Your business may be required to comply with various data protection legislation, such as the European General Data Protection Regulation or the California Consumer Privacy Act.
These pieces of legislation grant certain rights to the data subject in relation to that data, and TimeZest is committed to providing the means for you to remain in compliance with privacy legislation when those rights are exercised.
As a general overview, data subjects have the following rights, although for exact details you will need to consult the relevant legislation:
the right to have information about the data collected about them, and the purposes for which it is used
the right to access their data, and receive a copy of data held about them
the right to modify that data, and correct any inaccuracies in it
the right to delete their data
the right to object to, or limit, the processing of their data
the right to move their data to another provider
In the context of the various data protection legal regimes, TimeZest is acting as a data processor, which means that it processes customer data that is under your control, and on your instructions (i.e. by signing up to TimeZest). TimeZest is the data controller only for limited types of data (primarily data related to our marketing website visitors).
The consequence of this is that any request by a data subject to exercise their rights in relation to data that TimeZest is processing for you must be made to you. TimeZest will not act on requests to exercise data subject rights that are made to it directly (except for data we are the controller for), but will instead inform anyone who makes such a request to make it to you, as the data controller.
Acting on Data Subject Requests
When a request is made by a data subject to you to exercise one of their rights in relation to data processed by TimeZest, we suggest that you evaluate their request in view of the legislation which applies to your company, and the operational requirements of your company. There are certain exceptions in the legislation to acting on a data subject's request to exercise their rights.
We also suggest that you verify, as permitted by the legislation, that the person making the request to exercise a right is the person whose data is affected. TimeZest will not communicate directly with the data subject in relation to processed data.
After you have determined that the request to exercise a data subject right is legitimate, necessary to be actioned, and from the person whose data it is, you should then communicate with TimeZest regarding the data to be accessed/modified/deleted to fulfil the data subject's rights.
TimeZest itself may refuse to fully act on a request to exercise data subject rights, where necessary and permitted by legislation. For example, we may retain data about data subjects where necessary to fulfil legal obligations or to protect the security of TimeZest, even where the data subject has requested that data's deletion.
To have TimeZest act on a data subject's request to exercise their rights, contact [email protected], clearly stating that it is a request to exercise data subject rights, and providing details of the changes you wish TimeZest to make to the data it processes on your behalf to give effect to the data subject's request. Additionally, we require you to confirm in writing that you have verified the identity of the data subject requesting to exercise their rights.