Technical and Organisational Measures (including measures to ensure the security of the data)

Controller-to-Controller (C2C) baseline measures

The data importer maintains a risk-based information security and privacy framework to ensure the confidentiality, integrity, availability and resilience of personal data, taking account of risks to individuals’ rights and freedoms. Where applicable, the framework aligns to recognised standards (e.g., ISO/IEC 27001/27701 and PCI DSS).

The following technical and organisational measures are in place:

  1. Governance, policies and risk management. Documented security and privacy policies are approved by senior management and reviewed at least annually. Risk and impact assessments are performed for material processing, new systems and significant changes. Roles, responsibilities and segregation of duties are defined for each application and IT system.
  2. Data classification, minimisation and purpose limitation. Personal data are inventoried and classified. Processing is limited to defined purposes, using the minimum data required. Production personal data are not used in non‑production environments; testing uses synthetic or properly anonymised data.
  3. Access control and identity management. All application and IT system access follows least‑privilege and need‑to‑know principles with role‑based controls. Strong authentication (including MFA for privileged/remote/admin access) is enforced. Joiner–mover–leaver processes govern provisioning and revocation of all access rights; default credentials are changed or disabled; application and IT system sessions are automatically locked after more than 10 minutes of inactivity.
  4. Encryption and key management. Personal data in transit and at rest are protected using current industry‑standard cryptography. Keys are generated, stored, rotated and retired under a documented key management process with restricted access controls.
  5. Network and infrastructure security. Networks are segmented to isolate environments and sensitive systems. Firewalls and access controls use deny‑by‑default rules. Remote administration is restricted to authorised personnel only. Wireless networks use strong encryption and are segregated from core systems. Industry‑benchmarked security baselines are applied to all network assets.
  6. Vulnerability and patch management. Vulnerabilities are identified, risk‑assessed, remediated and verified under a documented process. Systems are patched to severity‑based targets, with expedited treatment for critical issues. Regular scanning and periodic penetration testing are performed.
  7. Secure development and change management. Development follows a secure lifecycle (requirements, code review, dependency management and testing). Static/dynamic testing is applied wherever appropriate and applicable. Production changes follow formal change control with testing, approval and rollback planning.
  8. Logging, monitoring and threat detection. Security events are logged, time‑synchronised, protected and retained. Monitoring detects anomalous activity. IDS/IPS and endpoint detection tools are used where appropriate, and alerts are triaged and investigated in accordance with the incident response process.
  9. Data lifecycle management and retention. Retention schedules govern storage periods. Personal data are securely deleted or irreversibly anonymised when no longer required. Backups are encrypted, tested and aligned to retention. Media are sanitised securely.
  10. Physical and environmental security. Facilities use layered physical controls (e.g., perimeter measures, badges, CCTV, controlled access). Access is logged and restricted. Environmental controls and backup power protect critical infrastructure. Equipment is securely stored and destroyed.
  11. Operational technology and building systems. OT systems (e.g., BMS, access control, CCTV, IoT) are inventoried, segmented, hardened and kept current. Default credentials are changed; remote/vendor access is restricted and monitored. Surveillance systems enforce access and retention controls.
  12. Backup, business continuity and disaster recovery. BCP/DR plans cover critical systems and processes. Backups are performed at defined intervals, encrypted, stored securely and tested to meet defined RTOs/RPOs. Alternate arrangements exist for major disruptions.
  13. Incident response and breach management. A documented incident response plan defines roles, escalation and investigation. Incidents are recorded, investigated and remediated. Breach processes support assessment and timely notifications whenever required. Post‑incident reviews drive improvements.
  14. Supplier and third‑party management. Third parties with access to personal data are subject to due diligence, contractual security obligations and oversight. Contracts require equivalent measures, audit and breach provisions. International transfers use appropriate safeguards. Support access is controlled and monitored.
  15. Training and awareness. Personnel receive onboarding and periodic training on security, data protection, acceptable use, phishing and incident reporting. Role‑specific training is provided for engineers, administrators and frontline staff who handle personal data.
  16. Privacy by design and default. New or changed processing is evaluated for privacy risks, and controls are embedded by design. Defaults favour privacy consistent with the purpose of processing. Procedures support data subject rights within statutory timeframes.
  17. Data subject rights and requests. Procedures authenticate, log, assess and fulfil data subject requests, including coordination with the data exporter where it acts as controller. Mechanisms support preference management and suppression of marketing communications.
  18. Data transfer security. Personal data exchanged with the data exporter or onward recipients are encrypted in transit, with additional controls (e.g., mutual TLS, allow‑listing, file‑level encryption) wherever feasible. Transfer activity is logged and reviewed.
  19. Secure endpoints and mobile devices. Endpoints use anti‑malware, host firewalls, encryption and auto‑locking. Mobile device management enforces configurations, remote wipe and application controls. Access from unmanaged devices is limited based on risk.
  20. Audit, assurance and continuous improvement. Effectiveness is reviewed via audits, management reviews and, where appropriate, independent assessments. Findings are tracked to remediation. Metrics and threat intelligence drive continuous improvement.
  21. Compliance and record‑keeping. Records of processing, data flows, third parties, DPIAs and security incidents are maintained as required by law. Legal and regulatory changes are monitored and controls updated accordingly.
  22. Payment card data (where applicable). Cardholder data environments are segmented and PCI DSS controls applied. Payment applications and terminals are configured and maintained to applicable standards.
  23. Operational and sector‑specific measures. Operational systems (e.g., reservations, loyalty, property/tenant systems, POS, access control, kiosks) are subject to heightened access controls, segregation, monitoring and defined retention. Public‑facing systems are hardened and regularly inspected for consistency with the applicable baseline.
  24. Sensitive personal data (where applicable). Processing of special categories of personal data is strictly limited and subject to enhanced controls: restricted access with MFA, segregation, encryption in transit and at rest (including field‑level encryption where appropriate), detailed logging with regular review, and minimal retention with priority deletion. DPIAs are performed where required.
  25. Government and law‑enforcement requests. Requests from public authorities are verified for legality and scope; only the minimum necessary information is disclosed, and only where disclosure is legally required. The data exporter is notified without undue delay unless prohibited by law; unlawful or disproportionate requests are challenged; and all requests and disclosures are logged. No back‑door or direct access is permitted, and strong encryption and key management are maintained.

Additional measures for Controller-to-Processor (C2P) use

Where the data importer acts as a processor, the following additional measures apply in addition to the C2C baseline:

  • Instructions and purpose limitation. Processing is performed only on documented instructions from the data exporter, with controls to prevent unauthorised processing and access.
  • Personnel confidentiality. Personnel with access to personal data are subject to appropriate confidentiality obligations.
  • Data segregation. Personal data sets relating to different parties are logically segregated. Production personal data are not permitted in non‑production environments; test and development environments use only synthetic or properly anonymised data.
  • Return and deletion. On termination or completion, and subject to law, personal data are securely deleted or returned per the data exporter’s instructions, including deletion from backups at end‑of‑life. Where retention is required, data are isolated and protected.
  • Cooperation and assistance. Procedures support the data exporter with security, breach assessment, DPIAs, consultations and data subject rights, to the extent applicable.
  • Breach notification. The data exporter is notified without undue delay after becoming aware of a personal data breach affecting its data.
  • Audit facilitation. Records and evidence of these measures are maintained to facilitate audits in accordance with the SCCs, subject to reasonable confidentiality and safety controls.
  • Sub‑processor engagement. Sub‑processors are bound by written terms imposing equivalent measures and transfer safeguards; their access is controlled, time‑bound and monitored.

The data importer will maintain measures at least equivalent to those in the Agreement and any applicable data protection agreement. New or enhanced controls will be incorporated without reducing the overall level of protection for personal data.

Last updated December 2025