Technical and organizational measures

This document describes the requirements and implementation of measures for secure and compliant processing of personal data. It considers Articles 24, 25, and 32 GDPR where applicable. 

1. Confidentiality

1.1 Entry control 

Requirements: Rooms in which personal data are processed or data processing systems are installed are not freely accessible. They are locked when employees are absent. Entry authorization is assigned on a need-to-know basis according to an established process and is reviewed for necessity at regular intervals. Rooms in which data processing systems are located (computing center, servers, network distributors, etc.) have special entry protections and may be accessible only to IT administration employees (possibly management). Devices must be stored in appropriately locked cabinets. Visitors and non-company persons must be registered through an appropriate and documented process and are monitored while in the office space. 

Integromat has implemented the requirements in the following manner:

Locked building 
Locked offices 
Electronic security locking system 
Mechanical security locking system
Documented key issuance 
Locked server rooms with entry control 
Locked server cabinets
Electronic entry control 
Visitor registration and monitoring 
Daily security service 

1.2. Access control

Requirements: For every IT Service or system user, a personally assigned user must be set up with at least a 10-character password including upper and lowercase letters, numbers, and special characters. The system must require users to change passwords at least every 120 days. The network users must agree in the documented form to comply with the user access guideline. A documented procedure is required when setting up, changing, and removing access authorization. All assigned access authorization must be documented and reviewed routinely regarding necessity. IT Service and System access to data must be monitored and logged, including any unsuccessful login attempts. The system must block any IT Service and System access automatically after no more than 10 failed login attempts.

Integromat has implemented the requirements in the following manner:

Complex passwords 
Central authentication 
Access blocked after too many incorrect password entries
Secure line connection for external access (VPN)
Use of an up-to-date firewall
Multifactor access control 

1.3 Usage control

Requirements: A documented, role-based authorization concept exists for use of personal data that limits use so that only authorized persons can use the personal data necessary for their job (minimization principle). The password rules from access control are also implemented for usage control. Administrative tasks must be limited to a small group of administrators. The tasks of administrators are monitored and logged to the extent technically feasible. 

Integromat has implemented the requirements in the following manner:

Role-based authorization process 
Application-specific authentication with username and password
Logging user access and data processing 
Allocation of authorizations only after approval by the data owner
Protected access to data storage media 
Destruction of paper documents in compliance with data protection law
Encryption of mobile data storage media 
Restriction of Admin users incl. appropriate documentation 

1.4 Separation control

Requirements: Personal data must be separated by means of various storage locations or client separation. 

Integromat has implemented the requirements in the following manner:

Separation of productive and test systems 
Logical client data separation within the data processing system 

2. Integrity

2.1 Transmission control

Requirements: During transmission control, it is necessary that only authorized persons can view personal data. For transmission by email, protective actions (e.g., encryption of communication between the email servers) are required. Mobile devices or mobile storage media must be encrypted if personal data are stored on them.

Integromat has implemented the requirements in the following manner:

Communication end-to-end encryption (e.g. TLS)
The use of private data storage media is prohibited
Special protection when physically transporting data storage media
A VPN Connection is needed when accessing system critical resources from outside of the corporate network

2.2 Input control

Requirements: It must be possible to assign the input, modification, and deletion of personal data to the employee performing the task. The system must limit the modification and deletion of datasets to effectively prevent accidental modification or deletion.

Integromat has implemented the requirements in the following manner:

Traceability when assigning, changing, and deleting user authorizations

2.3 Contractual order control

Requirements: In terms of contractual order control, it is necessary that the data processing procedures carried out on a subcontracted basis take place exclusively at the instruction of the Controller. To that end, the individuals involved in data processing must be trained and provided with instructions. Outsourced processing must be monitored through internal controls. The results of the controls are documented.

Subcontractors may be hired only on the basis of the rules agreed with the Controller. Transmission or use of personal data may only take place after the subcontractor has signed an outsourced processing agreement pursuant to Article 28 GDPR and has confirmed compliance with the rules of the data protection concept. The contractor’s duty to supervise its subcontractor is based on the outsourced processing agreement entered into with the Controller.

Integromat has implemented the requirements in the following manner:

Documentation of processing activities
Careful selection of processors (detailed assessment of provided guarantees)
Written agreement with the processor on the data protection minimum standard
Appropriate monitoring of the processor
Assuring compliant destruction or return of data upon completion of the assignment

3. Availability and reliability

Requirements: Personal data must be processed on data processing systems that are subject to routine and documented patch management. Systems may not be connected within the network that are outside the maintenance cycles of the manufacturers. Security-related patching must be initiated within 72 hours after they are released. Redundant storage media and backups must be used to ensure continuous availability of personal data based on the latest technical standards. Computing centres and server rooms must meet the technical standards (temperature regulation, fire protection, flooding, etc.). The servers must have an uninterruptible power supply (UPS) allowing a controlled shutdown without loss of data. 

Integromat has implemented the requirements in the following manner:

Regular patch management for servers
Regular patch management for end devices
Initiate security-critical patches within 72 hour
Uninterrupted power supply
Early fire detection in office buildings

4. Procedure for routine review, assessment, and evaluation

Requirement: A procedure must be implemented for monitoring data protection at the company. This procedure must include an agreement by employees to maintain data secrecy, training and education of employees, and routine auditing of data processing procedures. Likewise, the processing procedure carried out for the Controller must be documented before the start of data processing. A thorough reporting and management process must be introduced for data breaches and the protection of the rights of data subjects. This process must also include notification of the Controller. 

Regular documented training of employees involved in data processing
Documented procedure for introducing, modifying, and discontinuing procedures
Regular review of the latest technical standards pursuant to Article 32 GDPR

Popular use cases from our blog


How to Automate Data Collection - Part 5: CRM Systems


How to Automate Data Collection - Part 4: Chatbot Marketing


How to Automate Data Collection - Part 3: Paid Ads


How to Automate Data Collection - Part 2: Email Marketing Segmentation


5 Automated Solutions to Personalize Customer Experience


How to Automate Data Collection - Part 1: Online Forms

Didn’t find what you were looking for?


Find an expert

We feature a network of 450+ certified partners across the globe who are ready to help

Find an expert

Automate any workflow in your business

Sign up for a free account today. No credit card required, no time limits on free plan.