
July 27, 2022

Template: Technical and Organizational Measures

Sven Piechottka

Template Download

This is a free template, provided by OpenRegulatory.

If you are a user of Formwork, our eQMS software, choose "QMS" on the top menu and "OpenRegulatory Templates" on the left menu, and then open the relevant folder to find this template ready to load into Formwork.

If, for some mysterious reason, you're using a different QMS Software, you can also simply download this template - specifically, as Word (.docx), PDF, Google Docs or Markdown file. Scroll down for a preview!

The template license applies (don't remove the copyright at the bottom).


Template preview

<Product Name> - Technical and Organizational Measures

1. General Considerations

This data protection policy outlines the technical and organizational measures implemented for the secure and compliant processing of personal data. It takes into account the rights of data subjects and the requirements of Articles 24, 25, and 32 GDPR to the extent applicable.

<enter company name> deals with three general categories of personal data:

  1. (…)
  2. (…)

The following description of technical and organizational measures will be differentiated, where applicable, according to these categories of data.

2. Organization

<enter company name> has appointed a data protection officer (DPO) who provides advice on data privacy issues, updates the team about changes in regulations and standards and, if required, supports reviews and improvement of the measures. The DPO can be reached via <enter email address>.

In the future, the company is going to create data privacy guidelines documented in the form of standard operating procedures (e.g. DPR-SOP) and templates.

Reference the information security management system (ISMS) you have in place here.

3. Confidentiality

3.1 Entry Control

<enter company name> operates from office premises that are not freely accessible. They are locked when employees are away. The company has implemented the following measures:

<enter company name> does not maintain servers or server rooms. (…)

If you operate your own server rooms, do your best to describe here all security policies that prevent unauthorized people from entering.

If you use a third-party cloud provider, add their policies here. Typically, they should provide you with loads of material that is helpful for this exercise.

If your users store data locally on their end devices - good for you. In that case, enter some description of that and outline that no data leaves the end device.

3.2 Access Control

The company has implemented the following measures for access to software systems:


Describe your access restrictions. Those are measures not only to prevent unauthorized people from entering your offices, but also to prevent unauthorized (electronic) access. Some example measures:

3.3 Usage Control

The company has implemented the following measures when working within software systems:


What are your policies when working with your internal systems? Some typical examples:

3.4 Pseudonymization


This is often an overshoot, but think of scenarios in which identifiable data is really not that necessary. One common example:

3.5 Separation Control


This typically applies to companies managing large amounts of data from various customers:

4. Integrity

4.1 Transfer Control

Transfer control shall ensure that only authorized individuals can inspect personal data. Employee mobile devices must be encrypted if personal data is stored on them.


How do you keep data safe in transmission? Some example measures:

4.2 Input Control

The company has implemented the following measures for its software systems:

This applies to most cloud working environments (e.g. Google Drive, MS SharePoint, Confluence, JIRA, etc.). Any other measures to add in your context?

4.3 Availability and Reliability

Again, if you are using a large cloud provider, you can add more extensive policies and measures here, for example:

4.4 Product Development

4.4.1 Development Tools


As before, think about your own organizational setup. How do you ensure safe development? Some examples:

4.4.2 Privacy-Friendly Settings


4.6 Data Deletion

The company has implemented the following concept for automatic data deletion:

| Data category | Retention period | Responsible |
|---|---|---|
| User data | <This period typically should be specified as part of the informed user consent> | |
| Customer data | Customer data after termination of contracts; lead contact data after 10 years of paused communication | |
| Employee data | Until end of employment | |
| Applicant data | Until 6 months after hiring decision or longer in case of employment | |
| Website data | Deleted after every session | Automated |

5. Employee Workplace

The company has implemented the following measures:

6. Procedure for Regular Review, Assessment and Evaluation

Data protection and IT security within the company is reviewed regularly and, based on these assessments, continuously improved. Internal auditing may include data privacy requirements such as:

The company has implemented the following internal measures:

Template Copyright: See template license.

Please don’t remove this notice even if you’ve modified contents of this template.
