This Data Subject Rights Notice explains the rights afforded to individuals under the General Data Protection Regulation (GDPR) with respect to the processing of personal data. By utilizing web-based services, users located in the European Economic Area (EEA) or whose data is processed under GDPR jurisdiction are notified of their rights and the mechanisms to exercise them.
1. Data Controller and Processing Purposes: The provider acts as the Data Controller for personal data collected in connection with services. Personal data may be processed for the following lawful purposes:
a. Performance of a contract or to take steps to enter into a contract;
b. Compliance with legal obligations;
c. Protection of vital interests;
d. Consent (where obtained); and
e. Legitimate interests of the provider, such as marketing, analytics, fraud prevention, and business operations.
2. Data Subject Rights: Subject to applicable conditions and limitations, data subjects have the following rights:
a. Right to Access: Obtain confirmation of processing activities and a copy of personal data being processed.
b. Right to Rectification: Request correction of inaccurate or incomplete personal data.
c. Right to Erasure (“Right to be Forgotten”): Request deletion of personal data when processing is no longer necessary or consent is withdrawn.
d. Right to Restriction of Processing: Request limitation of processing when accuracy is contested, processing is unlawful, personal data is no longer needed, or objection is pending.
e. Right to Data Portability: Receive personal data in a structured, commonly used, and machine-readable format, and transmit it to another controller.
f. Right to Object: Object to processing based on legitimate interests or direct marketing.
g. Right to Withdraw Consent: Withdraw consent for processing tasks that rely on consent at any time without affecting the lawfulness of prior processing.
3. Exercise of Rights: Data subjects may exercise their rights by submitting a written request via designated channels. Verification procedures may be implemented to confirm identity and prevent unauthorized disclosure. Requests will be addressed within one month unless complexity or volume necessitates extension, in which case data subjects will be informed of any delay.
4. Data Retention and Erasure: Personal data is retained only for the duration necessary to fulfill processing purposes or as required by law. Upon expiration of retention periods or valid request for erasure, data will be permanently deleted or anonymized.
5. Data Transfers: When personal data is transferred outside the EEA, appropriate safeguards such as Standard Contractual Clauses or Binding Corporate Rules are implemented to ensure adequate protection.
6. Complaints: Data subjects have the right to lodge complaints with supervisory authorities in their member state if they believe processing infringes GDPR.
7. Contact for Privacy Inquiries: Data subjects seeking additional information or wishing to exercise rights should refer to privacy notice details provided within services.
8. No Automated Decision-Making: Services do not engage in profiling or legally significant automated decision-making without explicit consent.
9. Updates: This Notice may be amended to reflect changes in regulatory requirements or operational practices. Continued use of services after updates constitutes acceptance of the revised notice.