Does anDREa have access to the data in a Workspace?
Created: 2021-10-24
Last update: 2023-01-23
myDRE is designed and regularly evaluated on the objective that and only that authorized people and services can have access to the data in a Workspace.
"that and only that" implies that both authorized people and services can have access, and also that authorized people and services must be able to have access or gain it when they have not.
Both, 'can have access' and 'must be able to have access or gain it' are important for the Controller to be able to be compliant to
GDPR Art 32.
In the event there is a (suspected) incident with or access to the data of a Workspace, it is the obligation of the Controller to be able to take timely any action required to limit further damage and gain control over the situation.
anDREa can, on instruction, assist the Controller to gain access (again) to their Workspaces and the data in those Workspace(s).
b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
** a) and d) are not (necessarily) applicable for this question
In the event there is a (suspected) incident with or access to the data of a Workspace, it is the obligation of the Controller to be able to take timely any action required to limit further damage and gain control over the situation. The process to be followed here is:
A.16.1.5 Reponse to information security incidents.
The combination of the technical and organizational measures implemented below ensure:
- That regardless the incident, the Controller can gain timely access to any of their Workspaces to undertake appropriate measures given the incident, and
- The level of security is appropriate to the risk that follows from anDREa being able to assist the Controller to gain timely access to any of their Workspaces
Technical measures
- A.9 Access control
- Azure AD Privileged Identity Management
Organizational measures
- Clear instructions
- A.16.1.5 Reponse to information security incidents.
- Data Handling Policy
- Training & signed compliance
- (Core) Support Team Agreement
Related Articles
License Server Access from anDREa
Introduction This section details the network design that enables outbound access to license servers from VMs running in the anDREa research environment. We will assist in setting up License Server Access, but will not provide or mediate in ...
anDREa FAQ
First version: 2021-12-09 Last updated: 2024-03-10 Last change: Added Overview Agreements and User Training links Introduction This FAQ is a comprised out of links to other articles related to a particular topic. Contact details Contact information ...
Data Handling policy
First version: 2021-05-13 Last updated: 2023-10-19 Last change: Removed a double negative sentence based on the feedback in our Support Team Agreement. Introduction anDREa B.V. (hereafter called anDREa) is committed to protect the data and privacy of ...
Data Protection policy
First version: 2021-05-13 Last updated: 2023-10-25 Last change(s): Added links to GDPR compliance assessment, Data Handling policy, GDPR Article 5; Modified contact information; Substituted Azure DRE for myDRE; Formatting. Approval: 2023-10-26 ...
Data - ownership, responsibility, and control
Ownership of data can be a tricky question when it comes down to personal data or data of persons. For instance, it is not unlikely that it depends on what subsection of Article 6 was used. By design, myDRE is a pragmatic and solid answer to a, ...