When operating the Rainbow Services, ALE acts as a data processor and does so only upon receiving instructions from the data controller.
When ALE is instructed to process a data subject request on behalf of a data controller, such a request is deemed valid only when all of the following conditions are met:
- it has been authenticated (the requestor is entitled to submit such a request) by the data controller,
- it has been validated by the data controller prior to being handed over to ALE,
- both ALE and the instructing data controller agree that the latter has no possibility of meeting the data subject request by itself; only then does ALE assist the data controller,
- the instruction is compliant with applicable laws and regulations, and
- it is processable by ALE (the request can have an answer).
Individuals' rights
An individual who makes a valid subject access request to their data controller, which then instructs ALE under the conditions set forth in 1.2, is entitled:
- to be informed whether ALE holds and is processing personal information about that person;
- to be given a description of the categories of personal information processed, the purposes for which they are being held and processed and the recipients or classes of recipients to whom the information is, or may be, disclosed by ALE;
- to obtain rectification without undue delay of inaccurate personal information the Controller may process about them;
- to obtain erasure of personal information, to restrict or to object to the processing on certain legal grounds, and to lodge a complaint with a data protection authority;
- to receive personal information about them from the Controller in a structured, commonly used and machine-readable format and to transmit that information to another Controller, if certain grounds apply...
Process
Receipt of a subject access request.
- If ALE receives any request from an individual, ALE will make reasonable efforts to identify the data controller of this individual and will redirect the request to the data controller.
- The data controller should send a valid request to the ALE Data Privacy Office at dataprivacy@al-enterprise.com immediately upon receipt, indicating the date on which it was received, together with any other information which may assist the ALE Data Privacy Office in dealing with the request.
- The request must be made in writing (a), which can include email.
- ALE must respond to a valid request within forty (40) calendar days (or any shorter period as may be stipulated under local law) of receipt of that request.
- (a) Unless the local data protection law provides that an oral request may be made, in which case ALE will document the request and provide a copy to the individual making the request before dealing with it.
ALE’s Search and the Response
- The ALE Data Privacy Office will arrange a search of all relevant electronic and paper filing systems.
- The ALE Data Privacy Office may refer any complex cases to the Data Protection Officer (DPO) for advice, particularly where the request includes information relating to third parties or where the release of personal information may prejudice commercial confidentiality or legal proceedings.
- The information requested will be collated by the ALE Data Privacy Office into a readily understandable format (internal codes or identification numbers used at ALE that correspond to personal information shall be translated before being disclosed). The ALE Data Privacy Office will prepare a covering letter that includes the information required to be provided in response to a subject access request.
- Where the provision of the information in permanent form is not possible or would involve disproportionate effort, there is no obligation to provide a permanent copy of the information. The other information referred to in section 2.1 above must still be provided. In such circumstances the individual may be offered the opportunity to have access to the information by inspection or to receive the information in another form.