TOMs (Technisch-organisatorische Maßnahmen)
Technical and organizational measures (TOMs) are the security measures required under Article 32 of the GDPR that organizations must implement to protect personal data from unauthorized access, loss, or destruction.
In data protection terminology, TOMs denote the entirety of the security measures a company implements to protect personal data. They are enshrined in Article 32 of the GDPR and must be in line with the state of the art and proportionate to the risk to data subjects.
Legal Basis
Article 32 of the GDPR requires:
> "The controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk."
TOMs are not optional. If they are absent or insufficient, fines of up to €10 million or 2% of annual turnover may be imposed (Art. 83(4) GDPR).
Typical TOM Categories
- Physical access control (Zutrittskontrolle): Unauthorized persons have no physical access to data processing facilities (locks, access systems, alarm systems)
- System access control (Zugangskontrolle): Unauthorized persons cannot use systems (password policies, MFA, screen lock)
- Data access control (Zugriffskontrolle): Authorized users can only access the data they need to perform their tasks (RBAC, least privilege)
- Segregation control: Data collected for different purposes is processed separately (client segregation, database schemas)
- Pseudonymization and encryption: Personal data is stored and transmitted in encrypted or pseudonymized form
- Input control: Traceability of who entered or modified which data and when (audit logs)
- Transmission control: Protection of data in transit (TLS, VPN, secure email)
- Availability control: Protection against data loss (backup, redundancy, contingency plan)
- Processor control: Verification and oversight of service providers that process data on the controller's behalf
TOMs in practice
TOMs must be documented—data protection authorities require proof during audits or incidents. The documentation should:
- Describe each measure in detail
- Take into account the state of the art and the risk associated with the processing activity
- Be reviewed and updated regularly
An ISO 27001 certificate significantly simplifies demonstrating TOMs: the controls in Annex A largely cover the GDPR requirements.