| TRANSFER SECURITY MEASURES | GENERAL DESCRIPTION | IMPLEMENTED MEASURES |
|---|---|---|
| Measures of pseudonymisation and encryption of Personal Data | Pseudonymisation – Measures that enable one to process personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that this additional information is stored separately and is subject to appropriate technical and organisational measures. | • Standardized Information Gathering (SIG) Questionnaire • SOC2 |
| Measures of pseudonymisation and encryption of Personal Data | Encryption – Measures that enable one to convert clearly legible information into an illegible string by means of a cryptographic process. | • SIG • SOC2 • PCI Compliance Letter • Cloud Controls Matrix (CCM) |
| Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services | Confidentiality – Measures ensuring that information is accessed only by an authorised person and preventing the intrusion by unauthorised persons into systems and applications used for the processing of personal data. | • SIG |
| Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services | Integrity – Measures ensuring that personal data cannot be read, copied, modified or removed without authorisation during electronic transmission or transport, and that it is possible to check and establish whether and by whom personal data have been input into data processing systems, modified or removed. | • SIG |
| Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services | Availability and resilience – Measures that ensure that personal data is protected from accidental destruction or loss due to internal or external influences, and that ensure the ability to withstand attacks or to quickly restore systems to working order after an attack. | • SOC2 |
| Measures for ensuring the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident | Measures that ensure the possibility to quickly restore the system or data in the event of a physical or technical incident. | • SIG |
| Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing | Measures that ensure the regular review and assessment of security measures. | • SIG |
| Measures for user identification and authorisation | Measures to validate and authenticate users. | • SIG |
| Measures for the protection of Personal Data during transmission | Measures ensuring transmission control, so that personal data cannot be read, copied, changed or deleted without authorisation during their transfer, and so that it can be monitored and determined to which recipients a transfer of data is intended. | • SIG |
| Measures for the protection of Personal Data during storage | Measures ensuring transmission control, so that personal data cannot be read, copied, changed or deleted without authorisation while stored on data media. | • SIG |
| Measures for ensuring physical security of locations at which Personal Data are processed | Measures for entry control, especially regarding legitimation of authorised persons. | • SIG |
| Measures for ensuring events logging | Measures for ensuring the verifiability of event log files. | • SIG |
| Measures for ensuring system configuration, including default configuration | Measures to ensure that all in-scope systems and devices are compliant with baseline configuration settings. | • SIG |
| Measures for internal IT and IT security governance and management | | • Data Protection Officer |
| Measures for certification/assurance of Processes and products | Certifications | • SOC1 |
| Measures for ensuring Personal Data minimisation | Measures to reduce the amount of data collected. | • SIG |
| Measures for ensuring Personal Data quality | Measures to ensure that the data pipeline creates and sustains good data quality. | • SIG |
| Measures for ensuring limited data retention | Data retention | • SIG • Privacy and Data Compliance Tool User’s Guide |
| Measures for ensuring accountability | Businesses must maintain certain records of the personal data that they process. | • SOC2 |
| Measures for allowing erasure | | • Privacy and Data Compliance Tool User’s Guide |