Data - ownership, responsibility, and control

Data - ownership, responsibility, and control

Ownership of data can be a tricky question when it comes down to personal data or data of persons. For instance, it is not unlikely that it depends on what subsection of Article 6 was used.

By design, myDRE is a pragmatic and solid answer to a, certainly in a research setting, difficult question around ownership of data:
  1. anDREa BV has no knowledge of what data is used in a Workspace
  2. anDREa BV has no knowledge of who owns the data that resides in a Workspace
  3. anDREa BV has no role in the agreements underlying the storage and processing of the data in a Workspace
  4. anDREa BV does not actively process data residing in a Workspace
  5. The Tenant controls: the purpose, the means, and who has access in what role to the data
  6. The Tenant to which the Workspace belongs is responsible for the data in that Workspace:
    1. All the data is and only is stored and processed in a Microsoft Azure subscription that is owned by the Tenant
    2. At any given time the Tenant can get their Microsoft Azure subscriptions under their control by either:
      1. requesting anDREa BV to do so
      2. instruct the Tenant's Microsoft Azure provider to do so
    3. All Microsoft Azure consumption that follows the storage and processing of that data is and only is billed directly
    4. The subscription holding the Workspaces is almost 100% controlled by anDREa BV:
      1. Almost because the Tenant's Microsoft Azure provider can gain access at any given time to the Tenant's Microsoft Azure subscriptions
      2. After the Tenant created a Microsoft Azure subscription within their own contract and handed this over to anDREa BV by means of associating this Microsoft Azure subscription with the anDREa AAD rather than their own AAD (< 1 hour process, mostly waiting)
      3. To enable the Tenant to use myDRE to create, use, and manage Workspaces
      4. Until the Tenant wants to have full control of all the resources in which anDREa BV will associate the Microsoft Azure subscription(s) to that of the Tenant AAD (<1 hour process, mostly waiting)
        1. No data will be moved during this process for the data resides within a Microsoft Azure subscription already owned by the Tenant
        2. After handing over the control, the myDRE services will cease to work
      5. See also: Offboarding and Exit Strategy

    • Related Articles

    • A.9 Access control

      Version: 3.0 Valid until: 2025-04-10 Classification: Low Version Management Version Author(s) Change(s) Date approved 1.0 Stefan van Aalst Edward Robinson Initiation document 2022-05-23 1.1 Edward Robinson Additions to align more with anDREa’s ...

    • Data Protection policy

      First version: 2021-05-13 Last updated: 2023-10-25 Last change(s): Added links to GDPR compliance assessment, Data Handling policy, GDPR Article 5; Modified contact information; Substituted Azure DRE for myDRE; Formatting. Approval: 2023-10-26 ...

    • Data Breach Procedure

      First version: 2021-04-15 Last updated: 2023-10-19 Last change: Link to Data Protection policy Introduction Every care is taken by anDREa to protect personal data from situations where a data protection breach could compromise security. This policy ...

    • Data Handling policy

      First version: 2021-05-13 Last updated: 2023-10-19 Last change: Removed a double negative sentence based on the feedback in our Support Team Agreement. Introduction anDREa B.V. (hereafter called anDREa) is committed to protect the data and privacy of ...

    • Data Protection Impact Assessment (DPIA)

      First version: 2021-05-13 Last updated: 2024-03-07 Last change: Added link to NEN-7510 article. Introduction anDREa is committed to the GDPR. The purpose of this document is to describe anDREa’s Data Protection Impact Assessment (DPIA). The template ...