Date of creation: 08/09/2020

1 Availability (pursuant to Art. 32, Sec. 1, lit. b) GDPR)

1.1 Access control

All measures to prevent unauthorised access to the data processing facilities are listed below:

  • Motion detectors at the entrances
  • Automatic access control system
  • Chip cards / transponder systems
  • Manual locking system
  • Security locks and burglar-resistant doors
  • Doors with knob on the outside
  • Allocation of tokens for access
  • Careful selection of cleaning and security staff
  • Measures in case of loss of key / badge / dongle / token / chip


1.2 Access control

All measures to prevent unauthorised access to the data processing systems are listed below:

  • Login with username + password
  • Login with biometric data
  • Anti-Virus software clients
  • Firewall
  • Encryption of data carriers
  • External access only possible via VPN
  • Iphone encryption
  • System passwords at Apple
  • Encryption of notebooks / tablets
  • Automatic desktop lock
  • Creation and management of user profiles and permissions
  • “Secure Password” policy
  • “Clean desk” policy
  • “Manual desktop lock” instructions
  • Encryption for WiFi use (WPA2)


1.3 Access control

The following lists all measures to prevent unauthorised reading, copying,

alteration or deletion within the data processing systems:

  • External document shredder (DIN 66399)
  • Physical deletion of data carriers
  • Data protection safe


1.4 Separation control

Below is a list of all the measures taken to separate personal data collected for different purposes:

  • Separation of productive and test environment
  • Multi-client capability of relevant applications
  • Specification of database rights


There is no pseudonymisation of the data records.


2 Integrity (pursuant to Art. 32, Sec. 1, lit. b) GDPR)


2.1 Transmission control

Personal data must be adequately protected during electronic transmission to prevent unauthorised reading, copying, modification or removal. We have taken the following technical and organisational measures for this:

  • eMail encryption
  • Use of VPN
  • Provision via encrypted connections such as sftp, https
  • Use of signature procedures
  • Care in the selection of transport personnel and vehicles


2.2 Input control

We use the following measures to control whether and by whom personal data are entered into the data processing system, changed, blocked or deleted:

  • Manual or automated control of the logs
  • Traceability of entry, modification and deletion of data by
  • individual user names (not user groups)
  • Retention of forms from which data are transferred to automated processing operations
  • Have been applied


3 Availability and resilience (pursuant to Art. 32, Sec. 1, lit. b) GDPR)


3.1 Availability control

To ensure the availability and rapid recovery (Art. 32, Sec. 1, lit. c) GDPR) of personal data in the event of accidental or deliberate destruction or loss, we use the following measures:

  • Data protection safe (S60DIS, S120DIS, other suitable standards with expanding seal, etc.)
  • RAID system / hard disk mirroring
  • Regular archiving / backup of data
  • Storage of the backup media in a safe place outside the server room
  • Separate partitions for operating systems and data

4 Procedures for regular monitoring, assessment and evaluation (pursuant to Art. 32, Sec. 1, lit d) & Art. 25, Sec. 1 GDPR)


4.1 Data protection management

To ensure data protection in our company, we use the following measures for regular review, assessment and evaluation:

  • External data protection officer: Company SiDIT
  • Regular sensitisation of employees at least annually
  • The data protection impact assessment (DPIA) is carried out as required


4.2 Incident response management (pursuant to Art. 33 GDPR)

In case of the detection and notification of data protection breaches, we use the following measures:

  • Use of firewall and regular updating
  • Use of spam filters and regular updating
  • Use of virus scanner and regular updating
  • DPO involvement in security incidents and data breaches


4.3 Privacy-friendly default settings

Within the framework of data protection-friendly default settings, we use the following measures:

  • No more personal data is collected than is necessary for the respective purpose
  • Simple exercise of the right of withdrawal of the data subject by technical measures


4.4 Order control

In the case of processing orders, we ensure implementation through the following measures:

  • Selection of the contractor under due diligence aspects (especially in relation to
  • data protection and data security)
  • Conclusion of the necessary agreement to order processing and/or EU
  • Standard contract clauses
  • Written instructions to the contractor
  • Obligation of the contractor’s employees to maintain data secrecy
  • Agreement on effective control rights vis-à-vis the contractor
  • Regulation on the use of further subcontractors

As of: September 2020