Appendix Technical and Organisational Measures Littlebit Technology B.V.

1. Confidentiality (Article 32 Paragraph 1 Point b GDPR)

Physical Access Control

No unauthorised access to Data Processing Facilities:

  • Magnetic or chip cards
  • Video/CCTV Systems

Electronic Access Control

No unauthorised use of the Data Processing and Data Storage Systems:

  • (Secure) passwords
  • Automatic blocking/locking mechanisms

Internal Access Control (permissions for user rights of access to and amendment of data)

No unauthorised Reading, Copying, Changes or Deletions of Data within the system:

  • Rights authorisation concept
  • Need-based rights of access

Pseudonymisation (Article 32 Paragraph 1 Point a GDPR; Article 25 Paragraph 1 GDPR)

Processing of personal data in such a way that the data can no longer be attributed to a specific Data Subject without the use of additional information, provided that this additional information is kept separately and is subject to appropriate technical and organisational measures:

  • Use of identification numbers

2. Integrity (Article 32 Paragraph 1 Point b GDPR)

Data Transfer Control

No unauthorised Reading, Copying, Changes or Deletions of Data during electronic transfer or transport:

  • Encryption
  • Virtual Private Networks (VPN)

Data Entry Control

Verification of whether and by whom personal data is entered into a Data Processing System, changed or deleted:

  • Logging

3. Availability and Resilience (Article 32 Paragraph 1 Point b GDPR)

Availability Control

Prevention of accidental or wilful destruction or loss:

  • Backup Strategy (online/offline; on-site/off-site)
  • Virus protection
  • Firewall

Rapid Recovery (Article 32 Paragraph 1 Point c GDPR)

4. Procedures for regular testing, assessment and evaluation (Article 32 Paragraph 1 Point d GDPR; Article 25 Paragraph 1 GDPR)

Data Protection Management

Incident Response Management

Data Protection by Design and Default (Article 25 Paragraph 2 GDPR)

Order or Contract Control

No third-party data processing as per Article 28 GDPR without corresponding instructions from the Client:

  • Clear and unambiguous contractual arrangements