Last updated 31 May 2026
Data Processing Agreement
Between the Parties
The Customer who is the Data Controller (the “Controller” or “Customer”)
Blossom Educational Limited (trading as Ovivio) incorporated and registered in UK with company number 09942836 whose registered office is at 30 Upper High Street, Thame, Oxfordshire, England, OX9 3EZ who is the Data Processor (the “Processor” or “Ovivio” or “Blossom”)
The Agreement
Regarding the processing of personal data on behalf of a Data Controller in accordance with Article 28 (3) of the UK General Data Protection Regulation ( “UK GDPR”)
Background
The Controller and the Processor entered into this Agreement (the “Agreement”) upon the Controller’s requirement to input and populate the Ovivio software platform and application (the “Platform”) with Personal Data which includes Special Category data regarding children (“Personal Data”) as outlined in Annex A and for the Processor to process such Personal Data on behalf of the Controller.
In circumstances where instructions from the Controller to the Processor include the direct input of data subject information, Personal, and Special Category data into the Platform, the Controller retains all compliance obligations under the UK GDPR as a Data Controller, and as set out in clause 1.1 of this Agreement.
The Agreement sets out the terms, requirements and conditions on which the Processor will process Personal Data when providing services to the Controller. The Agreement contains the mandatory clauses required by Article 28(3) of the UK GDPR for contracts between controllers and processors.
Its regulations shall apply to any and all activities associated with the Agreement, in whose scope the Processors employees or agents process the Controller’s personal data.
1. Roles and Responsibilities
1.1 The parties agree that the Customer is the Controller of the Personal Data and Ovivio is the Processor of the Personal Data, except where Ovivio acts as a Controller in accordance with clause 1.3.
1.2 The Customer as Controller instructs Ovivio to perform the processing activities detailed in this Agreement. In circumstances where instructions from the Customer to Ovivio include the direct input of data subject information, Personal, and Special Category data into the Platform, the Customer retains all compliance obligations under the UK GDPR as a Data Controller, and as set out in clause 1.1 of this Agreement.
1.3 Ovivio may process some Personal Data for its own legitimate business purposes, as an independent Controller, solely when the processing is strictly necessary and proportionate, for one of the following purposes:
- 1.3.1 Invoicing, managing the Customer relationship and corresponding with the Customer;
- 1.3.2 Monitoring, preventing and detecting misuse of fraudulent activity on the platform;
- 1.3.3 Analysing, developing and improving the Platform and services for the benefit of both the Customer and Ovivio, and collecting benchmarking data to provide insight into the usage of the Platform (data will be aggregated and pseudonymised, or anonymised where possible);
- 1.3.4 Where we have a legal obligation to do so, such as if data is requested under court order; or
- 1.3.5 Where a Controller is no longer present to fulfil a Data Subject Request.
2. Contract Processing of Data and Duration
2.1 The Controller retains control of the Personal Data and remains responsible for its compliance obligations under the UK GDPR, including provision of required privacy notices to data subjects and lawful basis of processing (including consent).
2.2 The details set out below in this clause describes the subject matter, duration, nature and purpose of processing and the Personal Data categories and data subject types in respect of which the Processor may process to fulfil the business purposes of the Agreement.
2.3 The lawful basis for the processing of the personal data under UK GDPR is the performance of a contract between the Controller and the Processor (UK GDPR Article 6.1(b)).
2.4 The duration of processing shall at a minimum be for the duration of the Agreement between the Processor and the Controller. Data will be stored inline with the Processor’s Data Retention Policy other than where the Processor may have a legal obligation to maintain and process data after the Agreement is completed. Data that is deleted by the Processor will be irreversibly deleted and cannot be retrieved.
2.5 The business purposes of the processing include as a minimum:
- To register new clients
- To manage the relationship between parents (guardians of the children) and nurseries (Customers)
- To provide nursery and childcare services to the child and parents through the Platform
- To deliver relevant content to parents regarding their children through the Platform
- To allow parents to manage their children’s nursery care through the Platform
2.6 The Personal Data Categories being processed will include the following:
- Identity Data: includes images, first name, maiden name, last name, username or similar identifier, marital status, title, job title, date of birth and gender
- Contact Data: includes billing address, delivery address, email address and telephone numbers
- Financial Data: includes bank account
- Transaction Data: includes details about payment
- Technical Data: includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this application
- Activity Data: includes attendance records, child’s activities during nursery attendance, performance
- Profile Data: includes username and password and preferences
- Usage Data: includes information about how Parents and Customers uses our application
2.7 The special categories of Personal Data being processed will include the following data about children:
- Health data
- Ethnicity
- Genetic data
- Dietary data
- Any data regarding welfare needs or requirement
3. Scope of application and responsibilities
3.1 The Controller’s data processing instructions shall be as detailed in this Agreement. The Controller shall be entitled to apply to modify, amend or provide individual processing instructions by proposing in writing such instructions to the Processor. Such amendments or additional to processing instructions shall be treated as requests for changes to this Agreement and will only apply if agreed and signed off by both parties.
3.2 Where the Processor believes and can substantiate that any data processing activities detailed in this Agreement, or activity, services, or processes undertaken by the Controller do not comply with data protection and the UK GDPR, it may detail these concerns in writing to the Controller to enable an agreed remedy and schedule. Should agreed remedial actions not be taken by the Controller, and the Processor remains concerned that the Controller does not comply with data protection and the UK GDPR, the Processor may withhold or cease use of the Platform with immediate effect to the Controller until such time as appropriate and sufficient action is taken to remedy the data protection issues.
3.3 Both parties will undertake to complete an enhanced Disclosure and Barring Service (DBS) check for necessary staff and employees who will have involvement with, or undertake processing of, Personal Data in line with this Agreement.
4. The Processor’s obligations
4.1 Except where expressly permitted by the Applicable Data Protection Laws or as otherwise required by law, the Processor shall process data subjects’ data only within the scope of the Agreement and the written instructions issued by the Controller. Where the Processor believes that an instruction would be in breach of applicable law, the Processor shall notify the Controller of such belief without undue delay. The Processor shall be entitled to suspend performance on such instruction until the Controller confirms or modifies such instruction.
4.2 The Processor shall organise its internal organisation (within its scope of responsibility) so that it satisfies the specific requirements of data protection. The Processor shall implement technical and organisational measures to ensure the adequate protection of the Controller’s data, which measures shall fulfil the requirements of the UK GDPR and specifically its Article 32. The Processor shall implement technical and organisational measures and safeguards that ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services. The Controller is familiar with these technical and organisational measures, and it shall be the Controller’s responsibility that such measures ensure a level of security appropriate to the risk. The Processor reserves the right to modify the measures and safeguards implemented, provided, however, that the level of security shall not be less protective than initially agreed upon. Details of the technical and organisational measures can be found in Annex B.
4.3 The Processor shall provide all reasonable support to the Controller in fulfilling data subjects’ requests and claims (DSAR’s) taking into account the time limits for reply to DSAR’s as laid out in the UK GDPR.
4.4 The Processor will ensure that all its employees are informed of the confidential nature of the Personal Data (including the additional requirement for Special Category data) and are bound by confidentiality obligations and user restrictions in respect of the Personal Data.
4.5 The Processor will ensure all its employees have undertaken training on the requirements of the UK GDPR relating to handling Personal Data and how it applies to their particular duties, and are aware both of the Processor’s duties and their personal duties and obligations under the UK GDPR and this Agreement.
4.6 The Processor will maintain the confidentiality of all Personal Data and will not disclose Personal Data to any third party unless the Controller or this Agreement specifically authorises the disclosure, or as required by law. If a law, court, regulator or supervisory authority requires the Processor to process or disclose Personal Data, the Processor must first inform the Controller of the legal or regulatory requirement and give the Controller an opportunity to object or challenge the requirement, unless the law prohibits such notice.
4.7 If the Processor becomes aware of any breach of Personal Data within the Processor’s scope of responsibility, the Processor shall notify the Controller without undue delay (not longer than 72 hours’ notice). The Processor shall implement all available measures necessary for securing Personal Data, for containing the breach and situation, and for mitigating any potential negative consequences for the data subjects in question. The Processor shall coordinate such efforts with the Controller.
4.8 The Processor will ensure notification to their Data Protection Officer (“DPO”) of all breaches – and will discuss and agree whether the breach requires subsequent reporting to the ICO. Should a breach require a report, the Processor and the DPO will agree the action required to generate the report to the ICO. All data breaches require the Processor to record the breach on their data breach form, and to log it in their data breach log.
4.9 The Controller should be notified of the point of contact for any issues related to data protection arising out of or in connection with the Agreement.
4.10 If instructed by the Controller and were covered by the scope of the instructions in this Agreement, the Processor will delete Personal Data from the Platform. Where a data deletion (consistent with UK GDPR data protection requirements) or a corresponding restriction of processing is impossible, the Processor shall, based on the Controller’s instructions, destroy, in compliance with data protection requirements, all carrier media and other material or return the same to the Controller.
4.11 Upon termination of data processing under this Agreement the Processor shall return all Personal Data, carrier media and other materials to the Controller or delete the same. In the case of testing and discarded material, no instruction shall be required.
4.12 Where a data subject asserts any claims against the Controller in accordance with Article 82 of the UK GDPR, the Processor shall where possible support the Controller in defending against such claims.
4.13 Where the Controller elects to use AI Services, the Processor will process text input provided by the Controller’s Users for the sole purpose of generating or optimising observation or activity records. This processing is transient—input and output are not stored, logged, or used to train AI models, nor is any model fine-tuning enabled.
5. The Controllers obligations
5.1 The Controller will at all times comply with all applicable requirements of the relevant data protection legislation. The controller maintains responsibility to provide the Data Subjects whose data is held within the platform (Parents, Guardians, Children and Employees) with all necessary privacy notices and consents, privacy and data protection information, rights and obligations under the UK GDPR, and to ensure that these are maintained and remain up to date.
5.2 The Controller must maintain a record of consent gained for data processing from all Data Subjects for processing of Special Category as required under UK GDPR Article 9.
5.3 If the Controller detects any defect or irregularity with regards to data protection or compliance to the UK GDPR from the Processors provision of the work and services provided by them in this Agreement, the Controller shall notify the Processor without undue delay, stating the exact nature of the concern and requesting measures to be taken to rectify such defects or irregularities.
5.4 Under its obligations to this Agreement, the Controller must maintain robust and appropriate technical and organisational measures within its IT management to ensure data protection is maintained at an appropriate level compliant with the UK GDPR.
5.5 The Ovivio platform is developed with in-built technical and organisational measures for data protection (as required by the UK GDPR) only on the basis of use as an online cloud-based SaaS. Data storage on local devices, such as when Personal Data is downloaded from the Platform, or the use of any offline mode that would require storage of personal data and/or special category data on local devices, may negate the built-in technical and organisation measures. Where the client chooses to store Personal Data offline and/or on local devices, the Customer acts as Data Controller for such data and takes full responsibility for implementing all measures required to ensure adequate and compliant data privacy and protection. Ovivio will accept no responsibility for the protection and privacy of such data, and therefore will accept no liability for any claim, damages or action relating to or arising from this data.
5.6 The Controller must notify the Processor of the point of contact for any issues related to data protection, and maintain the point of contact as up to date at all times.
5.7 The Controller shall provide all reasonable support to the Processor in fulfilling data subjects’ requests and claims (DSAR’s) taking regarding of the time limits for reply to DSAR’s as laid out in the UK GDPR.
5.8 The Controller will ensure relevant employees have undertaken training on the requirements of the UK GDPR relating to handling Personal Data and Special Category data and how it applies to their particular duties, and their personal duties and obligations under the UK GDPR and this Agreement. The Controller will ensure that its employees are informed of the confidential nature of the Personal Data (including the additional requirement for Special Category data) and are bound by confidentiality obligations and user restrictions in respect of the Personal Data.
5.9 If the Controller becomes aware of any breach of Personal Data within its scope of responsibility, the Controller shall notify the Processor without undue delay (not longer than 72 hours’ notice). The Controller shall implement all available measures necessary for securing Personal Data, for containing the breach and situation, and for mitigating any potential negative consequences for the data subjects in question. The Controller shall coordinate such efforts with the Processor without undue delay.
6. Enquiries by data subjects, complaints and third-party rights
6.1 Where a data subject makes a claim for rectification, erasure or access directly with the Processor, and where the Processor is able to identify the Controller based on the information provided by the data subject, the Processor shall refer the data subject directly to the Controller without undue delay. The Processor shall not be liable in cases where the Controller fails to respond to the data subject’s request in total, correctly, or in a timely manner.
6.2 The Processor will give the Controller its full co-operation and assistance in responding to any complaint, notice, communication or Data Subject request.
6.3 The Processor must not disclose the Personal Data to any Data Subject or to a third party other than at the Controller’s request or instruction, as provided for in this Agreement or as required by law.
7. Audit and review
7.1 The Processor will conduct a regular audit of the security of the computers and computing environment that it uses in processing the Controller’s personal data when performing services. The Processor shall document its compliance with the technical and organisational measures agreed upon in this Agreement by appropriate measures. If requested the Processor will provide the Controller a summary of the technical and organisational measures in place to enable the Controller to verify the Processor’s compliance with the security obligations under this Agreement.
7.2 If the Controller reasonably concludes and communicates that an onsite audit is necessary to monitor the compliance with the technical and organisational measures in an individual case, the Controller shall also have the right to carry out respective onsite inspections in individual cases or to have them carried out by an auditor (that is not a competitor of the Processor) provided that such audits and inspections will be conducted:
- during regular business hours
- without interfering with the Processor’s business operations
- upon prior notice (observing an appropriate notice period) and further consultation with the Processor
- all subject to (if not covered already by the Agreement) the execution of a confidentiality undertaking, in particular to protect the confidentiality of the technical and organisational measures and safeguards implemented.
7.3 In case of an onsite audit the Controller will bear its own expenses and compensate the Processor the cost for its internal resources required to conduct the onsite audit (based on time and material according to the then current price list), the latter only if the audit does not reveal that the Processor has in fact breached its obligations under the Agreement (in that case the Processor will promptly remedy the breach at its own cost).
8. Sub-processors
8.1 The Controller acknowledges that the Processor uses subcontractors that act as Sub-Processors on behalf of the Customer.
8.2 The Controller agrees that the Sub-Processors as laid out in the List of Sub-Processors (found at https://Ovivio.com/uk/legal/sub-processor/) are authorised for the purposes of the processing of the Personal Data under this Agreement.
8.3 The Processor may only authorise a third party (Sub-Processor) to process the Personal Data if:
- The Processor enters into a written contract with the Sub-Processor that contains terms substantially the same and with the same meaning and obligations as those set out in this Agreement. In particular in relation to requiring appropriate technical and organisational data security measures.
- The Sub-Processor agrees and adheres to the Processor’s policies in relation to data protection and data security measures.
- The Processor maintains all responsibility for all Personal Data as laid out in the Agreement (Annex A), and maintains control over all Personal Data it entrusts to the Sub-Processor.
8.4 If you subscribe to email notifications at the Ovivio Service Providers List (https://Ovivioeducational.com/sub-processor/) then Ovivio will notify you via email of any changes Ovivio intends to make to the Sub-Processors at least 30 days before the changes take effect. The Controller shall be entitled to reasonably challenge any change notified by the Processor promptly in writing within ten (10) days after receipt of the Processor’s notice, provided that such objection is based on reasonable grounds relating to data protection. The Processor will evaluate the concerns and discuss with the Controller possible resolutions. If these resolutions are reasonably not possible (the feasibility of which will be at the Processor’s discretion) and the Controller continues to veto the nominated Sub-Processor change (such approval may not be unreasonably withheld), the Controller may terminate the Agreement upon fourteen (14) days written notice after having received the Processor’s aforementioned decision. If the Controller does not terminate the Agreement within this timeframe, the Controller is deemed to accept the nominated Sub-Processor. The Controller shall receive a refund of any prepaid fees for the period following the effective date of termination in respect of such terminated services. No other claims of the Controller against the Processor and of the Processor against the Controller may be based on reason of such termination.
8.5 In cases outside of the Processor’s reasonable control, the Controller accepts that an exchange of a Sub-Processor may be required (emergency replacement). The Processor will notify the Controller of any such exchange. If the Controller reasonably objects to the use of this SubProcessor, the Controller may exercise its right to terminate the Agreement as described above, only after providing the same conditions for resolutions as in clause 8.4
8.6 The Processor shall be responsible for ensuring that its obligations on data protection resulting from the Agreement remain valid and binding upon commissioning Sub-Processors.
8.7 For the avoidance of doubt, the approval requirements under this Agreement shall not apply in cases where the Processor or Sub-Processors further subcontract ancillary services or deliverables from third parties which are not specific to the provision of the services. Such ancillary services or deliverables may include (but not be limited to) general infrastructure services like telecommunications services or facility management services. The Processor and Sub-Processors shall nevertheless conclude with such third parties the contracts or agreements necessary to ensure applicable data protection standards.
9. Location of Personal Data and Transfer to Third Countries
9.1 Subject to Authorised Sub-Processors, the Controller will not transfer the Personal Data outside the EEA without following the notification and object process set out in clause 8.4.
9.2 The Controller may not transfer Personal Data outside the EEA unless adequate protection of the Personal Data in the receiving country is secured. In the absence of an adequacy decision pursuant to Applicable Data Protection Laws, adequate protection in the receiving country (“third country”) shall be secured following the undertaking by the Controller of a transfer risk assessment/transfer impact assessment (under UK/EU law as applicable to the Controller), through the implementation, and negotiation if applicable, of an agreement incorporating the appropriate Transfer Mechanism. If the Transfer Mechanism is insufficient to safeguard the transferred Personal Data, supplementary measures will be implemented to ensure the Personal Data is protected to the same standard as required under the applicable Data Protection Laws.
10. Personal Data Breach
10.1 The Processor will promptly and without undue delay notify the Controller if any Personal Data is lost or destroyed or becomes damaged, corrupted, or unusable. The Processor will restore such Personal Data at its own expense. The Processor will within 24 hours and without undue delay notify the Controller if it becomes aware of any accidental, unauthorised or unlawful processing of the Personal Data or any Personal Data Breach.
10.2 Where the Processor becomes aware of any incident as outlined in clause 8.1 it shall without undue delay provide the Controller with the following information:
- description of incident
- categories and approximate number of both Data Subjects and Personal Data records concerned
- potential consequences
- description of the measures taken or proposed
Immediately following any unauthorised or unlawful Personal Data processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the matter. The Processor will reasonably co-operate with the Controller, including:
- assisting with any investigation
- providing the Customer with physical access to any facilities and operations affected
- facilitating interviews with the Processor’s employees, former employees and others involved in the matter
- making available all relevant records, logs, files, data reporting and other materials required to comply with all UK GDPR or as otherwise reasonably required by the Controller
- taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or unlawful Personal Data processing
The Processor will not inform any third party of any Personal Data Breach without first obtaining the Controller’s prior written consent, except when required to do so by law.
The Processor agrees that the Controller has the sole right to determine:
- whether to provide notice of the Personal Data Breach to any Data Subjects, supervisory authorities, regulators, law enforcement agencies or others, as required by law or regulation or in the Controller’s discretion, including the contents and delivery method of the notice; and
- whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy
11. Obligations to inform, mandatory written form, choice of law
11.1 Where the Data becomes subject to search and seizure, an attachment order, confiscation during bankruptcy or insolvency proceedings, or similar events or measures by third parties while in the Processor’s control, the Processor shall notify the Controller of such action without undue delay. The Processor shall, without undue delay, notify to all pertinent parties in such action, that any data affected thereby is in the Controller’s sole property and area of responsibility, that data is at the Customer’s sole disposition, and that the Controller is the responsible body in relation to the GDPR.
11.2 No modification of this Agreement and/or any of its components – including, but not limited to, the Processor’s representations and warranties, if any – shall be valid and binding unless made in writing, and furthermore only if such modification expressly states that such modification applies to the regulations of this Agreement.
11.3 In case of any conflict, the data protection regulations of this Agreement shall take precedence over the regulations of any other arrangement between the Processor and the Controller. Where individual regulations of this Agreement are invalid or unenforceable, the validity and enforceability of the other regulations of this Agreement shall not be affected.
- This Agreement is subject to the laws of the UK
- Any notice or other communication given to a party under or in connection with this Agreement must be in writing and delivered to the DPO (expressed below)
- Any notice or other communication given to the Processor under or in connection with this Agreement must be in writing and communicated to:
Email: privacy@ovivio.com
Phone: 01923 545200
12. Records
The Processor will keep detailed, accurate and up-to-date written records regarding any processing of Personal Data it carries out for the Controller, including but not limited to, the access, control and security of the Personal Data, approved subcontractors and affiliates, the processing purposes, categories of processing, any transfers of personal data to a third country and related safeguards, and a general description of the technical and organisational security measures referred in this Agreement.
The Processor will ensure that the Records are sufficient to enable the Controller to verify the Processor’s compliance with its obligations under this Agreement and the Processor will provide the Customer with copies of the Records upon request.
The Controller and The Processor must review the information listed in the Annexes to this Agreement to confirm its current accuracy and update it when required to reflect current practices.
13. Liability and damages
The regulations on the parties’ liability shall be valid also for the purposes of Contract Processing, unless expressly agreed upon otherwise.
The Processor agrees to indemnify, keep indemnified and defend at its own expense the Controller against costs and claims incurred by the Controller or for which the Controller may become liable due to any failure by The Processor or its employees, subcontractors or agents to comply with any of its obligations under this Agreement or the UK GDPR.
14. Agreement
Signed and agreed by the authorised name and signatory below:
| Controller | Processor |
|---|---|
| Company: | Company: |
| Name: | Name: |
| Job Title: | Job Title: |
| Signed……………………………………………………………. | Signed……………………………………………………………. |
| Date: | Date: |
Attachments
ANNEX A: Data Classification Standards
ANNEX B: Technical and Organisational Measures (TOM’s)
ANNEX A
Data Classification Standards
The follow classification of data is being processed:
- Name
- Home Address
- Mobile Telephone
- Home Telephone
- Email Address
- Gender
- Date of Birth
- Bank
- Bank Account Number
Special Category Data:
- Ethnicity
- Country of Birth
- Language
- Health details or disabilities
- Name of children
- Age of children
- Health details regarding children
- Disabilities regarding children
- Dietary requirements
ANNEX B
Technical and Organisational Measures (TOM’s)
Ovivio
Technical and Organisational Measures
Content
- Physical Access Controls
- Logical Access Control
- Data Access Control
- Storage Device Control
- Communication Control
- Transmission Control
- Service Provider Control
- Storage Control
- Availability control
- Reliability
- Separation of personal data
Introduction
This document describes the binding technical and organisational measures in connection with the processing activities carried out between the data controller and processor. The measures described in this document describe the data protection and data security concept at the site.
Data protection and data security concept
The following catalogue of measures describes the individual technical and organisational measures to be taken within the scope of the processing activities pursuant to Art. 24(1) UK GDPR. The UK GDPR requires companies to secure the processing of personal data by appropriate technical and organisational measures and to anonymise or pseudonymise personal data wherever possible. The measures taken must take into account the risk of the respective data processing activities and correspond to the current state of the art. The controller meets these requirements through the effective interaction between data protection management and information security management and has taken appropriate measures to safeguard the processing of personal data. These data protection principles should also be carefully considered: availability, confidentiality, integrity and resilience. The data protection principles are based on the following definitions relevant to information security:
- Confidentiality: Data, information and programs shall be protected from unauthorised access and disclosure.
- Integrity: The term integrity refers to the correctness of the information and data processed.
- Availability: The term availability refers to information, data, applications and systems and refers to their functionality and retrievability.
- Load-bearing capacity: As a special aspect of availability, load-bearing capacity requires systems to be designed to be as robust as possible, even in the event of a malfunction, failure or high load.
Physical Access Controls
Unauthorised persons must be denied physical access to data processing equipment with which personal data are processed or used.
- Access Control System:
- A centrally managed access control system is used for the company.
- Access Control System – Administration:
- The access control system is managed in the following way:
- – Electronic
- Access Control System – Technical means:
- The access control system is based on the following technical means:
- – Key
- – Chip card
- Access Control System – Visitor Registration:
- The presence of visitors is registered in the following way:
- – Visitor book
- Securing the premises / buildings of the company:
- The company premises / building is secured from public ground by:
- – Office in a larger building complex
- – Lockable door
- Security at the Company Premises – Alarm System:
- The company premises or parts of it are safeguarded by an alarm system:
- Security at the Company Premises – Security Guard:
- The company premises or parts of it are guarded by a security guard:
- Security at the Company Premises – Time Period:
- The company premises or parts of it are guarded by a security guard during the following times:
- – Permanently during working hours
- – Sporadic inspections outside working hours
- Server – External Use:
- No external servers were rented in the company.
- Server – Internal Use:
- No servers are used on the company premises.
Logical Access Control
Unauthorised persons shall be denied access to data processing equipment with which personal data are processed or used.
- Password Manager:
- A password manager is used in the company.
- The following password manager is used:
- Password Manager – Access Control:
- The used password manager offers sufficient access control and encrypted storage.
Data Access Control
It must be ensured that persons authorised to use a data processing system can only access the data according to designated access permissions.
- Allocation of Access Authorisations:
- The assignment of access authorisations in the company is based on the functions of the authorised users.
- It Security – Firewall:
- One or more firewalls are used against unwanted network access in the company.
- Temporary Withdrawal of Access Authorisations:
- Access authorisations are temporarily blocked in the company during longer absences.
Storage Device Control
Storage devices should not be read, copied, changed or removed without authorisation.
- Storage Device Management – Inventory List:
- Inventories for the following storage devices are kept in the company:
- – Laptops
- – Mobile phones
- – Tablets
- Storage Device Management – Secure Deletion:
- Electronic storage devices are securely deleted in the company.
- Workplace – Sealable Containers:
- There are lockable containers available at every workplace to securely store documents and storage devices in the company.
Communication Control
It must be possible to determine and establish where personal data can be transmitted by data transmission equipment.
- Connection to the Telecommunications Provider:
- The following method is used to connect to the telecommunications provider:
- – Regular DSL/fibre optic connection
Transmission Control
It is necessary to prevent unauthorised reading, copying, modification or deletion of data during the transfer of personal data or during the transport of data carriers.
- Data Transmission – Storage Devices:
- No storage devices containing personal data are used in the company.
Service Provider Control
It must be ensured that personal data processed under contract can only be processed according to the instructions of the client.
- External Service Provider – Remote Maintenance:
- No remote maintenance is carried out by the company.
- External Service Providers :
- The company works with external service providers.
Storage Control
Unauthorised entry into storage systems as well as unauthorised access to, modification or deletion of stored personal data shall be prevented.
- Camera Images – Access:
- The following positions have access to the images:
- – Management
- Encryption of Camera Images on the Server:
- The camera images on the server are stored encrypted.
- The following procedure is used to encrypt the camera images on the server:
- – Please confirm
- Measures for Data Locking and Data Deletion:
- Data locking/deletion measures are in place, meaning data can easily be locked/deleted in all systems upon request.
- Password Protection – Password List:
- No unencrypted password list is kept.
- User Authentication IT Systems:
- The following procedures are used for user authentication in IT systems:
- – Password
Availability control
It must be ensured that personal data is available at all times and is protected against accidental destruction or loss.
- Archiving Concept – Legal Retention Obligation:
- There is no legal storage obligation for the archived documents.
Reliability
It must be ensured that personal data is secured against accidental loss or destruction.
- Camera Software Updates:
- The camera software is updated regularly.
- Penetration Tests:
- In order to test the resilience of the IT systems, regular penetration tests on IT-systems that simulate high loads have been carried out in the company.
- Software Updates:
- Updates are implemented in the following:
- – Automated
Separation of personal data
It is necessary to ensure that sensitive personal data is physically protected and restricted in access from other categories of personal data.
- IT Security – Particularly Sensitive Personal data:
- A dedicated and separated network is used for particularly sensitive categories of personal data.
