Additional Services

Technical and organizational measures (TOMs)

What are TOMs and why do I need them?

TOMs refer to security measures for the protection of processed personal data.

According to Article 32 of the GDPR, controllers and processors are required to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the processing of personal data.

The GDPR requires companies to have in place adequate TOMs to protect personal data from:

  • unauthorized access
  • disclosure
  • alteration
  • destruction
  • and other forms of unlawful processing.

What do I need to consider when selecting TOMs?

There are various ways in which TOMs can be implemented. A web service with ISO certification will require different measures than an on-premises server located in the company’s own server room.

The measures should take into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of the processing, as well as the risks to individuals’ rights and freedoms.

Georgine Berger

"The selection of the right TOMs has immense legal implications. The same data processing activity may be lawful with appropriate TOMs, but illegal with inadequate TOMs."

Examples for TOMs

TOMs may include, but are not limited to:

  • voluntary appointment of a data protection officer
  • data protection training to staff members
  • setting up of procedures to manage access
  • establishment of an internal complaints handling mechanism
  • pseudonymization
  • encryption of personal data
  • access controls
  • backup and recovery systems
  • regular security assessments and audits

How do I implement TOMs in practice?

There are various ways to make TOMs part of your company’s culture.

Smart ways to transform theoretical TOMs into applied practice by employees and subcontractors include the following:

  • employment contract addendas
  • works agreements
  • non-disclosure agreements

Peter Harlander

"It is crucial to have verification mechanisms in place. TOMs must be implemented in practice. They are not meant to exist only in theory."

Privacy by design and privacy by default

Privacy by design and privacy by default are essential GDPR concepts. Organizations must consider privacy by design and privacy by default when implementing TOMs to protect personal data.

Privacy by design

Privacy by design means that data protection and privacy should be integrated into the design of products and systems from the outset, rather than added as an afterthought. This involves considering privacy and data protection implications throughout the entire development lifecycle, including planning, design, implementation, and maintenance.

Georgine Berger

"Data protection must be considered from the moment a product idea arises, not when the product is already developed."

Privacy by default

Privacy by default means that the highest level of privacy and data protection should be the default setting for any system, product or service. This means that privacy should be automatically enabled, and individuals should not have to take any specific actions to activate privacy measures.

Sebastian Riedmair

"Privacy settings should be set to the most secure and privacy-friendly options by default, and individuals should not have to take any specific actions to enable these settings."

Data Protection Impact Assessment (DPIA)

A Data Protection Impact Assessment (DPIA) is a key tool in ensuring that the TOMs are appropriate and in compliance with the GDPR.

DPIAs are mandatory in situations where the processing of personal data is likely to result in a high risk to the rights and freedoms of natural persons.

What is the penalty for inadequate TOMs?

Failure to implement adequate TOMs can result in a data breach or other data protection violations, which may lead to high penalties under the GDPR.

For not having inadequate TOMs in place, the GDPR provides for an administrative fine of up to €10 million or 2% of the total worldwide annual revenue of the preceding financial year, whichever is higher.

The specific amount of the penalty depends on several factors, including the nature, gravity, and duration of the infringement, the level of responsibility of the data controller or processor, and any mitigating or aggravating factors.

Inadequate TOMs implementation can also result in reputational damage, loss of customer trust, and legal liability in case of a data breach.

Also, data subjects may pursue legal action against the company for failing to implement adequate TOMs and protect their personal data.

Additionally, regulatory bodies other than data protection authorities, such as consumer protection agencies, may also take action against the company.

Therefore, it is essential for organizations to implement appropriate and effective TOMs to ensure compliance with the GDPR and protect personal data.

FAQs

There are several TOMs that can be implemented, depending on a company’s specific needs and risks. It very much depends on what personal data is being processed. What kind of TOMs are suitable or necessary for the respective data processing activities must be assessed on a case-by-case basis.

In any case, the size of the company is not a suitable guide. For example, a bakery with 500 employees will most likely need fewer TOMs than a two-man company in the field of cyber security.

Our team will be happy to assist you in the in the selection of appropriate TOMs.

There are all kinds of TOMs. The following examples are the most commonly utilized:

  • voluntary appointment of a data protection officer
  • data protection training to staff members
  • setting up of procedures to manage access
  • establishment of an internal complaints handling mechanism,
  • pseudonymization
  • encryption of personal data,
  • access controls,
  • backup and recovery systems
  • regular security assessments and audits

TOMs stands for Technical and Organizational Measures and refers to the security measures that companies must take to protect personal data in accordance with the GDPR.

Failure to implement adequate TOMs can result in a data breach or other data protection violations, which may lead to high penalties under the GDPR.

For not having inadequate TOMs in place, the GDPR provides for an administrative fine of up to €10 million or 2% of the total worldwide annual revenue of the preceding financial year, whichever is higher.

There must be a general description of the TOMs in the RoPA. However, this description does not have to be detailed. A too detailed description of the TOMs in the RoPA is even counterproductive because it may lead to the disclosure of the security mechanism.

According to Article 13 and 14 GDPR, the controller must provide certain information to the data subject. A description of the TOMs is not required. However, your privacy policy should include information about how you ensure data privacy and what safeguards you have in place to protect the data. This will help you create transparency and trust in your privacy practice.

  • Access Control: Access control refers to measures taken to control physical or digital access to data processing facilities. It involves implementing systems and procedures to prevent unauthorized individuals from gaining entry to areas where personal data is stored or processed. This can include using electronic access systems, employing security personnel, or implementing access control mechanisms such as key cards or biometric authentication.
  • Similar to physical access control, digital access control focuses on preventing unauthorized individuals or entities from accessing data processing systems or networks. This involves implementing security measures such as encryption, strong authentication methods (e.g., multi-factor authentication), and robust password policies.
  • Disclosure Control: Disclosure control focuses on preventing the unauthorized disclosure or exposure of data. It involves implementing strong encryption techniques to protect data both at rest and during transmission.
  • Input Control: Input control involves monitoring and tracking all interactions with personal data. Also, input control can be used to ensure that only certain data can be edited. It includes implementing logging systems that record and track every access, modification, or deletion of data. By maintaining a detailed log of data activities, organizations can identify any unauthorized or suspicious activities and trace them back to specific users or processes.
  • Contract Control: Contract control refers to the establishment and enforcement of contracts or agreements, such as data processing agreements (DPAs), between data controllers and data processors. These agreements outline the specific responsibilities, obligations, and safeguards that the data processor must adhere to when processing personal data on behalf of the data controller. Contract control ensures that the processing of personal data is conducted in accordance with the requirements and instructions of the data controller, promoting transparency and accountability.
  • Availability Control: Availability control focuses on ensuring that personal data is available and accessible when needed. This involves implementing measures such as firewalls, intrusion detection systems, backup systems, and disaster recovery plans. By safeguarding against data loss, system failures, or malicious attacks, availability control ensures that personal data remains accessible and usable for legitimate purposes.
  • Separation Principle: The separation principle emphasizes the need to keep different types of data or data collected for different purposes separate and distinct. This ensures that data collected for a specific purpose is not used or processed for unrelated purposes.

Both, controller and processor must take appropriate TOMs to ensure a level of protection commensurate with the risk. This obligation applies to both equally. The controller and the processor must implement the TOMs autonomously and independently of each other, for the processing activities they perform.

When creating and selecting the TOMs, a person with both technical and legal affinity should be involved.

Our team, which consists of people from both areas, will be happy to assist you.

Yes, as controller you must review the TOMs of your processor and sub-processors.

No, the obligation to take appropriate TOMs is not subject to consent or waiver by the data subject.

For example, if a data subject wants his or her doctor to send health records (“sensitive data”) by e-mail, the doctor may only do so in the use of appropriate TOMs, such as encryption of the sensitive data, even if he has the consent of the data subject to send the data unencrypted.

Scroll to Top
legalweb.io
Privacy
Thank you for visiting dataprotectionofficer.io, the website of Formamentum Technology GmbH in Österreich. We use technologies from partners (1) to provide our services. These include cookies and third-party tools to process some of your personal data. These technologies are not strictly necessary for the use of the website, but they do enable us to provide a better service and to interact more closely with you. You can adjust or withdraw your consent at any time.
asd as asd