Technical & Organisational Measures
- Introduction
Organizations that collect, process or use personal data themselves or on behalf of others must take the technical and organizational measures necessary to ensure compliance with the provisions of the data protection laws (Art. 32 GDPR). The measures must be suitable to adequately protect the personal data according to their nature and category. The measures are only necessary if their effort is in a reasonable relation to the intended protection purpose.
In order to meet the requirements for data processing security, the controller, Infortrend Technology Inc., 8F, 102, Section 3, Jhongshan Road, Jhonghe District, New Taipei City, Taiwan, R.O.C., e-mail: privacy@infortrend.com, takes the following measures:
- Confidentiality
- 2.1 Physical access control
The following implemented measures prevent unauthorized persons from gaining access to the data processing facilities:
- Carefully selected security service
- Video surveillance of the entrance areas of the building and the data center
- Personal control at the gatekeeper or reception
- Keeping of a visitor book with visitor log
- Visitors only accompanied by employees
- Access control system
- Entry and exit registration system for Securing sensitive areas (e.g. server room)
- Work remotely: instruct employees, if possible, to work in study separate from living quarters
- Internal “data protection policy” that all employees agreed to and apply accordingly
- Careful selection of external service providers, e.g. cleaning staff.
Obligation to comply with data protection and confidentiality.
- 2.2 Data access control
The following implemented measures prevent unauthorized persons from accessing the data processing systems:
- Authentication with user and password
- Use of anti-virus software
- Firewall deployment
- Data transmission via secure data transfer protocols
- User Permissions Management
- General corporate policy on data protection or security
- Corporate policy for secure passwords
- Internal regulation of “Delete/Destroy”
- General instruction to manually lock desktop when leaving workstation
- 2.3 Data usage control
The following implemented measures ensure that unauthorized persons do not have access to personal data:
- Authorization and administration concept in place, minimum number of administrators
- Concept for requesting and approving authorizations
- User roles / group concept
- Administration of user rights by administrators
- Document shredder and secure storage of documents provided for destruction
- 2.4 Separation control
The following measures ensure that personal data collected for different purposes are processed separately:
- Separation of productive and test system
- Logical client separation (on the software side)
- Creation of an authorization concept
- Setting database rights
- 2.1 Physical access control
- Integrity
- 3.1 Transfer control
It is ensured that personal data cannot be read, copied, changed or removed without authorization during transfer or storage on data carriers and that it is possible to check which persons or bodies have received personal data. The following measures are implemented to ensure this:
- Logging of accesses and retrievals
- Provision of data via encrypted connections such as SFTP or HTTPS
- 3.2 Input control
The following measures ensure that it is possible to check who has processed personal data in data processing systems and at what time:
- Logging of the entry, modification and deletion of data
- Traceability of data entry, modification and deletion through individual user names (not user groups)
- Assignment of rights to enter, change and delete data on the basis of an authorization concept
- Clear responsibilities for deletions
- Instruction to employees to delete data only after consultation
- 3.1 Transfer control
- Availability and resilience
The following measures ensure that personal data is protected against accidental destruction or loss and is always available to the client:
- Fire and smoke detection systems
- Air conditioning and monitoring of the server room (temperature and humidity); CO2 fire extinguishers
- Protective socket strips in the server room
- RAID storage
- Backup and recovery concept (formulated)
- Control of the backup process
- Regular tests for data recovery and logging of results
- Storage of backup media in a safe place outside the server room
- Regular annual backups, additional backups and tested backups
- Tested emergency concept
- Virus scanner and “NGFW” (Next Generation Firewall)
- Regular software updates
- Storage of backups in suitable data vaults
- Procedures for regular review, assessment and evaluation
- 5.1 Data protection management
The following measures are intended to ensure that an organization that meets the basic requirements of data protection law is in place:
- Obligation of employees to data secrecy
- Regular training of employees in information security
- Keeping an overview of processing activities
- Data protection-friendly default settings
- - In principle, only data that is appropriate and necessary for business purposes is collected and processed. Procedures for automated data collection and processing are designed in such a way that only the necessary data is collected.
- - No more personal data is collected than is necessary for the respective purpose.
- - Simple exercise of the data subject's right of revocation through technical measures.
- 5.2 Incident response management
An organizational and technical process for dealing with security incidents is defined and implemented. This also ensures a uniform response and proceduralized handling of detected and suspected security incidents/malfunctions. This also includes uniform follow-up and monitoring as part of a continuous improvement process.
- Data breach notification process
- Assess severity, scope and expected resolution and notify Head of MIS
- Incident handling
- Involvement of the data protection officer in security incidents and data breaches, and review improvement measures
- 5.1 Data protection management