Technical and organisational measures

For a comprehensive and data protection-compliant data protection management system, technical and organizational measures (“TOM”) must be implemented in the company in accordance with Art. 24 DSGVO, Art. 32 DSGVO and Section 64 BDSG, among others, and documented in the event of an inspection by the data protection supervisory authority. Every company, authority, institution or other body which alone or jointly with others decides on the purposes and means of processing personal data is a controller within the meaning of the DSGVO and must implement appropriate technical and organizational measures.

Technical measures include: Use of an up-to-date virus scanner and firewall, password protection, backups, encryption of data carriers, building security, securing the server room, use of alarm systems, fire protection measures, VPN, lockable filing cabinets, logging, etc.

Organizational measures include: Authorization concepts according to task and function, regular data protection training, data protection audits, visitor concepts, definition of authority to issue directives, implementation of a data protection officer or internal data protection coordinators, provision of declarations of consent and other documents required under data protection law, applicant management, etc.

The purpose of technical and organizational measures is, in particular, to ensure and demonstrate the security of the processing of personal data. On the other hand, comprehensive technical and organizational measures stand for a high quality feature.

The selection of relevant and necessary technical and organizational measures results from several criteria. These include, above all, the state of the art, the cost of implementation, the probability and severity of the risk to the rights and freedoms of natural persons, and the nature, scope, circumstances and purpose of the processing. It is also important that the technical and organizational measures are regularly reviewed and updated as necessary (e.g., as part of data protection audits).

The successful implementation and documentation of technical and organizational measures that meet the legal (minimum) requirements require comprehensive advice and ongoing support from specialized lawyers in order to avoid fines, the assertion of claims for damages, damage to image, the loss of contracts to competitors, and ultimately to minimize liability risks.


Our law firm advises on technical and organizational measures, including the following topics:

  • Preparation of a comprehensive checklist on technical and organizational measures (TOM checklist)
  • Creation of a checklist for the procurement of software and its data protection-friendly basic settings (Data Protection by Design and by Default)
  • Advice on the selection of software and mobile apps and their implementation (role-based authorization concept, data security concept, deletion concept, input logging, log files, export of master data and transaction data as part of an information procedure)
  • Examination of general terms and conditions and IT contracts of software vendors for their legal validity
  • Support in the selection, implementation and documentation of the required technical and organizational measures (best practice)
  • Inspections of various departments, HR, IT, server rooms, data centers
  • Training of employees in IT security and data protection (awareness)
  • Special training for managers, HR, IT, marketing, sales, etc. on IT security and data protection
  • Conducting data protection audits to identify weaknesses
  • Review and auditing of technical and organizational measures of external service providers in the context of contract processing
  • Review of suitable guarantees from commissioned subcontractors (e.g., order processors) with regard to their technical and organizational measures
  • Integration of technical and organizational measures into an IT security management system (ISMS) in accordance with ISO 27001
  • Cooperation with the IT security officer(s)