Data Subject Rights Policy & Procedure
1. GENERAL PURPOSE AND SCOPE
1.1 OVERVIEW
Data Subjects, who are residents of any of the member states of the European Union (EU), have rights over their personal data that is controlled, owned, and/or handled by Netenrich. Data Subjects have the right to know what Personal Data Netenrich collects, stores and uses. This document covers the Data Subject Rights under the General Data Protection Regulation (GDPR), to which controllers and processors must adhere, and the process that needs to be followed.
1.2 PURPOSE
The purpose of this Policy is to set forth the directive and guidance for Netenrich to fulfill Data Subject Rights Requests and follow the defined process.
1.3 SCOPE
This document applies to all Netenrich divisions, subsidiaries and affiliates, where Data Subject Rights Requests are received from employees as well as third parties (including customers, partners) for the personal data stored in paper and electronic formats.
1.4 DEFINITION
Term: Definition
Data Subject: Data Subject can be defined as an identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Data Subject Rights Inquiry: An inquiry submitted by a Data Subject to Netenrich for information related to Personal Data that Netenrich holds, stores, processes and/or transfers about a Data Subject. Data Subject Rights Inquiries include both internal (e.g. employees) and external inquiries. For Data Subject Rights Inquiries from employees, certain requests may be outside the scope of this Policy and therefore are not required to follow the requirements contained herein. See Section 6 for more information.
Machine-Readable Format: Data in a format that can be automatically read and processed by a computer, such as CSV, JSON, XML. Machine-readable data must be structured data.
Personal Data: Any information relating to an identified or identifiable natural person (also known as a Data Subject).
Processing: Any operation or set of operations which is performed on Personal Data or sets of Personal Data whether regarding a new process or the review of an existing process, whether or not by automated means. This includes activities such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Sensitive Personal Data: Racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
System: Broadly defined to encompass systems, applications, services, devices, technologies and tools that process Personal Data.
Unstructured Data: Data that is not contained in a database or some other type of data structure (e.g. email).
Right to be informed:
- To provide Data Subjects with information about how their data will be used or processed to ensure transparency.
- Referred to as Consent form or Privacy notices or Fair processing information or Notice of data processing.
Right of rectification: Right of Data Subjects to have their data rectified without undue delay, including having incomplete data completed.
Right to object: Data Subjects can object to the processing of their data.
Right to restrict processing: Data Subject has the right to restrict processing in the following circumstances:
- They contest the accuracy of the personal data. If so, the Controller can then verify the accuracy of the personal data;
- The processing is unlawful, but the Data Subject doesn’t want the data erased;
- The organization no longer needs the personal data for the purposes of the processing, but they are required by the Data Subject for the establishment, exercise or defence of legal proceedings.
Right to data portability: Data Subject has the right to receive the personal data concerning themselves in a structured, commonly used and machine-readable format (e.g. CSV, XML or JSON) and have that data be transferred to another controller without hindrance.
Right to erasure: The right to erasure of data will apply, unless required for legal obligation, for legal claim processing:
- Where their data is no longer necessary for the purpose it was collected, processed, and/or if it was unlawfully processed;
- Where the Data Subject has withdrawn their consent or objects to the processing of their data.
Right to access: The Data Subject shall have the right to obtain confirmation from the Controller whether personal data concerning him or her are being processed and processing details regarding:
- Processing purposes;
- Recipients or categories of recipients to whom the personal data (will) have been disclosed;
- Time period for which the personal data will be stored.
Right to object to automated decision-making including profiling: The right to not be subjected to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her, or may similarly affect the Data Subject significantly.
2. METHODS AND PROCESSES
2.1 DATA SUBJECT RIGHTS PROCESS AND TIMING
The below listed steps set forth the process by which Netenrich will receive, action and respond to a Data Subject Rights Request.
1. Data Privacy Officer (also referred to as Data Protection Officer or DPO hereinafter) shall:
- Receive requests from Data Subjects;
- Verify the identity of Data Subjects;
- Define and, if possible, narrow the scope of the requests;
- Monitor all Data Subject Rights requests;
- Compile the data in the form requested for providing back to the Data Subjects;
- Consult the system inventory and applicable data mapping records to identify systems, system owners, business owners and third parties that store the requested Personal Data.
- Pass the Data Subject Rights requests to each identified System, System owner and/or business owner;
- Store the data provided by System owners in the storage database.
- Provide the data to the Data Subjects;
2. System owners shall:
- Identify the requested Personal Data;
- Work with DPO to further refine and define the scope of records;
- Fulfill the Data Subject Rights requests within the applicable Systems;
- Provide the requested data (if any) back to the DPO;
- Work with DPO and/or Divisional Lawyers to contact applicable third parties to fulfill Data Subject Rights requests.
2.2 RESPONDING WINDOW
Data Subject Rights requests must be responded to by Netenrich within 30 calendar days. Therefore, upon the System or business owner’s receipt of the request from the DPO, the System or business owner must, within 10 calendar days of receiving the request:
- Identify the requisite data;
- Complete the requested action(s);
- Provide the data to the DPO.
2.3 IN-SCOPE SYSTEMS FOR DATA SUBJECT RIGHTS REQUESTS
Data Subject Rights requests apply to all:
- Active Systems (internal and external facing), including databases and repositories;
- Inactive Systems on the Netenrich network (internal and external facing);
- Third Party Systems that process Data Subject’s Personal Data on Netenrich’s behalf;
- Paper records (e.g. file cabinets, paper forms).
2.4 OUT OF SCOPE SYSTEMS FOR DATA SUBJECT RIGHTS REQUESTS
This Policy does not apply to the following Systems or types of data:
- Systems or data currently under Legal Hold;
- Unstructured Data;
- Decommissioned Systems that are retained for audit, tax, and/or legal purposes.
2.5 MATCHING CRITERIA FOR IDENTIFYING THE CORRECT PERSONAL DATA
The criteria to be used to identify and match the correct Personal Data and Data Subject are:
- Email address;
- IP address;
- Cookie data;
- Contact information (in case of lead generations for sales and marketing purposes);
- Information collected as part of onboarding process.
Upon receiving the Data Subject Rights requests, business and System owners must search for these data elements within their records (electronic and paper) to identify the Data Subject’s Personal Data. Additional information may also be provided to assist with the search.
In certain circumstances, it may be difficult to identify the correct Personal Data and/or Data Subject. In such cases, consult with the DPO for guidance. Examples of such situations might include where:
- There are misspellings of data elements, such as name and email address (e.g. Hemant and Hemanth);
- Variations in name or email address resolve to one Data Subject (e.g. Hemanth Kumar and Hemant Kumar resolve to the same email address);
- An identifier results in records associated with more than one Data Subject (e.g. an IP address is associated with multiple email addresses);
- The combination of the above identifiers matches more than one Data Subject (e.g. an email address + IP address match both Tom Jones and Samantha Jones).
If you believe there are other data stores that may be relevant to the Data Subject Rights requests, notify the DPO.
3. FULFILLING SPECIFIC TYPES OF REQUESTS
3.1 REQUESTS FOR COPIES OF PERSONAL DATA
Data Subjects have the right to request a copy of the Personal Data that Netenrich stores about them. To respond, after identifying the Data Subject and the Personal Data, business and System owners must:
- Collect the relevant Personal Data from the Systems;
- Generate and provide to the DPO a copy of the Data Subject’s Personal Data in an editable format (e.g., Word, Excel);
- If requested by the DPO, generate and provide to Data Subject a copy of the Personal Data in Machine-Readable Format.
3.2 DELETION REQUESTS – RIGHT TO BE FORGOTTEN
Data Subjects have the right to have their Personal Data deleted from Systems. To respond, after identifying the Data Subject and the Personal Data, business and System owners must:
- For front-end websites, apps, and/or other forums that make a Data Subject’s Personal Data public (e.g., message boards, leader boards), remove the Data Subject’s Personal Data from public view and delete the underlying data;
- Where permitted and with appropriate guidance from the DPO, anonymize the Personal Data. Anonymization requires removing any Data Subject identifiers and/or pseudonymous data, such as name, email address, IP address, device ID, or third party ID.
- Once a Data Subject’s Personal Data is deleted from the System, the System no longer passes that Data Subject’s Personal Data to other Systems.
The following are not sufficient actions for deletion:
- Masking, delinking or blacklisting data;
- ‘Covering’ data with a deletion record or note;
- Setting an account to inactive.
Exception: DPO will provide guidance related to deletion after it has evaluated whether Netenrich has the right or obligation to retain the data for legal or other purposes, including legal hold, and/or other legal, security, and tax purposes.
3.3 CORRECTION, MODIFICATION OR AMENDMENT REQUESTS
Data Subjects have the right to have their Personal Data corrected, modified and amended. To respond, after identifying the Data Subject and the Personal Data, business and System owners must:
- Correct, amend or modify the Personal Data in the System;
- Once a Data Subject’s Personal Data is corrected, modified or amended, the System must pass the modified data to any applicable downstream systems, such that the out of date data is overwritten with the new and/or updated data.
3.4 REQUEST TO RESTRICT PROCESSING
Data Subjects have the right to restrict Processing of their Personal Data. To respond, after identifying the Data Subject and the Personal Data, business and System owners must either:
- Flag the applicable data in the System to omit it from data sets used for Processing activities OR
- Transfer the data to a different system/environment in order to ring-fence its use.
In some cases, Netenrich will treat a restriction of processing request in the same manner as a deletion request. Such determination will be provided by the DPO.
3.5 PORTABILITY REQUESTS
Data Subjects have the right to have their Personal Data provided in a format that can be provided to another entity. To respond, after identifying the Data Subject and the Personal Data, business and System owners must:
- Collect relevant personal data from applicable Systems;
- Generate a copy of the Personal Data in a Machine-Readable Format that can be provided to the Data Subject or another organization.
4. LOGGING AND TRACKING DATA SUBJECT RIGHTS REQUESTS
4.1 LOGGING REQUESTS
The DPO will keep records of the fulfillment of Data Subject Rights Requests.
System and business owners should retain and provide to the DPO evidence of:
- Copies, extracts, modifications, and/or deletions that were made to the Personal Data by category or field, not by value (e.g. record that the first name was changed, but do not record the actual change, such as ‘Susan was changed to Sue’);
- The date the copy, extract, modifications, and/or deletions were made.
4.2 RETENTION AND PURGING OF DATA
Personal data must be purged from Systems in accordance with the Netenrich Record Retention Schedule:
- Records Management and the DPO may update and roll out a records retention schedule for business and system owners to follow;
- Systems or procedures must be developed to facilitate purging of Personal Data in accordance with the retention schedule through either automated or manual means;
- System and business owners must be careful to confirm that data is not subject to a legal hold before purging. Please consult the DPO if you are unsure whether a legal hold is in effect;
- Once Personal Data is purged in accordance with the retention schedule, it must no longer be available to any Systems.
5. AUDITING AND MONITORING
5.1 PERIODIC AUDITS
Periodic audits may occur to verify compliance with this Policy.
5.2 POLICY VIOLATIONS
Data Subjects who violate this policy may be subject to disciplinary action, up to and including termination.
6. EXCEPTIONS
6.1 GENERAL
There may be instances in which an exception to this Policy is required. Requests for exceptions must be documented in writing, have a justifiable business case, and be submitted to the DPO at datasecurity@netenrich.com.
Deviations from the Netenrich process for receiving and responding to Data Subject Rights Requests as documented herein will be treated as an exception and will be documented and stored by the DPO.
6.2 EMPLOYEE REQUESTS
Standard employee requests for information related to their employment relationship with Netenrich (e.g. copies of paystubs, tax forms, performance reviews, etc.) will not constitute a Data Subject Rights Request. However, there will be instances in which some requests will constitute a Data Subject Rights Request and will be required to follow this Policy. Examples include where:
- The request presents a heightened risk to either the employee, another Data Subject and/or Netenrich;
- The employee and/or request may be part of an investigation or other legal action;
- The request is outside the scope of typical employee requests.
Please consult with the DPO if you are unsure whether an employee request is within scope of this Policy.
7. STORAGE AND RETENTION
All information related to this Policy will be stored in the document repository in accordance with the Netenrich Records Retention Policy and Records Retention Schedule.
8. APPENDIX
DATA SUBJECT RIGHTS PROCESS FLOW