: Backup Strategy (online/offline; on-site/off-site), Uninterruptible Power Supply (UPS), virus protection, firewall, reporting procedures and contingency planning Rapid Recovery (Article 32 Paragraph 1 Point c GDPR) (Article 32 Paragraph 1 Point c GDPR); Procedures for regular testing, assessment and evaluation (Article 32 Paragraph 1 Point d GDPR; Article 25 Paragraph 1 GDPR) Data Protection Management; Incident Response Management; Data Protection by Design and Default (Article 25 Paragraph 2 GDPR); Order or Contract Control No third party data processing as per Article 28 GDPR without corresponding instructions from the Client, e.g.: clear and unambiguous contractual arrangements, formalised Order Management, strict controls on the selection of the Service Provider, duty of pre-evaluation, supervisory follow-up checks. Signed for and on behalf of: Signed for and on behalf of: [insert name of Client] [insert name of Supplier] _______________________ _______________________ Name: Name: Title: Title: Date: Date:
