Toll Collect GmbH has developed a comprehensive and integrated data protection and security policy for the toll system. The technical measures conform to the current state of security technology and are continuously refined.
A need-for-protection analysis, which took the risks to availability, integrity, and confidentiality into account, was conducted for all components in accordance with the Basic IT Protection Handbook published by the Federal Office for the Security of Information Technology (BSI). The data to be processed must be classified according to its sensitivity, and the technical and organisational precautions required by the classification scheme must be taken.
Based on this security concept, security measures are taken for personal data to prevent such data from being used for unauthorised purposes or from becoming known to unauthorised persons.
Personal data will only be communicated in these notifications and to the extent required for fulfilment of toll system functions that are either legally required or are specified in the contract agreed with the toll customer. The security concept takes into account that the communications (SMS or GPRS) are transmitted over public networks. To protect against unauthorised access by third parties, the messages sent from the OBU to Toll Collect headquarters are encrypted using our own encryption process. In addition, the communications partner is authenticated. A closed (end-to-end) security chain is always formed with cryptographic functions to prevent the manipulation of data and any "listening in" on information.
It is not possible to access and read information in an OBU. Modified SIM cards designed solely for data communication are used. Speech communication is not possible. Only authorised service stations have the capability to work on terminals. Reading out data from an OBU requires an access code, which may not be given to third parties. If an attempt is made to manipulate an On-Board Unit or if it is stolen and re-installed, the control technology automatically recognises this.
A data protection and security organisation with data protection and security coordinators in certain operating areas has been established. Need-for-protection analyses and measures are documented in a database and made available to the competent employees in the data protection and security organisation.
The truck toll system is operated under high security standards with a security organisation that can react quickly to security incidents. The Data Protection and Data Security Divisions work together closely here.