This document sets out how notTV Ltd. can accept and handle Data Subject Access Request (DSAR).
This procedure should be considered in conjunction with the following related documents:
- Personal Data Protection Policy
- 27 (8.2) Access Control Policy
- Records Retention and Protection Policy
The request shall be submitted in writing using the appropriate form. The forms and procedures are available at [WEBSITE]. The request is accepted after identity control.
To avoid unlawful access and change of personal data notTV Ltd. uses two methods of identity control:
- Proof of identity at the controller’s site
- Access control method
|Proof of identity at the controller’s site||Data subject and controller’s representative verify the request|
|Access control method||Data subject contacts controller’s representative|
|Controller’s representative provides instructions for authentication|
|The form with identity control resolved is sent to the data subject or available for download|
|Data subject delivers the request according to the instructions received from the controller’s representative|
Lawfulness of processing personal data is defined in Article 6 of the GDPR. If processing is based on the consent the data subject has given to the processing of his or her personal data, the person has the right to withdraw the consent at any time using GDPR-FORM‑4.1 “Data Subject Consent Withdrawal Form”. Beside this general right, the data subject has the right to:
- Access his or her personal data
- Rectification and Erasure
- Right to object to the certain type of processing
With the information of his rights, the data subject shall receive information about controller’s representative. The controller shall answer the request in one month. In some complicated cases, the controller might ask for an additional deadline. The controller is responsible for the action of the processor. Procesor shall answer to the request in 15 days.
Request for access shall be given in writing, using form GDPR – [FORM] “Data Subject Request Form”. The Controller’s representative shall confirm and verify data subject identity. The controller shall answer to the request in one month.
The data subject may ask for a printed or electronic version of personal data.
The data subject has the right to have incomplete personal data completed.
The data subject has the right to be forgotten. The controller shall without any delay erase data subject’s personal data or obtain proof from the processor that the data are erased. This type of request shall be made in writing using form “Data Subject Change Request Form”. The controller’s representative shall confirm and verify data subject identity.
The data subject has the right to object to processing for direct marketing purposes (Article 21 of GDPR).
The data subject has the right not to be subject to a decision based on the solely automated processing. Request for both above rights shall be given in writing, using form GDPR-Form‑4.6 “Data Subject Request Form”. The Controller’s representative shall confirm and verify data subject identity.
The controller must inform each recipient to whom the personal data have been disclosed on all changes, completion, restriction or erasure of personal data (Article 19 of GDPR states the conditions for the omission of such action). If the data subject requests, he or she is entitled to know all recipients of his/her personal data.
 Article 14, GDPR, “the identity and contact of the controller and, where applicable, the controller’s representative”.