Your company provides a SaaS tool for B2B services and does not interact with individual consumers. A client's current employee reaches out with a right to delete request. What is the most appropriate response?

A. Forward the request to the contact on file for the client, asking them how they would like you to proceed.
B. Redirect the individual back to their employer to understand their rights and how this might impact access to company tools.
C. Process the request, assuming that the individual understands the implications to their organization if their information is deleted.
D. Explain that you are unable to process the request because business contact information and associated data are not covered under privacy rights laws.
Answer: B

If your organization provides a SaaS tool for B2B services and does not interact with individual consumers, and a client's current employee reaches out with a right to delete request, the most appropriate response is to redirect the individual back to their employer to understand their rights and how this might impact access to company tools. Your organization is acting as a processor for the client, who is the controller of the employee's personal data. The controller is responsible for determining the purposes and means of processing personal data, as well as for responding to data subject requests. The processor should only process personal data on behalf of, and in accordance with the instructions of, the controller. Therefore, you should not forward the request to the client (A), process the request without consulting the client (C), or deny the request on the grounds that business contact information is exempt from privacy rights laws (D) [1], [2].

References:
[1] CIPM - International Association of Privacy Professionals
[2] Free CIPM Study Guide - International Association of Privacy Professionals