...that the management is liable for misconducts of their employees while using corporate infrastructure?

 

...that there is a duty of notification of all affected persons after a data theft or breach (Databreach Notification Duty)?

 

...that data has to be protected against loss, destruction, manipulation or unlawful usage (Dataprotection Act)?

 

...that the responsibility for information security always remains with the management board, even if services are outsourced ?

 

...that logs which enable traceability of data access have to stored for at least three years?