Data Subject Access Request
In the United States, and around the world, consumer privacy and data protection laws now give people specific rights to access, delete, correct, port (transfer), and opt out of the sale of their personal information. These rights – called “Data Subject Access Requests” (DSARs), “Subject Rights Requests” (SRRs), “Individual Rights Requests” (IRRs), or “Verified Consumer Requests” (VCRs) among other names – enable people around the world to have much stronger control over the information they share with companies. We’ll call these “DSARs” for short below.
WireWheel provides a full software platform to enable companies to safely manage DSARs, including under the European General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA). If you are a consumer/individual/data subject (we’ll call you a “Consumer” to keep it simple) who is submitting a DSAR request, this document is intended to provide you information to understand how WireWheel treats the personal information you submit as part of the DSAR request.
Here’s what you need to know up front:
WireWheel is a service provider to companies who use our platform. Companies who subscribe to WireWheel (“WireWheel Subscribers”) to manage DSARs, receive their own “instance” of WireWheel, and WireWheel Subscribers decide and control what data is collected from Consumers during a DSAR process.
As a Consumer, you should know:
WireWheel considers information collected from Consumers during a DSAR request to be very sensitive, and the sole property of WireWheel Subscribers, and so the WireWheel Platform is designed to encrypt that data, and to enable WireWheel
Subscribers to use it for DSAR fulfillment.
WireWheel does not access, process, or use Consumer data collected by or for WireWheel Subscribers for any purpose, other than to make it available to our WireWheel Subscribers, and for the limited purposes necessary to provide services to our WireWheel Subscribers including the “Limited Additional Processing” listed below.
We certainly do not sell any Consumer information collected by WireWheel Subscribers as part of the DSAR processes.
What information is collected during the DSAR Process:
As a general matter, here is the personal information collected during the DSAR process on WireWheel:
- Initial Form: Any information that you submit on the initial DSAR form is likely to include personal information. The submission form can be customized by WireWheel Subscribers, and WireWheel does not have control over what is requested on the forms. This usually will include at least an e-mail address, together with other identifying information like name, address, phone number, and similar information.
- Logged information during submission: During the DSAR submission process, we log information about a consumer’s interaction with the platform, including keystrokes, time periods between steps, and similar kinds of information. We could use this information to provide guidance to WireWheel Subscribers about whether a DSAR request is valid.
- Additional Information Required by a WireWheel Subscriber: Following submission of the initial form, and validation of the email address, a WireWheel Subscriber has the choice to ask you to provide the following:
- Other email addresses
- Phone numbers
- Name and Signature on an affidavit
- Photo of identification and/or other photos
- During the process of submitting a DSAR request, a WireWheel Subscriber can directly send one-off requests for information. These are completely at the discretion of a WireWheel Subscriber.
- When you receive your data, you can either create an account with WireWheel, or proceed via a timed link. WireWheel logs your interactions with the platform in the course of accessing the link, and retrieving the information.
With Whom Do We Share Your Personal Information
- Identification Verification – If a WireWheel Subscriber requires automated identification verification and selfie-check on the WireWheel platform, that check will be processed by our third party service providers, such as IDology.
- Specifically, when you upload your identification and selfie-photo, those uploads are passed to Ideology, which processes those images, checks a number of databases, and returns to a WireWheel Subscriber certain “checks” about the identification and selfie-photo.
- In addition, a WireWheel Subscriber has the option to see the identification and selfie photo themselves, in order to conduct a visual inspection.
- The WireWheel Platform keeps these items encrypted as long as they are kept within the platform, and we set very limited timeframes, usually no longer than a few weeks, in which these images are retained.
- WireWheel Subscribers Can Collect and Share Other Information. Ultimately, outside of the automated identification and selfie-checks, it is completely within the discretion of a WireWheel Subscriber to decide what other information to collect from a Consumer, how to use it when processing a DSAR request, how long to retain that information, and with whom to share that information. Other than the Limited Additional Processing listed below, WireWheel does not access, process, use, or certainly sell any information on the WireWheel Platform.
- Other WireWheel Suppliers. Like most software providers, we use other services and platforms to provide the WireWheel Platform. These include cloud providers (like Amazon Web Services, Azure, and Google Cloud), database services (like MongoDB Atlas), cybersecurity providers, logging services, and other similar types of vendors. These services may be viewed as having “access” to your data, and in each instance, is accessing your data for the specific purpose of enabling the provision of the DSAR service. We have contracts in place with these WireWheel suppliers providing that none of these providers can use your data for unrelated purposes, and none of them can sell your data.
Limited Additional Processing
- In the course of providing a platform to help a WireWheel Subscriber manage DSARs, WireWheel may “process” your information in certain limited ways necessary to provide the DSAR processing services.
- These include:
- Security: We use a number of techniques and services to treat your data as safely as possible, and some of these services may touch, process, or access your data in order to try to protect it. While we have taken many reasonable steps to attempt to protect your information, nothing is unbreachable. Please contact us at email@example.com if you would like more information about security measures.
- Service Issues and Product Improvement. From time to time, WireWheel may need to diagnose a service or product issue, or may seek to improve the provision of WireWheel services. When doing so, WireWheel may need to touch, process, or access your data in order to do so.
- Compliance with Laws or similar requirements. WireWheel is required to comply with laws, law enforcement requests, court and regulatory requirements, and fraud detection and crime prevention efforts. WireWheel may touch, access, or process your data in connection with a valid law enforcement, regulatory, or national security request, or in the course of defending civil claims, fraud and financial crime detection, or similar types of legal, regulatory, criminal, civil, or national security requirements.
We hope this has given you a sense about how WireWheel processes your personal information in connection with a DSAR request. If you have any additional information, please contact us at firstname.lastname@example.org.
LAST UPDATED: April 12, 2021