This procedure sets out the key features regarding the handling of or response to requests for access to personal data made by data subjects, their representatives, or other interested parties by Resolver (the “Company”). This procedure will enable the Company to comply with legal obligations, provide better customer care, improve transparency, enable individuals to verify that information held about them is accurate, and increase the level of trust by being open with individuals about the information that is held about them.
This procedure applies broadly across all entities or subsidiaries owned or operated by the Company but does not affect any state or local laws or regulations which may otherwise be applicable.
This procedure applies to employees who handle data subject access requests, such as the Data Protection Officer.
A Data Subject Access Request (DSAR) is any request made by an individual or an individual’s legal representative for information held by the Company about that individual. The Data Subject Access Request provides the right for data subjects to see or view their own personal data as well as to request copies of the data.
A Data Subject Access Request must be made in writing (including by completing an online form on a corporate website: https://www.resolver.com/legal/data-subject-access-request/). In general, verbal requests for information held about an individual are not valid DSARs. In the event a formal Data Subject Access Request is made verbally to a staff member of the Company, further guidance should be sought from the Data Protection Officer, who will consider and approve all Data Subject Access Request applications.
A Data Subject Access Request can be made via any of the following methods: email, post, corporate website, or any other written method. DSARs made online must be treated like any other Data Subject Access Requests when they are received, though the Company will not provide personal information via social media channels.
The rights of an individual in relation to data subject access, insofar as this is possible, include the following:
The Company must provide a response to data subjects requesting access to their data within 30 calendar days of receiving the Data Subject Access Request unless local legislation dictates otherwise.
To be able to respond to the Data Subject Access Requests on time, the data subject should:
Subject to the exemptions referred to in this document, the Company will provide information to data subjects whose requests are in writing (or by some other method explicitly permitted by the local law) and are received from an individual whose identity can be validated by the Company.
However, the Company will not provide data where the resources required to identify and retrieve it would be excessively difficult or time-consuming. Requests are more likely to be successful where they are specific and targeted at particular information.
Factors that can assist in narrowing the scope of a search include identifying the likely holder of the information (e.g. by making reference to a specific department), the time period in which the information was generated or processed (the narrower the time frame, the more likely a request is to succeed), and being specific about the nature of the data sought (e.g. a copy of a particular form or email records from within a particular department).
Upon receipt of a DSAR, the Data Privacy Officer will acknowledge the request. The requestor will be asked to complete a Data Subject Access Request Form to better enable the Company to locate the relevant information.
The Operations Coordinator needs to check the identity of anyone making a DSAR to ensure information is only given to the person who is entitled to it. If the identity of a DSAR requestor has not already been provided, the person receiving the request will ask the requestor to provide two forms of identification, one of which must be a photo ID and the other confirmation of address (e.g. e-mail address).
If the requestor is not the data subject, written confirmation that the requestor is authorized to act on behalf of the data subject is required.
Upon receipt of the required documents, the person receiving the request will provide the Data Protection Officer with all relevant information in support of the DSAR. Where the Data Protection Officer is reasonably satisfied with the information presented by the person who received the request, the Data Protection Officer will notify the requestor that his/her DSAR will be responded to within 30 calendar days.
The 30-day period begins from the date that the required documents are received. The requestor will be informed by the Data Protection Officer in writing if there will be any deviation from the 30-day timeframe due to other intervening events.
The Data Protection Officer will contact and ask the relevant department(s) for the required information as requested in the DSAR. This may also involve an initial meeting with the relevant department to go through the request if required.
The department which holds the information must return the required information by the deadline imposed by the Data Protection Officer, and/or a further meeting will be arranged with the department to review the information. The Data Protection Officer will determine whether there is any information that may be subject to an exemption and/or if consent is required to be provided from a third party.
The Data Protection Officer must ensure that the information is reviewed/received by the imposed deadline to ensure the 30-day timeframe is not breached. The Data Protection Officer will ask the relevant department to complete a “Data Subject Disclosure Form” to document compliance with the 30-day requirement.
The Data Protection Officer will provide the finalized response together with the information retrieved from the department(s) and/or a statement that the Company does not hold the information requested, or that an exemption applies.
The Data Protection Officer will ensure that a written response will be sent back to the requestor. This will be via email unless the requestor has specified another method by which they wish to receive the response (e.g. post). The Company will only provide information via secure channels.
When hard copies of information are posted, they will be sealed securely and sent by recorded delivery.
After the response has been sent to the requestor, the DSAR will be considered closed and archived by the Data Protection Officer.
The procedure is presented as a flow chart in the Annex of this document.
An individual does not have the right to access information recorded about someone else, unless they are an authorized representative, or have parental responsibility.
The Company is not required to respond to requests for information unless it is provided with sufficient details to enable the location of the information to be identified and to satisfy itself as to the identity of the data subject making the request.
In principle, the Company will not normally disclose the following types of information in response to a Data Subject Access Request:
There are situations where individuals do not have the right to see information relating to them. For instance:
If the responsible person refuses a Data Subject Access Request on behalf of the Company, the reasons for the rejection must be clearly set out in writing. Any individual dissatisfied with the outcome of his/her Data Subject Access Request is entitled to make a request to the Data Protection Officer to review the outcome.
The overall responsibility for ensuring compliance with a DSAR rests with the Data Protection Officer.
If the Company acts as a data controller towards the data subject making the request, then the DSAR will be addressed based on the provisions of this procedure.
If the Company acts as a data processor, the Data Protection Officer will forward the request to the appropriate data controller on whose behalf the Company processes personal data of the data subject making the request.
| Record name | Storage location | The person responsible for the storage | Controls for record protection | Retention time |
| --- | --- | --- | --- | --- |
| Data Subject Access Request Forms | DSAR Form | Data Protection Officer | Only authorized persons may access the folder | 10 years |
| Data Subject Disclosure Form | Privacy Statement | Data Protection Officer | Only authorized persons may access the folder | 10 years |
This document is valid as of July 2020.
The owner of this document is the Data Protection Officer, who must check and, if necessary, update the document at least once a year.
EFFECTIVE ON: September 2020
REVIEW CYCLE: At least annually and as needed
REVIEW, APPROVAL & CHANGE HISTORY: Last time reviewed and approved in August 2020 by Resolver’s Information Technology Security team.