Technical and organisational measures (TOM)

Introduction

Ausfüllhinweis (optional)

In this annex, within the meaning of Art. 40 (8) (d) DSA, it must be described that and which "appropriate technical and organisational measures" have been taken to protect the pbD in relation to the risks of the research project.

If the research project is carried out within a research organisation, the research organisation should already have documentation of the TOM for its infrastructure. In such cases, it is possible to attach the research institution's TOM documentation to the application for data access and to document in this annex only the measures that have been taken additionally for the specific research project. Similarly, the contents of the research organisation's TOM documentation can be included in this appendix and used as a basis for creating separate comprehensive documentation for the specific research project. If the research organisation has not documented its TOMs (centrally), or if the researchers are carrying out their project in an infrastructure operated on their own responsibility (for which there are no TOMs to date), this appendix must in any case contain complete documentation of all TOMs.

There are no legal requirements as to how and in what detail the TOMs are to be presented. The following presentation is therefore a suggestion in terms of structure and depth, which can also be designed differently (a very detailed sample is available, for example, from the Bavarian supervisory authority, https://www.lda.bayern.de/media/checkliste/baylda_checkliste_tom.pdf).

The examples listed in the next step are measures that are typically taken in research operations. The examples are not to be understood as exhaustive, complete or universally applicable (some are alternatives) – they serve as guidance and must all be checked to see whether they are relevant to the specific research project. All examples that are not applicable should be deleted or amended as appropriate, and any missing information should be added.

With regard to the wording of Art. 40 (8) (d) DSA, the focus of the measures to be taken is on data confidentiality and security ("are able to comply with the specific data security and confidentiality requirements associated with each request and to protect personal data"). From the perspective of the data subjects , the other risk scenarios (data not available, incorrect, etc.) are generally only relevant insofar as the measures also concern the disclosure/transfer of their data. Beyond that, it is of little significance to the data subjects if their data is not available for research purposes. For the researchers involved, however, the availability and integrity of the data are the very basis of their work. Not least in their own interest, they should therefore ensure that strong security measures are also taken under 2. and 3.

Annex number

Name of the responsible body and the research project

1. Measures to ensure the confidentiality of data

Spatial access control

Technical/physical security measures (optional)

The rooms [relevant to research] at the research organisation have (optional)

an alarm system

an automatic access control system

chip cards/transponder systems

a manual locking system

security locks

A locking system with code lock

Securing building shafts

Doors with knobs on the outside

Video surveillance of entrances (in compliance with data protection requirements)

Measures (optional)

Individual offices are only accessible to authorised persons.

Individual office doors are locked when unoccupied.

The research organisation's servers are housed (optional)

in the data centre of [see below]

in specially secured rooms (see 2. for details)

in an employee office at the research facility

Name of the data centre (optional)

Additional measures (optional)

Measure	Actions
Measure

Organisational security measures (optional)

Measures (optional)

There is an overall concept for building security in general (fire protection, access restriction and control, etc.).

Office keys or keys for server rooms and other rooms with relevant IT infrastructure are issued in accordance with the research organisation's guidelines and are documented in a traceable manner

There are written instructions on how to handle keys that have been issued to employees.

The rooms of the research organisation [relevant to research] can only be accessed after registering at a reception/gatekeeper and can only be entered with employee/visitor ID cards.

There are written instructions for dealing with visitors (outsiders are accompanied/access by outsiders is documented in a traceable manner).

There are written instructions on how to deal with external service providers (security personnel, tradespeople, cleaning services), such as confidentiality agreements, personal accompaniment in security zones, logging of attendance, etc.

Additional measures (optional)

Measure	Actions
Measure

Access control to data processing systems

Technical/physical security measures (optional)

Additional measures (optional)

Measure	Actions
Measure

Organisational security measures (optional)

Workplace management: (optional)

Written instructions exist for secure password creation, data protection and data security, clean desk policy, mobile device policy.

Confidential documents are stored in locked cabinets.

Guidelines exist for printing, storing, destroying and transmitting paper documents

Members of the research organisation who work from home are instructed in the secure use of home office solutions (including regulations in the event of loss of a mobile device)

Outsourcing to third parties: (optional)

Prior review of the security measures taken by the contractor and their documentation

Conclusion of an agreement on order processing in accordance with the requirements of Art. 28 GDPR, including ensuring the destruction of data after completion of the order

If necessary: conclusion of EU standard contractual clauses

In the case of longer-term cooperation: Ongoing review of the contractor and its level of protection

Additional Measures (optional)

Measure	Actions
Measure

2. Measures to ensure the availability of data

IT infrastructure

Technical/physical security measures (optional)

• Measures have been taken for server rooms and other rooms of the research organisation with relevant IT infrastructure (cables, hazard warning systems, etc.) (optional)

for fire protection (smoke/fire detectors, fire extinguishers/automatic extinguishing systems, etc.)

for monitoring temperature and humidity

for adequate air conditioning

for uninterruptible power supply (UPS)

for centralised alarms in the event of limit values being exceeded or operational equipment failure (control room)

against natural hazards (e.g. flooding, heavy rain in server rooms in the basement)

for alarm notification in the event of unauthorised access

for video surveillance

Server rooms and other rooms of the research organisation with relevant IT infrastructure (cables, hazard warning systems, etc.) have (optional)

secure locking systems

Fire-retardant cabinets/safes for storing essential components (e.g. backup tapes)

Sturdy, burglar-resistant windows and doors on the ground floor

No windows that can be opened

Measures (optional)

There are no sanitary connections in or above the server room

Additional Measures (optional)

Measure	Actions
Measure

Organisational security measures (optional)

Measures (optional)

The roles and responsibilities in the area of security are known and filled within the research organisation (including information security officer, IT manager, data protection officer)

Keys to server rooms and other rooms with relevant IT infrastructure (cables, hazard warning systems, etc.) are issued in accordance with the guidelines of the research organisation and are documented in a traceable manner.

Buildings and infrastructure are regularly inspected and maintained.

There is security certification in accordance with ISO 27001, BSI IT-Grundschutz or ISIS12.

The effectiveness of the technical protective measures is checked at least once a year (including pentests).

Security incidents and data breaches are documented

Additional Measures (optional)

Measure	Actions
Measure

Server

Technical/physical security measures (optional)

Measures (optional)

Use of backup and synchronisation mechanisms

Backups are made on two different backup media, one of which is located at an external site.

Additional Measures (optional)

Measure	Actions
Measure

Organisational security measures (optional)

Measures (optional)

A backup and recovery concept is in place

Backup and recovery are regularly tested/practised and the results are logged

An emergency plan exists (e.g. BSI IT-Grundschutz 100-4)

Additional Measures (optional)

Measure	Actions
Measure

3. Measures to ensure integrity and accuracy

Access control

Technical/physical security measures (optional)

Electronic transmission: (optional)

Transmission exclusively via encrypted connections (transport encryption such as SSL/TLS, VPN, SSH, SFTP)

Use of IDS (intrusion detection system) and IPS (intrusion prevention system)

Checking incoming emails using anti-malware protection

Blocking of dangerous email attachments

Transmission exclusively via encrypted and authenticated connections (e.g. via electronic certificates)

Encryption of data before transmission

Use of state-of-the-art encryption mechanisms

Technical logging of transmission (accesses/retrievals)

Physical transport: (optional)

Encryption of relevant data

Encryption of the entire data carrier

Use of state-of-the-art encryption mechanisms

Disposal, deletion (optional)

Disposal in accordance with information security requirements

DIN 66399 applies to external service providers

Additional Measures (optional)

Measure	Actions
Measure

Organisational security measures (optional)

Measures (optional)

Measure	Actions
Measure

Input control

Technical/physical security measures (optional)

Measures (optional)

Technical logging of data entry, modification and deletion at system level is ensured

Logging of data entry, modification and deletion at user level is ensured (logging of relevant user interaction)

Use of version control or document management systems

Regular manual or automated checking of logs

Only persons authorised for administration have access to the collected log data

Audit-proof storage of log data (e.g. on a separate logging server)

Additional Measures (optional)

Measure	Actions
Measure

Organisational security measures (optional)

Measures (optional)

Overview of which programmes can be used to enter, modify or delete which data

Traceability of data entry, modification and deletion by individual user names (not user groups)

Additional Measures (optional)

Measure	Actions
Measure

Summary

Your name

Your email address

To this email address the final document will be sent.

Your organisation