...
Contains contact information of DC's and DP's Data Protection Officers (DPO).
Example:
Contact information of the DPO <GÉANT's DPO name> of the Data controller. GÉANT Vereniging (Association) Hoekenrode 3, 1102BR Amsterdam, The Netherlands DPO (24x7) <GÉANT's DPO 24x7contact number> Contact information of the data protection officer of the Data processor. <Data processor's DPO contact information (address, phone, email…)> |
Annex 2 - list of personal data
Contains list of all personal data which will be processed by DP and categories of Data subjects involved.
Example:
Personal data that will be processed for the purposes of providing technical support for the Service and solving technical problems.
Categories of data subjects: individuals from Research & Academia community using the Service. |
Annex 3 - specific security measures
Besides general security measures defined in main part of DPA, specific security measures which should be applied by DP in order to ensure protection of personal data can be defined. When properly implemented they can provide assurance that DP can provide adequate protection of rights of data subjects. These security measures are service specific and depends on architecture, scope and other factors and those are chosen based on risk assessment. Here is list of some types of security measures . Risk assessment can be used to decide which measures should be implemented.
The following table shows some security measures, grouped be categories, which can be used as reminder. Chosen measures should can be elaborated in more details as appropriate.
- organization - appropriate security policy
- personnel - trained in data security; signed AUP or Statement of Confidentiality concerning personal data
- access management - strong password or 2-factor authentication are used for authorization; access to data and data modifications are logged
- access protection - firewall or ACL protection
- stored data protection - pseudonymisation; anonymisation; database encryption; hard disk and removable media encryption; other forms of data encryption
- data transfer protection - during transfer data are protected with secure versions of encryption methods such as TLS, VPN, SSH, secured wireless...
- vulnerability management - software are timely patched; regular vulnerability scanning or penetration testing of applications or systems
- malware protection - end-station malware protection; email malware protection; education of personnel
- data leak protection - IDS; continuous monitoring; removable media policy
- regular backups - stored on safe place; encrypted; restore regularly checked
- incident management - incident response; timely reporting all incident to data controller
- (D)DOS protection - on network, system or application level
Aim of applying security measures is to ensure Confidentiality, Integrity and Availability (CIA) of personal data. The following table shows in more details which principle of CIA is improved by each class of security measures. Also, it shows in DPA, as appropriate. Table shows applicability of each security measure to different parts of data processor: organizational, system administration, network administration and application development. Which security measures and to which extend will be implemented is usually based on risk assessment. Table also shows which principle of Confidentiality, Integrity and Availability (CIA) of personal data is improved by each category of security measures.
Category with security measures | C | I | A | Class of security measures | Security measure | Organization | System admin. | Network admin. | Applications development | security policyC | I | A |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Security policy | ||||||||||||
| achieved level n of GÉANT Security Baseline | ||||||||||||
| appropriate security policy | ||||||||||||
| Personnel management | ||||||||||||
| personnel trained in (personal) data security | ||||||||||||
| signed AUP or Statement of Confidentiality for (personal) data | ||||||||||||
| Access management | ||||||||||||
| role based access management | ||||||||||||
| strong password or 2 factor authentication | ||||||||||||
| logging of data modificationaccess | ||||||||||||
| Access protection | ||||||||||||
| network level (firewall, ACL, …stored ) | ||||||||||||
| server level | ||||||||||||
| application or database level | ||||||||||||
| Stored data protection | ||||||||||||
| pseudonymisation | ||||||||||||
| anonymisation | ||||||||||||
| database encryption | ||||||||||||
| hard disk and removable media encryption | ||||||||||||
| other forms of data encryptiondata transfer | ||||||||||||
| Data transfered protection | ||||||||||||
| secure transport (IPsec, VPN, wireless, …) | ||||||||||||
| secure remote system access (TLS, RDP, SSH, …) | ||||||||||||
| secure remote application or database access (TLS, SSH, …)vulnerability | ||||||||||||
| Vulnerability management | ||||||||||||
| timely patching | ||||||||||||
| regular vulnerability scanning of applications or systems | ||||||||||||
regular penetration testing of applications and systems | ||||||||||||
| Malware protection | ||||||||||||
| end-station malware protection | ||||||||||||
| email malware protection | ||||||||||||
| education of personneldata | ||||||||||||
| Data leak protection | ||||||||||||
| IDS/IPS | ||||||||||||
| SIEM or continuous monitoring | ||||||||||||
| removable media policy | ||||||||||||
| personnel educationregular backups | ||||||||||||
| Backups | ||||||||||||
| backup policy ensure regular backups | ||||||||||||
| stored on safe place | ||||||||||||
| backed up data are encrypted | ||||||||||||
| restore is regularly checkedincident | ||||||||||||
| Incident management | ||||||||||||
| incident response procedure | ||||||||||||
| timely reporting all incident to data controller | ||||||||||||
| (D)DOS protection | ||||||||||||
on network level | ||||||||||||
| on system level | ||||||||||||
| on , system or application level | ||||||||||||
Annex 4 - data transfers outside EU
Description of personal data transfers outside EU during processing.
Example:
Transfers to countries outside the European Economic Area without a suitable level of protection for which the Data controller has granted its authorisation: Not applicable. |
DPA approval procedure
Process of drafting, approving and signing of DPA is shown on the following figure.
...
- Service support - WP5-T3.6 team which prepare initial agreed draft of DPA , finalize approved version adding reference number and store it to DPA store and update Confluence wiki.
- Service owner - owner of GÉANT's service.
- DPA manager - member of GÉANT, usually with legal background, who negotiate negotiates DPA with DP and approve approves final version.
- Data processor - representative of DP, usually with legal background, who negotiate negotiates and agree agrees with DPA proposed by GÉANT.
- GÉANT representative - representative of the GÉANT authorized to sign the DPA.
- DP representative - representative of the DP authorized to sign the DPA.