Joint Data Processing – Technical and Organizational Measures

Where AMBOSS SE (“AMBOSS”) processes personal data as a joint controller together with an institution (“Institutional Partner”, AMBOSS and the Institutional Partner individually “Party” and collectively “Parties”), the Parties implement the following technical and organizational measures to ensure a level of protection appropriate to the risk to the rights and freedoms of the users concerned. The Parties may introduce alternative measures insofar as the change does not fall below the level of protection provided by the measures specified below.

1. Technical and Organizational Measures of the Institutional Partner

The Institutional Partner ensures, in accordance with Art. 32 para. 1 lit. b GDPR, that the access data provided to its employees cannot fall into the hands of unauthorized persons and implements a suitable authorization concept for this purpose. In addition, the Institutional Partner obliges its employees/educators who receive access to personalized usage data to comply with the joint controllership agreement, in particular with regard to the limitations on usage purposes.

2. Technical and Organizational Measures of AMBOSS

This section summarizes the technical and organizational measures taken by AMBOSS within the meaning of Art. 32 para. 1 GDPR with regard to personalized usage data. These are measures with which AMBOSS protects personal data in this context. AMBOSS’ data protection officer is heyData GmbH, Schützenstraße 5, 10117 Berlin, www.heydata.eu, email: datenschutz@heydata.eu.

a) Pseudonymization and Encryption (Art. 32 para. 1 lit. a GDPR)

The following implemented measures protect personal data from unauthorized access:

  • Provision of data via encrypted connections such as SFTP or HTTPS
  • Pseudonymization of personal data after expiry of the statutory deletion period or in the event of disclosure

b) Confidentiality (Art. 32 para. 1 lit. b GDPR)

aa) Access control to systems

The following implemented measures prevent unauthorized persons from gaining access to the data processing systems:

  • Authentication with user name and password
  • Use of anti-virus software
  • Use of firewalls
  • Use of mobile device management
  • Use of VPN technology for remote access
  • Encryption of data carriers
  • BIOS protection (separate password)
  • Automatic desktop lock
  • Encryption of notebooks/tablets
  • Central password rules
  • Use of 2-factor authentication
  • General company policy on data protection or security
  • Company policy for secure passwords
  • Company policy on the use of mobile devices
  • General instruction to lock the desktop manually when leaving the workstation

bb) Access control to data

The following implemented measures ensure that unauthorized persons have no access to personal data:

  • Physical deletion of data carriers before they are reused
  • Logging the destruction of data
  • Logging of access to applications (in particular when entering, changing and deleting data)
  • Use of an authorization concept
  • Number of administrators is kept as small as possible
  • Management of user rights by system administrators

cc) Separation control

The following measures ensure that personal data collected for different purposes is processed separately:

  • Separation of production and test system
  • Logical client separation (on the software side)
  • Establishment of an authorization concept
  • Definition of database rights

c) Integrity (Art. 32 para. 1 lit. b GDPR)

aa) Transfer control

It is ensured that personal data cannot be read, copied, changed or removed without authorization during transmission or storage on data carriers and that it is possible to check which persons or bodies have received personal data. The following measures have been implemented to ensure this:

  • Setting up VPN tunnels
  • Wi-Fi encryption (WPA2 with strong password)
  • Provision of data via encrypted connections such as SFTP or HTTPS
  • Ban on uploading company data to external servers

bb) Input control

The following measures ensure that it is possible to check who has processed personal data in data processing systems and at what time:

  • Logging the entry, modification and deletion of data
  • Manual or automatic control of the logs
  • Create an overview of which applications can be used to enter, change and delete which data
  • Traceability of data entry, modification and deletion through individual user names (not user groups)
  • Assignment of rights to enter, change and delete data on the basis of an authorization concept
  • Clear responsibilities for deletions

cc) Order control

The following measures ensure that personal data can only be processed in accordance with the instructions:

  • Written instructions to the contractor or instructions in text form (e.g. through a data processing agreement)
  • Ensuring the destruction of data after completion of the order, e.g. by requesting corresponding confirmations
  • Confirmation from contractors that they commit their own employees to data secrecy (typically in the data processing agreement)
  • Careful selection of contractors (especially with regard to data security)

d) Availability and Resilience (Art. 32 para. 1 lit. b GDPR)

The following measures ensure that personal data is protected against accidental destruction or loss and is always available:

  • Hosting with a professional hoster
  • Regular data recovery tests and logging of the results
  • Regular backups

e) Ability to quickly restore the availability of and access to personal data in the event of a physical or technical incident (Art. 32 para. 1 lit. c GDPR)

The following measures ensure that personal data is protected against accidental destruction or loss and is always available to the client:

  • Hosting (at least of the most important data) with a professional hoster. The hoster is Amazon Web Services (AWS). AWS supports 143 security standards and compliance certifications, including PCI-DSS, HIPAA/HITECH, FedRAMP, GDPR, FIPS 140-2 and NIST 800-171. AWS also holds certifications for compliance with ISO/IEC 27001:2022, 27017:2015, 27018:2019, 27701:2019, 22301:2019, 20000-1:2018, 9001:2015 and CSA STAR CCM v4. This supports rapid recovery of the data processing systems.

f) Procedures for regular review, assessment and evaluation (Art. 32 para. 1 lit. d GDPR; Art. 25 para. 1 GDPR)

aa) Data protection management

The following measures shall ensure that the organization meets the basic requirements of data protection law:

  • Use of the heyData platform for data protection management
  • Appointment of the data protection officer heyData
  • Obligation of employees to maintain data secrecy
  • Regular data protection training for employees
  • Maintaining an overview of processing activities (Art. 30 GDPR)
  • A procedure is in place to regularly review, assess and evaluate the effectiveness of technical and organizational measures to ensure the security of processing

bb) Incident response management

The following measures ensure that reporting processes are triggered in the event of personal data breaches:

  • Reporting process for personal data breaches according to Art. 4 (12) GDPR to the supervisory authorities (Art. 33 GDPR)
  • Notification process for personal data breaches in accordance with Art. 4 (12) GDPR to the data subjects (Art. 34 GDPR)
  • Involvement of the data protection officer in security incidents and data breaches
  • Use of anti-virus software
  • Use of firewalls

cc) Data protection-friendly default settings (Art. 25 para. 2 GDPR)

The following implemented measures take into account the requirements of the principles of "privacy by design" and "privacy by default":

  • Training of employees in "privacy by design" and "privacy by default"
  • No further personal data is collected than is necessary for the respective purpose