In data protection law, the abbreviation "TOM" stands for "technical and organizational measures" in the area of data security. These serve to protect personal data.

Here you can find out which measures are available and what your company should bear in mind.

Goals of TOMs

Technical and organizational measures (TOM) play a major role in protecting both analog and electronically stored personal data. They include all precautions that must be taken to protect this data.

First and foremost, the measures ensure the secure processing of personal data. This means, above all, that unauthorized access is prevented. Article 32 GDPR requires measures that are appropriate to the risk, and the records of processing under Article 30 GDPR must contain a general description of these technical and organizational measures. You should therefore document in writing which measures the company takes to ensure this protection.

Physical protection measures are also part of TOM: alarm systems, access controls or similar may be required.

In addition, it is important to train the company's employees regularly. This training must be tailored to the work area and to the data and security risks that arise there.

All protective measures must reflect the current state of the art, taking into account the costs of implementation and the risk to the data subjects (Article 32 GDPR).

Selecting TOMs

In order to decide which measures are appropriate, risk assessments must be carried out on a regular basis. In this process, the company identifies possible risks, their probability of occurrence and the severity of their consequences. On this basis it determines which protective measures are appropriate in accordance with the principle of proportionality.

Examples of technical protection measures can be found in IT. Information security can be achieved, for example, with measures from the BSI IT-Grundschutz Compendium. The company can regulate access to data in IT systems by means of rights and role concepts, so that each employee can only reach the data needed for their work. Data should also be processed in encrypted form, e.g., during transport on data carriers or over data connections.
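The rights-and-role concept mentioned above, as an added illustration that is not code from the original page: a small role-based access control where every permission not explicitly granted is denied, and every decision (especially each denial) is written to an audit trail that staff can review when unauthorized access is suspected. The roles, permissions and user names are invented for the example.

```python
"""Rights-and-role concept (role-based access control) with deny-by-default.

Added illustration, not code from the original page. The roles, permissions
and user names are invented for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

# A permission is a (resource, action) pair. Anything not granted explicitly
# is denied: this deny-by-default rule is what makes the concept auditable.
Permission = Tuple[str, str]

# Hypothetical roles for a small HR application (assumption for the example).
ROLE_PERMISSIONS: Dict[str, FrozenSet[Permission]] = {
    "hr_clerk": frozenset({("employee_record", "read")}),
    "hr_manager": frozenset({("employee_record", "read"),
                             ("employee_record", "update")}),
    "auditor": frozenset({("access_log", "read")}),
}


@dataclass(frozen=True)
class AccessDecision:
    allowed: bool
    reason: str


@dataclass
class AccessControl:
    role_permissions: Dict[str, FrozenSet[Permission]]
    user_roles: Dict[str, FrozenSet[str]]
    # Every decision is recorded; the denials are the input for handling a
    # suspected case of unauthorized access.
    audit_log: List[dict] = field(default_factory=list)

    def check(self, user: str, resource: str, action: str) -> AccessDecision:
        """Return the decision for user on (resource, action) and record it."""
        wanted: Permission = (resource, action)
        roles = self.user_roles.get(user, frozenset())  # unknown user -> no roles
        granting = sorted(
            role for role in roles
            if wanted in self.role_permissions.get(role, frozenset())
        )
        if granting:
            decision = AccessDecision(True, "granted via role(s) " + ", ".join(granting))
        elif not roles:
            decision = AccessDecision(False, "denied: user has no roles assigned")
        else:
            decision = AccessDecision(False, "denied: no assigned role grants this permission")
        self.audit_log.append({
            "user": user, "resource": resource, "action": action,
            "allowed": decision.allowed, "reason": decision.reason,
        })
        return decision

    def denied_attempts(self, user: str) -> List[dict]:
        """All logged denials for a user, e.g. when reviewing a suspected incident."""
        return [e for e in self.audit_log if e["user"] == user and not e["allowed"]]


def permissions_of(user_roles: FrozenSet[str],
                   role_permissions: Dict[str, FrozenSet[Permission]]) -> FrozenSet[Permission]:
    """Effective permissions of a user: the union over all assigned roles.
    Useful for a periodic least-privilege review of who can do what."""
    perms: set = set()
    for role in user_roles:
        perms |= role_permissions.get(role, frozenset())
    return frozenset(perms)


if __name__ == "__main__":
    # Constructed sample users (assumption for the example).
    ac = AccessControl(ROLE_PERMISSIONS, {
        "alice": frozenset({"hr_clerk"}),
        "bob": frozenset({"hr_manager"}),
        "carol": frozenset({"auditor"}),
    })
    for user, res, act in [("alice", "employee_record", "read"),
                           ("alice", "employee_record", "update"),
                           ("carol", "employee_record", "read"),
                           ("mallory", "employee_record", "read")]:
        d = ac.check(user, res, act)
        print(f"{user:8} {res}:{act:7} -> {'ALLOW' if d.allowed else 'DENY '} ({d.reason})")
    print("denied attempts by alice:", len(ac.denied_attempts("alice")))
```

Two design choices matter here: an unknown user or an unknown role yields a denial rather than an exception, so a misconfiguration can never open access, and the effective-permission helper gives the reviewer a concrete list to compare against what each job actually requires.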

As purely physical measures, entry controls for buildings and rooms are an option. Systems that secure the premises and sensitive areas, e.g. alarm systems and video surveillance, may also be appropriate.

Organizationally, staff training is very important. Employees should be trained in what to do in the event of a data protection breach and how to deal with suspected cases of unauthorized access.

The protective measures a company must take under the GDPR depend on the individual case and are based on the risks, the legal requirements and the need for protection, among other things. An appropriate level of protection must be achieved. Factors such as the probability that a risk occurs, its severity and the rights and freedoms of the data subjects all play a role here.

Do you need advice on which technical and organizational measures need to be taken in your company and how to implement them? Our team of experts will be happy to answer these questions for you. We will also be happy to help you individually with the topic of training. Simply contact us here.

Book a data protection officer (DSB)