Privalexx Ukraine

DATA PRIVACY EXPERTS

Support: +49 3843 229 133
Email: info(at)privalexx.com.ua

Technical and organisational measures in accordance with the GDPR

Technical and organisational measures

Technical and organisational measures are a key concern for international companies that process the personal data of individuals in the EU (the GDPR attaches to data subjects in the Union, not to citizenship). The GDPR presupposes structured data protection and data security. Key questions arise, especially for non-EU companies: Which measures count as appropriate? How do you meet your accountability obligations and provide GDPR-compliant evidence? What does complete TOM documentation mean, particularly with regard to risk analysis and legally compliant processes? Answering these questions is crucial to prevent data protection violations and sanctions and to gain the trust of business partners and customers in the EU market. Our consulting services are aimed specifically at small and medium-sized companies without their own location in the EU that want to organise their measures efficiently, in a legally compliant way and so that they can be traced.

TOM: What you should bear in mind

Non-EU companies face the challenge of meeting all GDPR requirements even without an establishment in the EU. Technical and organisational measures (TOM) form the basis for effectively protecting personal data. They comprise technical protection mechanisms, such as encryption and access controls, as well as organisational processes, such as binding guidelines and regular employee training. It is essential to assess the risk of data breaches systematically and to keep all measures permanently documented. In practice, this means that companies must be able to show, when requested by the competent data protection authority, that their data protection concepts are effective, up to date and appropriate. Clearly defined processes and structured TOM documentation help to minimise liability risks and keep the entire life cycle of data processing under control.

The basics of TOM and legal requirements

The General Data Protection Regulation (GDPR) obliges every controller and processor within its scope, including companies without an establishment in the EU that offer goods or services to, or monitor the behaviour of, people in the EU (Art. 3(2) GDPR), to implement effective technical and organisational measures (TOM). The core objective is to ensure data security in all areas of processing and to improve the level of data protection continuously. The main requirements are

  • Art. 32 GDPR: Measures appropriate to the risk that ensure the confidentiality, integrity, availability and resilience of processing systems, including pseudonymisation and encryption, the ability to restore availability after an incident (e.g. tested backups), and a process for regularly testing and evaluating the effectiveness of the measures (e.g. firewalls, access restrictions, backup solutions).
  • Complete documentation (accountability, Art. 5(2) and Art. 24 GDPR): TOMs must be described in a comprehensible form, reviewed regularly and adapted where necessary.
  • Clear responsibilities: Assign responsibility for data protection and data security to named roles.
  • Risk analysis: Identify potential risks to personal data and define appropriate countermeasures.
  • Training and awareness for employees.

The requirements for technical and organisational measures depend on the scope, context and sensitivity of the data processed. In practice, this means for non-EU companies: without adequate TOM, there is a risk of data protection breaches, fines and reputational damage. Most controllers and processors without an EU establishment must also designate a representative in the Union (Art. 27 GDPR). Working with an EU representative makes it easier to comply with and document these obligations, as the representative acts as the point of contact for supervisory authorities and data subjects and, in a consulting role, can help keep data security and data protection requirements under review.

Solutions: Practical tips for GDPR-compliant TOM documentation

A systematic approach is recommended to ensure that your technical and organisational measures do not just exist on paper, but actually contribute to effective data security. Practical, fully comprehensible TOM documentation takes centre stage.

  1. Initial risk analysis: Carry out a thorough assessment of your data processing:
    • What personal data is being processed?
    • Where are the weak points?
    • How high are the risks for data subjects?
    • Result: Qualified decision-making basis for the selection of specific TOMs.
  2. Structured recording of technical measures: The classic measures include
    • Encryption of sensitive data during transmission and storage
    • Implementation of modern firewalls and intrusion detection systems
    • Access control through authentication requirements and user rights
    • Regular system and security updates
    • The documentation should clearly describe how and why the measures were selected and which systems are affected.
  3. Document organisational measures: These include
    • Internal data protection guidelines (e.g. handling of emails, password management)
    • Training and awareness programmes for employees
    • Definition of responsibilities, emergency plans and reporting channels
    • Regular review of all processes through audits
    • Structured process documentation supports transparency and traceability vis-à-vis authorities or in the event of a data protection incident.
  4. Ongoing review and adaptation: Data protection is subject to constant technological and regulatory change. You should therefore plan regular reviews and adjustments of your TOM. Record every change, with its date and reason, in your TOM register so that the current state and its history remain traceable.
  5. Collaboration with experts and EU representatives: For non-EU companies in particular, it is worth working with an experienced data protection consultant or EU representative to ensure seamless, GDPR-compliant implementation. Experts offer templates, tools and targeted advice on all aspects of TOM, data security and documentation.
  6. Use templates and best practices: You can use standardised templates and checklists as examples for TOM documentation. These should be customised and constantly kept up to date.

Conclusion

With sound, complete TOM documentation, you not only fulfil your legal obligations but also establish a level of data security appropriate to your risks and build trust with your business partners. This turns data protection and GDPR compliance into a sustainable competitive advantage.

Summary

Technical and organisational measures are essential for non-EU companies to process personal data in compliance with the GDPR. Transparent and up-to-date TOM documentation forms the basis for effective data security and fulfils the requirements of authorities and business partners. Our consulting services provide you with targeted support in analysing, implementing and documenting your TOM so that you can minimise risks, ensure data protection and successfully serve the EU market. Rely on sound solutions and secure professional support for the GDPR-compliant design of your data protection management.

1. What are technical and organizational measures (TOM)?

Technical-organizational measures (TOM) are protective measures that companies must implement in accordance with the GDPR to safeguard personal data. These include both technical measures such as encryption, firewalls, and access restrictions, as well as organizational measures such as internal policies, responsibility assignments, and employee training. The goal of TOM is to ensure an appropriate level of data protection and security and to comply with GDPR requirements. TOM must be tailored to the company’s size and risk situation and regularly reviewed.

2. Which technical measures are part of TOM?

Technical measures within the scope of TOM include, among others, encryption technologies, firewalls, access restrictions, two-factor authentication, regular software updates, and secure passwords. Securing networks, automated data backups, and the physical protection of server rooms and IT infrastructure are also essential. These measures ensure effective protection of personal data against unauthorized access, data loss, or manipulation, thereby sustainably securing data security.

3. Which organizational measures are part of TOM?

Organizational measures include the introduction and implementation of internal data protection policies, clear assignment of responsibilities, regular employee training, and the monitoring and documentation of data protection processes. The management of data processing agreements (Art. 28 GDPR) and the performance of data protection impact assessments (Art. 35 GDPR) are also part of these measures. The goal is to ensure compliance with data protection requirements in daily business operations and to guarantee GDPR-compliant processes.

4. How do companies implement TOM in a GDPR-compliant manner?

To implement TOM in a GDPR-compliant manner, companies should first conduct a risk analysis, define relevant protective measures, and implement them based on the specific risk situation. Clear documentation of all measures, regular review of their effectiveness, and continuous adaptation to new technical and legal developments are also crucial. Employee awareness and training are central to sustainably embedding data protection and security in the company.

5. How must TOM be documented?

The GDPR requires controllers and processors to be able to demonstrate that their measures are appropriate (accountability, Art. 5(2) and Art. 24 GDPR), and the records of processing activities under Art. 30 GDPR must contain, where possible, a general description of the technical-organizational measures. In practice, the documentation should record, for each measure, the protection objective it serves, the state of the art against which it was chosen, the responsible role, the systems or business areas it covers, and the review interval. These records must be presented upon request by European data protection authorities. Comprehensive documentation serves as proof that the company has fulfilled its accountability obligations and ensures GDPR-compliant implementation of data security.
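The documentation points listed above (protection objective, responsibility, affected systems, rationale from the risk analysis, review interval) can be kept in a machine-readable TOM register and checked automatically, which also covers the "keep the register current" step of the implementation guide earlier on this page. The following script is an added example, not code from Privalexx or from any regulator: the field names, the identifier scheme `TOM-00n`, the sample entries and the reference date are all assumptions constructed for illustration, and the checks encode the page's documentation points rather than any statutory template.

```python
"""Check a TOM register for documentation gaps (constructed example).

Assumed field names and sample entries; not a legal template.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Protection objectives named in Art. 32(1)(b) GDPR.
ART32_OBJECTIVES = {"confidentiality", "integrity", "availability", "resilience"}


@dataclass
class Measure:
    id: str                  # assumed identifier scheme, e.g. "TOM-001"
    kind: str                # "technical" or "organisational"
    description: str
    objectives: set[str]     # subset of ART32_OBJECTIVES
    owner: str               # responsible role (accountability)
    scope: list[str]         # systems or business areas the measure covers
    rationale: str           # link back to the risk analysis
    last_review: date
    review_interval_days: int = 365


def check_measure(m: Measure, today: date) -> list[str]:
    """Return one finding per documentation gap; an empty list means the entry is complete."""
    findings: list[str] = []
    if m.kind not in ("technical", "organisational"):
        findings.append(f"{m.id}: kind must be 'technical' or 'organisational'")
    if not m.objectives:
        findings.append(f"{m.id}: no Art. 32 protection objective assigned")
    unknown = m.objectives - ART32_OBJECTIVES
    if unknown:
        findings.append(f"{m.id}: unknown objectives {sorted(unknown)}")
    if not m.owner.strip():
        findings.append(f"{m.id}: no responsible role/owner recorded")
    if not m.scope:
        findings.append(f"{m.id}: scope (systems or business areas) not recorded")
    if not m.rationale.strip():
        findings.append(f"{m.id}: no rationale linking the measure to the risk analysis")
    if m.last_review + timedelta(days=m.review_interval_days) < today:
        findings.append(f"{m.id}: review overdue (last reviewed {m.last_review.isoformat()})")
    return findings


def check_register(register: list[Measure], today: date) -> dict[str, list[str]]:
    """Map each measure id to its findings; measures without gaps are omitted."""
    report: dict[str, list[str]] = {}
    for m in register:
        found = check_measure(m, today)
        if found:
            report[m.id] = found
    return report


# Constructed sample register; the entries describe no real company.
SAMPLE_REGISTER = [
    Measure("TOM-001", "technical",
            "TLS 1.2+ for all external connections; AES-256 encryption at rest",
            {"confidentiality", "integrity"}, "Head of IT", ["crm", "mail-gateway"],
            "Risk analysis: customer data crosses public networks",
            date(2024, 3, 1)),
    Measure("TOM-002", "technical",
            "Nightly encrypted off-site backups with quarterly restore test",
            {"availability", "resilience"}, "Head of IT", ["crm", "file-server"],
            "Risk analysis: ransomware and data loss",
            date(2022, 11, 15)),          # overdue against the 365-day interval
    Measure("TOM-003", "organisational",
            "Annual data protection training for all staff",
            {"confidentiality"}, "", [], "",
            date(2024, 6, 1)),            # owner, scope and rationale missing
]

REFERENCE_DATE = date(2024, 9, 1)  # assumed "today" so the run is deterministic


def sample_report() -> dict[str, list[str]]:
    """Run the checks over the constructed register."""
    return check_register(SAMPLE_REGISTER, REFERENCE_DATE)


if __name__ == "__main__":
    for findings in sample_report().values():
        for line in findings:
            print(line)
```

Running the script lists four findings: TOM-002 is overdue for review, and TOM-003 lacks an owner, a scope and a rationale; TOM-001 passes. In a real register the same checks would run against the export of whatever tool holds the TOM documentation, and the reference date would be the current date.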

6. What does the proportionality principle mean for TOM?

The proportionality principle states that the scope and intensity of technical-organizational measures must be adapted to the nature, scope, context, and purposes of data processing, as well as the risks to the rights of affected individuals. Companies must select measures that adequately and economically ensure the protection of personal data. Excessive or insufficient measures should be avoided to achieve efficient and risk-oriented data security.

7. What is the role of the risk analysis?

A risk analysis evaluates potential threats and risks in the processing of personal data. Companies should analyze which data is processed, how sensitive it is, and what potential threats exist. Based on this assessment, appropriate technical-organizational measures are selected to minimize the identified risks. The risk analysis should be repeated regularly, especially when there are changes in data processing or business operations.

8. Who is responsible for implementing and monitoring TOM?

The responsibility for implementing and monitoring TOM lies with the company’s management. Often, a data protection officer is appointed (mandatory in the cases listed in Art. 37 GDPR) to coordinate and oversee GDPR-compliant measures. Individual departments should also be involved in the implementation to ensure comprehensive data security. Ultimately, the management is accountable to supervisory authorities and must ensure the proper implementation of data protection measures.

9. What are the consequences of violating technical and organizational measures?

A violation of the obligation to implement appropriate technical-organizational measures can result in significant fines. For a breach of Art. 32 itself, Art. 83(4) GDPR provides for fines of up to 10 million euros or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher; where the same failure also breaches the basic principles of processing, such as the integrity and confidentiality principle in Art. 5(1)(f), the upper tier of Art. 83(5) applies, up to 20 million euros or 4% of worldwide annual turnover. Additionally, reputational damage, liability claims, and loss of customer trust may occur. Therefore, it is essential to consistently implement data protection and security in the company and verifiably comply with all requirements.

10. What are typical examples of technical and organizational measures?

Examples of technical measures include data encryption, firewalls, access controls, antivirus programs, and secure Wi-Fi networks. Organizational measures include establishing clear access rights, conducting data protection training, creating emergency and deletion plans, and regularly auditing existing measures. Together, these measures enable companies to effectively and sustainably meet GDPR requirements and ensure a high level of data protection.