Technical and Organisational Measures under Article 32 GDPR
Documentation of technical and organisational measures in accordance with Article 32 GDPR
1. Anonymisation / Pseudonymisation
What measures are taken to ensure the anonymisation of personal data?
Anonymisation means the processing of personal data in such a way that the data can no longer be attributed to a data subject.
Pseudonymisation means the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information (through a potential linking identifier), provided that such additional information is stored separately and is subject to technical and organisational measures ensuring that the personal data is not attributed to an identified or identifiable natural person.
personal data is replaced with random codes that can no longer be recovered afterwards
masking of data without the possibility of restoring it to its original form
X complete deletion of data
other method:
2. Encryption
What measures are taken to ensure the encryption of personal data?
Data encryption measures transform plaintext, using an additional piece of information (the key), into ciphertext (encrypted text) that must not be decipherable by anyone who does not possess the key.
use of cryptographic tools
X data dispersion in such a way that it does not allow identification of the data subject through direct access to a specific portion
encryption of storage media
X encryption of communications
other method:
3. Ability to ensure confidentiality
What measures are taken to ensure the ongoing confidentiality of data?
Confidentiality means that personal data is protected against unauthorised disclosure.
electronic access control system
secured doors and/or windows
bars on windows and doors
security staff at the facility, gatekeeper
alarm system
video surveillance
special protection for the server room
X procedures for connecting to the database hosted in Microsoft Azure cloud based on individual password authentication, with or without two-factor authentication (the option belongs to the Beneficiary)
additional login for certain applications
X automatic client/session lockout (timeout expiry)
X permission management
X permission documentation
system encryption
X encryption of communications
X encryption of storage media/external laptops (e.g. through operating systems, BitLocker, DiskCryptor, TrueCrypt, SafeGuard Easy, WinZip)
encrypted remote connections (VPN - Virtual Private Network)
secured WLAN
X SSL encryption for internet access
other method:
4. Ability to ensure integrity
What measures are taken to ensure the ongoing integrity of data?
Integrity refers to the accuracy and completeness of data and to the correct functioning of systems. When the term integrity is used in relation to data, it means that the data is complete and unaltered.
X use of access rights
system logs
X clearly defined functional responsibilities with clear segregation
other method:
5. Ability to ensure availability
What measures are taken to ensure the ongoing availability of data?
The availability of IT systems and services, IT applications, and the related functions or information of IT networks is ensured if users are able to use them at any time in accordance with their intended purpose.
X backup procedures
X hard disk mirroring
uninterruptible power supply
X antivirus/firewall protection
X emergency plan
air conditioning
fire and flood control
alarm system
proper archiving and destruction
other method:
6. Ability to ensure resilience
What measures are taken to ensure the ongoing resilience of data?
Systems are resilient when they can withstand disruptions well enough to preserve their functionality even in the event of unforeseen access or overload.
X penetration testing
other method:
7. Recovery
What measures are taken to ensure the availability and accessibility of personal data in the event of a security incident?
X backup procedures
X uninterruptible power supply
X emergency plan
delegated arrangements
other methods:
8. Process for periodic testing
How is it ensured that data security measures are periodically tested?
X there is a predefined testing procedure
X test reports are evaluated
X implementation of improvement proposals
other method:
9. Unauthorised access to personal data
What measures are taken to prevent unauthorised persons from accessing or obtaining personal data?
X individual password-based login procedures, with the option of two-factor authentication
X additional login for certain applications
X automatic client/session lockout (timeout expiry)
X permission management
X permission documentation
system encryption
other method:
10. Training of natural persons (employees)
How do you ensure that personal data is processed strictly in accordance with the controller's instructions?
X involvement of employees in codes of conduct
X implementation of internal confidentiality rules
employee commitments regarding data secrecy
periodic employee training
training process carried out at onboarding
assignment of a contract and a project manager for the relevant orders
other method:
11. Certifications attesting the Operator's/Processor's capacity to ensure quality and security measures in the operations provided to data subjects
X ISO 9001 certification
X ISO 27001 certification
PCI DSS certification
other PCI compliance certifications
other certifications: ...
12. Auditing of the application(s) or exposed systems and cybersecurity / vulnerability assessment / compliance verification
latest pentest conducted on:
latest security audit conducted on 1 March 2025
latest GDPR audit conducted on: .......
other audit processes: .....