Contractual standards for Data Processing on Behalf, last revised December 8, 2014 PART 2: DATA PROTECTION AND INFORMATION SECURITY MEASURES This section must be used to document the technical and organizational measures implemented in order to safeguard the security of data processing activities. It must be clearly stated whether the action concerned is taken by Controller (Co) or by Processor (Pr). There is no requirement to implement all the action points listed below; the parties need to ensure that there is an appropriate level of protection from an overall perspective in each case. Completion of this section may be replaced by documentary evidence of suitable certification (for example, in accordance with ISO 2700x) provided that the certification covers the services involved. In this case, a copy of the certification must be attached to the Agreement documents. 1. Access control (physical) Definition: Physical access control means the action taken to deny unauthorized persons physical access to data processing systems in which personal data is processed or used. b) Who holds overall responsibility for implementing and ensuring compliance with physical access control? Controller Processor c) What action is taken to implement physical access control and who carries out this action? (Please select appropriate answers and mark with a cross, as applicable) Co Pr • Specification of authorized persons, including scope of authority ................................ ☐ ☐ • Admittance authorization IDs issued ............................................................................ ☐ ☐ • Rules and regulations for visitors in place .................................................................... ☐ ☐ • Rules and regulations governing keys implemented ..................................................... ☐ ☐ • All individuals recorded in and out ............................................................................... ☐ ☐ • Physical protection measures in place and regularly checked: o Secure entrance (e.g. locking system, ID readers) ......................................... ☐ ☐ o Burglar-resistant windows.............................................................................. ☐ ☐ o Equipment secured against theft, manipulation, damage ............................... ☐ ☐ o Surveillance installation (e.g. alarm system, CCTV)........................................ ☐ ☐ o Separation system (e.g. turnstiles, double-door system) ............................... ☐ ☐ Page 8 of 20