
If GÉANT, as Data controller (DC), engages another organization as Data processor (DP) to process personal data on behalf of GÉANT, the requirements defined in Article 28 of the GDPR should be met and an appropriate Data processing agreement (DPA) should be signed between GÉANT and the DP.

Outline of DPA

Legal framework

The DPA should contain a common legal framework based on GDPR requirements.

Security measures (DRAFT)

The DPA should define security measures that ensure the protection of personal data. When properly implemented, they provide assurance that the DP can adequately protect the rights of data subjects. Security measures are service specific and depend on architecture, scope and other factors. The following list of general security measures can be used as a reminder. The chosen and applicable measures should be elaborated in more detail as appropriate.

  1. personnel - trained in data security; they have signed an AUP or Statement of Confidentiality concerning personal data
  2. access management - only authorized personnel can access data, strong passwords or 2-factor authentication are used for access, and access to data is logged
  3. access protection - firewall or ACL protection
  4. stored data protection - pseudonymisation, anonymisation, database encryption, hard disk and removable media encryption, data encryption
  5. data transfer protection - during transfer, data are protected with secure encryption methods such as TLS, VPN, WPA2 for wireless, SSH
  6. vulnerability management - software is patched in a timely manner; regular vulnerability scanning or penetration testing of applications or systems
  7. malware protection - antivirus, email antimalware protection, education of personnel
  8. data leak protection - IDS, continuous monitoring, removable media policy
  9. regular backups - stored in a safe place, encrypted, with restores regularly tested
  10. incident management - quick incident response, timely reporting of all incidents to the data controller
  11. DDoS protection - network or application level

DPA approval procedure

The process of drafting, approving and signing the DPA is shown in the following figure (Process).

Roles and their activities

There are several roles involved in this process, and each of them performs the following activities:

...