International Aerospace Environmental Group, Inc. Individual Rights Request Policy

 

  1. INTRODUCTION AND SCOPE

    1. Under data protection and privacy laws, individuals have the right to understand how the International Aerospace Environmental Group, Inc. (“IAEG”) uses any personal information which IAEG collects and uses about them, and individuals have the right to make certain decisions about how that information is used.
    2. When IAEG uses, or 'processes' personal information for its own purposes (rather than processing personal information as part of providing a service to another organization), IAEG is called a 'controller' of that personal information. This means IAEG is responsible for meeting the requirements of data protection and privacy laws which apply to it, and with making sure that individuals can exercise their rights over their personal information.
    3. In particular, individuals whose personal information is collected and/or used in Europe[1] or by IAEG Staff (“Staff” includes officers, directors, Working Group leaders, employees, and volunteers), (or our suppliers) (for example in the course of an EU based IAEG conference) have the following rights over their personal information which is collected, stored and used by IAEG:
        1. the right of access to personal information;
        2. the right to rectification of personal information;
        3. the right to erasure of their personal information;
        4. the right to 'data portability';
        5. the right to restrict IAEG’s processing of their personal information; and
        6. the right to object to IAEG’s processing of their personal information.
    4. Even if personal information is collected and used by an organization located outside Europe, individuals will continue to benefit from these rights over their personal information.
    5. This policy explains how IAEG must deal with an individual's request to exercise each of their rights (each a "Rights Request").

 

Failure to comply with this policy is a serious matter and may result in appropriate action.

 

  1. PURPOSE OF THIS POLICY

    1. IAEG is required to respond to all Rights Requests in a documented, consistent and timely manner in a way that complies with applicable data protection and privacy laws.
    2. All Rights Requests should be completed within one calendar month of the receipt of the Rights Request and, where applicable, receipt of the information needed to verify the identity of the requestor. If these documents are provided separately, the deadline will be one calendar month from the date of receipt of the later document. It may be possible to extend the deadline in certain circumstances as described in section 4.11.

 

IAEG is required to respond to Rights Requests promptly and within 30 days. Don’t ignore communications you think could be Rights Requests – act quickly!

 

  1. What is 'personal information'?

    1. Personal information is information which relates to an individual, who can be identified either directly by that information or in combination with other information held or easily accessible by IAEG.
    2. Personal information includes, among other things, names, email addresses, images of the individual, employee numbers, passport information, bank details, and photographs. In other words, it is information about an individual whether their name is used or not, so long as it is clear that it is about that individual.
    3. Personal information includes expressions of opinion or intended actions which relate to that individual. The definition also states that there has to be an element of 'biographical significance' for the individual, and more than a casual connection between the individual and a matter/event. For example, where an individual is simply referred to as having attended a meeting, or is the author of an email, the meeting minutes and content of the email will not be personal information (unless those minutes or content also have the individual as their subject matter), but the fact that the individual attended the meeting or sent the email would be personal information about the individual.

 

Individuals have rights to their personal information. Personal information is a broadly defined concept. If you’re not sure whether information is personal information, ask the Data Privacy Administrator.

 

  1. Procedure for Responding to Rights Requests

Submitting a Rights Request

    1. Individuals can make Rights Requests by contacting us through email or mail. IAEG should consider and respond to all requests from individuals relating to their rights.
    2. If IAEG Staff receives a Rights Request from an individual, that Rights Request should be forwarded to the IAEG Data Privacy Administrator immediately, where it will be assigned to an IAEG official (the "Responding Official").

 

If you are the Responding Official, you are responsible for ensuring that the Rights Request is properly dealt with in accordance with this Policy.

 

Receipt of the request

    1. When the Responding Official receives a Rights Request, they should review that request.
    2. The Responding Official should:
        1. ensure that the scope of the Rights Request is sufficiently clear. If it is not clear, the Responding Official should contact the requestor to request further information. The types of further information which may be required in respect of each right are set out in the descriptions of each right in the Appendix; and
        2. check that the identity of the requestor has been verified. If a Rights Request is made by an individual other than a current employee, IAEG is only obliged to comply with the Rights Request if the individual making the request supplies IAEG with information which allows IAEG to confirm their identity. This should comprise both proof of identity (e.g. copy of passport, driving license or ID card) and proof of address (e.g. recent utility bill or bank statement). The Responding Official should contact the requestor promptly to ask for such information if it has not been provided.

 

IAEG must always ensure that the scope of any request is sufficiently clear and that IAEG can verify the identity of the requestor.

 

    1. Once the Responding Official has received any additional information required about the scope of the request and appropriate identification documents from the requestor, the Responding Official should acknowledge receipt of the Rights Request by contacting the requestor.
    2. The Responding Official should then determine whether the Rights Request is valid. Information about whether a Rights Request is valid is set out in the information about each particular right in the Appendix.
    3. If the Rights Request is not valid, the Responding Official should contact the requestor and explain the reasons why the Rights Request is not valid. However, if the Rights Request is valid, the Responding Official should properly respond to the Rights Request.

 

IAEG must always acknowledge a Rights Request by contacting the requestor. IAEG should always check that the Rights Request is valid and identify which right the requestor wishes to exercise e.g. access, rectification, objection etc.

Responding to the Rights Request

    1. The Responding Official should follow the appropriate steps for responding to the relevant type of Rights Request. Relevant considerations with respect to each right are set out in the descriptions of the rights in the Appendix. It is important for the Responding Official to record the steps he or she takes when responding to the Rights Request.
    2. In considering the personal information that falls within the Rights Request, the Responding Official may need to contact different parts of the IAEG – for example those with responsibilities in IT, Communication and Finance. IAEG Staff are asked to assist should provide full cooperation to the Responding Official.
    3. In certain cases, responding to a Rights Request will require third parties (e.g. service providers and other third parties which IAEG shares personal data with) to take certain actions, for example to amend their records in response to a request to rectify personal information, or to delete personal information they hold in response to a request for erasure. The Responding Official should therefore contact all third parties who hold personal data relating to the relevant individual and ask that they respond to the Rights Request, and confirm to the Responding Official that they have done so.

 

If IAEG needs to involve a third party (e.g. a service provider hosting the personal information) to help IAEG respond to the Rights Request, inform them as soon as possible.

 

    1. If, due to the scope of the Rights Request, it is possible that concluding the Rights Request will take longer than one calendar month (due to its complexity and the number of requests), the Responding Official should notify the IAEG Data Privacy Administrator and should then contact the requestor to inform them that the response to the Rights Request will be delayed. This should only happen in exceptional circumstances, and the Responding Official should document the reasons why the deadline was not met internally, and to the requestor. IAEG can only extend the response period by a further two months.
    2. IAEG may be able to refuse to act on a Right Request when it is manifestly unfounded or excessive, in particular because of its repetitive nature. Alternatively, IAEG can offer to act on the Rights Request but only if the relevant individual pays a reasonable fee taking into account the administrative costs of providing the information. It is IAEG’s responsibility to demonstrate that a Rights Request is manifestly unfounded or excessive.

 

In exceptional circumstances, IAEG can take longer than one calendar month to respond in full to the Rights Request but IAEG must keep the requestor updated about the delay or IAEG may refuse to act on the request if manifestly unfounded or excessive.

 

    1. Once the Rights Request has been completed, the Responding Official should prepare a report which sets out how the Rights Request has been completed. This report should contain a description of all steps taken to determine whether the Rights Request was valid, and all steps taken to action the Rights Request. The Responding Official should then contact the requestor to confirm that the Rights Request has been completed, attaching the report. The additional information which may be required in respect of each right is set out in the Appendix.

 

You must record the steps taken and the results of the Rights Request.

 

 

 

 

APPENDIX

The Rights

  1. The Right of Access

 

Individuals have the right to make a request to access and receive a copy of all personal information which IAEG holds and processes about them (an "Access Request").

Additional information which may be required before responding to an Access Request

The scope of the searches

    1. If it is not clear from the Rights Request what personal information the requestor seeks to obtain, IAEG will need to confirm the scope of the searches it will carry out for that individual's personal information. IAEG is expected to make extensive efforts to search for all information that the requestor wishes to obtain. IAEG cannot ask the requestor to narrow the scope of the proposed searches. However, IAEG is not required to do anything which would be unreasonable or disproportionate while taking into account the fact that the right of access to personal information is regarded as fundamental for individuals to have control over their personal information.
    2. When sending the requestor confirmation of the Rights Request, the Responding Official should set out the scope of the searches to be carried out and request confirmation that these are appropriate.
    3. When reviewing the relevant request and confirming the scope of the searches, IAEG should suggest searches of the email folders of relevant individuals, folders of network hard drives , and any other areas particularly relevant to that individual. Specific search terms should also be agreed. Generally, these will be the name of the requestor, along with a reasonable date range. This will allow electronic documents to be searched quickly.
    4. The following considerations may be relevant when determining the scope of the search:
      1. date ranges: if there is a particular matter which the requestor is interested in, a limited date range while that matter was active may be more appropriate. However, the requestor can insist on receiving personal information from any date range;
      2. local hard drives: to preserve the confidentiality of the requestor, IAEG should as far as possible not inform any other individuals within or outside IAEG about the Access Request and the document searches. However, this will mean that searches can only be made of documents on shared network drives rather than local hard drives. In the event that the requestor makes a complaint to a data protection authority, IAEG might be required by that authority to carry out searches of local hard drives, and the individuals whose hard drives are to be searched would then have to be informed that these will be searched;
      3. deleted and backed-up data: data protection authorities will not expect IAEG to provide personal information which has been deleted. In respect of back-up data, if IAEG is satisfied that the back-up replicates the data held in live systems, it is unlikely that a data protection authority would require specific searches of back-up data.
      4. archived data: archived data should be searched, as data protection authorities generally deem this to be data which an organization has decided it may wish to retrieve at a later date. The exception is where this archived data is difficult to retrieve and would therefore be very unlikely to be used to make decisions about an individual;
      5. hard copy documents: hard copy documents that are stored in such a way that information about individuals is readily accessible are within the scope of Access Request.

 

It is important to determine the scope of the searches for personal information. IAEG can do this partly through checking with the requestor and confirming the scope with them.

When is an Access Request valid?

    1. Access Requests are always valid.
    2. However, IAEG is not obliged to respond to repeated requests which are made at unreasonably frequent intervals. If you receive a repeated request from the same individual and consider that the previous request was very recent, you should take into account whether the personal information is particularly sensitive, whether the processing might affect the requestor's rights and whether the personal information is likely to have changed since the last request before determining whether the interval between requests is unreasonable. If you have any questions about whether a repeat request has been made unreasonably soon, please contact the IAEG Data Privacy Administrator.
    3. In the event of a repeated request, you can offer only to provide information which has changed since the previous request, but if the requestor insists on receiving all the personal information again, IAEG must provide this.

 

Where there are repeated Access Requests, IAEG may be able to refuse to respond but IAEG would need to justify why.

Information relevant to carrying out an Access Request

    1. As well as the documents held by IAEG in hard copy or electronic form, the scope of the searches may refer to information held by third parties such as service providers. In this case, IAEG should consider whether third parties may be holding information to which IAEG would not have access.
    2. After the searches are carried out, the documents returned should be reviewed  in such a way as to review them as quickly as possible.
    3. If the request is subject to UK law, the following considerations are relevant to the review process:
      1. if the documents contain any personal information of individuals other than the requestor, this information should normally not be disclosed. This information should be redacted in order to provide only the personal information of the requestor. It should only be disclosed if the other individual has consented to its disclosure;
      2. if information is subject to legal privilege, for example personal information is included in legal advice provided to IAEG, or has been prepared by lawyers in reasonable anticipation of litigation, it should not be disclosed to the requestor. The IAEG Staff responding to the request should request a list of lawyers (internal and external) who may have provided advice to IAEG in matters that the requestor wishes to obtain information about, to ensure that the review team is aware of which documents may be subject to legal privilege. If it is unclear whether documents are privileged, this should be referred to the IAEG ata Privacy Administrator;
      3. if personal information is included in information that relates to the prevention or detection of a crime, it should not be disclosed if doing so might prejudice the investigation into that crime;
      4. where personal information is included in management forecasting or planning, that personal information does not have to be provided if providing it would prejudice any of IAEG’s business activities;
      5. records of IAEG’s intentions in relation to negotiations with the requestor do not have to be provided where release of that information would be likely to prejudice those negotiations;
      6. there are other exceptions relating to confidential references, corporate finance, publicly available information, armed forces,  and self-incrimination. If you believe these might apply, please contact the IAEG Data Privacy Administrator.

 

There are certain exemptions that allow IAEG to withhold personal information even if it falls within the scope of an Access Request.

What must IAEG provide in response to an Access Request?

    1. Subject to applicable data protection law and in addition to the report prepared by the Responding Official, IAEG should provide the requestor with:
      1. a copy of all personal information extracted; and
      2. a copy of the relevant privacy notice to the requestor.

 

  1. The Right of Rectification

 

Individuals have a right to submit a request to exercise their right of rectification (a "Rectification Request").
    1. Individuals have the right to require IAEG to rectify their personal information to the extent that it is inaccurate. For example, if an individual changes their name, IAEG must update their records on receipt of a Rectification Request.
    2. Individuals also have the right for any personal information which is incomplete to be updated, taking into account the purposes of the processing.

Additional information which may be required before responding to a Rectification Request

    1. Upon receipt of a Rectification Request, IAEG should verify that the personal information provided as a correction to existing personal information is actually correct.
    2. For example, if an individual claims to have changed their name, they could be required to provide documentation proving this (e.g. a certified copy of an updated identity document).
    3. If required, further information should be requested from the individual who made the Rectification Request, and they should be informed what information would be required to verify the changes and for IAEG to comply with the Rectification Request.

IAEG should seek evidence to ensure that the personal information should be rectified.

When is a Rectification Request valid?

    1. If the information which IAEG has on file is incorrect, and the updated information provided by the requestor is correct as described above, a Rectification Request is valid.

Information relevant to carrying out a Rectification Request

    1. IAEG should ensure that any entities which have received the personal information which was subject to the Rectification Request are informed of the updated personal information. IAEG is not required to do this if it would be impossible or would involve a disproportionate effort.

If the personal information was disclosed to third parties and IAEG is now rectifying that personal information, IAEG must inform those third parties that the personal information has been rectified unless this proves impossible or involves disproportionate effort.

What must IAEG provide in response to a Rectification Request?

    1. The confirmation that the relevant information has been corrected or updated should be communicated to the requestor so that they are aware that changes have been made.
    2. If requested by the requestor, IAEG must also provide a list of all the entities which have received the personal information, and which have been contacted by IAEG in accordance with section 2.7 above.

IAEG must update the requestor and provide them with a list of recipient entities if they request it.

 

  1. The Right of Erasure (AKA the Right to Be Forgotten)

 

Individuals have a right to of erasure (an "Erasure Request") in certain circumstances

Additional information which may be required before responding to an Erasure Request

    1. If it is not clear from the Erasure Request, IAEG may need to verify precisely which personal information the requestor wishes to be erased, and it may also be helpful to understand why the requestor wishes to have that information erased.

When is an Erasure Request valid?

    1. IAEG must delete personal information on receipt of an Erasure Request where:
      1. the personal information is no longer necessary for the purpose for which it was collected. For example, if a contact at a member no longer works for that member makes an Erasure Request, there would be no need to retain that information as the information was originally collected for processing in the context of that member relationship;
      2. the personal information is processed only on the basis of the consent of the requestor, and the requestor withdraws that consent. In general, making an Erasure Request would be considered a withdrawal of consent;
      3. the requestor objects to processing as described in section 6 below, and there are no overriding legitimate grounds for IAEG to carry on the processing.

 

To determine whether IAEG has an overriding interest in retaining the personal information, you should consider what business reason IAEG has for retaining it. You should then balance this against the requestor's right to control their personal information. For example, while IAEG may retain personal information in order to conduct analytics and create appropriate marketing segments on the basis that this allows it to manage its business most effectively, using an individual’s personal information when that individual has not engaged with IAEG  for a significant period is intrusive. If that individual actively objects to this retention of their personal information, their privacy interests would likely outweigh IAEG’s business interests.

In general, if the requestor actively keeps using IAEG’s services for which their personal information is processed on the basis of IAEG’s legitimate interests, IAEG’s legitimate interests will outweigh the requestor's interests and their personal information should not be deleted. You can refer to the records of processing activities which IAEG keeps in order to determine the basis for processing

 

      1. the personal information is being processed unlawfully, for example if IAEG was processing personal information on the basis that the processing was necessary for the performance of a contract with the requestor, but that contract has now been terminated;
      2. the personal information must be erased to comply with a legal obligation to which IAEG is subject; or
      3. the personal information relates to a child under the age of 16, which has been processed on the basis of parental consent in the context of providing an 'information society service', which includes any service provided over the internet. This is unlikely to apply to IAEG’s activities.
    2. But even if the Erasure Request meets one of the conditions in section 3.2 above, IAEG is not required to delete personal information where IAEG’s processing of the personal information is necessary:
      1. for exercising the right of freedom of expression and information. This is unlikely to apply to IAEG, but if you consider it might, seek advice from the IAEG Data Privacy Administrator;
      2. for compliance with a legal obligation under EU or Member State law to which IAEG is subject or for the performance of a task carried out in the public interest;
      3. For reasons of public interest in the area of public health;
      4. For archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, and only if erasing the personal information would be likely to render impossible or seriously impair the achievement of these objectives; or
      5. For the establishment, exercise or defense of legal claims. For example, IAEG would not be required to delete personal information about a former employee with whom there is an existing employment dispute.

If you have any questions about whether these factors apply, you should contact the IAEG Data Privacy Administrator.

A right to erasure is not an automatic right. Even if an individual can claim a right to erasure there are exemptions available which allow us to refuse their right to erasure.

Information relevant to carrying out an Erasure Request

    1. Taking into account the costs of implementation, IAEG should ensure that any entities which have received the personal information which was subject to the Erasure Request are informed of the erasure. IAEG is not required to do this if it would prove impossible or involve disproportionate effort to inform all recipients of this personal information.

 

If the personal information was disclosed to third parties and IAEG are now erasing that personal information, we must inform those third parties that the personal information has been erased unless this proves impossible or involves disproportionate effort.

What must IAEG provide in response to an Erasure Request?

    1. Once an Erasure Request has been implemented, IAEG should contact the requestor to inform them that their personal information has been deleted as requested.
    2. If requested by the requestor, IAEG must also provide a list of all the entities which have received the personal information, and which have been contacted by IAEG in accordance with section 3.4 above.

 

IAEG must update the requestor and provide them with a list of recipient entities if they request it.

 

  1. The Right to Data Portability

 

Individuals may exercise a right of data portability (a "Portability Request") in certain circumstances

Individuals have the right to receive personal information which they have provided to IAEG in a commonly-used digital format, and have the right to request that this information be sent by IAEG to another controller in certain circumstances.

Additional information which may be required before responding to a Portability Request

    1. IAEG may wish to contact the individual to confirm which controller or controllers their personal information should be transmitted to, including a means by which this personal information should be transmitted.

 

IAEG needs to know who the requestor wants their personal information to be ported to.

When is a Portability Request valid?

    1. Individuals have the right to receive their personal information in a commonly-used digital format, and have the right to request that this information be sent by IAEG to another controller where:
      1. the processing of that personal information is carried out on the basis of:
        1. the consent of the individual; or
        2. on the basis that it is required for the purposes of performing a contract to which the individual is a party. For example, if an individual customer contracts with IAEG for IAEG to provide products to that customer, any processing which is necessary to take payment from the customer or deliver the products;

It is therefore important that we identify the lawful basis upon which IAEG has collected or processed the personal information which the requestor has requested.

      1. the processing is carried out by automated means, for example processing payments made by customers for products they have ordered will be carried out automatically to take a debit against the customer's credit card; and
      2. where the information has been 'provided to' IAEG by the requestor. This includes:
        1. personal information which has been actively and knowingly provided by the individual requestor (e.g. their name, address, email address, payment information); and
        2. personal information which has been created through the requestor using a service, or which IAEG has observed about the requestor's use of a service (e.g. cookie data, search histories, location data)

 

A right to portability is not an automatic right that applies to all personal information IAEG holds. It is only relevant in certain circumstances.

Information relevant to carrying out a Portability Request

    1. IAEG should compile the personal information about the requestor which meets the requirements set out above.

What must IAEG provide in response to a Portability Request?

    1. IAEG must provide the requestor with a copy of all the information which is subject to the right to data portability in a format that has been reasonably determined.
    2. In responding to a Portability Request, IAEG must ensure that such actions do not adversely affect the rights of others. This means IAEG must ensure that actioning the Portability Request does not adversely affect other individuals, e.g. individuals whose contact details appear in an online address book which is subject to a Portability Request. IAEG should not transmit personal information of other individuals unless the requestor only wishes to use that information for personal reasons e.g. to begin using a new online email system. If a company to which IAEG is requested to transmit the requestor's personal information would process the personal information of individuals other than the requestor for other purposes (e.g. carrying out analytics or sending marketing to the individual other than the requestor) it should not be sent.

 

IAEG must be careful that complying with the request does not adversely affect the rights of other individuals.

 

  1. The Right to Restriction of Processing

 

Individuals have a right to restrict IAEG’s processing of their personal information (a "Restriction Request").

Individuals have the right to restrict the processing activities that IAEG can carry out with respect to their personal information.

Additional information which may be required before responding to a Restriction Request

    1. If it is not clear from the Restriction Request, IAEG should confirm which uses of personal information the requestor wishes to restrict.

When is a Restriction Request valid?

    1. A Restriction Request will be valid where:
      1. the accuracy of the personal information is disputed by the individual making the request;
      2. the processing is unlawful, but the individual does not wish to have the personal information erased and wishes to restrict its use instead;
      3. IAEG no longer requires the personal information for the purposes of the processing, but the individual requires the personal information for the establishment, exercise or defense of legal claims; or
      4. the individual has objected to the processing (see section 6 below), and IAEG is in the process of verifying whether the legitimate interests of IAEG override those of the individual.

If a Restriction Request is found to be valid, IAEG will not be able to process the individual's personal information other than where (i) the individual has consented to the processing, (ii) for the establishment, exercise or defense of legal claim, (iii) to protect the rights of another person, (iv) or for reasons of important public interest of the EU or a Member State.

    1. If you have any questions about whether a restriction request is valid, please contact the IAEG Data Privacy Administrator.

 

A Restriction Request is not an automatic right and is only valid is specific circumstances.

Information relevant to carrying out a Restriction Request

    1. Taking into account the costs of implementation, IAEG should ensure that any entities which carry out processing activities which were subject to the Restriction Request are informed of the request. IAEG is not required to do this if it would prove impossible or involve a disproportionate effort to inform all users of this personal information.

 

If the personal information was disclosed to third parties and we are now restricting that personal information, IAEG must inform those third parties that the personal information has been restricted unless this proves impossible or involves disproportionate effort.

 

What must IAEG provide in response to a Restriction Request?

    1. IAEG must inform the requestor that the processing of their personal information has been restricted in line with their request, and provide details of which processing activities have ceased.
    2. If requested by the requestor, IAEG must also provide a list of all the entities which process the relevant personal information, and which have been contacted by IAEG in accordance with section 5.4 above.

 

IAEG must update the requestor and provide them with a list of recipient entities if they request it.

 

  1. The Right to Object to Processing

 

Individuals have a right to object to the processing of their personal information (an "Objection").

Individuals have the right to object to the processing activities that IAEG carries out with respect to their personal information.

Additional information which may be required before responding to a Restriction Request

    1. If it is not clear from the Objection, IAEG should confirm which uses of personal information the requestor wishes to object to.

When is an Objection valid?

    1. Individuals have the right to object to the processing activities that IAEG carries out with respect to their personal information if:
      1. the processing activity in question takes place on the basis of IAEG’s (or a third party’s) 'legitimate interests' and IAEG cannot demonstrate any compelling legitimate grounds to override the interests of the requestor. You can refer to the relevant privacy notice to determine whether the relevant personal information is processed on the basis of IAEG’s legitimate interests;

 

To determine whether IAEG can demonstrate an overriding interest in continuing to process the personal information, you should consider what reason IAEG or a third party has for using it. You should then balance this against the requestor's right to control their personal information. For example, if IAEG profiles individuals who work for a member on the basis that this allows it to manage its business most effectively, building a profile of such individuals is intrusive and if they actively object to this, their privacy interests may well outweigh IAEG’s business interests.

In general, if the requestor wishes to keep using IAEG’s services for which their personal information is processed on the basis of IAEG’s legitimate interests after their objection has been resolved, IAEG’s legitimate interests will outweigh the requestor's interests. You can refer to the records of processing activities which IAEG keeps to determine the basis for processing;

 

      1. the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in IAEG and IAEG cannot demonstrate any compelling legitimate grounds to override the interests of the requestor. You can refer to the relevant privacy notice to determine whether the relevant personal information is processed on the basis of IAEG’s legitimate interests;
      2. the processing takes place for the purposes of carrying out direct marketing activities (such as sending marketing emails, letters, SMS messages or push notifications). In this case, IAEG should immediately cease those direct marketing activities; or
      3. the processing is for scientific or historical research purposes or statistical purposes unless IAEG can argue that the processing is necessary for the performance of a task carried out for reasons of public interest.
    2. If, however, IAEG is required to keep the personal information in order to make or defend legal claims (for example if a former employee is making a claim against IAEG) an Objection would not be valid. If you have any questions about whether an Objection is valid, please contact the IAEG Data Privacy Administrator.

 

A right to object is not an automatic right. However, it applies, for instance, when IAEG is relying on the legitimate interest ground and does not have a compelling legitimate reason to override the individual’s objection.

What must IAEG provide in response to an Objection?

    1. IAEG must inform the requestor that the processing of their personal information has ceased in line with their request, and in particular provide details of which processing activities have ceased.

 

[1]               In these guidelines Europe means the EEA plus Switzerland and the UK