Data Subject Request Policy

Version 1 Date: 27.10.2021

1. Introductory statement

Privacy and confidentiality of your information and execution of your privacy rights is a top priority for JADBio. This data subject request policy will advise you on how to execute your privacy rights regarding personal data that is collected and processed by JADBio. This policy also provides instructions to Data Subjects on how to request information and fulfill their data subject rights in regards to the personal data that is collected and processed by JADBio.

This data subject request policy is developed in line with our Privacy Policy, which can be accessed at JADBio Website (the “Website”) and other web resources of JADBio and published on the Internet. This policy and Privacy Policy do not apply to any other sites, which may be used, but not owned or controlled, by JADBio.

We may need to change this Policy from time to time. All the changes to the policy will be published at the official JADBio website. We advise you to regularly refer to our website for the current version of this policy.

2. Your rights in relation to the personal information

When JADBio is acting as a Data Controller, we can ensure that you are the owner of personal data that we collect and process about you. We have developed this policy to ensure that you are able to execute your privacy rights in relation to the personal data that we collect and process. As a data subject, you have the following rights:

• to obtain a confirmation whether or not personal data concerning yourself are being processed;
• to have access to the personal data concerning you and to exercise that right easily and at reasonable intervals;
• where possible, to obtain remote access to a secure system of JADBio, but only where JADBio is a Controller and only to the extent the system provides the Data Subject with direct access to personal data;
• if requested, to be provided with the following information, in concise, transparent, intelligible and easily accessible form, using clear and plain language:
  • the purpose of processing;
  • the categories of personal data concerned;
  • the recipients or categories of recipients to whom the personal data will be disclosed;
  • the storage period for personal data, or, if not possible, the criteria used to determine that period;
  • the existence of the right of correction or erasure of personal data;
  • the existence of the right to restrict processing of his/her personal data, or to object to such processing;
  • the existence of right to lodge a complaint with a supervisory authority;
  • the source(s) from which personal data were collected;
  • the existence of automated decision-making and the logic involved in any automatic processing; and
  • safeguards relating to the transfer of personal data to a third countries;
• if requested, to obtain a copy of the personal data undergoing processing free of charge;
• if possible to obtain information in a commonly used electronic form, when the Data Subject makes a request by electronic means; and
• if possible to restrict personal data processing.

In general, when JADBio is acting as the Controller, we do process any personal data for performing automated individual decision-making. If required, you may request information about purposes of personal data processing and ensure that you are not subject to automated decision making when JADBio is acting as the Controller.

It cannot be excluded that the Company might receive a request from a Data Subject who previously filed a similar request. If the information has not changed since the answer to the previous request, the DPO should respond promptly and inform the Data Subject that the data did not change since the last request.

3. Filling a Data Subject request

A Data Subject access request is a written request for the Data Subject’s personal data held by the Company. Data Subject should fill out an online request form or send an email.

4. Confirmation of the Data Subject identity

JADBio defines rules and is in charge of providing access to personal data at a Data Subject’s request only when acting as the controller of such personal data. If JADBio is only a processor of your personal data, we follow written instructions of the data controller as long as it provides your data to us. Therefore, we handle requests from the Data Subject based on the controller’s instructions.

When JADBio is acting as the controller, the DPO must confirm a requestor’s identity and whether they have enough information to find the requested records, before providing any personal data. To confirm your identity, the following actions may be performed:

• If JADBio regularly communicates / corresponds with you and your Data Subject request form contains enough information no additional data may be required.
• If your identity may not be confirmed from the received information, the DPO may ask you to provide additional information via a call or an email. For example, a piece of information held in a Data Subject’s records that the Data Subject is expected to know may be requested.
• If a person refuses to answer the question(s) or answers the question(s) incorrectly, the DPO should inform this person that it could not comply with his/her request until the person’s identity has been confirmed. The DPO may also suggest another way to identify the requestor as long as this does not involve collection of additional personal data.
• If the requester of personal data is a representative of a Data Subject concerned, then the representative is entitled to access his/her own personal data only, and must supply the Data Subject’s consent authorizing the release of the Data Subject’s personal data. This does not apply to persons acting for a Data Subject based on a valid right of representation, which must be clear or otherwise proven for the DPO.
• If the identity of a Data Subject or a valid right of representation of the Data Subject cannot be confirmed, or further information is needed on what data is being requested the request for data cannot be satisfied. In the latter case, the DPO should promptly identify the requested data from the Data Subject.

5. Providing information requested by the Data Subject

When JADBio is acting as a Data Controller, after identification of the requesting Data Subject, the DPO sends the request to the relevant personnel of JADBio A responsible person of JADBio then checks whether any personal data of the requestor are being processed at all. The requested information or notification about absence of any personal data will be provided to the DPO within one month after the Data Subject and the information sought have been identified.

6. Format of the response

When JADBio is acting as a Data Controller the information will be provided in electronic format (or in other format if requested by the Data Subject) free of charge, if the request is not manifestly unfounded or excessive.

Data Subject may request provision of the data orally. In this case, the Data Subject should send a written confirmation specifying the date that he / she was provided with the oral information.

7. Procedure for JADBio acting as a Data Processor

When JADBio is acting only as a processor, it also has an indirect obligation to respond to Data Subject access requests received by a Controller.

8. Payment for information provided by the Company

JADBio must provide one copy of the personal data undergoing processing free of charge. For any further copies requested by the Data Subject, JADBio may charge a reasonable fee based on administrative costs.

9. Provision of inaccurate information

If the DPO and the Data Subject agree that the information for which JADBio is a controller is inaccurate, the DPO will correct it and, where possible, destroy or erase the inaccurate information. The DPO will consider informing any relevant third party of the correction. If the DPO does not agree or is unable to decide whether the information is inaccurate, it will make a note of the alleged error and keep this on file.

If Data Subject receives inaccurate information for which JADBio is processor, Data Subject should contact controller with request for data rectification and / or erasure (if other is not stated in formal contracts and / or written instructions with the data controller).

10. Dealing with excessive and/or unfounded requests

Where requests from a Data Subject are manifestly unfounded or excessive, in particular because of their repetitive character, the responsible personnel in consultation with the DPO may either:

• charge a reasonable fee taking into account the administrative costs of providing the information; or
• refuse to act on the request; and
• to inform the requesting Data Subject.

In this case, JADBio will be able to demonstrate the manifestly unfounded or excessive character of the request.

Annex 1: Data Subject Request Form

1. Details of the person requesting the information

Full name _____________________________________________________

Email address _________________________________________________

Contact number _______________________________________________

2. Are you the Data Subject?

(The Data Subject is the individual to whom the information requested relates).

Please tick as appropriate:

YES. ☐

Please specify the reason for your request:

• to obtain a confirmation whether or not personal data concerning me are being processed;
• to have access to the personal data concerning me;
• to obtain remote access to a secure system of JADBio (if possible and only where JADBio is a Controller and only to the extent the system provides the Data Subject with direct access to personal data);
• to be provided with the information regarding the purpose of processing; the categories of personal data concerned; the recipients or categories of recipients to whom the personal data will be disclosed; the storage period for personal data, or, if not possible, the criteria used to determine that period; the existence of the right of correction or erasure of personal data; the existence of the right to restrict processing of his/her personal data, or to object to such processing; the existence of right to lodge a complaint with a supervisory authority; the source(s) from which personal data were collected; the existence of automated decision-making and the logic involved in any automatic processing; and safeguards relating to the transfer of personal data to a third countries;
• to obtain a copy of the personal data undergoing processing;
• to obtain information in a commonly used electronic form;
• to restrict personal data processing;
• to request erasure of my personal data;
• to object about personal data processing
• Other (please specify) ____________________________________________________________.

NO. ☐

If you are acting on behalf of the Data Subject, you must be in possession of, and provide JADBio with a copy of, written authorization from the Data Subject, or other appropriate documents to obtain their Personal Data, before this request will be processed. JADBio will still need to receive confirmation of the identity of the Data Subject, and the documents based on which you are acting on his behalf. Please attach these documents to this form before submitting to JADBio, or send electronic copies of the documents to haronykt@jadbio.com.

Details of the Data Subject

Full name _________________________________________________

Email address _____________________________________________

Contact number __________________________________________

Please specify the reason for your request:

• to obtain a confirmation whether or not personal data concerning me are being processed;
• to have access to the personal data concerning me;
• to obtain remote access to a secure system of JADBio (if possible and only where JADBio is a Controller and only to the extent the system provides the Data Subject with direct access to personal data);
• to be provided with the information regarding the purpose of processing; the categories of personal data concerned; the recipients or categories of recipients to whom the personal data will be disclosed; the storage period for personal data, or, if not possible, the criteria used to determine that period; the existence of the right of correction or erasure of personal data; the existence of the right to restrict processing of his/her personal data, or to object to such processing; the existence of right to lodge a complaint with a supervisory authority; the source(s) from which personal data were collected; the existence of automated decision-making and the logic involved in any automatic processing; and safeguards relating to the transfer of personal data to a third countries;
• to obtain a copy of the personal data undergoing processing;
• to obtain information in a commonly used electronic form;
• to restrict personal data processing;
• to request erasure of my personal data;
• to object about personal data processing
• Other (please specify) ____________________________________________________________.

3. Search details

Please insert a detailed description of the information you would like to receive or any other comments _______________________________________________________________

________________________________________________________________

________________________________________________________________   

________________________________________________________________