DATA PROTECTION POLICY
November 20, 2021
It is important that you take the time to familiarize yourself with the general aspects of Data Protection contained in this policy, as well as with any specific measures recommended by your department and relevant to the particular nature of your work. Further information and advice may be obtained from the Data Protection Officer.
Gaëtan Bio
Chemin du Creux-Bechet 6, 1096 Villette, Switzerland T: +41 (0)79 847 91 55
INTRODUCTION
In our day-to-day operations, we all create, gather, store and process large amounts of data on a variety of data subjects, such as staff, suppliers and members of the public. Our use of personal data ranges from the processing of website users’ details throughout their journey, from registration through to the effective use of the various functions on the My Eco Best Friend Platform, to the GPS tracker for eco-mobility, or financial transactions related to purchases on the eco-shop, regardless of whether we do it electronically or by stuffing paper into filing cabinets.
As our recording and use of data continues to increase and we take data privacy ever more seriously, it is more important than ever that every member of the My Eco Best Friend company understands the laws that exist in relation to data protection and our responsibilities in ensuring that data is secured and processed in line with these laws.
SCOPE
The policy applies to all the staff of My Eco Best Friend and all other computer and network users authorized by My Eco Best Friend. It relates to their use of any My Eco Best Friend facilities; to all private systems when connected to the My Eco Best Friend network; to all My Eco Best Friend-owned or licensed data and programs (wherever stored); and to all data and programs provided to My Eco Best Friend by third parties (wherever stored). The policy also relates to paper files and records created for the purposes of My Eco Best Friend.
This policy comprises the internationally accepted data privacy principles, as covered by the EU General Data Protection Regulation (GDPR), without replacing existing national policy. If there is any reason to believe that legal obligations contradict the duties under this policy, the Data Protection Officer must be informed.
KEY DEFINITIONS
Consent means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by statement or other clear affirmative action, signifies agreement to the processing of personal data relating to him or herself. The GDPR clarifies that silence, pre-ticked boxes or inactivity do not constitute consent.
Data Controller means the legally independent company of the My Eco Best Friend group, whose business activity determines the means and purpose of the relevant processing measure.
Data Processor means the entity that processes data on behalf of the Data Controller.
Data subject means any natural person whose data can be processed. In some countries, legal entities can be data subjects as well.
GDPR means EU General Data Protection Regulation 2016/679.
Personal data means the information that My Eco Best Friend holds about a data subject, and which identifies him/her or could identify him/her when combined with other data which My Eco Best Friend either holds or is likely to obtain.
Processing includes obtaining/collecting, recording, holding, storing, organizing, adapting, aligning, copying, transferring, combining, blocking, erasing, and destroying the information or data, whether by automated means or not. It also includes carrying out any operation or set of operations on the information or data, including retrieval, consultation, use and disclosure. Any actions on personal data must be considered as data processing.
Sensitive personal data means data about racial and ethnic origin, political opinions, religious or philosophical beliefs, union membership or the health and sexual orientation of the data subject. Moreover, data that relates to a crime can often be processed only under special requirements under national law.
My Eco Best Friend means My Eco Best Friend Sàrl. The company has no subsidiary companies.
GENERAL PRINCIPLES
My Eco Best Friend is responsible for demonstrating that personal data is at any time:
processed lawfully, fairly and in a transparent manner
held only for specified, explicit and legitimate purposes and not used or disclosed in any way incompatible with those
adequate, relevant, and not excessive in relation to the purpose for which it is
accurate and kept up to date.
not kept for longer than necessary for the situation
processed in accordance with data subject’s
kept secure and not transferred outside the territory covered by the European Economic Area (EEA) and Switzerland without the assurance of an adequate level of protection.
RELIABILITY OF DATA PROCESSING
Processing personal data is permitted only under one of the following legal bases. One of these legal bases is also required if the purpose of processing the personal data is to be changed from the original purpose.
Employee’s personal data
Data processing for the employment relationship
In employment relationships, personal data can be processed if needed to initiate, carry out and terminate the employment agreement. When initiating an employment relationship, the applicants’ personal data can be processed. If the candidate is rejected, their data must be deleted in observance of the required retention period, unless the applicant has agreed to remain on file for a future selection process. Consent is also needed to use the data for further application processes or before sharing the application with other My Eco Best Friend contacts. If it should be necessary during the application procedure to collect information on an applicant from a third party, consent must be obtained from the data subject.
Data processing pursuant to legal provisions
The processing of personal employee data is also permitted if applicable legislation requests, requires or authorizes it. The type and extent of data processing must be necessary for the legally authorized data processing activity and must comply with the relevant legal provisions. If there is some legal flexibility, the interests of the employee that merit protection must be taken into consideration.
Data processing pursuant to legitimate interest
Personal data can also be processed if it is necessary to enforce a legitimate interest of My Eco Best Friend. Legitimate interests are generally of a legal (e.g. filing, enforcing, or defending against legal claims) or organizational or financial (e.g. valuation of companies) nature. Before data is processed, it is necessary to determine whether a My Eco Best Friend legitimate interest is overridden by any interests or rights of the individual because, if so, we should not process Personal Data on this basis. The legitimate interest of My Eco Best Friend and any interests of the data subject must be identified and documented before any measures are undertaken.
Consent to data processing
Employee data can be processed upon consent of the data subjects concerned. Declarations of consent must be submitted voluntarily. Involuntary consent is void. Before giving consent, the data subject must be informed in accordance with this policy. The declaration of consent must be obtained in writing or electronically for the purposes of documentation.
Processing of Sensitive personal data
Sensitive personal data can be processed only under certain conditions. The processing must be expressly permitted or prescribed under national law. Additionally, processing can be permitted if it is necessary for the responsible authority to fulfil its rights and duties in the area of employment law. The employee can also expressly consent to processing. If there are plans to process Sensitive personal data, the Data Protection Officer must be informed.
Automated decisions
If personal data is processed automatically as part of the employment relationship, and specific personal details are evaluated (e.g. as part of the hiring process or the evaluation of skills profiles), this automatic processing cannot be the sole basis for decisions that would have negative consequences for the affected data subject. To avoid erroneous decisions, the automated process must ensure that a natural person evaluates the content of the situation, and that this evaluation is the basis for the decision. The data subject must also be informed of the facts and results of automated individual decisions and of the possibility to respond. My Eco Best Friend must also ensure that all profiling and automated decision-making relating to a data subject is based on accurate data.
Telecommunications and internet
Telephone equipment, e-mail addresses, intranet and internet along with internal social networks are provided by My Eco Best Friend primarily for work-related assignments. They are a tool and can be used within the applicable legal regulations and internal My Eco Best Friend policies, including the Information Technology Policy. There will be no general monitoring of telephone and e-mail communications or intranet/internet use. To defend against attacks on the IT infrastructure or individual users, protective measures can be implemented for the connections to the My Eco Best Friend network that block technically harmful content or that analyse attack patterns. For security reasons, the use of telephone equipment, e-mail addresses, the intranet/internet and internal social networks can be logged for a temporary period. Evaluation of this data for a specific person can be made only in a concrete, justified case of suspected violations of laws or policies of My Eco Best Friend. The evaluations can be conducted only by investigating departments while ensuring that the principle of proportionality is met. The relevant national laws must be observed in the same manner as the My Eco Best Friend regulations.
Other parties’ personal data (including website users, suppliers, sponsors, partners…)
Data processing for a contractual relationship
Personal data of the website users, sponsors, suppliers, and partners can be processed in order to establish, execute and terminate a contract. Prior to a contract – during the contract initiation phase – personal data can be processed to prepare purchase orders or to fulfil other requests of the data subject that relate to contract requirements.
Consent to data processing
Data can be processed following consent by the data subject. Before giving consent, the data subject must be informed in accordance with this policy. The declaration of consent must be obtained in writing or electronically, as the granting of consent must be documented. Where the data subject is a child, consent must be sought from the person who holds parental responsibility over the child. The age by which an individual is designated a child varies between 13 and 16 in accordance with national law.
Data processing for advertising purposes
As a general rule My Eco Best Friend will not send promotional or direct marketing material to My Eco Best Friend contacts through digital channels such as mobile phones, email and the Internet without first obtaining their consent. If the data subject contacts My Eco Best Friend to request information (e.g. a request to receive information material about courses), data processing to meet this request is however permitted. When communicating with the data subject, consent shall be obtained from him/her to process the data for advertising purposes, and the data subjects must be given the opportunity to remove themselves from lists or databases used for direct marketing purposes at any time (e.g. an unsubscribe link). If the data subject refuses the use of his/her data for advertising purposes, it can no longer be used for these purposes and must be blocked from such use so that we cease immediately; their details should be kept on a suppression list with a record of their opt-out decision, rather than being completely deleted. Any other restrictions from specific countries regarding the use of data for advertising purposes must be observed. In particular, direct marketing must also comply with the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) and in particular the e-privacy Directive as amended, which covers marketing via telephone, text and email. The e-privacy Directive has now been superseded by a new ePrivacy Regulation probably to sit alongside the GDPR.
Data processing pursuant to legal authorization
The processing of personal data is also permitted if national legislation requests, requires or allows it. The type and extent of data processing must be necessary for the legally authorized data processing activity, and must comply with the relevant statutory provisions. If there is some legal flexibility, the interests of the data subject that merit protection must be taken into consideration.
Data processing pursuant to legitimate interest
Personal data can also be processed if it is necessary for a legitimate interest of My Eco Best Friend. Legitimate interests are generally of a legal or commercial nature (e.g. health and safety, use of the eco-shop). Before data is processed, it is necessary to determine whether My Eco Best Friend’s legitimate interest is overridden by any interests or rights of the individual because, if so, we should not process Personal Data on this occasion. The legitimate interest of My Eco Best Friend and any interests of the data subject must be identified and documented before any measures are taken.
Processing of Sensitive personal data
Sensitive personal data can be processed only if the law requires this or the data subject has given express consent. If there are plans to process Sensitive data, the Data Protection Officer must be informed.
Automated individual decisions
Automated processing of personal data that is used to evaluate certain aspects (e.g. creditworthiness, anti-corruption risk) cannot be the sole basis for decisions that have negative legal consequences or could significantly impair the data subject. The data subject must be informed of the facts and results of automated individual decisions and the possibility to respond. To avoid erroneous decisions, a test and plausibility check must be made by a My Eco Best Friend representative who must also ensure that all profiling and automated decision-making relating to a data subject is based on accurate data.
User data and internet
If personal data is collected, processed and used on websites or apps, the data subjects must be informed of this in a privacy statement. The privacy statement and any cookie information must be integrated so that it is easy to identify, directly accessible and consistently available for the data subjects. If use profiles (tracking) are created to evaluate the use of websites and apps, the data subjects must always be informed accordingly in the privacy statement. Personal tracking may only be effected upon consent of the data subject. If tracking uses a pseudonym, the data subject should be given the chance to opt out in the privacy statement. If websites or apps can access personal data in an area restricted to registered users, the identification and authentication of the data subject must offer sufficient protection during access to the website or app.
Data Retention
Personal data must only be kept for the length of time necessary to perform the processing for which it was collected. Once information is no longer needed it should be disposed of. Paper records should be shredded or disposed of in confidential waste and electronic records should be permanently deleted.
Users of personal data are responsible for ensuring the appropriate retention periods for the information they hold and manage, based on My Eco Best Friend guidance. Retention periods will be set based on legal and regulatory requirements and good practice.
If data is fully anonymized, then there are no time limits on storage from a data protection point of view as the GDPR does not apply to anonymized data.
Data Transmission
Transmission of personal data to recipients outside or inside the My Eco Best Friend company is subject to the authorization requirements for processing personal data. If data is transmitted by a third party to My Eco Best Friend, it must be ensured that the data can be used for the intended purpose.
In order for My Eco Best Friend to carry out its operations effectively, there may be occasions when it is necessary to allow access to the personal data from an overseas location. Should this occur, the My Eco Best Friend entity sending the personal data remains responsible for ensuring protection for that personal data.
As a general rule personal data should not be passed on to third parties, particularly if it involves Sensitive personal data as certain conditions need to be met before personal data can be shared with a third party or before an external provider is used to process data on behalf of My Eco Best Friend.
Where an external provider is hired to process personal data, without being assigned responsibility for the related business process (as a processor), the following requirements must be complied with:
the provider must be chosen based on its ability to cover the required technical and organizational protective measures. A provider can document its compliance with data security requirements in particular by presenting suitable certification; and
a data processing agreement must be concluded covering the guidance on data processing and the responsibilities of the controller and external provider (as a processor).
An external provider may also be a data controller and the agreement between My Eco Best Friend and such a provider should clarify each party’s responsibilities in respect to the personal data.
Assurance of such compliance must be obtained from all external providers, whether companies or individuals, prior to granting them access to personal data controlled by My Eco Best Friend.
As a general rule, you should always consult with the Legal department if you are entering into a new contract that involves the sharing or processing of personal data (see the Contract Management Policy) or when you receive requests for personal information from third parties such as relatives, police etc…
The Data Protection Steering Committee (as described in Section 13.1) shall conduct regular audits of the processing of personal data performed by external providers and other third parties, especially in respect of technical and organizational measures. Any major deficiencies identified will be reported to and monitored by the Executive Committee.
Transfers of Personal Data Outside the EU
Personal data can only be transferred out of Switzerland or the EEA (third country) under certain conditions. Information published on the internet must be considered to be an export of data outside the EU. This also covers data stored in the cloud unless the service provider explicitly guarantees data storage only takes place within the EU.
In the event of a cross-border data processing agreement, one of the following requirements must be met:
a European Commission decision provides that the country or territory to which the transfer is made ensures an adequate level of protection;
the transfer is subject to one or more of the “appropriate safeguards” for international transfers prescribed by applicable law (e.g. standard data protection clauses adopted by the European Commission); or
there exists another situation where the transfer is permitted under applicable law (e.g. where we have explicit consent).
Records of Processing Activities
As a data controller My Eco Best Friend is required to maintain records of processing activities which covers all the processing of personal data carried out by My Eco Best Friend. Amongst other things these records contain details of why the personal data is being processed, the types of individuals about whom information is held, who the personal information is shared with and when personal information is transferred to countries outside the EU.
My Eco Best Friend has been working on a set of Records of Data Processing Activities:
Staff data (including candidates and previous staff).
Website user data and
Data subjects other than staff and website users.
These records are kept by the Data Protection Officer.
Staff embarking on new activities involving the use of personal data and that is not covered by one of the existing records of processing activities should inform the Data Protection Officer before starting the new activity.
Data Subject Rights & Access Requests
As part of our duty of transparency and in order to help data subjects to understand how and why we collect their personal data and what we do with it, My Eco Best Friend has issued Privacy notices that are available to the following stakeholders on myecobestfriend.com:
staff;
website users (clients, visitors, sponsors, partners, suppliers).
Any processing of data beyond the scope of the standard privacy notices, or processing of the personal data of any other individuals will mean that a separate privacy notice needs to be issued.
These privacy notices also explain the decisions that the data subjects can make about their personal data which cover the following rights guaranteed by the GDPR:
Right to access and portability – Data subjects have the right to access personal data and request that personal data is provided in a structured, commonly used, and machine-readable form (so it can be sent to another data controller for instance).
Right to rectification & data quality – Data subjects have the right to require us to rectify inaccuracies in personal data held about them. Regular data quality checks should be completed to provide assurances on the accuracy of the data.
Right to restrict data processing activities – Data subjects have the right to require us to restrict our data processing activities (and, where our processing is based on his/her consent, he/she may withdraw that consent, without affecting the lawfulness of our processing based on consent before its withdrawal).
When processing is restricted, we are permitted to store the personal data, but not further process it;
Right to object – Data subjects have the right to object to specific types of processing which includes processing for direct marketing. The data subject needs to demonstrate grounds for objecting to the processing relating to their particular situation except in the case of direct marketing where it is an absolute right. Online services must offer an automated method of objecting.
Rights in relation to automated decision making and profiling – The right relates to automated decisions or profiling that could result in significant effects on an individual. Profiling is the processing of data to evaluate, analyse or predict behaviour or any feature of behaviour, preferences or identity. Individuals have the right not to be subjected to decisions based solely on automated processing. When profiling is used, measures must be put in place to ensure the security and reliability of services.
Right to be forgotten (erasure) – Individuals have the right to have their data erased in certain situations such as where the data are no longer required for the purpose for which they were collected, the individual withdraws consent or the information is being processed. There is an exemption to this for scientific or historical research purposes or statistical purposes if the erasure would render impossible or seriously impair the achievement of the objectives of the research.
The above rights are not absolute, and the availability of rights largely depends on the legal justification for data processing.
We must verify the identity of the person making the request to confirm that the requestor is the data subject or their authorized legal representative. Any requests made to invoke any of the rights above must be dealt with free of charge, promptly and in any case within 30 days of receiving the request.
Members of staff should act according to the Data Subject Request Handling Procedure attached as Schedule A and consult the Data Protection Officer in case of any doubt.
Data Security
Personal data must be safeguarded from unauthorized access and unlawful processing or disclosure, as well as accidental loss or modification. This applies regardless of whether data is processed electronically or in paper form. This includes implementing technical and organizational measures for protecting personal data such as:
Anonymization, which is the process of removing personal identifiers, both direct and indirect, that may lead to an individual being identified. Individuals may be directly identified from their name, address, postcode, telephone number, photograph or image, or some other unique personal information. Individuals may also be indirectly identifiable when certain information is linked together with other sources of information, including, their place of work, job title, salary, their postcode or even the fact that they have a particular diagnosis or condition.
While there may be incentives to process data in anonymized form, this technique may devalue the data, so that it is no longer useful for some purposes. Therefore, before anonymization, consideration should be given to the purposes for which the data is to be used.
Pseudonymization, which is defined under the GDPR as “the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and subject to technical and organizational measures to ensure non-attribution to an identified or identifiable individual”. While the GDPR does not apply to anonymised information, it does still apply to pseudonymised information.
Encryption, which is the process of converting information or data into code, to prevent unauthorised access.
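The distinction between the first two measures above is easiest to see in code. The following is an added illustration, not part of the policy or of any My Eco Best Friend system: it pseudonymizes a handful of constructed records with a keyed token and keeps the key and lookup table as the separately held “additional information”, then anonymizes the same records by removing direct identifiers, generalizing the indirect ones (postcode area, age band) and suppressing any combination that is still unique. The record set, the HMAC-based tokenization, and the k = 2 threshold are all assumptions chosen for the demonstration.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records (fictional people): direct identifiers (name, email),
# indirect identifiers (postcode, age, job title) and a sensitive attribute (diagnosis).
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.org", "postcode": "1096 Villette", "age": 34, "job": "Engineer", "diagnosis": "asthma"},
    {"name": "Bob Example", "email": "bob@example.org", "postcode": "1096 Villette", "age": 38, "job": "Accountant", "diagnosis": "none"},
    {"name": "Carol Example", "email": "carol@example.org", "postcode": "1003 Lausanne", "age": 52, "job": "Designer", "diagnosis": "diabetes"},
    {"name": "Dan Example", "email": "dan@example.org", "postcode": "1003 Lausanne", "age": 55, "job": "Driver", "diagnosis": "none"},
    {"name": "Eve Example", "email": "eve@example.org", "postcode": "1211 Geneve", "age": 41, "job": "Nurse", "diagnosis": "migraine"},
]

DIRECT_IDENTIFIERS = ("name", "email")
QUASI_IDENTIFIERS = ("area", "age_band")  # fields that remain after generalization and could be linked


def pseudonymize(records, key):
    """Replace direct identifiers with a keyed token (HMAC-SHA256 over the e-mail).

    Returns (pseudonymized_records, lookup). The key and the lookup table are the
    'additional information' in the GDPR definition: they must be stored apart
    from the output and under their own access controls, otherwise the output is
    trivially re-attributable. Pseudonymized data is still personal data.
    """
    output, lookup = [], {}
    for rec in records:
        token = hmac.new(key, rec["email"].lower().encode(), hashlib.sha256).hexdigest()[:16]
        lookup[token] = {field: rec[field] for field in DIRECT_IDENTIFIERS}
        pseudo = {field: value for field, value in rec.items() if field not in DIRECT_IDENTIFIERS}
        pseudo["subject_id"] = token
        output.append(pseudo)
    return output, lookup


def reidentify(pseudo_record, lookup):
    """Re-attribute a pseudonymized record; only possible with the separately held lookup."""
    original = {field: value for field, value in pseudo_record.items() if field != "subject_id"}
    original.update(lookup[pseudo_record["subject_id"]])
    return original


def generalize(records):
    """Drop direct identifiers and coarsen the indirect ones: keep only the postcode
    number, replace the exact age with a ten-year band, drop the job title."""
    generalized = []
    for rec in records:
        decade = (rec["age"] // 10) * 10
        generalized.append({
            "area": rec["postcode"].split()[0],
            "age_band": f"{decade}-{decade + 9}",
            "diagnosis": rec["diagnosis"],
        })
    return generalized


def is_k_anonymous(records, quasi_identifiers, k):
    """True if every combination of quasi-identifier values occurs at least k times."""
    counts = Counter(tuple(rec[q] for q in quasi_identifiers) for rec in records)
    return all(count >= k for count in counts.values())


def anonymize(records, k=2):
    """Generalize, then suppress any record whose quasi-identifier combination is
    still rarer than k: a lone 40-49 year old in one postcode area would otherwise
    remain identifiable by linking to another source. The dropped record is the
    loss of utility the policy warns about."""
    generalized = generalize(records)
    counts = Counter(tuple(rec[q] for q in QUASI_IDENTIFIERS) for rec in generalized)
    return [rec for rec in generalized if counts[tuple(rec[q] for q in QUASI_IDENTIFIERS)] >= k]


if __name__ == "__main__":
    pseudo, lookup = pseudonymize(RECORDS, b"constructed-demo-key")
    print(pseudo[0])
    print(reidentify(pseudo[0], lookup)["email"])
    print(is_k_anonymous(generalize(RECORDS), QUASI_IDENTIFIERS, 2))  # False: Eve's group is unique
    print(is_k_anonymous(anonymize(RECORDS), QUASI_IDENTIFIERS, 2))   # True after suppression
```

Note that the same key always yields the same token for the same person, which is what lets pseudonymized datasets be joined for legitimate purposes and is also why the key must be protected and rotated like any other secret; a different key produces unrelated tokens.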
Responsible departments should regularly consult with the Chief Information Security Officer as the technical and organizational measures for protecting personal data must also be adjusted continuously to the technical developments and organizational changes that occur.
As part of the GDPR ‘privacy by design’ requirement and to ensure that privacy and protection of data is not an afterthought, when designing new systems or processes and/or when reviewing or expanding existing systems or processes, each of them must go through the Idea to Project approval process, which contains a gate that ensures that any data privacy considerations have been made.
For some projects the GDPR also requires that a Data Protection Impact Assessment (DPIA) is carried out. The types of circumstances when this is required include those involving processing of large amounts of personal data or monitoring of publicly accessible areas (e.g. CCTV). The DPIA is a mechanism for identifying and examining the impact of new initiatives and putting in place measures to minimize or reduce risks, and an exercise that must be duly documented.
The “need to know” principle applies. My Eco Best Friend employees and employees of external providers, as data processors so contracted, may have access to personal information only as is appropriate for the type and scope of the task in question. This requires a careful breakdown and separation, as well as implementation, of roles and responsibilities. Any unauthorized collection, processing, or use of such data by employees is forbidden. In particular, the use of personal data for private or commercial purposes, its disclosure to unauthorized persons or making it available in any other way are forbidden. This obligation shall remain in force even after any employment/data processing agreement has ended.
All My Eco Best Friend users of personal data must ensure that all personal data they hold is kept securely. The Information Technology Policy relating to the security of manual filing systems, storage of personal data on portable devices, removal of personal data from My Eco Best Friend premises, downloading of personal data on personal devices should be strictly adhered to.
Data Breach Management
My Eco Best Friend makes every effort to avoid personal data breaches. However, data security breaches are increasingly common occurrences, whether caused through human error or via malicious action. Examples of personal data breaches include:
Loss or theft of data or equipment
Inappropriate access controls allowing unauthorised use
Equipment failure
Unauthorised disclosure (e.g. email sent to the incorrect recipient)
Human error
Hacking attack
If a data protection breach occurs, My Eco Best Friend is required in most circumstances to report this as soon as possible to the relevant supervisory authority, and not later than 72 hours after becoming aware of the breach.
If you become aware of a data security incident/breach you must report it immediately. Details of how to report a breach and the information that will be required are included in the Security Incidents & Data Breach Management Policy.
Roles & Responsibilities
Governance. To demonstrate its commitment to Data Protection, and to enhance the effectiveness of its compliance efforts, My Eco Best Friend has established a Data Protection Steering Committee. The Steering Committee operates independently and is staffed by suitably skilled individuals granted all necessary authorizations. The Steering Committee is under the supervision of the My Eco Best Friend Data Protection Officer, who has direct access to the Board of Directors.
Chief Information Security Officer. The Chief Information Security Officer has primary responsibility for overseeing My Eco Best Friend’s information security. This includes:
developing, maintaining and implementing a My Eco Best Friend information security program;
documenting and disseminating information security policies and procedures;
coordinating the development and implementation of a My Eco Best Friend information security training and awareness program;
performing risk assessments and ensuring that information security considerations have been addressed as part of the process for design/expansion/review of systems or processes;
coordinating with the Data Protection Officer the response to actual or suspected data breaches and security incidents as per the Data Breach Management Policy.
Data Protection Officer (DPO). The Data Protection Officer has primary responsibility for My Eco Best Friend’s compliance with data protection laws and regulations. This comprises:
My Eco Best Friend’s notification with the relevant supervisory authority;
handling data subject access requests and requests from third parties for personal data;
promoting and maintaining awareness of the data protection laws and regulations, including training;
investigating data breach and security incidents as per the Data Breach Management Policy.
Contact of the DPO for My Eco Best Friend Company:
Chemin du Creux-Bechet, 6, 1096, Villette (Switzerland)
T: +41 (0)798479155
Manager. Managers are responsible for ensuring their staff understand the role of the data protection principles in their day-to-day work, through induction, training and performance monitoring, and for monitoring compliance within their own areas of concern. They should also ensure to keep the Data Protection Officer informed of changes in the collection, use, and security of personal data within their department.
My Eco Best Friend expects its employees and any My Eco Best Friend contractors, suppliers, agencies, temporary workers, or any other parties acting on My Eco Best Friend’s behalf (collectively, “External Parties”) who collect or manage personal information to follow this policy, whether they are utilizing My Eco Best Friend’s and/or their own electronic systems and data management tools. My Eco Best Friend employees are responsible for ensuring that any External Parties they work with in support of My Eco Best Friend operations comply with this policy.
Impact of Non-Compliance
My Eco Best Friend could be heavily fined for non-compliance with the Data Protection policy.
Each My Eco Best Friend department shall perform its own self-assessments of compliance with this policy. In addition, My Eco Best Friend may periodically assess whether employees and relevant third parties comply with this policy and related My Eco Best Friend standards and procedures when they handle personal data. Appropriate follow-up measures, if necessary, are enforced.
Failure by employees to comply with this policy can result in disciplinary action which may include termination of contract. For External Parties collecting or managing personal data on My Eco Best Friend’s behalf, failure to comply with this policy can lead to negative business consequences, up to and including termination of the business relationship and claims for Staff may also incur criminal liability if they knowingly or recklessly obtain and/or disclose personal data for their own purposes.
General
This policy is effective as of November 21st, 2021 and available on myecobestfriend.com.
The Office of Data Protection is responsible for the maintenance and accuracy of this policy. Notice of significant revisions shall be provided to My Eco Best Friend employees. Changes to this policy will come into force when published on myecobestfriend.com.
Purpose
This procedure sets out the key features regarding handling or responding to requests for access to personal data made by data subjects, their representatives, or other interested parties. This procedure will enable My Eco Best Friend to comply with legal obligations, improve transparency, enable individuals to verify that information held about them is accurate, and increase the level of trust by being open with individuals about the information that is held about them.
A Data Subject Request is any request made by an individual or an individual’s legal representative for information held by My Eco Best Friend about that individual.
A Request must be made in writing. In general, verbal requests for information held about an individual are not valid. A Request can be made by email, by post, on the corporate website or through any other available method.
My Eco Best Friend must provide a response to data subjects requesting access to their data within 30 calendar days of receiving the Request unless local legislation dictates otherwise.
In order to be able to respond to the Request in a timely manner, the data subject should:
Submit his/her request using an Access to Personal Information Request Form (see template attached).
Provide My Eco Best Friend with sufficient information to validate his/her identity (to ensure that the person requesting the information is the data subject or his/her authorized person).
Subject to the exemptions referred to in this document, My Eco Best Friend will provide information to data subjects whose requests are in writing and are received from an individual whose identity can be validated by My Eco Best Friend.
However, My Eco Best Friend will not provide data where the resources required to identify and retrieve it would be excessively difficult or time-consuming. Requests are more likely to be successful where they are specific and targeted at a particular piece of information.
Factors that can assist in narrowing the scope of a search include identifying the likely holder of the information (e.g. by making reference to a specific department), the time period in which the information was generated or processed (the narrower the time frame, the more likely a request is to succeed) and being specific about the nature of the data sought (e.g. a copy of a particular form or email records from within a particular department).
Request
Upon receipt of a Request, the Data Protection Officer will acknowledge the request. The requestor may be asked to complete an Access to Personal Information Request Form to better enable My Eco Best Friend to locate the relevant information.
The Data Protection Officer needs to check the identity of anyone making a Request to ensure information is only given to the person who is entitled to receive it. If the identity of a requestor has not already been provided, the person receiving the request will ask the requestor to provide identification.
If the requestor is not the data subject, written confirmation that the requestor is authorized to act on behalf of the data subject is required.
Upon receipt of the required documents, the person receiving the request will provide the Data Protection Officer with all relevant information in support of the Request. Where the Data Protection Officer is reasonably satisfied with the information presented by the person who received the request, the Data Protection Officer will notify the requestor that their Request will be responded to within 30 calendar days. The 30-day period begins from the date that the required documents are received. The requestor will be informed by the Data Protection Officer in writing if there will be any deviation from the 30-day timeframe due to other intervening events.
The Data Protection Officer will contact the relevant department(s) and ask for the information required by the Request. This may also involve an initial meeting with the relevant department to go through the Request, if required. The department which holds the information must return the required information by the deadline set by the Data Protection Officer, and/or a further meeting is arranged with the department to review the information. The Data Protection Officer will determine whether any of the information may be subject to an exemption and/or whether consent is required from a third party.
The Data Protection Officer must ensure that the information is received and reviewed by the set deadline so that the 30-calendar-day timeframe is not breached.
The Data Protection Officer will provide the finalized response together with the information retrieved from the department(s) and/or a statement that My Eco Best Friend does not hold the information requested, or that an exemption applies. The Data Protection Officer will ensure that a written response is sent back to the requestor. This will be via email, unless the requestor has specified another method by which they wish to receive the response (e.g. post).
After the response has been sent to the requestor, the Request will be considered closed and archived by the Data Protection Officer.
My Eco Best Friend will not normally disclose the following types of information in response to a Request:
Information about other people – A Request may cover information which relates to an individual or individuals other than the data subject. Access to such data will not be granted unless the individuals involved consent to the disclosure of their data.
Repeat requests – Where a similar or identical request in relation to the same data subject has previously been complied with within a reasonable time period, and where there is no significant change in personal data held in relation to that data subject, any further request will be considered a repeat request, and My Eco Best Friend will not normally provide a further copy of the same data.
Publicly available information – My Eco Best Friend is not required to provide copies of documents which are already in the public domain.
Privileged documents – Any privileged information held by My Eco Best Friend need not be disclosed. In general, privileged information includes any document which is confidential (e.g. a direct communication between a client and their lawyer) and is created for the purpose of obtaining or giving legal advice.
The overall responsibility for ensuring compliance with this procedure rests with the Data Protection Officer.
If My Eco Best Friend acts as a data controller towards the data subject making the Request, the Request will be addressed based on the provisions of this procedure.
If My Eco Best Friend acts as a data processor, the Data Protection Officer will forward the Request to the appropriate data controller on whose behalf My Eco Best Friend processes the personal data of the data subject making the Request.