myDRE does not provide evidence of | However, this usually can be found in/obtained from |
Full list of studies | Study Registry |
The purpose of the processing | Ethical Commission approval, Data Management Plan, Study Registry |
What kind of data is processed | Data Management Plan |
Location of the third parties | Processing agreement |
When you plan to erase the data | Data Management Plan |
myDRE does provide evidence of | This can be found in |
Who has/had access (incl. third parties) | Access to a Workspace is restricted to members, logging of the history is available |
What is done to protect the data | - Only authorized users/processes have access to a Workspace - Users are required username, password and MFA (incl number matching) - Data is encrypted in-transit - Data is encrypted at-rest - Data is only stored and processed in the by the Tenant decided Microsoft Azure Region |
Erasing data | When a Workspace is deleted, all the data is deleted. Erasure of data on the Data Share comes really in effect when the 30-day rolling snapshot passes after deletion, and any backups prior to the erasure of data are deleted. |
| myDRE does not provide evidence of | However, this usually can be found in/obtained from |
| Any legal justification, nor the lawfulness for processing of data in a Workspace | Ethical Commission Approval, Informed Consent of participants |
| myDRE does provide evidence of | This can be found in/obtained from |
| Legal justification and the lawfulness for processing myDRE user information | The logging of the consent people give before their account has been created. |
| myDRE does not provide evidence of | However, this usually can be found in/obtained from |
| Clear information about data processing in a Workspace | Data Management Plan, Informed Consent |
Legal justification in privacy policy that applies to the data in a Workspace | Informed Consent, or the approved argumentation for using an other basis of processing (Article 6) |
Clear information about data processing of subject data in a Workspace | Data Management Plan, Informed Consent, Study Proposal, Study Management System |
| myDRE does provide evidence of | This can be found in/obtained from |
| Clear information about data processing of User Account data | Cookie Policies |
Legal justification in privacy policy for User Account data |
| myDRE does not provide evidence of | However, this usually can be found in/obtained from |
| Implemented appropriate technical and organizational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects | Data Management Plan, Study Management System |
| myDRE does provide evidence of | This can be found in |
| Who was allowed to access the data in what role, who accessed the Workspace, who requested egress, who approved egress, who egressed when what, who approved opening specific outbound ip-address/domain access. | In logging (retained for 90 days) and in audit records |
Actions | Description | GDPR Article(s) | Implementation in myDRE | Not anDREa's responsibility |
Record keeping | Maintain records of the controller and Data Protection Officer (if applicable). Maintain categories of data, logs of transfers. Wherever possible add descriptions of possible measures taken to ensure security. | myDRE maintains records of: - Workspace membership - Data transfer using Portal | - Maintaining records of the controller and Data Protection Officer is the responsibility of the Tenant - Maintaining categories of data (e.g. in Data Management Plan, research management tool) is the responsibility of the PI | |
Data Protection Officer (DPO) | Establish whether the company is required to have a DPO. If the company is not required to have a DPO, you may appoint a voluntary DPO. DPO contact details must be notified to the regulatory authority and published to the public. | N/a. anDREa is not required to have a DPO. The role CTO takes care of the responsibilities of the DPO | A DPO (FG, Functionaris Gegevensbescherming) is the responsibility of the Tenant | |
Employee Training | Employees who handle personal data of either customers or other employees must be trained to handle it according to GDPR principles. | The role Accountable in a Workspace is responsible to ensure that all the members are trained in GDPR principles | ||
Policies and Procedures | There is a list that covers different policies and procedures. There is no fixed way to handle this but it should be done according to what is applicable for your business. Some of the items on the list are: - General Data Protection Policy - Data Subject Access Rights Procedure - Data Retention Policy - Data Breach Escalation and Checklist - Employee Privacy Policy and Notice - Processing customer data policy - Guidance on privacy notices | - Employee Privacy Policy and Notice | Tenant/Accountable is responsible for data subjects in a Workspace |
| Actions | Description | GDPR Article(s) | Implementation in myDRE | Tenant Responsibility |
| Issue notices at the right time | Notices must be given at the time that the data is obtained from the data subject, or if the data was received from a third party, within a reasonable period after obtaining the data but at the latest within one-month | Articles 12-14 | anDREa does not receive user data from third parties. People will only be onboarded as users if they explicitly agree. | Tenant/Accountable is responsible to give notice to data subjects whose data is being processed in a Workspace. |
Be complete and concise | Notices must be complete and provide all the required information, like the identity of the controller, purpose of processing, duration, consent, right to withdraw consent, etc. | The information for potential users of the myDRE is complete and concise. | Tenant/Accountable is responsible for data subjects in a Workspace. | |
Easy to understand and comprehend | The format of the notice should be easy to read, handle and understand | The information for potential users of the myDRE is easy to understand and comprehend. | Tenant/Accountable is responsible for data subjects in a Workspace. |
| Actions | Description | GDPR Article(s) | Implementation in myDRE | Tenant Responsibility |
| Establish a legal basis for processing all the personal data that you hold | As a business, you need to be able to provide evidence that you have a legal basis to own and process personal data that you hold. Consent from the data subject, the legal obligation of the controller, and special care where data is that of a child is necessary. | Articles 5, 6, 7, 9, 10, 85 to 91 | For myDRE users this is part of the onboarding procedure. | Ensure informed consent of each participant, or have an approval to work without informed consent |
Profiling | A few questions to answer here: - Does your company carry out profiling on employees or customers? -If so, does this profiling result in making a decision about the individual which would have a significant legal effect or similar on that individual e.g. refusal of credit or refusal for an interview? - If the answer to (b) is yes, does your Company have the consent of the individuals to this profiling? | anDREa does not profile employees or users. | Conduct a DPIA per Study | |
Children | If your business processes personal data of children, then consider the language used for privacy notices and plan out how to obtain valid consent from parents/guardians. | anDREa users are 16+ | Ensure compliance with these articles |
| Actions | Description | GDPR Article(s) | Implementation in myDRE | Tenant Responsibility |
| Data subject access right | As a company, are your employees or customers allowed to get access to their personal data processed by your company? Do you have employees that have been trained to respond to such requests within the stimulated timeframe of 1 month? | Article 15 | When requested, anDREa can and will provide access to their personal data processed by anDREa and as a general rule of thumb this will be done within 1 month after a written request. | Tenant/Accountable is responsible for any requests regarding subjects whose data resides in a Workspace. |
Processed to allow subjects to exercise their rights | This basically understands if as a company you have the technology and processes in place to allow data subjects to exercise their rights like the right to erasure, data portability, restriction of processing, and right to object. | When requested anDREa can and will remove user account information. User interaction in logging will be retained for compliance requirements. | Tenant/Accountable is responsible for any requests regarding subjects whose data resides in a Workspace. |
| Actions | Description | GDPR Article(s) | Implementation in myDRE | Tenant Responsibility |
| Privacy by design | The controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures in an effective manner. The controller is responsible to integrate the necessary safeguards into the processing in order to meet the requirements of this regulation and protect the rights of data subjects | Article 25 | All data is and only is role based accessed and requires username, password and 2FA. | For all data in a Workspace the Tenant or Accountable is the controller. |
Privacy by default | The controller shall implement appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons. | The minimum amount of myDRE user data is processed: name, email, phone number, membership of what Workspaces in what role, activities such as but not limited to ingress, access, egress, add/remove members, add/remove resources, start/stop resourcesData Handling Policy | For all data in a Workspace the Tenant or Accountable is the controller. |
| Actions | Description | GDPR Article(s) | Implementation in myDRE | Tenant Responsibility |
| Group companies or third-party vendors | If you use group companies or third-party vendors to process data, there must be a written contract with each one of them validating that they meet the expectations set out in Article 28. | Article 28 | anDREa uses three third party vendors:
| If a Workspace uses resources outside the EEA (by default it is within EEA), the necessary written contracts have to be in place. |
Transferring data out of EEA | If you are exporting data outside of EEA, you need to follow an approved transfer mechanism, which includes one of the following: A) a country which has a finding of adequacy from the European Commission B) If it is within The Company group, are binding corporate rules in place? C) Standard contractual clauses as approved by the European Commission D) If the transfer is to the US, on the basis of the Privacy Shield. E) With the consent of the data subject. F) The transfer is necessary to carry out a contract with the data subject G) The transfer is in the public interest H) The transfer is necessary to establish, exercise or defend legal rights I) The transfer is necessary to protect the vital interests of a person where the data subject is physically or legally incapable of giving consent. | anDREa, if at all, will only transfer data to another site on explicit instruction of a Tenant or Accountable person. It is not possible to transfer data from one Microsoft Azure Region to another. | Tenant or Accountable is responsible for complying to Articles 44-49 if applicable. Usually this is part of Data Transfer Agreements made with receiving parties |
| Actions | Description | GDPR Article(s) | Implementation in myDRE | Tenant Responsibility |
| Appropriate security measures for personal data | Security has to be appropriate to the likely risks to individuals if data was lost, stolen or disclosed to unauthorized people. It is important to note here that the security covers both organizational as well as technical measures. Some factors to consider are: - Pseudonymisation - Encryption - Ensuring ongoing integrity, confidentiality, availability and resiliency - The ability to restore in a timely manner - Processes for testing security | Article 32 | - Data is encrypted at rest - Data is encrypted in transit - 30-day rolling snapshots are made of the data that can be self-serviced restored - myDRE / Shared Tenant code lifecycle follow a strict procedure myDRE is classified for Integrity (of data) as MEDIUM, found suitable for most studies- myDRE is classified for Availability MEDIUM, found suitable for most studies | - Pseudonymisation, encryption is the responsibility of the PI/Tenant - Workspace members are responsible for checking the data ingress, processing, and egress fitting the classification for Integrity (of data) as MEDIUM, found suitable for most studies - Workspace itself |
| Actions | Description | GDPR Article(s) | Implementation in myDRE | Tenant Responsibility |
| Mandatory notification | Do you have the necessary procedures in place to report a breach within 72 hours of becoming aware of it? The breach has to be investigated and details provided to the regulator and mitigations have to be taken to address it. | Article 33 | Data Breach Procedure This expanded with notification to myDRE Tenant(s) in case anDREa is aware of a (potential) data breach of one or more of their Workspaces | Tenant remains Controller of data residing in Workspaces Data Breaches affecting the Tenant will be notified to the Tenant appointed person(s) |
| Notification to affected individuals | If the breach is likely to result in a high risk to the rights and freedoms of individuals, the company will need to notify the individuals affected. Only if the data is encrypted or otherwise unintelligible, then individuals will not need to be notified. | Part of the Data Breach Procedure This expanded with notification to Azure DRE Tenant(s) in case anDREa is aware of a (potential) data breach of one or more of their Workspaces | - Tenant remains Controller of data residing in Workspaces - Data Breaches affecting the Tenant will be notified to the Tenant appointed person(s) |