The data in a data store are, in principle, only available to that controller and under the same responsibility. If you pass data on to another organization for other use, you must clearly inform about it and state e.g. the recipient of the transfer and the legal basis.
Limiting the retention time is one of the principles of the processing of personal data. If the retention period of the data is not provided by law, when determining the retention periods, the following must be taken into account, for example:
Describe your own process for evaluating retention periods.
The organization implements role-based access control with predefined access roles for the various protected assets that entitle access to the associated asset. Strictness of the access roles should reflect the security risks associated with the asset.
The following should be considered to support access management: