Anyone who handles data needs technical and organizational measures (TOMs). Startups, sole proprietors, small businesses, the handyman next door - when it comes to personal data, TOMs are indispensable. In the digital world, it's security first, no matter how big the company!

Technical and organizational measures (TOMs) must provide companies and controllers with comprehensive information on how the security of personal data is ensured.

To that end, TOMs should include the following information:

• The body responsible for the implementation and monitoring of the TOMs
• Type and purpose of technical measures (e.g. encryption, firewall)
• Type and purpose of organizational measures (e.g. training, access rights)
• Procedure for regular review and updating
• Contingency plans in the event of data breaches
• Measures for the physical security of data storage locations
• Pseudonymization and anonymization strategies
• Security incident reporting and remediation processes
• Documentation and logging procedures
• Regulations for commissioned data processing

TOMs must be precise, transparent, and in clear and simple language so that internal employees as well as external partners and regulators can understand how data security is ensured.

Creating technical and organizational measures (TOMs) for a company is no walk in the park, but requires careful planning and constant monitoring.

1. As-is analysis: Where do you currently stand in terms of data security?
2. Risk analysis: What potential data dangers are lurking?
3. Define technical & organizational measures: From encryption to employee training.
4. Documentation: Putting everything in writing - no easy undertaking!
5. Implementation: Putting theory into practice, often a real challenge.
6. Constant monitoring: Nothing remains constant. Regularly check, adjust and optimize.
7. Use feedback: Learn from every incident.

The creation of TOMs can turn out to be a real mammoth project, requiring attention to detail and perseverance. Professional advice can be worth its weight in gold here.

When DIETER creates technical and organizational measures, all the necessary information is collected by asking simple questions.

In concrete terms, this means: You click your way step-by-step through questions that can be answered with yes or no in most cases. For example: Do you offer a newsletter?

By asking clever questions and offering a wide range of predefined services, presents DIETER ensures that all mandatory information is included in the TOMs.

No specialized or prior knowledge is necessary to answer the questions.

The result is a complete document that contains all the necessary information and can be directly integrated into the website.

The TOMS can always be adapted and thus react flexibly to actual or technical changes. DIETER itself always keeps an eye on legal changes and always provides you with the latest legally compliant version.

We generally recommend having TOMs prepared by an expert. Formal requirements for the author do not exist, however.

The creation requires a high degree of accuracy and requires that thought be given to numerous different factors. In addition, current technological developments must be tracked in order to correctly capture the dynamic and highly competitive environment of the service providers and adequately reflect it in the TOMs.

The absence of TOMs or the existence of insufficient TOMs can have serious consequences. This is a violation of applicable data protection regulations (in Germany, in addition to the GDPR, the BDSG is particularly worth mentioning), which can be punished with a fine of up to 20 million euros or 4% of the annual revenue generated worldwide - whichever is higher.

All companies must comply with the requirements of the GDPR. This applies regardless of the number of employees and thus even to sole proprietors and solo self-employed. With Dieter, you don't have to worry anymore. We take care of everything you need to fulfill your legal obligation.

Warning letters due to GDPR violations have increased steadily in recent years. This is exemplified by the numerous warnings for the GDPR-compliant use of Google Fonts in the summer of 2022. Irrespective of the fact that some of these warnings were not lawful, they were based on a decision by the LG Munich in January 2022. In addition, the European Court of Justice (ECJ) ruled at the end of 2022 that consumer associations are generally entitled to issue warnings for a GDPR violation. These (and other) court decisions suggest further waves of warning letters. These can affect all companies that do not take care of their legal obligations.

A GDPR-compliant website is the first step in effectively protecting yourself from warning letters. In 2022, there were already countless warnings due to the unlawful use of Google fonts. Dieter not only takes care of your data protection concerns, but also creates your Legal notice.

In Germany, around 85% of all German companies were victims of a cyber attack in 2022. Each affected company incurred average costs of around €20,000 per incident. In addition, around 20% of customers terminate their contracts with affected companies or delete their accounts. Implementing mandatory technical and organizational measures (TOMs) alone significantly reduces the risk of being affected.

Almost all German companies use services from companies (Google, Microsoft, Meta, Amazon, etc.) with which an international data protection contract (SCC/JC) must be concluded. In addition, digital service providers necessarily "receive" personal data from their clients for the service they offer. In these cases, it is imperative to check whether and with whom so-called order processing agreements (AVVs) must be concluded. Dieter takes over this check and also always provides the correct contract.

79% of Internet users are afraid of "data misuse". And quite rightly so! Because since 2022, personal data has been legally equivalent to a currency. Awareness of this is growing all the time. This data should be just as secure as a bank account. And that is what the implementation of the GDPR ensures.

More than 2/3 of the participants in a study on "Consumer data and data protection" (commissioned by McKinsey & Company) stated that they would no longer want to be a customer of or work with a company that does not protect their data or passes it on without a legal basis. It also proves that responsible handling of personal data and compliance with all legal obligations is a clear competitive advantage.

It refers to the fact that every person has the right to determine for themselves what personal (and therefore very private) data about them is collected, stored and used. It also provides the opportunity to prevent abuse, fraud and discrimination. Data protection is thus an essential component of the (fundamental) right to informational self-determination under the German Basic Law. This right protects the privacy, identity and freedom of every person and is therefore essential for a democratic society. Respecting it should be a matter of course for every company.