Technical and organizational measures

from Wikipedia, the free encyclopedia


Technical and organizational measures (TOM) are the measures prescribed in Article 32 of the General Data Protection Regulation (GDPR) to ensure the security of the processing of personal data.

Scope of application

According to Art. 32 GDPR, the controller and the processor are obliged to implement suitable technical and organizational measures (TOM for short) to ensure a level of protection appropriate to the risk. The measures are to be determined taking into account the state of the art, the implementation costs and the nature, scope, context and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons. The criteria that the TOM must meet, together with some examples of corresponding measures, are set out in Art. 32 (1) GDPR.

Individual measures

The individual technical and organizational measures, in the order defined in the annex to § 9 BDSG:

TOM | Objective | Examples of a TOM
Physical access control (Zutrittskontrolle) | Prevent unauthorized persons from gaining physical access to the data processing systems. | Doorman, alarm system
System access control (Zugangskontrolle) | Prevent unauthorized persons from using data processing systems. | Password procedure, encryption
Data access control (Zugriffskontrolle) | Ensure that only authorized persons can access data and that data cannot be read, changed, copied or removed without authorization. | Logging, authorization concepts
Transfer control (Weitergabekontrolle) | Ensure that data cannot be read, copied, changed or removed without authorization during electronic transmission or transport. | Encryption, VPN
Input control (Eingabekontrolle) | Ensure that it can be checked retrospectively whether, and by whom, data has been entered, changed or removed. | Logging, log evaluation systems
Order control (Auftragskontrolle) | Ensure that data processed on behalf of a client can only be processed in accordance with the client's instructions. | Contract design for commissioned data processing (ADV), inspections
Availability control (Verfügbarkeitskontrolle) | Ensure that data is protected against accidental destruction or loss. | Data backup, firewall / virus protection
Separation requirement (Trennungsgebot) | Ensure that data collected for different purposes is processed separately. | Client (tenant) separation, separation of systems
