Making a Subject Access Request

Making a Subject Access Request

DATA SUBJECT RIGHTS IN RELATION TO DATA PRIVACY V1.0.1 May 2018

GENERAL POLICY ON YOUR RIGHTS IN RELATION TO YOUR DATA

A) AIM

This policy outlines the rights that data subjects have, under the General Data Protection Regulation (GDPR), in relation to the data about them that we hold. Data subjects, for the purposes of this policy, includes current customers of Blacknight with a valid account ID on cp.blacknight.com, subscribers to Blacknight mailing lists (past and current subscribers), domain registrants whose information may be stored in Blacknight WHOIS service database.

B) THE RIGHT TO BE INFORMED

In order to keep you informed about how we use your data, we have a privacy notice on our website. You can obtain a copy of the privacy notice from our Data Protection Statement.

Our privacy notices set out:

  1. the types of data we hold and the reason for processing the data;
  2. our legitimate interest for processing it;
  3. details of who your data is disclosed to and why, including transfers to other countries. Where data is transferred to other counties, the safeguards used to keep your data secure are explained;
  4. how long we keep your data for, or how we determine how long to keep your data for;
  5. where your data comes from;
  6. your rights as a data subject;
  7. your absolute right to withdraw consent for processing data where consent has been provided and no other lawful reason for processing your data applies;
  8. your right to make a complaint to the Data Protection Commission if you think your rights have been breached;
  9. whether we use automated decision making and if so, how the decisions are made, what this means for you and what could happen as a result of the process;
  10. the name and contact details of our appointed compliance officer.

C) THE RIGHT OF ACCESS

You have the right to access your personal data which is held by us. You can find out more about how to request access to your data by reading our Subject Access Request policy. See Annex A for details on making a Subject Access Request

D) THE RIGHT TO ‘CORRECTION’

If you discover that the data we hold about you is incorrect or incomplete, you have the right to have the data corrected. If you wish to have your data corrected, you should submit this request by email to gdpr@blacknight.com

Usually, we will comply with a request to rectify data within one month unless the request is particularly complex in which case we may write to you to inform you we require an extension to the normal timescale. The maximum extension period is two months.

You will be informed if we decide not to take any action as a result of the request. In these circumstances, you are able to complain to the Data Protection Commission and have access to a judicial remedy.

Third parties to whom the data was disclosed will be informed of the rectification.

E) THE RIGHT OF ‘ERASURE’

In certain circumstances, we are required to delete the data we hold on you. Those circumstances are:

  1. where it is no longer necessary for us to keep the data;
  2. where we relied on your consent to process the data and you subsequently withdraw that consent. Where this happens, we will consider whether another legal basis applies to our continued use of your data;
  3. where you objected to the processing (see below) and the Company has no overriding legitimate interest to continue the processing;
  4. where we have unlawfully processed your data;
  5. where we are required by law to erase the data.

If you wish to make a request for data deletion, you should submit this request by email to gdpr@blacknight.com

We will consider each request individually, however, you must be aware that processing may continue under one of the permissible reasons. Where this happens, you will be informed of the continued use of your data and the reason for this.

Third parties to whom the data was disclosed will be informed of the erasure where possible unless to do so will cause a disproportionate effect on us.

F) THE RIGHT OF ‘RESTRICTION’

You have the right to restrict the processing of your data in certain circumstances.

We will be required to restrict the processing of your personal data in the following circumstances:

  1. where you tell us that the data it holds on you is not accurate. Where this is the case, we will assist you in updating the data with the correct detail , or if possible we will cease processing of the data where applicable.
  2. where the data is processed for the performance of a public interest task or because of our legitimate interests and you have objected to the processing of data. In these circumstances, the processing may be restricted whilst we consider whether our legitimate interests mean it is appropriate to continue to process it;
  3. when the data has been processed unlawfully;
  4. where we no longer need to process the data but you need the data in relation to a legal claim.

If you wish to make a request for data restriction you should submit this request by email to gdpr@blacknight.com

Where data processing is restricted, we will continue to hold the data but will not process it further unless you consent to the processing or processing is required in relation to a legal claim.

Where the data to be restricted has been shared with third parties, we will inform those third parties of the restriction where possible unless to do so will cause a disproportionate effect on us.

You will be informed before any restriction is lifted.

G) THE RIGHT TO DATA ‘PORTABILITY’

You have the right to obtain the personal data that we collect and process on you and transfer it to another party. Where our technology permits, we will transfer the data directly to the other party on your instruction. This would generally apply to your account information or domain registration details NOT the website content or other associated services, and any existing transfer procedures will remain in place.

Data which may be transferred is data which:

  1. Personal data (PII) you have provided to us; and
  2. is processed because you have provided your consent or because it is needed to perform the employment contract between us; and
  3. is processed by automated means.

If you wish to exercise this right, please email gdpr@blacknight.com

We will respond to a portability request without undue delay, and within one month at the latest unless the request is complex or we receive a number of requests in which case we may write to you to inform you that we require an extension and reasons for this. The maximum extension period is two months.

You will be informed if we decide not to take any action as a result of the request, for example, because the data you wish to transfer does not meet the above criteria. In these circumstances, you are within your rights to complain to the Data Protection Commission and have access to a judicial remedy.

The right to data portability relates only to data defined as above. You should be aware that this differs from the data which is accessible via a Subject Access Request.

H) THE RIGHT TO ‘OBJECT’

You have a right to require us to stop processing your data; this is known as data objection.

You may object to processing where it is carried out:

  1. in relation to the Company’s legitimate interests;
  2. for the performance of a task in the public interest;
  3. in the exercise of official authority; or
  4. for profiling purposes.

If you wish to object, you should submit this request in writing to gdpr@blacknight.com

In some circumstances we will continue to process the data you have objected to. This may occur when:

  1. we can demonstrate compelling legitimate reasons for the processing which are believed to be more important than your rights; or
  2. the processing is required in relation to legal claims made by, or against, us.

If the response to your request is that we will take no action, you will be informed of the reasons.

I) RIGHT NOT TO HAVE AUTOMATED DECISIONS MADE ABOUT YOU

You have the right not to have decisions made about you solely on the basis of automated decision-making processes where there is no human intervention, where such decisions will have a significant effect on you.

However, the Company does not currently make any decisions based on such processes.

In circumstances if/where we use special category data, for example, data about your health, sex life, sexual orientation, race, ethnic origin, political opinion, religion, and trade union membership the Company will ensure that one of the following applies to the processing:

  1. you have given your explicit consent to the processing; or
  2. the processing is necessary for reasons of substantial public interest.

 


 

ANNEX A – Making a Subject Access Request (SAR)

1. Making a request

All SAR should be emailed to GDPR@BLACKNIGHT.COM

The email will generate a support ticket directed to our privacy office and the email will be acknowledged within one (1) working day (excl. weekends /bank holidays etc.)  Requests that are made directly by you should be accompanied by evidence of your identity a valid account ID and the email should originate from the authorised email account registered in the control panel. If this is not provided, we may contact you to ask that such evidence be forwarded before we comply with the request. In some cases we may require further proof of ID such as drivers licence, passport etc. Once the identity has been validated we will purge any such additional documentation.

2. Timescales

Usually, we will comply with your request without delay and at the latest within one month. Where requests are complex or numerous, we may contact you to inform you that an extension of time is required. The maximum extension period is two months.

3. Fee

We will normally comply with your request at no cost. However, if the request is manifestly unfounded or excessive, or if it is repetitive, we may contact you requesting a fee. This fee must be paid in order for us to comply with the request. The fee will be determined at the relevant time and will be set at a level which is reasonable in the circumstances.

4. Information you will receive

When you make a subject access request, you will be informed of:

  1. whether or not your data is processed and the reasons for the processing of your data;
  2. the categories of personal data concerning you;
  3. where your data has been collected from if it was not collected from you;
  4. anyone who your personal data has been disclosed to or will be disclosed to, including anyone outside of the EEA and the safeguards utilised to ensure data security;
  5. how long your data is kept for (or how that period is decided);
  6. your rights in relation to data rectification, erasure, restriction of and objection to processing;
  7. your right to complain to the Office of the Data Protection Commissioner if you are of the opinion that your rights have been infringed;
  8. the reasoning behind any automated decisions taken about you.

5. Circumstance in which your request may be refused

We may refuse to deal with your subject access request if it is manifestly unfounded or excessive, or if it is repetitive. Where it is our decision to refuse your request, we will contact you without undue delay, and at the latest within one month of receipt, to inform you of this and to provide an explanation. You will be informed of your right to complain to our appointed compliance officer and to a judicial remedy. If you are not satisfied, you can escalate your complaint to the Office of the Data Protection Commissioner.

We may also refuse to deal with your request, or part of it, because of the types of information requested. For example, information which is subject to legal privilege or relates to management planning is not required to be disclosed. Where this is the case, we will inform you that your request cannot be complied with and an explanation of the reason will be provided.