Argana Consulting GmbH 
Let's rather talk about how to solve the problems.

TOM Technical and Organisational Measures - GDPR Article 32 

Public or private bodies that collect, process or use personal data, either themselves or on behalf of others, must take the technical and organisational measures necessary to ensure compliance with the provisions of the national data protection act, in particular the requirements set out in its Annex, taking into account the "state of the art" (this wording follows the former Section 9 of the German Federal Data Protection Act, BDSG). Measures are only required where the effort involved is proportionate to the intended protective purpose.

In addition to data protection, data security must also be guaranteed at all times. This means that personal data must be protected by appropriate measures. In particular, the measures must ensure that, by default, personal data is not made accessible to an indefinite number of natural persons without the data subject's intervention (Art. 25 (2) GDPR). The controller must also be able to demonstrate that the measures are in place and effective (accountability, Art. 5 (2) GDPR).

Appropriate measures Art. 32 GDPR

The regulation obliges "controllers" (those who decide on the purposes and means of the processing) and processors to take "appropriate technical and organisational measures" (TOM) to protect personal data.

Article 32 GDPR: "Taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of processing, and the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk..."

The controller takes these measures both at the time the means of processing are determined and at the time of the processing itself (Art. 25 (1) GDPR). They are:

  • appropriate technical and organisational measures,
  • designed to implement the data protection principles and
  • to integrate the necessary safeguards into the processing
in order to ensure a level of protection appropriate to the risk.


IT security/protection objectives

The term "technical and organisational measures" appears 21 times in the GDPR. As examples in this context, the regulation cites the rather abstract "ability to ensure the ongoing confidentiality, integrity, availability (CIA) and resilience of processing systems and services", the more concrete "pseudonymisation and encryption of personal data", the ability "to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident", and a process for regularly testing, assessing and evaluating the effectiveness of the measures (Art. 32 (1) lit. a to d GDPR).

  • VIV Vertraulichkeit-Integrität-Verfügbarkeit (German acronym)
  • CIA Confidentiality-Integrity-Availability

The principle of integrity and confidentiality in Art. 5 (1) lit. f GDPR, which requires an appropriate level of security for personal data (assessed from the perspective of the data subject, not only that of the controller), is given concrete form in particular by the provisions of Art. 24, Art. 25 and Art. 32 GDPR.


Important note
The information in this document is only an extract from the GDPR, does not claim to be complete and does not replace the laws, regulations, standards and rules for implementing the GDPR. Rather, it is intended as a guide.