Contractual standards for Data Processing on Behalf, last revised December 8, 2014 b) What action is taken to implement access control (user rights) and who carries out this action? (Please select appropriate answers and mark with a cross, as applicable) Co Pr • Authorization and roles concept implemented for applications .................................... ☐ ☐ • Rules and regulations for authorizing users and data access implemented .................. ☐ ☐ • Regular review of authorizations .................................................................................. ☐ ☐ • Functions restricted (in terms of function and time)..................................................... ☐ ☐ • Access restrictions imposed (based on principles of need-to-know and least privilege) ☐ ☐ • Encrypted storage of personal data ............................................................................. ☐ ☐ • Logging o Read-access logged ....................................................................................... ☐ ☐ o Write-access logged ...................................................................................... ☐ ☐ o Unauthorized access attempts logged ........................................................... ☐ ☐ o Regular analyses carried out .......................................................................... ☐ ☐ o Ad hoc analyses carried out ........................................................................... ☐ ☐ • Implementation of retention periods for data .............................................................. ☐ ☐ • Rules and regulations on handling digital storage media implemented ......................... ☐ ☐ • Rules and regulations on disposing of storage media implemented ............................. ☐ ☐ • Integrity checks carried out .........................................................☐ ☐ • Separation of test and productive environment ............................................................ ☐ ☐ c) Please use the following field (free text) for details of additional or other measures you have implemented or if you would like to provide more specific information on the above items: (Please use additional sheet if necessary.) Page 11 of 20