IDT Retail Europe Limited

Subject Access Request Policy and Procedures

Effective as of May 25, 2018

1. Introduction

IDT Retail Europe Limited (“IDT”) gathers and processes personal data regarding its customers and agents in accordance with our applicable privacy notices and in compliance with the General Data Protection Regulation (“GDPR”) and other relevant data protection regulations and laws.

This policy and procedure document (the “Policy”) provides the process for individuals to use when making an access request, along with the protocols followed by IDT when such a request is received.

IDT needs to collect personal data to effectively and compliantly carry out our everyday business functions and services and in some circumstances to comply with legal and regulatory requirements. We are obligated under the GDPR to protect such data, and to obtain, use, process, store and destroy it, only in compliance with the GDPR and its principles.

IDT acts as a data controller when processing your personal data, which means that we determine the purposes and means of the processing of your personal data collected by us. IDT is a company registered in England and Wales under company registration number 135555314. Our registered office and contact information is:

IDT Retail Europe Limited
44 Featherstone Street
London EC1Y 8RN
Email: legal-uk@idt.net
IDT’s Representative: Amy Reynolds
IDT’s Representative’s Email: data_info@idt.net

2. The GDPR

The GDPR gives individuals the right to know what data is held about them, to access this data and to exercise other rights, including the rectification of inaccurate data. The GDPR is a standardised regulatory framework which ensures that personal data is obtained, handled and disposed of properly.

IDT abides by the principles of the GDPR and other relevant data protection laws, which ensure that personal data shall be:

IDT has adequate and effective measures, controls and procedures in place to protect and secure your personal data and to ensure that it is only ever obtained, processed and disclosed in accordance with the relevant data protection laws and regulations.

3. What is personal data?

Information protected under the GDPR is known as “personal data” and is defined as:

“Any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

4. The right of access

4.1 General. Under Article 15 of the GDPR, an individual has the right to obtain from the controller confirmation as to whether personal data concerning him/her is being processed. We are committed to upholding the rights of individuals and have dedicated processes in place for providing access to their personal data. You have the right to access any personal data that IDT processes about you and to request information about:

4.2 How to make a subject access request. A subject access request (“SAR”) is a request for access to the personal data that IDT holds about you, which we are required to provide you under the GDPR, unless an exception or exemption applies. To make a request for access to your personal data or to exercise any of your other rights, you can email us at data_info@idt.net or you can also submit your request in writing using the form in Appendix 1 to this Policy and sending that form to us at:

IDT Retail Europe Limited
44 Featherstone Street
London EC1Y 8RN
Attn: Data Protection Team

Where a request is received by electronic means, we will provide the requested information in a commonly used electronic form (unless otherwise requested by the data subject).

4.3 What we do when we receive a SAR.

(a) Identity verification. A record of each SAR is made as soon as it is received by our data protection team. We will use all reasonable measures to verify the identity of the individual making the SAR, especially where the request is made using online services. We will utilise the requested data to ensure that we can verify your identity and where we are unable to do so, we may contact you for further information, or ask you to provide evidence of your identity prior to actioning any request. This is to protect your data and rights. If a third party, relative or representative is requesting the data on your behalf, we will verify their authority to act for you and may contact you to confirm their identity and gain your authorisation prior to actioning the request.

(b) Data gathering. If you have provided enough information in your SAR to locate and collate the personal data we hold about you, we will gather all data relating to you and ensure that the data required is provided in an acceptable format.  If we do not have enough information to locate your records, we may contact you for further details.  This will be done as soon as possible and within the timeframes set out below.

(c) Data provision. Once we have located and collated all the personal data held about you, we will send this to you in writing (or in a commonly used electronic form if requested).  The data will be in a concise, transparent, intelligible and easily accessible format, using clear and plain language.

4.4 Timeframes and fees. We are required to respond to a valid SAR within one month of receipt of the SAR.  However, where the retrieval or provision of data is particularly complex or is subject to a valid delay, the period may be extended by two further months.  If this is the case, we will contact you within the original 30 day period and provide the reasons for the delay.  In most cases the data is provided free of charge.  However, under certain circumstances we may charge a reasonable fee to cover our administrative costs in responding to the SAR.

5. Your other rights

Under the GDPR, you have the following other rights, which you can exercise using the form in Appendix 1 to this Policy:

5.1 Right of rectification. You have the right to request rectification of any inaccurate personal data held by us.  Where you notify us of inaccurate data about you, and we agree that the data is incorrect, we will amend the details promptly as directed by you and make a note on our system of the change and reasons.  We will rectify any errors and inform you in writing of the correction and where applicable provide the details of any third party to whom the data has been disclosed.  If for any reason we are unable to act in response to a request for rectification and/or data completion or need more time, we will provide a written explanation to you and inform you of your right to complain to the supervisory authority and to seek a judicial remedy.

5.2 Right of erasure (right to be forgotten). You have the right to request erasure of your personal data in certain circumstances, including where the data are no longer necessary for the purposes for which they were collected, you withdraw your consent (and there is no other legal basis for processing) or you object to the processing (and we have no overriding legitimate grounds for the processing). Even if you request erasure of your data, we may continue to hold and process such data under certain circumstances, including for compliance with legal obligations.

5.3 Right to restrict processing. You have the right to restrict processing of your personal data under certain circumstances (such as where the accuracy of the data is contested) and subject to certain exceptions (such as processing for legal claims).

5.4 Right to data portability. You have the right to data portability, meaning the right to receive the personal data concerning you which you have provided us in a commonly used, machine-readable format and to have that data transmitted to another controller (where feasible), if our processing is based on your consent or a contract and the processing is carried out by automated means.

5.5 Right to object to processing. You have the right to object to any processing of your personal data which is based on our legitimate interests, including profiling, and we shall no longer process such data unless we demonstrate compelling legitimate grounds to do so.  You also have the right to object to the processing of your personal data for direct marketing purposes.

5.6 Right not to be subject to automated decision. You have the right not to be subject to a decision based solely on automated processing, including profiling, which significantly affects you, subject to certain exceptions including if the decision is necessary for us to perform our contract with you or is authorised by EU or Member State law or is based on your consent.  At times we will use systems to make automated decisions based on your data.  You can challenge these automated decisions, and ask that a person review the data and the result.

6. Automated decision making

At times we will use systems to make automated decisions based on your personal data.  This enables us to make quick and fair decisions, based on what we know.  These automated decisions can affect the products, services, or features available to you.  We use your data to make automated decisions mainly for (a) ecommerce risk management in order to spot any activity that could potentially be fraudulent or criminal and (b) to understand how you use our Services.  If we think there is a risk of fraud or criminal activity, we may take action such as denying a transaction or refusing access to a service or product or a feature of a service or product.  In addition, when you open an account with us we use automation to check that the product or service is relevant for you, based on what we know.  You have the right not to be subject to a decision based solely on automated processing, which significantly affects you and you can request that we not make our decisions based solely on automated means – see Section 5.6 of this Policy.

7. Exemptions and refusals

The GDPR contains certain exemptions from the provision of personal data. If one or more of these exemptions applies to your SAR or where we do not act upon the request, we shall inform you at the earliest convenience, or at the latest, within one month of receipt of the SAR. Where possible, we will provide you with the reasons for not acting and any possibility of lodging a complaint with the supervisory authority and your right to seek a judicial remedy. Details of how to contact the supervisory authority can be found in Section 8 of this Policy.

In addition, we may be subject to EU or Member State law that restricts some of your rights primarily in order to safeguard national security, public defence, public security, the prevention, investigation, detection or prosecution of criminal offences, other important objectives of general public interest of the EU or of a Member State, the protection of judicial independence and judicial proceedings, the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions, the protection of the data subject or the rights and freedoms of others and the enforcement of civil law claims.

8. Contacting us & lodging a complaint

If you wish to contact IDT, raise a complaint regarding the processing of your data or are unsatisfied with how we have handled your data, you can contact us in writing at:

IDT’s contact information

IDT Retail Europe Limited
44 Featherstone Street
London EC1Y 8RN
Email: legal-uk@idt.net
IDT’s Representative: Amy Reynolds
IDT’s Representative’s Email: data_info@idt.net

If you remain dissatisfied with our actions, you have the right to lodge a complaint with the applicable supervisory authority in your Member State. Here is the contact information for the supervisory authorities in the United Kingdom, Germany and Spain.

Supervisory Authority contact information – United Kingdom

Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
Fax: 01625 524 510
Email: enquiries@ico.org.uk

Supervisory Authority contact information – Germany

The Federal Commissioner for Data Protection and Freedom of Information
Husarenstraße 30
53117 Bonn
Telephone: +49 (0) 228-997799-0
E-Mail: poststelle@bfdi.bund.de

Supervisory Authority contact information – Spain

Spanish Agency for Data Protection
C / Jorge Juan, 6
28001-Madrid
Telephone: 901 100 099 - 912 663 517
Electronic office: http://sedeagpd.gob.es/sede-electronica-web/

 


Appendix 1

Subject Access Request Form

Under the General Data Protection Regulation, you are entitled as a data subject to obtain from IDT confirmation as to whether we are processing personal data concerning you, as well as to request details about the purposes, categories and disclosure of such data.

You can use this form to request information about, and access to, any personal data we hold about you. Details on where to return the completed form can be found at the end of the form.

1. Personal Details:

Data Subject’s Name:

 

DOB:

 

Home Telephone No:

 

Email:

 

Data Subject’s Address:

 

Any other information that may help us to locate your personal data:

 

 

 

2. Specific Details of the Data Requested:

 

 

 

3. Representatives (only complete if you are acting as the representative for a data subject)
[Please Note: We may still need to contact the data subject where proof of authorisation or identity is required]

Representative’s Name:

 

Relationship to Data Subject:

 

Telephone No:

 

Email:

 

Representative’s Address:

 

I confirm that I am the authorised representative of the named data subject:

Representative’s Name:

 

Signature:

 

4. Confirmation

Data Subject’s Name: [print name]

 

Signature:

 

Date:

 

5. Completed Form

For postal requests, please return this form to:

IDT Retail Europe Limited
44 Featherstone Street
London EC1Y 8RN
Attn: Data Protection Team

For email requests, please return this form to:

data_info@idt.net