07.07.21 / Version 2.1

Technical and organisational measures (TOM) within the meaning of Art. 32 GDPR


The Locaboo GmbH web server is located in a data centre of Hetzner Online GmbH in Gunzenhausen (Germany). The documentation of the technical and organisational measures (TOM) for the web server can be found in the document "Technical and organisational measures" from Hetzner.

1. access control

Deny unauthorised persons access to data processing equipment with which personal data are processed or used or in which personal data are stored.

Implementation of the measure:

  1. The premises of Locaboo GmbH in which customer data is collected, processed and/or used shall be used and entered exclusively by employees and contractual partners of Locaboo GmbH who are bound by these provisions. Excluded from this are persons who have to be on the premises in order to fulfil the obligations arising from the framework agreement and who are accompanied throughout their stay by persons authorised to enter within the meaning of sentence 1 of this clause 1.1.

  2. The entrances to the premises are secured with security keys against access by unauthorised persons.

  3. Doors, gates and windows are firmly locked outside operating hours; the entrance door on the ground floor and all other easily accessible entrances to the rooms are secured in such a way that they are only accessible to unauthorised persons with considerable difficulty.

  4. The allocation of access authorisations and keys is documented in a comprehensible manner. Access to the premises shall be recorded immediately upon entry and for a period of one month after entry.

  5. Data backups are permanently stored in locked backup cabinets. Access is only possible for the employees of Locaboo GmbH deployed for the purpose of fulfilling the contract.

  6. Web server, see "Technical and organisational measures" by Hetzner.

2. access control

Prevent data processing systems from being used by unauthorised persons.

Implementation of the measure:

  1. Protection through authentication and authorisation systems; we use user IDs and complex passwords, as well as graduated access rights.

  2. Access to the collection, processing and use of customer data with the systems used only to the employees deployed to provide the service and only for the scope required.

  3. Person-specific user access.

  4. Technical restriction for use by third parties, e.g. for technical maintenance. No access to client data by third parties without written permission from the client.

  5. Every allocation of access and access authorisations is documented.

  6. Password rule: Secure passwords with special characters and at least 8 characters.

  7. Passwords change by the user himself every 3 months.

  8. Passwords are stored securely and are not passed on to third parties.

  9. Transmission of passwords encrypted if possible and only to authenticated authorised recipients.

  10. Web server, see "Technical and organisational measures" by Hetzner

3. access control

It must be ensured that those authorised to use a data processing system can only access the data subject to their access authorisation, and that personal data cannot be read, copied, modified or removed without authorisation during processing, use and after storage.

Implementation to the measure:

4. transfer control

Ensure that personal data cannot be read, copied, altered or removed by unauthorised persons during electronic transmission or while being transported or stored on data media, and that it is possible to verify and establish to which bodies personal data are intended to be transmitted by data transmission equipment.

Transposition to measure:

5. input control

It must be ensured that it is possible to check and establish retrospectively whether and by whom personal data have been entered into, modified or removed from data processing systems.

Implementation of the measure:

6. order control

It must be ensured that personal data processed on behalf of the client can only be processed in accordance with the client's instructions.

Implementation of the measure:

7. availability control

Ensure that personal data is protected against accidental destruction or loss.

Implementation to the measure:

8. separation control

Ensure that data collected for different purposes can be processed separately.

Transposition to the measure:

9. encryption and pseudonymisation

Ensure that sufficient procedures for encryption and pseudonymisation are applied if this is required due to the activity.Implementation on the measure:

10. procedures for regular review, assessment and evaluation (data protection management system).

List the measures implemented to ensure a continuous improvement process: