Contractual standards for Data Processing on Behalf, last revised December 8, 2014 • Access authority specified and checked ...................................................................... ☐ ☐ • Authentication procedure based on required level of protection for the information (classification) ............................................................................................................. ☐ ☐ • Appropriate password protection (binding requirements, encrypted storage) .............. ☐ ☐ • Special security software (e.g. anti-malware, VPN, firewall) ......................................... ☐ ☐ • Rules and regulations for visitors in place .................................................................... ☐ ☐ • Access function using tokens ....................................................................................... ☐ ☐ c) Please use the following field (free text) for details of additional or other measures you have implemented or if you would like to provide more specific information on the above items: (Please use additional sheet if necessary.) d) If systems access control is not relevant to the services subject to this Agreement, please briefly state the reasons below: (Please use additional sheet if necessary.) 3. Access control (user rights) Definition: Access control (user rights) comprises the action taken to ensure that the persons authorized to use a data processing system can only access the data corresponding to their access authorization and that personal data cannot be read, copied, amended, or removed without authorization during processing or use, or after the data has been saved. a) Who holds overall responsibility for implementing and ensuring compliance with access control (user rights)? Controller Processor Page 10 of 20