First version: 2021-05-13
Last updated: 2023-10-19
Last change: Removed a double negative sentence based on the feedback in our Support Team Agreement.
Introduction
anDREa B.V. (hereafter called anDREa) is committed to protect the data and privacy of all stakeholders. For the use of myDRE, anDREa has performed a GDPR Compliance Assessment. This displays what evidence myDRE can provide and what the user should provide to be GDPR-compliant.
The purpose of this document is to describe anDREa’s Data Handling Policy. The rules for acceptable use must take into consideration employees, temporary staff, contractors and other third parties where applicable across the information assets they have access to.
This document will be updated at least annually and when significant change happens to the relevant areas covered.
Data Handling Policy
- This applies to all kinds of data (see terms and definitions).
- anDREa is a processor not the data controller.
- Data in a Workspace, be it privacy sensitive or not, is not to be touched nor accessed unless on an explicit instruction of a Workspace Accountable, Privileged Member, or a Tenant mandated person.
- All related work needs to be documented in a Ticket
- Work can only be done with an explicit instruction by email or form that can be traced back to the requestor
- myDRE Users can get access to their data by a written request directly to the CEO or CTO of anDREa
- Unless with explicit permission of the CEO or CTO of anDREa, no user data is to be accessed or shared other than under the above conditions taking into account:
- A Tenant mandated person can only get:
- Data related to its own employees (which Workspaces he/she has or had access to)
- Data to Workspaces residing in the Tenant Subscription(s)
- A Workspace Accountable/Privileged member can only get:
- Data related to their own Workspace(s)
- When in doubt the CEO or CTO of anDREa must be contacted