Security risk. The Data Processor must take the measures necessary to identify, evaluate and limit any reasonably foreseeable internal and external risks to the availability, confidentiality or integrity of all personal data covered by the Data Processing Agreement. The Data Processor must take appropriate technical steps to limit the risk of any unauthorised access. The Data Processor must evaluate and improve the effectiveness of these precautions when necessary. The Data Processor must document identified risks, as well as when a risk is reduced to an acceptable level.

The above obligation involves the Data Processor carrying out a risk evaluation followed by measures to counter identified risks. This could include any relevant measures from the following list:

- Pseudonymisation and encryption of personal data
- Capability to ensure continued confidentiality, integrity, availability and resilience of processing systems and services
- Capability to correctly re-establish availability of and access to personal data in the case of a physical or technical incident
- A procedure for regular trial, assessment and evaluation of the effectiveness of the technical and organisational measures for ensuring security of processing.

The Data Processor must have formal procedures for handling security incidents. The Data Processor must be able to document which employees are authorised to access personal data processed under the Data Processing Agreement.

When it is no longer necessary to save input data materials, the Data Processor must delete or destroy the input data materials. The method for this must follow best practice. Output data may only be used by persons who are engaged in purposes for which the personal data is being processed, as well as for auditing, technical maintenance, operational monitoring and corrective measures etc.