Technical and organisational measures

To establish a comprehensive, GDPR-compliant data protection management system, technical and organisational measures (“TOM”) must be implemented in the company in accordance with, among others, Art. 24 GDPR, Art. 32 GDPR and Section 64 BDSG, and documented so that they can be demonstrated in the event of an inspection by the data protection supervisory authority. Every company, authority, institution or other body which, alone or jointly with others, decides on the purposes and means of processing personal data is a controller within the meaning of the GDPR and must implement appropriate technical and organisational measures.

Technical measures include in particular: use of an up-to-date virus scanner and firewall, password protection, backups, encryption of data carriers, building security, securing the server room, use of alarm systems, fire protection measures, VPN, lockable filing cabinets, logging, etc.

Organisational measures include in particular: authorisation concepts according to task and function, regular data protection training, data protection audits, visitor concepts, definition of the authority to issue instructions, appointment of a data protection officer or internal data protection coordinators, provision of declarations of consent and other documents required by data protection law, applicant management, etc.

The purpose of the technical and organisational measures is in particular to ensure, and to be able to demonstrate, the security of the processing of personal data. At the same time, comprehensive technical and organisational measures are a mark of quality.

The selection of the relevant and necessary technical and organisational measures is determined by several criteria. These include, above all, the state of the art, the costs of implementation, the probability of occurrence and severity of the risk to the rights and freedoms of natural persons, and the nature, scope, circumstances and purposes of the processing. It is also important that the technical and organisational measures are regularly reviewed and updated as necessary (e.g. in the context of data protection audits).

The successful implementation and documentation of technical and organisational measures that meet the legal (minimum) requirements call for comprehensive advice and ongoing support from specialised lawyers, in order to avoid fines, claims for damages, reputational damage and the loss of contracts to competitors, and ultimately to minimise liability risks.

Our law firm advises on technical and organisational measures, in particular on the following topics:

  • creation of a comprehensive TOM checklist
  • support in the selection and implementation of individual technical and organisational measures
  • training of employees
  • special training courses for managers and the IT department
  • support with the documentation of technical and organisational measures
  • conducting data protection audits to detect weaknesses
  • examination of suitable guarantees from subcontractors (e.g. processors) with regard to their technical and organisational measures
  • integration of technical and organisational measures into an Information Security Management System (ISMS)
  • cooperation with the IT security officer