Data Processing Agreement (DPA)
The EU General Data Protection Regulation (GDPR) came into force on 25 May 2018 and has since governed the processing of personal data. Such processing takes place within the framework of commissioned processing between you and Phrase, as described in this Data Processing Agreement (DPA). If you require a version of your Data Processing Agreement signed by us, please download it under "Plan & Subscription" after completing your subscription and contact your Account Management contact person. For any questions, please contact privacy@phrase.com.
Processing in accordance with Article 28 General Data Protection Regulation (GDPR):
Contract between the Controller – hereinafter referred to as the Client – and Memsource GmbH (formerly Dynport GmbH), operating Phrase.com, the Processor – hereinafter referred to as the Supplier.
1. Subject matter and duration of the Contract
(1) Subject matter
The Subject matter of this Contract results from the Phrase Plan booked by the Controller (hereinafter referred to as “Main Agreement”).
(2) Duration
The duration of this Contract corresponds to the duration of the Main Agreement.
2. Specification of the Contract Details
(1) Nature and Purpose of the intended Processing of Data
The Subject Matter of the processing of personal data comprises the following purposes:
- Creating a company profile in the main database: Upon finalization of the account signup, the Client’s account information submitted to the Supplier when completing the account signup form will be processed in the Phrase main database. An account profile shall be set up containing Personal Master Data, Optional Personal Data, Contact Data, Contact Data for Contract Billing, Payment Data, Traffic Data related to the Client’s account;
- Communicating with Phrase customer by email: The Supplier shall establish email communication with the Client as an essential part of the customer relationship. Email communication will mostly include sending updates about the platform and its services, released features and important information about the Supplier. This requires the processing of Client’s Personal Data and Contact Data;
- Maintaining and providing customer support: The Supplier shall establish customer support for the Client as an essential part of the customer relationship. Customer support inquiries can either be sent by email or a chat widget. This requires the processing of Client’s Personal Data, Contact Data, Key Contract Data and System Data;
- Hosting of Phrase platform and Phrase services: The hosted Phrase platform and all of its services for software translation and software localization to which the Client has subscribed are hosted on web server products provided by a hosting provider. These web servers are located in Ireland (a member state of the European Union) and are subject to the Technical and Organizational Measures the provider undertakes in order to secure all data processing on its web server products;
- Processing of customer reviews: The Supplier shall regularly ask the Client to submit a quantified review for the Phrase platform (a rating between 1-10). Submitting a rating is always optional for the Client. When submitting such a rating, the Client will then be asked to provide a more detailed review by elaborating on the measurable rating. In this event, the Supplier will process the Client’s Personal Data and Contact Data from the review form;
- Processing of customer feedback: The Supplier shall document customer feedback that is obtained through customer support, customer review or customer feedback channels in case the feedback is of special importance for further development of the Phrase platform and its services. The Supplier's feedback documentation requires the processing of Client’s Personal Data and Contact Data of users actively submitting feedback to the Supplier;
- Managing Technical product issues: The Supplier shall manage reports of Technical product issues (“bugs”) submitted by Client in order to organize and execute its platform maintenance. This purpose requires the processing of Client’s Personal Data and Contact Data;
- User engagement analysis of Phrase customers: The Supplier shall analyze user engagement of Phrase customers and their behaviour on websites of the Phrase domain. This requires the processing of Client’s Engagement Data;
- User engagement analysis of Phrase features: The Supplier shall analyze user engagement of Phrase customers and their usage of features and services offered by Phrase. This requires the processing of Client’s Engagement Data;
- Managing inbound marketing leads: The Supplier shall manage inbound marketing leads by identifying a potential customer at three touchpoints in chronological order as follows: Upon the first visit of the Phrase website, when filling the account signup form and upon finalization of the account signup. This requires the processing of Client’s Personal Data, Key Contract Data and Contact Data;
- Integration of workflows across various platforms: The Supplier shall implement technologies that enable the integration of workflows across various platforms in order to improve internal processes. This may require the processing of Client’s Personal Data and Contact Data;
- Processing credit card payments: The Supplier shall use technology from a payment provider in order to process payments made with the Client’s credit card. This requires the processing of Client’s Contact Data for Contract Billing;
- Processing bank transfer payments: The Supplier shall process the Client’s Contact Data for Contract Billing in order to create invoices;
- Over the Air: For the Over-the-Air Mobile SDK, the Supplier shall process the IP addresses of the users of the customer's products via hash pseudonymization for calculating the Phrase user fee, as well as technical information such as the operating system used, the operating system version and the device language.
The undertaking of the contractually agreed Processing of Data shall be carried out exclusively within a Member State of the European Union (EU) or within a Member State of the European Economic Area (EEA). Each and every Transfer of Data to a State which is not a Member State of either the EU or the EEA requires the prior agreement of the Client and shall only occur if the specific Conditions of Article 44 et seq. GDPR have been fulfilled.
(2) Type of Data
The Subject Matter of the processing of personal data comprises the following data types and categories:
- Personal Master Data (First name, last name, user name, nickname);
- Optional Personal Data (Telephone number, job title);
- Contact Data (Personal email address);
- Contact Data for Contract Billing (Mailing address for invoice recipient, personal company email address for invoice recipient);
- Payment Data (Payment terms, card holder name, dunning history);
- Key Contract Data (Account Number, Contract Number, contractual Relationships, packages billed);
- Engagement Data (Feature usage, Bug reporting, Website interaction, Number of web sessions);
- Traffic Data (Logfiles, IP address, Passwords);
- System Data (Browser type, Browser language, Browser version, OS type).
(3) Categories of Data Subjects
The Categories of Data Subjects comprise:
- The Client’s Employees and Partners when they are Users of the Supplier’s Service
- Subscribers
- Contact Persons for Contract Billing
3. Technical and Organizational Measures
(1) Before the commencement of processing, the Supplier shall document the execution of the necessary Technical and Organizational Measures, set out in advance of the awarding of the Contract, specifically with regard to the detailed execution of the contract, and shall present these documented Measures to the Client for inspection. Upon acceptance by the Client, the documented Measures become the foundation of the contract. Insofar as the inspection/audit by the Client shows the need for amendments, such amendments shall be implemented by mutual agreement.
(2) The Supplier shall establish the security in accordance with Article 28 Paragraph 3 Point c, and Article 32 GDPR in particular in conjunction with Article 5 Paragraph 1, and Paragraph 2 GDPR. The Measures to be taken are Measures of data security and Measures that guarantee a protection level appropriate to the risk concerning confidentiality, integrity, availability and resilience of the systems. The state of the art, implementation costs, the nature, scope and purposes of processing as well as the probability of occurrence and the severity of the risk to the rights and freedoms of natural persons within the meaning of Article 32 Paragraph 1 GDPR must be taken into account. [Details in Appendix 1]
(3) The Technical and Organizational Measures are subject to Technical progress and further development. In this respect, it is permissible for the Supplier to implement alternative adequate Measures. In so doing, the security level of the defined Measures must not be reduced. Substantial changes must be documented.
4. Rectification, restriction and erasure of data
(1) The Supplier may not on its own authority rectify, erase or restrict the processing of data that is being processed on behalf of the Client, but only on documented instructions from the Client.
Insofar as a Data Subject contacts the Supplier directly concerning a rectification, erasure, or restriction of processing, the Supplier will immediately forward the Data Subject’s request to the Client.
(2) Insofar as it is included in the scope of services, the erasure policy, ‘right to be forgotten’, rectification, data portability and access shall be ensured by the Supplier in accordance with documented instructions from the Client without undue delay.
5. Quality assurance and other duties of the Supplier
In addition to complying with the rules set out in this Order or Contract, the Supplier shall comply with the statutory requirements referred to in Articles 28 to 33 GDPR; accordingly, the Supplier ensures, in particular, compliance with the following requirements:
- Appointed Data Protection Officer, who performs his/her duties in compliance with Articles 38 and 39 GDPR.
- The Client shall be informed of his/her contact details for the purpose of direct contact. The Client shall be informed immediately of any change of Data Protection Officer.
- The Supplier has appointed Mr Tobias Mauß, Mauß Datenschutz GmbH, phone: +49 40 99999520, email: datenschutz@datenschutzbeauftrager-hamburg.de, as Data Protection Officer. The Client shall be informed immediately of any change of Data Protection Officer.
- His/Her current contact details are always available and easily accessible on the website of the Supplier.
- Confidentiality in accordance with Article 28 Paragraph 3 Sentence 2 Point b, Articles 29 and 32 Paragraph 4 GDPR. The Supplier entrusts only such employees with the data processing outlined in this contract who have been bound to confidentiality and have previously been familiarised with the data protection provisions relevant to their work. The Supplier and any person acting under its authority who has access to personal data, shall not process that data unless on instructions from the Client, which includes the powers granted in this contract, unless required to do so by law.
- Implementation of and compliance with all Technical and Organizational Measures necessary for this Order or Contract in accordance with Article 28 Paragraph 3 Sentence 2 Point c, Article 32 GDPR [details in Appendix 1].
- The Client and the Supplier shall cooperate, on request, with the supervisory authority in performance of its tasks.
- The Client shall be informed immediately of any inspections and Measures conducted by the supervisory authority, insofar as they relate to this Order or Contract. This also applies insofar as the Supplier is under investigation or is party to an investigation by a competent authority in connection with infringements to any Civil or Criminal Law, or Administrative Rule or Regulation regarding the processing of personal data in connection with the processing of this Order or Contract.
- Insofar as the Client is subject to an inspection by the supervisory authority, an administrative or summary offence or criminal procedure, a liability claim by a Data Subject or by a third party or any other claim in connection with the Order or Contract data processing by the Supplier, the Supplier shall make every effort to support the Client.
- The Supplier shall periodically monitor the internal processes and the Technical and Organizational Measures to ensure that processing within his area of responsibility is in accordance with the requirements of applicable data protection law and the protection of the rights of the data subject.
- Verifiability of the Technical and Organizational Measures conducted by the Client as part of the Client’s supervisory powers referred to in item 7 of this contract.
6. Subcontracting
(1) Subcontracting for the purpose of this Agreement is to be understood as meaning services which relate directly to the provision of the principal service. This does not include ancillary services, such as telecommunication services, postal / transport services, maintenance and user support services or the disposal of data carriers, as well as other Measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing equipment. The Supplier shall, however, be obliged to make appropriate and legally binding contractual arrangements and take appropriate inspection Measures to ensure the data protection and the data security of the Client's data, even in the case of outsourced ancillary services.
(2) The Supplier may commission subcontractors (additional data subprocessors) only (i) after prior explicit written consent or (ii) documented general consent from the Client pursuant to this subparagraph.
- The Client agrees to the commissioning of the following subcontractors on the condition of a contractual agreement in accordance with Article 28 paragraphs 2-4 GDPR. Information about Subprocessors, including their functions and locations, is available at https://phrase.com/subprocessor-overview/ (as may be updated by Memsource from time to time in accordance with this Data Processing Addendum).
- Outsourcing to subcontractors or changing the existing subcontractor are permissible when:
- The Supplier submits such an outsourcing to a subcontractor to the Client in writing or in text form with appropriate advance notice; and
- The Client has not objected to the planned outsourcing pursuant to No. 6 subsec. (3); and
- The subcontracting is based on a contractual agreement in accordance with Article 28 paragraphs 2-4 GDPR.
(3) If the Client wants to object to the planned outsourcing, the Client may terminate the Main Agreement in writing or text form. The termination shall take effect either at the time determined by the client or at the time the planned outsourcing becomes effective; whichever is earlier. If the Client does not terminate the Main Agreement within a ten day period from the date of the Supplier’s notice, the Client is deemed to have accepted the planned outsourcing. Any termination under this subsection shall be deemed to be without fault by either party. The Client shall not be reimbursed by the Supplier for payments that have already been made.
(4) The transfer of personal data from the Client to the subcontractor and the subcontractor's commencement of the data processing shall only be undertaken after compliance with all requirements has been achieved.
(5) If the subcontractor provides the agreed service outside the EU/EEA, the Supplier shall ensure compliance with EU Data Protection Regulations by appropriate Measures. The same applies if service providers are to be used within the meaning of Paragraph 1 Sentence 2.
(6) Further outsourcing by the subcontractor is permissible when
- either the Supplier has given its prior express consent or
- alternatively, the Supplier and the subcontractor (i) have agreed on a procedure that corresponds to the procedure stipulated in Paragraph 6 (2) b) and (ii) have proceeded accordingly.
All contractual provisions in the contract chain shall be communicated to and agreed with each and every additional subcontractor.
7. Supervisory powers of the Client
(1) The Client has the right, after consultation with the Supplier, to carry out inspections or to have them carried out by an auditor to be designated in each individual case. It has the right to convince itself of the compliance with this agreement by the Supplier in his business operations by means of random checks, which are ordinarily to be announced in good time.
(2) The Supplier shall ensure that the Client is able to verify compliance with the obligations of the Supplier in accordance with Article 28 GDPR. The Supplier undertakes to give the Client the necessary information on request and, in particular, to demonstrate the execution of the Technical and Organizational Measures.
(3) Evidence of such Measures, which concern not only the specific Order or Contract, may be provided by
- Compliance with approved Codes of Conduct pursuant to Article 40 GDPR;
- Certification according to an approved certification procedure in accordance with Article 42 GDPR;
- Current auditor’s certificates, reports or excerpts from reports provided by independent bodies (e.g. auditor, Data Protection Officer, IT security department, data privacy auditor, quality auditor);
- A suitable certification by IT security or data protection auditing (e.g. according to BSI-Grundschutz (IT Baseline Protection certification developed by the German Federal Office for Security in Information Technology (BSI)) or ISO/IEC 27001).
(4) The Supplier may claim remuneration for enabling Client inspections.
8. Communication in the case of infringements by the Supplier
(1) The Supplier shall assist the Client in complying with the obligations concerning the security of personal data, reporting requirements for data breaches, data protection impact assessments and prior consultations, referred to in Articles 32 to 36 of the GDPR. These include:
- Ensuring an appropriate level of protection through Technical and Organizational Measures that take into account the circumstances and purposes of the processing as well as the projected probability and severity of a possible infringement of the law as a result of security vulnerabilities and that enable an immediate detection of relevant infringement events.
- The obligation to report a personal data breach immediately to the Client.
- The duty to assist the Client with regard to the Client’s obligation to provide information to the Data Subject concerned and to immediately provide the Client with all relevant information in this regard.
- Supporting the Client with its data protection impact assessment.
- Supporting the Client with regard to prior consultation of the supervisory authority.
(2) The Supplier may claim compensation for support services which are not included in the description of the services and which are not attributable to failures on the part of the Supplier.
9. Authority of the Client to issue instructions
(1) The Client shall immediately confirm oral instructions (at the minimum in text form).
(2) The Supplier shall inform the Client immediately if he considers that an instruction violates Data Protection Regulations. The Supplier shall then be entitled to suspend the execution of the relevant instructions until the Client confirms or changes them.
10. Deletion and return of personal data
(1) Copies or duplicates of the data shall never be created without the knowledge of the Client, with the exception of back-up copies as far as they are necessary to ensure orderly data processing, as well as data required to meet regulatory requirements to retain data.
(2) After conclusion of the contracted work, or earlier upon request by the Client, at the latest upon termination of the Service Agreement, the Supplier shall hand over to the Client or – subject to prior consent – destroy all documents, processing and utilization results, and data sets related to the contract that have come into its possession, in a data-protection compliant manner. The same applies to any and all connected test, waste, redundant and discarded material. The log of the destruction or deletion shall be provided on request.
(3) Documentation which is used to demonstrate orderly data processing in accordance with the Order or Contract shall be stored beyond the contract duration by the Supplier in accordance with the respective retention periods. It may hand such documentation over to the Client at the end of the contract duration to relieve the Supplier of this contractual obligation.
Appendix Technical and Organizational Measures
1. Confidentiality (Article 32 Paragraph 1 Point b GDPR)
Controlled items: The risk of physical, tangible or intangible damage respectively the risk of impairing rights and obligations of those affected caused by unauthorized disclosure or unauthorized access to data being processed in accordance with the Main Agreement shall be reduced.
Technical and Organizational Measures:
- Safety locks: The entry doors to the Supplier's workspace are entirely secured by safety locks.
- Office key regulations: An office key regulation system is active in order to strictly manage the distribution of office keys giving access to the Supplier's workspace. Office keys can only be received after personally signing the receipt of the effective handing over. Offboarding of employees leaving the Supplier cannot proceed before office keys have been returned.
- Management of user permissions: A user permission management system is active in order to regulate the management of individual user permissions, thereby regulating individual user access to data. The number of admins allowed to manage user permissions is kept to a minimum. The user permission management system explicitly states how permissions shall be distributed based on the role the individual user fills within the Supplier's workspace, particularly in regard to data processing.
- Authentication with username and password: All data processed by the Supplier and all data processing services provided by Supplier's subcontractors require user authentication by username and password. Single sign on (SSO) is in use if possible.
- Password policy, including password length and password changes: A password policy is active at the Supplier's workspace in order to enforce password security. The password policy is communicated throughout the Supplier's workspace. Introducing and enforcing the password policy for new employees at the Supplier's workspace is an integral part of standard onboarding processes.
- 2-Factor-Authentication: 2-Factor-Authentication is strictly enforced at the Supplier's workspace in order to secure user identification whenever data is processed or data processing services are accessed. Introducing and enforcing 2-Factor-Authentication for new employees at the Supplier's workspace is an integral part of standard onboarding processes. Internal audits enforce a regular assessment of the effective implementation of 2-Factor-Authentication throughout the Supplier's workspace.
- Assignment of permissions to insert, update or delete data is based on an assignment concept: User permissions are assigned in accordance with the user permission management system. Only admins can assign permission to insert, update or delete data. Admins are required to distribute permissions in accordance with the explicit instructions stated in the user permission management system.
- Use of software firewall: All elements of the Supplier's IT infrastructure are deployed into a secure VPC. Firewall setup of the IT infrastructure and access is strictly regulated in the Software firewall concept.
- Selection of office cleaning services follows a careful diligence process with respect to data privacy: Data privacy and confidentiality of data within the Supplier's workspace are integral to the selection process for office cleaning service providers. The office cleaning services are informed about their rights and obligations when accessing the Supplier's workspace.
2. Integrity (Article 32 Paragraph 1 Point b GDPR)
Controlled items: The risk of physical, tangible or intangible damage respectively the risk of impairing rights and obligations of those affected caused by unintended or unauthorized alteration of data being processed in accordance with the Main Agreement or by illegitimate or negligent acting shall be reduced.
Technical and Organizational Measures:
- Use of VPN technology: The Supplier's production environment is accessible by use of VPN technology only.
- Number of admins is reduced to a minimum: Access to the user permission management system is strictly limited to a minimum number of admins.
- Use of file shredders: Physical deletion of data by using file shredders is in effect. Employees at the Supplier's workspace are instructed to use file shredders to delete paperwork containing personal data.
- Recordings of inserting, updating and deleting data: A logging system is installed in order to record any inserting, updating and deleting of data.
- Overview of permissions and capabilities (which applications can insert, update and delete which data): Write access to the database is limited to the application that is subject to the Main Agreement between Client and Supplier. The application allows for inserting, updating and deleting of data both in the application frontend and backend. Permissions for inserting, updating and deleting of data are distributed in accordance with the user permission management system.
- Diligence process with specific respect to data privacy precedes selection of data subprocessors: The Supplier's evaluation when selecting data subprocessors as subcontractors shall follow the standard diligence processes defined in the Data Privacy concept.
- Auditing and documenting of subcontractor’s Technical and Organizational Measures is prior to selection of data subprocessor: Standard diligence processes for data Supplier selection as defined in the Data Privacy concept include auditing the Technical and Organizational Measures prior to the selection of the data subprocessor. Technical and Organizational Measures shall always be documented in the Contractor management system.
- Subcontractors receive binding instructions from signed Data Processing Agreements: The Supplier shall sign Data Processing Agreements with all subcontractors as listed in 6. Subcontracting in order to direct binding instructions in regard of duties, obligations and Technical and Organizational Measures for compliant data processing to the subcontractor.
- Subcontractors and their activities are regularly audited: Standard processes including regular audits of the subcontractors and their activities are defined at the Supplier's workspace.
- Contractor management system: A Contractor management system is installed at the Supplier's workspace in order to manage all contracted service providers in regard of their data privacy duties and obligations, such as country of origin, postal address, Technical and Organizational Measures and signed Data Processing Agreements.
3. Availability (Article 32 Paragraph 1 Point b GDPR)
Controlled items: The risk of physical, tangible or intangible damage respectively the risk of impairing rights and obligations of those affected caused by illegitimate or negligent acting or by non-availability of data being processed in accordance with the Main Agreement shall be reduced.
Technical and Organizational Measures:
- Data storage location is securely detached: Data storage is located in Ireland. Data storage is securely detached from data backup storage location and from Supplier's workspace.
- Concept for data backups and data recovery: Automated standard processes have been installed in order to provide data backups and comprehensive capabilities for data recovery. These standard processes are defined in the data backup concept.
- Testing of data recovery: The data backup concept is subject to regular internal audits.
4. Resilience (Article 32 Paragraph 1 Point b GDPR)
Controlled items: The risk of physical, tangible or intangible damage respectively the risk of impairing rights and obligations of those affected caused by extermination, loss, alteration or unauthorized disclosure in consequence of system overload or system crash shall be reduced.
Technical and Organizational Measures:
- Technical and Organizational Measures from hosting provider: Technical and Organizational Measures from Amazon Web Services, Inc. are in effect, as the services supplied in accordance with the Main Agreement are hosted on web server products provided by Amazon Web Services, Inc. The Technical and Organizational Measures comply with ISO/IEC 27001 certification.
- Separation of production systems and testing systems: Production system and testing system are strictly separated. Testing will always be located on local servers only. Testing will never process any Client’s personal data.
- User rights management concept: The Supplier's management of access rights is formally stated in the user permission management concept.
- Assigning user rights for database access: Granting of user rights for accessing the main database is strictly regulated by the user rights management. Only administrators can enable access rights for users individually. Administrators shall enable access rights in accordance with the user rights management rules. Additionally, the VPN technology in use allows differentiation between read-only access rights and read/write access rights.
- Virtualization: Virtualization is effective both for testing systems and feature deployments.
- Computing load balancing: Load balancing for computing is enabled by the hosting provider Amazon Web Services, Inc.
5. Pseudonymization
Controlled items: The risk of physical, tangible or intangible damage respectively the risk of impairing rights and obligations of those affected caused by unauthorized disclosure or unauthorized access to data being processed in accordance with the Main Agreement shall be reduced.
Technical and Organizational Measures:
- Data processing of pseudonymized data: In order to provide secure credit card payments, the Supplier will only process pseudonymized Billing Data submitted by the Client when opting for credit card payments as the preferred payment method. Pseudonymization of Billing Data is ensured by the implementation of Checkout, a feature provided by the subcontracted payment service provider. Stripe’s Technical and Organizational Measures apply.
6. Encryption
Controlled items: The risk of physical, tangible or intangible damage respectively the risk of impairing rights and obligations of those affected caused by unauthorized disclosure or unauthorized access to data being processed in accordance with the Main Agreement shall be reduced.
Technical and Organizational Measures:
- Data storage encryption: Processed data is fully encrypted by the Technical and Organizational Measures in effect at the subcontracted hosting provider. Additionally, the Supplier runs SSL encryption on all of its own domains and subdomains. Data exchanged by email is encrypted with GPG whenever highly sensitive data is sent by email. Data storage encryption is subject to a Supplier company policy stating the requirements and Technical specifications for encryption.
- Mobile data storage encryption: Mobile data storage media in use in the Supplier's workspace or in remote workspaces are always encrypted. Mobile data storage encryption is part of the Supplier's employee onboarding. Mobile data storage is subject to a Supplier company policy stating the requirements and Technical specifications for encryption.
7. Recovery practices for restoring access to personal data in the event of physical or Technical incidents
Controlled items: The risk of physical, tangible or intangible damage, or of impairing the rights and obligations of those affected, caused by unlawful or negligent action, by unauthorized access to data, or by the destruction, loss or alteration of data being processed in accordance with the Main Agreement shall be reduced.
Technical and Organizational Measures:
- Recovery concept with detailed instructions for system recovery: The recovery concept ensures that all entities crucial to the Supplier's IT infrastructure are included in the comprehensive recovery approach. The recovery concept follows a chronological order, so it can be executed by working through accurate and precise checklist items. The top-level executive decides whether to execute the recovery concept personally or to assign the task to team members if his or her immediate capacity to act is uncertain.
8. Auditing practices for assessing and evaluating the effectiveness of Technical and Organizational Measures
Controlled items: Processes of regular audits, assessments and evaluation about the effectiveness of Technical and Organizational Measures shall be in operation in order to ensure secure data processing.
Technical and Organizational Measures:
- Internal audits: The Supplier's Technical and Organizational Measures are audited internally on a regular basis. A standard process has been implemented in order to audit effectiveness of Technical Measures and Organizational Measures.
- External audits: The organization’s ISMS maintains an ISO/IEC 27001:2013 certification and is audited by a certified ISO/IEC 27001 auditor. The external subcontractors’ Technical and Organizational Measures are audited on a regular basis. A standard process has been implemented in order to audit the effectiveness of Technical Measures and Organizational Measures.
- Regular security reviews: Security review meetings including top-level executives are held regularly.
9. Documentation
Controlled items: Documentation of data privacy policies, standard processes and explicit assignments shall comprise the specific Technical and Organizational Measures Phrase undertakes in order to provide secure data processing.
Technical and Organizational Measures:
- Comprehensive Data Privacy concept: A comprehensive Data Privacy concept is at the center of the Supplier's documentation of Technical and Organizational Measures for secure data processing. The concept comprises the executive board’s strategy for data privacy and data processing at the Supplier. It provides detailed IT specifications about the systems and tools in use at the Supplier in order to provide full transparency and specialized knowledge for employees. Company policies about data privacy as well as explicit assignments and regular events for Company training about data privacy ensure a high qualification standard for all employees assigned with data processing.
- Data Privacy Policies: Data Privacy policies are formally stated within the Data Privacy concept. The policies follow directly from the Supplier's Data Privacy compliance, enforcing top-down communication about data processing.
- Data Privacy standard processes: Top-down communication about data processing is precisely stated in standard processes, including recurring tasks of internal and external auditing. These standard processes shall be executed by trained employees with accordingly assigned management rights to oversee and execute processes in order to secure Supplier's Data Privacy compliance.
- Assignments: Explicit working instructions about data processing are formally stated in the ‘Assignments’ section of the Supplier's Data Privacy documentation. These working instructions are binding for all employees.