All entities that collect, process or use personal data are obliged to take appropriate technical and organizational measures to protect personal data. The requirements for the measures to be taken in detail arise from the annex to Section 9 of the Federal Data Protection Act.
This document contains an overview of the technical and organizational measures for the protection of personal data implemented by qamaas GmbH in accordance with Article 32 GDPR.
Qamaas GmbH regularly checks the technical and organizational measures taken to see if they correspond to the state of the art and the organizational possibilities. In this respect, Qamaas GmbH is permitted to implement alternative adequate measures. This ensures that the level of security of the measures set out in this document is not undercut.
The in-house organization must be designed in such a way that it meets the special requirements of data protection.
- A directive lays down the requirements for the handling of personal data, the regulations for compliance with the EU GDPR and the use of IT systems.
- In accordance with Article 37 GDPR, qamaas GmbH has appointed an expert and independent company data protection officer.
- The Data Protection Officer shall keep a list of the processing activities
- In accordance with Art. 32, paragraph 4, all employees are obliged to deal confidentially with business and business secrets in accordance with the confidentiality of data and, in addition, in the contract of employment.
- All employees are informed about data protection and data security in connection with the obligation to keep data secret.
- Employees with access to switching or telephone systems are obliged to comply with telecommunications secrecy in accordance with Section 88 TKG and are instructed accordingly
- All employees are regularly informed about current data protection issues.
- Employees are trained annually on data protection issues. The curriculum of the training is planned by the Data Protection Officer
Confidentiality (Art. 32 sec. 1 lit. b GDPR)
Physical Access Control
- Security locks at the main entrance and access with key card, locking of the access door outside business hours
- Burglar-resistant door at the main entrance of the building and in the entrances of the used units
- Key control (key or key card issuance only to trusted employees, documented with key monitoring, return on departure is monitored)
- Access to servers is via independent closure
- Careful selection of cleaning staff
- Regulation on access for third parties (accompaniment)
Data Access Controll
- Assignment of user rights with rights/role concept in domain
- Creating user profiles
- Protection class concept for data and systems
- Password assignment (12 characters, complexity requirement according to Win-AD standard)
- Authentication with username / password
- Mapping user profiles to IT systems
- Use of VPN technology
- Use of anti-virus software
- Using a hardware firewall
Data Usage Controll
- Number of administrators reduced to the “most necessary”
- Authorization concept with written documentation
- Managing access rights by system administrator
- Regularly, no copy of the data of the client is carried out in the systems of the contractor. If the production of copies becomes necessary for troubleshooting, this is only done with the consent of the client. The data is then logically kept separate from other data and deleted immediately after completion of the task.
Integrity (Art. 32 sec. 1 lit. b GDPR)
- Facilities of service lines or VPN tunnels
- During physical transport, careful selection of transport personnel and vehicle
- Secure storage of disks
- proper destruction of data carriers (DIN 66399-1 ff)
- Use of shredders or service providers incl. logging of destruction
- Crypto-conzep t for mobile disks
- Traceability of input, modification and deletion of data by individual user names (not user groups)
- Granting of rights to enter, modify and delete data on the basis of an authorization concept
- Logging inputs, changes, and deletions in specific applications.
Availability and resilience (Art. 32 sec. 1 lit. b GDPR)
- Uninterruptible Power Supply (UPS)
- Protective socket strips in server rooms
- Fire extinguishers in front of server rooms
- Server rooms not under sanitary facilities
- Monitoring of the servers regarding temperature development
- Sufficient air conditioning
- Emergency concept regarding continuation and restart
Rapid recoverability (Art. 32 sec. 1 lit. c GDPR);
- Backup & recovery concept including regular data recovery testing
- Retention of data backup in a secure, outsourced location
- Documentation of the IT infrastructure
- Emergency concept regarding continuation and restart
Regular review, evaluation and evaluation procedures (Art. 32 sec. 1 lit. d GDPR; Article 25(1) GDPR)
- Selection of the contractor from a point of view of due diligence (in particular with regard to data security)
- prior examination and documentation of the security measures taken by the contractor
- written instructions to the contractor (e.g. by contract data processing contract) in accordance with Section 11 (2) of the German Data Protection Act (BDSG)
- Obligation of the Contractor’s employees to keep data
secret (Section 5 BDSG)
- Contractor has appointed Data Protection Officer (if required by law)
- Effective control rights agreed with the contractor
- Ongoing review of the Contractor and its activities
- Privacy Management
- Privacy-friendly preferences (Art. 25 sec. 2 GDPR)