This procedure sets out the key features regarding the handling of our response to requests for access to personal data collected by Resolver (the “Company”) which are made by data subjects, their representatives, or other interested parties (“Requestors”) in accordance with applicable laws. This procedure will enable the Company to comply with its legal obligations, provide better customer care, improve transparency, enable individuals to verify that information held about them is accurate, and increase the level of trust by being open with individuals about the information that is held about them.
This procedure applies broadly across all entities or subsidiaries owned or operated by the Company but does not affect any federal, state or local laws or regulations that may otherwise be applicable.
This procedure applies to all Company employees who handle data subject access requests, such as the Data Protection Officer.
Where the Company acts as a processor. Our customers may use certain Company software and services to host and process personal information which they have collected about data subjects. In such cases, the Company processes such personal information purely on behalf of those customers. Individual data subjects who seek to exercise their rights with respect to such personal information should direct their query to that customer (the controller). If the Company receives such a request, we will refer that request to the customer for handling, as our sole obligation.
A Data Subject Access Request (DSAR) is any request made by a Requestor for personal information which the Company holds about that individual. The Data Subject Access Request initiates the process for data subjects to see or view their own personal data in the Company’s control, as well as to request copies of the data.
A Data Subject Access Request must be made in writing (including by completing an online form on a corporate website: DSAR Form). Generally, verbal requests for information about an individual are not valid DSARs, unless otherwise permitted by applicable law. If a formal Data Subject Access Request is made verbally to a staff member of the Company, they should seek further guidance from the Data Protection Officer, who will consider and approve all Data Subject Access Request applications.
A Data Subject Access Request can be made via any of the following methods: email, post, corporate website, or any other written method. DSARs made online must be treated like any other Data Subject Access Requests when they are received, though the Company will not provide personal information via social media channels.
The legal rights of an individual in relation to a data subject access request will vary by jurisdiction. Generally, such rights include the following:
The Company will use its best efforts to provide a response to data subjects requesting access to their data prior to the legal deadline (generally within 30 calendar days of receiving the Data Subject Access Request, unless local legislation dictates a different time period, and subject to such extensions as may be available under applicable law) (the “Response Deadline”).
So that the Company may respond to the Data Subject Access Requests promptly, the Requestor should:
Subject to the exemptions referred to in this document and applicable law, the Company will provide information to Requestors whose requests are made in writing (or by some other method explicitly permitted by the local law) and are received from an individual whose identity can be validated by the Company.
However, the Company is entitled in some jurisdictions to not provide data where the resources required to identify and retrieve the data would be excessively difficult, expensive, or time-consuming. Requests are more likely to succeed when they are specific and targeted at obtaining particular information.
Factors which can assist in narrowing the scope of a search include identifying the likely holder of the information (e.g., by making reference to a specific department), providing the time period in which the information was generated or processed (since the narrower the time frame for the search, the more likely a request is to succeed), and being specific about the nature of the data sought (e.g., a copy of a particular form or email records from within a particular department).
Upon receipt of a DSAR, a member of the Company’s Information Security team (“Analyst”) will be appointed to process the request. The Data Privacy Officer will be notified, to acknowledge receipt of the request to the Requestor.
The Analyst may ask the Requestor to complete a Data Subject Access Request Form with additional details, or to provide the detailed information via email, to enable the Company better to locate the relevant data.
The Company is required by law to verify the identity of anyone making a DSAR, so as to ensure that such information is only given to the person who is entitled to it. If the identity and authority of a Requestor have not already been provided, then the Analyst will ask the Requestor to provide two forms of identification, one of which must be a photo ID and the other confirmation of address (e.g. e-mail address).
If the Requestor is not the data subject, the Analyst will also require written confirmation that the Requestor is authorized to act on behalf of the data subject according to the requirements of applicable law.
Once the DSAR is completed and all requested documents have been received, the Analyst will confirm to the Data Protection Officer that the DSAR may proceed. Where the Data Protection Officer is reasonably satisfied with the information presented by the Analyst, the Data Protection Officer will notify the Requestor that his/her DSAR will be responded to by the applicable Response Deadline or, if applicable, whether there will be any deviation from that timeframe due to other intervening events.
The applicable response period begins from the date that the required documents are received.
The Analyst will begin the process of retrieving the requested data by contacting the relevant department(s). If required, this may also involve an initial meeting with the relevant department to go through the DSAR.
The department that holds the information must return the required information by the deadline imposed by the Data Protection Officer, and/or a further meeting will be arranged with the department to review the information. The Data Protection Officer will also then determine whether any of the requested information may be subject to an exemption and/or if additional consents are required (e.g. from an affected third party).
The Data Protection Officer must ensure the information is extracted and reviewed by the imposed deadline so that the Company can make a timely response to the Requestor. The Data Protection Officer will also ask the relevant department to complete a “Data Subject Disclosure Form” to document compliance with the required timeline.
The Data Protection Officer will provide the finalized written response to the Requestor. That response will either provide the requested information which was retrieved pursuant to the DSAR, state that the Company does not hold the requested information, or state that the request has been refused based on an exemption under applicable law.
If a request is refused, the Company’s reply will set out the reasons for that refusal and any recourse that the Requestor may have under applicable law, as well as the contact information for an officer or employee of the Company who can answer the Requestor’s questions about the refusal.
The response will be delivered via email, unless the Requestor has specified another reasonable method by which they wish to receive the response (e.g. by courier). The Company will only provide the data via secure channels.
When hard copies of information are posted, they will be sealed securely and sent by recorded delivery.
When an individual successfully demonstrates the inaccuracy or incompleteness of personal information, the Company will amend the information as required. Depending upon the nature of the information challenged, amendment may involve the correction, deletion, or addition of information. Where appropriate, the amended information shall be transmitted to third parties having access to the information in question.
After the Data Protection Officer has sent the response, the DSAR will be considered closed and archived by the Data Protection Officer.
The procedure is presented as a flow chart in the Annex of this document.
The Company reserves the right to impose a reasonable fee for the processing of DSARs, and the transcription, reproduction or transmission of identified information in alternative formats, where permissible under applicable law. The Requestor will be advised of such fees prior to the Company’s engagement with any DSARs.
The Company is not obliged to, and in some instances is prohibited from, disclosing certain information under its control in response to a DSAR. Examples include:
If the Company refuses a Data Subject Access Request, the reasons for the rejection will be clearly set out in writing. Any individual dissatisfied with the outcome of his/her Data Subject Access Request is entitled to make a request to the Data Protection Officer to review the outcome.
The overall responsibility for ensuring compliance with a DSAR rests with the Data Protection Officer.
If the Company acts as a data controller toward the data subject making the request, then the DSAR will be addressed based on the provisions of this procedure.
If the Company acts as a data processor, the Data Protection Officer will forward the request to the appropriate data controller on whose behalf the Company processes the personal data of the data subject making the request.
| Record name | Storage location | Person responsible for storage | Controls for record protection | Retention time |
| --- | --- | --- | --- | --- |
| Data Subject Access Request Forms | DSAR Form | Data Protection Officer | Only authorized persons may access the folder | 10 years |
| Data Subject Disclosure Form | Privacy Statement | Data Protection Officer | Only authorized persons may access the folder | 10 years |
Canada Notice. Information may be made available in an alternative format to an individual with a sensory disability who has a right of access to personal information, and who requests that it be transmitted in the alternative format, if: a version of the information already exists in that format; or, if its conversion into that format is reasonable and necessary in order for the individual to be able to exercise their rights.
This document is valid as of September 2023.
The owner of this document is the Data Protection Officer, who must check and, if necessary, update the document at least once a year.
EFFECTIVE ON: September 2023
REVIEW CYCLE: At least annually and as needed