Managing Data Requests from Users

Updated as of: September 19, 2019

Pursuant to Articles 12 through 15 of the General Data Protection Regulation (the “GDPR”), Preemptive Love Coalition, a U.S. registered 501(c)3 charitable organization [*corporate name] (“Preemptive Love Coalition,” “we,” “us,” or “our”), has issued this Data Subject Rights Handling Policy to describe how we, as a data controller (i.e., the entity determining the purpose for which and manner in which data is processed), handle requests for personal data of employees, contractors, clients, and users.

Rights that all Data Subjects have regarding their personal data:

Data Subjects from the European Economic Area, whose personal data is processed by Preemptive Love Coalition, such as the personal data of customers, website visitors, employees, contractors, etc. (each a “Data Subject”), have certain data protection rights (“Data Subject Rights”), which may be exercised upon request to us (each a “Data Rights Request”).

These Data Subject Rights are the rights to request:

1. Access to their personal data;
2. Rectification of their personal data;
3. Erasure of their personal data (this right is also referred to as the “right to be forgotten”);
4. Restriction of their personal data;
5. Portability of their personal data;
6. Cessation of processing of their personal data (the right to object);
7. Not to be subject to automated decision making; and
8. Not to be sent direct marketing.

Our responsibility to respond to a Data Rights Requests:

The controller of a Data Subject’s personal data is primarily responsible for responding to a Data Rights Request and for helping the Data Subject concerned to exercise his/her rights under applicable data protection laws. Where a Data Subject makes a Data Rights Request to us, we are the controller of the personal data held and processed about the user, because we determine the purposes for which the data is collected and the means by which it is processed.

Personal data which we make available to third parties:

When we share personal data with third parties, it is also our responsibility to inform those third parties of any request by a Data Subject to rectify, erase, or restrict his/her personal data, unless doing so would involve a disproportionate effort or if it is impossible. For example, we must notify any relevant Preemptive Love Coalition entity and other third parties (such as advertising service providers) to whom that Data Subject’s personal data has been disclosed so that those entities can also update their records accordingly. If requested, we will provide details for the third parties to whom that Data Subject’s personal data has been disclosed.

Request verification process:

When we receive a Data Rights Request, our Data Protection Officer, Dane Barnett (“DPO”), will make an initial assessment to verify that the request has been validly made. The DPO will contact the Data Subject in writing to confirm receipt of the Data Rights Request and to seek confirmation of identity of the Data Subject (if not already validated).

If the DPO determines that the Data Rights Request is valid and that Preemptive Love Coalition is not exempt from fulfilling the Data Rights Request, then we will request any further information needed to act upon the Data Subject’s request. Once Preemptive Love Coalition has all the information we need to fulfill the Data Rights Request, Preemptive Love Coalition will respond to the request as described below.

When we may be exempt from responding to a Data Rights Request:

Preemptive Love Coalition is only permitted to decline to act on a Data Rights Request if the request is “excessive” and/or “manifestly unfounded” (for example, if repetitive requests have been made). In such case, we will notify the Data Subject that we intend to decline the Data Rights Request and explain that an exemption applies, stating the exemption in our response. 

Depending on the type of Data Rights Request, additional exemptions may apply, as explained below.

Timeframe for responding to Data Rights Requests:

Data Subject Requests must be responded to without undue delay and in no case later than one (1) month of receipt unless this is not possible because the request is particularly complex (in which case, Preemptive Love Coalition will be entitled to extend the response period by up to two (2) additional months and Preemptive Love Coalition must still give the Data Subject notice within one (1) month of receipt of the request of its intention to respond within the extended time period and provide reasons for the delay).

Fees for Data Rights Requests:

Preemptive Love Coalition is not permitted to charge for acting on a Data Rights Request unless we are exempt from the obligation to act on the request (as described above). In the case that an exemption does apply, a reasonable fee may be charged taking into account the administrative costs of providing the information or communication or taking the action requested.

The Right to Be Informed: 

Data Subjects have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR. We provide individuals with relevant information, including our purposes for processing their personal data, our retention periods for that personal data, and parties with whom it will be shared. Our posted Privacy Policy on our website contains this as well as the following information: 

• The name and contact details of our organization and DPO;
• Our purposes, lawful basis, and legitimate interests for the processing;
• The types of personal data collected;
• The recipients of the collected personal data;
• Our retention of the personal data; and
• The rights available to Data Subjects in respect of the processing.

We also provide privacy information to individuals at the time we collect personal data from them and when/if we obtain personal data from other sources. We will bring any new uses of a Data Subject’s personal data to his/her attention before we start the new processing.

We make a practice of regularly reviewing and, as necessary, updating our Privacy Policy. 

The Right of Access — Requests for access to personal data: 

This is a right for a Data Subject to obtain confirmation as to whether a controller processes personal data about him/her and, if so, to be provided with details of that personal data and with access to it. 

Information to be provided in response to a request. A Data Subject is entitled to request a copy of his/her personal data from Preemptive Love Coalition. Where a Data Subject makes such a request, Preemptive Love Coalition must confirm whether it holds and is processing personal data about that Data Subject and, if so, then provide that personal data to the Data Subject in an intelligible form. The Data Subject making the request should also be provided with the following information:

• A description of the personal data and categories of personal data concerned;
• The period for which the personal data will be stored;
• The purposes for which the personal data is being held and processed;
• The recipients or classes of recipients to whom the personal data is (or may be) disclosed by Preemptive Love Coalition (especially those outside of the European Economic Area);
• Confirmation of the Data Subject’s right to request rectification or erasure of his/her personal data or to restrict or object to its processing;
• Confirmation of the Data Subject’s right to lodge a complaint with a competent data protection authority;
• Details about the source of the personal data if it was not collected from the Data Subject;
• Details about whether the personal data is subject to automated decision-making (including profiling), if applicable; and
• Where personal data is transferred from the European Economic Area to a country outside of the European Economic Area, the appropriate safeguards that Preemptive Love Coalition has put in place relating to such transfers in accordance with European data protection laws.

Format of requests.  A Data Rights Request for access does not have to be official or mention data protection law to qualify as a valid request. The request does not need to be made in writing and can be made orally, but it is advisable that any oral requests are noted in writing (by the requesting Data Subject) for record-keeping purposes. It is also helpful if the Data Subject provides an e-mail address and confirms whether the personal data can be sent by e-mail (or by other means). Requests made electronically (e.g., by e-mail) must be responded to electronically (in a commonly used format) unless the Data Subject stipulates otherwise. Data Subjects may also ask for information to be provided orally instead.

Exemptions.  Preemptive Love Coalition is not permitted to refuse to comply with an access request unless we can demonstrate that we are not in the position to identify the Data Subject who is making the request or unless we are exempt from the obligations to comply.

The Right to Rectification — Requests to rectify personal data:

This is the right for a Data Subject to obtain rectification to his/her personal data where there are inaccuracies in the data that a controller may process about him/her. If Preemptive Love Coalition holds inaccurate or incomplete information about a Data Subject, the Data Subject is entitled to request that the information is rectified (and we must also notify third parties who may also be processing the Data Subject’s personal data). 

Supplementary statements to complete information.  If a request to rectify information involves ensuring that it is complete, the Data Subject may provide a supplementary statement for us to hold in order to complete the personal data held about that Data Subject.

The Right to Erasure — Requests to erase personal data (aka the “right to be forgotten”):

This is a right for a Data Subject to request that we erase personal data concerning him/her on certain grounds (i.e., where the personal data is no longer necessary to fulfill the purposes for which it was collected).

Circumstances in which Right to Erasure applies: A Data Subject may request that we erase his/her personal data in the following circumstances:

• The personal data is no longer necessary for the purpose for which it was collected or otherwise processed;
• The personal data was unlawfully processed by Preemptive Love Coalition;
• If the processing was on the basis of consent from the Data Subject and he/she withdraws consent (and no other legitimate grounds for processing the information exists);
• The Data Subject objects to the processing (see below) and no overriding legitimate grounds exist for processing the information; or
• The personal data needs to be erased to comply with our legal obligations.

Erasure of personal data by third parties.  If Preemptive Love Coalition erases a Data Subject’s personal data further to such a request, we must also notify third parties who may be processing that Data Subject’s information.  If we have made the personal data public and are then obliged to erase it, we must take reasonable steps, including technical measures (taking in account available technology and the cost of implementation), to inform other controllers who are processing that Data Subject’s personal data. 

Exemptions.  In addition to the general exemptions referred to above, Preemptive Love Coalition is exempt from the obligation to erase personal data where the processing of the information is necessary for:

• Compliance with our legal obligations;
• Establishing, exercising, or defending legal claims;
• Scientific, historical, or statistical purposes where erasure of the personal data would make this processing impossible or seriously impair it;
• Public interest reasons (performance of a task carried out in the public interest, exercise of an official authority vested in Preemptive Love Coalition, public health reasons, archiving in the public interest); and
• Exercising the right of freedom of expression and information.

The Right to Object — Right to object to processing:

This is the right for a Data Subject to object, on grounds relating to his/her particular situation, to a controller’s processing of personal data about him/her if the processing is on the grounds that it is for the legitimate interests of the controller.

Circumstances in which Data Subjects can object to processing.  If Preemptive Love Coalition is relying on the grounds that the processing is pursuant to our legitimate business interests, then a Data Subject may object to that processing. Data Subjects may also object if the processing is to perform a task in the public interest or to exercise an official authority vested in the controller. 

Exemptions.  In addition to the general exemptions referred to above, Preemptive Love Coalition is exempt from the obligation to cease processing the personal data after an objection if:

• We can  demonstrate  it has compelling  legitimate grounds for  processing the information, which override the interests, rights, and/or freedoms of the Data Subject;
• The processing is to establish, exercise, or defend a legal claim; or
• The processing is for scientific, historical, or statistical purposes carried out in the public interest.

The Right to Restriction: 

This is a right for a Data Subject to require a controller to restrict processing of personal data about him/her on certain grounds (e.g., where a data subject has contested the accuracy of data and a period of time is required for us to verify the accuracy of the personal data).

If Preemptive Love Coalition is processing a Data Subject’s personal data and the Data Subject wishes to restrict that processing on the grounds of the accuracy of the data, we will limit the processing of that Data Subject’s personal data until such time as the accuracy has been appropriately verified. 

The Right to Data Portability: 

This is the right of a Data Subject to receive personal data concerning him or her from a controller in a structured, commonly used, and machine-readable format and to transmit that information to another controller, if the processing is based on consent of the Data Subject and if the processing is carried out by automated means.

If we are processing a Data Subject’s personal data and the Data Subject wishes to request a copy of the personal data that he/she has submitted to us, then Preemptive Love Coalition will provide this copy of the data to the Data Subject in a structured, commonly used, and machine-readable format (as further described above).

The Right Not to be Subject to Automated Decision-Making and Direct Marketing: 

This is a right to object to an automated decision made about a Data Subject (i.e. without human involvement) that has a legal or other similar effect on the Data Subject. Data Subjects can request human intervention in the process.

Data Subjects also have the right to object to direct marketing, including profiling relating to direct marketing. Preemptive Love Coalition must stop using personal data for any direct marketing if we receive such a request. See our Privacy Policy for more information on our obligations relating to direct marketing.

Where to send received Data Rights Requests and any questions you may have:

Any questions regarding Data Rights Requests should be sent to the Preemptive Love Coalition DPO by email at dataprotection@preemptivelove.org. 

If you receive a Data Rights Request from a Data Subject through any of our websites, the request should immediately be sent to the Preemptive Love Coalition DPO by email at dataprotection@preemptivelove.org (indicating the date on which it was received together with any other information which may help deal with the request).