Procedure for Exercising Data Subject Rights
1. General Provisions and Objectives
The purpose of this Procedure for Exercising Data Subject Rights (hereinafter referred to as the Procedure) is to lay down the requirements and binding rules relating to the exercise of privacy rights by natural persons (hereinafter referred to as the Data Subject) with regard to the processing of their Personal Data by the companies that are members of Exadel Group (hereinafter referred to as the Company).
The Procedure describes the scope of the privacy rights, rules for exercising these rights, and processes and tools that allow the Company to ensure that the Data Subjects exercise their privacy rights in accordance with the Applicable laws.
The Data Subject’s request must be submitted using the request form on our website, at this link: https://exadel.com/privacy-policy/.
2. Definitions and Abbreviations
The most relevant definitions and abbreviations are presented below:
- Personal Data (PD) — Any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to their physical, physiological, mental, economic, cultural, or social identity.
- Data Subject (DS) — An identified or identifiable natural person whose Personal Data is processed by the Company.
- Applicable laws — Refers to the scope of laws on privacy and data protection governing Data Subject Rights.
3. Data Subject Rights
3.1 Right to be informed about processing of Personal Data
Before or at the time of collecting Personal Data, the Company informs the Data Subjects about processing of their Personal Data by directing them to the Privacy Policy or Privacy Notice published on the Exadel corporate website.
In addition, the Company will, upon receiving the Data Subject request:
- Send a copy of the Privacy Policy or the Privacy Notice to the Data Subject by email, or
- Communicate the Privacy Policy or Privacy Notice by other means of communication acceptable to the Data Subject
The Privacy Policy or the Privacy Notice provided to the Data Subjects contains the following information:
- The identity and the contact details of the Company as a controller and, where applicable, of the Company’s relevant representative
- The contact details of the data protection officer, where applicable
- The purposes of the processing for which the Personal Data are intended, as well as the legal basis for the processing
- Where the processing is based on legitimate interests, the Company shall describe these interests pursued by the Company and/or by a third party
- The recipients or categories of recipients of the Personal Data, if any
- Where applicable, the fact that the controller intends to transfer Personal Data to a third country with reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available
In addition to the information referred to in the clause above, if applicable, the Company shall provide the Data Subject with the following further information where necessary to ensure fair and transparent processing:
- The period for which the Personal Data will be stored, or if that is not possible, the criteria used to determine that period
- The existence of the right to request from the controller:
  - Access to and rectification or erasure of Personal Data
  - Restriction of processing concerning the Data Subject
  - To object to processing as well as the right to data portability
- Where the processing is based on consent, the existence of the right to withdraw consent at any time shall be ensured without affecting the lawfulness of processing based on consent before its withdrawal
- The existence of automated decision-making, including profiling, and at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the Data Subject
When Personal Data of a Data Subject are not collected directly from the Data Subject, the Privacy Policy or the Privacy Notice shall be delivered to the Data Subject in accordance with the following rules:
- Within a reasonable period of time from the receipt of Personal Data, but not later than within 1 (one) month, taking into account the specific circumstances of Personal Data processing
- If Personal Data will be used for communication with the Data Subject — at the latest, for the first time when contacting that Data Subject
- If Personal Data are to be disclosed to another recipient, at the latest at the time of the first disclosure
3.2 Right to restrict processing of Personal Data
The Data Subject has the right to request restriction of processing where one of the following applies:
- The accuracy of the Personal Data is contested by the Data Subject, for a period enabling the controller to verify the accuracy of the Personal Data
- The processing is unlawful and the Data Subject opposes the erasure of the Personal Data and requests the restriction of its use instead
- The Company no longer needs the Personal Data for the purposes for which it has been collected, but the Data Subject has requested that the Company keep it for the establishment, exercise, or defense of legal claims
- The Data Subject has objected to processing pending verification whether the legitimate grounds of the Company override those of the Data Subject
Personal Data whose processing is restricted shall be stored until such restriction is lifted. The Data Subject shall be informed in writing or by electronic means about the lifting of any restriction before such restriction is lifted.
The Company shall no longer process the Personal Data after receiving a request for restriction of data processing unless the Company can demonstrate compelling legitimate grounds for the processing which override the interests and the rights and freedoms of the Data Subject, or for the establishment, exercise, or defense of legal claims.
If the Personal Data whose processing was restricted at the request of the Data Subject has been transferred to third parties, the Company should inform these third parties thereof, unless this would be impossible or would require a disproportionate effort. The Data Subject shall have the right to request information on such third parties.
3.3 Right of access to Personal Data
The Company, at the request of the Data Subject to access their personal data, must provide:
- Information on whether or not the Personal Data of the Data Subject are processed
- The information related to the processing of Personal Data provided for in Section 3.1 (Right to be informed about processing of Personal Data), if the Personal Data of the Data Subject are processed
- A copy of the Personal Data processed
As a rule, the Company provides a copy of Personal Data in digital format by using electronic means of communication.
The Data Subject has the right to request a copy of the Personal Data in a form other than that normally provided by the Company, but the Company may charge a fee for this, calculated according to the administrative costs of compiling this form.
3.4 Right to rectification of Personal Data
The Data Subject has the right to request rectification of their Personal Data, without undue delay. The Data Subject has the right to demand that any inaccurate or incomplete Personal Data is not processed by the Company until the Personal Data is corrected or supplemented as a whole.
The DS should provide to the Company information about the inaccuracy or incompleteness of the Personal Data as well as present the accurate and true Personal Data for further rectification of inaccurate or incomplete data.
If the Personal Data that was corrected at the request of the Data Subject has been transferred to a third party, the Company shall immediately inform the third party about inaccuracy of transferred Personal Data, unless this would be impossible or would require a disproportionate effort for the Company.
The Data Subject shall have the right to obtain from the Company information on the third parties to whom their Personal Data have been transmitted for further implementation of the right of rectification.
3.5 Right to erasure of Personal Data (“Right to be forgotten”)
This right empowers individuals to request deletion or removal of their Personal Data when certain conditions are met.
The Company has the obligation to erase Personal Data without undue delay where one of the following grounds applies:
- The Personal Data is no longer necessary in relation to the purposes for which they were collected or otherwise processed and there is no justification to keep it longer (e.g. legal obligation)
- The Data Subject withdraws their consent on which the processing is based, and where there is no other legal ground for processing
- The Personal Data has been unlawfully processed
- The Personal Data has to be erased for compliance with a legal obligation imposed by an applicable law or a court order.
The Data Subject’s right to request the erasure of Personal Data may not be exercised in the following cases:
- To protect the right of freedom of expression and information;
- To comply with a legal obligation which requires processing by applicable law to which the Company is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Company;
- For the establishment, exercise or defense of legal claims.
If the Personal Data that should be deleted at the request of the DS has been transferred to third parties, the Company should inform these third parties, unless this would be impossible or would require a disproportionate effort. The Data Subject has the right to request information on such third parties.
3.6 Right to Personal Data portability
The Data Subject shall have the right to receive the Personal Data concerning them, which they have provided to a controller. The Personal Data shall be provided in a structured, commonly used, and machine-readable format. The Data Subject also has the right to transmit this data to another controller without hindrance from the controller to which the Personal Data have been provided, where one of the following applies:
- The processing is based on consent
- The processing is based on a contract
- The processing is carried out by automated means
The Company could transmit Personal Data directly to a third party at the request of the Data Subject, where technically feasible.
3.7 Right to object to processing of Personal Data
The right to object allows individuals to challenge the processing of their Personal Data under certain circumstances. At the latest at the time of the first communication with the Data Subject, the right to object shall be explicitly brought to the attention of the Data Subject and shall be presented clearly and separately from any other information.
General right to object: Individuals have the right to object to the processing of their Personal Data when the processing is based on legitimate interests (including profiling) of the data controller or a third party, unless the controller can demonstrate compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the individual, or for the establishment, exercise, or defense of legal claims.
Right to object to direct marketing: Individuals have an absolute right to object to the processing of their Personal Data for direct marketing purposes, including profiling to the extent that it is related to such direct marketing. If an individual objects to processing for direct marketing purposes, the Personal Data shall no longer be processed for such purposes. This is an absolute right and there are no exemptions or grounds for the Company to refuse it.
3.8 Right not to be subject to a decision based solely on automated processing, including profiling
The Data Subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.
Here’s a breakdown of what this right entails:
Automated Decision-Making: This refers to decisions that are made entirely by automated means, without any human involvement. These decisions are often based on algorithms, computer programs, or artificial intelligence systems.
Profiling: Profiling involves the automated processing of Personal Data to evaluate certain aspects of an individual, such as their behavior, preferences, interests, or location. This can be done to analyze or predict aspects of the individual’s personal or professional life.
The right not to be subject to automated decision-making, including profiling, applies when such decisions have legal or similarly significant effects on the individual. This includes decisions that could result in significant impacts on the individual’s rights, freedoms, or legal status. For example, using algorithms to screen job applicants based on specific criteria such as qualifications, experience, and skills. Candidates who do not meet certain thresholds are automatically excluded from consideration for a position, without any meaningful human intervention.
There are some exceptions to this right, such as when automated decision-making is necessary for entering into or performing a contract, is authorized by law, or is based on explicit consent given by the individual. However, even in these cases, individuals still have the right to obtain human intervention, express their point of view, and challenge the decision.
Human Intervention: Individuals have the right to request human intervention in automated decision-making processes. This means they can ask for a decision to be made or reviewed by a person, rather than solely relying on automated processes.
Organizations are required to provide individuals with meaningful information about the logic involved in automated decision-making processes, as well as the significance and potential consequences of such processing.
Right to Challenge Decisions: Individuals have the right to challenge decisions made through automated processes, including profiling. They can request a review of the decision, express their own views and provide additional information to be considered.
4. Submission of a Data Subject request to exercise the Data Subject rights
In accordance with Applicable data protection laws, including the European General Data Protection Regulation (GDPR), the Data Subjects have the right to access, rectify, erase, or restrict the processing of their Personal Data, as well as other rights such as data portability and objection to processing, as described in more detail in the sections above.
To exercise their rights, the Data Subjects are asked to submit a request using the dedicated Data Subject Rights Request Form available on the Exadel website. This helps us process their requests efficiently and ensures the security of the Personal Data. The Data Subjects can also exercise their data rights in person, by electronic means, or by post.
Note: In order to ensure confidentiality requirements, when the request is submitted by ordinary post, the Data Subject must note that the correspondence is addressed to the “Data Protection Officer”.
When submitting a request, the Data Subject will be required to provide sufficient information to verify their identity. This will include as a minimum their full name, contact details, and any other relevant identifiers associated with their interactions with Exadel. The Data Subject may be contacted if additional information is needed to confirm their identity and process their request.
The request will be valid if it contains all of the following information:
- Data Subject’s complete name, address, and/or email address in order for us to respond to the request
- Type of the relationship that the Data Subject has with Exadel (e.g. client, employee, candidate)
- Request details (e.g. request to exercise the right of access)
If a request relates to the rectification of data, the Data Subject should indicate which data and how it should be amended.
The Data Subject may exercise their rights themselves or through a legitimate representative.
The representative must indicate in the request the name, address and/or other contact details, and the name of the represented person, as well as other data necessary to identify the Data Subject (e.g., customer identification code).
5. Important points when exercising Data Subject rights
Response Time: Exadel will respond to the requests in accordance with the Applicable laws. If GDPR applies to the request, Exadel will respond within one month from the date of receipt. In case of complex requests, this period may be extended by up to two additional months, in which case Exadel will inform the Data Subject accordingly.
Limitations and Exemptions: Data Subject rights may be subject to certain legal exceptions or limitations, for example, where compliance with the request would conflict with Exadel's legal obligations or the rights of others.
If, during the examination of the request, the Company determines that the rights of the Data Subject are restricted on the grounds provided below, it shall immediately inform the Data Subject:
- National security
- Defense
- Public security
- The prevention, investigation, detection, or prosecution of criminal offenses or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security
- Other important objectives of general public interest specified in applicable laws, in particular an important economic or financial interest, including monetary, budgetary and taxation matters, public health, and social security
- The protection of judicial independence and judicial proceedings
- The prevention, investigation, detection, and prosecution of breaches of ethics for regulated professions
- A monitoring, inspection, or regulatory function connected to the exercise of official authority in cases mentioned above
- The protection of the Data Subject or the rights and freedoms of others
- The enforcement of civil law claims
Communication language: Information on exercising the Data Subject rights shall be provided in the official language and, if necessary, translated into the language in which the request was made.
Right to complain: The Data Subject has the right to complain to the Supervisory Authority according to Applicable law. Contact details for the relevant Supervisory Authority are available on the Authority’s website. The Data Subject can also ask the Company to provide the contact details for the appropriate Supervisory Authority.
Compensation: In case of material or non-material damage due to violation of the Data Subject’s rights, the Data Subject has the right to compensation; for the award of this compensation, they have the right to apply to a court in accordance with the Applicable laws.
Contact Us
For more information about exercising your rights as a Data Subject, you can contact us:
- For US: USA, Walnut Creek, 1340 Treat Blvd., Suite 375, CA 94597, +1 (866) 787 9631.
- For EU: Poland, Warsaw Corporate Center ul. Emilii Plater 28, 00-688 Warszawa
- Or via email [email protected].