Technical and Organizational Measures of Data Protection at AUTHMETRIK

AUTHMETRIK is aware that the processing of personal data is a major responsibility, especially when this processing is performed using new technologies with high computing power. That is why we at AUTHMETRIK take privacy very seriously.

Under the European General Data Protection Regulation (hereinafter GDPR), it is necessary to ensure data protection by selecting and implementing technical and organizational measures (hereinafter TOMs). The type and extent of the TOMs implemented depend on the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of those concerned (Art. 32 GDPR).

The measures described hereinafter are subject to ongoing technological change and may be adjusted if and insofar as this is required to maintain the security standards.

I. Confidentiality

  • Physical Access Control – All our data centers, offices and other data processing facilities are protected against unauthorized physical access. To this end, AUTHMETRIK implements personalized chip cards, electronic door openers, facility security services or entrance security staff, as well as alarm systems and video surveillance systems in all of our worldwide data processing facilities.

  • Electronic Access Control – AUTHMETRIK ensures that data processing and data storage systems can only be used by authorized persons, by means of two-factor authentication, a password policy following BSI standards, automatic blocking and locking mechanisms, as well as encryption of data carriers and storage media.

  • Internet Access Control (permission for user rights of access to and amendment of data) – AUTHMETRIK ensures that user rights of access to and amendment of data are granted only as permitted, so that personal data cannot be read, copied, changed or deleted without authorization in our IT systems. This follows a strict rights authorization concept with need-based rights of access, and is monitored by logging system access events.

  • Isolation Control – AUTHMETRIK keeps data of different interests, clients and purposes strictly separated.

  • Pseudonymisation – AUTHMETRIK is aware of the principles of data minimization and data avoidance and takes measures of privacy by design and privacy by default, ensuring that personal data is processed in such a way that it cannot be associated with a specific data subject without additional key information, provided that this additional information is stored separately and is subject to appropriate technical and organisational measures, wherever such measures are applicable and sufficient.

II. Integrity

  • Data Transmission Control – AUTHMETRIK ensures that personal data can only be read, copied, changed or deleted by authorized parties during electronic transfer or transport, by implementing high standards of encryption and by providing access to our server spaces from external environments only via Virtual Private Network (VPN).

  • Data Entry Control – All IT systems implemented at AUTHMETRIK make it possible to verify whether and by whom personal data has been entered into a data processing system, changed or deleted.

III. Availability and Resilience

  • Availability Control – The AUTHMETRIK Backup Strategy protects against accidental or willful destruction or loss of personal data, including state-of-the-art virus protection, firewalls, reporting procedures, contingency planning and rapid recovery in emergency situations.

IV. Procedure for regular testing, assessment and evaluation

  • AUTHMETRIK implements a Data Protection Management System following the advice of our external legal experts in privacy and IT law.

  • Order or Contract Control – AUTHMETRIK requires formalized order and contract management, ensuring that no third-party data processing as per Article 28 GDPR takes place without consent and corresponding instructions from our clients, as well as strict controls on the selection of service providers by pre-evaluating their technical and organizational measures of data protection and security, and supervision through follow-up checks.