Data Processing Schedule – Security

Notwithstanding any additional measures agreed to in the Contract, Safecall ensures that at least the following technical and organisational measures are in place:

1.  Confidentiality

1.1 Physical Access Control: No unauthorised access to data processing facilities, e.g.: magnetic or chip cards, keys, electronic door openers, facility security services and/or entrance security staff, alarm systems, video/CCTV systems.

1.2 Electronic Access Control: No unauthorised use of the data processing and data storage systems, e.g.: (secure) passwords, automatic blocking/locking mechanisms, two-factor authentication, encryption of data carriers/storage media.

1.3 Internal Access Control (permissions for user rights of access to and amendment of data): No unauthorised reading, copying, changes or deletions of data within the system, e.g. rights authorisation concept, need-based rights of access, logging of system access events.

1.4 Pseudonymisation (Article 32 Paragraph 1 Point a GDPR; Article 25 Paragraph 1 GDPR): The processing of personal data in such a way that the data cannot be associated with a specific data subject without the assistance of additional information, provided that this additional information is stored separately and is subject to appropriate technical and organisational measures.

2.  Integrity

2.1 Data Transfer Control: No unauthorised reading, copying, changes or deletions of data during electronic transfer or transport, e.g.: encryption, virtual private networks (VPN), electronic signature.

2.2 Data Entry Control: Verification of whether and by whom personal data is entered into a data processing system, changed or deleted, e.g.: logging, document management.

3.  Availability and Resilience

3.1 Availability Control: Prevention of accidental or wilful destruction or loss, e.g.: backup strategy (online/offline; on-site/off-site), uninterruptible power supply (UPS), virus protection, firewall, reporting procedures and contingency planning.

3.2 Rapid Recovery (Article 32 Paragraph 1 Point c GDPR).

4.  Third Party Processing

4.1 No third-party data processing without corresponding instructions from Safecall, e.g.: clear and unambiguous contractual arrangements, formalised order management, strict controls on the selection of the service provider, duty of pre-evaluation, supervisory follow-up checks.