Purpose of this document
This documents describes the process for considering and fulfilling data subject access requests at ResQ Club Oy. The process aims to give clear idea of how the company complies with the current regulation about data subjects’ rights for their personal data.
Rights of the data subject (you)
Data subject has the right to get a confirmation that their data is being processed and access to their personal data being processed by ResQ at the time of fulfilling the request.
Each request is considered and fulfilled in no more than 30 days after the request was submitted.
Roles during the procedure
Requester means the individual making the data subject access request.
ResQ means ResQ Club Oy, which acts as the data Controller, having the legal obligation to meet data subject access requests. Also referred as “we”.
Stage 1: Making the request
Data subject can submit the request via email to email@example.com.
Stage 2: Considering the request
Determining the validity of the request
First we will determine whether or not the request is an actual data subject access request. Our Staff will determine the validity based on two questions:
- Does Requester ask for confirmation about processing her personal data by ResQ?
- Does Requester ask for access for her personal data being processed by ResQ?
If the answer for either of the question is yes, the request is a valid data subject access request.
Confirming Requester’s identity
In order to fulfill the request, we need to confirm that the Requester has the right to access the processed personal data in question. In order to confirm Requester’s identity, we do the following:
- In case of an electronic request, we ensure that the request is coming from an email that matches our user records
- In addition, we ask Requester to provide information that is stored on our service and should be known only to the data subject, such as: last four (4) digits of the payment method used in our service, data subject’s recent order history, signup method and recently used device
- If we have good cause to doubt Requester’s identity we can ask them to provide further evidence we need to confirm it, such as a copy of passport or driving license
Stage 3: Fulfilling the request
Gathering the requested personal data
When fulfilling the request, we will gather all requested personal data of the data subject processed by ResQ and combine it into a single PDF file.
This file includes:
- All personal data the data subject has submitted into the service
- All personal data that has been collected automatically upon using the service
This file doesn’t include:
- Any information or references to other data subjects
- Data subject’s full payment card information. ResQ uses a 3rd party PSD2 compliant payment processor, and does not have access to its users’ full payment information.
- Aggregate data or summary statistics that have been derived using the data subject’s personal data. By definition, aggregate data is data combined from several measurements and thus don’t fall into the category of personal data.
Delivering personal data to Requester
All personal data is delivered to Requester using password protected download links that expire automatically. Requester is solely responsible for sharing the link with any 3rd party. In case of a data breach resulting due to such activity, ResQ is not held liable for any damages.
In case you have any questions regarding our Data Subject Access Request Procedure, please contact us at firstname.lastname@example.org.