OpenRegulatory Template

<Product Name> - Technical and Organizational Measures

1. General Considerations

This data protection policy outlines the technical and organizational measures implemented for secure and compliant processing of personal data. It takes into account the rights of data subjects and requirements of the articles 24, 25, and 32 GDPR to the extent applicable.

<enter company name> deals with three general categories of personal data:

  1. (…)
  2. (…)

The following description of technical and organizational measures will be differentiated, where applicable, according to these categories of data.

2. Organization

<enter company name> appointed a data protection officer (DPO) who provides advice on data privacy issues, updates the team about changes in regulations and standards and, if required, supports with reviews and improvement of the measures. The DPO can be reached via <enter email address>.

In the future, the company is going to create data privacy guidelines documented in the form of standard operating procedures (e.g. DPR-SOP) and templates.

Reference here your Information-Security-Management-System (ISMS) in place.

3. Confidentiality

3.1 Entry Control

<enter company name> operates based on office premises that are not freely accessible. They are locked when employees are away. The company implemented the following measures:

<enter company name> does not maintain servers or server rooms. (…)

If you operate your own server rooms, do your best at describing all security policies to prevent unauthorized people from entering here.

If you use a third party cloud provider, their policies here. Typically, they should provide you with loads of material that is helpful for this exercise.

If your users store data locally on their end devices - good for you. In that case, enter some description of that and outline that no data leaves the end device.

3.2 Access Control

The company has implemented the following measures for access to software systems:


Describe your access restrictions. Those are measures not only to prevent unauthorized people from entering your offices, but also to prevent unauthorized (electronic) access. Some example measures:

3.3 Usage Control

The company has implemented following measures when working within software systems:


What are your policies when working with your internal systems? Some typical examples:

3.4 Pseudonymization


This is often an overshoot, but think of scenarios in which identifiable data is really not that necessary. One common example:

3.5 Separation Control


This typically applies to companies managing large amounts of data from various customers:

4. Integrity

4.1 Transfer Control

Transfer control shall ensure that only authorized individuals can inspect personal data. Employee mobile devices must be encrypted if personal data is stored on them.


How do you keep data safe in transmission? Some example measures:

4.2 Input Control

The company has implemented the following measures for its software systems:

This applies to most cloud working environments (e.g. Google Drive, MS Sharepoint, Confluence, JIRA etc.). Any other measures to add in your context?

4.3 Availability and Reliability

Again, if you are using a large cloud provider, you can add more extensive policies and measures here, such as for example:

4.4 Product Development

4.4.1 Development Tools


As before, think about your own organizational setup. How do you ensure safe development? Some examples:

4.4.2 Privacy-Friendly Settings


4.6 Data Deletion

The company implemented the following concept for automatic data deletion:

Data category Retention period Responsible
User data <This period typically should be specified as part of the informed user consent>
Customer data - Customer data after termination of contracts
- Lead contact data after 10 years of paused communication
Employee data Until end of employment
Applicant data Until 6 months after hiring decision or longer in case of employment
Website data Deleted after every session Automated

5. Employee Workplace

The company has implemented the following measures:

6. Procedure for Regular Review, Assessment and Evaluation

Data protection and IT security within the company is reviewed regularly and, based on these assessments, continuously improved. Internal auditing may include data privacy requirements such as:

The company has implemented the following internal measures:

Template Copyright See template license.

Please don’t remove this notice even if you’ve modified contents of this template.