nexalign

Glossary term

GDPR Art. 32 TOMs

Also: Technical and organisational measures, Art. 32 GDPR, TOMs

Technical and organisational measures that ensure a level of security appropriate to the risk when processing personal data. The duty arises from Art. 32 GDPR and applies to every controller and processor in the EU.

Art. 32 GDPR names four example areas: pseudonymisation and encryption; ongoing confidentiality, integrity, availability and resilience of processing systems; the ability to restore availability and access after an incident; and regular testing and evaluation of the measures. The state of the art, the cost of implementation, the nature, scope, context and purposes of the processing, and the risks to data subjects are explicitly named as benchmarks for what counts as "appropriate".

Structuring: TOMs are usually documented by category (entry control, access control, use control, transfer control, input control, processing control, availability control and separation control, plus organisational measures such as training, confidentiality agreements and emergency management). Template structures are provided by the German state data protection authorities and by associations such as BvD or GDD.

Audit relevance: TOMs are a mandatory annex to data processing agreements under Art. 28 GDPR. Supervisory authorities (federal and state data protection authorities) examine TOMs by sampling, and systematically once an Art. 33 breach notification arrives. Generic TOM lists that are not specific to the actual processing are a commonly cited deficiency in supervisory publications.
