...

Contains contact information of DC's and DP's Data Protection Officers (DPO).

Example:

Annex 2 - list of personal data

Contains list of all personal data which will be processed by DP and categories of Data subjects involved.

Example:

Annex 3 - specific security measures

...

Besides general security measures defined in main part of DPA, specific security measures which should be applied by DP in order to ensure protection of personal data can be defined. When properly implemented they can provide assurance that DP can provide adequate protection of rights of data subjects. These security measures are service specific and depends on architecture, scope and other factors and those are chosen based on risk assessment. Here is list of some types of security measures . Risk assessment can be used to decide which measures should be implemented.

The following table shows some security measures, grouped be categories, which can be used as reminder. Chosen measures should can be elaborated in more details in DPA, as appropriate. Table shows applicability of each security measure to different parts of data processor: organizational, system administration, network administration and application development. Which security measures and to which extend will be implemented is usually based on risk assessment. Table also shows which principle of Confidentiality, Integrity and Availability (CIA) of personal data is improved by each category of security measures.

Category with security measures	Organization	System admin.	Network admin.	Applications development	C	I	A
Security policy
achieved level n of GÉANT Security Baseline
appropriate security policy
Personnel management
personnel

...

trained in (personal) data security

...

signed AUP or Statement of Confidentiality

...

for (personal) data
Access management
role based access management

...

strong password or 2

...

factor authentication

...

logging of data modification
Access protection
network level (firewall, ACL, …)
server level
application or database level
Stored data protection
pseudonymisation
anonymisation
database encryption

hard disk and removable media encryption

...

other forms of data encryption

...

Data transfered protection
secure transport (IPsec, VPN, wireless, …)
secure remote system access (TLS, RDP, SSH, …)
secure remote application or database access (TLS, SSH, …)
Vulnerability management
timely patching
regular vulnerability scanning of applications or systems
regular penetration testing of applications and systems
Malware protection

end-station malware protection

...

email malware protection

...

education of personnel

...

Data leak protection

...

IDS/IPS
SIEM or continuous monitoring

...

removable media policy
personnel education
Backups
backup policy ensure regular backups

...

stored on safe place

...

backed up data are encrypted
restore is regularly checked

...

Incident management

...

incident response

...

procedure
timely reporting all incident to data controller
(D)DOS protection

...

on network

...

level
on system level
on application level

Annex 4 - data transfers outside EU

Description of personal data transfers outside EU during processing.

Example:

DPA approval procedure

 Process of drafting, approving and signing of DPA is shown on the following figure.

...

• Service support - WP5-T3.6 team which prepare initial agreed draft of DPA, finalize approved version adding reference number and store it to DPA store and update Confluence wiki.
• Service owner - owner of GÉANT's service.
• DPA manager - member of GÉANT, usually with legal background, who negotiate negotiates DPA with DP and approve approves final version.
• Data processor - representative of DP, usually with legal background, who negotiate negotiates and agree agrees with DPA proposed by GÉANT.
• GÉANT representative - representative of the GÉANT authorized to sign the DPA.
• DP representative - representative of the DP authorized to sign the DPA.