Data protection has been a very high priority for all employees at target since the appointment of the data protection officer in 2016. As a contractor of project and maintenance services, target comes into contact with personal data in many cases. In the terminology of the General Data Protection Regulation (GDPR), we are therefore processors.
We want to and must continue to ensure a high level of data security when processing personal data in order to protect the trust that our customers place in us.
All employees at target are sensitised to the topic of data security through regular, mandatory training. In addition, we are audited annually by an independent body to determine whether the required standards are met.
The 2020 audit, which was delayed until the end of the year due to the pandemic, builds on the 2019 report and includes adjustments that have been implemented since that report. The current audit is valid until the end of 2021 and takes into account the audit of critical aspects of data security.
The role of target Software Solution GmbH as a processor was examined more closely. One focus was therefore on the audit of the automated IT processes and their documentation.
In 2020, target was again independently certified as having achieved a good result. The report states: "... Essential requirements and suggestions for improving the individual points were examined and - where possible - implemented. Due to the implemented measures, a clear improvement of the rating was achieved. Individual areas have to be reviewed regularly due to the constant changes in the systems and will therefore be part of the audit again in the coming year (2021) ..."
Among other things, the technical organisational measures (TOM) were examined, in detail for the sub-areas of admission and entry control, access control, data carrier control, storage control, user control, transmission / transport control, input control, recoverability / reliability / availability, data integrity, order control and evaluation / monitoring and organisational control.
Measures were defined and implemented with our data protection officer for each of the aforementioned sub-areas of data security. Further contingency plans were developed and the directories of procedures were completed.
Another focus was the review of the contracts for commissioned processing with critical service providers and their TOM. A Controller Processor Agreement exists between these service providers and target in accordance with the current specifications of the Gesellschaft für Datenschutz und Datensicherheit e. V. (GDD). target ensures that the service providers are carefully selected with regard to data security. The data security measures of critical service providers are checked every 12 months at the latest, of other service providers every 24 months.
At target, data protection and data security are treated with high priority and are continuously developed, depending on the technical possibilities.