Data Subject Rights Procedure

Date Implemented: 01 January 2024

Date Last Updated: 01 January 2024

  1. Introduction

This procedure outlines the steps and guidelines for handling data subject rights requests to ensure compliance with applicable data protection laws. The purpose is to protect individuals’ privacy rights, provide transparency, and enable efficient responses to such requests. This procedure must be adhered to by all personnel who handle or come across any request by a data subject seeking to exercise a data protection right. GeoPoll shall take all the relevant steps needed to enable the rights of data subjects. These measures shall include mapping out all communication channels through which requests may be made, training all employees on what data subject rights are, and setting clear guidelines on timelines for a prompt response to any request received.

  2. Types of Data Subject Rights

Data subject rights include but are not limited to:

a) Right to know if personal data is held by GeoPoll.

b) Right to receive a description and, if permissible and practical, a copy of the data held about them.

c) Right to be informed about the purpose(s) and source(s) of the data processing.

d) Right to know if the data is being disclosed to third parties and the identity of those recipients.

e) Right to data portability, allowing transfer of personal data to the data subject or a third party in a machine-readable format (Word, PDF, etc.), subject to specified conditions.

f) Right to be informed about automated decision-making based on personal data and the ability to request human intervention.

3. Submission of Data Subject Rights Requests

a) Data subject rights requests can be made through various methods, including but not limited to email, fax, post, corporate website, or any other permissible method as outlined by GeoPoll.

b) Requests made online should be treated with the same level of attention and confidentiality as requests received through other channels.

c) All employees / contractors manning any social media pages must ensure that no personal information is provided via social media channels.

4. Validity and Responding to Data Subject Rights Requests

a) To ensure timely responses, data subjects should submit requests using a Data Subject Access Request (DSAR) Form, as captured on the website, or by completing the DSAR Form outlined under the Data Protection (General) Regulations 2021. For GeoPoll’s purposes, the DSAR Form format will be a simple email request identifying the requester, his/her mobile number and other contact information, and further information specifying the nature of the request being made.

b) To validate the requester’s identity, GeoPoll may require sufficient information and documentation from the data subject. This information shall include any identification document such as a passport or a National Identity Card. When verifying the data subject’s identity, GeoPoll shall not ask for information beyond what is necessary to fulfill the purpose of verification.

c) GeoPoll will generally provide responses to requests that are in writing or in other permissible formats and from individuals whose identity can be verified. Where a request is received in a format other than writing, the recipient of the request shall ensure that it is documented in writing and that a chain of custody is maintained for audit purposes.

e) Specific and targeted requests are more likely to be successful, and data subjects should consider identifying the likely holder of the requested information to help narrow the scope of the search (where possible).

f) GeoPoll will respond to data subject rights requests as soon as possible, and no later than 30 calendar days after receiving the request, unless local legislation dictates otherwise.

5. Data Portability Requirements

a) Data subjects requesting data portability must meet the following conditions:

i) The data subject provided the data to GeoPoll.

ii) The data is processed automatically.

iii) The data is processed based on consent or fulfillment of a contract.

b) GeoPoll will fulfill valid data portability requests by providing the requested data in a machine-readable format (Word, PDF, etc.) where feasible and in accordance with applicable legal requirements.

6. Record-keeping and Retention

a) GeoPoll will maintain records of data subjects’ rights requests, including relevant documentation, correspondence, and actions taken to fulfill the requests.

b) These records will assist in demonstrating compliance with data protection laws and inform improvements to the procedure. For the avoidance of doubt, records should normally be maintained for five (5) years.

7. Regular Procedure Review

a) GeoPoll will periodically review this procedure to ensure its effectiveness and compliance with changes in data protection laws.

b) Updates or revisions will be made as necessary to reflect evolving legal requirements and best practices.

8. Responsibilities & Consequence Management

a) This procedure shall be implemented by the Data Protection Officer (DPO) supported by the Operations, HR, Legal, and other risk departments.

b) Any act of non-compliance with this procedure, whether intentional or unintentional, shall attract disciplinary action against the person involved and, in repeat cases, could lead to the termination of the contract of the employee / contractor.

c) The DPO and the HR department shall ensure that all staff are properly trained on data protection, particularly on data subject access requests and how to respond to them. A schedule of the trainings undertaken shall be kept in the custody of the HR department and shall be produced to the supervisory authority or auditors upon request.
