Data Subject Access Request Policy
1.0 Purpose
The purpose of this document is to outline SproutLoud’s policy in relation to the management of data subject access requests. A subject access request enables a data subject to gain access to any personal information held about them by SproutLoud. It promotes the right of data subjects to submit a subject access request in order to obtain a copy of such information held about them, in electronic or hard copy form, by SproutLoud, as the data controller. It also outlines the procedure to be followed by data subjects when submitting a data access request to SproutLoud.
2.0 Scope
This policy outlines how SproutLoud will meet its legal obligations under the European Union General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) upon receipt of a data access request. This policy applies to any request of data surrounding Personal Information in accordance with our Privacy Policy found here: www.sproutloud.com/legal/privacy.
3.0 Exclusions
This policy covers data access requests where SproutLoud acts as the Controller of the information being requested. For data subjects needing to make a request of a business that uses SproutLoud technology or services, whereas SproutLoud acts as a Data Processor, the data subject should make the request directly of the business. In such cases, SproutLoud will fulfill such data subject access request through the business to provide to the data subject, in accordance with this policy.
4.0 Ownership
The Data Subject Access Request Policy is maintained by SproutLoud’s Data Protection Officer (DPO), who is responsible for dealing with all subject access requests received by the organization. All questions or comments related to this policy or a specific subject access request should be directed to the DPO.
5.0 What is a data subject access request?
A data subject access request is a written or verbal request for personal information (known as personal data) held about you by SproutLoud.
In particular you have the right to the following information:
1. The data itself in a permanent and intelligible format
2. The purposes of the processing (what are we using your data for?)
3. The categories of personal data concerned (categories such as: name, address, email address, date of birth etc)
4. The recipients or categories of recipients to whom the personal data have been or will be disclosed (are we sharing your information with anyone else?)
5. Where possible, the period for which the personal data will be stored, or, if not possible, the criteria used to determine that period (how long are we keeping your
data?)
6. The existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data
subject or to object to such processing (the right to object to having your data processed, and to have data erased or corrected upon request)
7. The right to lodge a complaint with a supervisory authority
8. Where the personal data is not collected from the data subject, any available information as to their source (if we didn’t collect the data from you, where did we
get it?)
9. The existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the
consequences of such processing for the data subject.
6.0 Ownership and Responsibilities
To allow us to respond promptly to any data subject access request we ask you to:
– Either, fill out the Access Request Form, available here, or call (877) 757-3727.
– Please complete, sign and date the form and be specific as possible about the information you wish to access.
– Attach a photocopy of your proof of identity and address to the Access Request Form.
– Send the completed request form, along with the proof of identity and address either electronically to [email protected], or by post to SproutLoud
– If you cannot download the Data Subject Access Request Form from the internet or complete the online form please write to us requesting a form from: DPO, SproutLoud Media Networks, LLC 15431 SW 14th Street Sunrise, FL 33326 and we shall send you a copy by return mail. Use of the Data Subject Access Request Form is not mandatory. However, completing the form should enable us to process your request more efficiently.
7.0 Definitions
We will first check that we have enough information to be sure of your identity. Usually we will have no reason to doubt a person’s identity. However, in rare cases we may request additional evidence we reasonably need to confirm your identity. We do this to ensure that we only disclose information about personal data to the data subject. We will then check that we have enough information to find the records you requested. If we feel we need more information, then we will promptly ask you for this. We will then conduct a full search of all our relevant databases and filing systems and collect all data relevant to the subject access request. Provided that none of the restrictions in the applicable regulation apply, we will then share with you the data and the additional information that you are entitled to. The default position is that you will get a hard copy of the information in a permanent and intelligible format unless the supply of such a copy is not possible or would involve disproportionate effort, or you have agreed otherwise. Any terms which are not intelligible without an explanation will be accompanied by an explanation. The copy of the requested material will be dispatched by secure, registered delivery, and we will seek timely confirmation from you, as the data subject on receipt of the material.
8.0 Are there any fees payable?
In most instances there will be no charge, but we reserve the right, if the applicable binding regulation associated with the data subject access request permits, to charge a fee or refuse the request if it is considered to be “manifestly unfounded or excessive”. Subsequent copies may incur a reasonable fee based on administrative costs.
9.0 How long does it take to process my request?
All valid data subject access requests, once submitted with valid proof of identity and any other information necessary to comply with the request, will be dealt within 45 days for California Residents (CCPA) and 30 days for EU residents (GDPR).
10.0 Annual review.
This policy will be reviewed at least annually by the DPO to ensure alignment to appropriate risk management requirements and its continued relevance to current and planned operations, or legal developments and legislative obligations.
11.0 Revision History
Date of Change |
Responsible |
Summary of Change |
October 2019 |
Anjan Upadhya |
Initial Release |