General Technical and Organizational Measures
Measures According to Art. 32 para. 1 GDPR
The contractor has taken the following technical and organizational measures.
1. Confidentiality (Art. 32 para. 1 lit. b GDPR)
Entrance Control
Measures to prevent unauthorized persons from gaining access to data processing systems with which personal data is processed or used.
The FASTEC building is equipped with an access control system. Only authorized persons can enter the building using an RFID chip. Access to each office floor is secured by another access control system, as is the server room.
Access Control
Technical (password/password protection) and organizational (user master record) measures with regard to user identification and authentication:
Only persons with a valid user account, in combination with their password, have access to the FASTEC network. There is a strict separation between the “FASTEC network” and other existing networks, such as the guest WLAN.
When accessing the FASTEC network from outside (VPN), two-factor authentication using OTP is also required.
Admission Control
Measures to ensure that persons authorized to use a data processing system can only access the data subject to their access authorization and that personal data cannot be read, copied, modified or removed without authorization during processing, use and after storage.
All IT systems used at FASTEC have differentiated authorizations, which are also configured in such a way that employees only have access to the data required for their area.
Separation Control
Measures for separate processing (storage, modification, deletion, transmission) of data with different purposes:
Data that is used for processing different purposes is also stored separately.
Pseudonymization (Art. 32 para. 1 lit. a GDPR; Art. 25 para. 1 GDPR)
The processing of personal data in such a manner that the data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to appropriate technical and organizational measures.
Pseudonymization does not take place.
2. Integrity (Art. 32 para. 1 lit. b GDPR)
Transfer Control
Measures to ensure that personal data cannot be read, copied, altered or removed without authorization during electronic transmission or during their transport or storage on data carriers, and that it is possible to verify and establish to which bodies personal data are intended to be transmitted by data transmission equipment.
In general, FASTEC does not transmit any personal data of our customers’ employees to third parties.
Access to customer systems is usually via VPN systems provided by the customer.
Input Control
Measures to ensure that it is subsequently possible to check and determine whether and by whom personal data has been entered, modified or removed from data processing systems.
FASTEC employees do not enter the data of our customers’ employees.
3. Availability and Resilience (Art. 32 para. 1 lit. b GDPR)
Availability Control
Measures to ensure that personal data is protected against accidental destruction or loss.
As FASTEC does not carry out any order processing in the strict sense, there is no personal customer data that would have to be protected against loss.
Nevertheless, FASTEC has of course taken measures with regard to other systems to prevent data loss. These include regular backups in various fire protection sections, uninterruptible power supplies, virus protection/firewall as well as fire extinguishers and air conditioning in the server room.
4. Procedures for Regular Review, Assessment and Evaluation (Art. 32 para. 1 lit. d GDPR; Art. 25 para. 1 GDPR)
Data Protection Management
All FASTEC employees are instructed annually on the subject of data protection. We work continuously on our data protection management system in cooperation with our external data protection officer.
Data Protection-Friendly Default Settings (Art. 25 para. 2 GDPR)
This point does not apply: our customers’ employee data is not entered, so there are no data protection settings that would need to be configured to ensure that as little data as possible is collected.
Order Control
Measures to ensure that personal data processed on behalf of the client can only be processed in accordance with the client’s instructions.
Order control is ensured through clear contract design.