Annex to the AV Agreement:
Technical and organisational measures
18. June 2024

1. Confidentiality (pursuant to Art. 32, Sec. 1 lit. b) GDPR)

1.1. Admission control

All measures to prevent unauthorised access to the data processing facilities are listed below:

  • Motion detectors at the entrances
  • Automatic access control system
  • Chip cards / transponder systems
  • Manual locking system
  • Security locks and burglar-resistant doors
  • Doors with knob on the outside
  • Allocation of tokens for access
  • Careful selection of cleaning and security staff
  • Measures in case of loss of key / badge / dongle / token / chip

1.2. Access control

All measures to prevent unauthorised access to the data processing systems are listed below:

  • Login with username + password
  • Login with biometric data
  • Anti-Virus software clients
  • Firewall
  • External access through mobile / home office (e.g. PC / laptop)
  • External access by external service providers
  • External access via smartphones / tablets
  • Encryption of data carriers
  • Automatic desktop lock
  • Encryption of notebooks / tablets
  • Encryption for WiFi use (WPA2)
  • Creation and management of user profiles and permissions
  • “Manual desktop lock” instructions
  • “Secure password” policy
  • “Delete / destroy” policy
  • “Clean desk” policy
  • “Home / mobile office” policy
  • Mobile Device Policy

1.3. Access control

The following lists all measures to prevent unauthorised reading, copying, alteration or deletion within the data processing systems:

  • Document shredder
  • External document shredder
  • Physical deletion of data carriers
  • Authorisation concept(s)
  • Minimum number of administrators
  • Data protection vault
  • Management of user rights by administrators

1.4. Separation control

Below is a list of all the measures taken to separate personal data collected for different purposes:

  • Separation of productive and test environment
  • Physical separation (systems / databases / data carriers)
  • Multi-client capability of relevant applications
  • Needs-based access authorisations for employees
  • Definition of database rights

1.5. Pseudonymisation (Art. 32 Sec. 1 lit. a) & Art. 25 Sec. 1 GDPR)

The pseudonymisation of data records is implemented through the following measures:

No pseudonymisation of data records takes place.


2. Integrity (pursuant to Art. 32, Sec. 1, lit. b) GDPR)

2.1. Transmission control

Personal data must be adequately protected during electronic transmission to prevent unauthorised reading, copying, modification or removal. We have taken the following technical and organisational measures for this:

  • Email encryption
  • Use of VPN
  • Provision via encrypted connections such as SFTP and HTTPS
  • Use of signature procedures
  • Care in the selection of transport personnel and vehicles
  • Logging of accesses and retrievals in log files

2.2. Input control

We use the following measures to control whether and by whom personal data are entered into the data processing system, changed, blocked or deleted:

  • Technical logging of the entry, modification and deletion of data
  • Manual or automated control of logs
  • Software list with data processing programmes
  • Assignment of individual user names
  • Authorisation concept with assignment of user rights according to needs
  • Secure storage of documents in paper form

3. Availability and resilience (pursuant to Art. 32, Sec. 1, lit. b) GDPR)

3.1. Availability control

To ensure the availability and rapid recovery of personal data in the event of accidental or deliberate destruction or loss, we use the following measures:

  • Storage of backup media in a secure location outside the server room
  • Separate partitions for operating systems and data

Reev GmbH does not operate its own servers, but hosts the data in external data centres of the provider MCON with storage location in Germany. The TOMs are regularly checked within the scope of the respective order processing relationship.

We guarantee the quick restoration of availability (Art. 32 para. 1 lit. c) GDPR) through the following measures:

Reev GmbH does not operate its own servers, but hosts the data in external data centres of the provider MCON with storage location in Germany. The TOMs are regularly checked within the scope of the respective order processing relationship.

4. Procedures for regular monitoring, assessment and evaluation (pursuant to Art. 32, Sec. 1, lit. d) & Art. 25, Sec. 1 GDPR)

Date of evaluation of technical and organisational measures: 10.01.23

4.1. Data protection management

To ensure data protection in our company, we use the following measures for regular review, assessment and evaluation:

  • Software solutions for data protection management in use
  • Central documentation of all procedures and regulations on data protection, accessible to employees
  • A review of the effectiveness of the technical protection measures is carried out at least annually
  • External data protection officer: Sophie Hohmann, SiDIT GmbH, info@sidit.de
  • Internal Information Security Officer: José Carvalho, reev GmbH, josé.carvalho@reev.com
  • Employees trained and committed to confidentiality / data secrecy
  • Regular sensitisation of employees at least annually
  • Data protection impact assessment (DSFA) is carried out as required
  • The organisation complies with the information obligations according to Art. 13 and 14 GDPR
  • Formalised process for handling requests for information, deletion and data transfer from data subjects

4.2. Incident response management (pursuant to Art. 33 GDPR)

For the detection and notification of data protection breaches, we use the following measures:

  • Use of firewall and regular updating
  • Use of spam filter and regular updating
  • Use of virus scanner and regular updating
  • Documented process for detecting and reporting security incidents / data breaches
  • Documented procedure for dealing with security incidents
  • Involvement of DPO in security incidents and data breaches
  • Involvement of IPM in security incidents and data breaches
  • Documentation of security incidents and data breaches
  • Formal process and responsibilities for following up on security incidents and data breaches

4.3. Privacy-friendly default settings

Within the framework of data protection-friendly default settings, we use the following measures:

  • No more personal data is collected than is necessary for the respective purpose
  • Simple exercise of the right of withdrawal by the data subject through technical measures

4.4. Order control (Outsourcing)

In the case of processing orders, we ensure implementation through the following measures:

  • Prior examination of the security measures taken by the contractor and their documentation
  • Selection of the contractor under due diligence aspects (especially with regard to data protection and data security)
  • Conclusion of the necessary agreement on commissioned processing or EU standard contractual clauses
  • Written instructions to the contractor
  • Obligation of the contractor’s employees to maintain data secrecy
  • Obligation of the contractor to appoint a data protection officer where such an obligation exists
  • Agreement on effective control rights vis-à-vis the contractor
  • Regulation on the use of further subcontractors
  • Ensuring the destruction of data after termination of the contract
  • In the case of longer cooperation: ongoing review of the contractor and its level of protection
