For a comprehensive and legally compliant data protection management system, technical and organizational measures ("TOM") must be implemented in the company in accordance with, among others, Art. 24 GDPR (DSGVO), Art. 32 GDPR and Section 64 BDSG, and documented so that they can be demonstrated in the event of an inspection by the data protection supervisory authority. Every company, authority, institution or other body which alone or jointly with others determines the purposes and means of processing personal data is a controller within the meaning of the GDPR and must implement appropriate technical and organizational measures.
Technical measures include: Use of an up-to-date virus scanner and firewall, password protection, backups, encryption of data carriers, building security, securing the server room, use of alarm systems, fire protection measures, VPN, lockable filing cabinets, logging, etc.
Organizational measures include: Authorization concepts based on task and function, regular data protection training, data protection audits, visitor concepts, definition of who is authorized to issue instructions, appointment of a data protection officer or internal data protection coordinators, provision of declarations of consent and other documents required under data protection law, applicant management, etc.
The purpose of technical and organizational measures is, in particular, to ensure and to be able to demonstrate the security of the processing of personal data. Beyond that, comprehensive technical and organizational measures are also a mark of quality.
The selection of relevant and necessary technical and organizational measures follows from several criteria. These include, above all, the state of the art, the cost of implementation, the likelihood and severity of the risk to the rights and freedoms of natural persons, and the nature, scope, context and purposes of the processing. It is also important that the technical and organizational measures are regularly reviewed and updated as necessary (e.g., as part of data protection audits).
The successful implementation and documentation of technical and organizational measures that meet the legal (minimum) requirements requires comprehensive advice and ongoing support from specialized lawyers in order to avoid fines, claims for damages, reputational damage and the loss of contracts to competitors, and ultimately to minimize liability risks.
Our law firm advises on technical and organizational measures, including the following topics: