Data Subject Access Request

This document describes our procedure for handling Data Subject Access Requests under GDPR.

Scope and Purpose

This procedure sets out the key features regarding handling or responding to requests for access to personal data made by data subjects, their representatives or other interested parties. This procedure enables us, Mesh Payments Inc. (the “Company”), to comply with EU GDPR 2016/679 General Data Protection Regulation (“GDPR”) obligations and enable individuals to verify that information held about them is accurate.

This procedure applies to Company employees that handle data subject access requests, such as the Company’s Data Protection Officer.

Data Subject Access Request

A Data Subject Access Request (“DSAR”) is any request made by an individual or an individual’s legal representative for information held by the Company about that individual. The Data Subject Access Request provides the right for data subjects to see or view their own personal data as well as to request copies of the data.

A Data Subject Access Request must be made in writing. In general, verbal requests for information held about an individual are not valid DSARs. In the event a formal Data Subject Access Request is made verbally to a staff member of the Company, further guidance should be sought from the Data Protection Officer, who will consider and approve all Data Subject Access Request applications.

A Data Subject Access Request can be sent to us by emailing compliance@meshpayments.com.

The Rights of a Data Subject

The rights to data subject access include the following:

The Company must provide a response to data subjects requesting access to their data within 30 days (the “30-day response period”) of receiving the Data Subject Access Request, unless local legislation dictates otherwise.

Requirements for a Valid DSAR

In order to be able to respond to the DSAR in a timely manner, the data subject should provide the Company with sufficient information to validate their identity to ensure that the person requesting the information is the data subject or their authorized person.

Subject to the exemptions referred to in this document, the Company will provide information to data subjects whose requests are in writing and are received from an individual whose identity can be validated by the Company.

However, the Company will not provide data where the resources required to identify and retrieve it would be excessively difficult or time-consuming. Requests are more likely to be successful where they are specific and targeted at particular information.

Factors that can assist in narrowing the scope of a search include identifying the likely holder of the information (e.g. by making reference to a specific department), the time period in which the information was generated or processed (the narrower the time frame, the more likely a request is to succeed) and being specific about the nature of the data sought (e.g. a copy of a particular form or email records from within a particular department).

DSAR Process

International Data Transfers

Upon receipt of a DSAR, the Data Protection Officer will acknowledge the request. The requestor may be asked to complete a Data Subject Access Request Form to better enable the Company to locate the relevant information.

However, we understand that some Mesh Payments customers may want to ensure that their use of our services, and any California resident’s personal information that we process on behalf of our customers, is compliant with their own obligations under the CCPA.

This page helps to clarify how we process any personal information on behalf of our customers as it relates to the CCPA.

Identity Verification

The Data Protection Officer needs to check the identity of anyone making a DSAR to ensure information is only given to the person who is entitled to it. If the identity of a DSAR requestor has not already been provided, the person receiving the request will ask the requestor to provide two forms of identification, one of which must be a photo identity and the other confirmation of address.

If the requestor is not the data subject, written confirmation that the requestor is authorized to act on behalf of the data subject is required.

Information for Data Subject Access Request

Upon receipt of the required documents, the person receiving the request will provide the Data Protection Officer with all relevant information in support of the DSAR.

Where the Data Protection Officer is reasonably satisfied with the information presented by the person who received the request, the Data Protection Officer will notify the requestor that his/her DSAR will be responded to within the 30-day response period. The 30-day response period begins from the date that the required documents are received. The requestor will be informed by the Data Protection Officer in writing if there will be any deviation from the 30-day response period due to other intervening events.

Review of Information

Response to Access Requests

The Data Protection Officer will provide the finalized response together with the information retrieved from the department(s) and/or a statement that the Company does not hold the information requested, or that an exemption applies. The Data Protection Officer will ensure that a written response will be sent back to the requestor. This will be via email.

Archiving

After the response has been sent to the requestor, the DSAR will be considered closed and archived by the Data Protection Officer.

Exemptions

An individual does not have the right to access information recorded about someone else, unless they are an authorized representative, or have parental responsibility.

The Company is not required to respond to requests for information unless it is provided with sufficient details to enable the location of the information to be identified and to satisfy itself as to the identity of the data subject making the request.

In principle, the Company will not normally disclose the following types of information in response to a Data Subject Access Request:

Responsibilities

The overall responsibility for ensuring compliance with a DSAR rests with the Data Protection Officer of the Company.

If the Company acts as a data controller towards the data subject making the request, then the DSAR will be addressed based on the provisions of this procedure.

If the Company acts as a data processor, the Data Protection Officer will forward the request to the appropriate data controller on whose behalf the Company processes personal data of the data subject making the request.

For questions and notices, please email compliance@meshpayments.com.