General conditions of storage
The provider of services must ensure a proper physical protection of its hardware and the supervision of the physical access to its information system for storing. The provider's information and communication infrastructure connected to other information and communication networks must be protected with reliable protection mechanisms that prevent unauthorised accesses through this network and limit the access only via protocols necessary for the storage of data, whereas all other protocols must be disabled.
The provider's information system for storage must include only hardware and software required for the storage and must integrate adequate protection mechanisms that prevent the employees to misuse it and enable a clear separation of the tasks into different areas.
The data of the provider that affect the reliability and security of the provider's operation must not leave the system in an uncontrolled way that could endanger the operation.
The provider of services must carry out regular security checks of its infrastructure every working day.
At least two employees of the provider must at the same time manage the sensitive elements of the provider's information system for storage.
In addition, the provider must also ensure safe storage of at least two copies of the data at two geographically distant locations from the main location to prevent the loss of data or to prevent the use of unauthorised persons.
Persons permanently employed with the provider must not, apart from their own work, carry out the same or similar works with other persons as they carry out at their posts, if these persons are not persons who are capital-wise related to the provider or this performance of works is not explicitly contractually agreed upon between the provider and the other person, or conduct works which are incompatible with their tasks and responsibilities with the provider.
A person who is permanently employed with the provider may nevertheless conduct an independent scientific or pedagogic works, works in cultural, art, sport, humanitarian or other similar societies and organisations and works in the field of publication.
The provider must prepare a special record on all initiated authorisations and all proceedings used for establishing its information system for storage.
The provider must keep one or several separate records in a written form, where all the data prescribed by this regulation as well as other data on the proceedings and interferences in the infrastructure that affect the reliability of the operation of the provider must be entered.