Data - ownership, responsibility, and control

Data - ownership, responsibility, and control

Ownership of data can be a tricky question when it comes down to personal data or data of persons. For instance, it is not unlikely that it depends on what subsection of Article 6 was used.

By design, myDRE is a pragmatic and solid answer to a, certainly in a research setting, difficult question around ownership of data:
  1. anDREa BV has no knowledge of what data is used in a Workspace
  2. anDREa BV has no knowledge of who owns the data that resides in a Workspace
  3. anDREa BV has no role in the agreements underlying the storage and processing of the data in a Workspace
  4. anDREa BV does not actively process data residing in a Workspace
  5. The Tenant controls: the purpose, the means, and who has access in what role to the data
  6. The Tenant to which the Workspace belongs is responsible for the data in that Workspace:
    1. All the data is and only is stored and processed in a Microsoft Azure subscription that is owned by the Tenant
    2. At any given time the Tenant can get their Microsoft Azure subscriptions under their control by either:
      1. requesting anDREa BV to do so
      2. instruct the Tenant's Microsoft Azure provider to do so
    3. All Microsoft Azure consumption that follows the storage and processing of that data is and only is billed directly
    4. The subscription holding the Workspaces is almost 100% controlled by anDREa BV:
      1. Almost because the Tenant's Microsoft Azure provider can gain access at any given time to the Tenant's Microsoft Azure subscriptions
      2. After the Tenant created a Microsoft Azure subscription within their own contract and handed this over to anDREa BV by means of associating this Microsoft Azure subscription with the anDREa AAD rather than their own AAD (< 1 hour process, mostly waiting)
      3. To enable the Tenant to use myDRE to create, use, and manage Workspaces
      4. Until the Tenant wants to have full control of all the resources in which anDREa BV will associate the Microsoft Azure subscription(s) to that of the Tenant AAD (<1 hour process, mostly waiting)
        1. No data will be moved during this process for the data resides within a Microsoft Azure subscription already owned by the Tenant
        2. After handing over the control, the myDRE services will cease to work
      5. See also: Offboarding and Exit Strategy

    • Related Articles

    • anDREa FAQ

      First version: 2021-12-09 Last updated: 2025-02-13 Last change: links to new ISMS and underlying documents Introduction This FAQ is a comprised out of links to other articles related to a particular topic. Contact details Contact information General ...

    • Data Landing Zone (DLZ)

      version: 2022-06-09 update: 2024-04-04 Introduction The Data Landing Zone (DLZ) API is a public API that allows to safely push data to specific myDRE Workspace. Data transfer authentication and authorisation is managed by two API keys: Subscription ...

    • 20230606 - External control audit management summary

      anDREa B.V. is continuously evaluating and improving its Information Security Management System (ISMS). As such anDREa is ISO 27001:2017 certified as of September 1st 2022. Each year, an external control audit is conducted on selected topics, with ...

    • myDRE Workspaces DO NOT use Microsoft Teams, OneDrive, or Sharepoint to store or process your data

      On February 15th 2022, the Dutch Privacy Body (Authoriteit Persoonsgegevens) issued a statement that often the Cloud Services do not comply with the privacy laws and regulations. (source). The statement of the Dutch Privacy Body is based on a report ...

    • Data Breach Procedure

      Replaced by: anDREa ISMS Section: Supportive Documents Section: ISMS Chat for easy answers (beta)