Transcription
DPA ANNEX 1—TECHNICAL AND ORGANIZATIONAL MEASURES (TOM)AS OF: SEPTEMBER 2020—The present document supplements chapter 11 of the Data Processing Agreement (DPA) between Client and Contractorpursuant to Art 28 GDPR (EU General Data Protection Regulation).The technical and organizational measures are implemented by Anexia in accordance with Art 32 DSGVO. They arecontinuously improved by Anexia according to feasibility and state of the art - not least also in terms of the active ISO27001 certification - and brought to a higher level of security and protection.1. Confidentiality1.1. Physical Access ControlMeasures suitable for preventing unauthorized persons from gaining access to data processing systems with whichpersonal data are processed or used.Technical Measuresü Alarm systemü Automatic access control systemü Biometric access barriersü Smart cards / transponder systemsü Manual locking systemü Doors with knob outsideü Doorbell system with cameraü Video surveillance of entrancesü Biometric access control data centerOrganizational Measuresü Key regulation / Listü Reception / Receptionist / Gatekeeperü Visitors' book / Visitors' protocolü Employee / visitor badgesü Visitors accompanied by employeesü Care in selection of security guard personnelü Care in selection of cleaning servicesü Information Security Policyü Work instructions for operational safetyü Work instruction access control1.2. Logical Access ControlMeasures suitable for preventing data processing systems from being used by unauthorized persons.Technical Measuresü Login with username strong passwordü Anti-Virus Software Serversü Anti-Virus Software Clientsü Anti-virus software mobile devicesü Firewallü Intrusion Detection Systemsü Use of VPN for remote accessü Encryption of data carriersü Encryption of smartphonesü Automatic desktop lockü Encryption of notebooks / tabletü Two-factor authentication in data centeroperation and for critical systemsDPA-Art-28-GDPR Version-3 ANX-AT enUS ANNEX-1Organizational Measuresü User permission managementü Creating user profilesü Central password assignmentü Information Security Policyü Work instruction IT user regulationsü Work instruction operational securityü Work instruction access controlü Mobile Device PolicyPage 1 of 8
1.3. Authorization ControlMeasures to ensure that those authorized to use a data processing system can only access the data subject to their accessauthorization and that personal data cannot be read, copied, modified or removed without authorization duringprocessing, use and after storage.Technical Measuresü File shredder min. recommended security levelP-4 (DIN 66399)ü External destruction of files at leastrecommended security level P-6 (DIN 66399)ü Physical deletion of data carriersü Logging of accesses to applications, specificallywhen entering, changing, and deleting dataü SSH encrypted accessü Certified SSL encryptionOrganizational Measuresü Use of authorization conceptsü Minimum number of administratorsü Management of user rights by administratorsü Information Security Policyü Work instruction communication securityü Work instruction Handling of information and values1.4. Separation ControlMeasures that ensure that data collected for different purposes can be processed separately. This can be ensured, forexample, by logical and physical separation of the data.Technical Measuresü Separation of productive and test environmentü Physical separation (systems / databases / datacarriers)ü Multi-tenancy of relevant applicationsü VLAN segmentationü Client systems logically separatedü Staging of development, test and productionenvironmentOrganizational Measuresü Control via authorization conceptü Determination of database rightsü Information Security Policyü Data Protection Policyü Work instruction operational securityü Work instruction security in software development1.5. PseudonymizationThe processing of personal data in such a way that the data can no longer be attributed to a specific data subject withoutthe use of additional information, provided that such additional information is kept separately and is subject toappropriate technical and organizational measures.Technical Measuresü In case of pseudonymization: separation of theallocation data and storage in separate system(encrypted)ü log files are pseudonymized at the request ofthe clientDPA-Art-28-GDPR Version-3 ANX-AT enUS ANNEX-1Organizational Measuresü Internal instruction to anonymize/pseudonymizepersonal data as far as possible in the event ofdisclosure or even after the statutory deletionperiod has expiredü Information Security Policyü Data Protection Policyü Specific internal regulations on cryptographyPage 2 of 8
2. Integrity2.1. Transfer ControlMeasures to ensure that personal data cannot be read, copied, altered or removed by unauthorized persons duringelectronic transmission or while being transported or stored on data media, and that it is possible to verify and establishto which entities personal data are intended to be transmitted by data transmission equipment.Technical Measuresü Use of VPNü Logging of accesses and retrievalsü Provision via encrypted connections such assftp, https and secure cloudstoresü Use of signature procedures (casedependent)Organizational Measuresü Survey of regular retrieval and transmissionprocessesü Transmission in anonymized or pseudonymizedformü Careful selection of transport personnel andvehiclesü Personal handover with protocolü Information Security Policyü Data Protection Policy2.2. Input ControlMeasures that ensure that it is possible to check and establish retrospectively whether and by whom personal data hasbeen entered into, modified or removed from data processing systems. Input control is achieved through logging, whichcan take place at various levels (e.g., operating system, network, firewall, database, application).Technical Measuresü Technical logging of the entry, modificationand deletion of dataü Manual or automated control of the logs(according to strict internal specifications)DPA-Art-28-GDPR Version-3 ANX-AT enUS ANNEX-1Organizational Measuresü Survey of which programs can be used to enter,change or delete which dataü Traceability of data entry, modification and deletionthrough individual user names (not user groups)ü Assignment of rights to enter, change and deletedata on the basis of an authorization conceptü Retention of forms from which data has beentransferred to automated processesü Clear responsibilities for deletionsü Information Security Policyü Work instruction IT user regulationsPage 3 of 8
3. Availability and Resilience3.1. Availability ControlMeasures to ensure that personal data is protected against accidental destruction or loss (UPS, air conditioning, fireprotection, data backups, secure storage of data media, virus protection, raid systems, disk mirroring, etc.).Technical Measuresü Fire and smoke detection systemsü Fire extinguisher server roomü Server room monitoring temperature andhumidityü Server room air-conditioningü UPS system and emergency diesel generatorsü Protective socket strips server roomü RAID system / hard disk mirroringü Video surveillance server roomü Alarm message in case of unauthorizedaccess to server roomOrganizational Measuresü Backup conceptü No sanitary connections in the server roomü Existence of an emergency planü Storage of backup media in a secure locationoutside the server roomü Separate partitions for operating systems and datawhere necessaryü Information Security Policyü Work instruction operational securityü Regular testing of the diesel aggregates3.2. Recoverability ControlMeasures capable of rapidly restoring the availability of and access to personal data in the event of a physical or technicalincident.Technical Measuresü Backup monitoring and reportingü Restorability from automation toolsü Backup concept according to criticality andcustomer specificationsDPA-Art-28-GDPR Version-3 ANX-AT enUS ANNEX-1Organizational Measuresü Recovery conceptü Control of the backup processü Regular testing of data recovery and logging ofresultsü Storage of backup media in a safe place outsidethe server roomü Existence of an emergency planü Information Security Policyü Work instruction operational securityPage 4 of 8
4. Procedures for regular Review, Assessment and Evaluation4.1. Data Protection ManagementTechnical Measuresü Central documentation of all data protectionregulations with access for employeesü Security certification according to ISO 27001ü A review of the effectiveness of the TOMs iscarried out at least annually and TOMs areupdatedü Data protection checkpoints consistentlyimplemented in tool-supported riskassessmentOrganizational Measuresü Internal data protection officer appointed: GroupData Protection Officer, DPOü Staff trained and obliged to confidentiality/datasecrecyü Regular awareness trainings at least annuallyü Internal Information Security Officer appointed:Group Information Security Officer, ISOü Data Protection Impact Assessment (DPIA) is carriedout as requiredü Processes regarding information obligationsaccording to Art 13 and 14 GDPR establishedü Formalized process for requests for informationfrom data subjects is in placeü Data protection aspects established as part ofcorporate risk managementü ISO 27001 certification of key parts of the companyincluding data center operations and annualmonitoring audits4.2. Incident Response ManagementSupport for security breach response and data breach process.Technical Measuresü Use of firewall and regular updatingü Use of spam filter and regular updatingü Use of virus scanner and regular updatingü Intrusion Detection System (IDS) for customersystems on orderü Intrusion Prevention System (IPS) for customersystems on orderDPA-Art-28-GDPR Version-3 ANX-AT enUS ANNEX-1Organizational Measuresü Documented process for detecting and reportingsecurity incidents / data breaches (also with regardto reporting obligation to supervisory authority)ü Formalized procedure for handling securityincidentsü Involvement of DPO and ISO in security incidentsand data breachesü Documentation of security incidents and databreaches via ticket systemü A formal process for following up on securityincidents and data breachesü Information Security Policyü Data Protection Policyü Work instruction oprational securityü Work instruction IT user regulationsPage 5 of 8
4.3. Data Protection by Design and by DefaultMeasures pursuant to Art 25 GDPR that comply with the principles of data protection by design and by default.Technical Measuresü No more personal data is collected than isnecessary for the respective purposeü Use of data protection-friendly default settingsin standard and individual softwareOrganizational Measuresü Data Protection Policy (includes principles "privacyby design / by default")ü OWASP Secure Mobile Development SecurityChecks are performedü Perimeter analysis for web applications4.4. Order Control (outsourcing, subcontractors and order processing)Measures to ensure that personal data processed on behalf of the client can only be processed in accordance with theclient's instructions.Technical Measuresü Monitoring of remote access by externalparties, e.g. in the context of remote supportü Monitoring of subcontractors according to theprinciples and with the technologies accordingto the preceding chapters 1, 2Organizational Measuresü Work instruction supplier management and supplierevaluationü Prior review of the security measures taken by thecontractor and their documentationüüüüüüüüüDPA-Art-28-GDPR Version-3 ANX-AT enUS ANNEX-1Selection of the contractor under due diligenceaspects (especially with regard to data protectionand data security)Conclusion of the necessary data processingagreement on commissioned processing or EUstandard contractual clausesFramework agreement on contractual dataprocessing within the group of companiesWritten instructions to the contractorObligation of the contractor's employees tomaintain data secrecyAgreement on effective control rights over thecontractorRegulation on the use of further subcontractorsEnsuring the destruction of data after terminationof the contractIn the case of longer collaboration: ongoing reviewof the contractor and its level of protectionPage 6 of 8
5. Organization and Data Protection at AnexiaIn its strategic guideline Quality, Risk and Compliance Policy, the Anexia Group of Companies has set itself the goal, amongother things, of providing its customers with the products and services to be delivered at the highest possible level ofinformation security in compliance with the law. This guideline provides the framework for transparent, sustainable,process-based and risk-oriented management of the corporate group within the framework of an IntegratedManagement System (IMS).In this context, Anexia has established a distinctive cross-sectional security organization to ensure comprehensiveprotection of its own corporate information and data as well as protection of the data of its customers and clients. Thefunctions of Information Security Officer (ISO), Data Protection Officer (DPO), Quality Officer (QO), Risk Officer (RO) andLegal Compliance Officer (LCO) with group-wide responsibility and direct authority in these areas of activity have beenestablished within the staff department "Quality, Risk & Compliance", which is directly assigned to the CEO, and acomprehensive set of internal guidelines and regulations ("Anexia Corporate Binding Rules" on information security anddata protection, among other things) has been established, which is binding for all employees and defines secure anddata protection-compliant handling of information and data.Employees are continuously informed and trained in the area of data protection. In addition, all employees arecontractually bound to data secrecy and confidentiality. External parties who may come into contact with personal datain the course of their work for Anexia are obligated to maintain secrecy and confidentiality as well as to comply with dataprotection and data secrecy by means of a so-called NDA (Non-Disclosure Agreement) before they begin their work.All affiliated companies of the Anexia group of companies within the EU or the EEA have concluded a joint frameworkagreement on data protection and commissioned data processing as a binding written legal instrument pursuant to Art28 GDPR in order to ensure a uniformly high standard of data protection and data security across the entire group andto clearly regulate the rights and obligations for any commissioned data processing.Any subcontractors entrusted with further processing (as “other processors”) are only used after approval by the Clientas the “controller” and after conclusion of a Data Processing Agreement (DPA) in accordance with Art 28 GDPR, withwhich they are fully bound by all data protection obligations to which Anexia itself is subject.All of these organizational measures are flanked by Anexia's current, high technical security standards, and bothdimensions are periodically reviewed and confirmed for adequacy and effectiveness in the course of ongoing internalaudits and annually by independent, external, DAkkS-accredited certification bodies as part of the ISO 9001 and ISO 27001monitoring and re-certification audits.DPA-Art-28-GDPR Version-3 ANX-AT enUS ANNEX-1Page 7 of 8
6. CertificationsBoth the Quality Management System according to ISO 9001 and the Information Security Management Systemaccording to ISO 27001 of essential parts of Anexia incl. data center operation are certified by the independent TÜV NORDCERT GmbH.Measures overview:MeasureGDPR compliant implementedCommentsPhysical Access ControlPISO 27001 & ISO 9001 certifiedLogical Access ControlPISO 27001 & ISO 9001 certifiedAuthorization ControlPISO 27001 & ISO 9001 certifiedSeparation ControlPISO 27001 & ISO 9001 certifiedPseudonymizationPISO 27001 & ISO 9001 certifiedTransfer ControlPISO 27001 & ISO 9001 certifiedInput ControlPISO 27001 & ISO 9001 certifiedAvailability ControlPISO 27001 & ISO 9001 certifiedRecoverability ControlPISO 27001 & ISO 9001 certifiedData Protection ManagementPISO 27001 & ISO 9001 certifiedIncident Response ManagementPISO 27001 & ISO 9001 certifiedPrivacy by Design and by DefaultPISO 27001 & ISO 9001 certifiedOrder ControlPISO 27001 & ISO 9001 certifiedOrganizationPISO 27001 & ISO 9001 certifiedDPA-Art-28-GDPR Version-3 ANX-AT enUS ANNEX-1Page 8 of 8
27001 certification - and brought to a higher level of security and protection. 1. Confidentiality 1.1. Physical Access Control Measures suitable for preventing unauthorized persons from gaining access to data processing systems with which personal data are processed or used. Technical Measures Organizational Measures
