Field Effect

Data processing addendum

This DATA PROCESSING ADDENDUM (“DPA”) sets out the additional terms, requirements, and conditions on which Field Effect Software Inc. (“Field Effect”) will obtain, handle, process, disclose, transfer, or store Personal Data when providing services to the Customer or Authorized Partner, as applicable, under Field Effect MDR™ – Terms of Service or other written or electronic agreement between Field Effect and Customer or Authorized Partner, as applicable, (the “Agreement”) for the purchase of services as set out in the Agreement (“Services”) and is incorporated into, and is subject to the terms and conditions thereof. This DPA applies when Personal Data is processed by Field Effect. The parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith. For the purposes of this DPA, where the meaning of the clause indicates that the clause should apply to both the Customer and the Authorized Partner, then such clause shall be interpreted to include both.

  1. Definitions
    1. All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement. Those terms not defined herein or in the Agreement but defined in the GDPR shall have the same meaning as in the GDPR, except as modified by the UK GDPR, where that act applies herein.
      1. “Business Purpose” means the Services described in the Agreement or any other purpose specifically identified in the Agreement.
      2. “Data Subject” means an individual who is the subject of the Personal Data and to whom or about whom the Personal Data relates or identifies, directly or indirectly.
      3. “Data Protection Laws” means all data protection or privacy laws and regulations applicable to the processing of Personal Data under the Agreement, including but not limited to the (i) GDPR; (ii) UK GDPR; (iii) Canada’s federal Personal Information Protection and Electronic Documents Act (PIPEDA); (iv) the Quebec Act Respecting the Protection of Personal Information in the Private Sector; (v) any national data protection laws made under or pursuant to the GDPR; and (vi) the EU e-Privacy Directive (Directive 2002/58/EC); in each case as may be amended, superseded or replaced.
      4. “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
      5. “Personal Data” means any information Field Effect processes for the Customer or Authorized Partner that (1) identifies or relates to an individual who can be identified directly or indirectly from that data alone or in combination with other information in Field Effect’s possession or control or that Field Effect is likely to have access to, or (2) the relevant Data Protection Laws otherwise define as protected personal data.
      6. “processing, processes, and process” means any activity that involves the use of Personal Data, or as the relevant Data Protection Laws may otherwise define the terms processing, processes, or process. It includes obtaining, recording, or holding the data, or carrying out any operation or set of operations on the data including organizing, amending, retrieving, using, disclosing, erasing, or destroying it. Processing also includes transferring Personal Data to third parties.
      7. “Security Breach” means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, or alteration of, or unauthorized disclosure of, or access to, Personal Data on systems managed or otherwise controlled by Field Effect.
      8. “Sensitive Data” means (a) social security number, tax file number, passport number, driver’s license number, or similar identifier (or any portion thereof); (b) credit or debit card number (other than the truncated form (last four digits) of a credit or debit card number); (c) employment, financial, credit, genetic, biometric or health information; (d) racial, ethnic, political or religious affiliation, trade union membership, information about sexual life or sexual orientation, or criminal record; (e) account passwords; or (f) other information that falls within the definition of “special categories of data” under applicable Data Protection Laws.
      9. “Standard Contractual Clauses” or “SCC” means the European Commission’s standard contractual clauses between controllers and processors for the transfer of Personal Data from the European Union to third countries (Module Two), as set out in the Annex to Commission Decision (EU) 2021/914 of 4 June 2021, provided the conditions for the use of those standard contractual clauses are met.
      10. “Sub-processor” means any processor engaged by Field Effect or its affiliates to assist in fulfilling its obligations with respect to providing the Services. Sub-processors may include third parties or affiliates of Field Effect but shall exclude Field Effect employees, contractors, or consultants.
      11. “UK GDPR” means the GDPR as it forms part of United Kingdom (“UK”) law by virtue of section 3 of the UK European Union (Withdrawal) Act 2018.
    2. The terms “Controller” and “Processor” as used in this DPA have the meanings given in the GDPR irrespective of which Data Protection Laws apply.
  2. Purpose and Scope
    1. Field Effect and Customer or Authorized Partner, as the case may be (each a “party” and together the “Parties”) have entered into this DPA in order to: i) acknowledge that Field Effect and/or its affiliates are a Processor of Personal Data under the Data Protection Laws; ii) acknowledge that Customer is a Controller of Personal Data under the Data Protection Laws; iii) acknowledge that Authorized Partner may act as Controller (both for its Personal Data and that of the Customer) or Processor of Customer’s Personal Data (in which context Authorized Partner will assume the rights and obligations of the Controller under this DPA and all references to “Customer” shall apply to Authorized Partner, as appropriate); iv) agree that each party will comply with its legal obligations under Data Protection Laws with respect to processing of Personal Data.
    2. This DPA applies to the processing of Personal Data as specified in Annex I in conjunction with the Agreement between Customer and Field Effect. Annexes I to III are an integral part of this DPA. This DPA is without prejudice to obligations to which Customer or Authorized Partner is subject by virtue of the GDPR.
  3. Personal Data Types and Processing Purposes
    1. Field Effect is not a Controller of Personal Data it processes. The Controller of the Personal Data shall continue to be the Customer (or Authorized Partner, as applicable under s. 2.1) and such party, as applicable, retains control of the Personal Data and remains responsible for its compliance obligations under the applicable Data Protection Laws, including providing any required notices and obtaining any required consents, and for the processing instructions it gives to Field Effect.
    2. Annex I describes the general Personal Data categories and Data Subject types Field Effect may process to fulfil the Business Purposes of the Agreement.
  4. Field Effect’s Obligations, Customer Compliance and Instructions
    1. Field Effect will only process the Personal Data to the extent, and in such a manner, as is necessary for the Services, as specified in Annex I, and in accordance with the Customer’s documented instructions, unless required to do so by applicable law to which Field Effect is subject (“Permitted Purpose”). In this case, Field Effect shall inform Customer of that legal requirement before processing, unless the applicable law prohibits this on important grounds of public interest. The parties agree that the Agreement, including this DPA, along with the Customer’s configuration of or use of any settings, features, or options in the Service (as the Customer may be able to modify from time to time) constitute the Customer’s complete and final instructions to Field Effect in relation to the processing of Personal Data (including for the purposes of the SCCs), and processing outside the scope of these instructions (if any) shall require prior written agreement between the Parties. It is however agreed that Field Effect may generate anonymized data from Personal Data (and then use such anonymized data for its own purposes).
    2. Subsequent instructions may also be given by Customer throughout the duration of the processing of Personal Data. These instructions shall always be documented. Field Effect will not process the Personal Data for any other purpose or in a way that does not comply with this DPA or Data Protection Laws. Field Effect must promptly notify the Customer if, in its opinion, instructions given by Customer infringe the GDPR.
    3. Field Effect will promptly comply with any Customer request or instruction requiring Field Effect to amend, transfer, or delete the Personal Data, or to stop, mitigate, or remedy any unauthorized processing.
    4. Field Effect will reasonably assist the Customer with meeting the Customer’s compliance obligations under the Data Protection Laws, while also considering the nature of Field Effect’s processing and the information available to Field Effect.
    5. Field Effect shall only process the Personal Data for the duration specified in Annex I.
    6. The Customer acknowledges that Field Effect is under no duty to investigate the completeness, accuracy, or sufficiency of any specific Customer instructions or the Personal Data other than as required under the Data Protection Laws.
    7. Customer represents and warrants that (i) it has complied, and will continue to comply, with all applicable laws, including Data Protection Laws, in respect of its processing of Personal Data and any processing instructions it issues to Field Effect; and (ii) it has provided, and will continue to provide, all notice and has obtained, and will continue to obtain, all consents and rights necessary under Data Protection Laws for Field Effect to process Personal Data for the purposes described in the Agreement. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data. Without prejudice to the generality of the foregoing, Customer agrees that it shall be responsible for complying with all laws (including Data Protection Laws) applicable to the Personal Data or other content created, sent, or managed through the Service.
    8. Customer will ensure that Field Effect’s processing of the Personal Data in accordance with Customer’s written instructions will not cause Field Effect to violate any applicable law, regulation, or rule, including, without limitation, Data Protection Laws. Where Customer acts as a processor on behalf of a third-party controller (or other intermediary to the ultimate controller), Customer warrants that its processing instructions as set out in the Agreement and this DPA, including its authorizations to Field Effect for the appointment of Sub-processors in accordance with this DPA, have been authorized by the relevant controller. Customer shall serve as the sole point of contact for Field Effect and Field Effect need not interact directly with (including to provide notifications to or seek authorization from) any third-party controller other than through regular provision of the Service to the extent required under the Agreement. Customer shall be responsible for forwarding any notifications received under this DPA to the relevant controller, where appropriate.
  5. Security
    1. Field Effect shall, taking into account the nature of the Personal Data and the risks involved in the processing of same, implement appropriate technical and organizational measures designed to safeguard Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or unauthorized access (“Security Measures”). The Security Measures will have regard to the state of the art, the cost of implementation and the nature, scope, context and purposes of the processing and are listed in Annex II.
    2. Customer is responsible for its secure use of the Service, including securing its account authentication credentials, protecting the security of Personal Data when in transit to and from the Service, and taking any appropriate steps to securely encrypt or backup any Personal Data uploaded to the Service.
    3. Customer is responsible for reviewing the information made available by Field Effect relating to data security and making an independent determination as to whether the Service meets Customer’s requirements and legal obligations under Data Protection Laws. Customer acknowledges that the Security Measures are subject to technical progress and development and that Field Effect may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Service provided to Customer.
    4. Field Effect shall ensure that any persons authorized by Field Effect to process the Personal Data (including personnel, agents and subcontractors) shall be under the appropriate obligation of confidentiality (whether a contractual or statutory duty).
  6. Security Breach and Personal Data Loss
    1. Upon becoming aware of a Security Breach concerning data processed by Field Effect, Field Effect shall: (i) notify Customer without undue delay; (ii) provide timely information relating to the Security Breach as it becomes known or as is reasonably requested by Customer; and (iii) promptly take reasonable steps to contain and investigate any Security Breach. Field Effect’s notification of or response to a Security Breach under this Section 6.1 shall not be construed as an acknowledgment by Field Effect of any fault or liability with respect to the Security Breach.
    2. Notwithstanding the above, Customer agrees that except as provided by this DPA and the Agreement, Customer is responsible for its secure use of the Service.
  7. Documentation and Compliance
    1. Field Effect shall make available to Customer all information reasonably necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections by Customer in order to assess compliance with this DPA, all subject to the limitations set out in this Article 7. Customer acknowledges and agrees that it shall exercise its audit rights under this DPA (including this Section 7.1 and where applicable, the SCCs) and any audit rights granted by Data Protection Laws, by instructing Field Effect to comply with the audit measures described in Sections 7.2 and 7.3 below.
    2. Customer shall give Field Effect reasonable notice of any audit or inspection to be conducted, and any such audit or inspection will be conducted during Field Effect’s business hours. Customer shall make reasonable efforts to avoid or reduce disruption to Field Effect’s business operations during such audit activities. Customer shall comply with Field Effect’s policies while onsite, including its safety and security policies. Any audits and inspections shall be limited to the documentation relevant to the processing of Personal Data by Field Effect on behalf of Customer in delivering the Services and Customer will not be entitled to access Personal Data or Confidential Information of Field Effect or any other customer of Field Effect, nor to direct access to any computer or storage system, unless explicitly required by a supervisory authority. Any information coming into Customer’s possession as a result of such inspection or audit will be and remain the Confidential Information of Field Effect, and Customer will treat it accordingly. Customer shall be solely responsible for compliance with this s.7.2 by its auditors and other representatives. Customer may exercise this inspection and audit right no more frequently than once per calendar year, unless required by a supervisory authority. Customer will pay Field Effect’s reasonable costs incurred as a result of any such inspection or audit, unless that inspection or audit shows Field Effect to be in breach of the Agreement.
    3. Customer acknowledges that Field Effect is regularly audited against ISO standards by independent third party auditors and internal auditors respectively. Upon written request, Field Effect shall supply (on a confidential basis) a summary copy of its most current audit report(s) (“Report”) to Customer, so that Customer can verify Field Effect’s compliance with the audit standards against which it has been assessed and this DPA.
    4. In addition to the Report, Field Effect shall respond to all reasonable requests for information made by Customer to confirm Field Effect’s compliance with this DPA, including responses to information security, due diligence, and audit questionnaires, by making additional information available regarding its information security program upon Customer’s written request to security@fieldeffect.com provided that Customer shall not exercise this right more than once per calendar year.
    5. The Parties shall make the information referred to in this Section 7, including the results of any audits, available to the competent supervisory authority/ies on request.
  8. Sub-processors
    1. The Customer acknowledges and agrees that Field Effect may continue to use those Sub-processors already engaged as at the date of this DPA and may engage other Sub-processors in connection with the Services. Field Effect has or will enter into an agreement with each Sub-processor containing, in substance, data protection obligations no less protective than those in the Agreement with respect to the protection of Customer Data to the extent applicable to the nature of the Services provided by such Sub-processor.
    2. The list of Sub-processors currently engaged by Field Effect to process Personal Data for the Services is available at https://fieldeffect.com/terms-data-processing-agreement/sub-processors (the “Sub-processor List”). Customer hereby consents to these Sub-processors, their locations and processing activities as it pertains to their Personal Data. At Customer’s written request, Field Effect will provide Customer with any intended changes of that list. Customer shall be deemed notified of any change of Sub-processors upon any change being made (the “Notice Date”) to the Sub-processor List and any change of Sub-processors' own sub-processors upon any addition or replacement being made to the lists of Sub-processors' own sub-processors as set out in the web pages indicated on the Sub-processor list.
    3. If the Customer objects, on reasonable grounds, to the use of a new Sub-processor, it must do so by notifying Field Effect promptly of such reasons in writing within thirty (30) days of the Notice Date. Field Effect will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening Customer. If Field Effect is unable to make available such change within a reasonable period of time, which shall not exceed sixty (60) days, such Order Form(s) with respect only to those Services which cannot be provided by Field Effect without the use of the objected-to new Sub-processor shall terminate upon Field Effect’s written notice to the Customer. In such case, termination will result in no further liability between the parties, except as otherwise provided in the Agreement.
    4. Field Effect shall remain responsible for such Sub-processor’s compliance with the obligations of this DPA and for any acts or omissions of such Sub-processor that cause Field Effect to breach any of its obligations under this DPA. Field Effect is authorized to agree (or to have agreed to, in respect of any Sub-processor with whom it has already contracted) to reasonable limitations and qualifications in respect of the rights set out herein, including in respect of inspections and audits in the premises of sub-processors, appointment of processors by the sub-processors, confidentiality of commercial terms and liability limitation clauses, including those contained in the business terms of the entity(ies) on the Sub-processor List.
    5. Customer acknowledges and agrees that, where applicable, Field Effect fulfills its obligations under Clause 9 of the 2021 Controller-to-Processor Clauses by complying with this Section 8 and that Field Effect may be prevented from disclosing Sub-processor agreements to Customer due to confidentiality restrictions but Field Effect shall, upon request, use reasonable efforts to provide Customer with all relevant information it reasonably can in connection with Sub-processor agreements.
  9. International Transfers of Personal Data
    1. If, in the performance of the Services, Personal Data that is subject to the GDPR or UK GDPR is transferred to countries which do not ensure an adequate level of data protection within the meaning of the GDPR or UK GDPR, the mechanisms listed below shall apply to such transfers and can be directly enforced by the Parties to the extent such transfers are subject to the Data Protection Laws:
      1. where Customer is subject to the GDPR but the relevant Sub-processor is not established in the European Economic Area or a country or territory that ensures, at least for the sector in which it operates, an adequate level of protection within the meaning of Article 45 of the GDPR, entering into a data transfer agreement incorporating module 3 (processor-sub-processor) of the Standard Contractual Clauses for the transfer of Personal Data to third countries approved by the European Commission in its decision 2021/914 of 4 June 2021, provided the conditions for the use of those Standard Contractual Clauses are met; and/or
      2. where Customer is subject to the UK GDPR but the relevant Sub-processor is not established in the UK or a country or territory that is the subject of the adequacy regulations under Article 45(1) of the UK GDPR and Section 17A of the Data Protection Act 2018, entering into a data transfer agreement incorporating module 3 (processor-sub-processor) of the Standard Contractual Clauses for the transfer of Personal Data to third countries approved by the European Commission in its decision 2021/914 of 4 June 2021 together with the international data transfer addendum to the European Commission’s Standard Contractual Clauses for international data transfers (or alternatively the international data transfer agreement) issued under Section 119A of the UK's Data Protection Act 2018, provided the conditions for the use of said clauses are met.
    2. As of the version date of this DPA, Field Effect has no reason to believe that the laws and practices in any third country of destination applicable to its processing of the Personal Data as set forth in the Sub-processors List, including any requirements to disclose Personal Data or measures authorizing access by a public authority, prevent Field Effect from fulfilling its obligations under this DPA. If Field Effect reasonably believes that any existing or future enacted or enforceable laws and practices in the third country of destination applicable to its processing of the Personal Data ("Local Laws") prevent it from fulfilling its obligations under this DPA, it shall promptly notify Customer. In such a case, Field Effect shall use reasonable efforts to make changes to Customer’s configuration or use of the Services to facilitate compliance with the Local Laws without unreasonably burdening Customer. If Field Effect is unable to make available such change promptly, Customer may terminate the applicable Order Form(s) and suspend the transfer of Personal Data in respect only to those Services which cannot be provided by Field Effect in accordance with the Local Laws by providing written notice. In such case, termination will result in no further liability between the parties, except as otherwise provided in the Agreement.
  10. Complaints and Data Subject Rights Requests
    1. Field Effect must notify the Customer immediately if it receives any complaint, notice, or communication that relates directly or indirectly to the processing of the Personal Data or to either party’s compliance with the Data Protection Laws. It shall not respond to the request itself, unless authorized to do so by Customer.
    2. Field Effect will assist Customer in fulfilling its legal obligations as Controller to respond to data subjects’ requests to exercise their rights, taking into account the nature of the processing. In fulfilling its obligations in accordance with 10.1 and 10.2, Field Effect shall comply with Customer’s instructions unless prohibited by Data Protection Laws. In addition, Field Effect shall provide reasonable additional assistance to the Customer, to the extent possible, to enable Customer (or its third-party controller) to comply with its data protection obligations with respect to data subject rights under Data Protection Laws. Such assistance may also include:
    3. To the extent required under applicable Data Protection Laws, Field Effect shall (considering the nature of the processing and the information available to Field Effect) provide all reasonably requested information regarding the Service to enable Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by Data Protection Laws. Field Effect shall comply with the foregoing by: (i) complying with Section 7 (Documentation and Compliance); (ii) providing the information contained in the Agreement, including this DPA; and (iii) if the foregoing sub-sections (i) and (ii) are insufficient for Customer to comply with such obligations, upon request, providing additional reasonable assistance (at Customer’s expense).
  11. Term and Termination
    1. This DPA will remain in full force and effect so long as: (a) the Agreement remains in effect; or (b) Field Effect retains any Personal Data related to the Agreement in its possession or control.
    2. Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Agreement in order to protect Personal Data will remain in full force and effect.
    3. In the event that Field Effect is in breach of its obligations under this DPA, Customer may instruct Field Effect to suspend the processing of Personal Data until the latter complies with the DPA, or the Agreement is terminated. Field Effect shall promptly inform Customer in case it is unable to comply with this DPA, for whatever reason.
    4. Customer shall be entitled to terminate the Agreement as provided therein if:
      1. the processing of Personal Data by Field Effect has been suspended by Customer pursuant to s. 11.3 and Field Effect has failed to correct its non-compliance within one month following suspension;
      2. Field Effect commits a material breach with respect to a material obligation under this DPA and does not remedy that breach within thirty (30) days after receiving written notice of the breach;
      3. Field Effect fails to comply with a binding decision of a competent court regarding its obligations pursuant to this DPA.
    5. Field Effect shall be entitled to terminate the Agreement in accordance with the Agreement where, after having informed Customer that its instructions infringe applicable Data Protection Laws, Customer insists on compliance with the instructions.
    6. If a change in any Data Protection Laws or either party’s circumstances prevents a party from fulfilling all or part of its Agreement obligations, the parties will suspend the processing of Personal Data until that processing complies with the requirements. If the parties are unable to bring the Personal Data processing into compliance with the Data Protection Laws, they may terminate the Agreement upon written notice to the other party.
  12. Data Return and Destruction
    1. At the Customer’s request, Field Effect will give the Customer a copy of, or access to, the Customer’s Personal Data in its possession or control, in the format and, to the extent that Field Effect is able to reasonably accommodate the request, on the media specified by the Customer.
    2. Upon termination or expiration of the Agreement, Field Effect shall (at Customer’s election) delete or return to Customer all Personal Data (including copies) in its possession or control, except that this requirement shall not apply to the extent Field Effect is required by applicable law to retain some or all of the Personal Data, or to Personal Data it has archived on back-up systems, which Personal Data Field Effect shall securely isolate, protect from any further processing and eventually delete in accordance with Field Effect’s deletion policies, except to the extent required by applicable law. The parties agree that the certification of deletion of Customer Data described in Clause 8.5 and 16(d) of the 2021 Controller-to-Processor Clauses and 2021 Processor-to-Processor Clauses (as applicable) shall be provided by Field Effect to Customer only upon Customer’s written request. For the avoidance of doubt, nothing herein prevents Field Effect from keeping and using anonymized data generated from such personal data or from keeping evidence of performance of the Agreement that may incidentally contain processed personal data as necessary for Field Effect to be able to assert or defend its legal rights, until Field Effect is fully paid and the relevant limitation period for any claim for breach of contract against Field Effect has lapsed.
  13. Records
    1. Field Effect will keep detailed, accurate, and up-to-date records regarding any processing of Personal Data it carries out for the Customer, including but not limited to, the access, control, and security of the Personal Data, approved subcontractors and affiliates, and the processing purposes (the “Records”).
    2. Field Effect will ensure that the Records are sufficient to enable the Customer to verify Field Effect’s compliance with its obligations under this DPA.
  14. Limitation of Liability
    1. Each party’s and all of its affiliates’ liability taken together in the aggregate arising out of or related to this DPA (including the SCCs) shall be subject to the exclusions and limitations of liability set forth in the Agreement. Any claims made against Field Effect or its affiliates under or in connection with this DPA (including, where applicable, the SCCs) shall be brought solely by the Customer entity that is a party to the Agreement. In no event shall any party limit its liability with respect to any individual’s data protection rights under this DPA or otherwise.
  15. General Terms
    1. The Parties agree that this DPA shall replace any existing data processing agreement or similar document that the parties may have previously entered into in connection with the Service.
    2. The Annexes form part of this DPA and will have effect as if set out in full in the body of this DPA. Any reference to this DPA includes the Annexes. In the event of any conflict or inconsistency between this DPA and the Agreement, the provisions of the following documents (in order of precedence) shall prevail: (i) SCCs; then (ii) this DPA; (iii) the Annexes; and then (iv) the Agreement.
    3. Except for any changes made by this DPA, the Agreement remains unchanged and in full force and effect. This DPA cannot be modified without both Parties' consent, without prejudice to the possibility for Field Effect to update the list of sub-processors in accordance with the terms of this DPA.
    4. No one other than a party to this DPA, its successors and permitted assignees shall have any right to enforce any of its terms.
    5. This DPA is governed by the laws governing the Agreement, and the courts having exclusive jurisdiction over all matters arising out of or in connection with the Agreement will also have exclusive jurisdiction over all matters arising out of or in connection with this DPA, unless otherwise required by applicable Data Protection Laws. This DPA shall not be interpreted in a way that runs counter to the rights and obligations provided for in the GDPR or in a way that prejudices the fundamental rights or freedoms of Data Subjects.

ANNEX I

Description of Processing Activities

Categories of data subjects whose personal data is processed:

Any individual (whether clients, employees, suppliers or others) whose data is on Customer’s networks and systems

Categories of personal data processed:

Any personal data (identity, contact details, economic information, etc.) contained in Customer’s networks and systems which is provided, transmitted, displayed or made available by or through Field Effect’s managed cyber security monitoring service by the Controller or the Controller’s authorized users, and which is necessary to provide the cyber security service.

Sensitive data processed (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed organizational training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:

In general, none is expected to be included during provision of the cyber security monitoring service.

Nature of the processing:

Monitoring of Customer’s networks and systems for cyber security threats, vulnerabilities, and other information that could be used to compromise, degrade or otherwise negatively affect Customer’s equipment, data and operations.

Purpose(s) for which the personal data is processed on behalf of Customer (as Controller or as processor acting on behalf of the Controller):

Provision of cyber security monitoring services on Customer’s networks and systems.

Duration of the processing:

As a general rule, for the duration of the Agreement or such shorter period as may be agreed in the Agreement or that may be necessary to perform the services under the Agreement.

As an exception, the personal data contained in the following media may be stored until the latest of the periods set out above:

  • reports issued by Field Effect under the Agreement;
  • logins and diagnostics monitored under the Agreement.

ANNEX II

Technical and organizational measures to ensure the security of the data.

This ANNEX II sets out the description of the types of technical and organizational security measures that may be implemented by Field Effect in accordance with Section 5 of this DPA:

  1. Access control to premises and facilities
    1. Unauthorized access (in the physical sense) must be prevented.
    2. Technical and organizational measures to control access to premises and facilities, particularly to check authorization:
      1. Access control system: ID reader, magnetic card, chip card
      2. Door locking (electric door openers, etc.)
      3. Surveillance facilities: alarm system, video/CCTV monitoring
  2. Access control to systems
    1. Unauthorized access to IT systems must be prevented.
    2. Technical (ID/password security) and organizational (user master data) measures for user identification and authentication:
      1. Password procedures (incl. special characters, minimum length, change of password, two-factor authentication)
      2. Automatic blocking (e.g., lockout after repeated failed password attempts, or session timeout)
      3. Encryption of data, both at rest and in transit
      4. Two-factor authentication
  3. Access control to data
    1. Activities in IT systems not covered by the allocated access rights must be prevented.
    2. Requirements-driven definition of the authorization scheme and access rights, and monitoring and logging of accesses:
      1. Differentiated access rights (profiles, roles, transactions and objects) limiting access on a need-to-know basis
      2. Reports
      3. Use of professional and secure storage solutions
      4. Logging of access and (attempted) misuse
  4. Disclosure control
    1. Aspects of the disclosure of personal data must be controlled: electronic transfer, data transport, transmission control, etc.
    2. Measures to transport, transmit and communicate or store data on data media (manual or electronic) and for subsequent checking:
      1. Encryption/tunneling (VPN)
      2. Electronic signature
      3. Logging
      4. Transport security
  5. Input control
    1. Full documentation of data management and maintenance must be kept.
    2. Measures for subsequent checking of whether data have been entered, changed or removed (deleted), and by whom:
      1. Logging and reporting systems
  6. Availability control
    1. The data must be protected against accidental destruction or loss.
    2. Measures to assure data security (physical/logical):
      1. Backup procedures
      2. Mirroring of hard disks, e.g. RAID technology
      3. Uninterruptible power supply (UPS)
      4. Remote storage
      5. Anti-virus/firewall systems
      6. Disaster recovery plan
  7. Segregation control
    1. Data collected for different purposes must also be processed separately.
    2. Measures to provide for separate processing (storage, amendment, deletion, transmission) of data for different purposes:
      1. “Internal client” concept / limitation of use
      2. Segregation of functions (production/testing)