Government Data Request Policy

1. Introduction

  1. This Government Data Request Policy sets out Brightidea’s procedure for 1) prior assessment of existing third country requirements to disclose personal data or measures authorizing access by public authorities; and 2) responding to a request received from a law enforcement or other government authority (together the “Requesting Authority“) to disclose personal data processed by Brightidea (hereafter “Data Disclosure Request“), which is aligned with our Data Processing Agreement: Government Access Requests. The Policy also sets out Brightidea’s notification procedure for instances where we become aware of a direct access (i.e., access to personal data without a prior request to, and/or approval or collaboration by, Brightidea) by a law enforcement or other government authority to personal data processed by Brightidea (hereafter “Direct Access”), which is aligned with our Data Processing Agreement: Government Access Requests.
  2. Where Brightidea receives a Data Disclosure Request, it will handle that Data Disclosure Request in accordance with this policy. If applicable data protection law(s) require a higher standard of protection for personal data than is required by this policy, Brightidea will comply with the relevant requirements of those applicable data protection law(s).

2. Prior Assessment

  1. Prior to Brightidea carrying out international transfers of personal data subject to the requirements of this Controller and/or Processor Policy, it will carry out an assessment of the laws and practices of the third country of destination regarding Data Disclosure Request requirements or measures authorizing Direct Access (including in transit) which could prevent Brightidea from fulfilling its obligations under the respective Controller/Processor Policy, such as practices that do not respect the essence of the fundamental rights and freedoms and exceed what is necessary and proportionate in a democratic society, as well as the applicable limitations and safeguards. Such assessment shall be carried out in light of the specific circumstances of the transfer and of any envisaged onward transfer (including purposes, location and sector in which the transfer and the related processing take place, types of entities involved in the processing, categories/format of personal data transferred and transmission channels used), and shall determine whether additional contractual, technical or organizational safeguards (be it during personal data transmission or at rest) are required. The assessment (and safeguards, as appropriate) will be communicated by members of the Security & Compliance team. Brightidea will reasonably monitor future developments of the laws of the country of destination in order to consider, as appropriate, the impacts such changes may have on the initial assessment it carried out. Brightidea, acting as data importer under this Controller and/or Processor Policy, shall reasonably communicate such changes it becomes aware of to Subscribers acting as data exporters and to the EEA Group Member with delegated data protection responsibilities.
  2. Where Brightidea determines that additional safeguards are to be put in place to address the findings of the assessment in paragraph 2.1, Brightidea will notify the relevant EEA Group Member with delegated data protection responsibilities, and relevant members of the broader privacy team will be involved, in order to reflect their views regarding such safeguards.
  3. Brightidea will document such assessment as outlined in paragraph 2.1 and additional measures pursuant to paragraph 2.2 and make these available to competent supervisory authority upon request.
  4. Where Brightidea has determined that effective supplementary measures are needed to fulfil its obligations under the respective Controller/Processor Policy but cannot identify any, or where instructed by the competent supervisory authority, Brightidea commits to suspend the relevant transfers (including transfers for which the same assessment and reasoning would lead to the same conclusion) and to inform all involved of the same. Following such suspension, entities exporting personal data under this Controller and/or Processor Policy can end such personal data transfer, and personal data which were not subject to the sufficient protections required under the Controller/Processor Policy may be returned to the exporting entity and/or destroyed.

3. General Principle on Data Disclosure Requests

  1. As a general principle, Brightidea does not disclose personal data in response to a Data Disclosure Request unless either:
    1. it is under a legal obligation to make such disclosure; or
    2. taking into account the nature, context, purposes, scope and urgency of the Data Disclosure Request and the privacy rights and freedoms of any affected individuals, there is an imminent risk of serious harm that merits compliance with the Data Disclosure Request in any event.
  2. For that reason, unless it is legally prohibited from doing so or there is an imminent risk of serious harm, Brightidea will notify and consult with the competent data protection authorities (and, where it processes the personal data on behalf of a Subscriber, the Subscriber) to address the Data Disclosure Request.

4. Handling of a Data Disclosure Request

  1. If Brightidea receives a Data Disclosure Request, the recipient of the request must pass it to the Security and Compliance Team immediately upon receipt, indicating the date on which it was received together with any other information that may assist the Security and Compliance Team in responding to the request. Similarly, if Brightidea becomes aware of Direct Access, it shall communicate this to the Security and Compliance Team immediately, indicating the date on which it occurred together with any other information that may assist the Security and Compliance Team in responding in line with this Policy.
  2. The Requesting Authority’s request does not have to be made in writing, made under a Court order, or mention data protection law to qualify as a Data Disclosure Request. Any Data Disclosure Request, however made, must be notified to the Security and Compliance Team for review.
  3. Brightidea’s Security and Compliance Team will carefully review each and every Data Disclosure Request and Direct Access on a case-by-case basis. The Security and Compliance Team will liaise with outside counsel as appropriate to determine the nature, context, purposes, scope and urgency of the Data Disclosure Request/Direct Access, and its validity under applicable laws and principles of international comity, to identify whether action may be needed to challenge the Data Disclosure Request/Direct Access, including by means of an appeal to the Requesting Authority, and/or by seeking interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits or otherwise requiring the disclosure under the applicable procedural law, as appropriate, and/or to notify the Subscriber and/or competent data protection authorities.

5. Notice of a Data Disclosure Request/Direct Access

  1. Notice to the Subscriber
    1. If a request concerns personal data for which a Subscriber is the controller, Brightidea will ordinarily ask the Requesting Authority to make the Data Disclosure Request directly to the relevant Subscriber. If the Requesting Authority agrees, Brightidea will support the Subscriber in accordance with the terms of its contract to respond to the Data Disclosure Request.
    2. If this is not possible (for example, because the Requesting Authority declines to make the Data Disclosure Request directly to the Subscriber or does not know the Subscriber’s identity), Brightidea will notify and provide the Subscriber with the details of the Data Disclosure Request prior to disclosing any personal data, unless legally prohibited from doing so, or where an imminent risk of serious harm exists that prohibits prior notification.
    3. If Brightidea becomes aware of a Direct Access concerning personal data for which a Subscriber is the controller, Brightidea will notify and provide the Subscriber with the details of such Direct Access, unless legally prohibited from doing so or where an imminent risk of serious harm exists that prohibits such notification.
  2. Notice to the competent data protection authorities
    1. If the Requesting Authority is in a country that does not provide an adequate level of protection for the personal data in relation to such request, in accordance with applicable data protection laws, then Brightidea will also put the request on hold to notify and consult with the competent data protection authorities, unless legally prohibited or where an imminent risk of serious harm exists that prohibits prior notification.
    2. If the law enforcement or other government authority which carried out a Direct Access is in a country that does not provide an adequate level of protection for the personal data in relation to such request, in accordance with applicable data protection laws, then Brightidea will also notify and consult with the competent data protection authorities, unless legally prohibited or where an imminent risk of serious harm exists that prohibits prior notification.
    3. Where Brightidea is prohibited from notifying the competent data protection authorities and/or suspending the request, Brightidea will use its best efforts (taking into account the nature, context, purposes, scope, and urgency of the request) to inform the Requesting Authority/authority that carried out the Direct Access about its obligations under applicable data protection law and to obtain the right to waive this prohibition. Such efforts may include asking the Requesting Authority/authority that carried out the Direct Access to put the request on hold, so that Brightidea can consult with the competent data protection authorities, or to allow disclosure to specified personnel at Brightidea’s Subscriber, and may also, in appropriate circumstances, include seeking a court order to this effect. Brightidea will maintain, and upon reasonable request provide to its Subscribers and competent data protection authorities, a written record of the efforts it takes, in line with its established business record maintenance practices, unless legally prohibited from doing so.

6. Transparency Reports

  1. Brightidea commits to preparing a semi-annual report (a “Transparency Report”), which reflects the number and type of Data Disclosure Requests it has received for the preceding six months, as may be limited by applicable law or court order. Brightidea will publish the Transparency Report on its website, and make the report available upon request to competent data protection authorities.

7. Bulk Transfers

  1. In no event will Brightidea transfer personal data to a Requesting Authority in a massive, disproportionate, and indiscriminate manner that goes beyond what is necessary in a democratic society.
