Technical and organisational measures (TOM)


For its area of responsibility, the contractor ensures the implementation of, and compliance with, the technical and organisational measures agreed upon in this appendix. In particular, the contractor will design its internal organisation so as to comply with data protection requirements.

The contractor will implement appropriate technical and organisational measures to protect customer data from misuse or loss, in accordance with the requirements of the GDPR.

This includes in particular:

1. Confidentiality (Article 32, paragraph 1, point (b) GDPR)

Access control

Objective: Preventing unauthorised persons from gaining physical access to data-processing equipment

A key is needed to enter CRIF premises; in addition, a security card or passive transponder system is installed. Turnstiles, an alarm system, a security service and camera systems further secure the CRIF main entrances and technical rooms.

Visitors are received at reception and collected by a member of the relevant department. Persons without access authorisation may not move through the premises on their own; they must be accompanied by a CRIF employee. Office areas are structured according to areas of responsibility.

Access to engineering rooms

Engineering rooms are located inside our office buildings and are secured by a chip card system and/or PIN key locks.

Access to the data centre

The data centre premises are fenced; the gate can only be opened with a dedicated chip card system. A camera system and our security service complete these measures.

The entrance is secured by an alarm system, and the doors can only be opened with a chip card together with a double PIN code. The chip card is stored in a safe to which only authorised staff of the IT operations department have access. Each removal of the chip card is documented. The list of authorised persons is reviewed regularly and updated promptly. External maintenance personnel may only enter the data centre accompanied by an authorised person.

System access control

Objective: Preventing unauthorised persons from using data-processing systems

Without valid authentication and authorisation, no transaction is possible throughout the entire CRIF data-processing system. Access to all systems is secured by several security measures.

Systems can only be accessed with a username and password; passwords are subject to complexity rules (minimum length, special characters, etc.).

User credentials are issued by the HelpDesk upon written application. The user must change the password after the first login.

In addition, the user must change the password at regular intervals, and the system prevents the reuse of previous passwords. Incorrect login attempts lead to the user account being locked; it is unlocked by the HelpDesk only after the user's identity has been verified, and a new password is assigned at the same time.

The internal local area network (LAN) is divided into several segments by virtual local area network (VLAN) technology. The segments include production systems, test systems and office systems.

The gateways between segments are protected by firewall systems and are monitored. Unused LAN ports are physically locked and are only brought into operation in a controlled manner.

Transitions from the internal network to external networks (Internet, partner networks or customer networks) are only possible at central points, which are secured by a multilevel firewall system, monitored, and regularly checked by both CRIF and third parties (e.g. penetration tests).

Data access control

Objective: Limited access for authorised users; protection against unauthorised reading, copying, modification or deletion of data

Each user is assigned only the functions required for their activities; these are tied to the user's username.

Users receive passwords from the HelpDesk for accessing the applications that process personal data. Throughout the CRIF system, no transaction is possible without valid authentication and authorisation.

The users of the applications have access to personal data only to the extent required for the specific role (need-to-know principle). In addition, data and documents are stored and transmitted in an encrypted form as far as necessary and technically possible.

This prevents activities in CRIF systems beyond the granted authorisations, and ensures a needs-based design of the authorisation concept and access rights, together with their monitoring and logging.

Separation control

Objective: Ensuring that data collected for different purposes is processed separately

Data access is only possible under the authorisation concepts and only for the purposes required. The databases of the operated applications are run separately, so that one application cannot access another application's data. Every external data input and every record read in is clearly identifiable by a reference number. Every access to the data via the products is clearly identifiable and traceable. Transactions are logged separately.

Customer data is separated logically on the basis of individual customer accounts. Multi-client capability is a mandatory requirement for the IT systems used. Data collected for different purposes is also processed separately.

When operating a customer's multi-credit-reporting strategy on the CRIF CSP platform:

  • CRIF is able to answer a request at any time, even if an external source is not available.
  • CRIF is able to provide inquiry information separately for each data source used, because every source and/or inquiry is referenced.
  • The origin of the data is traceable at any time, in particular when, why and by whom the data was collected and saved.
  • Transaction data is kept separate from the personal data pool, and is not modified or used for another purpose.

Data belonging to CRIF and data provided by external information bureaus as part of the transaction data are clearly distinguishable at all times.

2. Integrity (Article 32, paragraph 1, point (b) GDPR)

Transfer control

Objective: Protecting personal data from unauthorised reading, copying, changing or deletion, and ensuring traceability of data transfer operations

Access to the database is granted to the user via FTP (file transfer protocol) over an encrypted tunnel or SFTP (SSH file transfer protocol), or via web services secured by HTTPS (Hypertext Transfer Protocol Secure). Both the authentication and the transmission of the data are secured. In consultation with the customer, and depending on the protection requirements of the data, a variety of state-of-the-art encryption methods are offered.

Each request for information is logged in the system in such a way that it can be checked at any time which data has been stored, processed or transmitted, and by whom. Likewise, the recipient of a data transmission can be determined. When personal data is transferred via a direct connection, it is encrypted as a general rule. As standard, communication with external clients is encrypted using HTTPS and/or a VPN (virtual private network). Data transmitted by email (SMTP) is PGP-encrypted. File transfers require SFTP or file-level encryption.

Discarded computer hardware, data carriers, and documents or printed lists that are no longer required are destroyed by a certified disposal service. The items are removed in a dedicated lockable data container and disposed of properly. The destruction is logged and the destruction record is made available to CRIF.

Input control

Objective: Traceability of data entry, modification and deletion

Data is entered via automated processes. These are tested in advance on test systems and are subject to a standardised approval process. Every automated input is logged and is traceable at any time via a unique process and transaction ID.

Using the input data log, the original state can be restored at any time.

Based on a role and rights concept, CRIF employees are assigned different authorisations depending on their function and the data records they process. Data processing by employees is logged.

Individual manual entries are made through a program that logs the individual steps and activities of the specific user. The input program is also subject to CRIF's standardised approval process.

The traceability and documentation of data management and maintenance is guaranteed. Measures for subsequently verifying whether, and by whom, data has been entered, changed or deleted are in place.

3. Availability and resilience (Article 32, paragraph 1, point (b) GDPR)

Availability control

Objective: Protection against data loss, and timely data recovery

The availability of productive data is ensured by the operating techniques used (including storage area network (SAN), virtualisation and mirroring) and data backup.

Network components such as NICs and switches, as well as carrier connectivity, are configured redundantly and backed by service level agreements (SLA/UC). Both components and connections are monitored by the providers and by CRIF.

In production, every server is deployed at least twice. In the event of a failure, the other server takes over automatically. Virtualisation ensures fast deployment. The transaction logs of the production databases also allow the production system to be recovered after a failure involving data loss.

In addition, data is backed up several times to magnetic tape. Tape cartridges are held both on-site and off-site in secure locations. Restore and retrieval are tested on a regular basis (automated tests and spot checks).

CRIF also runs an emergency data centre (geo-redundancy), where all production services are available.

Protective measures against damage caused by fire and water are installed in the decentralised technical rooms. All databases relevant to production are stored centrally in the data centre.

4. Regular review, assessment and evaluation procedures (Article 32, paragraph 1, point (d) GDPR)

Order control

Objective: Data is processed only in accordance with the client's instructions

Orders placed and processed at CRIF use standard processes. The order processing relevant to the business areas ‘Risk’, ‘Solutions’ and ‘Recovery’ is documented in writing by CRIF as the processor.

Data collection

In automated data collection, orders (Einmeldungen, i.e. reports) are delivered as files, each carrying a processing status. The customer is clearly identifiable by reference. Each file and each message receives a unique ID.

Depending on its processing status, an order represents:

  1. a new entry,
  2. a deletion, or
  3. an update.

The individual orders are stored in the history. Data is always stored in the tables designated for that purpose.

Provision of information

Customer inquiries are processed via products, which are configured according to the contract with the customer. Each customer inquiry is made only within that customer's context.

Data transmitted from external credit bureaus is not reused for any other provision of information.

Using a unique reference system in the logs, it is possible to trace at any time which data was provided for which requests (orders).

Processing in accordance with the client's instructions is guaranteed, and technical and organisational measures delimiting the authorisations of the client and the contractor are in place.

Miscellaneous

Monitoring by the supervisory authority

Because of its activity as a credit bureau, CRIF is subject to regular reviews by the competent supervisory authority. For CRIF, this is the Bavarian State Office for Data Protection Supervision (BayLDA).

Commitment of employees to data secrecy; security policy

The data protection officer trains employees in, and monitors their compliance with, data protection regulations. All employees involved in data processing are informed of the data protection requirements, and each employee has given a formal commitment to data secrecy.

Furthermore, CRIF employees are bound by an internal security policy, based on internal security standards, which they must sign and adhere to.