The level of security shall take into account that the processing involves a large volume of personal data which are subject to Article 9 GDPR on ‘special categories of personal data’, which is why a ‘high’ level of security should be established.
The data processor shall hereafter be entitled and under obligation to make decisions about the technical and organisational security measures that are to be applied to create the necessary (and agreed) level of data security.
The data processor shall however – in any event and at a minimum – implement the following measures that have been agreed with the data controller:
- The data processor ensures ongoing confidentiality, integrity, availability, and resilience by implementing strict access controls, robust encryption, and redundancy capabilities. Regular system updates and monitoring are conducted to protect against threats and ensure continuous service availability.
- The data processor is able to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident. This includes maintaining regular, secure backups. The system must also prioritize the restoration of critical data and services while ensuring data integrity throughout the recovery process.
- The data processor implements secure online data access protocols, including optional multi-factor authentication, role-based access control, and encrypted data transmission and storage.
- The data processor implements comprehensive measures to protect data during transmission, including the use of strong encryption protocols (TLS), end-to-end encryption, and secure transmission channels. Additional safeguards are in place to prevent and detect man-in-the-middle attacks, ensuring compliance with relevant data protection regulations.
- The organization must implement comprehensive measures to protect data during storage, including strong encryption for data-at-rest and role-based access controls. Data must be stored in redundant systems with regular backups and must comply with defined retention policies.