Data Subject Right Policy
1. Objective
The purpose of this document is to determine the protocol to be followed in order to comply with the rights of access, rectification, cancellation, forgetfulness, opposition, limitation of processing, portability, and opposition to automated decision-making of personal data held in the files owned by Leapfrog Technologies and Signetic.
The European General Data Protection Regulation (GDPR) contains the rights of the data subject, including clarifications and new rights. The Regulation also lays down specific conditions concerning the procedure to be followed in order to ensure that data subjects can exercise their rights.
The purpose of this procedure is to bring closer together and facilitate the procedure to be followed by Leapfrog Technologies and Signetic stakeholders in order to give effect to their rights in this area with regard to the personal data provided to the company.
2. Terms and Definitions
- Affected: The person to whom the data belongs.
- Communication or transfer of data: Any disclosure of data to a person other than the data subject.
- Consent of the data subject: Any expression of free, unequivocal, specific and informed will by which the data subject consents to the processing of personal data concerning him/her.
- Personal Data: Any information concerning identified or identifiable individuals.
- Right of Access: It is acknowledged that the interested party may request a copy of the personal data processed.
- Right to Erasure/to be forgotten: Request the cancellation of your data. You must take into account whether the data whose cancellation is requested is necessary and not erroneous, neither obsolete nor excessive, in the employment relationship.
- Right to restriction of processing: In the exercise of this right, the interested party can request that, to his personal data, temporarily or indefinitely, the operations of treatment that would correspond in each case are not applied.
- Right to object: With the exercise of this right, the owner of the data is opposed to the use of any personal data for a specific purpose. You must take into account whether the processing of the data to which you object is necessary in the employment relationship, because if it is, the organization will be authorized to refuse it.
- Right to data Portability: In the exercise of this right, the data subject may request that his/her data be transmitted from one party responsible to another, or to his/her person, in a structured, common and automated format that allows for its automated reading.
- Right to rectification: By exercising this right, the data subject communicates to the organization the data that have changed and no longer correspond to his person so that they can be modified or cancelled.
- Data processor: A natural or legal person, public authority, service or any other body which, alone or jointly with others, processes data on behalf of the controller. File: Any organized set of personal data, whatever the form or modality of its creation, storage, organization and access.
- Stakeholder: The person to whom the data belongs.
- Data processing: Operations and technical procedures of an automated or non-automated nature that allow for the collection, recording, storage, processing, modification, blocking and cancellation, as well as the transfer of data resulting from communications, queries, interconnections and transfers.
- Controller: Natural or legal person, public or private, or administrative body, who decides on the purpose, content and use of the processing.
- Applicant: Person to whom the data belongs.
Description of Data Subject Right
Personal data and processing
Any person shall have the right to request and obtain, free of charge, information on the personal data subject to processing, the origin of such data, as well as the communications made or planned. Additionally, the interested party may request the rectification, cancellation, opposition or portability of their personal data.
The rights will be exercised by means of a request addressed to the mailbox privacy@lftechnology.com or privacy@signetic.com.
No consideration is required for the exercise of the rights of the data subjects.
Right of Access
The data subject shall have the right to obtain confirmation from the Privacy Officer as to whether the data are being processed or transferred to a third country or to an international organization. In the event that the data subject requests a copy of the personal data processed, the Privacy Officer shall provide it in a common electronic format.
Right of Rectification
The data subject shall have the right to have inaccurate personal data concerning him corrected without undue delay by the controller. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data supplemented, including by an additional declaration.
Right to erasure (Right to be forgotten)
The data subject shall have the right to obtain without undue delay from the Privacy Officer the deletion of personal data concerning him/her. The Privacy Officer is obliged to delete personal data when:
- The data are not necessary for the purposes for which they were collected.
- Are obsolete.
- The data subject's consent to processing is withdrawn.
- Have been used in an unlawful manner.
Right to object
The data subject shall have the right to object at any time to the processing of his or her personal data, provided that such processing is lawful. You may object to the processing of your data for reasons related to your particular situation, when the processing is based on: direct marketing; profiling; legitimate interest of the data controller or third parties, provided that the interests or rights and freedoms of the data subject do not prevail, especially if you are a child; or the purposes of the processing are associated with: historical, statistical or scientific research, unless the processing is necessary for reasons of public interest.
Right to restriction of processing
The data subject shall have the right to obtain from the Privacy Officer the limitation of the processing of the data when any of the following conditions are met:
- The data subject contests the accuracy of the personal data.
- The processing is unlawful and the data subject objects to the deletion of the data and instead requests the limitation of their use.
- The data controller no longer needs the personal data for the purposes of processing, but the data subject needs them for the formulation, exercise or defence of claims.
- The data subject has opposed processing, while it is being checked whether the data controller's legitimate reasons prevail over the data subjects.
Right to data portability
The data subject shall have the right to have his or her data transmitted by the Privacy Officer to another Data Processor or to the data subject himself or herself, in a structured format for normal use and mechanical reading, when processing is carried out by automated means.
Right to object automated decision-making
The data subject shall have the right not to be the subject of a decision based solely on automated processing, including profiling, which has legal effect on him or affects him in a similar manner.
Data subject rights execution
- The Privacy Officer must inform the data subjects of the possibility of exercising the data subject's rights under the regulation.
- For the exercise of the rights, the template available on the website will be completed with the data of the person interested in exercising the rights and will be sent to the email address privacy@lftechnology.com or privacy@signetic.com.
- The information may be requested by the data subject or his or her legal representative (in cases of disability or minority), expressly by sending the form and a photocopy of the Identity Document to the mail to certify his or her representation and detailing, where appropriate, the data to which he or she wishes to have access or on which the Privacy Officer must act.
- In the event that the requirement of identification of the data subject is not met (e.g.: request requested by a person other than the data subject, lack of accreditation by the legal representative, etc.), the Privacy Officer informs the data subject in writing of the impossibility of attending to the request until it is identified as specified.
- Once the request is received, the Privacy Officer decides whether or not to accept it. In both cases, it communicates the decision to the person concerned in writing so that he or she can subsequently prove it (registered mail with acknowledgement of receipt).
- In case of dispute between data subject and the Privacy Officer, the request will be escalated to appropriate related entities for resolution.
- Likewise, in the event of acceptance, the Privacy Officer may also facilitate access to your data in the corresponding file through direct viewing by the interested party at the Privacy Officer's premises. In this case, the Privacy Officer issues a written statement stating, with the signature of the interested party, that the right of access has been exercised in form and time. All requests for the exercise of rights received from the data subject are duly recorded.
- In all cases, the Privacy Officer informs the Privacy Officer of the actions to be taken in relation to the requests received.
- In cases where the data have been collected or recorded by fraudulent, unfair or illicit means, the cancellation of the same always involves the immediate deletion, and never the blocking of the data. In any event, such deletion is carried out when possible contractual obligations are extinguished or when the law imposes on the maintenance of documents. This premise must be studied by the Privacy Officer and the sector involved before proceeding with any action.
Reply Deadlines
- Privacy Officer must answer all the requests received and analysed, regardless of whether or not the personal data of the data subject appear in his or her files or processing. To this end, it uses the reply formats mentioned in section "Exercise of these Rights" and any other means of proving that the message has been sent and received (registered letter with acknowledgement of receipt).
- To answer the requests received, whether estimated or not, the Privacy Officer has the following maximum deadlines:
Right Deadline Right of Access up to 1 month from receipt of the application Right to Rectification up to 1 month from receipt of the application. Right to object up to 1 month from receipt of the application. Right to restriction of processing up to 1 month from receipt of the application. Right to portability up to 1 month from receipt of the application. Right to object automated decision making up to 1 month from receipt of the application. - Once the aforementioned periods have elapsed, as appropriate, without the Privacy Officer expressly responding to the requests, these may be considered rejected and the applicant may lodge the corresponding complaint with the corresponding data protection agency and take legal action.
Refusal the exercise the rights of the data subject
- The Privacy Officer may deny access to files or processing when:
- The data subject has already exercised his right within a period of less than twelve months and there is no evidence of a legitimate interest to that effect.
- The request has been made by a person other than the affected person (only in cases of disability and minority of the affected person, when it is not proven that he or she is the legal representative).
- The Privacy Officer can only refuse the rectification, opposition or cancellation or forgetfulness of the files or processing when:
- The request has been made by a person other than the affected person (only in cases of disability and minority of the affected person, when it is not proven that he or she is the legal representative).
- The cancellation causes damage to the legitimate interests of the affected party or third parties.
- There is an obligation to retain the data.