1. Introduction

This Annex details the Parties obligations on the protection of all personal data processed in the course of the fulfillment of the Agreement (“Data”) and all processing activities associated therewith which Company, Company’s employees or any third party, acting on behalf of the Company, carry out on behalf of the Customer (“Contract Processing” or "Processing").

 

2. Scope, Objectives and Duration

2.1 The scope and duration and the detailed stipulations on the type and purpose of Contract Processing shall be defined and governed by the Agreement. Further details about the scope of the Contract Processing are determined in Exhibit 1 to this Annex E. Details about the processing activities, the Data specifically, included (without limitation) in the Contract Processing and the data subjects concerned are defined and listed in Exhibit 1 to this Annex E.

2.2 Within the scope of the Agreement, Company may gain access to Data of Customer or other third parties. The Processor will use such Data provided only for the purposes defined under the Agreement and this Annex E.

2.3 Company shall process Data solely on behalf and based on written instructions of Customer. Customer remains “controller” of the Data as defined in Article 4 (7) of the General Data Protection Regulation (“GDPR”) and is responsible within the meaning of this statutory provision for the legitimacy of the processing of the Data.

2.4 It is the responsibility of Customer to disclose by transmission or make available as little Data as possible to Company in order to comply with the principle of data minimization and to distinguish in how far Data may be pseudonymized or anonymized before made available or disclosed to Company.

2.5 Regarding Customer´s individual instructions on processing, Customer shall be entitled to, in writing or in any other recordable format of notification set forth in the Agreement, modify, amend or replace such individual instructions by issuing such instructions to the point of contact designated by Company. For the avoidance of doubt, the scope and purposes of Contract Processing shall be defined and governed by the Agreement and shall not be extended by Controller’s instructions.

2.6 Company is entitled to generate necessary Data temporarily or duplicate the Data for technical procedures and safety reasons, as far as it does not modify or transform its contents. Company is not permitted to make unauthorized permanent copies of Data, unless stated otherwise in the Agreement. Company is further instructed to store and use the Data in pseudonymized form for the improvement of the Service on behalf of Customer.

2.7 Company and any person acting under the authority of Customer or of Company, who has access to personal data, shall not process such Data except on instructions from Customer, unless required to do so by European Union or Member State law.  In such case Company shall notify Customer of such legal requirement before processing, unless that law prohibits such notification on important grounds of public interest. To the extent that Data belonging to Customer is concerned, Company ensures that persons authorized to process such Data have committed themselves to confidentiality and secrecy or are under an appropriate statutory obligation of confidentiality.

2.8 The period of this Annex E is defined by the period of the Agreement.

 

3. Territory

3.1 The Processing and use of the Data primarily takes place in the territory of the Federal Republic of Germany, in a Member State of the European Union (“EU”) or in another contracting state to the Agreement on the European Economic Area (“EEA”).

3.2 Company may process Data outside the EU or the EEA ("Third Country") if and provided that (i) an appropriate level of data protection has been established for that Third Country on the basis of a valid decision by the European Commission, or (ii) the processing is performed in accordance with the applicable EU Standard Contractual Clauses ("SCC"), which must be agreed to between Customer and the respective third party ("Data Importer"). Unless the Data Importer and Company are identical, Company shall join those SCC. The provisions set forth in this Annex E remain unaffected.

 

4. Technical and Organizational Measures

4.1 Company has implemented and will apply the technical and organizational measures set forth in Exhibit 2. Customer has reviewed such measures and agrees that the measures are appropriate taking into account the state of the art, nature, scope, context and purposes of the Processing.

4.2 In the event that Customer has to carry out an assessment of the impact of the processing operations on the protection of personal data, including the consultation of the supervisory authority pursuant to Articles 35, 36 of the GDPR, Company shall spend best efforts to support Customer as far as technically and commercially feasible.

4.3 With regard to compliance with the Protective Measures agreed upon and their verified effectiveness, parties refer to Company’s existing ISO27001 certification issued by ‘TÜV Rheinland’ presented to and sufficient for Customer as proof of the appropriate guarantees, as documented in Exhibit 2 to this Annex E and as required in section 4.1.

4.4 The Protective Measures are subject to technological progress and development and Company reserves the right to implement alternative and adequate Protective Measures at any time without prior notice, provided that the level of security of such alternative Protective Measures shall not be less protective than the ones set forth in Exhibit 2. In such case, Company will notify Customer in order to enable Customer to evaluate the level of security resulting from such changes.

 

5. Subcontractors

5.1. Customer hereby generally consents to Company’s use of subcontractors. Company will provide Customer with a list of all subcontractors already assigned at the Effective Date of the Agreement within Exhibit 1 of this Annex E.

5.2. Company shall, prior to the replacement or change of subcontractors, inform Customer thereof in writing or any applicable recordable form of notification set forth in the Agreement. In the event that a replacement or change is needed du to urgent emergency or security reasons, Company may notify Customer after the change or replacement has been made. In any case, Customer shall be entitled to reasonably oppose to any change or replacement of subcontractors within ten (10) business days and for materially important reasons. Where Customer fails to oppose to such change within such period of time, Customer shall be deemed to have expressed its consent to such change or replacement. Where a materially important reason for such opposition exists and failing a bona fide resolution of this matter by the Parties, either Party shall be entitled to terminate the Agreement with immediate effect.

5.3. Where Company commissions subcontractors for the purpose of Contract Processing, Company shall contractually ensure that Company’s obligations on data protection resulting from the Agreement and this Annex E are valid and binding upon subcontractor.

 

6. Notification obligations

6.1. In each case where Company reasonably believes that an instruction would be in breach of applicable law, Company shall notify Customer of such breach without undue delay. Company shall be entitled to suspend the performance on such instruction until Customer confirms or modifies such instruction.

6.2. In the event that Company has a valid reason to believe that either itself, its employees or any third party acting on behalf of Company is being in breach of any of the data protection and/or data security provisions set forth in this Annex E or in any data protection statutory provisions, Company will notify Customer without undue delay. This applies only if Data belonging to Customer´s domain are affected. In cases where either Company itself or its employees or subcontractors are being in breach of the provisions set forth herein, Company shall or shall procure its subcontractors to implement the measures necessary for securing the Data and for mitigating potential negative consequences for the data subject.  Company shall coordinate such efforts with Customer without undue delay.

6.3. Where the Data becomes subject to search and seizure, an attachment order, confiscation during bankruptcy or insolvency proceedings, or similar events or measures by third parties while in Company’s control, Company shall notify Customer of such action without undue delay. Company shall further notify to all pertinent parties in such action, that any Data affected thereby is in Customer’s sole property and area of responsibility, that Data is at Customer’s sole disposition, and that Customer´s is the responsible body in the sense of the GDPR.

6.4. In the event Company becomes aware of a personal data breach Company shall notify Customer without undue delay. If Customer has to communicate a personal data breach to the data subject pursuant to Article 34 of the GDPR, Company will support Customer and provide Customer with appropriate information as far as this is technically and commercially feasible. 

 

7. Customer’s Right to Instruct and Inspection

7.1. Within the framework of the Agreement and this Annex E Customer reserves the right to issue instructions about manner, scope and processing procedures that can be concretized by giving single documented instructions. Any changes of the Data or of the procedures shall be jointly agreed upon.

7.2. If Company is not able to comply with any requests or instructions given by Customer, regardless of the reason, the processor is obliged to notify Customer immediately, who under those circumstances may postpone the Data transfer.

7.4. Where, in individual cases, audits and inspections by Customer or an independent auditor appointed by Customer are necessary, such inspections will be conducted during Company’ s normal business hours, and without interfering with Company´s operations, upon prior notice of not less than fourteen (14) calendar days. Such inspections are subject to the execution of a confidentiality agreement with provisions being at least as restrictive as the confidentiality provisions contained within the Agreement. Company shall be entitled to reject inspectors which are or act on behalf of competitors of Company. Any inspector appointed by Customer has to comply with the same confidentiality obligations as defined and applied between the Parties.

7.5. In the event the aforementioned audits or inspections shall take place more frequently than once per contract year, Company shall be entitled to requesting a remuneration for Company’s support in conducting such audits or inspections.

7.6. Where a data protection supervisory authority or another authority with statutory competence for the subject matter conducts an inspection on behalf of Customer, section 7.5. shall apply in appropriate manner.

 

8. Enquiries and claims by Data Subjects

8.1. Where a data subject asserts claims regarding its rights prescribed by the GDPR against Company  and where Company is able to correlate the data subject to Customer, based on the information provided by the data subject, Company shall refer such data subject to Customer. Company shall forward the data subject´s request to Customer. Company shall support Customer, where legally required and technically feasible. Except for cases of gross negligence and willful intent, the Company shall not be liable in cases where Customer fails to respond to the data subject´s request in total, correctly, or in timely manner.

8.2. In the event that such support leads to unreasonable efforts for Company, Customer shall remunerate any such efforts based on the man-day rate agreed to between the Parties in the Agreement or elsewhere.

8.3. Subject to the provision of section 9, in the event that a data subject asserts any claims against Customer in accordance with Article 82 of the GDPR, Company shall spend best efforts to support Customer in defending against such claims, where legally required, technically and commercially feasible. In the event that such support leads to unreasonable efforts for Company,  Customer shall remunerate any such efforts based on the man-day rate agreed to between the Parties in the Agreement or elsewhere.

 

9. Liability and Damages

9.1. In the event that a breach of any obligation set forth in this Annex E or under applicable law causes a third-party claim or leads to statutory fines or any other claims towards either Customer or Company, both are jointly liable following the principal of Art. 82 of the GDPR.

9.2. Company is solely liable towards Customer subject to the applicable liability provisions and limitations of the Agreement, for damages caused within his sphere of responsibility and only in the event that he culpably

9.2.1. did not comply with the specific statutory processing obligations set forth in the provisions of the GDPR applicable to data processors;

9.2.2. processed Customer’s Data or otherwise acted irrespective of and not in compliance with the legitimate instructions provided by Customer in regard to the Data;

9.2.3. actively infringed Customer´s legitimate instructions; or

9.2.4. is in breach of this Annex E.

9.3. In the event that Customer is liable towards the data subject, Customer may recover any damages paid to such data subject only under the provision of section 9.2.

 

10. Correction and Deletion of Data

10.1 In conformity with the instructions of Customer, Company is obliged to correct, delete or restrict the Data processed. Once a data subject refers to Company for the purpose of correction, deletion or restriction of his/her personal data and Company can uniquely assign the data subject to Customer, Company is obliged to inform Customer and pass the request to Customer immediately.

10.2 Company shall completely and irrevocably delete or destroy Data provided to him by Customer including all copies made due to technical and organizational necessities as soon as the processing of the Data has been completed or after termination of the Agreement and/or if Data storage is no longer required due to Customer´s instruction.  Insofar as Company is obliged to legal storage and retention periods, the Data shall be deleted by Company immediately by the end of such particular period. In lieu of or in addition to deletion or destruction of Data, Company and Customer can agree that Company returns all Data to Customer in a standardized and machine-readable format. In the event that Customer opts to receive the Data in such format or requires Company to apply specific deletion or erasure procedures, to hand over, sanitize or destroy any media or data carrier, the Data has been or is stored on, Company  may request remuneration for any additional efforts related to such requirements. Such remuneration shall be based on the man-day rate agreed between the parties in the Agreement or elsewhere.

 

11. Miscellaneous

11.1. In case the Parties have already signed mutual data processing agreements, these agreements shall be replaced by this Annex E.  

11.2. This Annex E is subject to law and forum of the jurisdiction and competent courts set forth in the Agreement. In the event that the Agreement does not contain a choice of law and forum provision, it shall be governed by German law and the parties hereby unconditionally submit to the exclusive jurisdiction of the Courts of Cologne, Germany.

11.3. In the event that any of these provisions of the Annex E or its amendments is or becomes ineffective the validity of the other implied provisions shall not be affected. In the event of the ineffectiveness of a provision, the Parties shall be obliged to negotiate on an effective and reasonable substitute provision with due regard to the economic purpose of the ineffective provision.

 

Exhibit 1
Scale, scope and purpose of Data Collection, Processing and Use; List of Subcontractors; Categories of Personal Data and Data subjects

 

1. Type and Scope of Data Processing

 

Name Procedure/System/Process

Name of Assigned Systems

Point of Contact

Data Categories

Purpose of Data Processing

Destructions of files and data media

external company

HR

anything you can imagine to a natural person

comply with legal or contractual obligations regarding data deletion

Firewall

Sophos

Research and Developement

IP addresses, usernames

access management referring to IUK technology and corporate network

Groupware (E-Mail-System/ electronic calendar and directory)

Open-Xchange App Suite & Dovecot

Research and Developement

name, address, email, phone number or any other information relating to an identified or identifiable natural person  

support of customers and business partners regarding their contractual obligations; shipping of goods/provision of services, customer care, application management, communication via electronic media, contacting employees, documentation of appointments, management of internal and external contact information, appointments and documents

Backups and filing

-

Research and Developement

name, address, email, phone number or any other information relating to an identified or identifiable natural person  

storage of data in case of an error, auditability

Encrypted and access-protected connection to corporate network (VPN)

Sophos

Research and Developement

IP addresses, usernames

access management referring to IUK technology and corporate network, management of authorizations

Confluence

Atlassian Confluence

Research and Developement

email (employee & customer), name (employee & customer), IP address (employee & customer)

internal storage and distribution of information; Know-How Management

Ticketing system

OTRS

Services

name (employee & customer), email address (employee & customer), IP address (employee & customer)

capture of external requests and request of internal support, logging of data regarding any failure and administration of its correction

Project management

Atlassian Jira

Research and Developement

email (employee & customer), name (employee & customer), IP address (employee & customer)

project planning, administration of tasks, steering

 

 

Email Security

Vade Secure

 

any information relating to an identified or identifiable natural person  

Transport of all incoming and outgoing emails. Filtering for Viruses, SPAM and malware

Email Transport

MTA

 

any information relating to an identified or identifiable natural person  

 

Accepting incoming emails from internet email servers and forwarding them to internal systems, or vice versa.

Email Servers

Dovecot

 

any information relating to an identified or identifiable natural person  

Accepting internal emails from incoming MTAs and storing them in the storage system.

Providing users access to the emails via POP3 or IMAP protocol

Groupware Servers

AppSuite

 

any information relating to an identified or identifiable natural person  

Providing users access to emails via webfrontend.

Providing users access to calendar, address book, tasks, stored files.

Allowing users to edit documents via webfrontend

Database Servers

MySQL

 

any information relating to an identified or identifiable natural person  

Storing user login data.

Storing all non-email data: calendars, contacts, tasks, file meta-data.

Directory Servers

OpenLDAP

 

authentication data, email addresses

 

Storing user login data and mailrouting information

 

Storage Servers

Ceph/Scality

 

any information relating to an identified or identifiable natural person  

Storing email data

Logging Servers

 

 

email addresses, IP addresses, login names

 

Monitoring and analysis

 

2. Type of Service

 

 

Outsourcing/ partial outsourcing of a business process or (customer care, sales, accounting, development, collection etc.)

x

Operating (application, system, components)

x

Support (application, system, components)

x Hosting (data, applications, systems, components)
x Maintenance (application, system, components)

 

3. Place/Location of Data Storage

 

3.1 The Location of Data Storage is the German Federal Republic in case the Parties agreed upon the provision of Services by the Open-Xchange GmbH, Olper Hütte 5f, 57462 Olpe, Germany in the Order Form.

3.2 The Location of Data Storage is the USA in case the Parties agreed upon the provision of Services by theOpen-Xchange, Inc, 530 Lytton Avenue, 2nd Floor, Palo Alto, CA94301, USA in the Order Form.

 

4. Place/Location of Data Access

 

X

German Federal Republic

X

USA

X

Other Country within EU or EEA: Finland, France, Spain, Italy

X Third Country: Japan

 

5. Subcontractors

 

5.1 List of Subcontractors

Name

Address

Role

audriga GmbH

Spitalstrasse 23A, 76227 Karlsruhe, Germany

Migration Services

MicroDoc Computersysteme GmbH

Elektrastrasse 6A, München, Germany

OX Software Development & Support

M-Way Solutions GmbH

Stresemannstraße 79, Stuttgart, Germany

OX Software Development & Support

tarent solutions GmbH

Rochusstrasse 2-4

53123 Bonn, Germany

Professional Services & Software Development

VADE SECURE SAS

3 Avenue Antoine Pinay, 59510 HEM

Anti-Spam/Anti-Virus

X-ION GmbH

Sonnenau 19, Hamburg, Germany

IaaS platform

Scality

11 rue Tronchet, 75008 Paris, France

Storage platform

Rackspace 1 Fanatical Pl, San Antonio, TX 78218, USA IaaS platform

Open-Xchange S.r.l. (OX Group)

Via Treviso 12, 10144 Torino, Italy,

Support and Professional Services

Open-Xchange SAS (OX Group)

33 Rue La Fayette, 75009 Paris, France

Support and Professional Services

Open-Xchange S.L. (OX Group)

Camino del Cerro de los Gamos 1 Edificio 1, 28224 Pozuelo de Alarcon, Madrid, Spain

Support and Professional Services

Open-Xchange AG (OX Group)

Hohenzollernring 72, 50672 Cologne, Germany

Parent Company

Open-Xchange Oy (OX Group)

Lars Sonckin Kaari 16, Espoo, Finland

Mail Server

OX Dovecot K.K. (OX Group)

4F Hamacho Koen Building, 2-60-10 Nihonbashihamacho Chyuo-ku

103-0007 Tokyo

Support and Professional Services

 

5.1 Additional Subcontractors

5.1.1 In case the Parties agreed upon the provision of Services by the Open-Xchange GmbH (OX Group), Olper Hütte 5f, 57462 Olpe, Germany in the Order Form, the Open-Xchange, Inc, 530 Lytton Avenue, 2nd Floor, Palo Alto, CA94301, USA is used as a further Subcontractor for Support and Professional Services.

5.1.2 In case the Parties agreed upon the provision of Services by the Open-Xchange, Inc. (OX Group), 530 Lytton Avenue, 2nd Floor, Palo Alto, CA94301, USA in the Order Form, the Open-Xchange GmbH, Olper Hütte 5f, 57462 Olpe, Germany is used as further Subcontractor for Support and Professional Services.

 

6. Categories of Data Subjects

 

X

Customers (resp. their persons in charge)

 

Potential Customers, Prospects

 

Suppliers (resp. their persons in charge)

X End Users; End Customers

 

7. Category of Data

 

X

Master Data – means data required to establish, accomplish or - if necessary – terminate a contractual relationship, (e.g.: name, customer ID, contract numbers, information regarding products, tariffs, invoices etc.)

X

Contact Information – e.g. postal address, email-address, phone number, messenger Ids etc.

X

Banking Information – e.g. account number, IBAN/BIC, credit card information etc.

X

Communication Information – e.g.  email content, messenger content etc.

X

Geodata – e.g. from network communication, GPS, IP-Locating, etc.

 

Others (Please specify):

X Traffic Data (excl. Geodata) – means information necessarily incurred while initiation, maintenance or transaction of a communication process such as IP-address, device identifier, log-files etc.
X Device Data (excl. Geodata) – means e.g.  information read by mobile Apps; log-files; system status; user settings, browser information etc.
X User Data – means information regarding type, extent, duration or date of usage
X User Generated Content – means content such as documents, pictures, soundfiles, email text content etc. made by data subjects on purpose
X User-Account-Information – e.g: username, password, private settings etc.
 
8. Special Categories of Data

 

X

Data revealing Racial or Ethnic Origin

X

Data revealing Religious or Philosophical Beliefs

X

Genetic Data

X

Data concerning Health

X Data revealing Political Opinions
X

Data revealing Trade Union Membership

X

Biometric Data

X

Data concerning Sex Life and Sexual Orientation

 

*OX does not actively process these data categories. These data categories are provided solely by the end users themselves within their emails or other applications within the Service. All emails are encrypted at rest.

 

9. Data Protection Officers

 

Title: Mrs

First Name: Juliane

Last Name: Rychlik

Address: Fuhlsbüttler Straße 389; 22309 Hamburg/ Germany

 

 

Exhibit 2
Technical and Organizational Measures

 

1.

Corporate measures of access and data media control, which prevent unauthorized persons from getting physical access to the information systems, the data processing device and the confidential files and data media

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

                        

Implemented mechanisms:

  • key management / documentation of key distribution
  • door protection (electronic door-opener; biometric access control)
  • special server room protection
  • restricted areas

 

International standards

  • ISO/IEC 27001:2013 certified, determined in No. 9.1 (Secure areas), 9.2 (Equipment security)

 

2.

Corporate security measures concerning user control, which prevent data processing systems from being used without authorization

 

 

Implemented mechanisms:

  • personal and individual user-log-in to the system resp. network
  • keyword policies (description of keyword parameter concerning complexity and interval of updating)
  • additional system-log-in for certain applications
  • automatic blocking of clients after a certain time lapse without user activity (password protected screen saver or automatic log-off)

 

International standards

  • ISO/IEC 27001:2013 certified, determined in No. 11 (Access controls), 11.4 (Network access control) and 11.5 (Operating system access control); 12.3 (Cryptographic controls)

 

 

3.

Corporate measures of access control, which ensure that users entitled to use a data processing system can only access data to which they have a corresponding right of access

 

 

Implemented mechanisms:

  • administration of access and/or authorization rights as well as of system roles
  • groups
  • documentation of access rights
  • authorization routine
  • logging
  • regularly reviewing / auditing
  • encryption of notebooks, PCs and external hard drives
  • keyword identification for shell access

 

International standards

  • ISO/IEC 27001:2013 certified, determined in No. 11 (Access controls); 10.1.3 (Segregation of duties); 8 (Human resources), 10.10 (Monitoring)

 

4.

Corporate security measures taken concerning transmission and storage control, to ensure that personal data cannot be read, copied, modified or removed without authorisation during electronic transmission or transport

 

 

Implemented mechanisms:

  • encryption of end user emails
  • encryption of notebooks, PCs and external hard drives
  • tunneled remote access (VPN)
  • logging
  • secured WLAN with WPA-enterprise
  • SSL-encryption for web-access
  • rules of destruction of data carriers

 

International standards

  • ISO/IEC 27001:2013 certified, determined in No. 12.3 (Cryptographic Controls); 9.2.7 (Removal of property); 10.8 (Exchange of information)

 

 

5.

Corporate measures of input controlthat ensure to determine who has entered, modified or removed data from relevant systems

 

 

 

Implemented mechanisms:

  • access rights
  • logging within the system
  • security and/or logging software
  • “group based” and/or “function-related responsibilities”

 

International standards

  • ISO/IEC 27001:2013 certified, determined in No. 12.2 (Correct processing in applications); 10.10 (Monitoring)

 

6.

Corporate measures guaranteeing that controller’s personal data are processed just on behalf of the Controller and just within the Controller’s instructions (commission control)

 

 

 

Implemented mechanisms:

  • regular training of employees with access rights
  • regular refresher courses
  • separate commitment of relevant employees on data protection compliance
  • regular data protection audits
  • determination of contact persons and responsibilities

 

International standards

  • ISO/IEC 27001:2013 certified, determined in No. 12.5 (Security in development and support processes); 10.2 (Third party service delivery management); 6.2.3 (Addressing security in third party agreements)

 

7.

General corporate security measures concerning availability control and reliability against accidental loss or destruction of electronic data, files and data media

 

 

Implemented mechanisms:

  • back-up procedures
  • mirroring of servers and/or hard drives
  • uninterruptible electric power supply
  • storage procedures for back-ups (save deposit at a bank)
  • antivirus protection / firewall
  • emergency plans
  • air conditioning of server room

 

International standards:

  • ISO/IEC 27001:2013 certified, determined in No. 10.5 (Information backup); 14 (Business continuity management)

 

 

8.

Measures in the Processor’s systems which guarantee that data can be processed separately for separate purposes so that there is no unnecessary access to data which are stored for other purposes (separation control)

 

Implemented mechanisms:

  • separated systems
  • separated databases
  • access authorization
  • separation by access rights

 

International standards:

  • ISO/IEC 27001:2013 certified, determined in No. 11 (Access controls); 10.1.3 (Segregation of duties); 10.10 (Monitoring)

 

 

9.

Corporate measures of recoverability guaranteeing that deployed relevant systems can be restored in case of failure

 

 

 

Implemented mechanisms:

  • back-up procedures
  • mirroring of servers and/or hard drives
  • storage procedures for back-ups (save deposit at a bank)
  • emergency plans



International standards:

  • ISO/IEC 27001:2013 certified, determined in No. 10.5 (Information backup); 14 (Business continuity management)

 

 

10.

Corporate measures of data integrityto prevent stored personal data from damages caused by malfunctions of relevant systems

 

Implemented mechanisms:

  • access authorization
  • separation by access rights
  • separation by test and production environments

 

International standards:

  • ISO/IEC 27001:2013 certified, determined in No. 11 (Access controls); 10.1.3 (Segregation of duties); 10.10 (Monitoring)

 

 

11.

Corporate measures of transport control, which ensure that the privacy and integrity of data is protected when transmitting personal data when transporting data media

Implemented mechanisms:

  • encryption of end user emails
  • encryption of notebooks, PCs and external hard drives
  • tunneled remote access (VPN)
  • logging
  • secured WLAN with WPA-enterprise
  • SSL-encryption for web-access

 

International standards:

  • ISO/IEC 27001:2013 certified, determined in No. 12.3 (Cryptographic Controls); 9.2.7 (Removal of property); 10.8 (Exchange of information)

 

12.

Corporate measures to ensure encryption and pseudonymizationof data in order to ensure the integrity of personal data, as far as technically feasible.

Implemented mechanisms:

  • encryption of end user emails
  • encryption of notebooks, PCs and external hard drives
  • SSL-encryption for web-access
  • Adherence to the privacy policy that regulates storage and encryption
  • partial encryption of the storage

 

International standards:

  • ISO/IEC 27001:2013 certified, determined in No. 12.3 (Cryptographic Controls); 9.2.7 (Removal of property); 10.8 (Exchange of information)