Security Concept

Technical measures
  • Manual locking system
  • Electronic access control system with record keeping
  • Security locks
  • Doors with security knob outside

Organizational measures
  • Key regulation / list
  • Visitors accompanied by employee
  • Visitor registration and badge

Measures to prevent data processing systems (computers) from being used by unauthorized persons.

Technical measures
  • Login with user name + password
  • Login with biometric data
  • Anti-virus software on servers
  • Anti-virus software on clients
  • Firewall
  • Encryption of data carriers
  • Encryption of smartphones
  • Automatic desktop lock
  • Encryption of notebooks / tablets

Organizational measures
  • Management of user permissions
  • Creation of user profiles
  • Secure password policy
  • Deletion / destruction policy
  • General privacy and/or security policy
  • Mobile device policy
  • Manual desktop lock

Measures to ensure that persons authorized to use a data processing system can access only the data covered by their access authorization, and that personal data cannot be read, copied, changed or deleted without authorization during processing, during use and after storage.

Technical measures
  • Physical deletion of data carriers
  • Logging of accesses to applications, specifically when entering, changing and deleting data
  • Encryption of data carriers
  • Encryption of smartphones

Organizational measures
  • Use of authorization concepts
  • Minimum number of administrators
  • Administration of user rights by administrators

Measures to ensure that data collected for different purposes can be processed separately. This can be ensured, for example, by logical and physical separation of the data.

Technical measures
  • Separation of productive and test environment
  • Physical separation (systems / databases / data carriers)
  • Multi-client capability of relevant applications

Organizational measures
  • Control through authorization concept
  • Definition of database rights

The processing of personal data in such a way that the data can no longer be assigned to a specific data subject without the need for additional information, provided that such additional information is kept separate and is subject to appropriate technical and organizational measures.

Technical measures
  • In case of pseudonymisation: separation of the assignment data and storage in a separate, secured system (possibly encrypted)

Organizational measures
  • Internal instruction to anonymise / pseudonymise personal data in case of disclosure, or even after expiry of the statutory deletion period
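The following is an added example, not code from the original concept document or from tesa, showing the separation that the technical measure above describes: processing records carry only a random pseudonym, the assignment data (pseudonym to identity) lives in a separate store, and destroying an assignment entry is what turns the remaining records into anonymous data after the deletion period. The names `AssignmentStore`, `pseudonymise`, `reidentify` and the sample records are constructed for this example; the assignment store is an in-memory dict here, standing in for the separate, access-restricted and encrypted system the measure calls for.

```python
"""Pseudonymisation with separated assignment data (added example)."""
import secrets
from dataclasses import dataclass, field


@dataclass
class AssignmentStore:
    """Separate store holding pseudonym <-> identity links.

    Assumption of this example: in a real deployment this lives on a
    different system with its own access control and encryption at rest.
    """
    _by_pseudonym: dict = field(default_factory=dict)
    _by_identity: dict = field(default_factory=dict)

    def pseudonym_for(self, identity: str) -> str:
        """Return the existing pseudonym for an identity, or mint a new one."""
        if identity not in self._by_identity:
            # 128-bit random token: not derived from the identity, so the
            # processing data alone gives no way back to the person.
            token = secrets.token_hex(16)
            self._by_identity[identity] = token
            self._by_pseudonym[token] = identity
        return self._by_identity[identity]

    def resolve(self, pseudonym: str):
        """Re-identification is only possible through this store."""
        return self._by_pseudonym.get(pseudonym)

    def forget(self, identity: str) -> None:
        """Destroy the link; records keyed by the pseudonym become anonymous."""
        token = self._by_identity.pop(identity, None)
        if token is not None:
            del self._by_pseudonym[token]


# Fields that directly identify the data subject (constructed for the example).
IDENTIFYING_FIELDS = ("name", "email")


def pseudonymise(record: dict, store: AssignmentStore) -> dict:
    """Return a copy of the record with direct identifiers replaced by a pseudonym."""
    identity = record["email"].strip().lower()  # key the assignment is kept under
    out = {k: v for k, v in record.items() if k not in IDENTIFYING_FIELDS}
    out["subject_id"] = store.pseudonym_for(identity)
    return out


def reidentify(record: dict, store: AssignmentStore):
    """Look up the identity behind a pseudonymised record; None if unlinked."""
    return store.resolve(record["subject_id"])


# Constructed sample input; not real persons.
SAMPLE = [
    {"name": "Alice Example", "email": "alice@example.org", "order": 1, "amount": 19.90},
    {"name": "Alice Example", "email": "Alice@Example.org", "order": 2, "amount": 5.00},
    {"name": "Bob Example", "email": "bob@example.org", "order": 3, "amount": 42.00},
]


def demo():
    store = AssignmentStore()
    processed = [pseudonymise(r, store) for r in SAMPLE]
    # Same subject -> same pseudonym, so records stay linkable for analysis.
    same_subject = processed[0]["subject_id"] == processed[1]["subject_id"]
    # The processing data set carries no direct identifier at all.
    no_identifiers = all(f not in r for r in processed for f in IDENTIFYING_FIELDS)
    identity = reidentify(processed[2], store)
    # After the deletion period: drop the assignment, keep the anonymous records.
    store.forget("alice@example.org")
    anonymous_now = reidentify(processed[0], store) is None
    return processed, same_subject, no_identifiers, identity, anonymous_now


if __name__ == "__main__":
    print(demo())
```

Keeping the assignment store as a distinct object with a narrow interface (`pseudonym_for`, `resolve`, `forget`) is the point: the processing system only ever needs `pseudonym_for`, so `resolve` can be restricted to the few roles that may re-identify.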

Integrity (Art. 32 para. 1 lit. b GDPR)

Measures to ensure that personal data cannot be read, copied, altered or removed without authorization during electronic transmission or during transport or storage on data carriers, and that it is possible to verify and determine to which places personal data is intended to be transferred by data transmission facilities.

Technical measures
  • Use of VPN
  • Logging of accesses and calls
  • Safe transport containers
  • Provision through encrypted connections such as SFTP, HTTPS

Organizational measures
  • Care in selecting transport personnel and vehicles

Measures to ensure that it is possible to retrospectively verify and determine whether and by whom data has been entered, modified or removed in the data processing systems.

Technical measures
  • Technical protocol for the entry, modification and deletion of data
  • Manual or automated control of the protocols

Organizational measures
  • Overview of which programs can be used to enter, change or delete which data
  • Traceability of input, modification and deletion of data by individual user names (not user groups)
  • Granting of rights to enter, modify and delete data on the basis of an authorization concept
  • Storage of forms from which data has been taken over in automated processes
  • Clear responsibilities for deletions
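As an added example (not code from the original document or from tesa), the following shows a minimal "technical protocol" for entry, modification and deletion together with an automated control of that protocol. Every entry names an individual user, and the store refuses group accounts, matching the traceability requirement above. Beyond what the list prescribes, the entries are hash-chained so the control routine can detect a removed or rewritten protocol line; that chaining, the `group:` naming convention and all sample data are assumptions of this example.

```python
"""Audit protocol for entry, modification and deletion of data (added example)."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # previous-hash value of the first protocol entry


class AuditedStore:
    """Key/value store whose every change is recorded in a hash-chained protocol."""

    def __init__(self):
        self.records = {}
        self.audit = []            # the technical protocol, append-only
        self._prev_hash = GENESIS

    def _log(self, user, action, key, before, after):
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user,          # individual user name, never a group
            "action": action,      # create | update | delete
            "key": key,
            "before": before,
            "after": after,
            "prev": self._prev_hash,
        }
        payload = json.dumps(entry, sort_keys=True).encode()
        entry["hash"] = hashlib.sha256(payload).hexdigest()
        self._prev_hash = entry["hash"]
        self.audit.append(entry)

    @staticmethod
    def _check_user(user):
        # Assumed convention: group accounts are named "group:<name>" and
        # may not perform changes, so that every change is traceable to a person.
        if not user or user.startswith("group:"):
            raise ValueError("protocol requires an individual user name")

    def create(self, user, key, value):
        self._check_user(user)
        if key in self.records:
            raise KeyError(key)
        self.records[key] = value
        self._log(user, "create", key, None, value)

    def update(self, user, key, value):
        self._check_user(user)
        before = self.records[key]
        self.records[key] = value
        self._log(user, "update", key, before, value)

    def delete(self, user, key):
        self._check_user(user)
        before = self.records.pop(key)
        self._log(user, "delete", key, before, None)

    def history(self, key):
        """Who did what to this record, in order: the traceability question."""
        return [(e["user"], e["action"]) for e in self.audit if e["key"] == key]


def verify_chain(audit):
    """Automated control of the protocol: recompute every hash and every link."""
    prev = GENESIS
    for e in audit:
        body = {k: v for k, v in e.items() if k != "hash"}
        if body["prev"] != prev:
            return False
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if digest != e["hash"]:
            return False
        prev = e["hash"]
    return True


def demo():
    # Constructed sample activity, not real users or customers.
    s = AuditedStore()
    s.create("alice", "customer/42", {"city": "Hamburg"})
    s.update("bob", "customer/42", {"city": "Berlin"})
    s.delete("carol", "customer/42")
    intact = verify_chain(s.audit)
    # Simulated manipulation: the user on the update entry is rewritten afterwards.
    tampered = json.loads(json.dumps(s.audit))
    tampered[1]["user"] = "mallory"
    return s.history("customer/42"), intact, verify_chain(tampered)


if __name__ == "__main__":
    print(demo())
```

The `before`/`after` fields keep the protocol useful for the "whether" half of the requirement (what exactly changed), while `history()` answers the "by whom" half per record rather than per user group.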

Availability and resilience (Art. 32 para. 1 lit. b GDPR)

Measures to ensure that personal data is protected against accidental destruction or loss.

Technical measures

Organizational measures
  • Backup & recovery concept
  • Control of the backup process
  • Keep the backup media in a secure location outside the server room

Procedure for regular review and evaluation (Art. 32 para. 1 lit. d GDPR, Art. 25 para. 1 GDPR)

Technical measures

Organizational measures
  • Employees trained and committed to confidentiality / data secrecy
  • Regular sensitization of employees, at least annually
  • The organization complies with the information obligations under Art. 13 and 14 GDPR

Data privacy-friendly default settings (Art. 25 para. 2 GDPR)

Technical measures
  • No more personal data is collected than is necessary for the purpose
  • Simple exercise of the right of withdrawal by the data subject, supported by technical measures

Organizational measures

tesa 360 – System Architecture

[Security Concept graph: System Architecture]
  • Redundant web and database servers
  • Firewalls & secure SSL connection
  • Load balancing, backup & access restriction
  • Only encrypted ID codes are stored; decryption is impossible
  • Intrusion prevention & detection system, backup power units
  • 24/7 monitoring & uptime/function control
  • Fast & reliable high-speed internet hub
  • Certified high security: ISO 27001 certification for data & IT security