Technical and organizational measures according to Article 32 GDPR
LoyJoy GmbH implements the following technical and organizational measures to ensure compliance with the provisions of the General Data Protection Regulation (GDPR).
Confidentiality (Art. 32(1)(b) GDPR)
Physical access control
Measures suitable to prevent unauthorized persons from gaining access to data processing facilities where personal data are processed or used.
Technical measures | Organizational measures |
---|---|
Manual locking system | Key management / key register |
No operation of own data centers | Visitors accompanied by employees |
System access control
Measures suitable to prevent data processing systems (computers) from being used by unauthorized persons. System access control refers to preventing the unauthorized use of data processing systems, as opposed to physical access to the premises.
Technical measures | Organizational measures |
---|---|
Login with email address and access token | Managing user permissions |
Login with a security key in the FIDO2 standard | Creating user profiles |
Firewall | “Clean desk” policy |
Encryption of storage media | Visitors accompanied by employees |
Encryption of smartphones | General data protection and/or security policy |
Automatic desktop lock | Instruction: “manual screen lock” |
Encryption of laptops/tablets | Use of external storage media prohibited by policy |
Management of endpoints via Mobile Device Management | |
Blocking access to the LoyJoy Platform after too many failed login attempts | |
Data access control
Measures to ensure that persons authorized to use a data processing system can access only the data that are subject to their access authorization, and that personal data cannot be read, copied, modified, or removed without authorization during processing, use, and after storage.
Technical measures | Organizational measures |
---|---|
Logging of access to applications, specifically on input, modification, and deletion of data | Use of authorization concepts |
Process for granting and revoking permissions | |
Minimal number of administrators | |
Administration of user rights by administrators | |
Separation control
Measures to ensure that data collected for different purposes can be processed separately.
Technical measures | Organizational measures |
---|---|
Separation of production and test environments | Control via authorization concept |
Physical separation (systems / databases / data carriers) | Definition of database rights |
Multi-tenancy capability of relevant applications incl. service providers | |
Pseudonymization (Art. 32(1)(a) GDPR; Art. 25(1) GDPR)
Processing personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to appropriate technical and organizational measures.
Technical measures | Organizational measures |
---|---|
Pseudonymization: separation of mapping data and storage in a separate and secured system | Internal instruction to anonymize/pseudonymize personal data, where possible, in the event of disclosure or after expiry of statutory retention/deletion periods |
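The following is an added illustration of the measure described above (example code written for this page, not code from LoyJoy's platform or documentation). It models the "separation of mapping data" with a hypothetical `MappingStore` class that stands in for the separately secured system: the working dataset keeps only a random pseudonym (`subject_id`) plus non-identifying attributes, re-identification is possible only with the mapping, and erasing the mapping entry leaves the record effectively anonymous. The sample records, the field names `email`/`name`/`score` and the `pid_` prefix are constructed for the example.

```python
import secrets

# Constructed sample records for the example; not real personal data.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "name": "Alice Example", "score": 42},
    {"email": "bob@example.com", "name": "Bob Example", "score": 17},
]

# Which attributes count as "additional information" that must be
# separated from the working dataset (assumption for this example).
IDENTIFYING_FIELDS = ("email", "name")


class MappingStore:
    """Hypothetical stand-in for the separately secured mapping system.

    In a real deployment this would be a different database with its own
    access controls; here it is an in-memory object so the example runs
    offline. It is the only place where pseudonym -> identity is known.
    """

    def __init__(self):
        self._by_pseudonym = {}
        self._by_identity = {}

    def pseudonym_for(self, identity):
        """Return a stable random pseudonym for an identity, minting one
        if the identity has not been seen before."""
        key = tuple(sorted(identity.items()))
        if key not in self._by_identity:
            pseudonym = "pid_" + secrets.token_hex(16)  # unguessable, not derived from the data
            self._by_identity[key] = pseudonym
            self._by_pseudonym[pseudonym] = dict(identity)
        return self._by_identity[key]

    def identity_for(self, pseudonym):
        """Look up the identity behind a pseudonym; None if unknown or erased."""
        return self._by_pseudonym.get(pseudonym)

    def erase(self, pseudonym):
        """Delete the mapping entry, e.g. after a retention period expires.
        Records carrying this pseudonym can then no longer be attributed."""
        identity = self._by_pseudonym.pop(pseudonym, None)
        if identity is None:
            return False
        self._by_identity.pop(tuple(sorted(identity.items())), None)
        return True


def pseudonymize(record, store):
    """Split a record: identifying fields go to the mapping store, the
    rest stays in the working dataset keyed by the pseudonym."""
    identity = {k: record[k] for k in IDENTIFYING_FIELDS if k in record}
    pseudonymized = {k: v for k, v in record.items() if k not in IDENTIFYING_FIELDS}
    pseudonymized["subject_id"] = store.pseudonym_for(identity)
    return pseudonymized


def reidentify(pseudonymized, store):
    """Reverse the split using the mapping store. Returns None when the
    mapping is absent, i.e. the record is effectively anonymous."""
    identity = store.identity_for(pseudonymized["subject_id"])
    if identity is None:
        return None
    merged = {k: v for k, v in pseudonymized.items() if k != "subject_id"}
    merged.update(identity)
    return merged


if __name__ == "__main__":
    store = MappingStore()
    working_set = [pseudonymize(r, store) for r in SAMPLE_RECORDS]
    print("working dataset:", working_set)            # no email/name present
    print("re-identified:", reidentify(working_set[0], store))
    store.erase(working_set[0]["subject_id"])
    print("after erasure:", reidentify(working_set[0], store))  # None
```

The point of the split is that an attacker who obtains only the working dataset learns nothing that links `subject_id` to a person, and that deleting the mapping entry is a cheap way to honour the instruction to anonymize once retention periods expire.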
Integrity (Art. 32(1)(b) GDPR)
Transfer control
Measures to ensure that personal data cannot be read, copied, modified, or removed without authorization during electronic transmission or transport or during storage on data carriers, and that it can be verified and established to which entities a transmission of personal data is envisaged via data transmission facilities.
Technical measures | Organizational measures |
---|---|
Logging of access and retrievals | |
Provision via encrypted connections such as SFTP, HTTPS | |
Patches and updates are applied automatically to the LoyJoy infrastructure. Automated updates are enabled on employees’ devices. Effectiveness is reviewed regularly. | |
Only encrypted Wi-Fi networks (at least WPA2) are used. | |
Use of encryption to ensure the integrity of data, software, and IT systems in accordance with the state of the art. | |
Input control
Measures to ensure that it can be subsequently verified and established whether and by whom personal data have been entered into, modified in, or removed from data processing systems.
Technical measures | Organizational measures |
---|---|
Technical logging of the entry, modification, and deletion of data | Traceability of entry, modification, and deletion of data through individual user IDs |
Assignment of rights to enter, modify, and delete data based on an authorization concept | |
Availability and resilience (Art. 32(1)(b) GDPR)
Availability control
Measures to ensure that personal data are protected against accidental destruction or loss.
Technical measures | Organizational measures |
---|---|
Fire and smoke detection systems | No operation of own data centers |
Automatic availability monitoring with notification in case of unavailability | Documented backup & recovery concept |
All company computers are equipped with malware protection | Storage of backup media in a secure location outside the server room |
Emergency plans | |
Rapid recoverability (Art. 32(1)(c) GDPR)
Rapid recoverability is ensured through the comprehensive measures of our sub-processors in line with current technical standards.
In the event of a permanent unavailability of a sub-processor, the processor would, after a reasonable period, switch operations to an alternative cloud service provider. If the processor is responsible for the unavailability, mitigation measures are initiated without delay.
Procedures for regular review, assessment, and evaluation (Art. 32(1)(d) GDPR; Art. 25(1) GDPR)
Data protection management
Technical measures | Organizational measures |
---|---|
A review of the effectiveness of the technical protective measures is conducted at least annually | Employees are trained and bound to confidentiality/data secrecy |
Our infrastructure provider, Google Cloud EMEA, holds ISO 27001 and PCI DSS certifications. | Regular employee awareness-raising, at least annually |
Data Protection Impact Assessments (DPIAs) are carried out as needed | |
The organization complies with the information obligations under Art. 13 and 14 GDPR | |
A formalized process for handling data subject access requests is in place | |
Incident response management
Support in responding to security breaches.
Technical measures | Organizational measures |
---|---|
Use of a firewall and regular updates | Documented process for detection and reporting of security incidents/data breaches (including reporting obligations to supervisory authorities) |
Use of a spam filter and regular updates | Documented procedures for dealing with security incidents |
Documentation of security incidents and data breaches, e.g., via a ticket system | |
Formal process and assigned responsibilities for the follow-up of security incidents and data breaches | |
Privacy-friendly default settings (Art. 25(2) GDPR)
Technical measures | Organizational measures |
---|---|
No more personal data are collected than are required for the respective purpose | |
Easy exercise of the data subject’s right of withdrawal through technical measures | |
Processor control
Measures to ensure that personal data processed on behalf of a controller are processed only in accordance with the controller’s instructions.
Technical measures | Organizational measures |
---|---|
Prior review of the security measures implemented by the processor and documentation thereof | |
Selection of the processor with due diligence (especially regarding data protection and data security) | |
Conclusion of the necessary data processing agreement and/or EU Standard Contractual Clauses | |
Commitment of the processor’s employees to confidentiality | |
Obligation for the processor to appoint a Data Protection Officer where required | |
Ensuring the destruction of data after the end of the engagement | |