Agreement regarding Commissioned Data Processing

Annexe 1: technical and organisational measures

Within its sphere of responsibility, DHL Paket GmbH takes the following technical and organisational measures when processing personal data.

Objective: Prevent unauthorised people from gaining access to the data processing equipment by means of which personal data is processed or used.

Principles:
  • Establishment of various security zones (SK1 - SK4). A distinction is generally made between public areas, office space and technical space (data centres, network rooms).
  • Appropriate measures are in place for controlling physical access between security zones with different security classifications.
  • A formal procedure for assigning/changing/revoking access authorisation is in place.
  • A formal procedure for escorting visitors and external personnel is in place.
Measures:
  • Monitored personnel airlocks (mantraps) at the entrances to the security areas
  • Security areas have been defined
  • People authorised to access those areas are identified by means of machine-readable IDs.
  • Locking policy according to company rules
  • Wearing of company badges is monitored constantly by security personnel.
  • Outer perimeter secured by special structural measures, alarm systems, burglar alarm system and security guards.
  • Entries and exits are logged.

Objective: Prevent data processing systems from being used by unauthorised people.

Principles:
  • Users must always identify themselves individually.
  • Authentication, i.e., verification of the presented identification, is password-based, at a minimum.
  • The quality (structure, length etc.) of passwords and the basic conditions for their use (storage, transfer etc.) comply with the applicable security standards.
  • System and data access authorisations are checked periodically, at least once a year, to ensure they are up to date and valid. Audit-compliant event logs are kept.
  • Operating processes have been established to create, revoke or change access authorisation.
Measures:
  • Transmission lines secured by special structural measures.
  • User and access control measures are in place for all parts of the enterprise.
  • The network is secured by means of firewall systems with regard to the internet and other networks.
  • Password procedure is in place for secure identification with subsequent user authentication.
  • Policy-enforced locking of workstations upon leaving the workplace (e.g., password or screen lock)
  • User administration with authorisation levels
  • Policy-enforced process for assigning, checking and revoking access authorisation.
  • Administrative access to systems is secured at the network level.

Objective: Ensure that those authorised to use a data processing system can only access the data subject to their access authorisation and that personal data cannot be read, copied, altered or removed without authorisation during processing, use and after storage.

Principles:
  • The standard user has no write access to system files and no administrator privileges.
  • Where technically feasible, central user administration is installed.
  • Administrator accounts such as root and DBA are personalised. If this is not possible with the systems used, suitable processes or tools, such as sudo on Unix, are used.
  • Administrator access to systems in customer environments is secured at the network level by appropriate security mechanisms.
Measures:
  • Defined, audit-compliant authorisation concepts for system, database and application level
  • Authorisation concepts include, inter alia, the process description of the assignment and revocation of rights based upon the dual control principle and the 'need to know' principle for access to resources and information
  • Differentiated access authorisation (profiles, roles)
  • Policy-enforced process for assigning, checking and revoking access authorisation
  • Identification and authentication of users in accordance with the authorisation concepts and process flows for changing authorisation concepts. Identification and authentication of system and database administrators
  • Password policy with defined validity periods and documentation of password history
  • Logging of authorised users and their login/logouts
  • Encryption of files where necessary

Objective: Ensure that personal data cannot be read, copied, altered or removed without authorisation when being transferred electronically, transported or stored on data storage media and that it is possible to check and ascertain at which point personal data are to be transmitted by data communication equipment.

Principles:
  • Security-relevant system events and accesses to the system are logged (system log), and transaction logs are retained for ninety days. No user activities beyond this are logged.
  • Transaction logs are analysed on a case-by-case basis, taking into account legal requirements.
  • Transaction logs are backed up using the regular backup procedure. Transaction logs are only restored using the established change procedure.
  • The encryption technologies used are based upon proven and recognised standard procedures and proposed minimum key lengths.
  • The application must be able to take into account a change in the key length.
  • Confidential data may only be stored on mobile data storage media in encrypted form.
Measures:
  • Data storage media are sent in sealed transport containers.
  • Secure or encrypted transmission channels
  • Logging by active network components and, if necessary, analysis by the network centre
  • Controlled destruction of data storage media
  • State-of-the-art encryption technology

Objective: Ensure that it is possible after the fact to check and ascertain whether and by whom personal data have been entered, changed or removed in data processing systems.

Principles:
  • For the secure operation of an application, a security concept is available that includes at least the following points:
    - An authorisation concept has been created and a corresponding user administration has been set up.
    - User accounts in the application do not use hard-coded passwords or hard-coded user IDs.
    - Passwords are stored and transferred in cryptographically encrypted form.
  • Security features of the respective programming languages and tools must be used and may not jeopardise or influence the security of the underlying system.
  • All development and test-specific logging processes are deactivated or removed before the software is released into the operating process.
  • Security-relevant system events and accesses to the system are logged (system log), and transaction logs are retained for ninety days. No user activities beyond this are logged.
  • Transaction logs are analysed on a case-by-case basis, taking into account contractual and legal requirements.
  • Transaction logs are backed up using the regular backup procedure. Transaction logs are only restored using the established change procedure.
Measures:
  • Proof of organisationally defined input responsibilities
  • Identification and authentication of users in accordance with the authorisation concepts
  • Authentication concept
  • Logging and log analysis
  • Log files are secured against unauthorised use and modification

Objective: Ensure that personal data processed on behalf of a customer may only be processed in accordance with the customer's instructions.

Principles:
  • Pursuant to Article 28 of the GDPR, the Processor collects, processes and uses personal data solely on instructions of the customer. Apart from instructions, the Processor does not use the data provided for collection, processing or use for its own purposes or for the purposes of third parties (principle of purpose limitation). If the Processor is of the opinion that an instruction breaches data protection provisions, the Processor must advise the customer thereof in writing.
  • The Processor only uses staff who have signed appropriate confidentiality agreements and have committed to postal secrecy pursuant to section 39 of the Postgesetz (PostG - German postal act) and to telecommunications secrecy pursuant to section 88 of the Telekommunikationsgesetz (TKG - German telecommunications act) (within the scope of the TKG). The original undertakings will be submitted as templates on request during audits.
  • The Processor informs the customer in writing of any disruptions to processing, suspected data breaches and other irregularities in the processing of the customer's personal data.
  • The customer has the right to verify compliance with the applicable data protection regulations and data security measures with regard to the processing of its data after prior consultation with the Processor's data protection officer.
  • The Processor engages suppliers to collect, process or use personal data exclusively within the scope of an agreement for commissioned data processing in accordance with Article 28 of the GDPR.
  • Job control takes place on the basis of an established framework at the Processor for implementing the statutory and group requirements in the context of commissioned data processing.
Measures:
  • Application ensures that personal data are collected, processed and used exclusively within the Controller's sphere of control
  • Formalised commissioning process
  • Measures to monitor proper performance of the agreement

Objective: Ensure against accidental loss or destruction of personal data.

Principles:
  • Data storage media are stored exclusively in the robotic system or in the security archive.
  • All incoming and outgoing data storage media are stored in the security archive.
Measures:
  • A data backup concept has been established.

Objective: Ensure that data collected for different purposes can also be processed separately for the respective purpose.

Principles:
  • Every newly developed system or application must undergo the Privacy & Security Assessment (PSA) procedure. All changes must be considered in the PSA review.
  • Approval procedures for transfer to production are used.
  • Development is carried out on standard systems with current patch versions and standard security settings, if technically feasible and approved by the customer.
  • Dependencies on the operating system and the middleware used are co-ordinated and documented.
  • Application-specific security-relevant settings are documented accordingly in the application's security concept.
  • Development, testing and acceptance systems are operated in independent network segments insofar as this is technically feasible and contractually stipulated.
  • Testing and production data are segregated.
  • Personal data will be anonymised or pseudonymised prior to use as test data, insofar as this is possible according to the intended purpose and does not require disproportionate effort in relation to the envisaged protective purpose.
Measures:
  • Logical segregation of the database
  • Physical segregation of the storage media
  • Anonymisation or pseudonymisation of test data
  • Segregation of testing, development and production environments
  • Guidelines and work instructions for development and operation