Data Subject Rights Policy & Procedure

1.1 OVERVIEW

Data Subjects, who are the residents of any of the member states of the European Union (EU), have rights on their personal data that is controlled, owned, and/or handled by Netenrich. Data Subjects have the right to know what Personal Data Netenrich collects, stores and uses. This document encompasses the Data Subject Rights as per the General Data Protection Regulation (GDPR), to which controllers and processors have to adhere to and the process that needs to be followed.

1.2 PURPOSE

The purpose of this Policy is to set forth the directive and guidance for Netenrich to fulfill Data Subject Rights Requests and follow the defined process.

1.3 SCOPE

This document applies to all Netenrich divisions, subsidiaries and affiliates, where Data Subject Rights Requests are received from employees as well as third parties (including customers, partners) for the personal data stored in paper and electronic formats.

1.4 DEFINITION

2.1 DATA SUBJECT RIGHTS PROCESS AND TIMING

The below listed steps set forth the process by which Netenrich will receive, action and respond to a Data Subject Rights Request.

1. Data Privacy Officer (also referred as Data Protection Officer or DPO herein after) shall:

Work with DPO and/or Divisional Lawyers to contact applicable third parties to fulfill Data Subject Rights requests.

• Receive requests from Data Subjects;
• Verify the identity of Data Subjects;
• Define and if possible, narrow the scope of the requests.
• Monitor all Data Subject Rights requests;
• Compile the data in the form requested for providing back to the Data Subjects;
• Consult the system inventory and applicable data mapping records to identify systems, system owners, business owners and third parties that store the requested Personal Data.
• Pass the Data Subject Rights requests to each identified systems, System owner and/or business owner
• Store the data provided by System owners in the storage database.
• Provide the data to the Data Subjects;

2. System owners shall:

• Identify the requested Personal Data;
• Work with DPO to further refine and define the scope of records;
• Fulfill the Data Subject Rights requests within the applicable Systems;
• Provide the requested data (if any) back to the DPO;
• Work with DPO and/or Divisional Lawyers to contact applicable third parties to fulfill Data Subject Rights requests.

2.2 RESPONDING WINDOW

Data Subject Rights requests must be responded by Netenrich within 30 calendar days. Therefore, upon the System or business owner’s receipt of the request from the DPO, the System or business owner must, within 10 calendar days of receiving the request:

• Identify the requisite data;
• Complete the requested action(s);
• Provide the data to the DPO

2.3 IN-SCOPE SYSTEMS FOR DATA SUBJECT RIGHTS REQUESTS

Data Subject Rights requests apply to all:

• Active Systems (internal and external facing), including databases and repositories;
• Inactive Systems on the Netenrich network (internal and external facing);
• Third Party Systems that process Data Subject’s Personal Data on Netenrich’s behalf
• Paper records (e.g. file cabinets, paper forms).

2.4 OUT OF SCOPE SYSTEMS FOR DATA SUBJECT RIGHTS REQUESTS

This Policy does not apply to the following Systems or types of data:

• Systems or data currently under Legal Hold;
• Unstructured Data;
• Decommissioned Systems that are retained for audit, tax, and/or legal purposes.

2.5 MATCHING CRITERIA FOR IDENTIFYING THE CORRECT PERSONAL DATA

The criteria to be used to identify and match the correct Personal Data and Data Subject are:

• Email address;
• IP address;
• Cookie data;
• Contact information (in case of lead generations for sales and marketing purposes);
• Information collected as part of onboarding process.

Upon receiving the Data Subject Rights requests, business and System owners must search for these data elements within their records (electronic and paper) to identify the Data Subject’s Personal Data. Additional information may also be provided to assist with the search.

In certain circumstances, it may be difficult to identify the correct Personal Data and/or Data Subject. In such cases, consult with the DPO for guidance. Examples of such situations might include where:

• There are misspellings of data elements, such as name and email address (e.g. Hemant and Hemanth);
• Variations in name or email address resolve to one Data Subject (e.g. Hemanth Kumar and Hemant Kumar resolve to the same email address);
• An identifier results in records associated with more than one Data Subject (e.g. an IP address is associated with multiple email addresses);
• The combination of the above identifiers match to more than one Data Subject (e.g. an email address + IP address match to Tom Jones and Samantha Jones)

If you believe there are other data stores that may be relevant to the Data Subject Rights requests, notify the DPO.

3.1 REQUESTS FOR COPIES OF PERSONAL DATA

Data Subjects have the right to request a copy of the Personal Data that Netenrich stores about them. To respond, after identifying the Data Subject and the Personal Data, business and System owners must:

• Collect the relevant Personal Data from the Systems;
• Generate and provide to the DPO a copy of the Data Subject’s Personal Data in an editable format (e.g., Word, Excel);
• If requested by the DPO, generate and provide to Data Subject a copy of the Personal Data in Machine-Readable Format;

3.2 DELETION REQUESTS – RIGHT TO BE FORGOTTEN

Data Subjects have the right to have their Personal Data deleted from Systems. To respond, after identifying the Data Subject and the Personal Data, business and System owners must:

• For front-end websites, apps, and/or other forums that make a Data Subject’s Personal Data public (e.g., message boards, leader boards), remove the Data Subject’s Personal Data from public view and delete the underlying data;
• Where permitted and with appropriate guidance from the DPO, anonymize the Personal Data. Anonymization requires removing any Data Subject identifiers and/or pseudonymous data, such as name, email address, IP address, device ID, or third party ID.
• Once a Data Subject’s Personal Data is deleted from the System, the System no longer passes that Data Subject’s Personal Data to other Systems.

The following are not sufficient actions for deletion:

• Masking, delinking or blacklisting data;
• ’Covering‘ data with a deletion record or note;
• Setting an account to inactive.

Exception: DPO will provide guidance related to deletion after it has evaluated whether Netenrich has the right or obligation to retain the data for legal or other purposes, including legal hold, and/or other legal, security, and tax purposes.

3.3 CORRECTION, MODIFICATION OR AMENDMENT REQUESTS

Data Subjects have the right to have their Personal Data corrected, modified and amended. To respond, after identifying the Data Subject and the Personal Data, business and System owners must:

• Correct, amend or modify the Personal Data in the System;
• Once a Data Subject’s Personal Data is corrected, modified or amended, the System must pass the modified data to any applicable downstream systems, such that the out of date data is overwritten with the new and/or updated data.

3.4 REQUEST TO RESTRICT PROCESSING

Data Subjects have the right to restrict Processing of their Personal Data. To respond, after identifying the Data Subject and the Personal Data, business and System owners must either:

• Flag the applicable data in the System to omit it from data sets used for Processing activities OR
• Transfer the data to a different system/environment in order to ring-fence its use.

In some cases, Netenrich will treat a restriction of processing request in the same manner as a deletion request. Such determination will be provided by the DPO.

3.5 PORTABILITY REQUESTS

Data Subjects have the right to have their Personal Data provided in a format that can be provided to another entity. To respond, after identifying the Data Subject and the Personal Data, business and System owners must:

• Collect relevant personal data from applicable Systems;
• Generate a copy of the Personal Data in a Machine-Readable Format that can be provided to the Data Subject or another organization.

4.1 LOGGING REQUESTS

The DPO will keep records of the fulfillment of Data Subject Rights Requests.

System and business owners should retain and provide to the DPO evidence of:

• Copies, extracts, modifications, and/or deletions that were made to the Personal Data by category or field, not by value (e.g. that first name was changed, and do not mention the actual change for e.g., ‘Susan was changed to Sue’);
• The date the copy, extract, modifications, and/or deletions were made.

4.2 RETENTION AND PURGING OF DATA

Personal data must be purged from Systems in accordance with the Netenrich Record Retention Schedule:

• Records Management and the DPO may update and roll out a records retention schedule for business and system owners to follow;
• Systems or procedures must be developed to facilitate purging of Personal Data in accordance with the retention schedule through either automated or manual means;
• System and business owners must be careful to confirm that data is not subject to a legal hold before purging. Please consult the DPO if you are unsure whether a legal hold is in effect;
• Once Personal Data is purged in accordance with the retention schedule, it must no longer be available to any Systems.

5.1 PERIODIC AUDITS

Periodic audits may occur to verify compliance with this Policy.

5.2 POLICY VIOLATIONS

Data Subjects who violate this policy may be subject to disciplinary action, up to and including termination.

6.1 GENERAL

There may be instances in which an exception to this Policy is required. Requests for exceptions must be documented in writing, have a justifiable business case, and be submitted to the DPO at datasecurity@netenrich.com.

Deviations from the Netenrich process for receiving and responding to Data Subject Rights Requests as documented herein, will be treated as an exception and will be documented and stored by the DPO.

6.2 EMPLOYEE REQUESTS

Standard employee requests for information related to their employment relationship with Netenrich (e.g. copies of paystubs, tax forms, performance reviews, etc.) will not constitute Data Subject Rights Request. However, there will be instances in which some requests will constitute a Data Subject Rights Request and will be required to follow this Policy. Examples include where:

• The request presents a heightened risk to either the employee, another Data Subject and/or Netenrich;
• The employee and/or request may be part of an investigation or other legal action;
• The request is outside the scope of typical employee requests.

Please consult with the DPO if you are unsure whether an employee request is within scope of this Policy.

All information related to this Policy will be stored in the document repository in accordance with the Netenrich Records Retention Policy and Records Retention Schedule.

DATA SUBJECT RIGHTS PROCESS FLOW