- Who is responsible for the personal data in the datasets?
- Is logging in place such that, in the event of a (suspected) data breach or other type of security incident, analyses can be made, such as who accessed, modified or deleted which data, which data was affected, et cetera?
- How are the log files protected and are they in a different location from the systems themselves?
- Can an institute, as part of an audit or following an incident, access the relevant part of the log file?
- Can complete deletion of a dataset be done only at the request of the institute or depositor?
- Do employees of DANS and/or subprocessors have access to the data?
- Is there layering and/or compartmentalization of management accounts? How is this regulated?
- Do developers have access to the production environment? Do developers have access to production data?
- How does user authentication take place?
- Are there log files that track mutations to datasets?