Zum Hauptinhalt springen
ProData Protection & Compliance

TOMs Generator

Technical and organisational measures - TOMs for short - are mandatory under Art. 32 GDPR, and their documentation is one of the first things asked for in any data protection audit. The TOMs Generator guides you through the classic areas of protection, assesses your status with a gap analysis and produces a clean document. A tool that supports you in creating it, not legal advice.

A live look inside

Live preview. It becomes interactive with your account.

What TOMs Generator does

Art. 32 GDPR requires you to protect personal data through appropriate technical and organisational measures - matched to the risk. What is appropriate the law does not spell out in detail, and that is exactly what overwhelms many. The TOMs Generator breaks the abstract obligation down into concrete, checkable measures along the established areas of protection, turning a paragraph into a list you can actually work through.

The tool assigns the measures to the classic areas of control familiar from data protection practice: physical access control, system access control, data access control, transfer control, input control, order control, availability control and separation control. For each area you find concrete measures - from the lockable server room through password policies and encryption to the backup concept.

Each measure can be assigned a protection level: basic, standard or enhanced. That way you can match your approach to the actual risk of your processing instead of documenting all or nothing wholesale. Ready-made presets for typical company sizes take the first selection off your hands.

The real value is the evaluation. As you check off measures, the tool calculates an implementation level for each area of control and for the overall picture and ranks it from critical to excellent. A gap analysis shows you which important measures are still missing and where the biggest weaknesses lie - your roadmap to improve in a targeted way instead of poking around in the dark.

For your company you record the master data - name, author, date, version - and at the end produce a clear PDF that you can file as evidence, attach to your record of processing activities or present to the supervisory authority. Your entries are saved locally as a draft, so you can pause the work and continue later.

The Generator structures and evaluates your measures and helps you spot gaps. But it makes no legally binding statement about whether your measures are appropriate in the sense of Art. 32 in your specific case - that depends on the concrete risk and the state of the art. Use the tool for structure, documentation and gap analysis, and if in doubt have the appropriateness judged by a data protection professional.

Features

All classic control areas

From physical access through data access and transfer to separation control - the familiar areas in full.

Concrete measures to check off

Server room, password policy, encryption, backup - an abstract duty becomes a workable list.

Three protection levels

Basic, standard or enhanced - match the measures to the actual risk of your processing.

Gap analysis

The tool shows which important measures are missing and where the biggest weaknesses lie.

Implementation level per area

For each control area and the overall picture a score from critical to excellent is calculated.

Ready-made presets

Presets for typical company sizes take the first selection of measures off your hands.

PDF export and draft

Produce a clear TOMs document as PDF. Your entries are saved locally as a draft.

How it works

  1. 1

    Choose a preset

    Start with a preset for your company size or go straight into the control areas.

  2. 2

    Check off measures

    Mark the implemented measures for each area. The implementation level updates immediately.

  3. 3

    Spot the gaps

    Look at the gap analysis to see which important measures are still missing.

  4. 4

    Generate the PDF

    Enter your company data and export the TOMs document as PDF for your data protection records.

Who needs this

→Companies that need to document their TOMs for the first time.
→Data protection officers who want to assess the implementation status and find gaps.
→Processors who provide their clients with a TOMs document as an annex.
→Founders documenting an appropriate protection level from the start.
→Anyone preparing for a data protection audit under Art. 32.

Frequently asked questions

What are TOMs?

TOMs are the technical and organisational measures with which you protect personal data under Art. 32 GDPR. Technical means for example encryption or access protection, organisational means such as policies, training and responsibilities.

Does the Generator make my TOMs legally watertight?

No. The Generator structures and evaluates your measures and uncovers gaps. Whether your measures are appropriate in the sense of Art. 32 in your specific case depends on the concrete risk and the state of the art and can only be judged professionally. The tool supports you but does not replace advice.

Which control areas does the tool cover?

The classic eight: physical access, system access, data access, transfer, input, order, availability and separation control. Each area has concrete measures to check off.

Why do I need a TOMs document?

The GDPR requires you to be able to demonstrate your protective measures. A TOMs document is that evidence. It also belongs as an annex to data processing agreements and is regularly requested in data protection audits.

Are my entries stored?

Your entries are saved locally in your browser as a draft so you can continue the work. You generate the finished PDF yourself and stay in control of it.

GDPR Art. 30 Helper

Create your GDPR Article 30 records of processing activities. All required fields, ready to p…

DPIA Quick Check

Check if a DPIA per Art. 35 GDPR is required. 12 questions, clear result.

DPA Generator

Generate a GDPR-compliant Data Processing Agreement (DPA) per Art. 28 GDPR. With 8 TOM catego…

Processing Purpose Library

30+ common processing purposes with legal basis, retention periods, data categories, and exam…

Deletion Concept Generator

Create a structured data deletion concept. Categories, retention periods, methods.

Privacy Policy Generator

Generate a GDPR-compliant privacy policy with 10+ presets, 20+ third-party services, cookie c…

Ready to use TOMs Generator?

No installation. No account needed to start. Open it right in your browser.

Open now