Data Subject Rights Management (DSRM) Process

Inclusive Pay Africa (IPA)
    1. Overview
The Data Subject Rights Management (DSRM) process is designed to ensure that all requests from data subjects regarding their personal data are handled in compliance with the General Data Protection Regulation (GDPR) and Ethiopian privacy laws. This process outlines how requests are received, verified, processed, and documented, ensuring transparency, accountability, and legal compliance.
    2. Scope
This DSRM process applies to all personal data processing activities carried out by Inclusive Pay Africa within the operating system environment. It covers all rights granted to data subjects under GDPR and Ethiopian privacy laws, including but not limited to the right of access, rectification, erasure, restriction, portability, and objection.
    3. Data Subject Rights
Data subjects have the following rights under GDPR and Ethiopian privacy laws:
        3.1. Right of Access: The right to request access to their personal data and obtain information about how it is being processed.
        3.2. Right to Rectification: The right to request the correction of inaccurate or incomplete personal data.
        3.3. Right to Erasure (Right to be Forgotten): The right to request the deletion of their personal data under certain conditions.
        3.4. Right to Restriction of Processing: The right to request that the processing of their personal data be restricted in certain circumstances.
        3.5. Right to Data Portability: The right to receive their personal data in a structured, commonly used, and machine-readable format and to transmit it to another data controller.
        3.6. Right to Object: The right to object to the processing of their personal data, particularly in cases of direct marketing or processing based on legitimate interests.
        3.7. Right not to be Subject to Automated Decision-Making: The right to not be subject to decisions based solely on automated processing, including profiling, which produces legal effects or similarly significant impacts.

    4. Request Submission
        4.1. Submission Channels: Data subjects may submit their requests through the following email address:
• privacy@inclusivepayafrica.com
        4.2. Information Required: To process a request, data subjects must provide:
• Full name
• Contact details (email or phone)
• Details of the request
        4.3. Acknowledgment of Request: Upon receiving a request, an acknowledgment email or letter is sent to the data subject within 3 working days, confirming receipt and providing a reference number for tracking.

    5. Identity Verification
        5.1. Initial Verification: Basic verification is done using the information provided in the request.
        5.2. Additional Verification: If necessary, additional steps are taken to confirm identity, such as:
• Requesting a government-issued ID
• Asking security questions related to the data subject’s account
        5.3. Timeframe: Identity verification should be completed within 5 working days of receiving the request.

    6. Internal Review and Assessment
        6.1. Assignment to DSR Team: The request is assigned to a dedicated DSR team or Data Protection Officer (DPO) for review.
        6.2. Assessment of Request: The DSR team evaluates the request to determine:
• The validity of the request under GDPR and Ethiopian privacy laws.
• The scope of the data involved.
• Any exemptions or limitations that may apply.
        6.3. Consultation with Legal Team: For complex cases, the DSR team may consult with the legal team to ensure compliance and assess risks.

    7. Processing the Request
        7.1. Right of Access:
• Compile all relevant personal data.
• Provide a detailed report outlining the data processing activities, including purposes, categories of data, data recipients, retention periods, and any transfers to third countries.
• Deliver the information securely within 30 days of request validation.
        7.2. Right to Rectification:
• Correct any inaccurate or incomplete data.
• Notify the data subject of the changes made.
        7.3. Right to Erasure:
• Evaluate if the request meets the conditions for erasure.
• If approved, delete the data and confirm the erasure to the data subject.
• Notify any third parties with whom the data was shared, if applicable.
        7.4. Right to Restriction:
• Temporarily suspend processing of the data.
• Notify the data subject and document the restriction in the data processing records.
        7.5. Right to Data Portability:
• Extract the data in a structured, commonly used, and machine-readable format.
• Provide the data to the data subject or transmit it directly to another data controller, as requested.
        7.6. Right to Object:
• Cease processing based on the objection, unless there are compelling legitimate grounds for the processing.
• Notify the data subject of the outcome.
        7.7. Right not to be Subject to Automated Decision-Making:
• Review the automated decision-making process.
• If necessary, provide human intervention or alternative options to the data subject.

    8. Response to Data Subject
        8.1. Final Response: A final response, including the outcome of the request and any actions taken, is sent to the data subject within 30 days of request validation.
        8.2. Extensions: If the request is complex and requires more time, an extension of up to 60 days may be applied. The data subject will be informed of the extension and the reasons for it.

    9. Documentation and Record-Keeping
        9.1. Request Log: All DSR requests are logged in a secure system, including details such as:
• Date of request
• Type of request
• Identity verification steps
• Actions taken
• Dates of acknowledgment and final response
• Outcome of the request
        9.2. Retention of Records: Request logs and correspondence are retained for at least five years for auditing and compliance purposes.

    10. Escalation and Dispute Resolution
        10.1. Internal Escalation: If a data subject is dissatisfied with the response, the case may be escalated to a higher authority within the organization.
        10.2. External Recourse: Data subjects are informed of their right to lodge a complaint with the relevant supervisory authority, such as the European Data Protection Board (EDPB) for GDPR or the Ethiopian Data Protection Commission.

    11. Reporting and Continuous Improvement
        11.1. Regular Reporting: The DSR team provides regular reports to senior management on the number, types, and outcomes of DSR requests.
        11.2. Process Improvement: The DSR process is reviewed annually to identify areas for improvement and ensure ongoing compliance with evolving legal requirements.