This document defines the process by which Lanetix supports its customers with data subject access requests (SARs), or handles such requests directly where a customer asks us to. It describes what Lanetix considers relevant to handling SARs efficiently and in compliance with the GDPR.
Lanetix processes data our customers enter into our products or instruct us to process on their behalf. Lanetix’s customers decide what to enter. Lanetix generally has no knowledge about what is being stored. However, our understanding is that typically the information includes business-related information about our customers’ customers (e.g. names, business addresses, work phone numbers, work email addresses etc.), prospects and/or sales leads.
Through our public Privacy Statement, Lanetix informs data subjects of their right to access their data. We provide an easily accessible mechanism through which such a request can be submitted: a dedicated email address, firstname.lastname@example.org.
Lanetix has this SAR policy in place and maintains internal procedures for handling SARs, which are kept accurate and are complied with. These include, among other elements, provisions on:
- Responsibilities (who and what)
- Changes to data
- Handling requests for rectification, erasure or restriction of processing.
Lanetix processes Customer Data pursuant to our subscription agreement. Our customers are the data controllers, and they are responsible for ensuring that personal data is easily accessible at all times so that SARs can be answered in a timely manner. We provide our customers with the tools to ensure that personal data on specific data subjects can be easily filtered.
Wherever possible, Lanetix applies standard responses to SARs, including our default response of referring the SAR to the applicable customer's responsible party.
Upon receipt of a SAR
Upon receipt of a SAR, verify whether or not Lanetix is the controller of the data subject's personal data. In nearly all cases, Lanetix is not the controller but merely a processor acting for a customer. Based on the information the data subject provides in the SAR, inform the data subject of our role as data processor and refer them to the actual controller.
Our customer, as the data controller, must take appropriate steps, such as:
- Verify the identity of the data subject; if needed, request any further evidence on the identity of the data subject.
- Verify the access request: is it sufficiently substantiated? Is it clear to the data controller what information is requested? If not, request additional information.
- Verify whether the request is manifestly unfounded or excessive (in particular because of its repetitive character); if so, you may refuse to act on the request or charge a reasonable fee.
- Promptly acknowledge receipt of the SAR and inform the data subject of any costs involved in the processing of the SAR.
- Verify whether you process the data requested. If you do not process any data on the data subject, inform the data subject accordingly. At all times make sure the internal SAR policy is followed and that progress can be monitored.
- Ensure data will not be changed as a result of the SAR. Routine changes as part of the processing activities concerned are permitted.
- Verify whether the data requested also contains data on other data subjects and make sure that data is filtered out before the requested data is supplied to the data subject; if it cannot be filtered out, ensure that those other data subjects have consented to the disclosure of their data as part of the SAR response.
Responding to a SAR
Lanetix aims to respond to a SAR within one month of receipt of the request:
- If more time is needed to respond to a complex request, an extension of a further two months is permissible, provided this is communicated to the data subject, together with the reasons for the delay, within the first month;
- If you do not take action on the data subject's request, inform the data subject of this decision without delay and at the latest within one month of receipt of the request.
Assisting Our Customers
If a SAR is submitted by electronic means, the information should, where possible, also be provided by electronic means, unless the data subject requests otherwise.
If data on the data subject is processed, make sure to include as a minimum the following information in the SAR response:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipients to whom the personal data has been or will be disclosed, in particular recipients in third countries or international organisations, including the appropriate safeguards applied to such transfers, such as Binding Corporate Rules or the EC standard contractual clauses (model clauses);
- where possible, the envisaged period for which personal data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of the right to request rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- if the data has not been collected from the data subject: the source of such data;
- the existence of any automated decision-making, including profiling and any meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Provide a copy of the personal data undergoing processing. If the data subject submitted the SAR electronically, the copy should be provided in a commonly used electronic form.
Correcting Our Customer’s Personal Data
This section defines the process for assisting our customers with correcting personal data, for which the customer is the controller, that is processed on systems for which Lanetix is responsible.
Our customers are the data controllers, and they are responsible for ensuring that personal data is easily accessible at all times so that it can be corrected in a timely manner. We provide our customers with the tools to ensure that personal data on specific data subjects can be easily corrected and maintained.
In the unlikely event that a customer needs assistance with correcting personal data processed on systems for which Lanetix is responsible, the customer must engage Lanetix Support or Professional Services to perform the correction.
Timeliness and Escalation Procedures
If a customer engages Lanetix Support or Professional Services to correct personal data, the terms of that engagement must define escalation procedures, response timelines and the process for rectification.
Lanetix Support or Professional Services will attempt to respond within one month of receipt of the request. If more time is needed for a complex request, an extension of a further two months may be necessary. The customer, as controller, remains responsible for communicating any such delay to the data subject in a timely manner, within the first month.