Appendices:
Appendix 1: Type and purpose of processing, type of data, group of data subjects
Appendix 2: Technical and organisational measures
Company address: Taskworld Deutschland GmbH, c/o WeWork, Hermannstraße 13, 20095 Hamburg, Germany
First and last name: Fred Mouawad
Position: Managing Director
Date: 25th May, 2018
Appendix 1 - Type and purpose of processing, type of data, group of data subjects

Affected persons and groups of persons, in particular:
- Users of the software solution provided
- Contractual partners of the Client
- Employees of the Client
- Prospective clients.

Type of data or categories of data, in particular:
- Person master data
- Communication data (e.g. telephone, e-mail)
- Contract master data
- Contract billing and payment data
- Customer history
- Planning and control data.

Recipients:

Type and purpose of processing: Provision of software with storage space via the Internet; provision of IT services, in particular support services.
Appendix 2 - Technical and organisational measures
Note: Taskworld Deutschland GmbH (hereinafter referred to as “Taskworld”) processes personal data within the scope of this contract exclusively for the fulfilment of service and support obligations arising from the service agreement. All data is stored on the Amazon Web Services platform (see clause 5.2 of the contract; hereinafter referred to as the “AWS platform”). Taskworld accesses the data via a laptop or desktop computer provided for this purpose through the employee entrusted with the service provision. A contract exists between Taskworld and Amazon Web Services, Inc. regarding the use of the Amazon Web Services service. Detailed information from Amazon, Inc. regarding Amazon, Inc.’s compliance with the data protection requirements can be found at https://aws.amazon.com/compliance/gdpr-center/?nc1=h_ls. In the following, the technical and organizational measures of Taskworld are described.
Confidentiality (Art. 32 para. 1 lit. b GDPR)

Access control
No unauthorized access to data processing equipment:
- The only computer with access to the Client’s data shall be kept in locked rooms.
- Access to these rooms is only granted to the employee responsible for support as long as the computer is switched on.
- The computer is additionally secured by a Kensington lock.
- Only the employee responsible for support has a key to the Kensington lock.

Data media control
No unauthorized reading, copying, modification or deletion of data media:
- External data media used for data backup are stored separately and secured by an additional lock.
- Only employees have the key to the data medium.

Access, storage and user control
No unauthorized reading, copying, modification or deletion within the system:
- Only one computer shall be set up with access to the Customer’s data, which shall be used exclusively for the purpose of providing support services for the Contractor’s software solution.
- This computer is secured with a qualified password consisting of at least 8 characters, including at least one special character and one number.
- The password is changed every 2 months.
- If the employee is absent from the computer, the password lock is activated immediately.
- External backup copies on data media are also password protected.
- The same password must not be used for the computer and the data carrier.
- Access to data processing systems is permitted only to the employee responsible for support.
- This is ensured by a user profile with password protection.
- There are no further authorizations for accessing data processing systems.

Separability
Separate processing of data collected for different purposes:
- The data of the Client is accessed exclusively within the scope of the order and for the purpose of the support service.
- The Contractor’s employee providing support processes the Client’s data separately from other data. This is ensured by setting up client accounts.
Integrity (Art. 32 para. 1 lit. b GDPR)

Transport control
No unauthorized reading, copying, modification or removal during electronic transmission or transport:
- Data are transmitted/transferred exclusively encrypted and via German servers.
- A transmission/transfer to external data media is carried out exclusively via protected local connections.
- Each transmission of data is logged.
- A transmission/transfer is carried out only for the purpose of backup or for data processing in accordance with the order.

Input control
Checks to determine whether and by whom personal data have been entered into the data processing systems, or modified, or removed:
- Only one employee of the Contractor is entrusted with the processing of personal data of the Client within the scope of support.
- The employee logs every data entry, change or removal.
- The logs are summarized for each support process and processed in a suitable manner for subsequent review.
- The processed logs are made available to the Client on request.

Data integrity
No damage to data due to system malfunctions:
- The integrity of the data is guaranteed by external backup copies on data media.
- Data processing systems shall be set up within the framework of technical facilities in such a way as to prevent damage to or loss of data.
Availability and Resilience (Art. 32 para. 1 lit. b GDPR)

Availability control
Protection against accidental or deliberate destruction or loss:
- The computer used for the support services is equipped with virus protection and a firewall, which are constantly updated.
- To back up the data, a backup is created at regular intervals on an external data medium.
- The uninterruptible power supply to the computer and the availability of the data are ensured by using modern hardware, which is maintained regularly.

Rapid recoverability (Art. 32 para. 1 lit. c GDPR):
- After a malfunction of the data processing systems, all system components are immediately checked for errors and it is determined whether data has been damaged.
- If the data has been damaged or lost, the data will be recovered from an external data carrier.
- A report on the extent and remedy of the failure will be prepared for future reference.

Reliability
Availability of all functions of the system and error messages:
- All data processing systems are regularly updated, checked for errors and maintained. There are regular checks whether the systems used correspond to the current technical standard.
Procedures for Regular Review, Assessment and Evaluation (Art. 32 para. 1 lit. d GDPR; Art. 25 para. 1 GDPR)

Data protection management:
- All employees of the Contractor are informed about data protection topics and obliged to comply with data protection regulations.
- The Contractor’s management shall verify at regular intervals whether the internal procedures comply with data protection requirements and shall take appropriate measures to ensure this. The management is continuously advised by a lawyer on data protection aspects.
- Access to the Client’s data by the Contractor’s employees shall take place exclusively within Germany and via German servers.

Incident-response management:
- In the event of a security incident that could affect the data processing systems, the Contractor’s management shall be informed immediately by their employees.
- If a security incident is suspected, a data backup is performed on a separate data medium after each data entry or change.

Data protection-friendly default settings (Art. 25 para. 2 GDPR):
- When selecting the hardware and software used, the Contractor shall ensure that they are compatible with the requirement of data minimisation.
- When software is installed, components which are not necessary for the use of the software and which can lead to an impairment of the Client’s data are not used.

Order control
No order data processing within the meaning of Art. 28 GDPR without corresponding instructions from the Client:
- The Contractor’s employee shall be contractually obliged to process the data in accordance with the Client’s instructions.
- The powers of the Contractor shall be clearly and exhaustively regulated by contract.
- Orders and support requests are documented in text form in order to be able to trace the order situation later.
- The employee responsible for support maintains direct contact with the Client.