Technical and organizational measures


1. Introduction

1.1. Controller

The controller within the meaning of Art. 4 No. 7 of the EU General Data Protection Regulation (GDPR) is comstruct ICT GmbH, Agnes-Pockels-Bogen 1, 80992 Munich, Germany, E-mail: kontakt@comstruct.com. We are legally represented by Henric Meinhardt.

1.2. Data Protection Officer

Our Data Protection Officer is heyData GmbH, Schützenstraße 5, 10117 Berlin, www.heydata.eu, E-mail: datenschutz@heydata.eu.

1.3. Subject of the document

This document summarizes the technical and organizational measures taken by the controller within the meaning of Art. 32(1) GDPR. These are measures with which the controller protects personal data. The document aims to support the controller in fulfilling its accountability obligation under Art. 5(2) GDPR.


2. Confidentiality (Art. 32(1)(b) GDPR)

2.1. Entry control

The following implemented measures prevent unauthorized persons from gaining access to the data processing facilities:

  • Manual locking system (e.g. key)

  • Logging of visitors (e.g. visitor book)

  • Visitors only accompanied by employees

  • Careful selection of cleaning staff


2.2. Access control

The following implemented measures prevent unauthorized persons from gaining access to the data processing systems:

  • Authentication with username and password

  • Use of anti-virus software

  • Use of firewalls

  • Use of mobile device management

  • Use of VPN technology for remote access

  • Encryption of data carriers

  • Automatic desktop lock

  • Encryption of notebooks / tablets

  • Management of user authorizations

  • Creation of user profiles

  • Central password rules

  • Use of 2-factor authentication

  • Logging of visitors (e.g. visitor book)

  • Key regulation / key log

  • General company policy on data protection or security

  • Company policy for secure passwords

  • Company policy "Clean Desk"

  • Company policy on the use of mobile devices

  • General instruction to manually lock the desktop when leaving the workstation


2.3. Access control to personal data

The following implemented measures ensure that unauthorized persons have no access to personal data:

  • Use of shredders (with cross cut function)

  • Physical deletion of data carriers before their reuse

  • Logging of destruction of data

  • Logging of access to applications (especially when entering, changing and deleting data)

  • Use of an authorization concept

  • The number of administrators is kept as small as possible

  • Management of user rights by system administrators

2.4. Separation control

The following measures ensure that personal data collected for different purposes is processed separately:

  • Separation of production and test systems

  • Encryption of records processed for the same purpose

  • Logical tenant separation (software-based)

  • Definition of database rights

3. Integrity (Art. 32(1)(b) GDPR)

3.1. Disclosure control

It is ensured that personal data cannot be read, copied, altered or removed without authorization during transmission or storage on data carriers and that it can be verified which persons or entities have received personal data. To ensure this, the following measures are implemented:

  • Establishment of VPN tunnels

  • WLAN encryption (WPA2 with strong password)

  • Logging of access and retrievals

  • Provision of data via encrypted connections such as SFTP or HTTPS

  • Use of signature procedures

  • Creation of an overview of regular retrieval and transmission processes

  • Disclosure of data in anonymized or pseudonymized form

3.2. Input control

Through the following measures it is ensured that it can be checked who processed personal data at what time in data processing systems:

  • Logging of data entry, modification and deletion

  • Manual or automatic review of logs

  • Traceability of data entry, modification and deletion through individual user names (not user groups)

  • Granting of rights to enter, modify and delete data on the basis of an authorization concept

4. Availability and resilience (Art. 32(1)(b) GDPR)

Through the following measures it is ensured that personal data are protected against accidental destruction or loss and are always available to the controller:

  • Regular backups

  • Creation of a backup & recovery concept

  • Monitoring of the backup process

  • Storage of backups in a secure, off-site location

  • Creation of an emergency plan (e.g. BSI IT baseline protection 100-4)

  • Regular tests for data recovery and logging of the results

  • Hosting (at least of the most important data) with a professional hosting provider

5. Procedures for regular review, assessment and evaluation (Art. 32(1)(d) GDPR; Art. 25(1) GDPR)

5.1. Data protection management

The following measures are intended to ensure that an organization exists that meets the basic data protection requirements:

  • Use of the heyData platform for data protection management

  • Appointment of the heyData Data Protection Officer

  • Obligation of employees to maintain data confidentiality

  • Regular training of employees in data protection

  • Maintaining an overview of processing activities (Art. 30 GDPR)

5.2. Incident response management

The following measures are intended to ensure that reporting processes are triggered in the event of data protection breaches:

  • Reporting process for personal data breaches pursuant to Art. 4 No. 12 GDPR to the supervisory authorities (Art. 33 GDPR)

  • Reporting process for personal data breaches pursuant to Art. 4 No. 12 GDPR to the data subjects (Art. 34 GDPR)

  • Involvement of the Data Protection Officer in security incidents and data breaches

  • Use of anti-virus software

  • Use of firewalls

5.3. Privacy-friendly default settings (Art. 25(2) GDPR)

The following implemented measures meet the requirements of the principles "Privacy by design" and "Privacy by default":

  • Training of employees in "Privacy by design" and "Privacy by default"

  • No more personal data are collected than are necessary for the respective purpose.

5.4. Processor control

Through the following measures it is ensured that personal data can only be processed in accordance with instructions:

  • Written instructions to the processor or instructions in text form (e.g. through a data processing agreement)

  • Ensuring the destruction of data after completion of the order, e.g. by requesting corresponding confirmations

  • Confirmation from processors that they oblige their own employees to maintain data confidentiality (typically in the data processing agreement)

  • Careful selection of processors (especially with regard to data security)

  • Ongoing review of processors and their activities