Technical and organisational measures (TOM)

1. Confidentiality

1.1 Entry control

1.1.1 Technical measures:
  • Door security with security locks and/or badge system
  • Logging of accesses
  • Alarm systems
  • Video surveillance when entering the data centre
1.1.2 Organisational measures:
  • Policies and guidelines - access for authorised persons only
  • Awareness training for employees
  • Zone concept with different security levels and access authorisations
  • Periodic control of access authorisations
  • Alarm in case of unauthorised access attempts

1.2 Access control (server)

1.2.1 Technical measures:
  • Multiple authentication via VPN and various checkpoints
  • Network zoning, firewalls to secure and control network transitions
  • Logging of all accesses
1.2.2 Organisational measures:
  • Policies and guidelines - access only for the minimum number of authorised administrators
  • Network zone concept with protection of network transitions
  • Awareness training for employees
  • Personalised user accounts
  • Periodic control of access authorisations

1.3 Access control (application)

1.3.1 Technical measures:
  • Logging of logins to the application; communication with applicants is recorded in the history.
1.3.2 Organisational measures:
  • Authorisation control
  • Role concept
  • Management of user rights by user manager (of the client)

1.4 Separation control

1.4.1 Technical measures:
  • Physical separation (systems / databases / data carriers)
  • Multi-client capability of relevant applications through object-oriented database
  • Use of an object-oriented database with separation of clients by hierarchy. The hierarchy is directly tied to the navigation path in the URL.
  • Documents are stored per customer in a separate folder structure.
1.4.2 Organisational measures:
  • Control via authorisation concept
  • Setting database rights

1.5 Pseudonymisation

1.5.1 Technical measures:
  • Anonymisation of data and anonymous use for statistical purposes
  • Automatic hashing of the data after expiry of the archiving period
  • Automatic deletion of data after expiry of the deletion period
  • Automatic archiving of data in the talent pool in the absence of consent for further storage and automatic deletion of data

2. Integrity

2.1 Transfer control

2.1.1 Technical measures:
  • Encrypted connection (https)
  • Access to server via VPN
2.1.2 Organisational measures:
  • Access is possible at all times only for the authorised positions (HR, supervisor and, if applicable, the chief of staff).
  • Access is possible at all times only to the authorised applications (for line managers).
  • The application is activated by the HR manager directly in the application overview. The status, and who can view application data, can be displayed and saved at any time. The history records who was able to view the data at what time.

2.2 Access control

2.2.1 Technical measures:
  • Access to the firewall and within the application is recorded in log files
2.2.2 Organisational measures:
  • Assignment of roles and rights on the basis of an authorisation concept
  • Entry of data (e.g. comments) traceable through individual, personal user names (not user groups)
  • Clear responsibilities for role administration (creation and deletion of users)
  • The authorisation for access to applicant data can be set. Only assigned persons can access and change application data. Details of an application such as status, comments or ratings are recorded together with the person processing the application. This recorded data can be viewed by the responsible persons.
  • Refline provides users with detailed instructions on how to use the application.

3. Availability and resilience

3.1 Availability control

3.1.1 Technical measures:
  • Fire detection and protection systems
  • Air conditioning
  • UPS
  • RAID storage systems
  • Redundant systems
  • Two-site concept
  • Backups
  • Malware protection
3.1.2 Organisational measures:
  • Policies and regulations
  • Awareness training for employees
  • Regular tests
  • Regular maintenance of the infrastructures and systems
  • Periodic checks

4. Procedures for regular review, assessment and evaluation

4.1 Data protection measures

4.1.1 Technical measures:
  • Review and adaptation of the software solution to the data protection requirements incl. automation of deletion processes
4.1.2 Organisational measures:
  • Internal Data Protection Officer
  • Training and commitment of employees with regard to data protection and confidentiality
  • Regular sensitisation of employees at least annually
  • Formalised process for handling requests for information

4.2 Incident response management

4.2.1 Technical measures:
  • Malware protection systems
  • Automatic monitoring of activities
4.2.2 Organisational measures:
  • Policies and guidelines

4.3 Privacy-friendly default settings

  • Privacy by design / privacy by default
4.3.1 Technical measures:
  • No more personal data is collected than is necessary for the respective purpose
  • Simple right of revocation of the data subjects (deletion function)

4.4 Order control (outsourcing to third parties)

4.4.1 Organisational measures:
  • Third parties are screened and selected with the utmost care.