Data security (Art. 32 EU GDPR)

We have taken comprehensive measures to guarantee the protection of your personal data.

Technical and organizational measures

Hier können Sie sich einen Überblick verschaffen, welche technischen und organisatorischen Maßnahmen wir zum Schutz Ihrer Daten getroffen haben.

1. Confidentiality

a) Physical access control

Physical access to data processing equipment, which is used to process or use personal data, shall be denied to unauthorized persons.

  • There shall be permanent physical access control to the office buildings by colleagues sitting in the reception area. Physical access control to all other rooms is carried out by colleagues sitting in the wing of the building.
  • Specified access rules allow employees to only access specific parts of the company’s premises.
  • Access is denied at all times to unauthorized and external persons. Access can only be granted after explicit approval by an employee along with providing the reason for such access.
  • There are security locks as well as a specific regulation for the provision of keys.
  • The servers are located in locked rooms.
  • Data backups on portable backup media (e.g. CD/DVD, tapes) are stored in access-controlled areas.
  • Buildings and premises are protected by an alarm system, video surveillance, motion detectors and lighting.

REFERENCE TO THE RIGHTS OF THE DATA SUBJECTS REGARDING VIDEO SURVEILLANCE

The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the contents of Article 15 GDPR.

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her and (if applicable) to have incomplete personal data completed (Article 16 GDPR).

The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay where one of the grounds stipulated in Article 17 GDPR applies, e.g. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed (right to erasure).

The data subject shall have the right to obtain from the controller restriction of processing where one of the requirements stipulated in Article 18 GDPR is met, e.g. when the data subject has objected to processing for a period enabling the controller to verify the accuracy of the personal data.

The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her. The controller shall then no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims (Article 21 GDPR).

Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data relating to him or her infringes the GDPR (Article 77 GDPR). The data subject can assert this right with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement.

The contact data of the responsible supervisory authority are:

Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen
Ms. Helga Block
Kavalleriestraße 2 - 4
40213 Düsseldorf
Germany

T +49 211 38424 -0
F +49 211 38424 -10
E-Mail: poststelle@ldi.nrw.de

b. System access control

System access and therefore use of the data processing systems shall be denied to unauthorized persons.

  • Individual login data such as user name and password are required to use the systems.
  • A password policy is in place.
  • System access authorizations that are no longer needed will be revoked promptly.
  • Logs of all user logins are created.
  • All workstation computers are protected by an antivirus software.
  • The cleaning staff is selected with care and required by the employer to adhere to all data protection rules.

c. Data access control

Measures ensuring that persons authorized to use a data processing system can only access data covered by their data access permission and that no personal data can be read, copied, altered or removed by unauthorized persons while they are processed, used and after they were stored.

  • Permission to read, copy, alter or delete data is only granted to persons entrusted with the task to collect, use and process this data within the framework of the agreed order processing. Clearly specified rules apply for granting data access permissions in this context that include a differentiated data access (read, alter, delete) and regulate data access on different levels.
  • Lockable cabinets or drawers can be used to secure printed documents against unauthorized reading or access after an employee has left the workplace.
  • A firewall protects your data against access from untrustworthy networks (e.g. the internet).
  • These safety devices are regularly examined for their effectiveness.
  • Printed documents and mobile data storage media are stored in lockable cabinets, cupboards or drawers ("clean desk" principle).

d. Data separation control

Measures ensuring that data collected for different purposes can be processed separately.

  • A logical separation of data is carried out with regard to personal data of different principals (client principle).

2. Integrity

a. Transmission control

Measures ensuring that personal data cannot be read, copied, altered or removed during electronic transmission or during transport or storage on data carriers by unauthorized persons and that it can be checked and verified to whom a transmission of personal data through data transmission devices is intended.

  • The use of external data carriers (USB sticks, external hard drives, CDs, DVDs) outside the protected company's premises is not permitted.
  • Data destruction in accordance with data protection regulation is ensured. In case of paper documents, destruction is ensured by the use of a shredder in accordance with the required level of protection. Data carriers (e.g. defective hard discs) shall be physically destroyed.

b. Data input control

Measures ensuring that it can be subsequently checked and verified whether and by whom personal data were entered, altered or removed in/from data processing systems.

  • Records are kept to ensure that it can be subsequently checked and verified whether and by whom personal data were entered, altered or removed in/from data processing systems.
  • Records are also kept on administration activities.
  • Write protection prevents overwriting of data.

3. Availability and robustness

a. Availability control

Measures ensuring that personal data are protected against accidental destruction or loss.

  • If contractually agreed, data is protected against accidental destruction or loss.
  • A backup and recovery concept is in place.
  • Regular testing takes place to see whether it is possible to seamlessly restore data on the backups.
  • Regular emergency drills are held where emergency situations (e.g. fires) are simulated and the restoration of data is practiced.

b. Immediate recoverability

Measures ensuring that personal data can be immediately recovered in case of a physical or technical incident.

  • A concept for the recovery of operations after an emergency is in place.

4. Procedure for regular review, assessment and evaluation

a. Data protection management

  • A data protection and security concept, which is reviewed at regular intervals, is in place.
  • The data protection and security concept shall be adapted to changing conditions.

b. Order control

Measures ensuring that personal data, which is processed on order, can only be processed in accordance with the principal’s directives.

  • The service description agreed on as the basis of the order processing between contractor and principal unequivocally determines the nature, extent and purpose of the data processing.
  • All employees responsible for the execution of the order processing are informed about the range of services.
  • Cloud solutions are applied, where applicable, for the agreed order processing. The computer centers used are located in the EU. All data communication via cloud is encrypted.
  • The contractor has appointed a data protection officer.

Encryption of personal data

All information that you provide to DR-WALTER GmbH (DR-WALTER) by using our services or by filling in forms, thereby declaring your consent to the collection, processing and use of said data, are encrypted and sent to our servers across a secure connection, where they are saved and secured. For this purpose, we use the state-of-the-art technology Secure Sockets Layer (SSL). This procedure encrypts the entire data transfer between your browser and the servers used by DR-WALTER, thereby protecting your data from manipulations and unauthorized access by a third party during the submission.

Exception: You use your email program.

Emails that you send us through your email program are not encrypted. People with a certain technical know-how can therefore always intercept and read other people’s emails. To avoid that from happening, please always use our contact forms or give us a call.

Emails sent by us can also be intercepted. Therefore, we transmit sensitive information not by email but by regular mail or by calling you directly.

In accordance with Article 28 Paragraph 3 EU GDPR, DR-WALTER guarantees that all employees who are authorized to process personal data engage themselves to confidentiality.

If you have any questions or comments, please contact our Data Protection Officer directly:

Bianca Mahlberg
DR-WALTER
Eisenerzstr. 34
53819 Neunkirchen-Seelscheid
Germany

E-Mail: datenschutz@dr-walter.com
T +49 2247 9194-822
F +49 2247 9194-40

Bianca Mahlberg