Data Subject Rights Policy

BACKGROUND:

Cloudey understands that your privacy is important to you and that you care about how your personal data is used. We respect and value the privacy of all of our customers and will only collect and use personal data in a lawful and transparent manner, as set out in our Privacy Policy, available from our website.

As a ‘data subject’ you have a number of rights under the law with respect to our use of your personal data. This policy explains those rights and how to exercise them.

1. Information About Us

Cloudey IT OÜ.

Limited company registered in Estonia under company number 12675855.

Email address: [email protected]

We are regulated by the laws and regulations of Estonia and the regulations of the European Union.

2. What Does This Policy Cover?

Under data protection law in Estonia, including key legislation such as EU Regulation 2016/769 General Data Protection Regulation (the “GDPR”) (collectively, “the Data Protection Legislation”) individuals have important rights designed to protect them and their personal data.

This Policy sets out those rights, explains them in clear terms, and provides guidelines on how to exercise them.

3. What Is Personal Data?

Personal data is defined by the Data Protection Legislation as ‘any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier’.

In simpler terms, personal data is any information about you that enables you to be identified. Personal data covers obvious information such as your name and contact details, but it also covers less obvious information such as identification numbers, electronic location data, and other online identifiers. The personal data that we use is set out in our Privacy Policy.

4. What Are My Rights? (Summary)

The GDPR sets out your key rights as a ‘data subject’ as follows:

a) The right to be informed;

b) The right of access;

c) The right to rectification;

d) The right to erasure;

e) The right to restrict processing;

f) The right to data portability;

g) The right to object;

h) Rights in relation to automated decision-making and profiling.

The following sections of this Policy explain each right in more detail. If you have any questions about any of your rights under the Data Protection Legislation, or require more detailed information, please contact us at [email protected], or the Data Protection Inspectorate.

5. The Right to Be Informed

You have the right to be informed about our collection and use of your personal data. The information we provide must include details of the purpose or purposes for which your data is used, how long we keep it, and who (if anyone) it will be shared with.

This important privacy information is provided in our Privacy Policy. Additional information about your rights is also provided here, in this Policy.

If we collect data directly from you, this privacy information will be provided at the time it is collected.

If we collect data about you from a third party, this privacy information will be provided to you as soon as possible and in any event no later than one month after we have obtained that data.

6. The Right of Access

This right, also known as ‘subject access’ gives you the right to obtain a copy of any personal data that we hold about you as well as other supporting information.

This right is designed to help you understand how and why we use your data, and to check that we are using it lawfully.

You can exercise this right by making a ‘subject access request’. A subject access request can be made orally or in writing and although the more detail you can provide, the easier it will be for us to respond quickly, there is no prescribed format for such requests.

We are required by law to respond to a subject access request within one calendar month of receipt. In certain limited cases, for example, where a request is ‘manifestly unfounded or excessive’ or because we are waiting for proof of identity from you, this period may be extended by up to two months; however, you will be kept informed at all times.

There is not normally a fee payable for a subject access request. For ‘manifestly unfounded or excessive’ requests, however, we are permitted to charge a ‘reasonable fee’ that covers our costs.

7. The Right to Rectification

Under the Data Protection Legislation, you have the right to have inaccurate personal data corrected, or incomplete personal data completed.

As a ‘data controller’ we are required to take all reasonable steps to ensure that personal data we hold is accurate and, where necessary, kept up-to-date. Your right to rectification is closely tied to this obligation.

You can exercise this right by contacting us and asking for your data to be rectified if you believe it is incorrect, out-of-date, or incomplete. Requests for rectification can be made orally or in writing.

We are required by law to respond to a request for your personal data to be rectified within one calendar month of receipt. In certain limited cases, for example, where your request is complex or you have made multiple requests, this period may be extended by up to two months; however, you will be kept informed at all times.

There is not normally a fee payable for having your personal data rectified. For ‘manifestly unfounded or excessive’ requests, however, we are permitted to charge a ‘reasonable fee’ that covers our costs. Alternatively, in some limited circumstances, we may be permitted to refuse your request.

8. The Right to Erasure

This right is also known as the ‘right to be forgotten’ and gives you the right to have your personal data deleted (or ‘otherwise disposed of’ if, for example, it is kept in paper records rather than electronically).

You can exercise this right by contacting us and asking for your data to be erased. Requests for erasure can be made orally or in writing.

We are required by law to respond to a request for your personal data to be erased within one calendar month of receipt. In certain limited cases, for example, where your request is complex or you have made multiple requests, this period may be extended by up to two months; however, you will be kept informed at all times.

There is not normally a fee payable for having your personal data erased. For ‘manifestly unfounded or excessive’ requests, however, we are permitted to charge a ‘reasonable fee’ that covers our costs. Alternatively, in some limited circumstances, we may be permitted to refuse your request.

Please note that the right to erasure is not an absolute right and there are certain circumstances set out in the Data Protection Legislation in which the right does not apply. For example, we may not have to erase your personal data if we need it to comply with a legal obligation. If any of these circumstances apply, we will explain why your personal data cannot be erased when responding to your request for erasure.

9. The Right to Restrict Processing

You have the right to request the restriction or suppression of your personal data. In practice, this is an alternative to having your personal data erased. This means that you can limit the way in which we use your personal data, while still allowing us to retain it.

Please note that the right to restrict processing is not an absolute right and only applies in certain circumstances as follows:

a) You have contested the accuracy of your personal data and we are verifying the accuracy of it;

b) Your personal data has been processed unlawfully and you want us to restrict processing rather than erasing your personal data;

c) We do not need the personal data any more, but you need us to keep it in order to establish, exercise, or defend a legal claim; or

d) You have exercised your right to object (see Part 10, below), and we are considering whether our legitimate grounds for processing your personal data override your right to object to us using it.

When processing is restricted, we cannot do anything with your personal data other than store it unless we have your consent to do so or unless one of the following applies:

a) We need to use your personal data in the establishment, exercise, or defence of legal claims;

b) We need to use your personal data in order to protect the rights of another person; or

c) Important public interest reasons justify using it.

You can exercise this right by contacting us and asking for the processing of your data to be restricted. Requests for the restriction of processing can be made orally or in writing.

We are required by law to respond to a request to restrict the processing of your personal data within one calendar month of receipt. In certain limited cases, for example, where your request is complex or you have made multiple requests, this period may be extended by up to two months; however, you will be kept informed at all times.

There is not normally a fee payable for having the processing of your personal data restricted. For ‘manifestly unfounded or excessive’ requests, however, we are permitted to charge a ‘reasonable fee’ that covers our costs. Alternatively, in some limited circumstances, we may be permitted to refuse your request.

10. The Right to Data Portability

Where we are processing your personal data either with your consent or for the performance of a contract between us, and we are using automated means of processing (i.e. not using paper files), you have the right to obtain a copy of your personal data in a commonly-used format for use with another organisation. You can also request that we send your personal data directly to another organisation.

This right is designed to enable you to easily move, copy, or transfer your personal data from one organisation’s IT system to another organisation’s IT system in a safe and secure way, without affecting its usability.

Please note that this right only applies to personal data that you have provided to us. This includes information in your account as well as data that we may obtain from your activities on our website such as usage history and other factors such as resource usage statistics of our services provided to you. It does not include additional data that we may create based upon the data you have provided or to data that has been anonymised. In some cases, more personal data relating to you may be available under your right of access (see Part 6, above).

You can exercise this right by contacting us and asking either for a copy of your personal data for use with another organisation, or for your personal data to be transferred to that organisation. Requests can be made orally or in writing.

We are required by law to respond to your request within one calendar month of receipt. In certain limited cases, for example, where your request is complex or you have made multiple requests, this period may be extended by up to two months; however, you will be kept informed at all times.

There is not normally a fee payable for exercising your right to data portability. For ‘manifestly unfounded or excessive’ requests, however, we are permitted to charge a ‘reasonable fee’ that covers our costs. Alternatively, in some limited circumstances, we may be permitted to refuse your request.

11. The Right to Object

Where we are processing your personal data either on the basis of our ‘legitimate interests’ or in the performance of a task carried out in the public interest, you have the right to object to us processing your personal data.

You also have the absolute right to object to us using your personal data for direct marketing purposes.

If you object to us using your personal data for direct marketing purposes, your right to do so is absolute and we have no grounds on which to refuse.

If you object to us using your personal data either on the basis of our ‘legitimate interests’ or in the performance of a task carried out in the public interest, please note that your right to do so is not absolute. When making your request to exercise this right, you must give specific reasons for your objection based upon your particular situation. We can continue using your personal data if we can demonstrate ‘compelling legitimate grounds’ which override your interests, rights, and freedoms; or if the processing is necessary for the establishment, exercise, or defence of legal claims. Additional limitations apply if your personal data is being processed for research purposes.

You can exercise this right by contacting us and stating your objection to the processing of your personal data for the relevant purpose or purposes, providing an explanation if required (see previous paragraph). Objections to processing can be made orally or in writing.

We are required by law to respond to your request within one calendar month of receipt. In certain limited cases, for example, where your request is complex or you have made multiple requests, this period may be extended by up to two months; however, you will be kept informed at all times.

There is not normally a fee payable for exercising your right to object. For ‘manifestly unfounded or excessive’ requests, however, we are permitted to charge a ‘reasonable fee’ that covers our costs. Alternatively, in some limited circumstances, we may be permitted to refuse your request.

12. Automated Decision-Making (Including Profiling)

We carry out certain automated decision-making (i.e. making a decision using automated means only, without any human involvement) using your personal data, as described in our Privacy Policy.

You have the right not to be subject to a decision based solely on automated processing, including profiling, where that decision produces legal or ‘similarly significant’ effects.

You have the right to challenge decisions made in this way and can:

a) Request human intervention;

b) Express your own point of view; and

c) Obtain an explanation from us about the decision and challenge it.

You can exercise this right by contacting us and stating that you wish to ask about or challenge a decision made using your personal data by solely automated means, telling us which of the above (a, b, and/or c) you wish to do (see previous paragraph). You can contact us in writing.

We are required by law to respond within one calendar month of receipt of your request to exercise this right. In certain limited cases, for example, where your request is complex or you have made multiple requests, this period may be extended by up to two months; however, you will be kept informed at all times.

There is not normally a fee payable for exercising your rights relating to automated decision-making (including profiling). For ‘manifestly unfounded or excessive’ requests, however, we are permitted to charge a ‘reasonable fee’ that covers our costs. Alternatively, in some limited circumstances, we may be permitted to refuse your request.

13. Exercising Your Rights

To exercise any of your rights as a data subject, please contact us via:

When contacting us to exercise your right of access, please provide:

  • Your full name;
  • Your address;
  • Your telephone number;
  • Your email address; and

· Details of the information being requested.

When contacting us to exercise your right to rectification, please provide:

  • Your full name;
  • Your address;
  • Your telephone number;
  • Your email address;

· Details of the information you wish to have rectified; and

· (Where relevant) any information that supports your request or otherwise provides evidence of the need for rectification.

When contacting us to exercise your right of erasure, please provide:

  • Your full name;
  • Your address;
  • Your telephone number;
  • Your email address;

· Details of the information you wish to have erased; and

· (Where relevant) any information that supports your request or otherwise justifies the need to have the data erased.

When contacting us to exercise your rights to restrict processing or to object to processing, please provide:

  • Your full name;
  • Your address;
  • Your telephone number;
  • Your email address;

· Details of the processing you wish to restrict or object to;

· Details of why you want the processing to be restricted or why you object to it; and

· (Where relevant) any information that supports your request or otherwise provides evidence of the need for processing to be restricted or stopped.

When contacting us to exercise your right to data portability, please provide:

  • Your full name;
  • Your address;
  • Your telephone number;
  • Your email address;

· Details of the personal data you wish to use with another service or organisation, also stating whether you require a copy of that data for yourself or whether you would like us to transfer it directly to the other service or organisation; and

· (Where relevant) any information that supports your request.

When contacting us to exercise your rights relating to automated decision-making (including profiling), please provide:

  • Your full name;
  • Your address;
  • Your telephone number;
  • Your email address;

· Details of the decision that you wish us to explain or review, also stating whether you would like us to explain the decision, if you are requesting human intervention, wish to express your own point of view about the decision, or wish to challenge the decision; and

· (Where relevant) any information that supports your request.

14. Our Acknowledgement and Response

We will always respond quickly to your request to exercise any of your rights in relation to your personal data. We will acknowledge receipt without undue delay and will provide a complete response to your request as quickly as possible. Normally, as stated above, this will be within one calendar month of receipt of your request. If additional time is required, we will contact you within the first calendar month to explain why the delay is necessary.

15. Your Right to Complain

If you have any cause for complaint about our use of your personal data, or about our handling of your request to exercise your rights under this Policy, you have the right to lodge a complaint with the Data Protection Inspectorate.

We would welcome the opportunity to resolve your concerns ourselves, however, so please contact us first using the details set out above in Part 12.

16. Changes to this Policy

We may change this Policy from time to time. This may be necessary, for example, if the law changes, or if we change our business in a way that affects personal data protection. This Policy will also be reviewed regularly.

Any changes will be made available on our website. This Policy was last reviewed on 25th May 2019 and last updated on 25th May 2019.

Close Menu