Contractual standards for Data Processing on Behalf, last revised December 8, 2014 • Regular checks carried out to ensure fully compliant use of information and IT systems .................................................................................................................. ☐ ☐ c) Please use the following field (free text) for details of additional or other measures you have implemented or if you would like to provide more specific information on the above items: (Please use additional sheet if necessary.) d) If the segregation principle is not relevant to the services subject to this Agreement, please briefly state the reasons below: (Please use additional sheet if necessary.) 9. Organizational security criteria Definition: The organizational security criteria are the rules and processes used to protect personal data. a) Who holds overall responsibility for implementing and ensuring compliance with the organizational security criteria? Controller Processor b) What action is taken to implement the organizational security criteria and who carries out this action? (Please select appropriate answers and mark with a cross, as applicable) Co Pr • Data protection responsibilities fixed in writing ............................................................ ☐ ☐ • Information security responsibilities fixed in writing ..................................................... ☐ ☐ • Appropriate information security management system in place ................................... ☐ ☐ • Appropriate incident management system in place ...................................................... ☐ ☐ • Information classification system implemented ........................................................... ☐ ☐ Page 17 of 20