Technical and Organizational Measures (TOMs)

What are Technical and Organizational Measures? Learn which security measures the GDPR requires and how businesses implement them for secure file transfers.

Definition

Technical and Organizational Measures (TOMs) are security safeguards that controllers and processors must implement under Article 32 of the General Data Protection Regulation (GDPR) to ensure a level of security appropriate to the risk of processing personal data. Technical measures concern the IT infrastructure and systems (e.g., encryption, firewalls, access controls), while organizational measures encompass processes, policies, and training (e.g., authorization concepts, data protection policies, employee training).

Article 32(1) GDPR names four protection objectives that the measures must secure on an ongoing basis: confidentiality, integrity, availability, and resilience of processing systems and services. It also calls out pseudonymisation and encryption of personal data, the ability to restore the availability of and access to personal data in a timely manner after a physical or technical incident, and a process for regularly testing, assessing, and evaluating the effectiveness of the measures. Which measures are appropriate depends on the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, and the likelihood and severity of the risk to the rights and freedoms of the people concerned.

Simply Explained

Think of a company building: the technical measures are the lock on the front door, the alarm system, and the security cameras. The organizational measures are the rules about who gets a key, when the building is locked, and who is allowed to review the camera footage.

It works the same way in the digital world: technical measures are the digital locks and alarm systems, namely encryption, firewalls, and access controls. Organizational measures are the rules and processes, such as who can access which data, how passwords must be created, and what to do in case of a security incident. Together, they form a shield around your data.

Why Does It Matter?

Technical and organizational measures are the cornerstone of any data protection strategy. Without them, even the best privacy policies remain ineffective:

  • Legal Obligation: Article 32 GDPR requires every controller and processor, which in practice means every company that processes personal data, to implement appropriate TOMs. What counts as appropriate depends on the risk the processing poses to the people concerned.
  • Documentation Requirement: Companies must document their TOMs and present them to supervisory authorities upon request. Within a Data Processing Agreement, TOMs must be disclosed to the controller.
  • Liability Reduction: Appropriate TOMs can reduce a company's liability in the event of a data breach. Companies that can demonstrate all reasonable measures were taken are in a better position than those without documented safeguards.
  • Customer Trust: Business partners and clients increasingly expect service providers to disclose their TOMs. In regulated industries, this is a decisive criterion in vendor selection.
  • Prevention: TOMs are primarily preventive. They are meant to stop data protection violations before they occur rather than only to react afterwards, although Article 32 also demands the corrective capability to restore personal data after an incident.

Practical Example

A mid-sized engineering firm regularly exchanges construction drawings and project documents with clients. The documents contain names and contact details of project participants, which constitute personal data. Until now, files were exchanged through a plain FTP server, which sends both login credentials and file contents over the network unencrypted.

After an internal security review, the company identifies that essential TOMs are missing:

  • No encryption of data transfers
  • No authorization concept (all employees have full access)
  • No logging of access
  • No regular security updates for the server
  • No employee data protection training

The firm then implements a comprehensive TOM framework: encrypted file transfer via a secure platform, role-based access control, complete logging of all access, automatic security updates, and annual data protection training for all employees.

How SendMeSafe Implements This

SendMeSafe implements a comprehensive set of technical and organizational measures that meet GDPR requirements:

  • Encryption: All files are stored encrypted with AES-256 and transferred over TLS 1.3 connections.
  • Access Controls: Role-based permission system with Owner, Admin, and Member roles. Upload links can additionally be password-protected.
  • Audit Trail: Every upload, download, and access is logged with timestamp, user, and IP address.
  • Hosting in Germany: All data is stored on Hetzner Cloud servers in Germany. No data transfer to third countries takes place.
  • Automatic Deletion: Files and links can be configured with expiration dates that trigger automatic deletion after defined periods.
  • Secure Authentication: Password policies, session management, and optional two-factor authentication protect user accounts.
  • Data Backup: Regular backups of the database and file storage ensure availability even after incidents.
  • Documentation: All TOMs are described in a separate TOM document, which is provided as part of the DPA.
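The controls named for the engineering firm above and in the list of measures just given (role-based access, password-protected links, an audit trail of every access, and expiry-driven deletion) are the same handful that any file transfer service has to enforce in code. The following is an added example written for this page; it is not SendMeSafe's code and does not describe its implementation. The role names follow the page, but the permission sets behind them, the PBKDF2 work factor, the hypothetical TransferService class, and all sample data are assumptions.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

# Role names follow the page; the permission sets behind them are an assumption.
ROLE_PERMISSIONS = {
    "owner": {"upload", "download", "delete", "share", "read_audit"},
    "admin": {"upload", "download", "delete", "share"},
    "member": {"upload", "download"},
}
PBKDF2_ROUNDS = 100_000  # assumed work factor; tune for your hardware

@dataclass
class ShareLink:
    file_id: str
    expires_at: datetime
    salt: bytes
    password_hash: Optional[bytes]  # None when the link is not password-protected

class TransferService:
    """Hypothetical in-memory file transfer backend with the TOMs enforced in code."""
    def __init__(self, clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self.clock = clock  # injectable so expiry can be tested deterministically
        self.roles = {}
        self.files = {}
        self.links = {}
        self.audit = []  # append-only here; use tamper-evident storage in production

    def add_user(self, user: str, role: str) -> None:
        self.roles[user] = role

    def _log(self, actor: str, action: str, target: Optional[str], ip: str, outcome: str) -> None:
        # Audit trail: every attempt is recorded, denied ones included, with time, actor, action, target, IP.
        self.audit.append({"ts": self.clock().isoformat(), "actor": actor, "action": action,
                           "target": target, "ip": ip, "outcome": outcome})

    def _authorize(self, user: str, permission: str, target: str, ip: str) -> bool:
        allowed = permission in ROLE_PERMISSIONS.get(self.roles.get(user, ""), set())
        self._log(user, permission, target, ip, "allowed" if allowed else "denied:role")
        return allowed

    def upload(self, user: str, file_id: str, data: bytes, ip: str) -> bool:
        if not self._authorize(user, "upload", file_id, ip):
            return False
        self.files[file_id] = data
        return True

    def create_link(self, user: str, file_id: str, ttl: timedelta, ip: str,
                    password: Optional[str] = None) -> Optional[str]:
        if file_id not in self.files or not self._authorize(user, "share", file_id, ip):
            return None
        token = secrets.token_urlsafe(32)  # 256-bit random token: the link itself must be unguessable
        salt = secrets.token_bytes(16)
        pw_hash = (hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
                   if password else None)
        self.links[token] = ShareLink(file_id, self.clock() + ttl, salt, pw_hash)
        return token

    def download_via_link(self, token: str, ip: str, password: Optional[str] = None) -> Optional[bytes]:
        link = self.links.get(token)
        actor = f"link:{token[:8]}"
        if link is None or self.clock() >= link.expires_at:  # expiry is enforced at access time, not only at purge
            self._log(actor, "download", None, ip, "denied:unknown_or_expired")
            return None
        if link.password_hash is not None:
            candidate = hashlib.pbkdf2_hmac("sha256", (password or "").encode(), link.salt, PBKDF2_ROUNDS)
            if not hmac.compare_digest(candidate, link.password_hash):  # constant-time comparison
                self._log(actor, "download", link.file_id, ip, "denied:bad_password")
                return None
        self._log(actor, "download", link.file_id, ip, "allowed")
        return self.files.get(link.file_id)

    def purge_expired(self) -> int:
        # Deletion policy: expired links are removed, not merely hidden, and the purge itself is logged.
        now = self.clock()
        expired = [t for t, link in self.links.items() if now >= link.expires_at]
        for t in expired:
            del self.links[t]
            self._log("system", "purge_link", t[:8], "-", "done")
        return len(expired)

def demo() -> dict:
    """Replay the engineering firm's scenario with constructed data and a controllable clock."""
    now = [datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)]
    svc = TransferService(clock=lambda: now[0])
    svc.add_user("alice", "owner")
    svc.add_user("bob", "member")
    results = {"member_upload": svc.upload("bob", "plan.dwg", b"constructed drawing bytes", "10.0.0.5")}
    results["member_share"] = svc.create_link("bob", "plan.dwg", timedelta(hours=1), "10.0.0.5")  # denied
    token = svc.create_link("alice", "plan.dwg", timedelta(hours=1), "10.0.0.9", password="correct horse")
    results["wrong_password"] = svc.download_via_link(token, "203.0.113.7", password="guess")
    results["right_password"] = svc.download_via_link(token, "203.0.113.7", password="correct horse")
    now[0] += timedelta(hours=2)  # the link's one-hour lifetime has now passed
    results["after_expiry"] = svc.download_via_link(token, "203.0.113.7", password="correct horse")
    results["purged"] = svc.purge_expired()
    results["denied_events"] = sum(1 for e in svc.audit if e["outcome"].startswith("denied"))
    return results
```

Two design points are worth noting. Every control is enforced at the single place where the file is handed out, and a denied attempt is logged as carefully as a successful one, because failed access is what an investigation usually needs. Expiry is checked at access time as well as during the scheduled purge, so an expired link is useless even before cleanup runs. Transport encryption and encryption at rest are deliberately left out of the example, since they belong in the TLS termination and storage layers rather than in application logic.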

Frequently Asked Questions

Which TOMs are mandatory for my business?

The GDPR does not prescribe a fixed list of measures but requires a level of security appropriate to the risk. The more sensitive the data processed and the higher the risk, the more extensive the TOMs must be. For file transfers, this means at minimum: encryption of transmission, access controls, logging, and a deletion policy. A Data Protection Officer can assist with the specific implementation.

Do I need to document my TOMs?

Yes, documentation is mandatory. Under the accountability principle (Article 5(2) GDPR), companies must be able to demonstrate what measures they have taken to protect personal data. When you act as a processor, the TOM description is attached to every Data Processing Agreement, and the records of processing activities required by Article 30 also contain a general description of the measures. The documentation must be available for presentation to supervisory authorities on request and should be reviewed and updated regularly.

What happens if my TOMs are insufficient?

Insufficient TOMs constitute a violation of Article 32 GDPR. Supervisory authorities can order remediation and impose fines of up to EUR 10 million or 2 % of total worldwide annual turnover of the preceding financial year, whichever is higher (Article 83(4) GDPR). In the event of a data breach, insufficient TOMs also increase a company's liability, as it has failed to meet its duty of care, and the measures actually in place are one of the factors a supervisory authority weighs when setting the fine (Article 83(2) GDPR).

How often should I review my TOMs?

Article 32(1)(d) GDPR requires a process for regularly testing, assessing, and evaluating the effectiveness of the measures, so TOMs must be reviewed regularly and updated as needed. In practice, an annual review is recommended, together with event-driven reviews after significant changes to the IT infrastructure, new processing activities, or security incidents.
