1. Introduction
1.1 Controller
The controller within the meaning of Art. 4 No. 7 of the EU General Data Protection Regulation (GDPR) is Dealcode GmbH, Ludwig-Erhard-Strasse 18, 20459 Hamburg, Germany, e-mail: datenschutz@dealcode.ai. The company is legally represented by Alexander Weltzsch (CEO) and Dennis Hilger (COO).
1.2 Data protection officer
Our Data Protection Officer is heyData GmbH, Schützenstraße 5, 10117 Berlin, www.heydata.eu, e-mail: datenschutz@heydata.eu.
1.3 Subject of the document
This document summarizes the technical and organizational measures taken by the controller within the meaning of Art. 32 (1) GDPR, i.e. the measures with which the controller protects personal data. Its purpose is to support the controller in fulfilling its accountability obligations under Art. 5 (2) GDPR.
2. Confidentiality (Art. 32 para. 1 lit. b GDPR)
2.1 Physical access control
The following implemented measures prevent unauthorized persons from gaining access to the data processing facilities:
- Automatic access control system
- Chip card/transponder locking system
- Manual locking system (e.g. key)
- Security locks
- Video surveillance of the entrances
- Bell system with camera
- Personal control at the gatekeeper or reception
- Key regulation / key book
- Visitors only accompanied by employees
- Careful selection of cleaning personnel
- Instruction to employees not to work in premises open to the public (e.g. cafés)
- Working from home: unauthorized persons do not have access to the employee's residence
- Working from home: employees are instructed, where possible, to work in a study separate from the living quarters
2.2 Data access control
The following implemented measures prevent unauthorized persons from accessing the data processing systems:
- Authentication with user and password
- Use of anti-virus software
- Firewall deployment
- Encryption of data carriers
- Automatic desktop lock
- User Permissions Management
- Creation of user profiles
- Use of two-factor authentication
- Personal control at the gatekeeper or reception
- General corporate policy on data protection or security
- Corporate policy for secure passwords
- Company policy "Delete/Destroy"
- Company policy "Clean desk"
- General instruction to manually lock desktop when leaving workstation
2.3 Data usage control
The following implemented measures ensure that personal data can only be accessed by persons authorized to access it:
- Use of an authorization concept
- Number of administrators is kept as small as possible
- Instruction to employees that only absolutely necessary data is printed out
- Instruction to employees to delete data only after consultation
2.4 Separation control
The following measures ensure that personal data collected for different purposes are processed separately:
- Separation of productive and test system
- Logical client separation (on the software side)
- Creation of an authorization concept
- Setting database rights
3. Integrity (Art. 32 para. 1 lit. b GDPR)
3.1 Transfer control
It is ensured that personal data cannot be read, copied, changed or removed without authorization during transfer or storage on data carriers and that it is possible to check which persons or bodies have received personal data. The following measures are implemented to ensure this:
- Logging of accesses and retrievals
- Provision of data via encrypted connections such as SFTP or HTTPS
- Working from home: the employer has the right to delete data remotely
3.2 Input control
The following measures ensure that it is possible to check who has processed personal data in data processing systems and at what time:
- Logging of the entry, modification and deletion of data
- Traceability of data entry, modification and deletion through individual user names (not user groups)
- Assignment of rights to enter, change and delete data on the basis of an authorization concept
- Clear responsibilities for deletions
- Instruction to employees to delete data only after consultation
4. Availability and resilience (Art. 32 para. 1 lit. b DSGVO)
The following measures ensure that personal data is protected against accidental destruction or loss and is always available to the client:
- Regular backups
- Creation of a backup & recovery concept
- Keeping data backup in a secure, off-site location
- Hosting (at least of the most important data) with a professional hosting provider
5. Procedures for regular review, assessment and evaluation (Art. 32(1)(d) GDPR; Art. 25(1) GDPR)
5.1 Data protection management
The following measures are intended to ensure that an organizational structure meeting the basic requirements of data protection law is in place:
- Using the heyData platform for data protection management
- Appointment of the data protection officer heyData
- Obligation of employees to data secrecy
- Regular training of employees in data protection
- Keeping an overview of processing activities (Art. 30 GDPR)
5.2 Incident response management
The following measures are intended to ensure that notification processes are triggered in the event of data privacy breaches:
- Process for notifying personal data breaches (Art. 4 No. 12 GDPR) to the supervisory authority (Art. 33 GDPR)
- Process for notifying personal data breaches (Art. 4 No. 12 GDPR) to the data subjects (Art. 34 GDPR)
- Involvement of the data protection officer in security incidents and data breaches
- Use of anti-virus software
- Firewall deployment
5.3 Data protection-friendly default settings (Art. 25 (2) GDPR)
The following implemented measures take into account the principles of "privacy by design" and "privacy by default":
- Training of employees in "privacy by design" and "privacy by default"
- No more personal data is collected than is necessary for the respective purpose
5.4 Order control
The following measures ensure that personal data processed on the controller's behalf is processed only in accordance with the controller's instructions:
- Written instructions to the contractor, or instructions in text form (e.g. in a data processing agreement)
- Ensuring the destruction of data after completion of the order, e.g. by requesting appropriate confirmations
- Confirmation from contractors that they commit their own employees to data secrecy (typically in the data processing agreement)
- Careful selection of contractors (especially with regard to data security)