Data Handling policy

Data Handling policy

First version: 2021-05-13
Last updated: 2023-10-19
Last change: Removed a double negative sentence based on the feedback in our Support Team Agreement.

Introduction

anDREa B.V. (hereafter called anDREa) is committed to protect the data and privacy of all stakeholders. For the use of myDRE, anDREa has performed a GDPR Compliance Assessment. This displays what evidence myDRE can provide and what the user should provide to be GDPR-compliant.

The purpose of this document is to describe anDREa‚Äôs Data Handling Policy. The rules for acceptable use must take into consideration employees, temporary staff, contractors and other third parties where applicable across the information assets they have access to. 

This document will be updated at least annually and when significant change happens to the relevant areas covered.

Data Handling Policy

  1. This applies to all kinds of data (see terms and definitions).
  2. anDREa is a processor not the data controller.
  3. Data in a Workspace, be it privacy sensitive or not, is not to be touched nor accessed unless on an explicit instruction of a Workspace Accountable, Privileged Member, or a Tenant mandated person.
    1. All related work needs to be documented in a Ticket
    2. Work can only be done with an explicit instruction by email or form that can be traced back to the requestor
  4. myDRE Users can get access to their data by a written request directly to the CEO or CTO of anDREa
  5. Unless with explicit permission of the CEO or CTO of anDREa, no user data is to be accessed or shared other than under the above conditions taking into account:
    1. A Tenant mandated person can only get:
      1. Data related to its own employees (which Workspaces he/she has or had access to)
      2. Data to Workspaces residing in the Tenant Subscription(s)
    2. A Workspace Accountable/Privileged member can only get:
      1. Data related to their own Workspace(s)
    3. When in doubt the CEO or CTO of anDREa must be contacted

    • Related Articles

    • Data Protection policy

      First version: 2021-05-13 Last updated: 2023-10-25 Last change(s): Added links to GDPR compliance assessment, Data Handling policy, GDPR Article 5; Modified contact information; Substituted Azure DRE for myDRE; Formatting. Approval: 2023-10-26 ...
    • Privacy Policy

      Introduction anDREa is committed to be GDPR Compliant and protect the data and privacy of all stakeholders. The purpose of this document is to describe anDREa’s Data Handling Policy. The rules for acceptable use must take into consideration ...
    • Data Protection Impact Assessment (DPIA)

      First version: 2021-05-13 Last updated: 2024-03-07 Last change: Added link to NEN-7510 article. Introduction anDREa is committed to the GDPR. The purpose of this document is to describe anDREa’s Data Protection Impact Assessment (DPIA). The template ...
    • Does anDREa have access to the data in a Workspace?

      Created: 2021-10-24 Last update: 2023-01-23 myDRE is designed and regularly evaluated on the objective that and only that authorized people and services can have access to the data in a Workspace. "that and only that" implies that both authorized ...
    • AI/LLM Use Policy

      Version: 1.0 Valid until: 2025-03-26 Classification: Low Version Management Version Author(s) Change(s) Date approved 1.0 Stefan van Aalst Edward Robinson Initiation document 2024-03-26 Purpose & Background anDREa B.V. (hereafter called anDREa) ...