Individual Rights Policy

BugSec

Bugsec Group Ltd. – Policy for Responding to Individuals’ Data Protection Rights

The following Individuals’ Rights Policy (“policy” or “Individuals’ Rights Policy”) provides instructions designed to assist Bugsec Group Ltd. (“Bugsec”) in managing and responding to individuals’ requests to exercise their data protection rights under the EU General Data Protection Regulation 2016/679 (“GDPR”).

Introduction and Scope

The following policy for responding to individuals’ data protection rights (“Individuals’ Rights Policy” or “Policy”) applies to Bugsec and its employees.

The GDPR, which entered into force on 25 May 2018, sets forth rules relating to the protection of natural persons with regard to the processing and free movement of personal data. The GDPR’s recitals, articles and interpretative framework reinforced global developments in the field of data protection and privacy, and various regulative initiatives were inspired by its principles. The GDPR, as well as other prominent data protection laws, imposes obligations on entities collecting personal data on individuals to enable individuals to exercise their data protection rights. “Personal data” is defined, and should be understood when reviewing this policy, as any data that identifies an individual or makes an individual identifiable.

The purpose of this Individuals’ Rights Policy is to highlight the importance of identifying and reporting requests from individuals (or persons acting on behalf of any individuals) who are contacting Bugsec to exercise their rights under the GDPR or any other applicable data protection law (a “Request”) and to assist and provide instructions to Bugsec’s employees, who are responsible for managing such Requests. 

It is important that Bugsec’s employees are aware of this policy and the steps required to be taken when receiving a Request, so that Bugsec will not inadvertently be in violation of the GDPR or any other applicable data protection law.

Section 1 of this Individuals’ Rights Policy is applicable to all employees and temporary contractors and explains the process for identifying and reporting Requests to ensure that they are properly recorded and managed. It is important that all personnel read and understand Section 1.

Section 2 of this Individuals’ Rights Policy is applicable to the person or team who may be appointed to assist with managing a response to a Request.

A breach of this Individuals’ Rights Policy could expose Bugsec to substantial fines and other disciplinary actions. As such, if you have any concerns at all regarding a Request, please contact Itzik Vager – COO (the “Director”) BEFORE responding to the Request.      

If you have any other questions on this Individuals’ Rights Policy or on individuals’ rights under the GDPR or any other applicable data protection law, please contact the Director or request further instructions from Bugsec’s external legal counsel.

 

 

Section 1
Identifying and Reporting Requests

Key responsibilities of all employees

It is the responsibility of all employees of Bugsec to:

  • Understand how to identify a Request; and
  • Know the procedures to follow if a Request is received, as set out in this Individuals’ Rights Policy.

What rights does an individual have under the GDPR?

Under the GDPR, individuals may exercise various rights in relation to their personal data. Such rights include the following:

  • Right to be informed;
  • Right of access;
  • Right to rectification;
  • Right to erasure;
  • Right to restrict processing;
  • Right to data portability; and
  • Right to object.

In this Individuals’ Rights Policy, these rights are referred to as “Data Subject Rights”.

What does a Request look like?

There are no specific requirements under the GDPR that specify technical formalities regarding the manner in which Requests should be filed. Furthermore, there is no provision that states that the Request must be in writing or specifically mention the GDPR. Therefore, it may not be immediately apparent that the individual (or person acting on the individual’s behalf) is making a Request that is governed by the GDPR. However, it is your responsibility to inspect and identify Requests and to act promptly as soon as you receive one in accordance with this Individuals’ Rights Policy. 

Who might exercise a right in relation to their personal data?

Bugsec processes information about a variety of different types of people – such as employees, customers, customers’ employees or end users and Bugsec’s website users. Anyone from any of these groups could make a Request. A Request may also be made by a person, body or organisation acting on behalf of one or more individuals. Furthermore, Bugsec may process personal data on behalf of a customer, who Bugsec provides their services to. In such case, such customer may receive a Request and Bugsec will be required to cooperate with such customer and assist in complying with such Request.

What are the potential consequences of not spotting a Request?

If Bugsec does not spot and respond to a Request in accordance with the GDPR or any other applicable data protection law, it will be in breach of its data protection obligations and may also be in breach of its contractual obligations. The consequences of breaching the GDPR or any other applicable data protection law may include a fine or other regulatory enforcement action, criminal liability, contractual liability and reputational damage.

Following the procedures in this Individuals’ Rights Policy is very important to ensure that Bugsec is able to comply with the GDPR, demonstrate such compliance when required to do so and prevent these consequences from occurring.

What should I do if I spot or receive a Request?

  • If you become aware, or are notified of a Request, you should immediately refer it to the Director via the following email [email protected]. Do not make any statement of opinion or intent about an individual in your email referring the Request. Your email should be factual and as brief as possible, such as “please see below email which I think is related to an individual exercising their rights under the GDPR”.
  • It is your responsibility to ensure that your referral has been brought to the attention of the relevant personnel, as Bugsec may breach the GDPR or its contractual engagements if a response is not provided to the individual making the Request within a certain time by Bugsec or the applicable customer.
  • If you are unsure whether you have received a Request, or if a response was not provided from the relevant personnel within 24 hours, you should address the matter to the Director as soon as possible.

What should you not do?

  • Do not respond to the Request yourself. If necessary (for example, if you receive the Request by phone), you may acknowledge receipt of the Request and reply that you will refer it to the internal team responsible for handling such Requests, unless required otherwise in applicable contractual engagements.
  • If Bugsec is under a contractual obligation and is providing services to a customer, while processing personal data on their behalf, the issue must be referred to the Director, and the Director shall instruct the required following steps, all in accordance with the applicable contractual engagement between the parties (which should be addressed in the Data Processing Agreement). Such contractual engagement may instruct Bugsec to not respond to the Request, unless the customer authorizes Bugsec to do so.
  • Do not attempt to delete, destroy or alter emails, information, logs or notes or otherwise conceal information that might relate to the Request.
  • Do not create any new written materials (including sending any emails) regarding an individual who has made a Request other than to refer the Request to the Director. Use verbal communication with relevant team members as much as possible. If you have to communicate in writing (including by email) ensure your communication is as factual as possible.
  • Other than informing the Director verbally, if necessary, do not carry out any further steps unless you have been asked to do so by him or unless steps are critically urgent to be taken to prevent irreversible damage.

 

Section 2
Responding to Requests

Key responsibilities

It is the responsibility of Bugsec’s management personnel to ensure that this Individuals’ Rights Policy is up to date and accessible to all employees and temporary contractors, and that the Director: 

  • receives data protection training on handling Requests on an annual basis;
  • follows this Section 2 when a Request is received;
  • identifies if a Request is filed as a tactical tool as part of a wider issue or dispute and notifies his conclusions to the management personnel;
  • manages and responds to the Request within the timeframe required in accordance with Section 2 of this Individuals’ Rights Policy; and
  • handles the response to the Request in a manner that best mitigates the impact of the Request on the business.

Receiving the initial Request

The following instructions do not apply to Requests received by Bugsec’s customers, where Bugsec is required to follow the customer’s instructions in facilitating the Request and is subject to contractual obligations with respect to the Request. In such cases, Bugsec shall follow the obligations imposed under the respective contractual engagement and shall seek advice from Bugsec’s external legal counsel on Bugsec’s required course of action.

Acknowledging receipt

Once a Request has been reported to the Director, they will be responsible for:

  • Acknowledging the receipt of the Request to the colleague who has referred the Request; and
  • Reminding the colleague of their responsibilities set out in Section 1 of this Individuals’ Rights Policy.

Format of the Request

As noted in Section 1, there is no specific requirement that states that the Request must be in writing. In other words, you cannot refuse to comply with a Request, or delay responding, simply because an individual (or person acting on behalf of an individual) did not file the Request in accordance with Bugsec’s Initial Request Form attached as Appendix A (the “Initial Request Form”). Nevertheless, it is advisable to encourage individuals who file Requests to complete the Initial Request Form, because it will make the process of complying with the Request more efficient.

Verifying identity

Before Bugsec can respond to the Request, it must verify the identity of the individual making the Request. Such verification may be obvious in light of the circumstances in which the Request was received, but in some cases additional information may be required to complete the verification process. This will prevent inadvertently disclosing personal data to the wrong person. In these circumstances, you should verify the identity of the individual using reasonable means, which may require asking the individual to deliver suitable documents, such as:

  • a certified copy of a form of identification; or
  • a file with the individual’s name and address that can be compared with details retained by Bugsec; and/or
  • a copy of a document with the individual’s signature on it, which can be compared with the signature on the letter or Request form.

Requesting additional information to clarify the Request

In order to adequately respond to the Request, you may need to ask the individual to provide you with additional information to enable you to locate the information requested, for example by completing the Initial Request Form. The individual is not obliged to complete the form, or to provide additional information, but this may result in Bugsec refusing to comply with the Request as further detailed under Section 2.8.

Identifying Requests that are being used for tactical purposes

It is important to bear in mind that data protection rights give individuals powerful rights which they may use (or which may be used on their behalf) as a tactical tool.

For example, Requests may be used as part of another on-going issue or dispute (including as a precursor to a complaint or litigation against Bugsec).

While there is no automatic permission to refuse such Requests, if you know or suspect that a Request is being used for these purposes you should immediately notify the Director, so that these broader tactical considerations can be considered before responding to the Request.

How long do you have to respond to such a Request?

Bugsec must provide the individual with information on the action taken (or in the case of an individual’s access Request, a copy of the information requested) without undue delay and, in any event, within one month of the receipt of the Request.

It may be that the time limit can be extended by a further two months where the Requests are particularly complex or numerous. In this case, Bugsec must inform the individual of the extension within one month of the initial receipt and explain the reasons for the extension.

If Bugsec decides not to take any steps in response to a Request, it must inform the individual making the Request of the decision without delay and, at the latest, within one month. The confirmation is required to include the reasoning for not complying with the Request, the possibility for the individual to lodge a complaint with the relevant data protection supervisory authority, and the possibility to seek a judicial remedy.

Can Bugsec charge a fee?

Generally, Bugsec should comply with Requests free of charge. A limited exception applies to requests that are manifestly unfounded or excessive (see paragraph 2.8 below).

Bugsec may also charge an individual a reasonable fee based on its administrative costs if the individual requests additional copies of information provided.

What about requests that are manifestly unfounded or excessive?

If Bugsec can demonstrate that a Request is (or that Requests are) manifestly unfounded or excessive (for example, the Requests are unreasonably repetitive in nature), Bugsec may:

  • charge a reasonable fee, taking into account the administrative costs of taking actions or providing the necessary information; or
  • refuse to act on the Request.

A request may be considered manifestly unfounded if, for example:

  • the individual clearly has no intention to exercise their right. For example, an individual makes a request to exercise their right of access, but then offers to withdraw it in return for some form of benefit from Bugsec; or
  • the request is malicious in intent and is being used to harass Bugsec with no real purpose other than to cause disruption. For example:
      • the individual has explicitly stated, in the request itself or in other communications, that they intend to cause disruption;
      • the individual is targeting a particular employee against whom they have some personal grudge; or
      • the individual systematically sends different requests to Bugsec as part of a campaign, e.g. once a week, with the intention of causing disruption.

To determine if a request is manifestly unfounded or excessive, Bugsec must consider each Request on a case-by-case basis. Furthermore, Bugsec must be able to demonstrate to the individual why it considers the Request to be manifestly unfounded or excessive and, if asked by a supervisory authority, explain such reasons to the relevant authority. In practice, the refusal to act on the Request is likely to require Bugsec to demonstrate that a dialogue has taken place with the individual to try to narrow the Request. The Request should not be considered lightly, because if a wrongful refusal occurs, Bugsec will be exposed to a violation of the GDPR or another applicable data protection law. Requests should not be refused unless such refusal was approved by the Director.

How should information be provided?

Where an individual’s Request requires Bugsec to provide certain information to them (for example, in response to a Request to exercise the right of access or the right to data portability), the information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language. For example, if the search reveals any information which is encoded, the information should either be decoded or it should be explained to the individual how to decode the information.

The information should be provided in writing. If the Request is made electronically, the information must be provided by electronic means in a commonly used electronic format where possible, unless otherwise requested by the individual.

It is possible, where requested by the individual, to provide the information orally. However, this should only be done where the identity of the individual has been verified by other means. This method should only be adopted if approved by the Director.

Right of access

Individuals have the right to obtain from Bugsec a confirmation as to whether or not personal data concerning them is being processed as well as the following details:

  • confirmation that their personal data is being processed;
  • a copy of information that Bugsec holds about them; and
  • other supplementary information, if requested, which includes:
      • The purposes for the processing activities conducted by Bugsec on that individual’s personal data.
      • The categories of personal data processed.
      • The recipients or categories of recipient Bugsec disclosed the individual’s personal data to.
      • Bugsec’s retention period for storing the individual’s personal data or, where this is not possible, the criteria for determining such retention period.
      • The existence of the individual’s right to request the rectification, erasure or restriction of processing the personal data, as well as the existence of the right to object to the processing activity conducted on the individual’s personal data.
      • The right to lodge a complaint to the relevant supervisory authority.
      • Information about the source of the collected data, where it was not obtained directly from the individual who submitted the request.
      • When applicable, the existence of automated decision-making.
      • The safeguards Bugsec implements if a transfer of personal data to a third country (as defined under the GDPR) is executed.

What information must be provided?

The GDPR does not provide individuals an unfettered right of access to information, and it is important to know what can legitimately be refused, as well as what must be provided, to individuals. You should try to obtain a very precise understanding of the extent of the information that is being sought. Individuals are free to ask for all personal data that Bugsec holds about them. If such a Request is filed, the requesting individual can be notified of the expected timeframe and asked to make the Request more specific to enable Bugsec to comply in a timely manner. You could suggest that the individual complete the Initial Request Form attached as Appendix A, although the individual is not obliged to do so.

Where might the information be located?

It is unlikely that all of the requested information will be located in one place. It is therefore important to carry out a thorough search for all information relating to the individual unless the individual has indicated that he or she requires that the search be restricted in some way. This may occur when the individual requests a speedy response.

  • Company computer files – computer systems should be searched for all references to the person making the Request, by reference to the person’s surname, surname and initials, and other variants.
  • Company manual files – manual files may include the requesting individual’s personal data and thus a search should be conducted for any reference to the individual making the Request.
  • Data processors’ (vendors) systems – third parties who are processing data on Bugsec’s behalf should be required by Bugsec to carry out a similar search of data which they hold on Bugsec’s behalf, in relation to the person making the Request.

The individual making the Request should be asked to complete an Initial Request Form in Appendix A, in which they are asked to set out the information they are seeking. However, as noted above, Bugsec cannot oblige the individual to complete it.

It can often be difficult to assess how much effort should be applied to the search of the requested data. Bugsec must ensure that it can demonstrate that it has taken reasonably diligent efforts to find and retrieve the information requested. This is a difficult test to meet and cannot be used as a blanket justification to refuse an individual’s Request.

In making an assessment, Bugsec can take into account difficulties in finding the requested information, whether there is another route to obtaining the information, whether the individual has already received the information, whether the Request is an abuse of rights by the individual etc. However, the potential benefit to the individual should also be considered and Bugsec should inquire whether it is able to comply with the Request in some other manner that meets the individual’s expectations.

What should be done once the information has been located?

Please note that some information may not be disclosed to the person making the Request. Once all the information has been located, you:

  • Are required to decide whether information can be withheld because:
      • it reveals the identity of a third party;
      • Bugsec is not in a position to identify the individual;
      • the Request is considered manifestly unfounded; or
      • the Request is considered excessive.
  • May ask the individual making the Request to specify the information or processing activities to which the Request relates.

What if someone asks to see all emails in which their name is mentioned?

If access to emails is problematic, because of the vastness of information stored on the system, you may request the individual to identify places where the information requested may be located, e.g.:

  • names of authors and recipients;
  • subjects of the emails;
  • the dates or range of dates upon which the messages have been sent; and
  • whether the individual believes that the emails are held as live data or in archived or back-up form.

What do you do if the information adversely affects or identifies another person?

An individual’s right to obtain a copy of their information should not adversely affect the rights and freedoms of others, including trade secrets, intellectual property and copyright protecting software. However, this does not validate an automatic refusal to comply with the individual’s entire Request. The individual should therefore be asked to specify the information or processing activities to which their Request relates, to avoid the provision of excessive information.

Limiting the personal data provided should also be considered when disclosure might reveal the identity of another individual. In such a case, information should be disclosed as far as possible without revealing the other person’s identity. This can be achieved by, for example, crossing out the other person’s name or other identifier (e.g. address). However, in some cases crossing out the other person’s name will not be enough to prevent the person making the Request from identifying that other person, and the actual content and context should also be considered.

Under these circumstances, consent from the third party for the disclosure of their personal data may be requested. If the third party does not consent to the disclosure of the requested information, it is still required to consider whether it would be reasonable to disclose the third party’s personal data. When deciding whether it is reasonable to make the disclosure, please consider the following:

  • Does Bugsec owe the other person a duty of confidentiality?
  • Did Bugsec take any steps to obtain the other person’s consent?
  • Was the other person capable of giving consent?
  • Did the other person expressly refuse to provide their consent?

If the answers to some or all of the above questions are “yes”, it may indicate that it is not reasonable to disclose the information that may reveal the third party’s identity, and adversely affect their rights and freedoms.

How should you provide the information?

Follow the steps identified at paragraph 2.9 above.

Right to rectification

When can someone request rectification?

Individuals have the right to request that inaccurate information about them be rectified. In addition, where the information Bugsec holds about them is incomplete, the individual can request that the information be completed. This type of Request will also apply to information disclosed to a third party who is processing personal data on Bugsec’s behalf. Bugsec is required to inform such third party about the Request and ensure that the information is updated accordingly.

A response to such a Request should be provided within the timeframe indicated in paragraph 2.6 above.

Right to erasure

When can someone exercise the right to erasure?

There are specific circumstances in which individuals can request the erasure of their personal data:

  • the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed;
  • the individual withdraws their consent to the processing, where consent is relied upon as the legal basis of processing, such as processing of special categories of data (which includes health data);
  • the individual objects to the processing carried out in the public interest (unlikely to be applicable to Bugsec) or on the basis of Bugsec’s legitimate interests and there is no overriding legitimate interest for continuing to process their personal data;
  • the individual objects to the processing carried out for direct marketing;
  • the personal data was unlawfully processed;
  • the personal data must be erased by law; or
  • the personal data is processed in relation to the offer of online services to a child (unlikely to be applicable to Bugsec).

It can often be difficult to know whether one of the above circumstances applies. If you receive a Request from an individual to erase their personal data, please contact the Director.

When do requests not have to be complied with?

Bugsec can refuse to comply with an individual’s Request to erase their personal data, when personal data is required:

  • for exercising the right of freedom of expression and information;
  • to comply with the law, for the performance of a task in the public interest (unlikely to be applicable to Bugsec), or in the exercise of official authority vested in Bugsec (unlikely to be applicable to Bugsec);
  • for public health reasons in the public interest (unlikely to be applicable to Bugsec);
  • for archiving purposes in the public interest, scientific or historical research, or statistical purposes; or
  • for the exercise or defence of legal claims.

If Bugsec wishes to rely on one of the above exceptions, further inquiry and measures should be taken to ensure that the exception applies. Reliance on any of the above exceptions requires the approval of the Director.

How far does the Request extend?

The Request will extend to information disclosed to a third party who is processing personal data on behalf of Bugsec. Bugsec is required to inform such third parties about the Request and ensure that the information is erased accordingly. Where such third parties operate in the online environment and make personal data public, Bugsec must ensure that these third parties represent that links to, copies of, or replications of the personal data are also erased.

Right to restrict processing

When can someone restrict the processing of his or her personal data?

Specific circumstances allow individuals to request the restriction of the processing of their personal data:

  • where an individual contests the accuracy of the personal data, processing is required to be restricted until accuracy has been verified;
  • where the processing is unlawful and, instead of requesting the erasure of the information, the individual requests a restriction;
  • where Bugsec no longer requires the personal data for processing but the individual requires it to establish, exercise or defend a legal claim;
  • where the individual has objected to Bugsec’s processing of their personal data (see paragraph 8 – Right to Object below); or
  • where it was necessary for performance of a public interest task (unlikely to be applicable to Bugsec) or for the purpose of Bugsec’s legitimate interests and Bugsec is still in the process of considering whether its legitimate interests in processing the personal data override the individual’s interests.

What does a restriction on processing mean?

If an individual requests that the processing of their personal data be restricted, it does not mean that the personal data is required to be erased. Bugsec may continue to store the personal data but, except for a few exceptions, it is restricted from any further processing of such data, unless the individual has consented to such further processing.

Bugsec may still process the personal data for the following purposes:

  • to exercise or defend legal claims;
  • to protect the rights of another person; or
  • for important public interest purposes.

The individual must be informed if any of the exceptions apply.

Methods for restrictions could include, inter alia, temporarily moving the selected data to another processing system, making the selected personal data unavailable to individuals, or temporarily removing published data from a website. In automated filing systems, the restriction of processing should in principle be ensured by technical means in such a manner that the personal data is not subject to further processing operations and cannot be changed. The fact that the processing of personal data is restricted should be clearly indicated in Bugsec’s systems.

This Request will apply to personal data disclosed to a third party who is processing personal data on Bugsec’s behalf. Therefore, Bugsec should inform such third parties of the Request and ensure the processing of such personal data is restricted accordingly.

Right to data portability (this section will not apply to employees)

Under certain circumstances, individuals have the right to receive their personal data and store it for further personal use. An individual has the right to receive the personal data concerning him or her in a structured, commonly used and machine-readable format and request the transmission of such personal data to another entity.

When can someone exercise their data portability right?

Bugsec is obligated to comply with the individual’s request for data portability when Bugsec is carrying out the processing by automated means and the processing of the individual’s personal data is based either on:

  • Consent.
  • The performance of a contract with the individual.
  • Explicit consent with respect to processing of special category personal data.

If the conditions above are met, Bugsec is encouraged to develop interoperable formats that enable data portability.

What information must be provided?

The right to data portability entitles an individual to receive a copy of their personal data; and/or have their personal data transmitted from Bugsec to another entity. Personal data will only fall within the scope of a Request if it concerns the individual making the Request and Bugsec must ensure that the personal data requested does not include the personal data of another. The personal data may include mailing address, username, age, history of website usage or search activities, traffic and location data. The transmission of the personal data does not automatically mean that Bugsec must erase the information from its systems, as this type of Request is different from the right to erasure.

Technical feasibility of transmission should be considered. The right to data portability does not create an obligation to adopt or maintain processing systems which are technically compatible with those of other entities. However, Bugsec is required to avoid putting in place any legal, technical or financial obstacles which would slow down or prevent the transmission of the personal data to the individual, or to another entity. Bugsec will not be responsible for any subsequent processing carried out by the individual or the other entity to which personal data was transferred.

How should you provide the information?

Where the above conditions are met, the personal data must be provided free of charge in a structured, commonly used and machine-readable form. The individual must be able to extract specific elements of the data, and the format should be widely used, well established and capable of being automatically read and processed by a computer.

Right to object

When can someone object to the processing of their personal data?

The circumstances in which an individual can exercise their right to object are:

Personal data is processed for direct marketing purposes.

Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in Bugsec.

Processing is based on the lawful ground of legitimate interests of Bugsec, except where such interests are overridden by the interests or fundamental rights and freedoms of the individual.

Personal data is processed for scientific or historical research purposes or statistical purposes unless the processing is necessary for the performance of a task carried out for reasons of public interest.

How do we comply with such a Request?

The response should vary depending on the circumstances in which processing is conducted.

Legitimate interests

The individual’s Request will be based on grounds relating to his or her particular situation. If the individual has not provided any grounds when making the Request, a clarification of the basis on which the objection was filed should be provided.

Unless Bugsec can demonstrate either of the following, processing the individual’s personal data should no longer be conducted:

Bugsec has compelling legitimate grounds for processing which override the interests, rights and freedoms of the individual; or

Bugsec is processing the personal data for the establishment, exercise or defence of a legal claim.

Direct marketing

As soon as an objection to processing for the purposes of direct marketing is received, processing activities in relation to that individual must immediately be discontinued. Please contact the Director if such a Request has been received.

Notification Requirements – Summary of Operative Instructions

a. Complying with a Request: Bugsec is obligated to communicate any rectification, erasure of personal data or restriction of processing carried out to each recipient to which the personal data has been disclosed, unless this proves impossible or involves disproportionate effort.

b. Providing Information on Recipients: If requested by the individual, Bugsec is obligated to inform the individual about the recipients to which the personal data was disclosed.

c. Timeframe: Bugsec is required to provide information on any action taken on a Request without undue delay and in any event within one month of receipt of the request.

d. Extended Timeframe: The notification period under section c may be extended by two further months where necessary, taking into account the complexity and number of the requests. Bugsec is required to inform the individual of any such extension within one month of receipt of the request, together with the reasons for the delay.

e. Manner of Response: Where the individual submitted the request by electronic means, the information is required to be provided to the individual by electronic means where possible, unless otherwise requested by the individual.

f. Refusal Requirements: If Bugsec does not take action on a certain Request, it is required to inform the individual without delay, and at the latest within one month of receipt of the Request, of the reasons for not taking action and of the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

Appendix A
Initial Request Form

Introduction

Please complete this form if you wish to exercise one of your rights under the EU General Data Protection Regulation (the “GDPR”). 

If you are completing this form on behalf of another person, please complete all sections of this form. If you are completing this form in order to obtain information about your own personal details, complete only Sections 1 and 3.

Section 1 – to be completed by all

Please provide your details:

Name:

Address:

Telephone (land):

Telephone (mobile):

E-mail address:

Age (if under 18):

Please supply proof of identity. 

We may not be able to respond to your request if we cannot identify you. Valid identification includes a copy of a recent bill with your name and address, together with a copy of your driving licence or passport, with your name and current signature.

Please describe your relationship with Bugsec (for example: employee, website user, customer personnel) and indicate whether the relationship is past or current:

…………………………………………………………………………………………………..………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………..

Which right under the GDPR or any other data protection law do you wish to exercise in relation to your personal information?

…………………………………………………………………………………………………..………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………..

If you wish to access the information that Bugsec holds about you, please answer the following questions, providing as much detail as you can to enable us to locate the information to which your request relates. Please note that the more extensive the search, the longer it will take us to provide the information:

Do you believe the information is held in manual files?

If yes, please answer the following:

Who do you believe may have the file(s)?

From/to which dates should we search?

Do you believe the information is held in the form of emails or other computerised format?

If yes, please provide the following information:

The names of the authors and recipients of the messages.

The subjects of the emails.

The dates/range of dates when you believe the messages were sent.

Whether you believe the emails are “live” or in archived or back-up form.

Any other information which may assist us in our search.

Please provide as much information as possible in relation to your reasons for wanting to exercise the right in question.

………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………

If applicable, please provide details in relation to any errors in the information we hold about you or any information which is no longer up-to-date.

If applicable, please provide the details below of any organisation to whom you want us to transfer your personal information.

Company:

Address:

Telephone:

E-mail address:

Section 2 – to be completed only by those making a request on behalf of another person

  • Please provide details of the person on behalf of whom you are making this request:

Name:

Address:

Telephone (daytime):

Telephone (evening):

E-mail address:

Age (if under 18):

  • Please explain your relationship to the above person (e.g. parent, legal representative):

………………………………………………………………………………………………………………………………………………………………………………

  • Please supply evidence of your authorisation to act on behalf of the above person.

 

Section 3 – to be completed by all

Please ensure that you have enclosed the following, together with this form:

Proof of identity (if required).

Proof of authorization to act on behalf of another person (if required).

Return the above to:

Itzik Vager – COO

If you believe that Bugsec has not adequately addressed your request, please notify [email protected] and provide sufficient information to clarify your dissatisfaction. We will then review the information and update you on the steps that we take in response to your request or, alternatively, on the reasons for not taking any further action, and provide additional information should you wish to lodge a complaint or seek a judicial remedy.

Signed  …………………………………………………

Date     …………………………………………………