All the content of this website are © Mazars Group and Mazars - Ukraine.
General conditions of use
This service is for personal use only. It is strictly prohibited to circulate or reproduce all or part of the content for other purposes, in any form whatsoever. Failure to comply with this rule will be treated as infringement of copyright and civil or legal proceedings may be instigated against the person or entity responsible.
The information available on the website is not subject to contract and may be altered without warning. The services mentioned on the website may differ from the stated form or be unavailable outside the following country: Ukraine. The website should not under any circumstances be treated as an advisory or consulting service.
Mazars cannot be held responsible for any problems caused by consulting or using the website. Hypertext links provide access to sites run by third parties, over which Mazars has no control. Mazars disclaims all responsibility for the content of these sites.
Confidentiality and privacy
GDPR – Personally Identifiable Information Policy: Requests and Rights of the Individual
The General Data Protection Regulation (EU) 2016/679 (“GDPR”) is a Regulation by which the European Parliament, the European Council and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU).
This policy focuses upon the rights of the individual and how Mazars will react to these various rights and requests. These requests are noted in the GDPR under Article 15 through to 22. This policy covers the following:
- subject access requests;
- request for data rectification;
- request for erasure;
- request for restrictions;
- right to object to specific processing;
- data processing restrictions;
- automated processing restrictions;
- data portability.
Throughout this Policy the following definitions shall apply:
Identification of the Data Subject
The Controller or Processor should use all reasonable measures to verify the identity of a Data Subject who seeks to exercise any of their rights. Prior to providing any information in response to a request, confirmation of identity of the requestor must take place. The Data Controller/Processor must be confident that the requestor is authorized to receive the information, whether this be the individual, career, legal guardian or law enforcement agent with appropriate jurisdiction.
The DPO will record details of the identification check, along with the request, in the request log.
A log will be kept by Mazars of all requests for information under GDPR. This log is controlled and managed by DPO. This log will keep a record of requests, actions and the operator who executed the request. This log also evidences a chain of responsibility in the event of challenge to the appropriate handling of requests.
Requests by Data Subjects do not need to refer to GDPR nor the Article name and number; any intelligible request for information/action on any medium will be valid. This includes but is not limited to, written requests, electronic requests or telephone requests. As an advocate of data privacy and data security, Mazars will endeavor to support any legitimate request.
Subject requests to be sent to: email@example.com.
Subject Access Request
Requirements of Requests
Under GDPR Data Subjects have the right to obtain from Mazars confirmation as to whether personal data concerning them is being processed. If Mazars has data, the data subject has the right to be provided with a copy of that Personal Data and the following information:
- the purposes of the processing
- the categories of personal data concerned;
- confirmation of disclosure to third countries or international organizations;
- the specific or anticipated retention period;
- where the personal data is not collected from the data subject, any available information as to its source;
Mazars is obliged by law to respond in a suitable method, within 30 days. Mazars cannot charge a fee for requests that are reasonable and not repeated.
For excessive, multiple copies and unnecessary repeat requests, Mazars will charge an administration fee of £60.00.
Under no circumstances will Mazars charge for requests which do not concern access to Personal Data.
Responses to Subject Access Requests
Mazars will endeavor to respond as soon as practicable to reasonable requests, once identification is confirmed. Should a request take longer than the required 30 days, the subject will be notified before this time informing them of the delay. The delay will be no more than a further 30 days and this extension capacity will only be used in exceptional circumstances. Responses to requests will primarily be by email, unless the subject specifically requests otherwise.
The response will include all the required information paraphrased in the bullet points above and a complete list of information stored by Mazars on the data subject only; data not relevant to the subject must not be provided.
Request for Data Rectification
Data Subjects have the right to have inaccurate Personal Data concerning him or her rectified without undue delay. Taking into account the purposes of the processing, the Data Subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Once identification of the requestor has been confirmed, data on the individual is to be updated. It is a legal requirement to inform the data subject, therefore Mazars shall confirm to the requestor, by email, that an update has occurred in line with information provided unless this proves impossible or involves disproportionate effort. The request shall be recorded in the request log.
In some circumstances it may be necessary to retain the inaccurate data originally held for legal purposes.A decision will need to be made for each request, assessing the risk of failure to retain the original inaccuracy balanced against the rights and freedoms of the Data Subject.
The data subject has the right to erasure of personal data concerning him or her without undue delay.
Mazars is obligated to erase personal data where one of the following grounds applies:
- personal data is no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the data subject withdraws consent and no other legal basis for processing exists;
- the data subject objects to the processing carried out on the grounds of the Data Controller’s legitimate interests and there are no other overriding legitimate grounds for the processing
- the personal data have been unlawfully processed;
- he personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
If the request to erase Personal Data has been received, identity has been confirmed, the request meets one of the above requirements and there is no legal contrary reason for processing, Mazars must delete the relevant data in its entirety. This includes making reasonable efforts to ensure that relevant details are removed from ancillary storage, such as documents and emails. It also be noted that whilst removing data from backups will occur naturally over time, any restoration from backup will include removing requested erasure data.
Erasing Personal Data
Personal Data and its locations, reasons for processing and any external transfers will be mapped by the DPO and the Data Controller. If all criteria have been met to remove the data, it should be removed and documented in the request log. Whilst all data must be removed from all locations, a record of
such an event must be kept. Therefore Mazars reserves the right to retain the full name of the individual in the request log as a legal document showing the removal of data, alongside the authority/request to do so.
Basis for Declining a Request and Retaining Data
Requests for erasure can be declined by Mazars if the requirement for retention falls under one of the following categories:
- exercising the right of freedom of expression and information;
- compliance with a legal obligation which requires processing by Union or Member State law to which the Data Controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;
- for reasons of public interest in the area of public health;
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
- for the establishment, exercise or defense of legal claims.
These reasons for declining a request are applicable to all GDPR personal data requests.
Data Processing Restrictions
Data Subjects have the right to restrict processing of their Personal Data where one of the following applies:
- the accuracy of the personal data is contested. Restrictions can be put in place for a reasonable period enabling the Controller to verify the accuracy of the personal data;
- he processing is unlawful;
- he controller no longer needs the Personal Data for the purposes of the processing, but their continued retention is required by the Data Subject for the establishment, exercise or defense of legal claims;
- the Data Subject has objected to processing and the case is pending verification as to whether the legitimate grounds of the Controller override the rights of the Data Subject.
If the request to erase data has been received, identity has been confirmed, it meets one of the above requirements and there is no legal contrary reason for processing, Mazars must restrict the use of the Personal Data. Methods by which to restrict the processing of Personal Data include; temporarily moving the selected data to another processing system, making the selected Personal Data unavailable to users, or temporarily removing published data from a website, amongst other solutions. Mazars will determine the most appropriate course of restriction in each case.
As with all other requests, request for restriction must be logged, alongside any actions taken to fulfil the request.
The Data Subject has the right to send personal data concerning him or her, from Mazars to another Data Controller. Mazars is obliged to send the data in a commonly used human and machine-readable format such as a Word, Excel or plain text format. The data subject is required to provide suitable contact details of the recipient controller for the transfer to take place. Mazars is not required to conduct due diligence on the recipient controllers’ security posture as this transfer is conducted at the behest of the data subject.
Contact details of Data Protection Officer:
Advice and guidance on any matters stemming from the Policy can be obtained by contacting the DPO.
Subject access request to be sent to: firstname.lastname@example.org.
The editor in chief of this website is the managing partner of Mazars - Ukraine:
20/24, rue Reitarska apt. 2