Common use of Technical and Organisational Security Measures Clause in Contracts

Technical and Organisational Security Measures. The Data Processor shall, taking into consideration the current technical capabili- ties, implementation costs and the nature of the processing in question, its scope, content, and purpose, in addition to the likelihood of risks materialising and their impact on the rights of physical individuals and their rights to freedom, implement appropriate technical and organisational measures to, among other things, prevent the occurrence of: • accidental or illegal destruction, loss, or change • unauthorised transfer, access or misuse • other illegal processing, cf. Security Annex attached as Appendix 3 6.1 The Data Processor must be able to demonstrate to the Data Controller that the Data Processor has the necessary technical and organisational security measures in place. The Parties agree that the guarantees stated in Appendix 3 are sufficient at the moment of entering into this Data Processing Agreement. 6.2 Without undue delay and no later than 24 hours after the Data Processor has be- come aware of a security breach, the Data Processor shall notify the Data Controller in writing of this. This notification shall, at a minimum, and to the extent possible in light of the nature of the incident, include the following: 1) information on the nature of the found security breach, 2) what categories of registered individuals is affected by it, and 3) an approximate number of the affected registered individuals, including categories of comprehensive personal data and the number of these in addition to what preventive or mitigating measures the Data Processor has imple- mented as a result of the found security breach. 6.3 Upon written request, the records must be made available to the Data Controller or the supervising authorities.

Technical and Organisational Security Measures. The Data Processor shall, taking into consideration the current technical capabili- tiescapabilities, implementation im- plementation costs and the nature of the processing in question, its scope, content, and purpose, in addition to the likelihood of risks materialising and their impact on the rights of physical individuals and their rights to freedom, implement appropriate technical and organisational measures to, among other things, prevent the occurrence of: •  accidental or illegal destruction, loss, or change •  unauthorised transfer, access or misuse • other illegal processing, cf. Security Annex attached as Appendix 3misuse 6.1 The Data Processor must be able to demonstrate to the Data Controller that the Data Processor has the necessary technical and organisational security measures in place. The Parties agree that the guarantees stated in Appendix 3 are sufficient at the moment of entering into this Data Processing Agreement. 6.2 Without undue delay and no later than 24 hours after the Data Processor has be- come become aware of a security breach, the Data Processor shall notify the Data Controller in writing of this. This notification shall, at a minimum, and to the extent possible in light of the nature of the incident, include the following: 1) information on the nature of the found security breach, 2) what categories of registered individuals is affected by it, and 3) an approximate number of the affected registered individuals, including categories of comprehensive com- prehensive personal data and the number of these in addition to what preventive or mitigating miti- gating measures the Data Processor has imple- mented implemented as a result of the found security breach. 6.3 Upon written request, the records must be made available to the Data Controller or the supervising authorities.