The JOUO TOMs explained

Here you can find out which extensions we are currently working on for JOUO

What is a TOM Report?

TOM = Technical and Organizational Measures

  • In JOUO you can document your TOMs (technical and organizational measures). Article 32 GDPR requires you to implement appropriate technical and organizational measures, and the documentation is how you demonstrate that you have done so.

  • Each set of TOMs always refers to one service provider. Usually there are several service providers, so a TOM Report is made up of the TOMs of the various service providers.
  • In the end, you have a standardized PDF in which all TOMs of the various service providers are clearly listed.

What are Doc-Groups?

Why are the TOMs for IP addresses documented?

  • If you have a website, you usually use technical services such as web hosting, server infrastructure or maintenance. The companies that provide these services for you are your service providers.
  • The data of your customers or of your company is stored on the servers of your service providers. These servers are located in buildings at various locations.
  • The IP addresses of your website can be used to determine which service providers (e.g. web hosting providers) you use.
  • TOMs are measures whose primary purpose is to protect personal data.
  • These include, for example, physical access controls such as locked doors or video surveillance.
  • Which measures are taken to protect personal data depends on your service provider (e.g. web hosting provider).
  • A service provider can also take different measures at different locations.
  • For example, some data centers may have video surveillance and others may not.
  • For the documentation of the measures, we therefore group your IP addresses by service provider and location.
  • These groups are the Doc-Groups.

So what do I have to select now?

  1. First select the service provider whose TOMs you want to document.
  2. If the service provider applies the same TOMs at several locations, select these locations as well. A location with different measures needs its own Doc-Group.
  3. Give your Doc-Group a name that describes it as clearly as possible.
    Attention: This name is used later in the generated PDF, so choose a meaningful name (e.g. provider and location).

What are measures?

The protection of personal data

Personal data must be protected; Article 32 GDPR in particular requires a level of security appropriate to the risk.

TOM = Technical and Organisational Measures

  • TOMs list all the precautions that a company takes to ensure the security of personal data.
  • In the case of your website, this includes precautions taken by your own company, but also those taken by your service providers (e.g. your web hosting provider).

Technical measures

  • are protective measures implemented by means of hardware, software or physical security
  • for example encryption, firewalls, access controls or alarm systems

Organizational measures

  • are all non-technical rules and specifications that organize the processes, responsibilities and conduct of the persons entrusted with data processing
  • for example the dual control (four-eyes) principle, confidentiality obligations, training or clear process instructions

You should obtain the information about which measures your service provider takes at which locations directly from your service provider, for example from its published TOM document or your data processing agreement (DPA).


The following control areas are queried in the JOUO TOMs:

  • Access control (location)
  • Access control (system)
  • Access control (permissions)
  • Separation control
  • Pseudonymization
  • Transfer control
  • Input control
  • Availability control
  • Data protection management
  • Incident response management
  • Privacy-friendly default settings
  • Order control (outsourcing to third parties)

These areas come from official and publicly available templates that are based on the requirements of Article 32 GDPR.

For each area we give you suggestions as to which measures may be taken. You can select these or enter your own.

How do I create a TOM in JOUO?

Prerequisite: your website must be registered in JOUO and its first security audit must have been completed.

Click on TOM Reports in the navigation to create a new TOM Report for your website.

Next, create a new Doc-Group.

Now enter the technical and organizational measures for the various control areas, either by selecting measures from the list or by adding your own.

All your entries are saved automatically. You do not have to save actively and can therefore interrupt the TOM at any time and continue working on it later.

Repeat the Doc-Group step (create a Doc-Group, then enter its measures) until you have documented all service providers.

Finally, you can generate a joint PDF from your documented measures, which you can download.

To do this, click on Export TOM Documentation at the bottom. There you select which Doc-Groups should be listed in the PDF, ideally all of them. As soon as you have clicked on Export and create PDF, the PDF is downloaded automatically in your browser.

The exported TOM Documentation is then locked, i.e. you can no longer edit it after exporting. Check that all Doc-Groups are complete before you export; later changes require a new TOM Report.

What do GDPR and NIS2 mean?

GDPR

This is the EU's ‘General Data Protection Regulation’, which applies directly in every EU member state. You will sometimes also find the German term Datenschutz-Grundverordnung (DSGVO).

Germany

In Germany the GDPR is supplemented by the Federal Data Protection Act (BDSG) and the data protection laws of the federal states. JOUO covers both: GDPR and BDSG.

Switzerland

The nDSG (‘new Data Protection Act’) differs from the European General Data Protection Regulation (GDPR) primarily in who is fined: under the nDSG the responsible natural persons can be fined up to CHF 250,000, whereas the GDPR imposes its administrative fines on the controller or processor, i.e. usually the company, not on individual employees. JOUO also covers the nDSG.

NIS2

The NIS2 Directive (Network and Information Security Directive) obliges the member states of the European Union to adopt a national cybersecurity strategy. With NIS2, mandatory security measures and reporting obligations in the event of security incidents apply to companies and organisations of medium size and above from 18 defined sectors. The directive also requires affected organisations to secure their supply chain, so their service providers and suppliers are affected as well, even if they are based outside the EU, provided they provide services in the EU.