Compliance Glossary
All key terms from data protection, information security, whistleblower protection and sustainability – clearly explained.
Access control comprises all organisational and technical measures used to define, grant and enforce permissions on IT systems, applications and data,
The obligation of the controller to not only comply with all GDPR principles, but to be able to actively demonstrate that compliance — Art. 5(2) GDPR.
Accuracy is the GDPR principle requiring personal data to be correct and, where necessary, kept up to date; inaccurate data must be erased or
The acknowledgement of receipt is the reporting channel's confirmation to the whistleblower that their report has been received; under the German
An adequacy decision is a formal decision by the European Commission certifying that a third country, territory or sector ensures a level of data
An administrative fine under Art. 83 GDPR is a monetary penalty imposed by a supervisory authority for data protection breaches, reaching up to EUR 20
Anonymisation is the irreversible alteration of personal data so that the data subject can no longer be identified with reasonable effort, with the
A report submitted without disclosing the reporter's identity, so that neither the reporting channel nor the affected organisation can identify the
Asset management is the systematic identification, classification and maintenance of all of an organisation's information assets and thereby forms the
A systematic, independent examination to determine whether processes and measures comply with defined requirements.
A decision based solely on automated processing, including profiling, that produces legal effects concerning the data subject or similarly
Availability is the information security objective ensuring that systems, applications and data are usable by authorised users whenever needed, in the
A backup is the regular, planned creation of copies of critical data and systems so they can be restored after loss, corruption, or a security
BAFA reporting requires companies within the scope of the German Supply Chain Due Diligence Act to report annually on how they fulfil their
The balancing test is the three-step assessment required under Art. 6(1)(f) GDPR in which a controller's legitimate interest is weighed against the
Binding corporate rules (BCR) are legally binding internal data protection rules that are approved by a supervisory authority under Art. 47 GDPR and
A breach of confidentiality refers to the narrowly defined exceptions under the German Whistleblower Protection Act (HinSchG) in which the identity of
A comprehensive information security framework developed by Germany's Federal Office for Information Security (BSI) for systematic IT protection.
A management process that ensures an organisation can continue delivering critical services during and after disruptive incidents.
A business impact analysis (BIA) systematically assesses the consequences of disruptions to critical business processes and derives recovery times and
The total amount of greenhouse gas emissions caused directly and indirectly, often broken down into Scope 1, 2, and 3.
Carbon offsetting is the compensation of unavoidable greenhouse gas emissions by purchasing credits from verified climate protection projects that
Case closure is the formal conclusion of processing a report by the reporting channel, including the final assessment, the decision on follow-up
Case handling covers all process steps a reporting channel performs for an incoming report, from receipt through acknowledgement, plausibility review
A case management system is software used by an internal or external reporting channel to receive reports confidentially, process them in a structured
The catalogue of reportable breaches under the German HinSchG defines conclusively in Section 2 which legal violations may be reported and thus
The choice of reporting channel is the right of whistleblowers under the German Whistleblower Protection Act (HinSchG) to decide freely whether to
A 12-step information security model designed as an accessible entry point for smaller organisations, particularly municipalities and SMEs.
Climate neutrality describes a state in which the greenhouse gas emissions attributable to a company, product or process are reduced and offset so
A climate transition plan is a strategic roadmap setting out how a company will shift its business model towards a low-carbon economy in line with the
The CO2 equivalent (CO2e) is a comparison unit that converts the climate impact of different greenhouse gases into the impact of carbon dioxide via
Compensation under the German Whistleblower Protection Act (HinSchG) is a whistleblower's statutory claim to be reimbursed for the damage suffered as
A systematic approach to ensuring that an organisation adheres to legal, regulatory, and internal requirements.
The confidentiality obligation requires employees entrusted with processing personal data to keep it confidential, prohibiting them from processing or
The confidentiality requirement obliges internal and external reporting channels to keep secret the identity of the whistleblower, the persons
A conflict of interest at the reporting office exists when a person tasked with handling a report can no longer decide impartially because of their
A freely given, specific, informed, and unambiguous indication of a data subject's wishes, as required by Art. 7 GDPR.
Consent management covers all processes through which controllers lawfully obtain, document, demonstrate and enable the withdrawal at any time of data
The consistency mechanism is the coordination procedure enshrined in the GDPR through which the supervisory authorities of EU member states reach a
The controller is the natural or legal person, public authority or body that, alone or jointly with others, determines the purposes and means of the
Cookie consent is the prior, informed and freely given approval of the user that, under Section 25 TTDSG, must be obtained before non-essential
The CSDDD requires large companies to conduct human rights and environmental due diligence along their chain of activities and to adopt a climate
Critical infrastructure (KRITIS) refers to facilities and systems in supply-relevant sectors whose failure would cause significant supply shortages or
Cryptography is the science of encrypting and securing information using symmetric and asymmetric methods as well as hash functions, in order to
A Computer Security Incident Response Team (CSIRT) is a specialised team that receives, analyses, coordinates and resolves security incidents and
The EU directive 2022/2464 that introduces expanded sustainability reporting requirements for companies above certain thresholds.
The CSRD scope uses size thresholds to determine which companies must prepare an ESRS-compliant sustainability report and have it assured, and from
A breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of personal data, reportable to
A systematic plan for the timely deletion of personal data once the purpose for which it was collected has ceased to apply, as required by Art. 17
Data minimisation requires that personal data be adequate, relevant and limited to what is necessary in relation to the purposes for which they are
A contractual arrangement required by Art. 28 GDPR whenever a service provider processes personal data on behalf of a controller.
The totality of measures taken to comply with data protection legal requirements, in particular the GDPR.
A data protection coordinator is a decentralised privacy contact within a department, site or group company who supports the practical implementation
A structured risk analysis required by Art. 35 GDPR before processing activities that are likely to result in a high risk to the rights of data
The person designated under Art. 37 GDPR to oversee data protection compliance within an organisation.
The rights of natural persons to access, rectify, erase, restrict, port, and object to the processing of their personal data under Art. 15–21 GDPR.
The broad definition of employee under the German Whistleblower Protection Act (HinSchG) covers not only employees but also job applicants, temporary
The designated case handler is the competent and independent person or unit responsible for operating the internal reporting channel, receiving and
Digital forensics is the methodical, evidentially sound identification, preservation, analysis and documentation of digital traces following a
Direct marketing is the targeted, personalised promotional contacting of individuals (by post, email, phone or digital channels) that is permitted
Disaster recovery refers to the set of technical and organisational measures used to systematically restore IT systems, applications and data after
The DNSH criterion (Do No Significant Harm) requires that an economic activity classified as environmentally sustainable does not significantly harm
The duty of a reporting channel under the German Whistleblower Protection Act to record incoming reports and every procedural step in a permanent,
EU Regulation 2022/2554 establishing ICT risk management, incident reporting, and resilience testing requirements for the financial sector.
The analysis of both how sustainability topics affect the company and how the company's activities affect the environment and society.
The duty to inform about reporting channels requires employers to clearly and comprehensibly tell their staff how to use the internal reporting office
Emergency management covers all organisational and technical arrangements for being prepared for emergencies and crises, managing them effectively,
An emission factor is a conversion value that translates activity data such as energy consumption or distance travelled into a quantity of greenhouse
Employee data protection refers to safeguarding the personal data of employees within the employment relationship, governed in Germany primarily by
The employee threshold determines the number of employees from which a company is obliged under the German Whistleblower Protection Act (HinSchG) to
Employers are companies and public-sector legal entities that, under the German Whistleblower Protection Act (HinSchG), are required to set up and
Encryption is a cryptographic process that uses keys to transform data into an unreadable format, protecting it against unauthorised access both while
End-to-end encryption (E2EE) protects data continuously from sender to recipient, so that only these two endpoints can see the plaintext and no
Endpoint detection and response (EDR) is a security technology that continuously records activity on endpoints such as laptops and servers, detects
The European Single Electronic Format (ESEF) requires listed companies to prepare their annual financial reports, including sustainability
The framework for evaluating companies based on environmental, social, and governance criteria.
An ESG rating is the assessment of a company's sustainability performance across the dimensions environment, social and governance, carried out by an
The standards developed by EFRAG that CSRD-obligated companies must use to prepare their sustainability reports.
ESRS 2 is the mandatory cross-cutting standard of CSRD reporting that defines overarching disclosures on governance, strategy, the materiality process
ESRS data points are the standardised individual disclosures defined in the European Sustainability Reporting Standards that companies must report
ESRS E1 is the topical EU reporting standard that requires companies under the CSRD to disclose their climate change mitigation, a transition plan
ESRS E2 is the topical CSRD reporting standard requiring disclosures on the pollution of air, water and soil as well as on substances of concern,
ESRS E3 is the topical European reporting standard that requires companies to disclose their impacts, risks and opportunities related to water
ESRS E4 is the topical EU reporting standard that requires companies to disclose their impacts, risks and opportunities relating to biodiversity,
ESRS E5 is the topical CSRD standard on resource use and circular economy, requiring disclosures on resource inflows and outflows, material flows, and
ESRS G1 is the topical CSRD standard for governance and business conduct; it governs disclosures on business ethics, anti-corruption and anti-bribery,
ESRS S1 is the topical social standard of CSRD reporting that requires disclosures on the working conditions, wages, equal treatment and rights of a
ESRS S2 is the topical social standard under the CSRD that governs the reporting obligations relating to a company's impacts on workers in its
ESRS S3 is the social standard of CSRD reporting that discloses a company's material impacts, risks and opportunities affecting local communities
ESRS S4 is the topical social standard of CSRD reporting that requires disclosures on a company's impacts on consumers and end-users, in particular
Essential and important entities are the two central entity categories of the NIS2 Directive, which determine the scope of cybersecurity obligations
The European Commission's legislative package of February 2025 that bundles, simplifies and postpones the sustainability obligations under the CSRD,
The EU classification system for defining environmentally sustainable economic activities.
Directive (EU) 2019/1937 on the protection of persons who report breaches of Union law, which all EU member states were required to transpose by 17
The EU-US Data Privacy Framework (DPF) is the adequacy decision adopted by the European Commission in July 2023 that permits transfers of personal
The European Data Protection Board (EDPB) is the independent EU body comprising all national supervisory authorities that ensures consistent
An external reporting channel is a state-run reporting body independent of the employer under the German Whistleblower Protection Act (HinSchG), which
Fairness is the data protection principle requiring that personal data be processed lawfully, fairly and in a transparent manner that is
The German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG) is Germany's national data protection law that supplements and specifies the
The federal external reporting office is the central state body established at the Federal Office of Justice to which whistleblowers may turn under
Feedback is the information that must be given to the reporting person within three months of the acknowledgement of receipt about the follow-up
Financial materiality (outside-in) refers to the materiality of sustainability matters that are expected to have, or could reasonably be expected to
A firewall is a security component that monitors, filters and controls network traffic based on defined rules in order to prevent unauthorised access
Follow-up contact describes the communication channel through which the reporting office can put questions to the whistleblower during case handling
Follow-up measures are the steps a reporting channel must take under Section 18 HinSchG to assess, investigate and address a reported breach.
The BSI is Germany's national cybersecurity authority and the competent supervisory body for implementing the NIS2 Directive, as well as the central
The German law on human rights and environmental due diligence obligations in global supply chains.
In whistleblower protection law, good faith means the requirement that, at the time of reporting, the reporting person had reasonable grounds to
The integrated approach to managing corporate governance, risk management, and compliance adherence.
The EU Green Claims Directive is a proposed EU framework requiring companies to substantiate explicit environmental claims with scientific evidence
A greenhouse gas inventory captures and calculates all of a company's climate-relevant emissions, structured into Scope 1, 2 and 3, and forms the data
The Greenhouse Gas Protocol is the world's leading standard for accounting and reporting greenhouse gas emissions, dividing them into Scope 1, Scope 2
Greenwashing refers to misleading or unsubstantiated marketing and sustainability claims that present a company, product, or service as more
The world's most widely used sustainability reporting framework, developed by the Global Reporting Initiative.
The handler confidentiality duty requires everyone involved in processing a report to keep the identity of whistleblowers, accused persons and third
A HinSchG administrative fine is the monetary penalty that can be imposed for breaching duties under the German Whistleblower Protection Act, for
Human rights due diligence is an ongoing process through which companies identify, prevent, mitigate and account for actual and potential adverse
Identity and access management (IAM) encompasses the processes and technologies used to manage digital identities, roles and access rights throughout
Identity protection is the reporting channel's duty to keep the identity of the whistleblower and of any other persons named in a report confidential
Impact materiality (the inside-out perspective) captures a company's actual and potential, positive and negative impacts on the environment and
The IRO analysis is the procedure required under the ESRS for systematically identifying and assessing a company's impacts, risks and opportunities
Incident response is the structured process for detecting, responding to and containing security incidents in order to limit damage and restore normal
Independence of the reporting office means that the persons tasked with handling reports carry out their work free from professional instructions,
Information classification assigns information to defined protection levels based on its protection requirements and establishes binding labelling and
The information security officer (ISO) is the central role that steers, coordinates and is accountable for an organisation's information security
An information security policy is the binding, management-approved governing document that defines the objectives, roles and requirements for an
Integrity and confidentiality is the security principle enshrined in Art. 5(1)(f) GDPR, requiring that personal data be adequately protected against
A structured fact-finding process carried out by the organisation itself to examine a report of a possible legal violation, document the findings and
The designated function that organisations with 50 or more employees must establish under the HinSchG to receive and handle reports of wrongdoing.
An internal whistleblowing policy is a company's in-house procedural framework that defines how reports are received and handled and how
An intrusion detection system (IDS) monitors network traffic or system activity, detects attacks and anomalies using signatures or behavioural
A systematic framework of policies, processes, and controls for managing an organisation's information security risks.
The international standard specifying requirements for establishing, implementing, maintaining, and continually improving an ISMS.
A joint controller arrangement transparently sets out, under Art. 26 GDPR, who fulfils which data protection obligations when two or more parties
Exists when two or more controllers jointly determine the purposes and means of processing personal data, as defined in Art. 26 GDPR.
Key management comprises all processes for the secure generation, distribution, storage, use, rotation and destruction of cryptographic keys across
A knowingly false report is the deliberate or grossly negligent submission of untrue information about alleged breaches; it is not protected under the
In cross-border data processing, the lead supervisory authority is the single competent authority under the one-stop-shop principle, located where the
The principle of least privilege states that users, services and systems are granted only the exact access rights they genuinely need to perform their
A legal basis is one of the six grounds for lawful processing required under Article 6 GDPR; without at least one of these grounds, any processing of
Legitimate interest is a legal basis under Art. 6(1)(f) GDPR that permits data processing where the interests of the controller or a third party
A Life Cycle Assessment (LCA) is a systematic method for evaluating the environmental impacts of a product or service across its entire life cycle,
Limited assurance is the lower of two assurance levels used by auditors to examine CSRD sustainability disclosures, resulting in a negatively worded
Preventive measures under the German Supply Chain Due Diligence Act (LkSG) are precautions through which companies prevent or minimise human rights
Remedial measures under the German Supply Chain Due Diligence Act (LkSG) are the legally mandated steps a company must take to end, prevent or at
The LkSG risk analysis is the systematic process by which companies identify, weigh and prioritise human rights and environmental risks within their
Logging and monitoring describe the systematic recording and continuous analysis of security-relevant events in IT systems, making attacks,
Malware (malicious software) refers to programs that are introduced into IT systems without the user's knowledge or consent in order to steal,
The NIS2 Directive requires the management bodies of in-scope entities to personally approve cybersecurity risk-management measures, oversee their
The obligation to integrate CSRD/ESRS sustainability reporting as a clearly identified section directly within the (consolidated) management report,
The material scope defines which breaches are covered by the protection of the German Whistleblower Protection Act – essentially criminal offences,
A materiality assessment is the structured process by which a company identifies, evaluates and prioritises the sustainability topics, impacts, risks
The Minimum Safeguards are the mandatory social and governance requirements under Art. 18 of the EU Taxonomy Regulation that an economic activity must
Multi-factor authentication (MFA) is a method that verifies a person's identity using at least two independent factors from different categories
The ability of software to manage multiple legally separate organisations (tenants) within a single system with strict data separation.
The need-to-know principle grants access to information only to those people who demonstrably require that access to carry out a specific job-related
Net zero is the state in which a company has reduced its anthropogenic greenhouse gas emissions as far as possible and permanently removes the
Network segmentation is the division of an IT network into separated zones in order to control traffic and contain the spread of attacks.
EU Directive 2022/2555 strengthening cybersecurity requirements for essential and important entities across the European Union.
The process of determining whether an organisation qualifies as an essential or important entity under the NIS2 Directive.
The obligation of affected entities to report significant security incidents to the competent authority within 24 hours of detection.
The NFRD (Non-Financial Reporting Directive, Directive 2014/95/EU) was the EU predecessor of the CSRD and required large public-interest entities to
Obstruction of reporting is any attempt to prevent a whistleblower from making a report or to make reporting more difficult; such conduct is
An external, impartial trusted intermediary – often a lawyer – who serves as a confidential point of contact for whistleblowers and is bound by strict
Opt-in and opt-out describe two opposing consent models: under opt-in the data subject must actively agree to the processing, whereas under opt-out
Under the German Whistleblower Protection Act, an oral report is a disclosure made by telephone, through another voice-messaging system, or on request
Outsourcing the reporting office means delegating the operation of the internal reporting channel to an external third party, such as a law firm,
PCAF (Partnership for Carbon Accounting Financials) is a globally recognised standard that enables banks, insurers and investors to measure and
Patch management is the orderly process of identifying, assessing, testing and deploying software updates and security fixes in order to remediate
Penetration testing is an authorised, controlled attack on IT systems, applications or networks that aims to uncover exploitable security gaps before
Under the German Whistleblower Protection Act (HinSchG), a person concerned is a natural or legal person named in a report or disclosure as the cause
Any information relating to an identified or identifiable natural person, as defined in Art. 4(1) GDPR.
The personal scope of the German Whistleblower Protection Act defines which natural persons qualify as protected whistleblowers when they report or
Phishing is a social engineering attack in which adversaries use forged emails, websites or messages to steal credentials or trick the victim into
The right of a whistleblower to meet a competent person at the reporting channel in person within a reasonable period, at their own request, in order
The plausibility check is the first substantive assessment of an incoming report to determine whether the alleged breach appears credible and falls
The principle that a person accused in a whistleblower report is deemed innocent until misconduct is proven, and is entitled to fair, confidential and
Privacy by default obliges controllers under Article 25(2) GDPR to ensure, through data protection-friendly default settings, that by default only the
Privacy by design (data protection by design) obliges the controller under Art. 25 GDPR to build appropriate technical and organisational measures
A privacy policy transparently informs website visitors, in a concise and easily accessible form, which personal data is processed for which purposes,
Privileged access management (PAM) comprises the processes and technologies used to secure, control and monitor privileged administrative accounts and
A processor is a natural or legal person that processes personal data solely on the documented instructions and for the purposes of a controller,
Profiling is any automated processing of personal data used to evaluate, analyse or predict personal aspects of an individual, such as work
The prohibition of bundling forbids making the performance of a contract conditional on a data protection consent that is not necessary for that
The legal prohibition on taking adverse measures – such as dismissal or demotion – against whistleblowers as a consequence of their report.
A protected report is the disclosure of information about breaches that falls within the personal and material scope of the German Whistleblower
A protection requirements analysis determines, for each information asset, how high the protection needs are in the three core values of
Pseudonymisation is the processing of personal data in such a way that it can no longer be attributed to a specific data subject without the use of
Public disclosure means making information about breaches available to the public; it only protects whistleblowers from reprisals when narrow
A public key infrastructure (PKI) is the organisational and technical system for generating, distributing, managing and revoking digital certificates
Purpose limitation requires that personal data be collected only for specified, explicit and legitimate purposes and not be further processed in a
Ransomware is malware that encrypts data or entire systems, or blocks access to them, and extorts a ransom in exchange for restoring access.
Reasonable assurance is the high, positively worded level of assurance that the external audit of sustainability reports is intended to reach in later
Reasonable grounds exist where, at the time of the report, a whistleblower could reasonably believe—based on the circumstances known to them—that the
The mandatory register of all processing activities that every controller must maintain under Art. 30 GDPR.
Referral to authorities means forwarding a report to the competent law enforcement or supervisory authority when the reported matter falls within
A reporting channel is the technical and organisational route through which whistleblowers can report breaches – in writing, orally, or, on request,
Under the German Whistleblower Protection Act (HinSchG), a reporting person is a natural person who reports or discloses information about breaches
The retention period for a report defines how long the documentation of a whistleblower report may be stored; under Section 11(5) HinSchG it must be
A retention schedule structurally defines, for each data type, how long personal data may be kept and when it must be deleted or anonymised.
Under the German Whistleblower Protection Act, the reversal of the burden of proof presumes that any detriment suffered by a whistleblower is a
The right of access under Art. 15 GDPR entitles data subjects to obtain confirmation that their personal data is being processed, a copy of that data
The right to compensation under Article 82 GDPR entitles data subjects to redress for both material and non-material damage suffered as a result of an
The right to data portability under Art. 20 GDPR allows data subjects to receive the data they have provided in a structured, commonly used and
The right to erasure (Art. 17 GDPR), also known as the right to be forgotten, obliges the controller to delete personal data without undue delay once
The right to object lets data subjects oppose the processing of their personal data, especially for direct marketing, where the objection applies at
The right to rectification entitles data subjects to have inaccurate personal data corrected and incomplete personal data completed without undue
The right to restriction of processing under Art. 18 GDPR allows data subjects to have the further processing of their personal data temporarily
The systematic process of identifying, analysing, and evaluating risks to an organisation's information security.
Risk management is the systematic, continuous process of identifying, assessing, treating and monitoring information security risks in order to limit
Risk treatment is the process of selecting and implementing measures to avoid, reduce, share or knowingly accept identified information security
Role-based access control (RBAC) grants access rights not to individual people but to defined roles to which users are assigned, so that permissions
A cloud-based delivery model in which software is accessed and used over the internet as a service.
Science Based Targets are corporate emission reduction goals aligned with the 1.5-degree pathway of the Paris Agreement and validated against a
The classification of greenhouse gas emissions into direct (Scope 1), energy-related indirect (Scope 2), and other indirect (Scope 3).
Security awareness is the targeted training and sensitisation of employees so they can recognise security risks such as phishing or social engineering
A security concept is the documented, comprehensive description of all technical and organisational security measures of an organisation, capturing
An event that compromises or threatens the confidentiality, integrity, or availability of information or information systems.
The security objectives of information security are confidentiality, integrity and availability (the so-called CIA triad), which define the threats
A security operations centre (SOC) is a central organisational unit that monitors an organisation's IT environment around the clock, detects and
The seven-day deadline is the statutory period under the German Whistleblower Protection Act (HinSchG) within which a reporting office must confirm
A shared reporting office is an internal reporting channel operated jointly by several companies under the German Whistleblower Protection Act, which
Security Information and Event Management (SIEM) is a central platform that collects, normalises and correlates security-relevant log data from IT
The EU Taxonomy defines six environmental objectives used to assess whether an economic activity is environmentally sustainable; an activity must
Social engineering is the deliberate psychological manipulation of people to make them disclose confidential information or perform security-critical
Special categories of personal data are highly sensitive data under Art. 9 GDPR whose processing is generally prohibited and permitted only under
Stakeholder engagement is the systematic dialogue with affected interest groups, conducted to incorporate their perspectives into the materiality
Standard contractual clauses (SCC) are model contract clauses adopted by the European Commission that contractually secure an adequate level of data
A mandatory ISO 27001 document that lists all Annex A controls, states which are applicable, and explains why others are excluded.
The mandatory feedback that organisations must provide to a whistleblower within three months of acknowledging their report, informing them of any
Storage limitation is a GDPR principle requiring that personal data be kept in an identifiable form only for as long as is necessary for the purposes
A data protection supervisory authority is an independent public body that monitors and enforces the application of the GDPR and advises both data
Supply chain due diligence is a company's obligation to identify, prevent, mitigate and transparently report on human-rights and environmental risks
Supply chain security covers all measures by which an organisation identifies, assesses and manages cyber risks arising from its relationships with
Sustainability assurance is the external verification of CSRD-mandated sustainability disclosures by an independent assurance provider, confirming
A sustainability report is the structured disclosure of a company's environmental, social and governance impacts, risks and opportunities, which under
The SFDR (Sustainable Finance Disclosure Regulation) requires financial market participants and financial advisers to disclose transparently how they
System hardening is the deliberate reduction of an IT system's attack surface through secure configuration, such as disabling unnecessary services,
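One concrete form of the secure configuration the hardening entry refers to is auditing a service's configuration file against a baseline. The example below does this for an sshd_config-style file; it is an added illustrative example, not code from the glossary, and the baseline and the two sample configurations are constructed for the example rather than taken from any published benchmark. Two parsing details are deliberately modelled because they cause false "hardened" results in practice: OpenSSH honours the first occurrence of a keyword, so a fix appended at the end of the file is ignored, and anything after a `Match` line is conditional rather than global.

```python
"""Configuration audit as one piece of system hardening: compare an
sshd_config-style file against a small baseline of secure settings and
report deviations. Added illustrative code; the baseline and both sample
configurations are constructed for the example, not an official benchmark."""
from __future__ import annotations

import re

# Constructed weak configuration. Note the "fix" appended at the end and the
# Match block: neither changes the effective global setting.
WEAK_CONFIG = """\
# constructed example sshd_config (weak)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
MaxAuthTries 10
# appended later as a fix, but sshd honours the FIRST occurrence of a keyword
PermitRootLogin no
Match User deploy
    PasswordAuthentication no
"""

# Constructed hardened configuration for comparison.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 3
"""

# keyword (lower-case) -> (predicate on the value, human-readable requirement)
BASELINE = {
    "permitrootlogin":        (lambda v: v == "no", "PermitRootLogin must be 'no'"),
    "passwordauthentication": (lambda v: v == "no", "PasswordAuthentication must be 'no' (keys only)"),
    "permitemptypasswords":   (lambda v: v == "no", "PermitEmptyPasswords must be 'no'"),
    "x11forwarding":          (lambda v: v == "no", "X11Forwarding must be 'no'"),
    "maxauthtries":           (lambda v: v.isdigit() and int(v) <= 4, "MaxAuthTries must be 4 or fewer"),
}


def parse_sshd_config(text: str) -> dict[str, str]:
    """Return the effective global settings of an sshd_config-style file.
    Only the first occurrence of a keyword counts, and parsing stops at the
    first 'Match' line because everything after it applies conditionally."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)                 # first occurrence wins
    return settings


def audit_sshd_config(text: str) -> list[str]:
    """List every baseline requirement the configuration fails to meet explicitly.
    An absent keyword is reported too: the compiled-in default would apply, and a
    hardening baseline should pin the value rather than rely on that default."""
    settings = parse_sshd_config(text)
    findings: list[str] = []
    for key, (is_ok, requirement) in BASELINE.items():
        if key not in settings:
            findings.append(f"{requirement}: not set explicitly (default applies)")
        elif not is_ok(settings[key].lower()):
            findings.append(f"{requirement}: found '{settings[key]}'")
    return findings


def is_hardened(text: str) -> bool:
    return not audit_sshd_config(text)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {'OK' if is_hardened(cfg) else 'FINDINGS'}")
        for f in audit_sshd_config(cfg):
            print("  -", f)
```

Run against the weak file the audit reports five findings, including `PermitRootLogin` as `yes` despite the `no` appended later; the hardened file passes. The same pattern (parse the effective configuration, compare against a pinned baseline, treat "not set" as a finding) carries over to other services.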
Taxonomy alignment is the demonstrated conformity of an economic activity with all technical screening criteria of the EU Taxonomy and is the
Taxonomy eligibility describes the assignment of an economic activity to an activity defined in the EU Taxonomy, regardless of whether that activity
Security safeguards that controllers and processors must implement under Art. 32 GDPR to ensure a level of protection appropriate to the risk.
The transfer of personal data to countries outside the EEA, which requires specific safeguards under Art. 44–49 GDPR.
Third-party risk management is the systematic assessment, contractual safeguarding and ongoing monitoring of security risks that arise from engaging
Threat intelligence is the systematic collection, processing and analysis of information about current cyber threats, attack methods and threat actors
The three-month deadline requires the internal reporting office to provide the whistleblower with feedback on the follow-up measures planned or
The three-tier reporting system describes the reporting channels available to whistleblowers under the German HinSchG: the internal reporting office,
A transfer impact assessment (TIA) is the case-by-case evaluation required after the Schrems II ruling to determine whether a transfer of personal
Transparency obligations require the controller to inform data subjects, at the point of collection, in a clear and intelligible way about the
The TTDSG (now TDDDG) governs data protection in telecommunications and telemedia, especially the protection of terminal equipment, and complements
In the ESG context, the value chain covers all of a company's upstream and downstream activities and forms the key reporting boundary of the ESRS,
The German automotive industry's information security assessment catalogue, audited through the TISAX scheme managed by the ENX Association.
Vulnerability management is the continuous process of systematically identifying technical vulnerabilities in IT systems, assessing their risk and
Vulnerability scanning is the automated examination of IT systems, networks and applications for known security weaknesses based on current
The German law protecting whistleblowers, transposing EU Whistleblower Directive 2019/1937 into national law.
A technical system enabling the secure and, where applicable, anonymous submission of reports about legal violations.
The act of reporting misconduct, legal violations, or unethical behaviour within an organisation to a responsible authority.
Works council involvement covers its co-determination and participation rights when an internal reporting system is introduced and configured under
A written report is a disclosure of a breach submitted in text form – for example by email, online form, letter or whistleblowing system – to an
A zero trust architecture is a security model that grants no implicit trust to any user, device or service and continuously authenticates, authorises