Technical and Organisational Measures (TOMs)
Security safeguards that controllers and processors must implement under Art. 32 GDPR to ensure a level of protection appropriate to the risk.
Technical and Organisational Measures (TOMs) are the concrete security safeguards that a controller or processor must implement under Art. 32 GDPR to ensure a level of protection appropriate to the risk. The GDPR lists the following as examples: pseudonymisation and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services; the ability to restore the availability and access to personal data in a timely manner in the event of an incident; and a process for regularly testing and evaluating the effectiveness of measures.
Rather than prescribing a fixed list of required measures, the GDPR deliberately applies the principle of risk proportionality. When selecting and evaluating TOMs, organisations must take into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of the processing, and the likelihood and severity of the risks. Typical TOMs include technical measures such as firewalls, access control frameworks, and automatic screen locks, as well as organisational measures such as data protection training, confidentiality agreements, and mobile device policies.
As compliance officer, you are responsible for documenting TOMs — often as an annex to a DPA or as a standalone TOM document. This document must be regularly reviewed and updated, particularly when the technical infrastructure or processing activities change. An outdated TOM document can be treated as negligence in the event of a data breach and may increase the organisation's liability. Supervisory authorities increasingly scrutinise the quality and currency of TOM documentation during inspections.
Legal Basis
Art. 32 GDPR
Practical Example
A new cloud service provider asks your organisation to sign its standard DPA and attaches a TOM document that contains only generic statements about ISO 27001 certification. As compliance officer, you request a more detailed description of the concrete measures in place: What encryption standards are used? How is the access control framework designed? What processes exist for detecting and responding to security incidents? Only after receiving and reviewing a revised TOM document that answers these questions do you approve the onboarding of the vendor.