All systems operational · 99.98% uptime
← All articles
DSGVO7 min · 27.05.2026

DPA, TOMs, deletion policy: the GDPR checklist for transport operators

What your data protection officer wants to see before you roll out software — as a tickable list.

Before a transport operation rolls out new software that processes health data, the data protection officer — internal or external — wants to see certain things. This list helps you walk into that conversation well prepared. It doesn't replace individual legal advice, but it covers the points most audits start with.

1. Data processing agreement (DPA)

As soon as an external provider processes data on your behalf, you need a contract under Article 28 GDPR.

  • Is there a signed DPA?
  • Are the subject, duration and purpose of the processing described in it?
  • Is it stipulated that the provider engages no sub-processors without your consent?

Reputable providers supply the DPA on their own. Having to ask for it repeatedly is a warning sign.

2. Technical and organizational measures (TOMs)

The TOMs describe how the provider technically protects the data. Check for:

  • Encryption in transit (TLS) and at rest (database)
  • Access control: role-based, on a need-to-know basis
  • Logging of all access
  • Backup and recovery concept
  • Server location — for health data ideally Germany or at least the EU

3. Legal basis for processing

Every processing operation needs a named legal basis. For transport operators, typically:

  • Article 9(2)(h) (health care) for carrying out the ride
  • Article 6(1)(b) (contract performance) for billing
  • explicit consent where processing goes beyond that

4. Deletion policy

Data may not be stored forever. The deletion policy defines:

  • Which data category is kept for how long? (Note: tax and commercial retention periods of up to ten years may apply.)
  • When and how is it deleted?
  • How is the deletion documented?

5. Data subject rights

Patients have rights you must be able to fulfill:

  • Access (Art. 15): which data do you store about the person?
  • Rectification (Art. 16) and erasure (Art. 17)
  • Data portability (Art. 20)

Check: can your system provide this information in a reasonable time? An access request that means three days of manual work is an operational risk.

6. Record of processing activities

Under Article 30 GDPR you must keep a record documenting all processing activities. Rolling out new software is a good occasion to update this record.

7. Breach notification paths

If a data breach occurs, you generally have 72 hours to report it to the supervisory authority. Clarify in advance:

  • Who is informed when something happens?
  • Does the provider support you in the investigation?

The pragmatic conclusion

This list looks long but is worked through faster than many fear — provided the software vendor brings the fundamentals out of the box. A provider that supplies a DPA, TOMs documentation, German hosting and a clean deletion policy without being asked handles half your checklist for you. MITA Base is designed for exactly this: hosting in Frankfurt, DPA included, GDPR Art. 9 as the default.

Take this list into your next conversation with your data protection officer. If you have a provable answer to every point, you're better positioned than most operations in your industry.

Enough reading. See it run.

A 30-minute demo with your real workflows — no sales pressure, promised.

🇩🇪 Hosting Frankfurt · DSGVO Art. 9 · AV-Vertrag inkl.