Processing safety Clause Samples

Processing safety. (1) The Technical and Organizational Measures described in Appendix 1 are defined as binding. They define the minimum owed by the Contractor. The description of the measures must be made in such detail that a knowledgeable third party can at any time undoubtedly recognize from the description alone what the minimum owed is to be. A reference to information which cannot be taken directly from this agreement or its appendices is not permissible.
(2) The Contractor shall establish security pursuant to Art. 28 Para. 3 lit. c, 32 DS-GVO, in particular in connection with Art. 5 Para. 1, Para. 2 DS-GVO. Overall, the measures to be taken are data security measures and to ensure a level of protection appropriate to the risk with regard to confidentiality, integrity, availability and the resilience of the systems. The state of the art, the implementation costs and the nature, scope and purposes of the processing as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons within the meaning of Article 32 (1) of the GDPR must be taken into account.
(3) The data security measures may be adapted in accordance with the technical and organizational further development as long as the level agreed here is not undercut. The Contractor shall implement any changes required to maintain information security without delay. The Customer shall be notified of any changes without delay. Significant changes shall be agreed between the parties.
(4) Insofar as the security measures taken do not or no longer meet the requirements of the Customer, the Contractor shall notify the Customer without delay.
(5) Copies or duplicates shall not be made without the knowledge of the client. Technically necessary, temporary duplications are excepted, insofar as an impairment of the level of data protection agreed here is excluded.
(6) Dedicated data carriers originating from the Client or used for the Client shall be specially marked and shall be subject to ongoing management. They must be stored appropriately at all times and must not be accessible to unauthorized persons. Inputs and outputs are documented.
Processing safety. (a) The processor implements at least the technical and organizational measures to ensure the security of personal data. These measures include the protection of data against any breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data (personal data breach). In assessing the appropriate level of security, the parties shall take due account of the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risks to data subjects.
(b) The subcontractor shall grant members of its staff access to the personal data being processed only to the extent strictly necessary for the performance, management and monitoring of the contract. The processor shall ensure that persons authorized to process personal data undertake to respect confidentiality or are subject to an appropriate legal obligation of confidentiality.
Processing safety. The level of security must reflect: That it is not a matter of processing personal data covered by Article 9 of the General Data Protection Regulation on "special categories of personal data", which is why there is no requirement that a "high" level of security must be established.
• The data processor is then entitled and obliged to make decisions about which technical and organisational security measures are to be used in order to create the necessary (and agreed) level of security around the data.
• However, the Data Processor must – in all cases and as a minimum – implement the following measures agreed with the Data Controller (based on the risk assessment carried out by the Data Controller):
• Access to Flea Lover is through encrypted channels
• User access is through https, with a certificate issued by the Internet Security Research Group (ISRG).
• It can be accessed when the client has knowledge of the username and password. Both parameters are case sensitive.
• Furthermore, https access can be granted via API.
• Data is processed and stored on servers provided by Digital Ocean LLC, with whom there is a data processing agreement. This person is responsible for ensuring the ongoing confidentiality, integrity, availability and robustness of processing systems and services, as well as securing against unauthorized physical/technical access.
• NoviPOS ApS ensures the necessary functionality in relation to traceability in searches for personal data and the data controller's need for anonymization of personal data.
Processing safety. The level of security must reflect: The processing of personal data relates entirely to personal data of a general nature, cf. GDPR Art 6. Accordingly, no personal data are processed, cf. GDPR Art 9. However, the processing involves a large amount of personal data of users, including children under 16 years of age. The data processor is then entitled and required to decide on the technical and organizational security measures to be implemented to establish the necessary (and agreed) level of security. However, the data processor must - in any case and as a minimum - apply the following measures agreed with the data controller:
• Access to all data processor systems is secured with MFA and all data processor employees with access to operational environments have signed an enhanced privacy statement.
• The primary operating environment is AWS in Ireland, where data is hosted and where AWS's built-in CloudTrail is enabled. This means that all data processor employee logins and actions performed in operational environments are logged for 90 days. Audit logs are continuously monitored.
• The products use both "in transit" and "at rest" encryption. This means, among other things, that all connections to the backend are encrypted with TLS v1.3 "in transit". Encryption "at rest" depends on the media, but AES256 is most used.
• Encryption keys and certificates are issued via Let's Encrypt, AWS KMS or ACM.
• The data processor carries out continuous operational monitoring of the IT systems.
• Access to the data processor's network is secured, among other things, by using a firewall, VPN client and protected WiFi.
Processing safety. 6.1 The contractor is responsible, according to Article 32 DSGVO, to take all necessary and suitable technical and organizational measures–taking into account the state of technology, the cost of implementation, the scope, circumstance and the purpose of processing client data, as well as the various likelihood and risks to the rights and freedoms of the affected persons–to guarantee an adequate level of protection against any risks to any client data.
6.2 The contractor has the right to change or adapt any technical and organizational measures throughout the term of the contract, as long as they fulfill and follow legal requirements.