PLEASE READ THIS DATA PROCESSING AGREEMENT (HEREINAFTER CALLED THE “DPA") CAREFULLY AS IT FORMS A BINDING CONTRACT BETWEEN THE CLIENT AND INSIGHT. INSIGHT AND CLIENT ARE INDIVIDUALLY REFERRED TO AS “PARTY” AND COLLECTIVELY AS “PARTIES".

THIS AGREEMENT IS INCORPORATED INTO AND FORMS PART OF THE SUPPLY AGREEMENT BETWEEN THE PARTIES THAT REFERENCES IT. THE SUPPLY AGREEMENT BETWEEN THE PARTIES MAY REQUIRE THAT INSIGHT ACCESSES AND PROCESSES PERSONAL DATA ON BEHALF OF THE CLIENT. THIS DPA TOGETHER WITH ITS EXHIBIT(S) SPECIFY THE OBLIGATIONS OF THE PARTIES WHEN INSIGHT ACTS AS A PROCESSOR AND CLIENT AS A CONTROLLER.

The “Effective Date” of this DPA is the effective date of the Supply Agreement referencing this DPA.

AGREEMENT

This Data Processing Agreement has been entered into by and between the Insight entity (“Insight”) and the Client entity (“Client”) specified in the applicable Supply Agreement:

WHEREAS

  1. Client and Insight have entered and/or may enter into agreement(s) regarding the supply of IT products and/or IT services (together the “Services”) as may be further detailed in statements of work (“SOWs”) and/or purchase orders and related documents (“Orders”) (together the “Supply Agreements”);
  2. Pursuant to the Supply Agreements, Insight may process personal data that is subject to the Data Protection Legislation on behalf of Client in its performance and support of the Services and to comply with its other obligations under the Supply Agreements (“Data”) on the terms of this Agreement, and this Agreement applies to Insight’s processing of such Data for those Services.

THE PARTIES HAVE AGREED ON THE FOLLOWING:

1. Definitions

1.1. All capitalized terms not defined in this Agreement shall have the meanings set forth in the Supply Agreement. In this Agreement, the following terms shall have the following meanings:

(a)  “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

(b)  "controller", "processor", "data subject", "personal data", and "processing" shall have the meanings given in the Data Protection Legislation.

(c)  “Data” shall have the meaning given in section (b) of the preamble above. For purposes of this Agreement, Data is limited to that which is processed by Insight on behalf of Client in connection with the provision of the Services.

(d)  "Data Protection Legislation" shall mean as applicable to Insight in its processing of the Data, any laws, rules or regulations relating to data privacy, trans-border data flow or data protection, including, but not limited to: (i) all applicable European and/or United Kingdom data protection legislation including the UK Data Protection Act 2018 (“UK GDPR”), the General Data Protection Regulation ((EU) 2016/679) (“GDPR”), the Swiss Federal Data Protection Act (“Swiss DPA”), and any national implementing laws, regulations and secondary legislation, as amended or succeeded from time to time, in the UK, Switzerland or the EU and any individual member state; (ii) any other privacy and data security law, rule, regulation, declaration, decree, directive, statute, or other enactment, order, mandate or resolution issued or enacted by any governmental entity (including any domestic or foreign, supra-national, state, county, municipal, local, territorial or other government) applicable to the protection of the personally identifiable information or data of natural persons or households, including, but not limited to the California Consumer Privacy Act of 2018 and the California Consumer Privacy Rights Act of 2020 (collectively, the “CCPA/CPRA”), as amended, and any other laws of the individual states or the federal government of the United States of America, and (iii) any laws, rules, regulations, declarations, decrees, directives, statutes, or other enactments, orders, mandates, or resolutions issued or enacted by any governmental entity (including any domestic or foreign, supra-national, state, county, municipal, local, territorial, or other government) that replace, extend, re-enact, consolidate or amend any of the foregoing.

(e)  “EEA” shall mean the European Economic Area.

(f)  “Order” shall have the meaning given in section (a) of the preamble above.

(g) “Security Incident” means the confirmed accidental or unlawful destruction, and/or loss, alteration, unauthorised disclosure of, and/or access to the Data in Insight’s possession or control (e.g., maintained on Insight’s electronic systems or physically located at Insight’s facilities).

(h) “Services” shall have the meaning given in section (a) of the preamble above.

(i) “SOW” shall have the meaning given in section (a) of the preamble above.

(j) “Standard Contractual Clauses” means (i) where the GDPR applies, the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council ("EU SCCs"); (ii) where the UK GDPR applies, the applicable standard data protection clauses adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR ("UK SCCs"); and (iii) where the Swiss DPA applies, the applicable standard data protection clauses issued, approved or recognised by the Swiss Federal Data Protection and Information Commissioner (the "Swiss SCCs").

(k) “Sub-processor” shall have the meaning given in section 5.1 below.

(l)  “Supply Agreement” shall have the meaning given in section (a) of the preamble above.

(m) “TOMs” shall have the meaning given in section 4.1 below.

(n)  “UK” shall mean the United Kingdom.

2.  Relationship of the Parties

2.1.  Insight and Client shall comply with the Data Protection Legislation. Client is the data controller of any Data processed by Insight for the purpose of performing the Services. Except to the extent where Insight is considered a data controller pursuant to Data Protection Legislation, Insight shall process such Data as a data processor on Client's behalf and in accordance with Client's documented instructions (and such instructions are to process the Data as required to perform the Services and otherwise fulfil the obligations of the Supply Agreements). Client warrants that it has the lawful right and authority to provide the Data to Insight for Insight to process the Data in connection with the performance of the Services and this Agreement and that any Data provided or otherwise made available to Insight has been processed in accordance with the Data Protection Legislation.

3.  Obligations of Insight

3.1.  Insight shall, in relation to Data processed in connection with the performance of the Supply Agreements:

a) process Data specifically for the performance of the Services; and

b) ensure that all personnel of Insight who access Data (i) have a need to know or access the Data as necessary for the purposes of performing and/or supporting the Services under the Supply Agreements or to comply with Data Protection Legislation in the context of that individual’s duties to Insight, and (ii) do so under obligations of confidentiality.

4.  Security measures

4.1.  Insight shall, in relation to any Data processed in connection with the performance by Insight of its obligations under the Supply Agreement and taking into account the nature and scope of Insight’s processing of the Data, have in place appropriate technical and organisational measures (“TOMs”) as required under Data Protection Legislation, including without limitation to protect against unauthorised or unlawful processing of Data and against accidental loss or destruction of, unauthorized disclosure of, or access to or damage to, the Data. Insight’s current TOMs are detailed in Schedule 2.

5.  Sub-processors

5.1.   Client generally authorises Insight to (a) appoint third parties to process Data (“Sub-processors”) and (b) to transfer the Data to such third parties including, without limitation, those within Insight’s group of companies, including its Affiliates, for the performance of the Services. Insight and Insight’s Affiliates may engage Sub-processors in connection with the performance of the Services. Insight shall ensure that its Sub-processors enter into contractual obligations for the protection of Data in accordance with Data Protection Legislation. The Sub-processors currently engaged by Insight and authorised by Client are described at https://www.insight.com/en_US/help/terms-and-policies/sub-processors.html. Client hereby consents to these Sub-processors, their locations, and processing activities as it pertains to Data.

5.2.  Insight shall: (a) make available an up-to-date list of the Sub-processors it has appointed upon written request from Client; and (b) undertake to notify Client if it adds any new Sub-processors at least ten (10) calendar days prior to allowing such Sub-processor to process Data by submitting a written notification to the email address notified by Client in writing at https://www.insight.com/en_US/help/terms-and-policies/sub-processors.html to Insight for this purpose, in which case Client agrees to subscribe to these notifications in the manner provided by Insight. Client may reasonably object in writing to Insight’s appointment of a new Sub-processor within five (5) calendar days of such notice, provided that such objection is based on reasonable grounds relating to data protection. In such event, the Parties will discuss such concerns in good faith with a view to achieving resolution. If the Parties are not able to achieve resolution, Client or Insight, as its sole and exclusive remedy, may terminate for convenience the specific Services supplied pursuant to the Supply Agreement that rely upon and cannot be provided without the appointment of the new Sub-processor.

6.  International transfers

6.1.  Client authorises Insight to transfer and process the Data outside of the originating country, including the EEA, the UK and Switzerland in order to comply with the Supply Agreement or to perform and/or support the Services, provided that Insight has taken such measures such that the transfer and resulting processing is subject to a compliant transfer mechanism where one is required by Data Protection Legislation.

6.2.  If any Data (protected by the GDPR, UK GDPR or Swiss DPA) is transferred to any third party located in a country outside the EEA, the UK and/or Switzerland that the applicable authorities have not recognized as providing an adequate level of protection for personal data, then the Standard Contractual Clauses shall apply, or other alternative transfer mechanism (e.g., Binding Corporate Rules) permitted by Data Protection Legislation. To the extent that Client within region is transferring Data directly to Insight outside of the EEA, UK, or Switzerland and (where required) pursuant to the Data Protection Legislation, which direct transfer is reflected in, or reasonably follows from the (territorial) scope and purpose of the relevant Services agreement and/or as further detailed in (the manner of placing) Supply Agreements, Client is considered a data controller and data exporter and Insight is considered a data processor and data importer. Schedule 1 shall be used to document the subject-matter, nature and purpose of the data processing in respect of any such exports of Data, which may be further specified or superseded in a specific Supply Agreement.

6.3.  In relation to transfers of Data protected by the GDPR, the EU SCCs shall apply, completed as follows:

6.3.1.  Module Two – Controller to Processor will apply;

6.3.2.  In Clause 7, the optional docking clause will not apply;

6.3.3.  In Clause 9, Option 2 will apply, and the time period for prior notice of Sub-processor changes shall be set out in Section 5.2 of this Agreement;

6.3.4.  In Clause 11, the optional language will not apply;

6.3.5.  In Clause 17, Option 1 will apply, and the EU SCCs will be governed by Dutch law;

6.3.6.  In Clause 18(b), disputes shall be resolved before the courts of the Netherlands;

6.3.7.  Annex I of the EU SCCs shall be deemed completed with the information set out in Schedule 1 to this Agreement, as applicable; and

6.3.8.  Annex II of the EU SCCs shall be deemed completed with the information set out in Schedule 2 to this Agreement.

6.4.  In relation to transfers of Client Data protected by the UK GDPR, the UK SCCs shall apply, completed as follows:

6.4.1.  In Table 1 of the UK SCCs, the parties’ details and key contact information are located in Annex 1(A) of Schedule 1 of this Agreement;

6.4.2.  In Table 2 of the UK SCCs, information about the version of the Approved EU SCCs, modules and selected clauses which this UK International Data Transfer Agreement is appended to is located in Section 6.3 of this Agreement;

6.4.3.  In Table 3 of the UK SCCs: The list of Parties is located in Annex 1(A) of Schedule 1. The description of the transfer is set forth in Annex 1(B) (Nature and Purpose of the Processing) of Schedule 1 (Description of the Processing/Transfer). Annex II is located in Schedule 2. The list of Sub-processors is located at https://www.insight.com/en_US/help/terms-and-policies/sub-processors.html; and

6.4.4.  In Table 4 of the UK SCCs, both the importer and the exporter may terminate the UK SCCs in accordance with the terms of the UK SCCs.

6.5.  In case of any transfers of Data from the United Kingdom and/or transfers of Data from Switzerland, (a) general and specific references in the EU SCCs to GDPR or EU or member state law shall have the same meaning as the equivalent reference in the Data Protection Legislation of the United Kingdom or Switzerland, as applicable; and (b) any other obligation in the EU SCCs determined by the member state in which the data exporter or data subject is established shall refer to an obligation under the UK GDPR or the Swiss DPA, as applicable. To the extent that and for so long as the EU SCCs as implemented in accordance with this Agreement cannot be relied on by the Parties to lawfully transfer Data in compliance with the UK GDPR or the Swiss DPA, as applicable, the applicable standard data protection clauses issued, adopted or permitted under the UK GDPR or the Swiss DPA, as applicable, shall be incorporated by reference, and the annexes, appendices or tables of such clauses shall be deemed populated with the relevant information set out in Schedules 1 and 2 of this Agreement.

7.  Cooperation: Data Subject Rights, Requests and Assistance

7.1.  Insight shall provide reasonable and timely assistance to Client (at Client's expense) to enable Client to respond to:

a)  any request from a data subject to exercise any of its rights under Data Protection Legislation (including its rights of access, correction, objection, erasure and data portability, as applicable) (“Data Subject Request”); and

b)  any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Data.

7.2.  If Insight receives a Data Subject Request and to the extent Insight is considered a data processor pursuant to a Supply Agreement, Insight will:

a)  promptly redirect the data subject to Client; and

b)  not respond to that Data Subject Request except on the documented instructions of Client, or as required by Data Protection Legislation to which Insight may be subject, in which case Insight, to the extent permitted by the Data Protection Legislation, shall inform Client of that legal requirement before Insight responds to the Data Subject Request.

7.3.  Insight shall provide reasonable assistance following written request to assist Client to comply with its obligations under Data Protection Legislation, including with respect to Security Incident notifications, data protection impact assessments, and consultations with supervisory authorities or regulators; this includes providing Client with reasonable information known to Insight.

8.  Security incidents

8.1.  If Insight becomes aware of a Security Incident, Insight shall inform Client without undue delay and shall provide reasonable information in Insight’s possession and reasonable cooperation to Client so that Client can fulfil any data breach reporting obligations it may have under (and in accordance with the timescales required by) Data Protection Legislation. 

8.2.  Insight shall further take reasonably necessary measures and actions to remedy or mitigate the effects of the Security Incident and shall keep Client informed on material developments in connection with the Security Incident.

9.   Deletion or Return of Data

9.1.  Upon termination or expiry of this Agreement, Insight shall destroy (to the extent technically practicable) or return to Client on Client's written request all Data in its possession or control.

9.2.  This requirement shall not apply to the extent that Insight is required by applicable law to retain some or all of the Data, or to Data it has archived on back-up systems, which Data Insight shall, in accordance with the standards in this Agreement, securely isolate and protect from any further processing except to the extent required by such law. Insight’s obligations under this Agreement with respect to the Data Insight has retained shall continue for so long as Insight retains any such Data.

10.  Liability 

10.1.  To the extent that the Supply Agreements consist of Insight’s standard online contract terms and conditions of trading, the exclusions and limitations on liability contained in those standard terms shall apply to any liability arising under or in respect of this Agreement, otherwise the rest of this Section 10 shall apply.

10.2.  Notwithstanding anything to the contrary in this Agreement or the Supply Agreements (including any limitation of liability provisions, exclusions thereto, or order-of-precedence provisions), to the maximum extent permissible under applicable law (including without limitation Applicable Data Protection Legislation), subject to Section 10.3, the total amount of Insight’s liability arising out of or related to this Agreement (including but not limited to any breach of this Agreement) for any and all claims or obligations of any kind or nature on an aggregate basis shall not exceed: (a) for Insight’s Services, the total amount paid by the Client to Insight under the relevant statement(s) of work (entered into pursuant to the Supply Agreement) for the Services giving rise to the liability during the twelve (12) month period immediately prior to the date the liability first arose; and (b) for products, the total amount paid by Client to Insight under the relevant purchase order(s) (entered into pursuant to the Supply Agreement) for the products giving rise to the liability.

10.3.  Neither Party excludes or limits liability to the other Party under this Agreement for: (a) fraud; (b) death or personal injury to the extent caused by negligence; or (c) any claim or liability insofar as it would be unlawful to exclude or limit such liability.

10.4.  Subject to Section 10.3, to the maximum extent permissible under applicable law (including without limitation Applicable Data Protection Legislation), Insight shall not in any circumstances be liable under or in connection with this Agreement no matter how the liability arises, whether in contract, tort (including for negligence), breach of statutory duty, misrepresentation (whether innocent or negligent), restitution, or otherwise, for any: (a) loss (whether direct or indirect) of profits, business, business opportunities, revenue, turnover, reputation, or goodwill; (b) loss (whether direct or indirect) of anticipated savings or wasted expenditure (including management, consultant, professional or expert time); or (c) incidental, consequential, indirect or special damages.

11.  CCPA/CPRA

11.1.  To the extent Insight is a service provider, as defined under CCPA/CPRA (“Service Provider”), and receives from Client data that constitutes personal information, as defined under CCPA (“Personal Information”), Insight, in its role as a Service Provider, will not (a) sell or share, each as defined under CCPA/CPRA, such Personal Information; (b) retain, use, or disclose such Personal Information for any purpose other than performing the Services under the Supply Agreements or as otherwise permitted under CCPA/CPRA; (c) retain, use, or disclose the Personal Information for a commercial purpose other than providing the Services unless otherwise permitted under the Supply Agreements or another written agreement between the Parties; or (d) retain, use, or disclose such Personal Information outside of the direct business relationship between Client and Service Provider unless otherwise permitted under the Supply Agreements or another written agreement between the Parties. Insight, in its role as a Service Provider, agrees to comply with the CCPA/CPRA as applicable to Service Provider in its performance of the Services to Client under the Supply Agreements.

11.2.  In the event of any conflict between the terms of this Section 11 and any other terms of this Agreement, the terms in this Section 11 shall control but only to the extent they apply in connection with the Personal Information.

12.  Audit

12.1.  Insight shall maintain complete and accurate records and information to demonstrate its compliance with this Agreement.

12.2.  Insight will permit, once per calendar year, Client to audit Insight’s compliance with this Agreement, and shall make available to Client all directly relevant information and management level staff necessary for Client to conduct such audit. Insight acknowledges that Client may enter its premises for the purposes of conducting this audit, provided that Client gives it at least thirty (30) calendar days’ prior written notice of its intention to audit, conducts its audit during normal business hours, and takes all reasonable measures to prevent unnecessary disruption to Insight’s operations. For the avoidance of doubt, in no event shall Client or its designees be permitted to access Insight’s information systems, network servers, scan summaries or activity logs. Client shall provide, without charge, Insight with a copy of the audit report. To the extent the audit report contains any Insight Confidential Information or is derived from any Insight Confidential Information, it shall be deemed Insight Confidential Information.

13.  Miscellaneous

13.1.  Notwithstanding any other provision of this Agreement and/or the Supply Agreements, Client agrees that Insight shall not be considered a data processor or data controller or in any other way have any responsibilities or liability (and Client holds Insight harmless) in respect of the processing of personal data pursuant to a product or service (including cloud service) provided by a third party supplier transacted by Insight and where Insight is not the manufacturer of such product or prime contractor for performance of the services. Such processing of personal data shall be subject to the arrangements, licenses and contract terms between Client and the third-party supplier.

13.2.  From the date of its entry into effect, this Agreement supersedes all prior data processing agreements or clauses between the Parties and/or their Affiliates (without affecting rights and obligations accrued thereunder or in relation to any breach), and constitutes the entire and only agreement between the Parties relating to processing of Data by Insight on behalf of Client.

13.3.  Any subsequent additions, deletions or modifications to this Agreement are not binding unless agreed upon in writing by authorized representatives of both Parties. 

13.4.  If any part of this Agreement is for any reason found to be invalid, illegal or unenforceable, all other parts will remain in effect. 

13.5.  In the event that any provision of the Supply Agreements contradicts with any provision of this Agreement, the provision of this Agreement will prevail. If there is any conflict between this Agreement and the Standard Contractual Clauses, the Standard Contractual Clauses will prevail with respect to Data that is subject to the GDPR or the UK GDPR.  

13.6.  This Agreement will be governed by the substantive laws agreed upon in the Supply Agreements, without giving effect to any conflict of law rules.

13.7.   Any dispute arising out of or in relation to this Agreement or the execution thereof shall be submitted to the competent court as agreed upon in the Supply Agreements.

Schedule 1 – Description of the Processing / Transfer

This Schedule 1 includes certain details of the processing of Data as required by Article 28(3) GDPR.

This Schedule 1 may be superseded in respect of a particular Service(s) by inclusion of a new schedule within a statement of work (“SOW”).

Annex 1(A): List of Parties

Data Importer: Insight entity specified in the Supply Agreement

Address: as specified in the Supply Agreement

Contact person’s name, position and contact details:

Role: data processor

Data Exporter: Client entity as specified in the Supply Agreement

Address: as specified in the Supply Agreement

Contact person’s name, position and contact details: as specified in the Supply Agreement or as subscribed to receive notifications via https://www.insight.com/en_US/help/terms-and-policies/sub-processors.html

Role: data controller

Annex 1(B): Description of Processing / Transfer

  1. SCOPE AND SUBJECT MATTER OF THE PROCESSING

    The subject matter of the processing is set out in the applicable Supply Agreement and any related individual contract(s) for the supply of Services entered into between Client and Insight, as documented in a SOW or Order and related documentation.

  2. NATURE AND PURPOSE OF PROCESSING

    The performance of Services, as further documented in the applicable Supply Agreement and any related individual contract(s) for the supply of Services entered into between Client and Insight, as documented in the applicable SOW or Order and related documentation.

  3. FREQUENCY AND DURATION OF THE PROCESSING

    Transfers will be made from time to time for the duration necessary for:

    • the performance of the Services;
    • any other purposes stipulated in the Supply Agreement or any applicable SOW and/or Order;
    • complying with applicable laws and regulations.

  4. TYPES OF DATA

    • Contact details including name, email address, postal address, phone number
    • Any other types of data connected to the scope and subject matter of the processing and relevant to the purpose of processing, as set out in the applicable Supply Agreement, any related individual contract(s), SOW, and/or Order.

  5. CATEGORIES OF DATA SUBJECT

    • Client employees
    • Any other categories of data subjects connected to the scope and subject matter of the processing and relevant to the purpose of processing, as set out in the applicable Supply Agreement, any related individual contract(s), SOW, and/or Order.

Annex 1(C): Competent Supervisory Authority

The competent supervisory authority, in accordance with Clause 13 of the EU SCCs, must be (i) the supervisory authority applicable to the data exporter in its EEA country of establishment or, (ii) where the data exporter is not established in the EEA, the supervisory authority applicable in the EEA country where the data exporter's EU representative has been appointed pursuant to Article 27(1) of the GDPR, or (iii) where the data exporter is not obliged to appoint a representative, the supervisory authority applicable to the EEA country where the data subjects relevant to the transfer are located. With respect to the processing of personal data to which the UK GDPR applies, the competent supervisory authority is the Information Commissioner's Office (the “ICO”). With respect to the processing of personal data to which the Swiss DPA applies, the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner.

Schedule 2 – Technical and Organisational Measures

The following technical and organisational measures are implemented in relation to the processing of Data, in accordance with Data Protection Legislation (including Articles 28 and 32(1) of the GDPR):

1. Confidentiality

1.1.  Physical Access Control

Measures suitable for preventing unauthorized persons from gaining access to data processing systems with which personal data are processed or used.

Technical Measures:
☒ Alarm system
☒ Smart cards / transponder system
☒ Security lock
☒ Video surveillance of entrances

Organisational Measures:
☒ Key regulation / list
☒ Front Desk / Reception / gatekeeper
☒ Visitor book / protocol of visitors
☒ Employee / visitor passes
☒ Visitors accompanied by staff
☒ Care in selection of security staff
☒ Care in selection of cleaning services

1.2.  Logical Access Control

Measures suitable for preventing data processing systems (computers) from being used by unauthorized persons.

Technical Measures:
☒ Login with username + password
☒ Login with biometric data
☒ Anti-Virus-Software Server
☒ Anti-Virus-Software Clients
☒ Anti-Virus-Software mobile devices
☒ Firewall
☒ Intrusion Detection System
☒ Mobile Device Management
☒ Use of VPN for remote access
☒ Encryption of data carriers
☒ Automatic desktop lock
☒ Encryption of notebooks/tablets

Organisational Measures:
☒ Manage user permissions
☒ Creating user profiles
☒ Central password assignment
☒ “Secure password” policy
☒ “Delete / Destroy” policy
☒ “Clean desk” policy
☒ General privacy and/or security policy
☒ Mobile Device Policy

1.3.  Data Access Control

Measures that ensure that those authorized to use a data processing system can only access the data subject to their access authorization and that personal data cannot be read, copied, modified or removed without authorization during processing, use and after storage.

Technical Measures:
☒ Document shredder (at least level 3, Cross Cut)
☒ External document shredder (DIN 32757)
☒ Physical deletion of data media
☒ Logging of access to applications and systems

Organisational Measures:
☒ Use of authorization concepts
☒ Minimum number of administrators
☒ Data protection vault
☒ Management of user rights by administrators

1.4.  Separation Control

Measures that ensure that data collected for different purposes can be processed separately.

Technical Measures:
☒ Separation of production and test environment
☒ Physical separation (systems / databases / data carriers)
☒ Multitenancy of relevant applications

Organisational Measures:
☒ Control via authorization concept
☒ Determination of database rights
☒ Data records are provided with purpose attributes

1.5.  Pseudonymization

The processing of personal data in such a way that the data can no longer be attributed to a specific data subject without recourse to additional information, provided that such additional information is stored separately and is subject to appropriate technical and organisational measures.

Technical Measures:
☒ In case of pseudonymization: Separation of assignment data and storage in separate and secured systems (possibly encrypted)

Organisational Measures:
☒ Internal instruction to anonymize / pseudonymize personal data as far as possible in the event of data transmission or even after the expiration of the legal deletion period

2. Integrity

2.1.  Transmission Control

Measures to ensure that personal data cannot be read, copied, altered or removed without authorization during electronic transmission or while being transported or stored on data media, and that it is possible to check and determine to which entities personal data is intended to be transmitted by data transmission equipment.

Technical Measures:
☒ E-mail encryption
☒ Use of VPN
☒ Logging of accesses and retrievals
☒ Secure transport containers
☒ Use of signature procedures

Organisational Measures:
☒ Documentation of data recipients and duration of planned transfer or deletion periods
☒ Overview of regular retrieval and transmission processes
☒ Care in the selection of transport personnel and vehicles

2.2.  Input Control

Measures that ensure that it is possible to check and determine retrospectively whether and by whom personal data has been entered into, modified or removed from data processing systems.

Technical Measures:
☒ Technical logging of data entry, modification and deletion
☒ Manual or automated control of logs

Organisational Measures:
☒ Oversight of which programs can be used to enter, change or delete which data
☒ Traceability of data entry, modification and deletion through individual user names (not user groups)
☒ Assignment of rights to enter, change and delete data based on an authorization process
☒ Retention of forms from which data has been transferred to automated processes

3. Availability and Resilience

3.1.  Availability Control

Measures to ensure that personal data is protected against accidental destruction or loss.

Technical Measures:
☒ Fire and smoke detection systems
☒ Fire extinguisher in server room
☒ Monitoring of server room temperature and humidity
☒ Air-conditioned server room
☒ UPS (uninterruptible power supply)
☒ Protective socket strips in server room
☒ Data protection safe (S60DIS, S120DIS, other suitable standards with swelling seal etc.)
☒ Video surveillance of server room
☒ Alarm message in case of unauthorized access to server room

Organisational Measures:
☒ Backup & recovery concept (formulated)
☒ Control of the backup procedure
☒ Regular tests for data recovery and logging of results
☒ Storage of backup media in a secure location outside the server room
☒ No sanitary connections in or above the server room
☒ Existence of an emergency plan (e.g. the German BSI IT-Grundschutz 100-4)
☒ Separate partitions for operating systems and data

4. Procedures for regular review, assessment, and evaluation

4.1.  Data Protection Management

Technical Measures:
☒ Central documentation of all procedures and regulations for data protection with access for employees according to need/authorization
☒ Security certification according to ISO 27001, or implementation of another appropriate documented security protocol standard
☒ Regular review of the effectiveness of technical protection measures (at least annually)

Organisational Measures:
☒ Appointment of a data protection officer (DPO)
☒ Employees trained and bound to confidentiality/data secrecy
☒ Regular employee awareness training (at least annually)
☒ Appointment of an information security officer (ISO)
☒ Implementation of data protection impact assessment (DPIA) if needed
☒ Implementation of information obligations pursuant to Art. 13 and 14 GDPR
☒ Formalized process for handling requests for information from data subjects is in place

4.2.  Incident Response Management

Support for the response to security breaches.

Technical Measures:
☒ Use of firewall and regular updating
☒ Use of spam filter and regular updating
☒ Use of virus scanner and regular updating
☒ Intrusion Detection System (IDS)
☒ Intrusion Prevention System (IPS)

Organisational Measures:
☒ Documented process for detecting and reporting security incidents / data breaches
☒ Documented process for handling security incidents / data breaches
☒ Involvement of DPO and/or ISO (if available) in case of security incidents / data breaches
☒ Documentation of security incidents and data breaches, e.g. via ticket system
☒ Formal process and responsibilities for following up on security incidents and data breaches

4.3.  Order Control

Measures that ensure that personal data processed on behalf of the data controller can only be processed in accordance with the data controller’s instructions.

Organisational Measures:
☒ Entering into contractual terms with the contractor in accordance with applicable data protection legislation, including obligations with regard to data protection and data security
☒ Conclusion of the necessary agreement on commissioned data processing or EU standard contractual clauses
☒ Agreement on effective control rights towards the contractor

Version January 2024