Notwithstanding any additional measures agreed to in the Contract, Safecall ensures that at least the following technical and organisational measures are in place:
1.1 Physical Access Control: No unauthorised access to data processing facilities, e.g.: magnetic or chip cards, keys, electronic door openers, facility security services and/or entrance security staff, alarm systems, video/CCTV systems.
1.2 Electronic Access Control: No unauthorised use of the data processing and data storage systems, e.g.: (secure) passwords, automatic blocking/locking mechanisms, two-factor authentication, encryption of data carriers/storage media.
1.3 Internal Access Control (permissions for user rights of access to and amendment of data): No unauthorised reading, copying, changes or deletions of data within the system, e.g. rights authorisation concept, need-based rights of access, logging of system access events.
1.4 Pseudonymisation (Article 32 Paragraph 1 Point a GDPR; Article 25 Paragraph 1 GDPR): The processing of personal data in such a way that the data cannot be associated with a specific data subject without the assistance of additional information, provided that this additional information is stored separately and is subject to appropriate technical and organisational measures.
2.1 Data Transfer Control: No unauthorised reading, copying, changes or deletions of data during electronic transfer or transport, e.g.: encryption, virtual private networks (VPN), electronic signature.
2.2 Data Entry Control: Verification of whether and by whom personal data is entered into a data processing system, changed or deleted, e.g.: logging, document management.
3. Availability and Resilience
3.1 Availability Control: Prevention of accidental or wilful destruction or loss, e.g.: backup strategy (online/offline; on-site/off-site), uninterruptible power supply (UPS), virus protection, firewall, reporting procedures and contingency planning.
3.2 Rapid Recovery (Article 32 Paragraph 1 Point c GDPR).
4. Third Party Processing
4.1 No third-party data processing without corresponding instructions from Safecall, e.g.: clear and unambiguous contractual arrangements, formalised order management, strict controls on the selection of the service provider, duty of pre-evaluation, supervisory follow-up checks.