back to top
Data Subject Request Procedure
INTRODUCTION
DATA SUBJECT REQUEST PROCEDURE
GENERAL POINTS
PROCEDURE STEPS
THE RIGHT TO WITHDRAW CONSENT
THE RIGHT TO BE INFORMED
THE RIGHT OF ACCESS
THE RIGHT TO RECTIFICATION
THE RIGHT TO ERASURE
THE RIGHT TO RESTRICT PROCESSING
THE RIGHT TO DATA PORTABILITY
THE RIGHT TO OBJECT
RIGHTS IN RELATION TO AUTOMATED DECISION MAKING AND PROFILING
INTRODUCTION
This procedure is intended to be used when a data subject exercises one or more of the rights they are granted under the European Union General Data Protection Regulation (GDPR).
Each of the rights involved has its own specific aspects and challenges to PartnerHero Inc. in complying with them and doing so within the required timescales. In general, a proactive approach will be taken that places as much control over personal data in the hands of the data subject as possible, with a minimum amount of intervention or involvement required on the part of PartnerHero Inc. This may be achieved by providing online access to the personal data so that the data subject can verify and amend it as required.
However, in some cases there is a decision-making process to be followed by PartnerHero Inc. regarding whether a request will be allowed or not; where this is the case, the steps involved in these decisions are explained in this document.
This procedure should be considered in conjunction with the following related documents:
Each of the rights involved has its own specific aspects and challenges to PartnerHero Inc. in complying with them and doing so within the required timescales. In general, a proactive approach will be taken that places as much control over personal data in the hands of the data subject as possible, with a minimum amount of intervention or involvement required on the part of PartnerHero Inc. This may be achieved by providing online access to the personal data so that the data subject can verify and amend it as required.
However, in some cases there is a decision-making process to be followed by PartnerHero Inc. regarding whether a request will be allowed or not; where this is the case, the steps involved in these decisions are explained in this document.
This procedure should be considered in conjunction with the following related documents:
• Data Protection Impact Assessment Process
• Personal Data Breach Notification Procedure
• Privacy and Personal Data Protection Policy
• GDPR mapping
• Personal Data Breach Notification Procedure
• Privacy and Personal Data Protection Policy
• GDPR mapping
1 identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
DATA SUBJECT REQUEST PROCEDURE
GENERAL POINTS
The following general points apply to all of the requests described in this document and are based on Article 12 of the GDPR:
1. Information shall be provided to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
2. Information may be provided in writing, electronically or by other means.
3. The data subject may request the information orally (e.g., over the telephone or face-to- face), as long as the identity of the data subject has been established.
4. We must act on a request from a data subject, unless we are unable to establish their identity.
5. We must provide information without undue delay and within a maximum of one month from the receipt of the request.
6. The response time frame may be extended by up to two further months for complex or a high volume of requests. However,he data subjects must be informed of this within one month of the request, and the reasons for the delay given.
7. If a request is made via electronic form, the response should be via electronic means where possible, unless the data subject requests otherwise.
8. If it is decided that we will not comply with a request, we must inform the data subject without delay and at the latest within a month, stating the reason(s) and informing the data subject of their right to complain to the supervisory authority
9. Generally, responses to requests will be made free of charge, unless they are “manifestly unfounded or excessive” (GDPR Article 12). In which case we will either charge a reasonable fee or refuse to action the request.
10. If there is doubt about a data subject’s identity, we may request further information to establish it.
2. Information may be provided in writing, electronically or by other means.
3. The data subject may request the information orally (e.g., over the telephone or face-to- face), as long as the identity of the data subject has been established.
4. We must act on a request from a data subject, unless we are unable to establish their identity.
5. We must provide information without undue delay and within a maximum of one month from the receipt of the request.
6. The response time frame may be extended by up to two further months for complex or a high volume of requests. However,he data subjects must be informed of this within one month of the request, and the reasons for the delay given.
7. If a request is made via electronic form, the response should be via electronic means where possible, unless the data subject requests otherwise.
8. If it is decided that we will not comply with a request, we must inform the data subject without delay and at the latest within a month, stating the reason(s) and informing the data subject of their right to complain to the supervisory authority
9. Generally, responses to requests will be made free of charge, unless they are “manifestly unfounded or excessive” (GDPR Article 12). In which case we will either charge a reasonable fee or refuse to action the request.
10. If there is doubt about a data subject’s identity, we may request further information to establish it.
Please refer to the exact text of the GDPR if clarification of any of the above is required.
The procedure for responding to requests from data subjects is set out in this flowchart.
The procedure for responding to requests from data subjects is set out in this flowchart.
The specifics of each step in the procedure will vary according to the type of request involved.Refer to the relevant section of this procedure for more detail.
Step
Data Subject Request Received
Description
The data subject submits a request via one of a number of methods, including electronically (via email or via our website), by letter or on the telephone. This may be received by any part of the organization but should ideally be channelled through People Operations (Human Resources). A Data Subject Request Form is available for this purpose.
People Involved
People Operations
Step
Log Data Subject Request
Description
Log data subject request The fact that the request has been received is logged in the Data Subject Request Register and the date of the request recorded.
People Involved
People Operations
Step
Confirm Data Subject’s Identity
Description
The identity of the data subject is confirmed via an approved method. More information may be requested to confirm identity if required. If the identity of the data subject cannot be confirmed, the request is rejected and the reason for this communicated
to the data subject.
to the data subject.
People Involved
Request Administrator
Step
Charge For Request
Description
Charge for request. If a charge is applied, the data subject is informed of the charge and has an opportunity to decide whether or not to proceed. If the data subject decides not to proceed, the request is rejected and the reasons communicated to the data subject.
People Involved
Request Administrator
Step
Compile Requested Information
Description
The relevant information is compiled according to the type of request. This may involve planning how the requested action (e.g., erasure or restriction of processing) will be achieved. A maximum of one month is permitted to address the request; if the request will take more time, then a maximum of two further months are allowed, and the data subject must be informed of the delay and the reasons for it within one month of the request being submitted.
People Involved
Request Administrator
Step
Take Requested Action/Provide Information
Description
The requested action is carried out (if applicable) and the information requested is provided to the data subject electronically, if that is the preferred method, or via other means.
People Involved
Request Administrator
Step
Close Data Subject Request
Description
The fact that the request has been responded to is logged in the Data Subject Request Register together with the date of closure.
People Involved
Request Administrator
PROCEDURE STEPS
THE RIGHT TO BE INFORMED
When personal data iscollected from the data subject or obtained from another
source, we must inform the data subject about our use of that data and their
rights over it. Compliance with this right is addressed in a separate document, Privacy Notice Procedure.
source, we must inform the data subject about our use of that data and their
rights over it. Compliance with this right is addressed in a separate document, Privacy Notice Procedure.
THE RIGHT OF ACCESS
A data subject has the right to ask PartnerHero whether we process data about them and to request access to that data.In addition the, the data subject has the right to the following information:
1. The purposes of the processing
2. The categories of the personal data concerned
3. The recipients, or categories of recipients, of the data, if any, in particular any third countries or international organizations
4. The length of time that the personal data will be stored for (or the criteria used to determine that period)
5. The data subject’s rights to rectification or erasure of their personal data and restriction of, or objection to, its processing
6. The data subject’s right to lodge a complaint with a supervisory authority
7. Information about the source of the data, if not directly from the data subject
8. Whether the personal data will be subject to automated processing, including profiling and, if so, the logic and potential consequences involved
9. When the data are transferred to a third country or international organization, information about the safeguards that apply
2. The categories of the personal data concerned
3. The recipients, or categories of recipients, of the data, if any, in particular any third countries or international organizations
4. The length of time that the personal data will be stored for (or the criteria used to determine that period)
5. The data subject’s rights to rectification or erasure of their personal data and restriction of, or objection to, its processing
6. The data subject’s right to lodge a complaint with a supervisory authority
7. Information about the source of the data, if not directly from the data subject
8. Whether the personal data will be subject to automated processing, including profiling and, if so, the logic and potential consequences involved
9. When the data are transferred to a third country or international organization, information about the safeguards that apply
In most cases, the decision-making process for such requests will be straightforward unless it is judged that the request is manifestly unfounded or excessive. The compilation of the information is likely to require the input of the data owner.