Data Subject Access Request (DSAR) Policy and Procedures

1. Purpose and Scope

This document establishes the policies and procedures governing Shade's handling of Data Subject Access Requests (DSARs) in compliance with the General Data Protection Regulation (GDPR) and other applicable privacy laws. These procedures apply to all data subject requests received by Shade regarding personal data we process as either a data controller or data processor.

2. Data Subject Rights

Shade acknowledges its obligation to facilitate data subjects' rights under applicable privacy laws. These rights include access to personal data, rectification of inaccurate data, erasure of personal data ("right to be forgotten"), restriction of processing, data portability, objection to processing, and rights related to automated decision making and profiling. The following sections detail our procedures for addressing these rights.

3. Request Handling Process

Receipt and Initial Processing

Data subjects may submit requests via email to privacy@shade.inc or through our customer support channels. Upon receipt of a request, the Privacy Team will be notified immediately. All requests will receive acknowledgment within 48 hours of receipt.

Identity Verification

Prior to processing any request, Shade will verify the identity of the requesting party through appropriate authentication methods. The Privacy Team may request additional information when necessary to confirm the requestor's identity. All verification measures taken will be documented in our secure system.

Assessment and Response Preparation

Upon verification of the requestor's identity, the Privacy Team will evaluate the nature and scope of the request to determine appropriate action. This evaluation includes identifying all systems containing relevant personal data, assessing any applicable exemptions or limitations, and determining whether the request can be fulfilled within the standard 30-day timeline.

Response Timeline and Delivery

Shade commits to responding to all requests without undue delay and within 30 days of receipt. In cases of complex requests or high volume, we may extend this period by up to 60 additional days, provided we inform the data subject of such extension within the initial 30-day period, explaining the reasons for the delay.

4. Response Requirements

All responses to DSARs will be provided in clear, plain language and delivered through secure channels when containing sensitive information. When fulfilling access or portability requests, information will be provided in a commonly used, machine-readable format. In cases where we cannot fulfill a request, we will provide a detailed explanation of the reasons and inform the data subject of their right to lodge a complaint with a supervisory authority.

5. Special Circumstances

Complex Requests

In cases where requests are deemed complex due to technical limitations, volume of data, or other factors, the Privacy Team will assess the complexity upon receipt and notify the requestor if additional time is required. The justification for any timeline extension will be documented in our records.

Third-Party Information

When responding to DSARs, Shade will take appropriate measures to protect the privacy rights of other individuals. Any personal data of third parties contained within the requested information will be redacted unless explicit consent has been obtained for its disclosure.

6. Documentation and Record Keeping

Shade maintains comprehensive records of all DSARs processed. These records include the date of receipt, nature of the request, verification methods employed, response date, request outcome, and documentation of any special circumstances or timeline extensions. This documentation ensures accountability and helps improve our request handling procedures over time.

7. Training and Policy Updates

Shade provides comprehensive training to all staff members involved in handling DSARs. This policy undergoes annual review and updates to reflect changes in privacy regulations, improvements in handling procedures, and technological advancements. All updates are documented and communicated to relevant staff members.

8. Contact Information

For questions about this policy or to submit a DSAR, please contact privacy@shade.inc

Last Updated: Jan 2nd, 2025