Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Contains contact information of DC's and DP's Data Protection Officers (DPO).

Example:

Contact information of the DPO <GÉANT's DPO name> of the Data controller.

GÉANT Vereniging (Association) Hoekenrode 3, 1102BR Amsterdam, The Netherlands

DPO (24x7) <GÉANT's DPO 24x7contact number>

GDPR@geant.org


Contact information of the data protection officer of the Data processor.

<Data processor's DPO contact information (address, phone, email…)>

Annex 2 - list of personal data

Contains list of all personal data which will be processed and categories of Data subjects involved.

Example:

Personal data that will be processed for the purposes of providing technical support for the Service and solving technical problems.

  1. Given Name
  2. Middle Name
  3. Family Name
  4. Email
  5. Telephone number
  6. Postal addresses
  7. IP address
  8. Affiliation

Categories of data subjects: individuals from Research & Academia community using the Service.

Annex 3 - specific security measures

...

The following table shows some security measures, grouped be categories, which can be used as reminder. Chosen measures can be elaborated in more details in DPA, as appropriate. Table shows applicability of each security measure to different parts of data processor: organizational, system administration, network administration and application development. Which security measures and to which extend will be implemented is usually based on risk assessment. Table also shows which principle of Confidentiality, Integrity and Availability (CIA) of personal data is improved by each category of security measures.

Category with security measures

OrganizationSystem
admin.
Network
admin.
Applications
development
CIA
Security policy


achieved level n of GÉANT Security Baseline






appropriate security policy






Personnel management


personnel trained in (personal) data security






signed AUP or Statement of Confidentiality for (personal) data






Access management


role based access management






strong password or 2 factor authentication






logging of data modification






Access protection


network level (firewall, ACL, …)






server level






application or database level






Stored data protection


pseudonymisation






anonymisation






database encryption






hard disk and removable media encryption






other forms of data encryption






Data transfered protection


secure transport (IPsec, VPN, wireless, …)






secure remote system access (TLS, RDP, SSH, …)






secure remote application or database access (TLS, SSH, …)






Vulnerability management


timely patching






regular vulnerability scanning of applications or systems






regular penetration testing of applications and systems








Malware protection


end-station malware protection






email malware protection






education of personnel






Data leak protection


IDS/IPS






SIEM or continuous monitoring






removable media policy






personnel education






Backups


backup policy ensure regular backups






stored on safe place






backed up data are encrypted






restore is regularly checked






Incident management


incident response procedure






timely reporting all incident to data controller






(D)DOS protection


on network level








on system level






on application level






Annex 4 - data transfers outside EU

Description of personal data transfers outside EU during processing.

Example:

Transfers to countries outside the European Economic Area without a suitable level of protection for which the Data controller has granted its authorisation:

Not applicable.

DPA approval procedure

 Process of drafting, approving and signing of DPA is shown on the following figure.

...

  • Service support - WP5-T3.6 team which prepare initial agreed draft of DPA , finalize approved version adding reference number and store it to DPA store and update Confluence wiki.
  • Service owner - owner of GÉANT's service.
  • DPA manager - member of GÉANT, usually with legal background, who negotiate negotiates DPA with DP and approve approves final version.
  • Data processor - representative of DP, usually with legal background, who negotiate negotiates and agree agrees with DPA proposed by GÉANT.
  • GÉANT representative - representative of the GÉANT authorized to sign the DPA.
  • DP representative - representative of the DP authorized to sign the DPA.