Technical and Organizational Measures (Art. 32 GDPR)
LoyJoy GmbH implements the following technical and organizational measures (TOMs) to ensure compliance with the provisions of the General Data Protection Regulation (GDPR). This document forms Annex 1 to the Data Processing Agreement (DPA).
Confidentiality (Art. 32(1)(b) GDPR)
Physical access control
Measures suitable to prevent unauthorized persons from gaining access to data processing facilities where personal data are processed or used.
Technical measures
- Manual locking system
- No operation of own data centers
Organizational measures
- Key management / key register
- Visitors accompanied by employees
System access control
Measures suitable to prevent data processing systems (computers) from being used by unauthorized persons. System access control refers to preventing the unauthorized use of data processing systems.
Technical measures
- Login with email address and access token
- Login with a FIDO2 hardware security key
- Firewall
- Encryption of storage media
- Encryption of smartphones
- Automatic desktop lock
- Encryption of laptops/tablets
- Management of endpoints via Mobile Device Management
- Blocking access to the LoyJoy Platform after too many failed attempts
Organizational measures
- Managing user permissions
- Creating user profiles
- “Clean desk” policy
- Visitors accompanied by employees
- General data protection and/or security policy
- Instruction to lock the screen manually when leaving the workstation
- Use of external storage media prohibited by policy
Data access control
Measures to ensure that persons authorized to use a data processing system can access only the data that are subject to their access authorization, and that personal data cannot be read, copied, modified, or removed without authorization during processing, use, and after storage.
Technical measures
- Logging of access to applications, specifically on input, modification, and deletion of data
Organizational measures
- Use of authorization concepts
- Process for granting and revoking permissions
- Minimal number of administrators
- Administration of user rights by administrators
Separation control
Measures to ensure that data collected for different purposes can be processed separately.
Technical measures
- Separation of production and test environments
- Physical separation (systems / databases / data carriers)
- Multi-tenancy capability of the relevant applications, including those operated by service providers
Organizational measures
- Control via authorization concept
- Definition of database rights
Pseudonymization (Art. 32(1)(a) GDPR; Art. 25(1) GDPR)
Processing personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to appropriate technical and organizational measures.
Technical measures
- Pseudonymization: separation of mapping data and storage in a separate and secured system
Organizational measures
- Internal instruction to anonymize/pseudonymize personal data, where possible, in the event of disclosure or after expiry of statutory retention/deletion periods
Integrity (Art. 32(1)(b) GDPR)
Transfer control
Measures to ensure that personal data cannot be read, copied, modified, or removed without authorization during electronic transmission or transport or during storage on data carriers, and that it can be verified and established to which entities a transmission of personal data is envisaged via data transmission facilities.
Technical measures
- Logging of access and retrievals
- Data transfer exclusively via encrypted connections (e.g. SFTP, HTTPS)
- Patches and updates are applied automatically to the LoyJoy infrastructure. Automated updates are enabled on employees’ devices. Effectiveness is reviewed regularly.
- Only encrypted Wi-Fi networks (at least WPA2) are used.
- Use of cryptographic protection (encryption with integrity checks) to ensure the integrity of data, software, and IT systems in accordance with the state of the art
Organizational measures
- Use of external storage media (e.g. USB drives, external hard drives) is prohibited by internal policy.
- Use of unauthorized file sharing platforms and cloud storage services is prohibited by internal policy. Data exchange is conducted exclusively through company-approved and encrypted channels.
Input control
Measures to ensure that it can be subsequently verified and established whether and by whom personal data have been entered into, modified in, or removed from data processing systems.
Technical measures
- Technical logging of the entry, modification, and deletion of data
Organizational measures
- Traceability of entry, modification, and deletion of data through individual user IDs
- Assignment of rights to enter, modify, and delete data based on an authorization concept
Availability and resilience (Art. 32(1)(b) GDPR)
Availability control
Measures to ensure that personal data are protected against accidental destruction or loss.
Technical measures
- Fire and smoke detection systems
- Automatic availability monitoring with notification in case of unavailability
- All company computers are equipped with malware protection
Organizational measures
- No operation of own data centers
- Documented backup & recovery concept
- Storage of backup media in a secure location outside the server room
- Emergency plans
Rapid recoverability (Art. 32(1)(c) GDPR)
Rapid recoverability is ensured through the comprehensive measures of our sub-processors in line with current technical standards.
In the event of permanent unavailability of a sub-processor, the processor will, after a reasonable period, migrate operations to an alternative cloud service provider. If the processor itself is responsible for the unavailability, mitigation measures are initiated without delay.
Technical measures
- Automated, regular backups of databases and application data
- Redundant storage of data across multiple availability zones of the cloud provider
- Monitoring and automated alerting in case of disruptions
Organizational measures
- Business continuity plans with defined responsibilities and escalation procedures
- Regular review of sub-processors regarding their recovery capabilities
Procedures for regular review, assessment, and evaluation (Art. 32(1)(d) GDPR; Art. 25(1) GDPR)
Data protection management
Technical measures
- A review of the effectiveness of the technical protective measures is conducted at least annually
- Our infrastructure provider, Google Cloud EMEA, holds ISO 27001 and PCI DSS certifications.
Organizational measures
- Employees are trained and bound to confidentiality/data secrecy
- Regular employee awareness-raising, at least annually
- Data Protection Impact Assessments (DPIAs) are carried out as needed
- The organization complies with the information obligations under Art. 13 and 14 GDPR
- A formalized process for handling data subject access requests is in place
Incident response management
Measures to support the detection of and response to security breaches.
Technical measures
- Use of a firewall and regular updates
- Use of a spam filter and regular updates
Organizational measures
- Documented process for detection and reporting of security incidents/data breaches (including reporting obligations to supervisory authorities)
- Documented procedures for dealing with security incidents
- Documentation of security incidents and data breaches, e.g., via a ticket system
- Formal process and assigned responsibilities for the follow-up of security incidents and data breaches
Privacy-friendly default settings (Art. 25(2) GDPR)
Technical measures
- No more personal data are collected than are required for the respective purpose
- Easy exercise of the data subject’s right of withdrawal through technical measures
Processor control
Measures to ensure that personal data processed on behalf of a controller are processed only in accordance with the controller’s instructions.
Technical measures
- Technical enforcement of tenant-specific permissions, ensuring that access to personal data is limited to the scope of the respective processing order
- Technical implementation of automated deletion routines after expiry of defined retention periods
- API-based data exchange with controllers exclusively through authenticated and encrypted interfaces
Organizational measures
- Prior review of the security measures implemented by the processor and documentation thereof
- Selection of the processor with due diligence (especially regarding data protection and data security)
- Conclusion of the necessary data processing agreement and/or EU Standard Contractual Clauses
- Commitment of the processor’s employees to confidentiality
- Obligation for the processor to appoint a Data Protection Officer where required
- Ensuring the destruction of data after the end of the engagement