I work as a freelance within Human Resources for a pharmaceutical SME company in ***, which belongs to an international group. We have strong co-determination rights regarding the works council.
Members of the international headquarters want to know in which chapter of the GDPR it is written down, that a company, i.e. in ***, who has servers on its premises with various software programmes that process personnel data, must have a IT Security Structure: i.e. who has access to the servers' room, which security measures have been taken in case of fire or other emergency incidents, etc.
Thanks a lot for a link or some further information