Technical and organizational measures

This English version is provided as a courtesy only and has no legally binding effect. Only the German version is legally binding.

Mission statement and objective

Elatec GmbH endeavors to maintain lasting relationships with its employees and a consistently high level of customer satisfaction. In doing so, we place special emphasis on how we foster our individual customer relationships and align all other corporate objectives accordingly. A key part of these relationships is trust. As such, we fully advocate the protection of privacy and the right to data protection. Our aim is to offer employees, customers and visitors a secure and low-risk service.

In order to ensure that personal data processing occurs strictly in accordance with the underlying legal regulations, we orient our processes and technical configuration towards the guarantee objectives of the General Data Protection Regulation, the German Federal Data Protection Act and other relevant legislation. In particular, only the personal data required for the respective purpose should be collected, and the straightforward exercise of the rights of data subjects should be assured.

The following technical and organizational measures are based on the guarantee objectives of Art. 32 and the requirements of Art. 25 of the General Data Protection Regulation. Measures aimed at ensuring the security of the data center are those provided by the hosting provider.

Measures

Basic protection measures

Elatec separates personal data from processed data wherever possible and at the relevant points, so that no link can be established between processed data and an identified or identifiable individual without additional information; this additional information is stored separately and securely. This applies in particular where data is processed as part of research projects.

Elatec uses state-of-the-art encryption methods to protect personal data during transfer.

Entry control

The entry control measures in place ensure that unauthorized third parties are prevented from physically accessing data processing facilities used to process or use personal data. Elatec protects its areas that are critical to personal data processing using adequate entry control systems. Entry rights for authorized individuals are granted individually based on defined criteria. This also applies to external individuals.

Access control

A role-based authorization concept uses the following measures to ensure that access to data processing systems is granted only to authenticated users: individual password assignment (at least eight characters, expiring automatically at regular intervals), password-protected screensavers for periods of inactivity (on part of the systems), and regularly updated anti-virus and spam filters on the network and on the individual PCs.

Data access control

The data access control measures in place ensure that those authorized to use a data processing system are permitted access solely to the data covered by their access authorization, and that personal data cannot be read, copied, changed or removed without authorization during processing and use, or after storage. Access to personal data is granted on the basis of a role-based authorization concept. A user management system is in place to map the joining and departure of users together with their respective permissions. Access to personal data is also logged. Data carriers are disposed of in line with data protection legislation.

Data transmission control

Elatec secures electronic communication channels by setting up closed networks and using data encryption methods. By doing so, Elatec ensures that personal data cannot be read, copied, changed or removed without authorization during electronic transmission, during transport, or while stored on data carriers, and makes it possible to review and ascertain the locations to which the transmission of personal data using data transmission equipment is envisaged. Where data is physically transported on a data carrier, verifiable transport processes are in place that prevent unauthorized access to the data or logical data loss.

Input control

To ensure that it can subsequently be reviewed and ascertained whether and by whom personal data has been entered, changed or removed in data processing systems, extensive input monitoring takes place. Software-based logging of the entry, modification and deletion of data is the primary means of doing this. In this connection, the traceability of the entry, modification and deletion of data is ensured through the assignment of individual user names.

The assignment of rights to enter, change and delete data takes place on the basis of an authorization concept. Responsibilities regarding the erasure of data in particular are defined in a concept that is in any case tied to the respective division.

Separation control

By ensuring a logical and physical separation of data, Elatec guarantees that data collected for different purposes can be processed separately. Test and live systems are kept completely separate. The applications used for storing employee and customer data are multi-tenant capable.

Availability control

Elatec takes measures that guarantee the protection of personal data against accidental destruction or loss. The first of these measures is the direct safeguarding of server facilities against the relevant risks. From a technical point of view, this specifically entails: smoke alarms, server room temperature and humidity monitoring, an uninterruptible power supply and a RAID system. To guarantee availability, these technical measures are supplemented by organizational measures such as a backup concept, checks of the backup process, regular tests of data recovery and event logging, the storage of backup media in a secure location outside the server room, and the absence of water or sanitary pipes in or above the server room.

Incident response management

In the event of a personal data breach, a documented reporting process is in place which takes into account the duty to notify the supervisory authority and involves the relevant department, the IT department and the data protection officer(s). The process also includes the formal assignment of responsibilities for the follow-up of security incidents and data breaches.

Control of contract processors

Where contract processors are used, Elatec takes measures to ensure that the personal data to be processed by the contractor can only be processed in line with the instructions of the Client. In this connection, the contractor is carefully selected with regard to privacy and data security, and the security measures taken by the contractor and their documentation are subject to review. In particular, Elatec ensures that the agreement with the processor contains an obligation binding the contractor's employees to data secrecy, an obligation on the part of the contractor to appoint a data protection officer where appointing one is mandatory, an arrangement stipulating effective rights of supervision over the contractor, rules on the use of additional sub-contractors, the assurance that data will be destroyed after completion of the contract, and a regular review of the contractor and its level of protection.

Data protection management system

Elatec maintains a monitoring procedure, based on a risk management approach, for the regular review, assessment and evaluation of the effectiveness of the technical and organizational measures that guarantee the security of processing. This covers the protection of the relevant information, applications (including quality and security testing methods), operating environments (e.g. monitoring the network for harmful interference) and the technical implementation of protection concepts (e.g. using vulnerability analyses). The systematic logging and remediation of vulnerabilities enables the continual review and improvement of protective measures as part of an IT security concept.

In addition, a data protection management system is actively practiced within the company through central documentation of all data protection procedures and rules, which is accessible to employees. These measures are further reinforced by the appointment of data protection officer(s), staff training, and confidentiality and data secrecy obligations.

Elatec fulfills its obligations to provide information under Art. 13 and 14 GDPR, complies with the right of data subjects to withdraw consent, the obligation to carry out a data protection impact assessment, and the obligation to process requests from data subjects as warranted by the circumstances. Corresponding processes have been created for this purpose.