Access Control Sample Clauses
Access Control. For the purposes of this Annex, access control means measures to ensure that persons entitled to use data processing systems have access only to the data which they have the right to access, and that personal data cannot be processed (read, copied, modified or removed) without authorisation while processing, using and after saving it. User rights are only ever granted to the minimum extent possible for the tasks performed by the respective employee. Authorisations are logged and regularly reviewed when they are granted and withdrawn. Access to personal data (read, edit, remove) is also logged and stored for 30 days. Access to the AWS server takes place via a private key file. Each of the employees responsible at the Data Processor receives their own key. Employees in other roles such as developers/testers do not have access to the servers on which the controller's personal data is processed.
Access Control. The principle of least privilege is used for providing logical access control. User access is provided via a unique user ID and password. HP’s password policy has defined complexity, strength, validity, and password-history related controls. Access rights are reviewed periodically and revoked upon personnel departure. User account creation and deletion procedures, as have been mutually agreed upon, are implemented to grant and revoke access to client systems used during the engagement.
