Data Subject Access Request Procedure

This document sets out our policy for responding to subject access requests under the General Data Protection Regulation (GDPR), which went into effect on May 25, 2018. Under the GDPR, data subjects have the right to obtain confirmation that their data is being processed, access to their personal data and the right to be informed of processing via a privacy notice. The right of individuals to access their personal information can be fulfilled via a subject access request. This document explains the rights of the data subject in relation to a data subject access request and RxPhoto’s responsibilities when dealing with that request.

1. Scope, Purpose and Users

This procedure sets out the key features of handling or responding to requests for access to personal data made by data subjects, their representatives or other interested parties, and for the exercise of all other data subject rights under the GDPR. This procedure will enable RxPhoto (the “Company”) to comply with legal obligations, provide better customer care, improve transparency, enable individuals to verify that information held about them is accurate, and increase the level of trust by being open with individuals about the information that is held about them.

This procedure applies broadly across all entities or subsidiaries owned or operated by the Company but does not affect any state or local laws or regulations which may otherwise be applicable.

This procedure applies to employees that handle data subject access requests such as the Data Protection Officer.

2. Reference Documents

  • EU GDPR 2016/679 (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“General Data Protection Regulation”))
  • Personal Data Protection Policy

3. What is personal information?

Personal data is information which relates to an individual or refers to the individual. Data refers to an individual if that individual can be identified such as by using their name, identification number, location data or factors specific to the individual such as physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

4. Data Subject Access Request (“DSAR”)

A Data Subject Access Request (DSAR) is any request made by an individual or an individual’s legal representative for information held by the Company about that individual. The Data Subject Access Request provides the right for data subjects to obtain from RxPhoto confirmation as to whether or not personal data concerning the particular data subject are being processed and, where that is the case, to see or view their own personal data as well as to request copies of the data.

A Data Subject Access Request may be made in writing via our contact form, email, fax or post. In general, we prefer not to receive verbal requests; however, if we receive one, for instance via phone, the data subject must ensure that he/she speaks with a responsible RxPhoto employee who is on duty and provides all information required under our DSAR form; otherwise we may not accept the verbal request. The employee needs to document the request and forward it to the relevant contacts in the Company.

As mentioned, a Data Subject Access Request can be made via any of the following methods: email, fax, or post. DSARs made online must be treated like any other Data Subject Access Requests when they are received, though the Company will not provide personal information via social media channels.

Requests to exercise any of the other data subject rights under this policy (the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object) are submitted according to the rules of this section.

5. The Rights of a Data Subject

The rights to data subject access include the following:

  • Know whether a data controller holds any personal data about them.
  • Receive a description of the data held about them (including mentioning of the categories of personal data concerned, as for instance name, address, email, medical records, etc.) and, if permissible, a copy of the data.
  • Be informed of the purpose(s) for which that data is being processed, and from where it was received.
  • Be informed whether the information is being disclosed to anyone apart from the original recipient of the data; and if so, the identity of those recipients or at least their category.
  • The envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period.
  • The existence of the right to request from the Company rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing.
  • The right to lodge a complaint with a supervisory authority
  • The right of data portability. Data subjects can ask that their personal data be transferred to them or a third party in machine readable format (Word, PDF, etc.). However, such requests can only be fulfilled if the data in question is: 1) provided by the data subject to the Company, 2) is processed automatically and 3) is processed based on consent or fulfilment of a contract.
  • If the data is being used to make automated decisions about the data subject, to be told what logic the system uses to make those decisions and to be able to request human intervention
  • If there is a transfer of the personal data to a country that is outside the European Economic Area or to an international organization, the data subject will be informed of the appropriate safeguards that have been applied to the transfer (for instance standard data protection clauses).

The Company must provide a response to data subjects requesting access to their data within thirty (30) days of receiving the Data Subject Access Request.

That period may be extended by sixty (60) days where necessary, taking into account the complexity and number of the requests.

The Company will inform the data subject of any such extension within thirty (30) days of receipt of the request, together with the reasons for the delay.

6. The right to rectification

Individuals are entitled to have any inaccurate or incomplete personal data rectified. Where the personal data in question has been disclosed to third parties, RxPhoto will inform them of the rectification where possible. RxPhoto will inform the individual about the third parties that the data has been disclosed to, where this was requested by the data subject. Requests for rectification will be responded to within one month; this will be extended by two months where the request for rectification is complex. Where no action is being taken in response to a request for rectification, RxPhoto will explain the reason for this to the individual, and will inform them of their right to complain to the supervisory authority and to a judicial remedy.

7. The right to erasure

Individuals hold the right to request the deletion or removal of personal data where there is no compelling reason for its continued processing. Individuals have the right to erasure in the following circumstances:

  • Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed
  • When the individual withdraws their consent, and where there is no other legal ground that applies for the processing
  • When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing
  • The personal data was unlawfully processed
  • The personal data is required to be erased in order to comply with a legal obligation
  • The personal data is processed in relation to the offer of information society services to a child

RxPhoto has the right to refuse a request for erasure where the personal data is being processed for the following reasons:

  • To exercise the right of freedom of expression and information
  • To comply with a legal obligation for the performance of a public interest task or exercise of official authority
  • For public health purposes in the public interest
  • For archiving purposes in the public interest, scientific research, historical research or statistical purposes
  • The exercise or defense of legal claims

As a child may not fully understand the risks involved in the processing of data when consent is obtained, special attention will be given to existing situations where a child has given consent to processing and they later request erasure of the data, regardless of age at the time of the request. Where personal data has been disclosed to third parties, they will be informed about the erasure of the personal data, unless it is impossible or involves disproportionate effort to do so. Where personal data has been made public within an online environment, RxPhoto will inform other organizations who process the personal data to erase links to and copies of the personal data in question.

8. The right to restrict processing

Individuals have the right to block or suppress RxPhoto’s processing of personal data. In the event that processing is restricted, RxPhoto will store the personal data, but not further process it, guaranteeing that just enough information about the individual has been retained to ensure that the restriction is respected in future. RxPhoto will restrict the processing of personal data in the following circumstances:

  • Where an individual contests the accuracy of the personal data, processing will be restricted until RxPhoto has verified the accuracy of the data
  • Where an individual has objected to the processing and RxPhoto is considering whether their legitimate grounds override those of the individual
  • Where processing is unlawful and the individual opposes erasure and requests restriction instead
  • Where RxPhoto no longer needs the personal data but the individual requires the data to establish, exercise or defend a legal claim

If the personal data in question has been disclosed to third parties, RxPhoto will inform them about the restriction on the processing of the personal data, unless it is impossible or involves disproportionate effort to do so. RxPhoto will inform individuals before the restriction of processing is lifted.

9. The right to data portability

Individuals have the right to obtain and reuse their personal data for their own purposes across different services. Personal data can be easily moved, copied or transferred from one IT environment to another in a safe and secure manner, without hindrance to usability. The right to data portability only applies in the following cases:

  • To personal data that an individual has provided to a controller
  • Where the processing is based on the individual’s consent or for the performance of a contract
  • When processing is carried out by automated means

Personal data will be provided in a structured, commonly used and machine-readable form. RxPhoto will provide the information free of charge. Where feasible, data will be transmitted directly to another organization at the request of the individual. RxPhoto is not required to adopt or maintain processing systems which are technically compatible with other organizations. In the event that the personal data concerns more than one individual, RxPhoto will consider whether providing the information would prejudice the rights of any other individual. RxPhoto will respond to any requests for portability within one month. Where the request is complex, or a number of requests have been received, the timeframe can be extended by two months, ensuring that the individual is informed of the extension and the reasoning behind it within one month of the receipt of the request. Where no action is being taken in response to a request, RxPhoto will, without delay and at the latest within one month, explain to the individual the reason for this and will inform them of their right to complain to the supervisory authority and to a judicial remedy.

10. The right to object

RxPhoto will inform individuals of their right to object at the first point of communication, and this information will be outlined in the privacy notice and explicitly brought to the attention of the data subject, ensuring that it is presented clearly and separately from any other information. Individuals have the right to object to the following:

  • Processing based on legitimate interests or the performance of a task in the public interest
  • Direct marketing
  • Processing for purposes of scientific or historical research and statistics.

Where personal data is processed for the performance of a legal task or legitimate interests:

  • An individual’s grounds for objecting must relate to his or her particular situation.
  • RxPhoto will stop processing the individual’s personal data unless the processing is for the establishment, exercise or defense of legal claims, or, where RxPhoto can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual.

Where personal data is processed for direct marketing purposes:

  • RxPhoto will stop processing personal data for direct marketing purposes as soon as an objection is received.
  • RxPhoto cannot refuse an individual’s objection regarding data that is being processed for direct marketing purposes.

Where personal data is processed for research purposes:

  • The individual must have grounds relating to their particular situation in order to exercise their right to object.
  • Where the processing of personal data is necessary for the performance of a public interest task, RxPhoto is not required to comply with an objection to the processing of the data.
  • Where the processing activity is outlined above, but is carried out online, RxPhoto will offer a method for individuals to object online.

11. Requirements for a valid DSAR

RxPhoto will inform individuals of their right to object at the first point of communication, and this information will be outlined in the privacy notice and explicitly brought to the attention of the data subject, ensuring that it is presented clearly and separately from any other information. Individuals have the right to object to the following:

  • Submit his/her request using a Data Subject Access Request Form.
  • Provide the Company with sufficient information to validate his/her identity (to ensure that the person requesting the information is the data subject or his/her authorized person).
  • In the case of a DSAR submitted verbally, the data subject should provide both the information required under our Data Subject Access Request Form and sufficient information to validate his/her identity; this should not be provided orally, but by the same means as required for written/electronic requests.

Subject to the exemptions referred to in this document, the Company will provide information to data subjects whose requests are in writing (or by some other method explicitly permitted by the applicable law), and are received from an individual whose identity can be validated by Company. However, the Company will not provide data where the request is manifestly unfounded or the resources required to identify and retrieve it would be excessively difficult or time-consuming. Requests are more likely to be successful where they are specific and targeted at particular information.

Factors that can assist in narrowing the scope of a search include identifying the likely holder of the information (e.g. by making reference to a specific department), the time period in which the information was generated or processed (the narrower the time frame, the more likely a request is to succeed) and being specific about the nature of the data sought (e.g. a copy of a particular form or email records from within a particular department).

12. DSAR Process

12.1. Request

Upon receipt of a DSAR, the Data Protection Team will log and acknowledge the request. The requestor may be asked to complete a Data Subject Access Request Form to better enable the Company to locate the relevant information.

12.2. Identity verification

The Data Protection Team needs to check the identity of anyone making a DSAR to ensure information is only given to the person who is entitled to it. If the identity of a DSAR requestor has not already been provided, the person receiving the request will ask the requestor to provide two forms of identification, one of which must be a photo identity and the other confirmation of address.

If the requestor is not the data subject, written confirmation that the requestor is authorized to act on behalf of the data subject is required.

12.3. Information for Data Subject Access Request

Upon receipt of the required documents, the person receiving the request will provide the Data Protection Team with all relevant information in support of the DSAR. Where the Data Protection Team is reasonably satisfied with the information presented by the person who received the request, the Data Protection Officer will notify the requestor that his/her DSAR will be responded to within 1 (one) month. The 1 month period begins from the date that the required documents are received. The requestor will be informed by the Data Protection Team in writing if there will be any deviation from the 1 month time frame due to other intervening events.

12.4. Review of Information

The Data Protection Team, composed of cross-department representatives, will collate the relevant and required information as requested in the DSAR.

The Data Protection Team must ensure that the information is reviewed/received by the imposed deadline to ensure the 1 month timeframe is not breached. The Data Protection Officer will ask the relevant department to complete a “Data Subject Disclosure Form” to document compliance with the 1 month requirement.

12.5. Response to Access Requests

The Data Protection Team will provide the finalized response together with the information retrieved and/or a statement that the Company does not hold the information requested, or that an exemption applies.

The Data Protection Team will ensure that a written response will be sent back to the requestor. This will be via email, unless the requestor has specified another method by which they wish to receive the response (e.g. post).

The Company will only provide information via channels that are secure. When hard copies of information are posted, they will be sealed securely and sent by recorded delivery.

12.6. Archiving

After the response has been sent to the requestor, the DSAR will be considered closed and archived by the Data Protection Team.

13. Exemptions

An individual does not have the right to access information recorded about someone else, unless they are an authorized representative.

The Company is not required to respond to requests for information if the request is manifestly unfounded or the resources required to identify and retrieve it would be excessively difficult or time-consuming, and if it is not provided with sufficient details for the Company to satisfy itself as to the identity of the data subject making the request. Where the Company processes a large quantity of information concerning the data subject, the data subject should specify the information or the processing activities to which the request relates, in order to enable the information request to be satisfied.

In principle, the Company will not normally disclose the following types of information in response to a Data Subject Access Request:

  • Information about other people – A Data Subject Access Request may cover information which relates to an individual or individuals other than the data subject. Access to such data will not be granted, unless the individuals involved consent to the disclosure of their data.
  • Repeat requests – Where a similar or identical request in relation to the same data subject has previously been complied with within a reasonable time period, and where there is no significant change in personal data held in relation to that data subject, any further request made within a six month period of the original request will be considered a repeat request, and the Company will not normally provide a further copy of the same data.
  • Publicly available information – The Company is not required to provide copies of documents which are already in the public domain.
  • Opinions given in confidence or protected by copyright law – The Company does not have to disclose personal data held in relation to a data subject that is in the form of an opinion given in confidence or protected by copyright law.

14. Data Subject Access Request Refusals

There are situations where individuals do not have a right to see information relating to them. For instance:

  • If the information is kept only for the purpose of statistics or research, and where the results of the statistical work or research are not made available or kept in a form that identifies any of the individuals involved.
  • Requests made for other, non-data protection purposes can be rejected.

If the responsible person refuses a Data Subject Access Request on behalf of the Company, the reasons for the rejection must be clearly set out in writing. Any individual dissatisfied with the outcome of his/her Data Subject Access Request is entitled to make a request to the Data Protection Officer to review the outcome.

15. Responsibilities

The overall responsibility for ensuring compliance with a DSAR rests with the Data Protection Officer. If the Company acts as a data controller towards the data subject making the request then the DSAR will be addressed based on the provisions of this procedure. If the Company acts as a data processor the Data Protection Officer will forward the request to the appropriate data controller on whose behalf the Company processes personal data of the data subject making the request.
