AS-S3C
Basics & self-perception
On what basis do we act?
- The Act on the Protection of Business Secrets (GeschGehG) states under § 9 (2), Exclusion of claims in case of unreasonableness: the claims ... are excluded if fulfilment would be disproportionate in the individual case, taking into account in particular the confidentiality measures taken.
- The GDPR mentions the need for TOMs (technical and organisational measures) in various places and speaks of "appropriate safeguards" for the processing of personal data when transferring data to third countries. Recital (91) also refers to the "state of the art".
- The new Federal Data Protection Act (BDSG) also refers to the "state of the art". Because the "Privacy Shield" is no longer available as an appropriate guarantee, new Standard Contractual Clauses (SCC) have been published, which now require an assessment of the adequacy of legislation in third countries within the framework of a TIA (Transfer Impact Assessment).
- What is to be understood by "state of the art" in case of doubt has been laid down by ENISA (European Network and Information Security Agency) and TeleTrusT (Bundesverband IT-Sicherheit e.V.) in the "State of the Art" handout (last update 2021).
Our self-perception: absolute reliability
We have drawn up our Code of Conduct (PDF file) for cooperation in a spirit of partnership, which sets out our self-perception of cooperation based on trust.
Establish compliance for Office 365
It is extremely time-consuming and therefore costly to establish data protection compliance for Office 365 with in-house resources. The necessary know-how is also not always available. If required, AS-S3C can take over the entire documentation process for you and ensure data protection compliance for your company in this area.
Data protection: Only a minimal extract of the requirements
- Gain an overview of the types of personal data stored, including their locations.
- Prevent data breaches: implement protection measures for personal data - incl. monitoring and logging, data loss prevention, protection against the most common attack vectors.
- Apply ongoing governance programmes for personal data - incl. ensuring compliance with corporate policies, implementing data retention policies.
- Carry out a data protection impact assessment (DPIA) - including a risk assessment for the rights and fundamental freedoms of natural persons and an assessment of the necessity and proportionality of the data processing with regard to the DPIA.
- Organise information security for clients - including definition of responsibilities within their organisation regarding security and protection of personal data.
- Comprehensive lists of the requirements and efforts (see below) for establishing compliance with Office 365 without AS-S3C.
Compliance requirements without AS-S3C support
Using Office 365 as an example, we have explained the time-consuming and cost-intensive efforts required to prove compliance.
- GDPR action plan for Microsoft 365: key priorities for the first 30 days, 90 days and beyond
  https://docs.microsoft.com/en-us/compliance/regulatory/gdpr-action-plan
- Data protection impact assessments under the GDPR
  https://docs.microsoft.com/en-us/compliance/regulatory/gdpr-data-protection-impact-assessments
- Checklist on responsibilities for the GDPR for Microsoft 365
  https://docs.microsoft.com/en-us/compliance/regulatory/gdpr-arc-office365
- Data protection impact assessments
  https://www.microsoft.com/de-de/trust-center/privacy/gdpr-dpia
  https://download.microsoft.com/download/7/2/0/72034519-c38d-4a2c-9ecf-2d37080d0632/customizable-dpia-document-final-11-2020.docx