Policy Statement

A data subject is the individual to whom the personal data we process belongs. The General Data Protection Regulation (GDPR) grants data subjects certain rights, such as confirming whether we are lawfully processing their personal data, correcting or deleting their personal data, and obtaining copies of their personal data. This policy outlines our approach to identifying and responding to such access requests.



This policy applies to the data subjects whose personal data we process, including employees, external partners, customers, suppliers, etc. It is applicable to all those who may be responsible for identifying and responding to data subject access requests, including other organizations processing personal data on our behalf.

Responsibilities

Management Responsibility
Management is responsible for implementing and overseeing this policy. They must understand its requirements, particularly for processes under their control, and ensure the adoption of appropriate procedures across the organization.

Data Protection Team
The team is responsible for implementing, monitoring, and reviewing the overall process. They must ensure that individuals directly involved in handling access requests are aware of their responsibilities and adequately trained. Regular exercises are encouraged.

Submission of Requests

Data subject access requests may be submitted in writing, electronically, or verbally. Therefore, we must develop and implement appropriate mechanisms for promptly identifying and responding to requests.

Identity Verification

If we have doubts about the identity of the person making the request, we may request additional information. However, it is important to request only what is necessary to confirm their identity. Such information should be minimal and strictly relevant to the purpose of identification. In many cases, requesting a copy of an ID, passport, or birth certificate may be disproportionate and may not necessarily provide sufficient assurance of the individual’s identity. We must therefore ensure that appropriate procedures and mechanisms are in place to verify the legitimacy of the requester.

Identifying and Responding to Requests

All responsible parties must be able to recognize and properly forward a request. The request must be evaluated for its legitimacy and then processed according to its nature and the specific requirements of the GDPR.

Response Time

We must respond to a data subject access request within one month of receiving it. If more time is required to respond to complex requests, an extension of up to two additional months is allowed, provided that the data subject is informed in a timely manner within one month of receiving the request, including the reasons for the delay.

Fees

We will provide a copy of the requested information free of charge in accordance with the GDPR. However, a reasonable fee may be charged if a request is manifestly unfounded or excessive, especially if it is repetitive. We may also charge a reasonable fee for complying with requests for further copies of the same information.

Exceptions

Exempt information must be redacted from disclosed documents, with an explanation of the reasons for withholding it, e.g., third-party personal data.

Complaints

If we fail to respond to a data subject's request, we will notify the data subject without delay and at the latest within one month of receiving the request, explaining the reasons for non-compliance and informing them of their right to file a complaint with the Supervisory Authority or seek judicial redress.