Krämer - Your independent field service provider

The data protection concept of Krämer Marktforschung

Introduction

Krämer Marktforschung GmbH is a member of the following associations which issue guidelines for market research institutes: Arbeitskreis Deutscher Markt- und Sozialforschungsinstitute e.V. (ADM), Berufsverband Deutscher Markt- und Sozialforscher e.V. (BVM) and the European Society for Opinion and Marketing Research (ESOMAR). We are bound by the guidelines of the aforementioned associations and by the provisions of the German Federal Data Protection Act [Bundesdatenschutzgesetz] (BDSG). The company’s Data Protection Officer is Silke Schulte-Uhr (s.schulte-uhr@kraemer-germany.com; 02501-802207).


Fulfilment of duties pursuant to Section 9 of the Federal Data Protection Act (BDSG)

1. Access control

Preventing unauthorized persons from gaining access to data processing systems with which personal data are processed.

The building is secured by an alarm system. Reception is staffed between 08:00 and 17:30 on working days. The central entrance door is locked by default between 17:30 and 08:00. The locking system uses individualised keys, and every locking operation is logged. There is a list of keys, and when an employee leaves the company a control sheet is used to check that all keys, IDs and passwords have been cancelled. The different parts of the building are secured by individual electronic protection against entry by persons not entitled to enter the building. Employees are only cleared to enter the building areas that are relevant to them.

The servers for the entire network are in a locked server room (code lock), which can only be accessed using a separate code. The server console is in the server room, and administration can only be undertaken by means of a password-protected login. Only the administrators have access to the server room. For other rooms a time recording system is in place. The cleaning personnel do not have access to the server room. Non-authorized employees and people from outside the company (for example technicians or tradespeople) only have access to the server room when supervised by an authorized employee. Maintenance work on the installed systems by external companies is only undertaken in the presence of authorized KMF employees. No remote maintenance of the systems takes place. Project staff are not able to access the servers from home; only the IT administration personnel are authorized to do so. The office rooms can only be entered when accompanied by an authorized employee.


2. Storage media control

Preventing storage media from being read, copied, modified or removed without authorization.

The Windows system is only accessible by means of a password when logging in; project-specific user groups are set up by the administrator and are allocated appropriate rights. The passwords for the internal databases have to be changed every 4 weeks. Access is blocked after 3 failed login attempts. A folder with separate access rights is set up for every project, and only authorized persons (administrator and project manager) have access to it. Administrator passwords are stored in the safe. Access to the systems/applications from outside the company is only possible in the form of access to survey templates (telephone studio).

The call centre agents’ computers are secured by means of a double login procedure. All agents have only limited rights, both on their computer and on the network. For the above reasons, the policy procedure is simplified. The computer passwords are changed only by the administrators and supervisors at regular intervals (every 4 weeks). To obtain access to the survey software, agents also have to be separately cleared for every assignment/every shift by the supervisors via an in-house tool.

Access to applications and systems is logged by means of a dedicated line, participant identification, functional allocation to individual data end devices, logging of system use and log analysis (only in suspicious cases). Only the administrator has access to these logs. The systems/applications are protected against unauthorized access by means of a firewall. An automated virus scanner is in use and is updated continuously. All employees working with personal data have signed a confidentiality agreement. Data storage media are always encrypted in accordance with the instructions from the respective client.


3. Memory control

Preventing unauthorized input into the memory and the unauthorized examination, modification or erasure of stored personal data. Access to the different data areas is differentiated by allocating rights; only the administration has full access to all systems. Individual roles and rights are allocated according to functions. There are differentiated authorizations for read and write (changing/deleting data) access, and application-specific user rights are allocated. Storage media that are not currently in the system are stored in the safe. Data is generally stored in an SQL database on a redundant server with RAID 5 hard disks to protect against data loss. Data backups take place overnight. There are 2 safes. The survey and address data from every study is completely deleted after all checks have been concluded, but at the latest 6 weeks after the end of the survey. Data that is no longer required is professionally deleted or destroyed. The destruction of files containing personal data is undertaken by certified companies which provide confirmation that this has been done. Magnetic data media are erased by being overwritten or are physically destroyed.


4. User control

Preventing the reading, copying, modification or removal of personal data during electronic transmission / transport / storage. Data transfers, and as the case may be the issuing or sending of data media, take place strictly in accordance with the instructions of the respective client. Address and survey files are not sent to third parties, nor is the data used outside the prescribed project. Data is sent via LAN (only for our branches or local/tunnel connection), Internet/Web, email, FTP, post, courier or fax, depending on the instructions from the respective client. Encryption of data, transport protocols etc. is undertaken at the request of the individual client, and in accordance with the respective regulations.


5. Input control

Ability to check subsequently whether and by whom personal data has been entered into data processing systems, modified or removed. Only employees working on the project have the right to modify data. Access rights and allocation to user groups are carried out by the project management; they are set up and monitored by the administrator.


6. Order control

Ensuring that the processing of personal order data only takes place according to the client’s instructions. Every order is processed, logged and administered in strict separation from other orders. Orders are implemented in separate directories. There is a formal process for placing and processing orders. The work steps and the results are monitored.


7. Availability control

Protecting personal data against accidental destruction or loss. Appropriate backup and security procedures are in place for all relevant systems/applications (backup procedures, hard drive mirroring (RAID), fire protection systems, climate control). UPS protection (uninterruptible power supply) is in place. The relevant security patches are regularly applied to all work computers and servers. Data backups are carried out as required daily, weekly and monthly (retained for up to 6 months). A continuously updated virus scanner is in use. Backup and restart tests are undertaken regularly. There is guaranteed virus protection. There are fire extinguishers in the server room and working areas, as well as smoke detectors and fire alarms; the building has fire protection doors in some areas.


8. Separation rule

Ensuring separate processing of personal data collected for different purposes. Every time personal data is processed, the purpose of this has to be specified. Every order is processed, logged and administered in strict separation from other orders. Orders are implemented in separate directories. There is a formal process for placing and processing orders.

The technical and organisational measures are subject to technical progress and further development. Krämer Marktforschung GmbH regularly implements alternative adequate measures, provided these reflect technical progress and do not fall short of the security level of the measures described above.