Security of processing
(a) The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter ‘personal data breach’). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.
(b) The data importer shall grant access to the personal data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
(c) In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify the data exporter without undue delay after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. Where, and in s...
Security of processing
1. Article 32 GDPR stipulates that, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the data controller and data processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. The data controller shall evaluate the risks to the rights and freedoms of natural persons inherent in the processing and implement measures to mitigate those risks. Depending on their relevance, the measures may include the following:
a. Pseudonymisation and encryption of personal data;
b. the ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services;
c. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
d. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
2. According to Article 32 GDPR, the data processor shall also – independently from the data controller – evaluate the risks to the rights and freedoms of natural persons inherent in the processing and implement measures to mitigate those risks. To this effect, the data controller shall provide the data processor with all information necessary to identify and evaluate such risks.
3. Furthermore, the data processor shall assist the data controller in ensuring compliance with the data controller’s obligations pursuant to Articles 32 GDPR, by inter alia providing the data controller with information concerning the technical and organisational measures already implemented by the data processor pursuant to Article 32 GDPR along with all other information necessary for the data controller to comply with the data controller’s obligation under Article 32 GDPR. If subsequently – in the assessment of the data controller – mitigation of the identified risks require further measures to be implemented by the data processor, than those already implemented by the data processor pursuant to Article 32 GDPR, the data controller shall specify these additional measures to be implemented in Appendix C.
Security of processing
(a) The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter “personal data breach”). In assessing the appropriate level of security, they shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subject. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter or the controller. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.
The data importer and, during transmission, the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, in particular to protect them against a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to those data (hereinafter “personal data breach”). In assessing the appropriate level of security, they shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of the processing and the risks inherent in the processing for the data subject. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of the processing can be achieved in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the contr...
Security of processing
a) The processor shall at least implement the technical and organisational measures specified in Annex III to ensure the security of the personal data. This includes protecting the data against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to the data (personal data breach). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of processing and the risks involved for the data subjects.
b) The processor shall grant access to the personal data undergoing processing to members of its personnel only to the extent strictly necessary for implementing, managing and monitoring of the contract. The processor shall ensure that persons authorised to process the personal data received have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Security of processing
The level of security shall take into account that the processing may involve confidential and special categories of personal data (ref. Article 9 GDPR), depending on the scope of the assignment. Confidential information may be social security number, salary, bank account numbers, etc. Special categories may include trade union membership and health information (sick leaves, etc.). The data processor shall hereafter be entitled and under obligation to make decisions about the technical and organisational security measures that are to be applied to create the necessary level of data security. The data processor shall however - in any event and at a minimum - implement the following measures that have been agreed with the data controller:
All systems require personal logon with password.
All systems containing confidential information have multi-factor authentication logon.
All computers may be remotely locked and erased by IT department.
All employees must annually complete a security awareness program.
Access to systems, mail, etc. via phones, pads, etc., have the same security measures as computers.
Data is encrypted during transfer.
There is access control at all locations, and all data centres have a high level physical access control C.
Security of processing
(a) The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter “personal data breach”). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex
Security of processing
1. Article 32 GDPR stipulates that, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the data controller and data processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. The data controller shall evaluate the risks to the rights and freedoms of natural persons inherent in the processing and implement measures to mitigate those risks. Depending on their relevance, the measures may include the following:
a. Pseudonymisation and encryption of personal data;
b. the ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services;
c. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
d. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
2. According to Article 32 GDPR, the data processor shall also – independently from the data controller – evaluate the risks to the rights and freedoms of natural persons inherent in the processing and implement measures to mitigate those risks. To this effect, the data controller shall provide the data processor with all information necessary to identify and evaluate such risks.
3. Furthermore, the data processor shall assist the data controller in ensuring compliance with the data controller’s obligations pursuant to Articles 32 GDPR, by inter alia providing the data controller with information concerning the technical and organisational measures already implemented by the data processor pursuant to Article 32 GDPR along with all other information necessary for the data controller to comply with the data controller’s obligation under Article 32 GDPR. If subsequently – in the assessment of the data controller – mitigation of the identified risks require further measures to be implemented by the data processor, than those already implemented by the data processor pursuant to Article 32 GDPR, the data controller shall specify these additional measures to be implemented in Appendix C.
Security of processing
(1) The Service Provider must protect the personal data of the data subject, in particular, against unauthorized access, alteration, public disclosure, erasure, damage, or destruction.
(2) The Service Provider shall protect the personal data processed by him by taking appropriate organizational and technical (information technology) measures against unauthorized access and use. In respect of data security, IT systems processing various personal data may only be operated by the persons with the right of access. The criterion for the right of access shall be considered to be met if its extent is in compliance with the stipulation that the right of access must be provided on a need-to-know basis, i.e. it may only be granted to persons whose job-related tasks include processing. The rights of access and their use shall be revised by the Service Provider on a regular basis.
(3) The Service Provider shall act in compliance with the applicable laws and with reasonably due care; accordingly, he shall control, develop, operate, and handle his information technology systems based on the integrated management system in line with standards ISO 22301 and ISO 27001, during which, he shall use high availability hardware and software solutions and he shall regularly revise such properties thereof, and he shall develop, upgrade, or replace them as necessary. The certificates in line with the international industrial standards and the applicable laws obtained by the Service Provider are included in the documents attached as annexes hereto.
(4) The Service Provider shall satisfy all applicable PCI DSS requirements in the system in which the Service Provider shall have access to or process (store, use, transfer) the card data of his clients, and he shall ensure the continuous protection of such personal data.
(5) The Service Provider undertakes to protect the data traffic of the User Interface created for the Subscriber within the scope of the VCC Live Service with currently available, state-of-the-art encryption. Accordingly, the Service Provider shall ensure encrypted data connection between the server and the Subscriber and act with reasonably due care while operating the servers.
(6) Concerning data security, in relation to operating the electronic communication means used during the provision of services, the Service Provider guarantees that the processed data will be available to the authorized persons (availability), the authenticity and authentication of t...
Security of processing
1. The Data Processor shall take all the measures required pursuant to Article 32 of the General Data Protection Regulation which stipulates that with consideration for the current level, implementation costs and the nature, scope, context and purposes of processing and the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Data Controller and Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
2. The above obligation means that the Data Processor shall perform a risk assessment and thereafter implement measures to counter the identified risk. Depending on their relevance, the measures may include the following:
a. Pseudonymisation and encryption of personal data
b. The ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services.
c. The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
d. A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
3. The Data Processor shall in ensuring the above – in all cases – at a minimum implement the level of security and the measures specified in Appendix C to this Data Processing Agreement.
4. The Parties’ possible regulation/agreement on remuneration etc. for the Data Controller’s or the Data Processor’s subsequent requirement for establishing additional security measures shall be specified in the Parties’ ‘Master Agreement’ or in Appendix D to this Data Processing Agreement.