Privacy/Procedures: Difference between revisions
Revision as of 22:20, 23 May 2023
This page documents procedures applicable to privacy.
Privacy requests
These procedures have never been applied, as we have never received a privacy request. They were established according to the ICO handbook for the data portability and fee questions. We're encouraged to document how it goes when we apply them, so we can refine these procedures.
European regulation grants data protection rights.
Anyone wishing to exercise them needs to file a task on DevCentral. This form allows doing so easily and, as for a security issue, files the task in a private space visible only to Nasqueron Ops SIG.
Nasqueron Ops SIG is currently responsible for managing those requests. A specific team for privacy issues can be created in the future.
When a request is filed, the deadline for a response is ONE MONTH. We can extend the time to respond by a further two months if the request is complex or if we have received a number of requests from the individual, but we need to warn them during that month.
What can be requested and how to respond?
Right | Description of the right | What to do? |
---|---|---|
Access | Request Nasqueron for copies of personal data | To document, as each application has its own data. Probably worthwhile to ask the requester which precise applications the data has been submitted to.
If the request is manifestly unfounded or excessive, reject it: "The request is manifestly unfounded or excessive; according to article 12(5) of the GDPR, such a request may be rejected by the data controller. We've opted to reject it." If an individual requests further copies of their data, and the data has been modified, it's probably legit. If not, request a fee: "The request is excessive, as you've already exercised your rights previously: [...]. According to article 12(5) of the GDPR, we may charge a reasonable fee for such a request. We've opted to charge you a fee of 80 EUR to partly cover (one hour) the administrative cost of preparing this request; if any, the remaining time won't be billed, to keep the fee small and reasonable. If you agree, please confirm your intent and we'll give you wire transfer instructions. Once your wire transfer is received, we'll process your request swiftly." Once this request is sent, stop the timer pending payment. Once payment is received, the timer runs again to continue the 30-day delay. Use the timer on DevCentral so we can track time and demonstrate the fee is reasonable for the time spent. |
Rectification. | Request Nasqueron to:
|
Ask the requester for the precise application, the data they see, and the data they expect to see.
Can the user edit the data themselves?
Don't edit the database manually; instead, prepare a script published to rOPS with a reference to the issue created. Log on #nasqueron-ops: "[server] Run ... privacy maintenance script (T... / T...)" with two task references: the initial request, and the maintenance script task if it's a new one. |
Erasure. | Request Nasqueron to erase personal data, under certain conditions |
|
Restrict processing. | Request Nasqueron to restrict processing of personal data, under certain conditions | See below, but ask how we CAN and what the restriction is. |
Object to processing. | Object to Nasqueron's processing of personal data, under certain conditions | Ask how we CANNOT process the request if it's not clear enough in the request.
Then, do we do that?
|
Data portability. | Request Nasqueron to transfer the data to another organisation or to the person |
|
For all rejections / fee requests, we need to include the following information:
- the reasons for not taking action
- the right of the requester to make a complaint to the autorité de protection des données:
- first, by requesting the authority to intervene and act for mediation at https://www.autoriteprotectiondonnees.be/citoyen/agir/demander-une-mediation or another supervisory authority
- secondly, if the mediation doesn't reach a solution suitable for all parties, to make a complaint at https://www.autoriteprotectiondonnees.be/citoyen/agir/introduire-une-plainte or another supervisory authority
- thirdly, their ability to seek to enforce this right through a judicial remedy.