Specification of the technical and organisational measures. 9.1 The Contractor’s selection is carried out in particular based on the assessment that it provides sufficient guarantees of compliance with the technical and organisational measures for data security and the processing of Personal Data in accordance with the requirements of the legal regulations ensures a level of processing security appropriate to the risk to the rights and freedoms of the rights of the natural persons affected by the processing.
9.2 If it is not a case of remote maintenance/remote access, the Contractor shall ensure the protection objectives of Art. 32 para. 1 GDPR, such as the confidentiality, integrity, availability and resilience of the systems and services used for data processing and their resiliency in regard to the type, scope, circumstances and purposes of the processing. In addition, it is ensured in this case that the availability of data and access to it is quickly restored upon the occurrence of a physical or technical incident and that as far as possible transport and storage encryption is used.
9.3 The Contractor has used a recognised methodology for the risk assessment for the processing of Personal Data under the contract, which takes into account the probability of occurrence and severity of the risks for the rights and freedoms of the Data Subjects.
9.4 For its area of responsibility, the Contractor guarantees the implementation of appropriate technical and organisational measures for compliance with the data protection regulations according to the current state of the art and permanent containment of the risk associated with data processing. The data protection concept described in Appendix 4 represents the selection of the technical and organisational measures appropriate with regard to the determined risk, taking into account the protection objectives in accordance with the state of the art, and in particular taking into account the IT systems and processing operations used at the Contractor and is determined in a binding manner.
9.5 The contractual processing of data in the home office is permissible if the Contractor ensures appropriate security measures for the criticality of the data processing – comparable to data processing in the office. The Contractor must take appropriate technical and organisational precautionary measures for this and provide proof upon request.
9.6 Technical and organisational measures are subject to technical progress and further development. In this respect, the Contractor is permitted to implement alternative adequate measures. The specified measures may not fall below the security level. Significant changes that are significant for the security of the data (e.g. in the organisation of data processing on order) are to be coordinated with the Client in advance. The Contractor is obliged to carry out, as warranted but at least yearly, a review, assessment, and evaluation of the effectiveness of the technical and organisational measures for ensuring the security of the processing (Art. 32 para. 1 lit. d GDPR).
9.7 The Contractor shall provide the Client with its current data protection and data security concept as well as its IT security governance concept for processing in accordance with this Agreement.
Appears in 3 contracts
Samples: Data Protection Agreement, Data Privacy & Security, Data Privacy & Security
Specification of the technical and organisational measures. 9.1 The Contractor’s selection is carried out in particular based on the assessment that it provides sufficient guarantees of compliance with the technical and organisational measures for data security and the processing of Personal Data in accordance with the requirements of the legal regulations ensures a level of processing security appropriate to the risk to the rights and freedoms of the rights of the natural persons affected by the processing.
9.2 If it is not a case of remote maintenance/remote access, the Contractor shall ensure the protection objectives of Art. 32 para. 1 GDPR, such as the confidentiality, integrity, availability and resilience of the systems and services used for data processing and their resiliency in regard to the type, scope, circumstances and purposes of the processing. In addition, it is ensured in this case that the availability of data and access to it is quickly restored upon the occurrence of a physical or technical incident and that as far as possible transport and storage encryption is used.
9.3 The Contractor has used a recognised methodology for the risk assessment for the processing of Personal Data under the contract, which takes into account the probability of occurrence and severity of the risks for the rights and freedoms of the Data Subjects.
9.4 For its area of responsibility, the Contractor guarantees the implementation of appropriate technical and organisational measures for compliance with the data protection regulations according to the current state of the art and permanent containment of the risk associated with data processing. The data protection concept described in Appendix 4 represents the selection of the technical and organisational measures appropriate with regard to the determined risk, taking into account the protection objectives in accordance with the state of the art, and in particular taking into account the IT systems and processing operations used at the Contractor and is determined in a binding manner.
9.5 The contractual processing of data in the home office is permissible if the Contractor ensures appropriate security measures for the criticality of the data processing – comparable to data processing in the office. The Contractor must take appropriate technical and organisational precautionary measures for this and provide proof upon request.
9.6 Technical and organisational measures are subject to technical progress and further development. In this respect, the Contractor is permitted to implement alternative adequate measures. The specified measures may not fall below the security level. Significant changes that are significant for the security of the data (e.g. in the organisation of data processing on order) are to be coordinated with the Client in advance. The Contractor is obliged to carry out, as warranted but at least yearly, a review, assessment, and evaluation of the effectiveness of the technical and organisational measures for ensuring the security of the processing (Art. 32 para. 1 lit. d GDPR). The result and complete audit report must be reported to the Client.
9.7 The Contractor shall provide the Client with its current data protection and data security concept as well as its IT security governance concept for processing in accordance with this Agreement.
Appears in 3 contracts
Samples: Data Privacy & Security, Data Privacy & Security, Data Protection Agreement