notTV Ltd. (GDPR) Data Deletion Instructions

1        Introduction

This document sets out how notTV Ltd. can accept and handle Data Subject Access Request (DSAR).

This procedure should be considered in conjunction with the following related documents:

  • Personal Data Protection Policy
  • 27 (8.2) Access Control Policy
  • Records Retention and Protection Policy

2        Identity control

The request shall be submitted in writing using the appropriate form. The forms and procedures are available at [WEBSITE]. The request is accepted after identity control.

To avoid unlawful access and change of personal data notTV Ltd. uses two methods of identity control:

  • Proof of identity at the controller’s site
  • Access control method
Proof of identity at the controller’s siteData subject and controller’s representative verify the request
  
Access control methodData subject contacts controller’s representative
Controller’s representative provides instructions for authentication
The form with identity control resolved is sent to the data subject or available for download
Data subject delivers the request according to the instructions received from the controller’s representative

3       Data Subject Access Request Procedure

Lawfulness of processing personal data is defined in Article 6 of the GDPR. If processing is based on the consent the data subject has given to the processing of his or her personal data, the person has the right to withdraw the consent at any time using GDPR-FORM‑4.1 “Data Subject Consent Withdrawal Form”. Beside this general right, the data subject has the right to:

  • Access his or her personal data
  • Rectification and Erasure
  • Right to object to the certain type of processing

With the information of his rights, the data subject shall receive information about controller’s representative[1]. The controller shall answer the request in one month. In some complicated cases, the controller might ask for an additional deadline. The controller is responsible for the action of the processor. Procesor shall answer to the request in 15 days.

3.1       Access to his or her personal data

Request for access shall be given in writing, using form GDPR – [FORM] “Data Subject Request Form”. The Controller’s representative shall confirm and verify data subject identity. The controller shall answer to the request in one month.

The data subject may ask for a printed or electronic version of personal data.

3.2       Rectification and Erasure

The data subject has the right to have incomplete personal data completed.

The data subject has the right to be forgotten. The controller shall without any delay erase data subject’s personal data or obtain proof from the processor that the data are erased. This type of request shall be made in writing using form “Data Subject Change Request Form”. The controller’s representative shall confirm and verify data subject identity.

3.3       Right to object and status of automatic processing

The data subject has the right to object to processing for direct marketing purposes (Article 21 of GDPR).

The data subject has the right not to be subject to a decision based on the solely automated processing. Request for both above rights shall be given in writing, using form GDPR-Form‑4.6 “Data Subject Request Form”. The Controller’s representative shall confirm and verify data subject identity.

3.4       Notification obligation

The controller must inform each recipient to whom the personal data have been disclosed on all changes, completion, restriction or erasure of personal data (Article 19 of GDPR states the conditions for the omission of such action). If the data subject requests, he or she is entitled to know all recipients of his/her personal data.


[1] Article 14, GDPR, “the identity and contact of the controller and, where applicable, the controller’s representative”.