Data Subject Rights Policy and Procedure
Section 1: General Purpose and Scope
Data Subjects who are residents of any member state of the European Union have rights over their personal data that is controlled/owned/handled by NetEnrich. Data Subjects have a right to know what Personal Data NetEnrich collects, stores and uses. This document encompasses the Data Subject Rights under the GDPR, to which controllers and processors have to adhere, and the process that needs to be followed.
The purpose of this Policy is to set forth the directive for NetEnrich to fulfill Data Subject Rights Requests and guide NetEnrich to follow the defined process.
This document applies to all NetEnrich divisions, subsidiaries and affiliates, where Data Subject Rights Requests are received from employees as well as third parties (including customers), for the personal data stored in paper and electronic format.
Data Subject: Data Subject can be defined as an identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Data Subject Rights Inquiry: An inquiry submitted by a Data Subject to NetEnrich for information related to Personal Data that NetEnrich holds, stores, processes or transfers about a Data Subject. Data Subject Rights Inquiries include both internal (e.g. employees) and external inquiries. For Data Subject Rights Inquiries from employees, certain requests are outside the scope of this Policy and therefore are not required to follow the requirements contained herein (e.g. a request from data subjects (customers, partners, employees etc…) to view copies of their personal data which NetEnrich holds). See Section 6 for more information.
Machine-Readable Format: Data in a format that can be automatically read and processed by a computer, such as CSV, JSON, XML. Machine-readable data must be structured data.
Personal Data: Any information relating to an identified or identifiable natural person (also known as a Data Subject).
Processing: Any operation or set of operations which is performed on Personal Data or on sets of Personal Data whether regarding a new process or the review of an existing process, whether or not by automated means. This includes activities such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Sensitive Personal Data: Racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
System: Broadly defined to encompass systems, applications, services, devices, technologies and tools that Process Personal Data.
Unstructured Data: Data that is not contained in a database or some other type of data structure (e.g. email).
Right to be informed: To provide Data Subjects with information about how their data will be used (or ‘processed’) to ensure transparency.
Right of rectification: The right of Data Subjects to have their data rectified without undue delay; this includes having incomplete data completed.
Right to object: Data Subjects can object to the processing of their data.
Right to restrict processing: Data Subjects will have the right to restrict processing in the following circumstances:
- They contest the accuracy of the personal data (the controller can then verify the accuracy of the personal data)
- The processing is unlawful, but the Data Subject does not want the data erased
- The organization no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal
Right to data portability: The Data Subject has the right to receive the personal data concerning themselves in a structured, commonly used and machine-readable format (e.g. CSV, XML or JSON), and to have that data transferred to another controller without hindrance.
Right to erasure: The right to erasure of data will apply, unless the data is required for a legal obligation or processing for a legal claim:
- Where their data is no longer necessary for the purpose it was collected, or processed, or if it was unlawfully processed.
- Where the data subject has withdrawn their consent or objects to the processing of their data.
Right to access: The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed and, if they are being processed, details about:
- Purposes of the processing
- Recipients or categories of recipient to whom the Personal data have been or will be disclosed
- Period for which the personal data will be stored
Right to object to automated decision-making, including profiling: The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects the data subject.
Section 2: Methods and Processes
I. Data Subject Rights Process and Timing
The steps listed below set forth the process by which NetEnrich will receive, act on and respond to a Data Subject Rights Request.
- The Data Privacy Officer (also referred to as the Data Protection Officer/DPO hereinafter) shall:
  - Receive requests from Data Subjects
  - Verify the identity of Data Subjects
  - Define, and if possible, narrow the scope of the request
  - Monitor all Data Subject Rights Requests
  - Compile the data in the form requested for providing back to the Data Subject
  - Provide the data to the Data Subject
  - Consult the system inventory and applicable data mapping records to identify in-scope Systems, System owners, business owners and third parties that store the requested Personal Data
  - Pass the Data Subject Rights Request to each identified System, System owner and/or business owner
  - Store the data provided by System owners in the storage database
- System owners shall:
  - Identify the requested Personal Data
  - Work with the DPO to further refine and define the scope of records
  - Fulfill the Data Subject Rights Request within the applicable Systems
  - Provide the requested data (if any) back to the DPO
  - Work with the DPO and/or Divisional Lawyers to contact applicable third parties to fulfill Data Subject Rights Requests
II. Response Window
Data Subject Rights Requests must be responded to by NetEnrich within 30 calendar days. Therefore, upon the System or business owner’s receipt of the request from the DPO, the System or business owner must, within 10 calendar days of receiving the request:
- Identify the requisite data
- Complete the requested action
- Provide the data to the DPO
III. In-Scope Systems for Data Subject Rights Requests
Data Subject rights requests apply to all:
- Active Systems (internal and external-facing), including databases and repositories
- Inactive Systems on the NetEnrich network (internal and external-facing)
- Third party Systems that process a Data Subject’s Personal Data on NetEnrich’s behalf
- Paper records (e.g. file cabinets, paper forms)
IV. Out-of-Scope Systems for Data Subject Rights Requests
This Policy does not apply to the following Systems or types of data:
- Systems or data currently under Legal Hold
- Unstructured Data
- Decommissioned Systems that are retained for audit, tax, or legal purposes
V. Matching Criteria for Identifying the Correct Personal Data
The criteria to be used to identify and match the correct Personal Data and Data Subject are:
- Email address
- IP address
- Cookie data
- Contact information (in the case of lead generation for sales and marketing purposes)
- Information collected as part of on-boarding process
Upon receiving the Data Subject Rights Request, business and System owners must search for these data elements within their records (electronic and paper) to identify the Data Subject’s Personal Data. Additional information may also be provided to assist with the search.
In certain circumstances, it may be difficult to identify the correct Personal Data and/or Data Subject. In such cases, consult with the DPO for guidance. Examples of such situations might include where:
- There are misspellings of data elements, including for example, name and email address (e.g. Hemant and Hemanth)
- Variations in name or email address resolve to one Data Subject (e.g. Hemanth Kumar and Hemant Kumar resolve to the same email address)
- An identifier results in records associated with more than one Data Subject (e.g. an IP address is associated with multiple email addresses)
- The combination of the above identifiers matches more than one Data Subject (e.g. an email address + IP address match to Tom Jones and Samantha Jones)
If you believe there are other data stores that may be relevant to the Data Subject Rights Request, notify the DPO.
Section 3: Fulfilling Specific Types of Requests
I. Requests for Copies of Personal Data
Data Subjects have the right to request a copy of the Personal Data that NetEnrich stores about them. To respond, after identifying the Data Subject and the Personal Data, business and System owners must:
- Collect the relevant Personal Data from the Systems
- Generate and provide to the DPO a copy of the Data Subject’s Personal Data in an editable format (e.g., Word, Excel)
- If requested by the DPO, generate and provide to the Data Subject a copy of the Personal Data in Machine-Readable Format
II. Deletion Requests – Right to be forgotten
Data Subjects have the right to have their Personal Data deleted from Systems. To respond, after identifying the Data Subject and the Personal Data, business and System owners must:
- Hard delete the specific Personal Data elements or the Data Subject’s entire record from Systems (depending on nature of request)
- For front-end websites, apps, or other forums that make a Data Subject’s Personal Data public (e.g., message boards, leader boards), remove the Data Subject’s Personal Data from public view and delete the underlying data
- Where permitted and with appropriate guidance from the DPO, anonymize the Personal Data. Anonymization requires removing any Data Subject identifiers or pseudonymous data, such as name, email address, IP address, device ID, or third party ID.
Compliance with a deletion request should have the following result:
- Once a Data Subject’s Personal Data is deleted from the System, the System no longer passes that Data Subject’s Personal Data to other Systems
The following are not sufficient actions for deletion:
- Masking, delinking, or blacklisting data
- “Covering” data with a deletion record or note
- Setting an account to inactive
Exception: DPO will provide guidance related to deletion after it has evaluated whether NetEnrich has the right or obligation to retain the data for legal or other purposes, including legal hold, or other legal, security, and tax purposes.
III. Correction, Modification or Amendment Requests
Data Subjects have the right to have their Personal Data corrected, modified and amended. To respond, after identifying the Data Subject and the Personal Data, business and System owners must:
- Correct, amend or modify the Personal Data in the System
- Once a Data Subject’s Personal Data is corrected, modified or amended, the System must pass the modified data to any applicable downstream systems, such that the out of date data is overwritten with the new and/or updated data
IV. Request to Restrict Processing
Data Subjects have the right to restrict Processing of their Personal Data. To respond, after identifying the Data Subject and the Personal Data, business and System owners must either:
- Flag the applicable data in the System to omit it from data sets used for Processing activities OR
- Transfer the data to a different system/environment in order to ring-fence its use
In some cases, NetEnrich will treat a restriction of processing request in the same manner as a deletion request. Such determination will be provided by the DPO.
V. Portability Requests
Data Subjects have the right to have their Personal Data provided in a format that can be provided to another entity. To respond, after identifying the Data Subject and the Personal Data, business and System owners must:
- Collect relevant personal data from applicable Systems
- Generate a copy of the Personal Data in a Machine-Readable Format that can be provided to the Data Subject or another organization
Section 4: Logging and Tracking Data Subject Rights Requests
I. Logging Requests
DPO will keep records of the fulfillment of Data Subject Rights Requests.
System and business owners should retain and provide to the DPO evidence of:
- Copies, extracts, modifications, and/or deletions that were made to the Personal Data by category or field, not by value (e.g. that first name was changed, not that Susan was changed to Sue)
- The date the copy, extract, modifications, and/or deletions were made
II. Retention and Purging of Data
Personal data must be purged from Systems in accordance with the NetEnrich Record Retention Schedule:
- Records Management and the DPO may update and roll out a records retention schedule for business and System owners to follow
- Systems or procedures must be developed to facilitate purging of Personal Data in accordance with the retention schedule through either automated or manual means
- System and business owners must be careful to confirm that data is not subject to a legal hold before purging (consult the DPO if you are unsure whether a legal hold is in effect)
- Once Personal Data is purged in accordance with the retention schedule, it must no longer be available to the System or other Systems
Section 5: Auditing and Monitoring
I. Periodic Audits
Periodic audits may occur to verify compliance with this Policy.
II. Policy Violations
Data Subjects who violate this policy may be subject to disciplinary action, up to and including termination.
Section 6: Exceptions
There may be instances in which an exception to this Policy is required. Requests for exceptions must be documented in writing, have a justifiable business case, and be submitted to the DPO.
Deviations from the NetEnrich process for receiving and responding to a Data Subject Rights Request, as documented herein, will be treated as an exception and will be documented and stored by the DPO.
II. Employee Requests
Standard employee requests for information related to their employment relationship with NetEnrich (e.g. copies of paystubs, tax forms, performance reviews, etc.) will not constitute a Data Subject Rights Request. However, there will be instances in which some requests will constitute a Data Subject Rights Request and will be required to follow this Policy. Examples include where:
- The request presents a heightened risk to either the employee, another Data Subject or NetEnrich
- The employee and/or request may be part of an investigation or other legal action
- The request is outside the scope of typical employee requests
Consult with the DPO if you are unsure whether an employee request is within scope of this Policy.
Section 7: Storage and Retention
All information related to this Policy will be stored in the document repository in accordance with the NetEnrich Records Retention Policy and Records Retention Schedule.
Section 8: Appendices
APPENDIX 1 – DATA SUBJECT RIGHTS PROCESS FLOW