Rechtliche Hinweise

Vendor Data Processing Addendum

This Data Processing Addendum ("DPA") is entered into between RealtimeBoard, Inc. dba Miro, for and on behalf of itself, its Affiliates and/or their respective customers (collectively ‘’Miro’’) and the Provider  and is appended to the Agreement (as defined below).

Recitals

Provider has entered into one or more purchase orders, contracts and/or agreements (the "Agreement") with Miro pursuant to which Provider has agreed to provide certain services to Miro (the "Services") that may entail processing of Personal Data (as defined below)

To comply with Applicable Privacy Law(s) (as defined below), Miro must ensure the appropriate protection of all data, including Personal Data when Miro engages third party vendors. Accordingly, Miro’s engagement of Provider is conditional upon Provider's agreement to the terms and conditions of this DPA which shall be incorporated into and form part of the Agreement and subject to the provisions therein.

Agreement

Definitions

"Applicable Privacy Law(s)" means all data protection and privacy laws and regulations applicable to the processing of Personal Data in question, including but not limited to EU/UK Data Protection Law, the CCPA and the Japanese ‘Act on the Protection of Personal Information’ as introduced, amended and superseded from time to time.

Affiliate” means an entity that directly or indirectly controls, is controlled by or is under common control with an entity, where “control” means an ownership, voting or similar interest representing fifty percent (50%) or more of the total interests then outstanding (but only as long as the entity meets these requirements). 

"Authorized Persons" means any person who processes Personal Data on Provider's behalf, including Provider's employees, officers, partners, principals, contractors and Subcontractors.

"CCPA" means:

(a) the California Consumer Privacy Act of 2018, California Civil Code 1798.100 et seq. (2018)

(b) where the California Privacy Rights Act of 2020, and 

(c) Applicable Data Protection Laws modelled on either of the foregoing.

"EEA" means, for the purposes of this DPA, the European Economic Area and Switzerland.

"EU/UK Data Protection Law" means:

(a) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the "EUGDPR");

(b) the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018 (collectively the "UKGDPR");

(c) the EU e-Privacy Directive (Directive 2002/58/EC); and

(d) any and all applicable national data protection laws made under, pursuant to or that apply in conjunction with any of (a), (b) or (c); 

In each case, as amended or superseded from time to time.

"Personal Data" means information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity. For the avoidance of doubt, Personal Data includes "personally identifiable information" and "personal information".

"Miro Subsidiary" means any entity that is directly or indirectly controlled by, controlling or under common control with Miro. 

"Restricted Transfer" means:

(a) where the EU GDPR applies, a transfer of Personal Data from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission; or

(b) where the UK GDPR applies, a transfer of Personal Data from the United Kingdom to any other country which is not subject based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018.

In each case, whether the transfer is direct or via onward transfer.

"SCCs" means:

(d) where the EU GDPR applies, the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council ("EU SCCs"), or

(e) where the UK GDPR applies, standard data protection clauses for processors adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR (specifically, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses) ("UK SCCs").

"Security Incident" means any unauthorized or unlawful breach of security leading to, or reasonably believed to have led to, the accidental or unlawful destruction loss, alteration, unauthorized disclosure or access to any data processed under or in connection with the Agreement, including but not limited to Personal Data.

"Services" means the services provided by Provider to Miro under and as more particularly described in the Agreement.

Special Data Categories” means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership; genetic data or biometric data processed for the purpose of uniquely identifying a natural person; data concerning health; data concerning a natural person's sex life or sexual orientation, or such other similar types of information designated for heightened protection under Applicable Privacy Laws.

"Subcontractor" means any third party (including any Provider affiliates) engaged directly or indirectly by Provider to process any Personal Data relating to this DPA and/or the Agreement. The term "Subcontractor" shall also include any third party appointed by a Subcontractor to process any Personal Data relating to this DPA and/or the Agreement.

Provider Due Diligence Questionnaire or VDDQ” means the OneTrust assessment completed by the Provider and confirming the privacy controls applicable to the processing.

The terms "Controller", "Processor," and "processing," have the meanings given to them in Applicable Privacy Laws. If and to the extent that Applicable Privacy Laws do not define such terms, then the definitions given in EU Data Protection Law will apply. 

Role and Scope of Processing

2.1 Parties agree that Miro is the Controller and Provider shall process Personal Data under the Agreement only as a Processor on behalf of Miro .

2.2 Provider will at all times:

(a) process the Personal Data only for the purpose of providing the Services to Miro under the Agreement and in accordance with Miro's documented instructions;

(b) not process the Personal Data for its own purposes or those of any third party; and

(c) not "sell" Personal Data (as understood within the requirements of Applicable Privacy Laws).

2.3 The Parties agree that the scope of Miro’s instructions for the Processing of Miro Personal Data is defined by: (i) the Agreement; (ii) any applicable ordering documents, including service orders, order forms, statements of work, and product or service descriptions and (iii) this DPA; 

2.4 The subject matter of the Processing of Miro Personal Data is set forth in the Agreement and this DPA. The nature and purpose of the Processing of Miro Personal Data involve the provision of the Services to Miro as set forth in the Agreement and this DPA. The types of Miro Personal Data Processed under this DPA and the relevant categories of Data Subjects are set out in Appendix 1 to this DPA and the VDDQ. Any Processing of Special Data Categories is subject to mutual agreement of the Parties and must be set out in the VDDQ.

2.5 Each party shall comply with its obligations under Applicable Privacy Law(s) in respect of any Personal Data it Processes under this DPA. 

2.6 Provider shall promptly notify Miro if it makes a determination that it cannot comply with its obligations under this DPA and in such event (and without prejudice to any other rights available to Miro) Provider shall work with Miro and take all reasonable and appropriate steps to stop and remediate (if remediable) any processing until such time as the processing complies with the requirements of this DPA. Provider shall immediately (and procure that all Subcontractors) cease processing Personal Data if Miro determines that Provider has not or cannot correct any non-compliance in accordance with this Section 2.6 within a reasonable time frame.

Subprocessing

3.1 Provider may subcontract processing of Miro Personal Data to a Subcontractor, provided that:

(a) Provider maintains an up-to-date list of its Subcontractors (including the details and location of the processing), and provides a copy of this list to Miro by email to privacy@miro.com upon request, within 72 hours of such request, 

(b) Provider imposes the same data protection terms on any Subcontractor it engages as contained in this DPA (including data transfer provisions, where applicable), 

(c) Provider remains fully liable to Miro for the fulfilment of Subcontractor’s obligations under its subcontract and for any breach of this DPA or the Agreement by Provider that is caused by an act, error or omission of such Subcontractor or any further third party Subcontractors it appoints. 

3.2 Without prejudice to Section 3.1 above, Miro may require that Provider by notice in writing ceases or suspends subcontracting of the Processing of Personal Data to Subcontractor if, in Miro's reasonable opinion, the Subcontractor has suffered a Security Incident and is unable to comply with the terms of the Agreement.

3.3 If Miro objects to the engagement of a Subcontractor and the Parties cannot reach an agreement as to the use of the new Subcontractor Miro may terminate the portion of the Service for which the new Subcontractor is engaged and receive a prorated refund of prepaid fees applicable to the terminated portion of the Service for the period after termination as its sole and exclusive remedies.

Cooperation

4.1 Provider shall reasonably cooperate with Miro to enable Miro to respond to any requests, complaints or other communications from data subjects and regulatory or judicial bodies relating to the processing of Personal Data under the Agreement, including requests from data subjects seeking to exercise their rights under Applicable Privacy Laws. In the event that any such request, complaint or communication is made directly to Provider, Provider shall promptly pass this onto Miro and shall not respond to such communication without Miro's express authorization.

4.2 If Provider receives a subpoena, court order, warrant or other legal demand from a third party (including law enforcement or other public or judicial authorities) seeking the disclosure of Personal Data processed in connection with the Agreement, Provider shall not disclose any information but shall immediately notify Miro in writing of such request, and reasonably cooperate with Miro if it wishes to limit, challenge or protect against such disclosure, to the extent permitted by applicable laws.

4.3 To the extent Provider is required under Applicable Privacy Laws, Provider will assist Miro to conduct a data protection impact assessment and, where legally required, consult with applicable data protection authorities in respect of any proposed processing activity that presents a high risk to data subjects.

4.4 Provider will promptly deal with all inquiries from Miro relating to its processing of Personal Data under the Agreement, including making available all information necessary to demonstrate its compliance with Applicable Privacy Laws and this DPA.

Data Access & Security Measures

5.1 Provider shall ensure that any Authorized Person is subject to a strict duty of confidentiality (whether a contractual or statutory duty) and that they process any data only for the purpose of delivering the Services under the Agreement to Miro. 

5.2 Provider will implement and maintain all appropriate technical and organizational security measures to protect from Security Incidents and to preserve the security, integrity and confidentiality of all data processed under or in connection with the Agreement, including Personal Data ("Security Measures"). Such measures shall have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. 

Security Incidents 

6.1 In the event of a Security Incident, Provider shall promptly (and in no event later than 48 hours of becoming aware of such Security Incident) notify Miro by email to privacy@miro.com, providing written details of the Security Incident. Such notification must include, at a minimum, detail on the nature of the personal data breach including the categories and approximate number of data subjects and number of personal data records concerned; detail on the likely consequences and the measures to be taken or proposed to be taken to address the personal data breach, including measures to mitigate possible adverse effects. Provider shall also provide details of its Data Protection Officer or other contact point where Miro may obtain more information.

6.2 Furthermore, in the event of a Security Incident, Provider shall:

(a) provide timely information and cooperation as Miro may require tofulfil Miro's data breach reporting obligations under Applicable Privacy Laws; and 

(b) take such measures and actions as are appropriate to remedy or mitigate the effects of the Security Incident and shall keep Miro up-to-date about all developments in connection with the Security Incident.

6.3 The content and provision of any notification, public/regulatory communication or press release concerning the Security Incident shall be solely at Miro’s discretion, except as otherwise required by applicable laws.

Security Reports & Inspections

7.1 Provider shall maintain records in accordance with ISO 27001 or similar Information Security Management System ("ISMS") standards. Upon request, Provider shall provide copies of relevant external ISMS certifications, audit report summaries and/or other documentation reasonably required by Miro to verify Provider's compliance with this DPA. 

7.2 While it is the parties' intention ordinarily to rely on Provider's obligations set forth in Section 7.1 to verify Provider's compliance with this DPA, Miro (or its appointed representatives) may carry out an inspection of the Provider's operations and facilities during normal business hours and subject to reasonable prior notice where Miro considers it necessary or appropriate (for example, without limitation, where Miro has reasonable concerns about Provider's data protection compliance, following a Security Incident or following instruction from a data protection authority). 

Data Transfers

8.1 Provider shall (and shall Procure that any Subcontractor) not make a Restricted Transfer unless

(a) such transfer or export complies with Applicable Law, and

(b) if necessary for such compliance, Provider enters into an appropriate data transfer agreement or SCCs with Miro.

8.2 The parties agree that when the transfer of Personal Data from Miro to Provider is a Restricted Transfer, it shall be subject to the appropriate SCCs as follows:

(a) in relation to data that is protected by EU GDPR, the EU SCCs will apply completed as follows:

(i)Module Two and Module 3 will apply, as appropriate;

(ii)in Clause 7, the optional docking clause will apply;

(iii)in Clause 9, Option 2 will apply, and the time period for prior notice of subprocessor changes shall be as set out in Clause 3.1 of this DPA;

(iv)in Clause 11, the optional language will not apply;

(v)in Clause 17, Option 1 will apply, and the EU SCCs will be governed by the law of the Netherlands;

(vi)in Clause 18(b), disputes shall be resolved before the courts of Amsterdam;

(vii)Annex I of the EU SCCs shall be deemed completed with the information set out in Annex I to this DPA and the Provider Due Diligence Questionnaire; and

(viii)Annex II of the EU SCCs shall be deemed completed with the information set out in Annex II to this DPA;

(b) in relation to Personal Data protected by UK GDPR, the UK SCCs will apply completed as follows:

(i) Table 1 shall be deemed completed with the information set out in Annex I to this DPA and the Provider Due Diligence Questionnaire;

(ii) Table 2 shall be deemed completed with the information set out at paragraph (a)(i)-(iv) above;

(iii) Table 3 shall be deemed completed with the information set out set out in the Provider Due Diligence Questionnaire and Annex II to this DPA; and

(iv) for the purposes of Table 4, only the exporter may end the UK SCCs in accordance with Section 19.

(c) in the event that any provision of this DPA contradicts, directly or indirectly, the SCCs, the SCCs shall prevail.

8.3 The parties agree that in the event that Applicable Privacy Law no longer allows the lawful transfer of Personal Data to Provider and/or requires that Miro adopt an alternative transfer solution that complies with Applicable Privacy Law, Provider will fully cooperate with Miro to discuss and agree an amendment to this DPA to remedy such non-compliance and/or cease processing of Personal Data. If the parties, acting in good faith, are unable to agree such changes within 30 days, Miro may immediately terminate the Agreement (in whole or in part) without penalty. 

8.4 If Miro adopts an alternative lawful data export mechanism for the transfer of Personal Data not described in this DPA ("Alternative Transfer Mechanism"), the Alternative Transfer Mechanism shall apply instead of any applicable transfer mechanism described in this DPA (but only to the extent such Alternative Transfer Mechanism complies with EU/UK Data Protection Law and extends to the territories to which the relevant Customer Personal Data is transferred).

Deletion & Return 

9.1 Upon Miro's request, or upon termination or expiry of this DPA, Provider shall destroy or return to Miro all Personal Data (including copies) in its possession or control (including any Personal Data processed by its Subcontractors). This requirement shall not apply to the extent that Provider is required by any applicable law to retain some or all of the Personal Data, in which event Provider shall isolate and protect the Personal Data from any further processing except to the extent required by such law. 

CCPA

10.1 To the extent that the Personal Data processed under this Agreement relates to residents of the state of California in the United States and the CCPA applies, the terms set forth in this Section 10 shall apply to this DPA. The following amendments shall be made to the definitions set forth in Section 1 of this DPA:

(a) “Business” has the meaning given to it in the CCPA; and

(b) “Service Provider” has the meaning given to in the CCPA.

10.2 For purposes of Personal Data constituting “personal information” under the CCPA (“Personal Information”), Miro is a Business and Provider is a Service Provider. Miro’s transfer of Personal Information to Provider is not a sale, and Provider provides no monetary or other valuable consideration to Miro in exchange for Personal Information.

10.3 Provider agrees to comply with all applicable requirements of the CCPA, and shall not:

(a) sell or disclose Personal Information for monetary or other valuable consideration;

(b) retain, use or disclose Personal Information for any purposes other than performing the Services under the Agreement; or

(c) retain, use or disclose Personal Information outside the direct business relationship between Providerand Miro.

10.4 Miro certifies that it understands and will comply with the requirements and restrictions set out in this Section and will comply with the requirements applicable to Service Providers under the CCPA.

10.5 As applicable to the Services, Provider shall reasonably assist Miro in responding to any request from a data subject (including “verifiable consumer requests”, as such term is defined in the CCPA), relating to the processing of Personal Data under the Agreement.

General

11.1 Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between any provision in this DPA and any provision in the Agreement, this DPA controls and takes precedence. With effect from the effective date, this DPA is part of, and incorporated into the Agreement.

11.2 In no event does this DPA restrict or limit the rights of any data subject or of any competent supervisory authority.

11.3 The parties acknowledge and agree that any breach by Provider of this DPA shall constitute a material breach of the Agreement, in which event and without prejudice to any other right or remedy available to it, Miro may elect to immediately terminate the Agreement in accordance with the termination provisions in the Agreement.

11.4 The obligations placed upon the Provider under this DPA shall survive so long as Provider and/or its Subcontractors processes Personal Data on behalf of Miro.

11.5 In the event there is any act, error or omission on the part of the Provider and/or its Subcontractors which leads to Miro being liable for breach of Applicable Privacy Laws or any third party contract, then Provider shall indemnify Miro on demand for any damages, losses, liabilities, costs, harm or expenses (including reasonable legal fees) suffered by Miro as a result.

11.6 Notwithstanding anything else to the contrary in the Agreement, Provider acknowledges and agrees that any exclusion of damages or limitation of liability that may apply to limit the Provider's liability in the Agreement shall not apply to Provider's liability arising under or in connection with this DPA, howsoever caused, regardless of how such amounts or sanctions awarded are characterized and regardless of the theory of liability, which liability shall be expressly excluded from any agreed exclusion of damages or limitation of liability.

11.7 This DPA may not be modified except by a subsequent written instrument signed by both parties.

11.8 This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by Applicable Privacy Laws or the SCCs.

11.9 If any part of this DPA is held unenforceable, the validity of all remaining parts will not be affected.


Annex I

Data Processing Description

This Annex I forms part of the DPA and describes the processing that Provider will perform on behalf of Miro (as the Controller).

A. LIST OF PARTIES

Controller(s) / Data exporter(s)

Identity and contact details of the controller(s) /data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union

Name: RealtimeBoard, Inc. dba Miro (“Miro”) Address: 201 Spear Street, Suite 1100, San Francisco, CA 94105 Contact person’s name, position and contact details: privacy@miro.com Activities relevant to the data transferred under these Clauses: The activities specified under Annex I(B) below. Signature and date: This Annex I shall automatically be deemed executed when the DPA is executed by Miro. Role (controller/processor):Controller

Processor(s) / Data importer(s)

Identity and contact details of the processor(s) /data importer(s), including any contact person with responsibility for data protection

Name: The entity identified as Provider in the Agreement Address: The Provider's address as set out in the Agreement Contact person’s name, position and contact details: The contact details set out in the VDDQ Activities relevant to the data transferred under these Clauses: The activities specified under Annex I(B) below. Signature and date: This Annex I shall automatically be deemed executed when the Agreement is executed by the Provider. Role (controller/processor):Processor

В. DESCRIPTION OF PROCESSING/ TRANSFER

EU SCC Module: 

C2P (Module 1)

Categories of Data Subjects: As set out in the VDDQ

Purpose(s) of the data transfer and further processing/ processing operations:As set out in the VDDQ

Categories of Personal Data: As set out in the VDDQ

Sensitive data transferred (if applicable) and applied restrictions or safeguards: As set out in the VDDQ

Frequency of the transfer:As set out in the VDDQ

Nature and subject matter of the processing: As set out in the VDDQ

Duration of the processing: The duration of the data processing under this DPA is until the termination of the Agreement in accordance with its terms plus the period from the expiry of the Agreement until deletion of the Personal Data by Provider in accordance with the terms of the Agreement.

Retention period (or, if not possible to determine, the criteria used to determine the period): 90 Days post expiration/termination of the Agreement or as set out in the Agreement

P2P (Module 2)

Categories of Data Subjects: As set out in the VDDQAs set out in the VDDQ

Purpose(s) of the data transfer and further processing/ processing operations: As set out in the VDDQAs set out in the VDDQ

Categories of Personal Data: As set out in the VDDQ

Sensitive data transferred (if applicable) and applied restrictions or safeguards: As set out in the VDDQ

Frequency of the transfer: As set out in the VDDQ

Nature and subject matter of the processing: As set out in the VDDQ

Duration of the processing: .The duration of the data processing under this DPA is until the termination of the Agreement in accordance with its terms plus the period from the expiry of the Agreement until deletion of the Personal Data by Provider in accordance with the terms of the Agreement.

Retention period (or, if not possible to determine, the criteria used to determine the period): 90 Days post expiration/termination of the Agreement or as set out in the Agreement

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance (e.g. in accordance with Clause 13 SCCs): Where the EU GDPR applies, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens)


Annex II

Technical and Organizational Security Measures

Provider has implemented stringent data privacy structures. These structures ensure adequate data privacy controls are applied to Personal Data processed under the Agreement.

 A. Organizational Control

B. Entry Control

C. Admission Control

D. Access Control

E. Transmission Control

F. Input Control

G. Job Control

H. Availability Control

I. Separation Control

The specific details regarding the technical and organizational measures are explained in the following text.

A. Organizational Control 

  • Measures which comply with the specific requirements of Applicable Data Privacy Law(s):

  • Instalment of an external Data Protection Officer with expertise 

  • Commitment of employees to data secrecy 

  • IT-Emergency concept 

  • Data back-up concept (for production data) 

  • Regulations regarding the correct and secure processing of duties done by data processing 

  • Regular instruction of relevant regulations 

  • Control of compliance with the regulations 

  • Organizational, spatial and/or personal separation of data processing from other business units and other customers 

  • Regulations and instructions for entry control 

  • Regulations and instructions for admission control 

  • Regulations and instructions for access control 

  • Regulations and instructions for transport of data storage media and transmission control  

  • Regular information and instruction of the employees 

  • Description of activities in working instructions 

  • Data deletion concept  

  • External Certifications or internal data privacy audit  

  • Documentation of IT-procedures, software, IT-configuration 

B. Entry Control 

  • Measures to limit entrance by unauthorized persons to areas where personal data is used or processed with electronic data processing devices:

  •  Entry control 

  • Regulations and instructions of entry control 

  • Gate control 

  • Identification badges / code cards 

  • Entry regulations organization for employees  

  • Entry regulations for external service providers (cleaning and maintenance personal, craftsmen, customers, visitors 

  • Classification of security areas 

  • Identification of admission authorized persons 

  • Safeguarding by alarm system, intrusion detector, police emergency call 

  • Security locks with centralized key administration and master key plan 

  • Revision secure organization of admission rights 

  • Revision secure grant and revocation of admission rights 

C. Admission Control 

  • Measures to limit admission by unauthorized persons to systems where personal data is used or processed with electronic data processing devices:  

  • Safeguarding of physical network infrastructure 

  • Firewall for internal networks against external vulnerabilities 

  • Control of use for electronic data processing 

  • Regulations and instructions of admission control 

  • Control and identification of authorized persons 

  • Logging of use for entry rights and regular reports 

  • Admission only with User-ID and password only 

  • Separation of function principle when granting entry authorization 

  • Identification of terminal or terminal user (e.g.: login with user-ID and password) 

  • Limitation of false log-in attempts 

  • Automatic screensaver protection in case of inactivity 

  • Lockable terminals and decentralized IT-systems  

  • Safeguarding of electronic data processing systems correspondent with the requirements 

  • Functional and/or timely limited use of terminals 

D. Access Control (Electronic data processing) 

  • Measures to limit access by unauthorized persons to systems where personal data is used or processed with electronic data processing devices:

  • Regulations and instructions for access control 

  • Processes for file organization 

  • Rights- and role-concept 

  • Assignment of rights for data-input as well as for information, modification and deletion of stored data 

  • Regulated procedure for granting, changing and revocation of access rights  

  • Selective access regulations for procedures, operation control tickets 

  • User adaptive access protection  

  • Selective access for files and functions 

  • Automatic screensaver protection in case of inactivity 

  • Requirement of user identifiers (Passwords) for files, system data, application data  

  • Machine control of authorizations 

  • Logging access to specific data (e.g.: Console log, machine Log) 

  • Functional and/or timely limited use of terminals  

  • Password policy at the level of configuration of IT-systems  

  • Identification and authentication of users 

  • Control of administrator activities  

  • Limitation of free style queries in databases  

  • Specific written directives for the restart-procedure  

  • Safeguards for access by self-acting institutions  

  • Use of encryption 

E. Access Control (Data media) 

  • Measures to limit access by unauthorized persons to data and/or applications being stored on storage devices outside of an electronic data processing system.   

  • Write-protection for data media 

  • Identification of authorized personnel 

  • Rules regarding the production of copies 

  • Labelling obligation for data media with classification  

  • Guidelines for the organization of data storage 

  • Data privacy conform elimination of out of use data media with protocol 

  • Controlled storage of in use and swapped out data media in a secure area (Archive, secure cabinets) 

  • Definitions of areas which are suitable or scheduled for the storage of data media (e.g.: disc, volume, tape, cartridge)  

F. Transmission Control 

  • Measures to ensure that personal data cannot be read, copied, modified or removed without authorization during electronic transmission or transport.

  •  Measures to ensure that it is possible to check and establish to which bodies the transfer of personal data by means of data transmission facilities is envisaged. 

  •  Measures to ensure that an automated procedure for the retrieval of personal data is running a log procedure in order to have retrospect information which data has been retrieved by whom.  

  •  Determination of authorized person for transmission and transport  

  • Documentation of the retrieval and transmission programs 

  • Determination and documentation of the transmission procedure and the data receivers 

  • Protocol of data transmission and receivers 

  • Regulations and instructions for data media transport and transmission control 

  • Secured data lines 

  • Use of cryptographic procedures as far as useful or mandatory 

  • Electronic signature as far as useful or mandatory 

  • Reasonability check 

G. Input Control 

  • Measures to ensure that it is possible to check and establish whether and by whom personal data / social data have been entered, modified or removed into/from data processing systems. 

  • Automatic protocol of input, modification and deletion of personal data 

  • Protocol of the use of administration tools 

  • Protocol of system generation and modification of system parameters 

  • Complete protocol of all instances 

  • Revision secure protocol of access rights 

  • Protocol data can be analyzed in computer assisted processes 

  • Proof of the organizational defined responsibilities for input of data 

  • Definition of deletion and retention periods for the protocols 

  • Electronic signature (if applicable) 

H. Job Control 

  • Measures to ensure that, in the case of commissioned processing of personal data, the data are processed strictly in accordance with the instructions of the principal. The following measures are relevant in case of sub-order for the subcontractor as well. 

  • Careful selection of the contractor (Sub-contractor) 

  • Written agreement with definition of the decisional authority based on statutory mandatory law 

  • Outline of the rights and duties of principal and contractor in regard to: 

  • Data security measures  

  • Transmission directives 

  • Retention and deletion periods 

  • Breach of contract 

  • Insurance 

  • Definition of safety measures 

  • Right of access to subcontractor premises  

  • Control of security measures at the subcontractor 

  • Control of the correct execution of the contract 

  • Sanctions in case of contract violations 

I. Availability Control 

  • Measures to ensure that personal data is protected from accidental destruction or loss (e.g.: loss of power, lightning, protection from water damage) 

  • Ordinance of work instructions and safety directives  

  • Fire preventions 

  • Definition and control of fire precautions and fire/water early warning system  

  • Risk- and weak-point-analysis for relevant IT-division 

  • Safeguarding of the electric power supply by uninterruptible power supply 

  • Regular and intense instruction of all employees  

  • Disaster recovery plan, emergency handbook, security-infrastructure  

  • Recovery-Procedures for production data 

  • Data mirroring 

  • Regular stringent data back up  

  • Storage of backup media in safeguarded locations for production data (Data generated in Service Processes/Help Desk is deleted after the ticket is closed in due time) 

  • Instructions for documentation of procedures and software development 

  • Formalized approval process for new IT-applications and in case of relevant changes of running applications  

  • Used software is checked and released in a formalized procedure 

  • Centralized procurement for hard- and software 

  • Database-Logging 

  • Function separation between functional department and IT-division 

J. Separation Control 

  • Measures to ensure that data collected for different purposes can be processed separately. 

  • Stringent company internal directives for data collection, data processing and use of data 

  • Grant of specific access rights 

  • Use of separate user roles to ensure separation control 

  • Use of pseudonyms as far as possible and reasonable 

  • Documentation of databases 

  • Documentation of application programs 

  • Documentation of the specific purposes of the collection, processing and use of data 

  • Instalment of logical databases 

  • Logical separation of data 

  • Physical separation of data