WP E-Signature by Approve Me - Sign Documents Using WordPress - Agreement on commissioned processing pursuant to Art. 28 DSGVO | Endereco - Address validation for web shop, ERP & CRM
Agreement on commissioned processing pursuant to Art. 28 DSGVO

Lena Schmitt
Contracting parties

This agreement is concluded between

as the client (hereinafter referred to as "AG")

and Endereco UG (haftungsbeschränkt) as contractor with registered office in 97236 Randersacker, Balthasar-Neumann-Str. 4B (hereinafter "Contractor").


§ 1 General

(1) The Contractor shall process personal data on behalf of the Client within the meaning of Art. 4 (8) and Art. 28 of Regulation (EU) 2016/679 - General Data Protection Regulation (GDPR). This contract regulates the rights and obligations of the parties in connection with the processing of personal data.

(2) Insofar as the term "data processing" or "processing" (of data) is used in this Agreement, the definition of "processing" within the meaning of Article 4 (2) of the GDPR shall apply.

§ 2 Subject matter, duration and specification of the commissioned processing

(1) The subject matter of the contract, the nature and purpose of the processing and the categories of data to be processed as well as the categories of data subjects shall be determined by the following legal relationship(s) between the contracting parties (hereinafter referred to as the main contract):

- Service contract with the Contractor based on the Client's registration on the Contractor's website and acceptance of the General Terms and Conditions.

The provisions of this commissioned-processing (AV) agreement shall take precedence over the main contract.

If the Customer orders further rights of use or other additional services at a later point in time, this agreement shall also apply accordingly to these services.

(2) The agreement on commissioned processing pursuant to Art. 28 DSGVO shall enter into force at the same time as the contract specified in more detail under §2 (1) of the commissioned processing contract and shall expire when this contract specified in more detail itself expires.

(3) The agreement is issued for regular execution.

(4) Within the scope of the fulfillment of the subject matter of the order, the Contractor shall be obliged to carry out all necessary processing steps with regard to the Client's data (e.g. duplication of confirmations) in compliance with the provisions of this Agreement. The Client is entitled to use the data (e.g. for loss backup, creation of log files, intermediate files and workspaces) insofar as this does not lead to a change in the content of the Client's data.

§ 3 Place of processing

(1) The provision of the contractually agreed data processing shall generally take place in a member state of the European Union (EU) or in another state party to the Agreement on the European Economic Area (EEA). The Contractor shall nevertheless be permitted to process personal data outside the EEA in compliance with the provisions of this contract (Section 11) if it informs the Client in advance of the place of data processing and the requirements of Art. 44 et seq. GDPR are fulfilled. If the Client does not agree to such data processing, it has the right to object to the data transfer.

§ 4 Scope of application and responsibility

(1) The Contractor shall process personal data on behalf of the Client. Within the scope of this contract, the Client shall be solely responsible for compliance with the statutory provisions of the data protection laws, in particular for the lawfulness of the transfer of data to the Contractor as well as for the lawfulness of the data processing ("Responsible Party" within the meaning of Art. 4 No. 7 DSGVO).

(2) The instructions shall initially be stipulated by the contract and may thereafter be amended, supplemented or replaced by individual instructions (individual instructions) by the Principal in writing or in an electronic format (text form) to the office designated by the Contractor. Instructions not provided for in the contract shall be treated as a request for a change in performance and shall be documented by the Contractor. Verbal instructions shall be confirmed by the Principal in writing or text form without delay and documented by the Contractor.
The contact person for instructions of the Client at the Contractor is:
Name: Olena Schmitt
Function: internal data protection officer
Phone number: +49 931 663 98 39 2
Email address: datenschutz@endereco.de

§ 5 Obligations of the Contractor as Processor

(1) The Contractor shall process personal data exclusively on the documented instructions of the Client, unless it is legally obliged to process them otherwise. In this case, the Contractor shall notify the Client of these legal requirements prior to processing, unless the law in question prohibits such notification in the public interest.

The Contractor shall ensure that the processing of personal data is carried out in accordance with the Client's instructions. If the Contractor considers an instruction of the Client to be unlawful, in particular with regard to this contract or applicable data protection law, it shall inform the Client immediately. Until clarification or written confirmation by the Client, the Contractor shall be entitled to suspend the corresponding processing.

The parties agree that the responsibility for the legality of the instructions and for the processing in accordance with the instructions lies with the Client.

(2) The Contractor undertakes to organize the internal organization in his area of responsibility in such a way that it meets the special requirements of data protection. He shall take technical and organizational measures for the adequate protection of the Client's data that meet the requirements of the General Data Protection Regulation (Art. 32 DSGVO). The Contractor shall take technical and organizational measures to ensure the confidentiality, integrity, availability and resilience of the systems and services in connection with the Processing on a permanent basis. The Client is aware of these technical and organizational measures and is responsible for ensuring that they provide an adequate level of protection for the risks of the data to be processed. Details of the measures taken by the Contractor in accordance with Art 32 DSGVO to ensure the security of the Processing are listed in Annex 3.

(3) The Contractor is obliged to check and adapt the technical and organizational measures taken by it regularly and also on an ad hoc basis for their effectiveness and necessity in accordance with Art. 32 GDPR. The Contractor shall be obliged to adapt the technical and organizational measures listed in Annex 3 in particular if this is necessary for compliance with the obligations of this contract. The Client must be informed immediately of any significant changes.

The Contractor reserves the right to change the security measures taken without separate notification if this does not fall below the contractually agreed level of protection and does not contradict the GDPR. In the standard case, these are improvements to data security through measures in terms of information security, data protection and quality management.

(4) The Contractor warrants that the employees involved in the processing of the Client's data and other persons working for the Contractor are prohibited from processing the data outside the scope of the instruction. Furthermore, the Contractor warrants that the persons authorized to process the personal data have committed themselves to confidentiality or are subject to an appropriate statutory duty of confidentiality. The confidentiality obligation shall continue to exist after termination of the order.

(5) To the extent agreed, the Contractor shall support the Client within the scope of its possibilities in fulfilling the requests and claims of data subjects pursuant to Chapter III of the GDPR and in complying with the obligations set out in Art. 32 to 36 GDPR.

(6) The Contractor shall inform the Client without undue delay if it becomes aware of violations of the Client's personal data protection or if it becomes aware of circumstances that suggest a violation. The Contractor shall take the necessary measures to secure the data and to mitigate any possible adverse consequences for the persons concerned and shall consult with the Client on this without delay.

(7) The Contractor shall ensure that it complies with its obligations under Article 32 (1) d) of the GDPR to implement a procedure for the regular review of the effectiveness of the technical and organizational measures to ensure the security of the Processing.

(8) The Contractor shall correct or delete the contractual data if the Client instructs it to do so and this is covered by the scope of instructions. If deletion in conformity with data protection or a corresponding restriction of data processing is not possible, the Contractor shall undertake the destruction of data carriers and other materials in conformity with data protection on the basis of an individual order by the Client or return these data carriers to the Client, unless already agreed in the contract.

(9) Data, data carriers and all other materials shall be either surrendered or deleted by the Contractor after the end of the contract at the Client's request analogous to § 5 para. 8. In the case of test and reject materials, an individual instruction for deletion shall not be required. If additional costs arise as a result of the Principal's deviating, market-unusual requirements for the release or deletion of the data that do not result from applicable data protection law or from the contracts, these shall be borne by the Principal.

(10) In the event of a claim against the Customer by a data subject with regard to any claims pursuant to Art. 82 of the GDPR, the Contractor undertakes to support the Customer in defending the claim within the scope of its possibilities.

§ 6 Duties of the AG as the responsible party

(1) The Client as Controller shall ensure that the Processing is carried out in accordance with the principles set out in Chapter II of the GDPR and that the technical and organizational measures taken by the Contractor as Processor (Annex 3) and those measures set out in the Contracts, if any, in addition thereto provide an adequate level of protection, taking into account the nature, scope, circumstances and purposes of the Processing and the varying likelihood and severity of the risks to the rights and freedoms of natural persons.

(2) The Customer shall inform the Contractor immediately and in full if it discovers errors or irregularities in the order results with regard to data protection provisions.

(3) As the controller, the Client is obliged under Art. 32 - 36 GDPR to report all breaches of personal data protection to the supervisory authority and to notify the persons affected by them.

(4) In the event of a claim against the Contractor by a data subject with regard to any claims pursuant to Art. 82 of the GDPR, Section 5 (10) shall apply accordingly.

(5) The Customer shall inform the Contractor of the contact person for data protection issues arising within the scope of the contract.

§ 7 Data Protection Officer of the Contractor

(1) The Contractor confirms that it has appointed a data protection officer in accordance with Art. 37 DSGVO. The Contractor shall ensure that the data protection officer has the required qualifications and expertise. The current contact details are easily accessible on the Contractor's website.

The Contractor may provide the Client with the name and contact details of its data protection officer separately in text form upon request.

§ 8 Requests from affected persons

(1) If a data subject approaches the Contractor with requests for correction, deletion or information, the Contractor shall refer the data subject to the Employer, provided that an assignment to the Employer is possible according to the data subject. The Contractor shall forward the request of the person concerned to the Client without delay. The Contractor shall support the Client within the scope of its possibilities upon instruction as far as agreed.

(2) In the case of requests from data subjects that cannot be clearly assigned, the contractor undertakes to ask the data subject for further information that serves exclusively to be able to correctly assign the request. The data subject shall be informed of the necessity of this information.

(3) Insofar as paragraphs 1 and 2 are fulfilled, the Contractor shall not be liable if the request of the person concerned is not answered by the Client or is not answered properly or on time.

§ 9 Control rights of the customer

(1) The Client shall have the right to monitor the Contractor's compliance with the statutory provisions on data protection and/or compliance with the contractual provisions made between the Parties and/or compliance with the Client's instructions at any time to the extent required.

(2) The Contractor shall be obliged to provide the Client with information insofar as this is necessary to carry out the inspection within the meaning of Paragraph 1.

(3) The Contractor undertakes to support the Client in its audits pursuant to Art. 28 para. 3 sentence 2 lit. h GDPR for compliance with the data protection regulations and the contractual agreements to an appropriate and necessary extent. The Contractor shall provide the Client with all information necessary to prove compliance with the obligations under Art. 28 GDPR, insofar as this is within its area of responsibility and its provision is proportionate. The information shall be provided within a reasonable period of time, usually within 14 days of a written request.

(4) The tests shall be carried out by the Client itself or by a third party commissioned by it. If the third party commissioned by the Client is in a direct competitive relationship with the Contractor, the Contractor shall have the right to object to this. Commissioned third parties must be sworn to secrecy by the Client. The Contractor shall have the right to demand the submission of a separate declaration of confidentiality by the commissioned third party. This applies in particular to the submission of declarations of professional or statutory confidentiality. The duty of confidentiality shall cover all information and business secrets obtained during the audit and shall continue to apply after the audit has been completed.

An audit can be carried out in particular by obtaining information and inspecting the stored data and data processing programs as well as through other measures. Other measures include requesting certifications, reports on data protection audits and on-site inspections. On-site inspections shall be carried out by the Client with reasonable advance notice (at least 5 working days) during normal business hours. The inspections must be carried out without disrupting operations and in compliance with the security and confidentiality interests of the Contractor and are limited to one inspection per calendar year.

As an exception, unannounced inspections are permissible if the Contractor has given cause for such an inspection due to a breach of contract or law. This may generally be the case in the event of:
- reasonable suspicion of serious data protection violations
- acute danger to data subject rights
- suspicion of destruction/manipulation of evidence

The Client must document the specific reason in writing. In the event of unjustified unannounced inspections, the Client shall bear the costs incurred by the Contractor for disruption of operations.
The Contractor is obliged to facilitate and actively support inspections. This includes, in particular, entering the premises relevant for order processing, providing competent contact persons and access to the necessary documents and systems. The inspection shall be carried out in compliance with the business secrets of third parties, operational security and within reasonable business hours.

(5) In the event of measures by the supervisory authority vis-à-vis the Client within the meaning of Art. 58 of the GDPR, in particular with regard to information and control obligations, the Contractor shall be obliged to provide the Client with the necessary information and to enable the respective competent supervisory authority to carry out an on-site inspection. The Client shall be informed by the Contractor about corresponding planned measures.

(6) Subject to deviating provisions, the Contractor may demand additional remuneration for additional expenses incurred by it as a result of the Client's control measures. These shall be calculated according to the actual costs incurred and hourly rates.

§ 10 Subcontractors

(1) The Client hereby consents to the processing of the data by the subsidiary mobilemojo – Apps & eCommerce UG (haftungsbeschränkt) & Co. KG as sub-processor, insofar as this is necessary for the provision of services under the underlying main contract.

(2) All subcontractor relationships of the Contractor already existing at the time of conclusion of the contract are attached to this contract in Annex 2. For the subcontractors listed in Annex 2, approval shall be deemed to have been granted upon conclusion of this contract.

The Contractor has entered into agreements with these third parties to the extent necessary to ensure appropriate data protection and information security measures.

Before calling in or replacing the subcontractors, the Contractor shall inform the Client in text form.

The Client shall grant the Contractor general authorization to make use of other processors within the meaning of Art. 28 GDPR. The Contractor shall inform the Client in advance if it intends to involve or replace subcontractors. The Client may object to such changes. The objection to the intended change must be raised with the Contractor within 2 weeks of receipt of the information about the change.
The contact person for the Client at the Contractor is:
Name: Olena Schmitt
Function: internal data protection officer
Phone number: +49 931 663 98 39 2
Email address: datenschutz@endereco.de

(3) If the Contractor places orders with subcontractors, it shall be incumbent on the Contractor to transfer its data protection obligations under this contract to the subcontractor. The disclosure of the Client's personal data to the subcontractor and the subcontractor's initial activities are only permitted once all requirements for subcontracting have been met. In particular, the Contractor is obliged to transfer its data protection obligations under this contract to the other processor in accordance with Art. 28 para. 4 sentence 1 GDPR.

(4) The subcontractors listed in Annex 2 to this contract shall be deemed approved.

§ 11 Transfer to third countries

(1) Data will only be transferred to third countries outside the EU and the EEA on the documented instruction of the controller, provided that the requirements of Art. 44 et seq. of the GDPR are met.

(2) Order processing in a third country, including by sub-processors, requires the prior consent of the Client and may only take place if the special requirements of Art. 44 et seq. GDPR are met, unless the Contractor is obliged to process in the third country by the law of the Union or of the Member States to which the Contractor is subject; in such a case, the Contractor shall notify the Client of these legal requirements prior to processing, unless the law in question prohibits such notification on grounds of important public interest (Art. 28 para. 3 sentence 2 lit. a GDPR).

(3) Unless otherwise agreed in the contract, processing in a third country shall only be permitted with the prior consent of the Client. The Contractor shall inform the Client in advance which third country(ies) are involved and how the appropriate level of protection within the meaning of Art. 44 ff GDPR is ensured for the processing there.

(4) If a transfer of personal data to a third country is required for the provision of individual services and the Client expressly refuses this transfer without an alternative, equivalent technical solution being available within the EU/EEA, the service in question cannot be provided.

In such a case, the client has no claim to the use of the affected service or to compensation.

(5) The Contractor shall provide a contact that the Client can inform affected parties of as the office where the guarantees are available or where a copy of the guarantee can be requested.

§ 12 Duty to provide information, written form clause, choice of law

(1) Should the Client's data at the Contractor be endangered by attachment or seizure, by insolvency or composition proceedings or by other events or measures of third parties, the Contractor shall immediately inform the Client thereof. The Contractor shall immediately inform all persons responsible in this context that the sovereignty and ownership of the data lies exclusively with the Client as the "responsible party " within the meaning of the General Data Protection Regulation.

(2) Amendments and supplements to this Annex and all of its components - including any warranties of the Contractor - shall require a written agreement, which may also be in an electronic format (text form), and the express indication that it is an amendment or supplement to these Terms and Conditions. This shall also apply to the waiver of this formal requirement.

(3) In the event of any contradictions, the provisions of this Annex on data protection shall take precedence over the provisions of the Agreement. Should individual parts of this Annex be invalid, this shall not affect the validity of the rest of the Annex.

(4) German law shall apply.

§ 13 Liability and compensation

(1) The Client and the Contractor shall be liable to data subjects under data protection law in accordance with the provision set out in Art. 82 DSGVO. Any liability and compensation provisions that do not comply with data protection law or go beyond this or individual provisions shall be agreed exclusively in the offers and contracts between the Client and the Contractor.

§ 14 Confidentiality and secrecy

(1) Both Parties undertake to maintain basic confidentiality and secrecy with regard to the contents of this Agreement. Exempt from this are statutory disclosure obligations to authorities, in court or criminal proceedings as well as contractual obligations to persons and auditors of both the Principal and the Contractor who undertake to maintain confidentiality vis-à-vis the Principal or the Contractor or who are subject to a confidentiality obligation, and ultimately also other order processors and affiliated companies for which the present provisions constitute an integral part within the scope of their performance of activities.

Annex 1 - Subject of the order

1. Subject of processing

The Client's order to the Contractor comprises:

(1) Comparison, adaptation, transmission and storage of customer master data directly upon entry (address, e-mail, salutation, telephone, etc.)
(2) Data check, correction and evaluation of existing data (batch)

2. Types of processing

Within the scope of the subject of data processing described above, the Contractor carries out the following processing for the Client:

(1) Collection and transmission of data entered by customers and employees to Endereco servers
(2) Comparison of the data entered by customers and employees with the data from address databases (hosted internally by Endereco and/or externally by our subcontractors)
(3) Intermediate storage of the data entered by customers and employees on the Endereco servers
(4) Correction and enrichment of data entered by customers and employees
(5) Transmission of corrected data back to the AG
(6) The deletion of the data takes place automatically, usually after 30 days.
(7) Storage of meta-information for each request (time, referrer)

3. Purpose of processing

(1) Personal data is processed on the basis of Article 6(1)(f) of the GDPR. The legitimate interests of the controller consist in the prevention of fraud and ensuring a correct data basis for the execution of the respective business processes.

(2) The processing from point 2.7 serves the purpose of fraud prevention and the billing of the use of the services of endereco UG.

4. Type(s) of personal data

The following types of data are processed as part of the contractual provision of services:
(1) Personal master data (e.g. postal addresses, salutation)
(2) Communication data (e.g. telephone, e-mail)
(3) Contract master data
(4) Technical data (referrer to the AG's system, time of the request)

5. Categories of data subjects

(1) Customers of the Client


Annex 2 - Subcontractors

For the processing of data on behalf of the Client, the Contractor shall use the services of third parties who process data on its behalf ("subcontractors"). These are the following company(ies):

Company/Subcontractor: netcup GmbH
Address/Country: Daimlerstrasse 25, 76185 Karlsruhe, Germany
Order content: Hosting of databases for auditing and reporting of customer data

Company/Subcontractor: mobilemojo – Apps & eCommerce UG & CO.KG
Address/Country: Balthasar Neumann St. 4B, 97236 Randersacker, Germany
Order content: Subsidiary - development and operation of Endereco software

Company/Subcontractor: sms77 e.K.
Address/Country: Willestr. 4-6, 24103 Kiel, Germany
Order content: Checking phone numbers for validity and reachability; formatting of phone numbers

Company/Subcontractor: Post CH Network Ltd.
Address/Country: Wankdorfallee 4, 3030 Berne, Switzerland
Order content: Verification of postal addresses in Switzerland

Company/Subcontractor: Egon srl
Address/Country: Via Monte di Pietà 19, 20121 MILANO MI, Italia
Order content: Hosting and API for the solution for international address validation services

Company/Subcontractor: Cobisi Research™
Address/Country: Via della Costituzione, 31, 35010, Vigonza (PD), Italy
Order content: Email address verification

Company/Subcontractor: Melissa Data Ltd.
Address/Country: Cecilia St. 42-44, 50667 Cologne, Germany
Order content: Hosting and API for the solution for international address validation services

Company/Subcontractor: Linkomat GmbH
Address/Country: Goldschlagstrasse 110/30, 1150 Vienna, Austria
Order content: Verification of VAT IDs and company data

Company/Subcontractor: Optimaize Ltd.
Address/Country: In the upper village 16, CH-8602 Wangen near Zurich, Switzerland
Order content: Names API

Company/Subcontractor: AZ Direct GmbH
Address/Country: Carl-Bertelsmann-Str. 161s, 33311 Gütersloh, Germany
Order content: Verification of customer data including first name, surname and addresses

Company/Subcontractor: Austrian Post AG
Address/Country: Rochusplatz 1, 1030 Vienna, Austria
Order content: Hosting and API for the solution for address validation of Austrian addresses


Annex 3 - Organizational and technical measures

As an organization that collects, processes or uses personal data itself or on behalf of others, we must take the technical and organizational measures necessary to ensure compliance with the provisions of data protection laws. Measures are only necessary if their cost is in reasonable proportion to the intended protective purpose.

Endereco UG meets this requirement through the following measures:

1. Confidentiality according to Art. 32 para. 1 lit. b DSGVO

1.1 Physical access control
The following measures have been taken to prevent unauthorized persons from accessing the data processing equipment with which personal data are processed or used:

Technical measures:
- manual locking system
- Security locks

Organizational measures:
- Key arrangement (handing over of keys etc.)
- Visitors accompanied by employees
- Careful selection of cleaning personnel
- Other: The contracts with our hosting subcontractors regulate access controls to the servers and offices in the enclosed TOMs.


1.2 System access control
The following measures have been taken to prevent unauthorized third parties from using the data systems:

Technical measures:
- Login with username + password
- Automatic desktop lock
- no transmission of data via unencrypted connections
- Encryption of the data backup systems
- Use of intrusion detection systems (Cloudflare)
- Use of anti-virus software
- Encryption of data carriers in laptops/notebooks
- Use of a software firewall

Organizational measures:
- Manage user permissions
- Central password assignment
- Secure Password Policy
- Delete / Destroy Policy
- Clean desk policy
- "Manual desktop lock" instructions
- Mobile Device Policy


1.3 Data access control
The following measures have been taken to ensure that those authorized to use a data processing system can only access the data subject to their access authorization, and that personal data cannot be read, copied, modified or removed without authorization during processing, use and after storage:

Technical measures:
- Logging of accesses to applications, especially when entering, changing and deleting data
- Use of document shredders (level P5)
- Secure storage of data media
- Encryption of data carriers

Organizational measures:
- Authorization concept
- Management of rights by system administrator
- Regular review and updating of access rights (especially when employees leave the company or similar)
- Secure Password Policy

1.4 Separation control
The following measures have been taken to ensure that data collected for different purposes can be processed separately:

Technical measures:
- There is a software separation of the data of the individual customers
- Development, test and production data are strictly separated
- Development, test and production systems are strictly separated
- Endereco uses different domains and SSL certificates for test and production systems

Organizational measures:
- Control via authorization concept
- Setting database rights

1.5 Pseudonymization (Art. 32 para. 1 lit. a) DSGVO, Art. 25 para. 1 DSGVO)
The processing of personal data shall be carried out in such a way that the data can no longer be attributed to a specific data subject without recourse to additional information, provided that such additional information is kept separately and is subject to appropriate technical and organizational measures:

Technical measures:
- Separation/deletion of assignment data and storage in separate and secured system
- no access to data by the store operator or licensee

Organizational measures:
- Internal instruction to anonymize / pseudonymize personal data as far as possible in the event of disclosure or even after expiry of the statutory deletion period.

2. Integrity (Art. 32 para. 1 lit. b DSGVO)

2.1 Input control
With the aid of the following measures, it is possible to check and determine retrospectively whether and by whom personal data have been entered into data processing systems, modified or removed:

Technical measures:
- Technical logging of the entry, modification and deletion of data
- Manual or automated control of the logs

Organizational measures:
- Overview of which programs can be used to enter, change or delete which data
- Traceability of input, modification and deletion of data through individual user names (not user groups)
- Assignment of rights to enter, change and delete data on the basis of an authorization concept
- Clear responsibilities for deletions


2.2 Transfer control
The following measures ensure that personal data cannot be obtained or accessed by unauthorized persons during transfer (physical and/or digital):

Technical measures:
- Encryption of communication channels (e.g. encryption of e-mail traffic)
- Encryption of physical data media during transport
- Safe transport containers
- Provisioning over encrypted connections such as sftp, https

Organizational measures:
- Documentation of the data recipients as well as the duration of the planned transfer or the deletion periods
- Care in the selection of transport personnel and vehicles

3. Availability and resilience (Art. 32 (1) (b) GDPR)

3.1 Availability, recoverability and resilience of the systems
The following measures ensure that the data processing systems used function properly at all times and that personal data is protected against accidental destruction or loss:

Technical measures:
- Testing data recovery
- Regular backups of databases
- The technical measures for the availability, recoverability and resilience of the systems on the hardware side are ensured by the TOMs of our subcontractors in the hosting area:

◦ Fire and smoke detection systems
◦ Fire extinguisher server room
◦ Server room monitoring temperature and humidity
◦ Server room air-conditioned
◦ UPS
◦ RAID system / hard disk mirroring

Organizational measures:
- Creation of a backup & recovery concept
- Creation of an emergency plan for internal measures
- The organizational measures for the availability, recoverability and resilience of the systems on the hardware side are ensured by the TOMs of our subcontractors in the hosting area:

◦ No sanitary connections in or above the server room
◦ Backup & recovery concept (fully formulated)
◦ Control of the backup process
◦ Existence of an emergency plan (e.g. BSI IT Grundschutz 100-4)

4. Procedures for regular review, assessment and evaluation (Art. 32 (1) (d) GDPR; Art. 25 (1) GDPR)

4.1 Data protection management

Technical measures:
- Central documentation of all procedures and regulations on data protection with access for employees according to need / authorization (Wiki, Intranet ...)
- A review of the effectiveness of the technical protective measures is carried out at least once a year.

Organizational measures:
- Internal data protection officer
- Employees trained and committed to confidentiality / data secrecy
- Regular sensitization of employees, at least annually
- The data protection impact assessment (DSFA) is carried out as required
- The organization complies with the information obligations according to Art. 13 and 14 DSGVO
- Formalized process for handling requests for information from data subjects is in place

4.2 Incident response management
Support for security breach response

Technical measures:
- Use of firewall and regular updating
- Use of spam filters and regular updating
- Use of virus scanner and regular updating
- Intrusion Detection System (IDS)

Organizational measures:
- Documented process for detecting and reporting security incidents / data breaches (also with regard to reporting obligation to supervisory authority)
- Documented procedure for handling security incidents
- Documentation of security incidents and data breaches, e.g. via a ticket system
- Formal process and responsibilities for following up on security incidents and data breaches

4.3 Data protection-friendly default settings (Art. 25 (2) GDPR)
Privacy by design / Privacy by default

Technical measures:
- No more personal data is collected than is necessary for the respective purpose
- Simple exercise of the right of withdrawal of the data subject by technical measures


Organizational measures:

4.4 Order control (outsourcing to third parties)

Technical measures:

Organizational measures:
- Prior verification of the security measures taken by the contractor and their documentation
- Selection of the contractor under due diligence aspects (especially with regard to data protection and data security)
- Conclusion of the necessary agreement on commissioned processing or EU standard contractual clauses
- Written instructions to the contractor
- Obligation of the contractor's employees to maintain data secrecy
- Obligation to appoint a data protection officer by the contractor if the obligation to appoint exists
- Agreement on effective control rights vis-à-vis the contractor
- Regulation on the use of additional subcontractors
- Ensuring the destruction of data after the completion of the order

Status: 18.06.2025
