General summary of technical and organisational measures in accordance with Article 32(1) GDPR

Controller: Office24 Ltd., 18A Heath Road, Nailsea, Bristol, BS48 1AD

Last revised: 29 April 2020


1. Physical access control

The contractor is obliged to prevent unauthorised persons from accessing data processing systems with which the contract data is processed (physical access control).

Methods: alarm system, external security service provider, transponder locking system, video surveillance at access points, intercom systems at entrances, motion detectors, careful selection of cleaning staff and security personnel, basic “no visitors policy” with use of visitor badges for exceptions


2. Data access control

The contractor is obliged to prevent data processing systems from being used by unauthorised persons (data access control), most notably through the use of state-of-the-art authentication and encryption procedures.

Methods: secure passwords (following defined rules) for user accounts; automatic blocking mechanisms; two-factor authentication; encryption of databases and data carriers; VPN or TLS connections with user name and password entry.


3. Data usage control

The contractor is obliged to ensure, in particular by using state-of-the-art authentication systems and encryption procedures, that those authorised to use a data processing system can only access the contract data to which their authorisation relates, that they can only process these data on the instructions of the client, and that contract data cannot be read, copied, modified or removed without authorisation during processing (data usage control).

Methods: authorisation systems and needs-based access rights; access logs; authentication and encryption procedures; secure passwords; automatic blocking mechanisms.


4. Data transfer control

The contractor is obliged to ensure, in particular by using state-of-the-art authentication systems and encryption procedures, that contract data cannot be read, copied, modified or removed without authorisation during electronic transmission or while in transit, and that it is possible to check and establish to which recipients contract data are to be transmitted by data transmission equipment (data transfer control).

Methods: encryption; virtual private networks (VPN); electronic signature.


5. Data entry control

The contractor is obliged to ensure that it can subsequently be checked and established whether contract data have been entered, changed, transferred or removed in a data processing system, and by whom (data entry control), and that the origin of contract data can be traced at any time (authenticity control).

Methods: logging; document management; documentation of input and output.


6. Availability control

The contractor is obliged to ensure that contract data are protected from accidental or deliberate destruction or loss (availability control). This in particular includes putting measures in place to ensure the resilience of the systems and services, the secure storage of the contract data in accordance with data security principles, and regular backups of the data, to the extent necessary.

Methods: read-only/version control; backup strategy; uninterruptible power supply (UPS); antivirus software; firewalls; system maintenance/stress tests; updates; reporting channels and emergency plans.


7. Separation control

The contractor is obliged to ensure that contract data collected for different purposes can be processed separately (separation control).

Methods: separate access rights


8. Implementation review

The contractor is obliged to ensure that the data protection principles are effectively adhered to and that the necessary safeguards are included in the processing in order to comply with the data protection requirements and to protect the rights of data subjects.

Methods: training and briefing of employees; reviews/spot checks


9. Effectiveness review

The contractor is obliged to implement a procedure for the periodic review, assessment and evaluation of the effectiveness of the technical and organisational measures in order to ensure the security of the processing practices.

Methods: full audit trail of up-to-date and transparent documentation of the data processing operations; data privacy management; incident response management; stress tests, spot checks and simulated attacks “from outside” (external penetration tests); adjustments to stay in line with the state of the art (updates, training)


10. Order control

The contractor is obliged to ensure that personal data are processed only as instructed by the client and that any instructions received are followed without undue delay (order control).

Methods: clear contractual structures; briefing of employees; formalised order management; strict selection of service providers; mandatory vetting procedures; follow-up checks