Technical & Organizational Measures

The following document describes p36’ current technical and organizational measures. p36 may change these at any time without notice so long as it maintains a comparable or better level of security. Individual measures may be replaced by new measures that serve the same purpose without diminishing the security level protecting Personal Data.
‍
The technical and organizational measures are implemented by p36 in accordance with Art 32 DSGVO. They are continuously improved by p36 according to feasibility and state of the art - not least also in terms of the active ISO 27001 certification - and brought to a higher level of security and protection.
For hosted applications of p36 on SAP Data Centers, SAP´s Technical and Organizational measures apply.
‍
For hosted applications of p36 on AWS Data Centers, AWS's Technical and Organizational measures apply.

‍Control Measures to prevent unauthorized persons from gaining access to data processing systems with which personal data is processed or used.

• Transponder system
  
• Auto-locking entrance doors
  
• Video surveillance of company site
  

• Transponder Management
  
• Visitor Management
• Visitors' list
  
• Visitor badges
  
• Visitors accompanied by employees
  
• Service Provider Management (e.g. Cleaning  Services)
  
• Information Security Policy
  
• Access Control Policy
  
• Physical Security Policy
  

Measures suitable for preventing data processing systems from being used by unauthorized persons.

• Login with user ID + strong password
  
• Secure Password Management Tool  
• Two-factor authentication where possible
  
• Anti-Virus Software Clients
  
• Firewall
  
• Encryption of smartphones
  
• Automatic screen lock  
  
• Encryption of notebooks
  
• Logical network separation
  

• User Permission Concept
  
• Regular Review of User Permissions
• Password Management Policy
  
• Information Security Policy
  
• Mobile Device Policy
  
• Access Control Policy
  
• Procedures for Access Control Management
  
• Workstations and Notebooks Policy
  
• Procedures for (IT) On-/Offboarding
  
• Procedures for Hard-/Software Procurement
  
• Network concept
  

Measures to ensure that those authorized to use a data processing system can only access the data subject to their access authorization and that personal data cannot be read, copied, modified or removed without authorization during processing, use and after storage.

• File shredder min. recommended security level P-4 (DIN 66399)
  
• External destruction of files at least recommended security level P-6 (DIN 66399)
• Physical deletion of data carriers
  
• Logging of accesses to applications, specifically when entering, changing, and deleting data
  
• Logical network separation  
  
• SSH encrypted access
  
• Certified SSL encryption
  

• User Permission Concept
  
• Procedures for (De-)Registration of users
• Minimum number of administrators
  
• Management of user rights by administrators  
  
• Regular Review of User Permissions
  
• Information Security Policy
  
• Access Control Policy
  
• Policy for Classification and handling of information
  
• Network concept
  

Measures that ensure that data collected for different purposes can be processed separately. This can be ensured, for example, by logical and physical separation of the data.

• Separation of productive and test environment
  
• Multi-tenancy of relevant applications
• Client systems logically separated
  
• Staging of development, test and production environment
  

• Control via role/permission concept
  
• Determination of database rights
• Information Security Policy
  
• SOPs for secure software development
  

The processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to appropriate technical and organizational measures..

• Personal data are pseudonymized at the request of the client
  
• Use of VPN
• Disk encryption for notebooks
  

• Internal instruction to anonymize/pseudonymize personal data as far as possible or removing all personal data for certain types of processing
  
• Information Security Policy    
• Policy for Classification and handling of information  
  
• Cryptographic concept
  
• Procedures for hard disk encryption
  

Measures to ensure that personal data cannot be read, copied, altered or removed by unauthorized persons during electronic transmission or while being transported or stored on data media, and that it is possible to verify and establish to which entities personal data are intended to be transmitted by data transmission equipment.

• Use of VPN
  
• Logging of accesses and retrievals
• Provision via encrypted connections such as TLS, HTTPS and SSL
  
• Use of signature procedures (case-dependent)
  

• Regular review of regular retrieval and transmission processes/policies
  
• Transmission in anonymized or pseudonymized form
• Manual/automatic logging analysis
  
• Information Security Policy
  
• Policy for Classification and handling of information
  
• Cryptographic concept
  

Measures that ensure that it is possible to check and establish retrospectively whether and by whom personal data has been entered into, modified or removed from data processing systems. Input control is achieved through logging, which can take place at various levels (e.g., operating system, network, firewall, database, application).

• Technical logging of the entry, modification and deletion of data
  
• Logging of administrative access to systems
• Manual or automated analysis of the logs
  

The input control, as well as the period for which the resulting data are retained,are governed by the Client's instructions for his data and on his infrastructure or inhis applications

• Traceability of data entry, modification and deletion through individual Access IDs etc.
  
• Traceability of Administrative access to systems
• Assignment of rights to enter, change and delete data based on a permission concept
  
• Information Security Policy
  
• Logging Management
  
• Procedures for logging management and evaluation
  

Measures to ensure that personal data are protected against accidental loss or destruction.

• Fire and smoke detection systems
  
• System monitoring

• Procedures for Business and Disaster Recovery
  
• Existence of an emergency plan
• Vulnerability Management
  
• Information Security Policy
  
• Procedures for Incident Management
  

Measures capable of rapidly restoring the availability of and access to personal data in the event of a physical or technical incident.

• Backup monitoring and reporting
  
• Restoration from manual/automated backups
• Backup concept according to criticality
  

• Recovery concept
  
• Regular review of the backup procedures  
• Regular testing of data recovery and logging of results
  
• Existence of an emergency plan
  
• Information Security Policy
  
• Procedures for Incident Management
  

• Internal data protection officer appointed  
  
• Employees trained and obliged to confidentiality/data secrecy
• Regular awareness trainings at least annually and within onboarding of new employees
  
• Internal Information Security Officer appointed
  
• Data Protection Impact Assessment (DPIA) is carried out as required
  
• Processes regarding information obligations according to Art 13 and 14 GDPR established
  
• Data protection aspects established as part of risk management
  
• Central documentation of all data protection regulations with access for employees
  
• Information Security certification according to ISO 27001
  
• Regular reviews of the effectiveness of the TOMs is carried out at least annually and TOMs are updated
  

Support for security incident response and data breach process.

• Use of firewall and regular updating
  
• Use of spam filter and regular updating
• Use of virus scanner and regular updating
  

• Documented process for detecting and reporting security incidents / data breaches (also with regard to reporting obligation to supervisory authority)
  
• Formalized procedure for handling security incidents
• Involvement of DPO and ISO in security incidents and data breaches    
  
• Documentation of security incidents and data breaches via ticket system
  
• A formal process for following up on security incidents and data breaches
  
• Information Security Policy
  

Measures according to Article 25 GDPR that comply with the principles of data protection by design and by default.

• Appropriate measures based on criticality and according to the current state of the art
  
• No more personal data is collected than is necessary for the respective purpose
• Use of data protection-friendly default settings in standard and individual software
  

Measures to ensure that personal data processed on behalf of the client can only be processed in accordance with the client's instructions.

• Service provider Management  
  
• Conclusion of the necessary data processing agreement on commissioned processing or EU standard contractual clauses
• Obligation of the contractor's employees to maintain data secrecy
  
• Evaluation of security measures taken by the service provider
  
• Selection of the service provider under due diligence aspects (especially with regard to data protection and data security)
  

Both the Quality Management System according to ISO 9001 and the Information Security Management System according to ISO 27001 of p36 are certified by the independent TÜV SUED GmbH.