
Technical and Organizational Measures (TOMs)

Detailed listing of our technical and organizational data protection measures according to GDPR

GDPR-Certified

Fully GDPR-compliant through HeyData

We work together with HeyData and thereby ensure the highest data protection standards.

HeyData advises over 1,500 companies. HeyData has more than 20 years of experience.

This page documents the technical and organizational measures (TOMs) required under Art. 32 GDPR that we have implemented at meinGPT to ensure an appropriate level of protection.

Technical Security Measures

1. Confidentiality (Art. 32 Para. 1 lit. b GDPR)

Physical Access Control

The following implemented measures prevent unauthorized persons from gaining physical access to data processing facilities:

  • Locking system with code lock
  • Security locks
  • Video surveillance of entrances

System Access Control

The following implemented measures prevent unauthorized persons from accessing data processing systems:

  • Authentication with username and password
  • Authentication with biometric data
  • Use of firewalls
  • Use of VPN technology for remote access
  • Encryption of data carriers
  • Encryption of notebooks / tablets
  • Central password rules
  • Use of 2-factor authentication
  • Company policy for secure passwords
  • Company "Clean Desk" policy
  • Automatic desktop locking when leaving workstation

Data Access Control

The following implemented measures ensure that unauthorized persons cannot access personal data:

  • Use of paper shredders (with cross-cut function)
  • Physical deletion of data carriers before reuse
  • Minimal number of administrators
  • Secure storage of data carriers
  • Central management of user rights by system administrators
  • Policy for minimal data printing

Separation Control

The following measures ensure that personal data collected for different purposes is processed separately:

  • Separation of production and test systems
  • Logical client separation (software-based)
  • Comprehensive authorization concept

2. Integrity (Art. 32 Para. 1 lit. b GDPR)

Transfer Control

The following measures ensure that personal data cannot be read, copied, modified or removed without authorization during transmission or storage:

  • Setup of VPN tunnels
  • WLAN encryption (WPA2 with strong password)
  • Provision of data via encrypted connections (SFTP, HTTPS)
  • Ban on uploading business data to non-company servers

Input Control

The following measures ensure that it can be verified who processed personal data at what time:

  • Clear responsibilities for deletions
  • Mandatory consultation before data deletion
  • Comprehensive logging of data access

3. Availability and Resilience (Art. 32 Para. 1 lit. b GDPR)

The following measures ensure that personal data is protected against accidental destruction or loss and is always available:

  • Regular automated backups
  • Comprehensive backup & recovery concept
  • Continuous monitoring of backup process
  • Secure, off-site storage of data backups
  • Separation of operating systems and data
  • Hosting with professional, certified providers

Organizational Measures

Data Protection Management

  • Data Protection Officer (DPO)

    • External appointment: heyData GmbH as qualified Data Protection Officer
    • Contact: datenschutz@heydata.eu, Schützenstr. 5, 10117 Berlin
    • Qualification: Over 20 years of experience, serves 1,500+ companies
    • Integration: Use of heyData platform for data protection management
  • Data Protection Impact Assessment (DPIA)

    • Systematic evaluation of new processing activities
    • Risk assessment before introducing new features
    • Documentation and monitoring of results
  • Record of Processing Activities

    • Complete documentation of all data processing according to Art. 30 GDPR
    • Regular updates and reviews
    • Categorization by processing purposes

Employee Training

  • Data Protection Awareness Programs

    • Regular training for all employees
    • Special training for IT personnel
    • Training on "Privacy by Design" and "Privacy by Default"
    • Annual refresher courses
  • Confidentiality Obligations

    • Written commitment of all employees to data secrecy
    • Clear Desk Policy
    • Logging of data access

Incident Response

  • Data Breach Management

    • Reporting process: 72-hour notification obligation to supervisory authorities under Art. 33 GDPR
    • Data subject notification: Process according to Art. 34 GDPR
    • Incident Response Team: Involvement of Data Protection Officer
    • Escalation processes: Clear responsibilities and procedures
  • Forensics and Investigation

    • Technical analysis of security incidents
    • Documentation of measures
    • Lessons Learned Process

Procedures for Regular Review (Art. 32 Para. 1 lit. d GDPR)

  • Continuous Assessment: Regular review and evaluation of effectiveness
  • Compliance Monitoring: Monitoring of compliance with all data protection regulations
  • Adaptation: Continuous improvement based on new requirements

AI-specific Data Protection Measures

Protection Against AI Training with Customer Data

  • No Use for AI Training

    • Explicit contractual assurance: No use of customer data for training own AI models
    • Strict purpose limitation: Data is used exclusively for providing agreed services
    • Monitoring of all subprocessors regarding this obligation
  • Enterprise APIs and Data Protection

    • Use of Enterprise APIs with external AI providers
    • No transfer of data to the original AI provider (e.g., to OpenAI in the case of Microsoft Azure)
    • Geographic control of data processing

Data Minimization in AI Processing

  • Privacy by Design for AI

    • Collection of only data necessary for the respective AI purpose
    • Automatic filtering of personal data where possible
    • Pseudonymization and anonymization as standard
  • Transparency in AI Processing

    • Clear information about AI models used
    • Information about geographic data processing (e.g., US notices for respective providers)
    • Choice options for users regarding different privacy levels

Data Residency and Sovereignty

  • Geographic Control

    • Preference for EU hosting (Germany, Sweden, France)
    • Clear labeling of US-based services
    • Compliance with Data Privacy Framework standards for US providers