1: Objective
The purpose of the data protection policy is to consolidate the legal aspects regarding data protection into a single summary document. It can also serve as a basis for legal inspections related to data protection, for example by clients in the area of commissioned processing. This is not only to ensure compliance with the General Data Protection Regulation (GDPR) but also to provide proof of compliance.
2: Preamble
A brief description of the company and the motivation to uphold data protection.
3: Security Policy and Company Responsibilities
- For a company, in addition to the existing corporate objectives, the overarching data protection objectives must be defined and documented. Data protection objectives are derived from the data protection principles and should be tailored individually to each company.
- Determining roles and responsibilities (e.g., company representatives, operational data protection officers, coordinators or data protection teams, and operational managers).
- Commitment to the continuous improvement of a data protection management system.
- Training, awareness, and obligation of employees.
4: Legal Framework within the Company
- Legal or industry-specific rules for handling personal data.
- Requirements of internal and external parties.
- Applicable laws, possibly with special local regulations.
5: Documentation
- Conducted internal and external audits.
- The need for data protection: determining the protection requirements regarding confidentiality, integrity, and availability.
6: Existing Technical and Organizational Measures
Appropriate technical and organizational measures must be implemented and justified, taking into account, among other factors, the purpose of the processing, the state of the art, and the implementation costs.
The description of the implemented technical and organizational measures can be based, for example, on the ISO/IEC 27002 framework, taking into account ISO/IEC 29151 (guidelines for the protection of personal data). The respective chapters should be justified by referencing existing guidelines.
Examples of such guidelines include:
- Guidelines on the rights of data subjects
- Access control
- Information classification (and handling)
- Physical and environmental security for end users, such as:
  - Permitted use of assets
  - Guidelines for information transfer based on the working environment and screen locking
  - Mobile devices and telecommunications
  - Restrictions on the installation and use of software
- Data backup
- Information transfer
- Protection against malware
- Addressing technical vulnerabilities
- Cryptographic measures
- Communication security
- Confidentiality and protection of personal information
- Supplier relationships: inspection and periodic assessment of the data processing, in particular of the effectiveness of the implemented technical and organizational measures.