Data Subject Access Request Process (DSAR)

1. Information to be provided to data subjects

ARuVR provides natural persons (the data subjects) with information in an appropriate format which clearly communicates:

  • the identity of ARuVR and its representatives where applicable
  • the purposes for which the personal information can be processed
  • the legitimate interests of ARuVR or the processing where ‘legitimate interest’ is the legal basis used
  • the types of personal information collected, where this is from a source other than the natural person
  • information about the disclosure of personal information to third parties
  • whether personal information is transferred outside the UK and EEA and an explanation of the safeguards in place, and how to get a copy of the safeguards
  • where ARuVR is based outside the EU and the natural person is in the EU, the identity of the EU based representative, where this is required
  • details of any technologies (such as cookies) used on a web site to collect personal information about the natural persons
  • other information to make the processing fair and transparent, such as:
    • the retention period(s) or the criteria used to set retention
    • information regarding the natural person’s rights of access to, and correction, deletion and restriction of personal information, as well as their right to data portability
    • the right to lodge a complaint with the ICO
    • where the processing is based on consent, the right to withdraw consent
    • where the provision of information is a statutory or contractual requirement, informing the natural person why it is necessary and what the consequences are of failing to provide the information
    • information about any automated decision making and/or profiling that the information might be used for, including logic involved and the consequences for the natural person

Where personal information is collected for marketing purposes or might be used in the future for marketing purposes, ARuVR ensures the natural person(s) are aware of how they can object to such marketing. This is clearly explained to them.

Where profiling by automated means is used for marketing purposes, ARuVR ensures the natural person(s) are aware of how they can object to such marketing. This is clearly explained to them.

All requests for access to their personal information from data subjects shall be notified to the ARuVR CTO who acts as the Data Protection Officer (DPO), or another person appointed by the ARuVR Directors as responsible for data protection compliance and the PIMS.

1.1. Timing of privacy information

Where ARuVR collects personal information directly from a natural person (a data subject), it ensures the natural person is provided with, or has access to, the privacy information required to be given, in advance of the data being collected.

Where ARuVR does not collect personal information directly from the natural person (data subject) the privacy information is provided after obtaining the personal information or:

  • Within one month (having regard to the specific circumstances in which the information is processed)
  • If the information is used to communicate with the natural person, then at the time of first communication
  • If the information is intended to be disclosed to another recipient, then at least when the information is first disclosed

The ARuVR CTO acting as Data Protection Officer (DPO), or the person appointed by the Directors as responsible for data protection compliance and the PIMS, monitors all data subject requests to ensure ARuVR responds in time.

1.2. Timing of privacy information

ARuVR ensures that personal information collected from third parties is collected fairly and lawfully. Where necessary the identified natural persons are provided with the information listed above in the bullet points in Section 3 within one month of collection unless the natural person already has the information or doing so would involve disproportionate effort. ARuVR will make considerable effort to provide the information.

The CTO acting as Data Protection Officer (DPO), or the person appointed by the Directors as responsible for data protection compliance and the PIMS, monitors all data subject requests to ensure ARuVR responds in time.

2. Rights of natural persons

2.1 Timeline for responding to data subject requests

The natural person’s rights in relation to their personal information are respected by ARuVR. Requests from natural persons to exercise their rights are addressed without undue delay and within one month of receipt of the request from the natural person. If it is not possible for ARuVR to respond to the request within one month, the natural person is informed of any necessary extension to the one-month time period for supplying the information in an electronic or hard-copy format as requested by the natural person. Any extension to the one-month period for complying with a request from a natural person is no longer than a further two months (maximum of three months). ARuVR may consider whether any derogations (relaxations of law) or exemptions apply.

Such rights include access to information, objection to processing, rectification of inaccurate information, erasure and/or restriction on the use of information, data portability and the right not to be subject to automated processing where such processing relates to profiling or that significantly affects the natural person.

The CTO acting as Data Protection Officer (DPO), or the person appointed by the Directors as responsible for data protection compliance and the PIMS, monitors all data subject requests to ensure ARuVR responds in time.

2.2 Timeline for responding to data subject requests

In response to a request from a data subject the Data Protection Officer (DPO) or the person appointed by the Directors as responsible for data protection compliance and the PIMS verifies the identity of the requestor then confirms whether or not personal information concerning them is being processed and, where that is the case, advises the data subject that they can receive a copy of their personal information and the following information (unless a specific derogation (relaxation of law) applies):

  • The purpose(s) of the processing
  • The categories of personal information concerned
  • The recipients or categories of recipient to whom the information has been disclosed, in particular recipients in third countries or international organisations
  • Where possible, the envisaged period for which the personal information will be stored, or if not possible, the criteria used to determine that period
  • The existence of the right to request rectification or erasure of personal information or restriction of processing of personal information concerning the natural person, or to object to such processing

  • The existence of the right to lodge a complaint with the ICO
  • Where the personal information has not been collected from the data subject, any available information as to the source of the information
  • The existence of automated decision-making, including profiling and meaningful information about the logic involved, as well as the significance and consequences of such processing for the natural person

  • Where the personal information is transferred to a third country or international organisation, what the appropriate safeguards are that have been put in place

The Data Protection Officer (DPO) or the person appointed by the Directors as responsible for data protection compliance and the PIMS first verifies the identity of the requestor. The template in Annex A is then completed and supplied to the data subject. The records of communication to/from the data subject are retained in accordance with the Information Retention Policy.

2.3 Data rectification requests procedure

ARuVR ensures that the natural person is able, without undue delay, to obtain the rectification of inaccurate personal information concerning him or her.

The natural person is also entitled to have incomplete personal information completed.

In response to a data rectification request from a data subject the CTO or Data Protection Officer (DPO) or the person appointed by the Directors as responsible for data protection compliance and the PIMS, verifies the identity of the requestor, checks the inventory of PII and data flows diagram to determine the location(s) of the data, then issues the instruction to the relevant department(s) to rectify the data. The relevant departments respond to confirm the data has been rectified. The data subject is then informed that the data has been rectified. The records of communication to/from the data subject are retained in accordance with the ARuVR Information Retention Policy.

2.4 Data erasure requests procedure

ARuVR ensures that requests from natural persons under the “right to erasure” are appropriately handled.
ARuVR ensures that a natural person has the right to obtain erasure of personal information about them without undue delay where:

  • The personal information is no longer necessary in relation to the purposes for which it was originally collected or otherwise processed
  • Where the processing was based on consent, the natural person withdraws their consent, and there is no other legal ground for continuing to process the information
  • The natural person has objected to the processing in question and there are no overriding legitimate grounds for the processing, or the natural person has objected to marketing

Company Confidential 7 of 12

  • The personal information has been unlawfully processed
  • The personal information needs to be erased to conform to a legal obligation
  • The personal information has been collected to offer information society services

ARuVR ensures that where the information has been made public, appropriate measures are taken to inform other organisations that might be processing the personal information that the natural person has requested the erasure of the information.
In response to a data erasure request from a data subject the CTO or Data Protection Officer (DPO), or the person appointed by the Directors as responsible for data protection compliance and the PIMS, verifies the identity of the requestor, checks the inventory of PII and data flows diagram to determine the location(s) of the data, checks whether there is an overriding obligation to retain the data, then if it should be erased issues the instruction to the relevant department(s) to erase the data. The relevant departments respond to confirm the data has been erased. The data subject is then informed that the data has been erased. The records of communication to/from the data subject are retained in accordance with the ARuVR Information Retention Policy.

4.5 Restriction of processing requests procedure

ARuVR ensures that a natural person has the right to obtain restriction of processing personal information where:

  • The accuracy of the personal information has been contested by the natural person, for a period enabling ARuVR to verify the accuracy of personal information
  • The processing is unlawful and the natural person objects to the erasure of personal information and requests the restriction of its use instead
  • ARuVR no longer needs the personal information for the purposes of the processing, but it is required by the natural person for the establishment, exercise or defence of legal claims
  • The natural person has objected to processing and the restriction stays in place pending the verification as to whether the legitimate grounds of the organisation override those of the natural person

ARuVR ensures that when a restriction is going to be lifted, the natural person is informed before this takes place.
In response to a restriction of data processing request from a data subject the CTO or Data Protection Officer (DPO), or the person appointed by the Directors as responsible for data protection compliance and the PIMS, verifies the identity of the requestor, checks the inventory of PII and data flows diagram to determine the location(s) of the data, checks whether there is an overriding obligation to continue processing the data, then if it should be restricted, issues the instruction to the relevant department(s) to restrict the processing of that natural person’s data. The relevant departments respond to confirm the data processing has been restricted. The data subject is then informed that the data processing has been restricted. The records of communication to/from the data subject are retained in accordance with the ARuVR Information Retention Policy.

4.6 Data portability request procedure

ARuVR ensures that where the natural person has the right to data portability and the information is being processed by automated means, the natural person is able to have that information transmitted to them, or to any other organisation they nominate, free of charge and in a structured, commonly used machine-readable format.
In response to a data portability request from a data subject the CTO or Data Protection Officer (DPO), or the person appointed by the Directors as responsible for data protection compliance and the PIMS, verifies the identity of the requestor, checks the inventory of PII and data flows diagram to determine the location(s) of the data, checks whether there is an overriding obligation to not release or to retain the data, then if it should be ported, issues the instruction to the relevant department(s) to supply the natural person’s data in a format suitable for porting. The relevant departments provide the data to the 3rd party and then respond to confirm the data has been ported. The data subject is then informed that the data has been ported. The records of communication to/from the data subject are retained in accordance with the ARuVR Information Retention Policy.

4.4 Objection to processing requests procedure

ARuVR ensures that the PIMS has procedures to consider and respond to requests from a natural person who objects to processing of personal information.
Where a natural person objects to the processing of personal information for the purposes of direct marketing, ARuVR ensures that processing ceases for that natural person.
In response to an objection to data processing from a data subject the CTO or Data Protection Officer (DPO), or the person appointed by the Directors as responsible for data protection compliance and the PIMS, verifies the identity of the requestor, checks the inventory of PII and data flows diagram to determine the location(s) of the data, checks whether there is an overriding obligation to process the data, then if it should not be processed, issues the instruction to the relevant department(s) to cease processing that natural person’s data and if appropriate to erase the data. The relevant departments cease processing the data and confirm that the processing has ceased and/or the data has been erased. The data subject is then informed that the processing has ceased and/or the data has been erased, as appropriate. The records of communication to/from the data subject are retained in accordance with the ARuVR Information Retention Policy.

5 Complaints and appeals procedure

In response to a complaint or appeal to data processing from a data subject the CTO or Data Protection Officer (DPO), or the person appointed by the Directors as responsible for data protection compliance and the PIMS, verifies the identity of the requestor, then logs the complaint in the ARuVR Complaints Log spreadsheet, then investigates the nature and grounds for the complaint or appeal. Where necessary ARuVR legal counsel shall be informed and asked to provide legal advice and support.
The result of an upheld complaint or appeal will be one of the actions detailed above in Section 4.
The records of communication to/from the data subject are retained in accordance with the ARuVR Information Retention Policy.