Technical and organisational measures#

Technical and organisational measures according to Art. 32 GDPR#

Companies that collect, process or use personal data themselves or on behalf of others must take the technical and organisational measures necessary to ensure that the provisions of the EU GDPR are implemented. Measures are only required where their cost is proportionate to the intended protection purpose. This annex presents, in tabular form, the technical and organisational measures taken by the manufacturer as required by Article 32 of the GDPR. The left-hand column records the measures that the Gesellschaft für Datenschutz und Datensicherheit e.V. (hereinafter: "GDD") has approved as particularly suitable; the right-hand column documents the measures actually taken by the manufacturer. Together they document the technical and organisational measures.

Physical access control#

Unauthorised persons are prevented from gaining physical access to the premises. Technical and organisational measures for access control, in particular for identifying authorised persons:

  • Suggested measures (GDD): Access control system, badge reader, magnetic card, chip card.

  • Measures (Helm & Nagel): See the security measures of the hosting company documented in Appendix 3.

System access control#

Unauthorised persons are prevented from gaining access to the data processing systems. Technical and organisational measures for user identification and authentication:

Passwords#

  • Proposed measures (GDD): Password procedure

  • Measures (Helm & Nagel): Access to the application is only possible via the Internet with a personal username and password. Passwords are created in a particularly strong form: as a rule, only passwords of at least 8 characters are accepted. Passwords that resemble a user's master data or appear in a list of commonly used passwords are rejected. Passwords entered manually by users must also meet these requirements. Access to the server is restricted to specially authorised staff and takes place exclusively over encrypted connections (SSH) using public-key authentication.
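The password rules above (minimum length, no resemblance to the user's master data, not on a list of common passwords) can be expressed as a single validation routine. The following is an added example written for this page, not Helm & Nagel's own code; the similarity threshold, the minimum fragment length, the leetspeak substitution table, the short common-password list and the sample user are all assumptions chosen to illustrate the checks.

```python
import re
import unicodedata
from difflib import SequenceMatcher

MIN_LENGTH = 8                # the page's "at least 8 characters"
SIMILARITY_THRESHOLD = 0.7    # assumption: ratio above which a password "resembles" master data
MIN_TOKEN_LENGTH = 4          # assumption: ignore very short master-data fragments such as "com"

# Constructed stand-in for the "list of general passwords"; a real deployment would
# load a breached-password corpus here instead.
COMMON_PASSWORDS = {"password", "12345678", "qwertyui", "letmein1", "welcome1", "iloveyou"}

# Common digit/symbol-for-letter substitutions, so "Schm1dt" still counts as "schmidt".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def _fold(s: str) -> str:
    """Unicode-normalise and case-fold so that comparisons are case-insensitive."""
    return unicodedata.normalize("NFKC", s).casefold()


def _deleet(s: str) -> str:
    """Fold and undo the substitutions in LEET; applied to both sides of a comparison."""
    return _fold(s).translate(LEET)


def _tokens(value) -> list:
    """Split a master-data value ("anna.schmidt@example.com", "1990-04-12") into fragments."""
    return [t for t in re.split(r"\W+", str(value)) if len(t) >= MIN_TOKEN_LENGTH]


def _resembles(candidate: str, fragment: str) -> bool:
    """True if the password contains, is contained in, or is close to a master-data fragment."""
    a, b = _deleet(candidate), _deleet(fragment)
    if b in a or a in b:
        return True
    return SequenceMatcher(None, a, b).ratio() >= SIMILARITY_THRESHOLD


def check_password(candidate: str, master_data: dict, common_passwords=COMMON_PASSWORDS) -> list:
    """Return the reasons a password must be rejected; an empty list means it is acceptable.

    master_data maps field names to the user's master data (username, name, e-mail, date of birth, ...).
    """
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if _fold(candidate) in {_fold(p) for p in common_passwords}:
        reasons.append("appears in the list of common passwords")
    for field, value in master_data.items():
        if any(_resembles(candidate, frag) for frag in _tokens(value)):
            reasons.append(f"similar to master data field '{field}'")
    return reasons


# Constructed sample user for the demonstration; not real personal data.
MASTER_DATA = {
    "username": "aschmidt",
    "name": "Anna Schmidt",
    "email": "anna.schmidt@example.com",
    "birth_date": "1990-04-12",
}

if __name__ == "__main__":
    for pw in ["Pass1", "Password", "Schm1dt99", "Anna1990!", "Tr0ub4dor&3-Horse"]:
        verdict = check_password(pw, MASTER_DATA)
        print(f"{pw!r}: {'accepted' if not verdict else 'rejected: ' + '; '.join(verdict)}")
```

Two design points matter in practice: the master-data comparison must be made on a normalised form of both sides (case-folded, common substitutions undone), otherwise "Schm1dt99" passes a naive substring check; and the routine returns every applicable reason rather than stopping at the first, so the user can be told what to change.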

Data carrier#

  • Proposed measures (GDD): Encryption of data carriers.

  • Measures (Helm & Nagel): The data carriers of the manufacturer's servers are strongly encrypted. Access to the servers is always encrypted.

Data access control#

Unauthorised activities in data processing systems outside the scope of granted authorisations are prevented. Needs-based design of the authorisation concept and access rights, together with their monitoring and logging:

  • Proposed measures (GDD): Differentiated authorisations (profiles, roles, transactions and objects).

  • Measures (Helm & Nagel): Within the application there is a differentiated system of rights and roles. What a user can see and do within the application is determined by the roles and rights assigned to that user. Changes to the data stock are logged.

Transfer control#

The secure transfer of personal data is ensured. Measures during transport, transmission and storage on data media (manual or electronic) and during subsequent verification:

  • Proposed measures (GDD): Encryption / tunnel connection (VPN = Virtual Private Network).

  • Measures (Helm & Nagel): Communication between client and server is always encrypted. Helm & Nagel uses 256-bit encryption (SSL/TLS; the figure refers to the key length of the symmetric session cipher). Security-relevant or customer-specific data is never transmitted unencrypted.

Input control#

Traceability and documentation of data management and maintenance is ensured. Measures for subsequent verification of whether and by whom data has been entered, changed or removed (deleted):

  • Proposed measures (GDD): Logging and log evaluation systems.

  • Measures (Helm & Nagel): Changes to the data stock are logged.

Order control#

Processing of data on behalf of the customer in accordance with instructions is ensured. Measures (technical / organisational) to delimit the responsibilities of customer and manufacturer:

  • Suggested measures (GDD): Clear contract design.

  • Measures (Helm & Nagel): The manufacturer's contract contains a dedicated GDPR-compliant data protection annex.

Availability control#

Data is protected against accidental destruction or loss. Data protection measures (physical / logical):

Backup#

  • Suggested measures (GDD): Backup procedure.

  • Measures (Helm & Nagel): A daily backup of the data is created automatically. In addition, the manufacturer continuously keeps several up-to-date copies of customer data from which the customer data can be restored, in no case less frequently than once a week (unless no customer data has been updated during that period). The manufacturer logs all data recovery actions.

Firewall#

  • Suggested measures (GDD): Virus protection / Firewall

  • Measures (Helm & Nagel): The manufacturer's servers are protected by a firewall that permits access to the server on three ports only: 80 (HTTP), 443 (HTTPS) and 22 (SSH). The manufacturer uses anti-malware controls to prevent malware, including malware originating from public networks, from gaining unauthorised access to client data.

Separation control#

Data collected for different purposes is processed separately. Measures for the separate processing (storage, modification, deletion, transmission) of data collected for different purposes:

  • Proposed measures (GDD): “internal multi-client capability” / purpose limitation.

  • Measures (Helm & Nagel): Several client applications can be installed on each server. It is ensured that each application runs only within its own separate environment. The servers carry only the programs necessary for operation, and these are always kept up to date.

Hosting#

Reference to the security measures of the hosting companies used by Helm & Nagel

Please note: each of the hosting providers listed here receives personal data only where this is necessary for the performance of the activity defined in the commissioned processing; otherwise no data transfer takes place. Our company is guided by Articles 21 and 22 of the "Code of Conduct" of the German Insurance Association (GDV), last accessed on 26.06.2021, and by the Guide to Processing Activities of Bitkom e.V. For a detailed list of the service providers commissioned by us, the data subject may contact the data protection officer, who will make it available in accordance with Art. 15 GDPR.