SCHEDULE 2 – DESCRIPTION OF TECHNICAL AND ORGANIZATIONAL MEASURES
This Schedule 2 describes the technical and organizational measures as supplied by the Data Processor which the Data Processor warrants to comply with when processing the Personal Data covered by this DPA.
The measures listed in this Schedule 2 are non-exhaustive and the Data Processor warrants to ensure that the technical and organizational measures are, at any time, in compliance with applicable regulation on protection of personal data, e.g. in any national regulation or the EU PDR.
ACCESS CONTROL (PHYSICAL SECURITY MEASURES ARE REQUIRED)Which technical and organizational measures are in place in order to control physical access to the Data Processor’s premises and to identify authorized persons?
CONTROLLED ADMITTANCE (UNAUTHORIZED PERSONS ACCESSING DATA PROCESSING SYSTEMS MUST BE PREVENTED)
Which measures are in place with regard to user identification and authentication technically (password protection) and organizationally (user master record)?
ACCESS CONTROL (UNAUTHORIZED WORK IN DATA PROCESSING SYSTEMS BEYOND THE GRANTED AUTHORITIES MUST BE PREVENTED)Are the authorization concept and the access rights adjusted to the requirements? How is monitoring and logging ensured?
DISCLOSURE CONTROL (ANY AND ALL ASPECTS OF THE TRANSMISSION OF PERSONAL DATA: ELECTRONIC TRANSMISSION, DATA TRANSPORT, TRANSMISSION CONTROL)
Which security measures are in place for the transport, transfer and transmission and storage on data storage devices (whether manual or electronic) as well as for the subsequent inspection?
INPUT CONTROL (TRACEABILITY, DOCUMENTATION OF DATA ADMINISTRATION AND MAINTENANCE)
Which measures are in place for a subsequent inspection, if and by whom data have been entered, amended or removed (deleted)?
CONTROL OF INSTRUCTIONS (WARRANTY THAT THE CONTRACT DATA PROCESSING COMPLIES WITH THE INSTRUCTIONS)
Which measures are in place to differentiate between the competences of the Data Controller and the Data Processor?
AVAILABILITY CONTROL (DATA SHALL BE PROTECTED AGAINST ACCIDENTAL DESTRUCTION OR LOSS?
Which measures are in place for data protection (physically/ logically)?
SEPARATION CONTROL (DATA COLLECTED FOR DIFFERENT PURPOSES SHALL BE PROCESSED SEPARATELY)
Which measures are in place for a separate data processing (storing, alteration, deletion, transmission) of data with different contract purposes?