
TOMs: the underestimated topic
Generalized phrases are completely out of place on this topic.
TOMs (technical and organizational measures) are an often underestimated topic in the context of the GDPR, especially in relation to the complete DPA cascade (processing chain with multiple service providers). It is not enough to write blanket phrases in the contract; TOMs must be described precisely and individually for each stage and each service provider involved.
Importance and requirements of TOMs in the DPA cascade
Legal obligation: Art. 28 and Art. 32 GDPR oblige the client (the controller) to document and review all service providers used (processors and any sub-processors) in detail and across all levels with regard to their technical and organizational measures.
Individual design: Each party involved (main contractor and subcontractor) must formulate its own specific TOMs. It is not sufficient to refer vaguely to "appropriate measures".
Description instead of enumeration: TOMs must be described as specifically as possible for the respective service provider, e.g. "password protection with MFA" or "encryption of backup data", not just "data is backed up".
TOMs are less an annoying part of existing data protection regulation and more an important tool for obtaining a well-documented overview of your own infrastructure.
With our JOUO product, we shed light on the dark corners of your infrastructure. You can then use our TOM Wizzard to create systematic documentation for all service providers and archive it in an audit-proof manner. From that moment on, you can update your TOMs at regular intervals with a click of the mouse.
Why is this important?
It is not enough to document TOMs for the "head" service provider (the main processor). Sub-processors must also be described separately (keyword: DPA cascade).
The measures must be differentiated according to the protection requirements and use of the service providers: A hoster must demonstrate different TOMs than a call center.
The documentation should be maintained on an ongoing basis and reviewed at least annually (preferably monthly) and whenever changes occur. With JOUO, you can complete this task in future with just a few mouse clicks.
Here is another urgent warning!
Anyone who neglects TOMs within a DPA cascade (e.g. works with vague boilerplate text or ignores sub-processors) risks fines and can be held liable for data protection violations. The decisive factor is an individually traceable list and description of the TOMs for every single point in the processing chain, including all service providers and sub-processors.
TOMs are mandatory - and one of the most important building blocks for effective, GDPR-compliant commissioned data processing.