I.

Access control

Access to buildings, offices or other rooms equipped with IT systems, in particular data centers for the operation of databases, storage systems or web servers, must be controlled. This also includes rooms equipped with employees' workstations and rooms with network components or cabling.

A
Safety areas

Premises where there is an increased risk of data breaches due to high concentration of data processing or other use of personal data shall be identified as secure areas.

B
Access protection & its logging

The areas identified must be protected against unauthorized access by third parties by means of technical and organizational measures, such as locking systems, a gatekeeper, burglar alarm systems, turnstiles including a chip card system, separation systems or similar. The records obtained via access control must be kept for a period of at least three months for re-inspection. To prevent misuse, the records must be evaluated at regular intervals.

C
Persons authorized to access

Access without authorization must always be denied. General access criteria must be defined on the basis of authorization groups. In addition, the designated security areas may only be made accessible in accordance with the "principle of minimum authorization". Keys or other means of access must be distributed individually for each person, with the possibility of passing them on to third parties being ruled out. The attention of authorized persons must be drawn to this.

E        
Procedure regarding access authorization

Application for, approval of, and issuance of access authorization shall be recorded in general procedures, as shall general administration and eventual withdrawal. Compliance with these specifications must be ensured. This also includes a procedure for blocking authorizations. If an access authorization holder resigns, changes his or her area of assignment or leaves the company, he or she must be denied access to all areas or those areas relevant to his or her previous activities as quickly as possible. Persons familiar with monitoring the security areas must be informed of these changes.

F
External

Persons from outside the company are only granted access in accordance with the regulations provided for this purpose. At a minimum, these requirements must demand that non-facility personnel be able to show proof of their identity upon request, for example in the form of a special ID card for guests or suppliers. When issuing these IDs, the name and origin (client or business or private address) must be noted. Employees of the responsible party are occasionally required to check the legitimacy of the external party. If this appears necessary for security reasons, external persons must be followed during their activities.

G
Supervision outside operating hours

Guarding of the above-mentioned buildings or premises must also be ensured during the time when operations are not in progress.

II.

Access control
In addition to physical access to data processing equipment, the authority to use data processing equipment must also be verified. 

A
Access protection in general & increased security level

The data processing systems may only be made accessible after prior identification and authentication of the respective persons. This requires state of the art control (for example in the form of user identification including password controls or chip cards including PIN to be queried).

If more stringent authentication is necessary due to the need to protect the data, this can be achieved on the one hand by combining various elements (e.g., physical card with cognitive PIN; one-time-use TAN with permanent user password, etc.) or on the other hand by means of a unique characteristic of the person authorized to access (e.g., biometric features).

B
Basic requirements for access protection

Provided that a special need for protection as described above is not necessary, minimal requirements must nevertheless be placed on authentication. These include specifying a minimum password length, which is ensured by default settings. Such passwords must consist of at least 8 characters containing three of the following four character elements, namely a combination of uppercase or lowercase letters (abcde.../ABCDE...), digits (1,2,3,4...) and special characters (!,",§,$,%...).

It is not allowed to use thematic or otherwise easy to understand password variants. During the input, the password must not be visible on the screen in the so-called "plain text".

There is no obligation to change passwords on a regular basis. However, if it cannot be ruled out that passwords were accessed as part of an attack on the system, all passwords that may have been affected must be changed immediately.

Any replacement passwords issued in the meantime shall be replaced as soon as possible. The initial passwords must be securely transmitted to the recipients, which you replace with others after initial use. 

C
Recording of access

attempts

Attempts to gain access, whether successful or not, must be recorded with details of the access data used, the data processing system used and the IP address. This data must be kept for 6 months and regularly rechecked on a random basis to prevent misuse.

D
Safe handling of access equipment

Access data must not be passed on unsecured via the network.

Passwords must not be left on the memory of the data processing system or in its immediate environment (e.g. form entry in the browser, password tables on system memory, notes at the workstation).

E
Locking access

If authentication is attempted several times without success, the respective access must be blocked. A procedure is set up and used to reset the identifier or reactivate the access. In the event that an access is not active for more than 180 days, it must also be technically blocked independently.

F
Limitations of the power

In accordance with the principle of minimum authorization, access to data processing systems must be limited to those areas that are required to perform the respective tasks or functions of the authorized persons. If persons are only to be given temporary access to data processing systems (e.g., in the course of internships, training or consulting activities), these must be assigned individually per person and the respective identifier may not be used again after the end of the activity (intern 1, intern 2, etc.).

G
Procedure regarding access authorizations

Procedures are set up and used for requesting, approving, granting and withdrawing access to data processing systems and the associated plastic authentication means.

The extent to which access is granted always depends on the respective area of responsibility for which access to data processing systems is required. Accesses, including authentication means, are assigned separately for each person with an individual access combination. In addition, accesses may not be passed on to third parties, and the authorized persons must be made aware of this in a special manner.
In addition, a process for blocking or deleting access authorizations, including identifiers and authentication media, must be set up. All access authorizations and, in particular, the authentication media that are no longer required must be revoked as quickly as possible if the area of responsibility is moved. All affected departments must also be informed of any changes (especially the authorization management).

H
Protection of data processing equipment at the workplace

Users shall be effectively instructed to lock data processing systems (in particular PC workstations) even if they are left for a short time, whereby at least the entry of a password must be required for reactivation.

The data processing systems must be set in such a way that after no more than five minutes of inactivity by the user, the system is automatically locked and the password must be entered.

III.

Access control

Those authorized to access the respective data processing systems must only be permitted to access the data that is necessary for them. The aim of the control is to ensure that personal data may not be read, copied, modified or deleted without authorization.

A
Procedure regarding authorization

A procedure must be set up that regulates the authorizations of users and administrations so that access to data in the system is only possible to the extent that the respective users need it to perform their tasks. In this context, the scope determines the division of tasks and functions. A process for creating, changing and removing authorizations must also be created. It must be possible to decisively show which task owners are responsible for the administration of the system and which user groups can perform individual actions in the system.

B
Access restrictions

If access authorization is granted, this must be associated with access authorization. This can be done in particular by naming predefined roles in the system. Users may only use programs and the associated data on which they depend for their specific job or the processes required for it and for which they are individually authorized by their role.

If data from several sources, in particular several clients, are stored in the system or accessible from data processing systems, (logical) restrictions must be set up so that access is granted only to the client being processed. In addition, processing must be reduced to the minimum necessary for processing.
The data processing systems must be identified as such and must also be recognizable as authentic. When accessing the data processing systems, the authorized person must also identify or authenticate himself by means of unique identifiers (e.g.: by means of a badge reader/user name/password combination).

With regard to granting access to data, the principle of minimum authorization also applies. Access may only be granted to a scope of data that is indispensable for the fulfillment of tasks or functions. Access must also be limited in terms of time, provided that there is no loss of quality.

C
Procedure regarding

Access authorizations

A procedure is introduced for the application, approval, allocation and withdrawal of access authorizations, which also regulates, among other things, how these processes can be controlled. The granting and withdrawal of authorizations and the assignment to role groups must be regulated separately. The IT system's rights management then ensures that access rights are implemented.

Since authorizations are each tied to a single person with an individual user ID or account, the use of group IDs or group passwords is not possible.

According to the need-to-know principle, access rights are to be assigned by distributing authorizations or assigning user roles only insofar as this is necessary for the task to be accomplished.

If a previously authorized person leaves the company or a specific area of activity, the access authorizations of all data processing systems and storage systems or those that fall within the area no longer being processed are immediately revoked. All affected departments must also be informed of any changes (esp. authorization management). This data must be retained for 6 months. 

D
No circumvention of access restrictions

The accumulation of roles and, linked to this, the accumulation of functions must be counteracted. It must be prevented that several roles of the access system are combined in one person and thus an individual obtains access possibilities which in an overall view result in a too powerful role, which in turn can lead to a danger for effective control. For example: If an application user simultaneously acts as the administrator of the database system and misuses this information in the course of transactions or can access data that does not correspond to his authorization. In particular, logging administration with regard to access to personal data must not coincide with an application user role due to a possible conflict of interest, where unauthorized access may occur.

E
Access recording

A record must be made of all read, input, change and delete actions, from which at least the respective system user and the corresponding transaction can be identified. The recorded data must be stored in an audit-proof manner for 3 months, unless otherwise agreed. Random checks and, if there is reason to do so, evaluations must be carried out by means of suitable processes coordinated with data protection.

IV.

Transfer control
Rules shall be established to ensure that personal data cannot be read, copied, modified or removed without authorization during transmission, whether electronically or by other means. In addition, documentation shall be established to record to whom or which entities a transfer of personal data has taken place and from which entity it originated.

A
General requirement for the disclosure of data

Recording of the transfer of personal data, be it an IT system or NT system, must be ensured. The extent of recording is determined on the basis of the reasonableness of the effort involved, as well as on the basis of between whom the data is sent or how the data is sent. This shall be used to determine whether the transmission is documented in full or only on the basis of indicators (such as type of data; sender; recipient). The recorded data must be stored in an audit-proof manner for 3 months, unless other periods have been defined. Random checks and, if there is reason to do so, evaluations must be carried out by means of suitable processes coordinated with data protection.

Abroad, the collection or processing of data is only possible after obtaining the client's approval in writing.

B
Safe transport via networks

Since personal data is mainly transmitted in networks, the security of transmissions and protection against unauthorized copying or modification must be enhanced by authentication, encryption and an appropriate network architecture. These measures must always be based on the state of the art.

State-of-the-art encryption must be used between client and server in the course of data transmissions, for example by encrypting the transmission path.

Encryption must always be used when personal data is transported to a third-party system.

Upon request, the Customer shall be provided with information about the type of encryption.

C
Transfers in the backend

It must be checked separately how a transfer of personal data within the backend between individual systems can be secured against unauthorized access. If the transfer takes place within the same data center and the administration of the network infrastructure cannot access transferred data, encryption is not required for the exchange of data with normal, non-enhanced protection requirements. However, if the transfer takes place over longer distances, especially between different data centers, encryption must always be used.

D
Subdivision of the systems

To increase security, the logical access of the system must be reduced to a minimum. In particular, communication relationships must be reduced to the bare minimum and monitored.

IT systems must be separated by network segments to protect them from unauthorized access when transferring personal data in the network. These can be set up using switches or routers. The purpose of these segments is to ensure that data packets reach or leave the IT systems exclusively via interfaces, from which the transfer of data can be checked. At the very least, the minimum requirement is segmentation between the front-end and back-end systems. However, further subdivision in the backend is also strongly recommended to increase the security level.

E
Systems protection

In order to counteract the risk of unauthorized access or data flows, whether from the company's own network or from a third-party network, state-of-the-art devices must be installed, in particular firewalls on IT/NT systems. These firewalls must be kept in an active state at all times, regardless of whether they are operated on the hardware, the network or host-based. It must be ensured that it is not possible for the users of the systems to deactivate or bypass them. If communication relationships have not been active for some time, they must be automatically blocked if they are not currently required for tasks.

To effectively counter potential intrusion points of unauthorized access, the backend systems must be hardened to protect personal data in accordance with the state of the art.

F
Logging regarding interfaces

A record of all interfaces to other IV procedures must be kept including the following information: Types of personal data; Direction of data transmission (received / sent); Purpose of transmission; Export destination of data (IV procedure or interface); Authentication procedure of the interface; Transmission protection (e.g. encryption).

In particular, import and export interfaces from and to files must be documented, as well as their technical and organizational protection during use. At the same time, data migrations must also be recorded as interfaces.

G
System identifiability

Ensure that each IT/NT system is provided with an assignable and traceable identifier to prevent personal data from being received by unauthorized systems acting as a substitute, in particular by only faking their authorization.

H
Secure data storage

Secure data storage facilities for personal data with a high level of protection must be set up. These and corresponding backups must be encrypted.

I
Preferences regarding caching

If temporary caches are present (especially browser caches or TEMP folders in the operating system), they must be set up so that they are automatically deleted either immediately after closing or before the application or operating system is executed again. The same applies to any screen data or browser cookies, which must be deleted at least every 24 hours.

J
Access to local caches

It must be prevented that an access to customer data, which is located on local temporary storage devices or databases of the customer, takes place with an objective or application not approved by the customer. If possible, this must also be ensured technically.

K
Use of mobile data carriers

With regard to the frequent loss of mobile data carriers, their use must be avoided. If it is nevertheless necessary, the scope of use must be defined and technical encryption of the personal data must be ensured. As soon as the data is no longer required for processing, it must be deleted from the mobile data medium without delay. In addition, mobile data carriers must be protected against possible loss, including by criminal means (lockable containers, cable locks, etc.).

L
Logging & storage of mobile data media

Qualified management of the mobile data carriers shall ensure that a log is kept of the number, the scope of tasks and the processing of personal data carried out in each case. In addition, care must be taken to ensure safekeeping until destruction, and the general inventory must be checked. The necessary safeguarding of the storage in a monitored area shall be ensured. If the fulfillment of tasks makes this necessary, security cabinets are to be used for secure storage (e.g., data safes). Any duplication made must be recorded and stored in an audit-proof manner for up to 3 months after completion of the task.

M
Shipping of mobile data carriers

Procedures on packaging and shipping in the course of a transport of personal data via mobile data carriers shall be established. The security requirements of the data being sent must be taken into account. In any case, personal data must be encrypted before being sent. In addition, persons who are authorized to send personal data shall be designated. The dispatch is always prepared and documented by two persons together. If shipping companies are used, they must first be approved by the client. Exceedingly large amounts of personal data in the context of more than 250,000 data records must be tracked in the course of the transport. In general, the handover to the transport company must be recorded. After the shipment has been carried out, the data sets must be checked for completeness and integrity.

N
Collecting and deleting mobile data or information carriers

For data carriers that contain personal data or information carriers in paper form, a procedure must be set up that records their collection, disposal and destruction or deletion. This procedure contains explicit instructions on how a secure collection is to be set up and how internal holding, storage, transport and destruction are to be carried out. With regard to deletion, rapid measures are to be taken, if possible still at the workplace itself, so that there is no further intermediate storage, which in turn reduces the group of people coming into contact with the data and thus the risk of unauthorized access. Employees should be made familiar with the above procedure as emphatically as possible.

O
data protection-

compliant deletion & its recording

If data carriers have not been encrypted but are still intended for internal use or are to be transferred to a third party, they must first be deleted in accordance with data protection requirements. Formatting alone is not a sufficient means of doing this. Alternative procedures for the complete deletion of the data carriers must be used, which make it impossible to recover the deleted data or only possible under the most difficult circumstances.

If personal data or data carriers containing such data are permanently deleted in accordance with the above rules, this must be recorded and kept available for review for a period of at least 3 months.

V.

Input control
It must be possible to subsequently trace the entry, modification or removal of personal data in the systems and the persons responsible for this.

A
Input authorization &

-logging

Entries in data processing systems may only be made by persons authorized to do so. It must be recorded who is authorized to make entries and who bears responsibility.

All entries into the systems must be recorded and kept in an audit-proof manner for up to 3 months.

VI.

Order control
In order to ensure that personal data is only used in accordance with the client's specifications when executing an order, an order control must take place.

A
Instructions to contractors

In order to enable the Client to issue instructions, the persons designated to receive or implement such instructions on the part of the Contractor shall be specified and, if necessary, illustrated on the basis of the Contractor's hierarchy of responsibilities. Before the start of the order or in case of changes on the part of the Contractor, the Customer shall be informed of the (new) person authorized to receive such instructions. The person designated by the Contractor shall present the Client with the authorization to receive instructions. The same applies in principle during the implementation of the instructions.

B
Execution of the order & its logging

During the execution of the order, the stipulated specifications must be adhered to. For further contractually binding extensions of the original order, the text form (written, fax, email and ticket system) is to be provided. Verbal agreements are invalid. As a matter of principle, a schedule of the order shall be drawn up in cooperation with the client prior to the start of the execution. If there are any disruptions in the execution of the order, whether due to interruptions in the operational process, indications of a violation of the data protection requirements or other errors or peculiarities with regard to personal data, the Customer shall be notified thereof as soon as possible and the Contractor shall be obligated to remedy the same.

After completion of the order, an orderly transfer of the results as well as the proper handling of data or documents exchanged in the meantime shall be ensured.

It must be ensured on the basis of the contractor's records that the client can follow up the execution of the order and check the necessity of individual steps as well as the actions taken in accordance with the client's specifications. In any case, the client or customer, the respective process including exact specifications regarding the processing of data, the executing processors as well as the schedule must be recorded.

C          
Concrete behavioral requirements for contractors

In principle, the Contractor is obliged to ensure the level of data protection security required by the General Data Protection Regulation in the course of the order. The Contractor shall not perform any unsupervised maintenance or support. He shall be allowed access to the respective system via activation by the Customer. In doing so, the client must be enabled to control the execution of the order via its monitors (client view). META data of the order execution must be logged. Customer data may not be created by the client either directly or as an image file or similar recordings of data to which he has access.
 

D
Control by client

The Customer shall be authorized to check the Contractor's compliance with the requirements described in this catalog of measures after prior notice, which must always be given a reasonable period of time in advance.

VII.

Availability control

Protection against accidental destruction or loss must be ensured.

A
Recovery option

Data shall be backed up at specified intervals to prevent its sudden loss. For this purpose, the Customer shall appoint a person who, by means of a backup concept, shall create the possibility of restoring lost data after their loss with a proportionate expenditure of time.

B
Emergency arrangements

If there is an internal or external, intended attack on personal data or a suspension of data processing, the Client must be informed of this as soon as possible. In order to minimize or completely avert possible damage, an emergency plan must be followed if there are indications of a threat. This plan must specify how to proceed in this situation and which departments at the Customer must be informed.

In order to be able to guarantee data security in emergency situations, existing emergency power generators or surge protection devices must be checked on a regular basis. In addition, general parameters for the operation of the systems must be constantly monitored.

Backups must be stored in special data security cabinets protected against fire and water damage.

VIII.

Separation requirement
Where data have been collected for different purposes, it must be possible to process them separately.commandment.

A
Scope of data collection

Data shall only be collected to the extent necessary for the objective of the order or an individual part of the order. The same applies to storage and processing. Even after the above steps have been taken, the objective of handling personal data will always be to fulfill the order.

B  
Separation processing / storage

It must be stipulated that the storage, modification, deletion or transfer of data must be separated from the storage of data or data carriers.

IX.

Organization Control
Fundamentally, data protection in the company must be integrated into the organization as such as follows

A
Procedure regarding processing

Procedures for the processing of data must be described, applied and controlled with regard to processing.

B
Trainings

The personnel who come into contact with personal data or are otherwise involved in the order must be trained. The following subject areas of data protection must be covered.

 - The fundamental importance of data protection in the company and the implementation of technical and organizational measures.

1. the obligation to maintain data secrecy and to maintain silence about company or business secrets.
2. The need for considerate and dutiful handling of the personal data received or associated data carriers.
3. Secrecy of telecommunications §88 TKG
4. if given, stricter obligations with regard to Confidentiality
5. If applicable, stricter obligations with regard to other regulations concerning the handling of personal data from the contract or this requirement.

Training shall be conducted at intervals of no more than 2 years and through supportive measures commensurate with the importance of the assignment.

C
Tasks/

Separation of roles

A distinction must be made between two types of roles in the execution of the order or data processing/IT use. On the one hand, the order execution or IT use must be prepared or accompanied (work preparation, data follow-up, operating, programming, network administration, rights management, auditing), and on the other hand, the previously provided applications must be used for execution (e.g., specialist responsible, IT application supervisor, data entry clerk, clerk, payment order authorizer, ...). These two tasks must not be occupied by the same person in the distribution of tasks.
Following the allocation of tasks, roles must be designed in such a way that it is clear which subtasks may not be occupied by the same person. As a rule, this follows from the activity as such, the requirements of this catalog and other requirements of the legislator. As a rule, it is not possible to combine operational and control roles. Based on this separation of roles, the roles must be assigned to individual persons. The role assignment must also include provisions for situations in which persons must be represented.

D
External

The above measures must be applied without restriction to external persons. They must observe the requirements regarding access to rooms with data processing equipment. They must be made aware of their obligation to maintain data and telecommunications secrecy and confidentiality. This must be done in the course of training external personnel. Anyone who only comes into the vicinity of the data or data processing systems at random is considered to be external. In contrast, subcontractors or other persons who are to have contact with personal data must be obligated to comply with these regulations.

E
Control of accesses via audits

The Contractor shall use internal audits to check the documentation of access to personal data at intervals of no more than two months. If irregularities occur, the client must be informed and the documentation must be stored in an audit-proof manner for 12 months after completion of the order.