1. General security rules

• 1.1 The data controller must specify internal rules in detail for security measures of the undertaking in order to elaborate on the rules laid down in this appendix. In particular, the rules must comprise organisational circumstances and physical security, including security organisation, administration of access control schemes, authorisation schemes as well as control of authorisations. Instructions that determine the responsibility for and describe the processing and destruction of input and output data material and the use of computer equipment are also to be established. Moreover, guidelines must be laid down for the supervision of compliance with the security measures laid down for the undertaking. The internal rules must be reviewed at least once a year for the purpose of ensuring that they are adequate and reflect the actual situation of the undertaking.
• 1.2 The data controller must give the necessary instructions to the employees who process personal data. The employees are to be informed of the rules established in accordance with section 1.1 above.
• 1.3 Measures are to be taken at locations where personal data are processed in order to prevent any third party from gaining access to the data.
• 1.4 Only external communication channels may be established if special measures are taken to ensure that no third party gains access to the personal data through said channels. Any transmission of sensitive personal data over the Internet must always be encrypted.
• 1.5 The necessary measures must be taken to ensure that section 41(3) of the Danish Act on Processing of Personal Data is observed in connection with any repairs and service of data equipment that contains personal data and in connection with any sale and discarding of any data mediums used. 

2. Authorisation and access control

• 2.1 Only authorised persons may have access to personal data. Any authorisations for access to personal data processed by IT equipment must specify the extent to which the user may make inquiries, register or delete personal data. The individual users may not be authorised for uses for which they have no need.
• 2.2 Only persons who are engaged in the purposes for which the personal data is processed may be authorised as well as any persons who need access to the data for the purpose of audit, operational or system engineering tasks.
• 2.3 It must be ensured that the authorised persons still fulfil the conditions specified in sections 2.1 and 2.2 above. Any monitoring of such fulfilment must be made at least once every six months.
• 2.4 Measures must be taken to ensure that only authorised users are able to get access to personal data and that they only are able to get access to the personal data and the use for which they are authorised.
• 2.5 All rejected attempts to gain access to computer systems containing personal data must be registered. If a specific number of consecutively rejected attempts to gain access are registered from the same workstation or with the same user identification, any further attempts must be blocked.

Read more about Plesner's Data Protection team