When GÉANT, as Data controller (DC), engage another organization as Data processor (DP) to process personal data on behalf of GÉANT, requirements defined in Article 28. of GDPR should be met and appropriate Data processing agreement (DPA) should be signed between GÉANT and DP.

Outline of DPA

Main part

Main part of DPA contains legal framework based on GDPR requirements which is common for all services. Regarding security of processing the following general security measures are defined:

  1. measures to ensure that the Personal Data can be accessed only by authorized personnel for the purposes set forth in Annex 2 of this Data Processing Agreement;
  2. In assessing the appropriate level of security account shall be taken in particular of all the risks that are presented by processing, for example from accidental or unlawful destruction, loss, or alteration, unauthorized or unlawful storage, processing, access or disclosure of Personal Data;
  3. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  4. measures to identify vulnerabilities with regard to the processing of Personal Data in systems used to provide services to the Data controller;
  5. measures to identify malicious activity or breach;
  6. measures to audit access control and privileges;

More specific security measures are defined in Annex 3.

Annex 1 - contact information

Contains contact information of DC's and DP's Data Protection Officers (DPO).

Annex 2 - list of personal data

Contains list of all personal data which will be processed and categories of Data subjects involved.

Annex 3 - specific security measures

Besides general security measures defined in main part of DPA, specific security measures which should be applied by DP in order to ensure protection of personal data can be defined. When properly implemented they can provide assurance that DP can provide adequate protection of rights of data subjects. These security measures are service specific and depends on architecture, scope and other factors and those are chosen based on risk assessment. Here is list of some types of security measures which can be used as reminder. Chosen measures should be elaborated in more details as appropriate.

  1. organization - appropriate security policy
  2. personnel - trained in data security; signed AUP or Statement of Confidentiality concerning personal data
  3. access management - strong password or 2-factor authentication are used for authorization; access to data and data modifications are logged
  4. access protection - firewall or ACL protection
  5. stored data protection - pseudonymisation; anonymisation; database encryption; hard disk and removable media encryption; other forms of data encryption
  6. data transfer protection - during transfer data are protected with secure versions of encryption methods such as TLS, VPN, SSH, secured wireless...
  7. vulnerability management - software are timely patched; regular vulnerability scanning or penetration testing of applications or systems
  8. malware protection - end-station malware protection; email malware protection; education of personnel
  9. data leak protection - IDS; continuous monitoring; removable media policy
  10. regular backups - stored on safe place; encrypted; restore regularly checked
  11. incident management - incident response; timely reporting all incident to data controller
  12. (D)DOS protection - on network, system or application level

Aim of applying security measures is to ensure Confidentiality, Integrity and Availability (CIA) of personal data. The following table shows in more details which principle of CIA is improved by each class of security measures. Also, it shows applicability of each security measure to different parts of data processor: organizational, system administration, network administration and application development. Which security measures and to which extend will be implemented is usually based on risk assessment.


CIA

Class of security

measures

Security measureOrganizationSystem
admin.		Network
admin.		Applications
development



security policyappropriate security policy






personneltrained in (personal) data security







signed AUP or Statement of Confidentiality for (personal) data






access managementstrong password or 2 factor authentication







logging of data modification






access protectionfirewall, ACL, …






stored data protectionpseudonymisation







anonymisation







database encryption







hard disk and removable media encryption







other forms of data encryption






data transfer protectionsecure transport (IPsec, VPN, wireless, …)







remote system access (TLS, RDP, SSH, …)







remote application access (TLS, SSH, …)






vulnerability managementtimely patching







regular vulnerability scanning of applications or systems







regular penetration testing of applications and systems








malware protectionend-station malware protection







email malware protection







education of personnel






data leak protectionIDS







continuous monitoring







removable media policy







personnel education






regular backupsbackup policy







stored on safe place







encrypted







restore regularly checked






incident managementincident response procedure







timely reporting all incident to data controller






(D)DOS protectionon network, system or application level




Annex 4 - data transfers outside EU

Description of personal data transfers outside EU during processing.

DPA approval procedure

 Process of drafting, approving and signing of DPA is shown on the following figure.

Roles and their activities

There are several roles involved in this process and each of them perform the following activities: