GDPR

Introduction

Rahi Systems is hereinafter referred to as ‘we’, ‘our’, or ‘the company’. The security and management of data is important to ensure that we can function effectively and successfully for the benefit of our stakeholders, customers and the community. In doing so, it is essential that people’s privacy is protected through the lawful and appropriate use and handling of their personal information. The company has a responsibility to adhere to the Data Protection Principles outlined in all the applicable privacy and data protection laws, and to this Personal Data Protection Policy and any other policies which may be formulated for data protection and data privacy purposes by the company.

Aim

This policy aims to protect personal data of the various stakeholders connected to our organization. This Policy sets forth the basic principles by which the Company processes the personal data of consumers, customers, suppliers, business partners, employees and other individuals, and indicates the responsibilities of its business departments and employees while processing personal data.
This Policy is also intended to provide adequate safeguards for the processing of Personal Data entrusted to the company and transferred from countries requiring such protections. This is to enable the company to transfer Personal Data wherever it is needed around the globe to enable and support its internal business processes or enable services and product functionality and improvement. In order to do this, the company may formulate and describe certain additional obligations and legal rights in circumstances where data protection laws and regulations of other jurisdictions are applicable.

Scope

This policy control applies to all systems, people and processes that constitute the organization’s information systems, including board members, directors, employees and other third parties who have access to personal data available within the company.
The company is also committed to ensuring that its employees conduct themselves in line with this, and other related, policies. Where third parties process data on our behalf, the Company will ensure that the third party takes such measures in order to maintain the Company’s commitment to protecting data. The company understands that it will be accountable for the processing, management and regulation, and storage and retention of all personal data held in the form of manual records and on computers.

Definitions

Personal data: It is information that relates to an identifiable person who can be directly or indirectly identified from that information, for example, a person’s name, identification number, location, online identifier. It can also include pseudonymised data.
Special categories of personal data: It is data which relates to an individual’s health, sex life, sexual orientation, race, ethnic origin, political opinion, religion, and trade union membership. It also includes genetic and biometric data (where used for ID purposes).
Data processing: It is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Any other term not defined herein shall have the same meaning as defined in the Regulation (EU) 679/2016 (General Data Protection Regulation).

Reference Documents

• IT Security Policy
• Privacy Notice
• Cross Border Personal Data Transfer Procedure
• Data Retention Policy
• Personal data breach notification procedure
• Employee Privacy Notice
• Data Subject Access Request Procedure

Types of Personal Data Processed

Personal data is kept in personnel files or within the electronic records of Rahi Systems. The following types of data may be held by the Company, as appropriate, on relevant individuals:
A. Members and Clients data
• First Name, Last name
• Job title & Company
• Email address
• Phone numbers
• Areas of Interest
• Country of residence
B. Human Resource Data
• Name, address, phone numbers – for individual and next of kin
• CVs and other information gathered during recruitment, references from former employers,
• National Insurance numbers, job title, job descriptions and pay grades,
• Conduct issues such as letters of concern,
• Disciplinary proceedings
• Holiday records
• Internal performance information
• Medical or health information, sickness absence records
• Tax codes
• Employment training details.
C. Website Visitor Data
• Visitor’s IP data
• Date and time of website visit
• Pages visited and navigation on the website
• Browser being used
• Country of accessing website
• Language of the browser being used
• Words searched for
D. Inquiries
• Personal data stated in the form: Name, address, phone number, country
• Subject of Inquiry
• Payment Information
• Personal details (Name on the card, billing address)
• Payment details (card numbers, card type)
We are using a secure third party to manage transactions and ecommerce payment processing.
Relevant individuals should refer to the Company’s privacy notice for more information on the reasons for its processing activities, the lawful bases it relies on for the processing and data retention periods.

Data Protection Principles

All personal data obtained and held by the Company will:
• be processed fairly, lawfully and in a transparent manner
• be collected for specific, explicit, and legitimate purposes
• be adequate, relevant and limited to what is necessary for the purposes of processing
• be kept accurate and up to date. Every reasonable effort will be made to ensure that inaccurate data is rectified or erased without delay
• not be kept for longer than is necessary for its given purpose
• be processed in a manner that ensures appropriate security of personal data including protection against unauthorised or unlawful processing, accidental loss, destruction or damage by using appropriate technical or organisational measures
• comply with the relevant applicable data protection laws and procedures for international transferring of personal data.

Data Subject Rights

In addition, personal data will be processed in recognition of an individual’s data protection rights, as may be enshrined under various data protection laws and regulations which the company may be subject to.
The company makes a commitment to honour rights that a data subject may enjoy under any applicable data protection law.
Some of the rights available to the data subjects are:
• the right to be informed
• the right of access
• the right for any inaccuracies to be corrected (rectification)
• the right to have information deleted (erasure)
• the right to restrict the processing of the data
• the right to portability
• the right to object to the inclusion of any information
• the right to regulate any automated decision-making and profiling of personal data.
Exercise and processing of these rights shall be subject to the applicable data protection laws and regulation governing these rights.

Processing of Personal Data

All processing of personal data must meet one of the following bases:
• Where we have the consent of the data subject
• Where it is in our legitimate interests and this is not overridden by the rights and freedoms of the data subject.
• Where necessary to meet a legal obligation.
• Where necessary to fulfil a contract, or pre-contractual obligations.
• Where we are protecting someone’s vital interests.
• Where we are fulfilling a public task or acting under official authority.
Any special category data/sensitive types of personal data as defined must further be processed only in line with one of the conditions specified in the relevant laws.
The most appropriate lawful basis will be noted in the Data Processing Register.
Where processing is based on consent, the data subject has the option to easily withdraw their consent.
Where electronic direct marketing communications are being sent, the recipient should have the option to opt-out in each communication sent, and this choice should be recognised and adhered to by us.
Personal data must be processed in a lawful manner and in good faith. Data processing may only take place if and insofar as a sufficient legal basis exists for the processing activity. Only such data as is necessary would be processed. Such personal data would be updated regularly. Personal data must be processed in a manner that uses technical or organisational measures to ensure appropriate security that protects the data against unauthorised or unlawful processing and against accidental loss, destruction or damage.

Procedures

The Company has taken the following steps to protect the personal data of relevant stakeholders, which it holds or to which it has access:
• it appoints or employs employees with specific responsibilities for:
◦ the processing and controlling of data
◦ the comprehensive reviewing and auditing of its data protection systems and procedures
◦ overviewing the effectiveness and integrity of all the data that must be protected.
◦ There are clear lines of responsibility and accountability for these different roles.
• it provides information to its stakeholders on their data protection rights, how it uses their personal data, and how it protects it. The information includes the actions relevant individuals can take if they think that their data has been compromised in any way
• it provides its employees with information and training to make them aware of the importance of protecting personal data, to teach them how to do this, and to understand how to treat information confidentially
• it can account for all personal data it holds, where it comes from, who it is shared with and also who it might be shared with
• it carries out risk assessments as part of its reviewing activities to identify any vulnerabilities in its personal data handling and processing, and to take measures to reduce the risks of mishandling and potential breaches of data security. The procedure includes an assessment of the impact of both use and potential misuse of personal data in and by the Company
• it recognises the importance of seeking individuals’ consent for obtaining, recording, using, sharing, storing and retaining their personal data, and regularly reviews its procedures for doing so, including the audit trails that are needed and are followed for all consent decisions. The Company understands that consent must be freely given, specific, informed and unambiguous. The Company will seek consent on a specific and individual basis where appropriate. Full information will be given regarding the activities about which consent is sought. Relevant individuals have the absolute and unimpeded right to withdraw that consent at any time
• it has the appropriate mechanisms for detecting, reporting and investigating suspected or actual personal data breaches, including security breaches. It is aware of its duty to report significant breaches that cause significant harm to the affected individuals to the relevant supervisory authority, and is aware of the possible consequences
• it is aware of the implications of the international transfer of personal data.

Access to Data

Relevant individuals have a right to be informed whether the Company processes personal data relating to them and to access the data that the Company holds about them. Requests for access to this data will be dealt with under the following summary guidelines:
• a form on which to make a subject access request is available. The request should be made to [email protected]
• the Company will not charge for the supply of data unless the request is manifestly unfounded, excessive or repetitive, or unless a request is made for duplicate copies to be provided to parties other than the employee making the request
• the Company will respond to a request without delay. Access to data will be provided, subject to legally permitted exemptions, within one month as a maximum. This may be extended by a further two months where requests are complex or numerous.
Relevant individuals must inform the Company immediately if they believe that the data is inaccurate, either as a result of a subject access request or otherwise. The Company will take immediate steps to rectify the information.
For more information on making a subject access request, reach out to our Data Protection Officer at [email protected]

Data Disclosures

The Company may be required to disclose certain data/information to any of the following:
• regulatory authorities and enforcement agencies
• any court of law or any relevant party in connection with any claim or legal proceedings
• our contractors, service providers, consultants, auditors and advisors on a need-to-know basis. The Personal Information may in some circumstances be transferred overseas; however, we will also ensure that the overseas entities we work with observe strict confidentiality and data protection obligations.
The responsible department must inform the data subjects of the purposes and circumstances of the processing of their personal data in a concise, transparent, intelligible and easily accessible form and in clear and plain language. This information must be given whenever the personal data is collected for the first time. If the Company receives the personal data from a third party, it must provide the information to the data subject within a reasonable period after obtaining the data, unless
• the data subject already has the information or
• it would be impossible or extremely difficult to provide this information.
These kinds of disclosures will only be made when strictly necessary for the purpose.

Data Security

With constant developments and changes in technology and innovations facilitating data sharing and access, it is important that a consistent approach be adopted to safeguard personal data.
Rahi Systems will ensure that appropriate technical and organizational measures are in place, supported by privacy impact and risk assessments, to ensure a high level of security for personal data, and a secure environment for information held both manually and electronically.
The Company adopts procedures designed to maintain the security of data when it is stored and transported.
In addition, as part of its organizational security measures, employees at Rahi Systems must:
• ensure that all files or written information of a confidential nature are stored in a secure manner and are only accessed by people who have a need and a right to access them
• ensure that all files or written information of a confidential nature are not left where they can be read by unauthorised people
• check regularly on the accuracy of data being entered into computers
• always use the passwords provided to access the computer system cautiously, and not circulate such access unless absolutely necessary
• use computer screen blanking to ensure that personal data is not left on screen when not in use.
Personal data should not be kept or transported on laptops, USB sticks, or similar devices, unless authorised. Where personal data is recorded on any such device it should be protected by:
• ensuring that data is recorded on such devices only where absolutely necessary
• using an encrypted system — a folder should be created to store the files that need extra protection and all files created or moved to this folder should be automatically encrypted
• ensuring that laptops or USB drives are not left lying around where they can be stolen.
Failure to follow the Company’s rules on data security may be dealt with via the Company’s disciplinary procedure. Appropriate sanctions include dismissal with or without notice dependent on the severity of the failure.

International Data Transfers

The Company may be required to transfer personal data to a country/countries outside of the respective jurisdiction.
Transmission of personal data to recipients outside or inside the Company is subject to the authorization requirements for processing personal data.
The data recipient must be required to use the data only for defined purposes.
In the event of a cross-border transmission of personal data (including granting access from another country), the relevant national requirements for the transfer of personal data abroad must be fulfilled. Personal data from the EU may only be processed outside the Companies in a third country if the recipient can prove that it has a data protection level equivalent to this Policy.
Transfers of personal data to any public authority cannot be massive, disproportionate and indiscriminate in a manner that would go beyond what is necessary in a democratic society. In the event of conflicts between these and public authority requirements, the company will find a practical solution that fulfils the purpose of this Policy.

Breach Notification

Where a data breach is likely to result in a risk to the rights and freedoms of individuals, it will be reported to the relevant supervisory authority within 72 hours of the Company becoming aware of it and may be reported in more than one instalment.
Individuals will be informed directly in the event that the breach is likely to result in a high risk to the rights and freedoms of that individual.
If the breach is sufficient to warrant notification to the public, the Company will do so without undue delay.

Training

New employees must read and understand the policies on data protection as part of their induction.
All employees receive training covering basic information about confidentiality, data protection and the actions to take upon identifying a potential data breach.
The nominated data controller/auditors/protection officers for the Company are trained appropriately in their roles under the applicable laws.
All employees who need to use the computer system are trained to protect individuals’ private data, to ensure data security, and to understand the consequences to them as individuals and the Company of any potential lapses and breaches of the Company’s policies and procedures.

Records

Records management refers to a set of activities required for systematically controlling the creation, distribution, use, maintenance, and disposition of recorded information maintained as evidence of business activities and transactions. It is impossible to be compliant with information law without robust records management policies and practices.
The Company keeps records of its processing activities including the purpose for the processing and retention periods in its Data Retention Records. These records will be kept up to date so that they reflect current processing activities.
Good records management practices ensure not only record quality but also that personal data is kept only for as long as necessary for its original purpose, and help support data minimization.
Rahi Systems is committed to implementing robust management policy, process, and practices to ensure compliance with the applicable data protection laws and regulations.

Organization and Responsibilities

Rahi Systems will maintain records of data processing as required under and in accordance with relevant data protection laws the company may be subject to.
The ‘Data Protection Officer’ (DPO) has the specific responsibility of overseeing data protection and ensuring that we comply with the data protection principles and relevant legislation.
The DPO will ensure that the Data Processing Register is kept up to date and demonstrates how the data protection principles are adhered to by our activities. Individual members of staff have a duty to contribute to ensure that the measures outlined in the Register are accurately reflected in our practice.
Our compliance with relevant policies and regulatory requirements in respect of data protection as part of our Data Management Strategy will be periodically monitored internally by a designated governance group.
All employees, volunteers, consultants, partners or other parties who will be handling personal data on behalf of Rahi Systems will be appropriately trained and supervised where necessary.
The collection, storage, use and sharing of personal data will be regularly reviewed by the Data Protection Officer, the Governance Group, and any relevant business area.
We will adhere to relevant codes of conduct where they have been identified and discussed as appropriate.
Where there is likely to be a high risk to individuals’ rights and freedoms due to a processing activity, we will first undertake a Data Protection Impact Assessment (DPIA) and consult with the relevant supervisory authority prior to processing if necessary.

Conflicts of Law

This Policy is intended to comply with the laws and regulations in the place of establishment and of the countries in which the company operates. In the event of any conflict between this Policy and applicable laws and regulations, the latter shall prevail.

Additional information for CALIFORNIA RESIDENTS

California Residents’ Rights Under CCPA

• the right to opt out of the sale of personal information
• the right to know what categories of Personal Information are being collected, sold, or disclosed and the categories of sources of that Personal Information
• the right to request that a business delete personal information
• the right to be free from discrimination

Categories of California Consumers’ Personal Information Collected, Sold, or Disclosed

We collect a variety of categories of personal information about California consumers. We will not collect additional categories of personal information or use the personal information we collect for materially different, unrelated, or incompatible purposes without providing an advance notice and receiving specific consent wherever required under applicable law.
Collection
In particular, we have collected the following types of Personal Information in the last twelve (12) months:
• Personal identifiers. Examples of these identifiers include, but are not limited to, a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers.
• Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)). Examples of this information include, but are not limited to, a name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information.
• Protected classification characteristics under California or federal law. Examples of this protected information include, but are not limited to, age, race, colour, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information).
• Commercial Information. Examples of such commercial information include, but are not limited to, favourite restaurant location, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
• Biometric information. Genetic, physiological, behavioural, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data.
• Internet or other similar network activity. Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement.
• Geolocation data. Physical location or movements.
• Sensory data. Audio, electronic, visual, thermal, olfactory, or similar information.
• Professional or employment-related information. Current or past job history or performance evaluations.
• Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)). Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.
• Inferences drawn from other Personal Information. Profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behaviour, attitudes, intelligence, abilities, and aptitudes.
• Sensitive personal information. A consumer’s Social Security, driver’s license, identification card, or passport number; a consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; genetic data; contents of a consumer’s mail, email or text messages; a consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership.
We may have obtained some or all of the personal information listed above from the following sources in the last twelve (12) months:
• Directly from you. For example, from forms you complete, information you provide to our customer service department, or documents you provide to us.
• Indirectly from you or from a third party. For example, through information we collect in the course of providing services to you, or information we obtain from government agencies, public repositories, or third parties.
• Directly and indirectly from activity on our website. For example, we may automatically collect certain information such as unique device identifiers and cookies when you use our online services, such as our website, online portals or mobile applications.
Business or Commercial Purposes for which Information is used and disclosed
We use and disclose the personal information described above for one or more of the following business or commercial purposes:
• To fulfil or meet the reason you provided the information. For example, if you provide your name and contact information to request or avail one of our services or product offerings, we will use that information to activate or access your account, set up services, and otherwise respond to your request. If you provide your personal information to pay for one of our services or product offerings, we will use that information to process your payment.
• Making a decision about your recruitment or appointment;
• Determining the terms on which you work for us, including administering the contract/agreement/deed we have entered into with you;
• Checking you are legally entitled to work;
• For the administration of your benefits;
• Paying you and, if you are an employee, deducting any applicable tax, social or national insurance contributions;
• Managing sickness absence;
• Complying with employment and other laws and regulations, and health and safety obligations;
• Conducting performance reviews, managing performance, determining performance requirements, and making salary and compensation decisions;
• Compliance with security and other mandatory policies and building access;
• Contacting you in the event of a business disruption or continuity event;
• Equal opportunities monitoring and complying with obligations under laws and regulations applicable to Rahi Systems.
• Satisfying (or assisting you in satisfying) education, training and development requirements;
• Providing information to relevant external authorities for tax, social security and other purposes as legally required;
• Conducting surveys to assess your satisfaction with Rahi Systems including but not limited to its processes or policies;
• Assessing qualifications for a particular job or task, including decisions about promotions;
• Using internal and external training and promotional presentations and publications;
• Setting up and maintaining accounts and subscriptions with third parties that provide information and research services or communication services
• Making decisions about your continued engagement, employment or membership of Rahi Systems
• Gathering evidence for possible grievance or disciplinary hearings;
• Making arrangements for the termination of our working relationship;
• Dealing with legal or regulatory disputes or investigations involving you, our work, or other partners, employees, workers and contractors, including accidents at work, potential and actual negligence claims and professional discipline matters;
• To prevent fraud;
• To monitor use of our information and communication systems to ensure compliance with our IT and data retention management policies;
• To ensure network and information security, including preventing unauthorized access to our computer and electronic communications systems and preventing malicious software distribution;
• Business management and planning, including accounting, auditing and insuring;
• Planning or reviewing options in relation to the operation or management of Rahi Systems
• Keeping registers required by law or regulation;
• To conduct data analytics studies to review and better understand employee retention and attrition rates;
• Providing requested references for future employers;
• Providing proof of employment;
• Providing information in the context of a possible sale or restructuring of the business, including but not limited to due diligence purposes.
• To administer claims for benefits including sickness absence or family related leaves, to comply with employment and other laws, to carry out obligations or exercise special rights in the field of employment and social security law
• Communicating with you, for example to respond to inquiries
• Informing you of job opportunities and evaluating your suitability for a job
• Enhancing the safety and security of the services and preventing fraud, or protecting our or our customers’, or your rights or property
• Enforcing applicable terms and conditions and other applicable policies
At Rahi Systems, we do not engage in selling consumers’ personal information to third parties.
Disclosure of Personal Information
We disclose consumers’ personal information to our affiliates, service providers or third parties in connection with performance of our services and business operations, as permitted or required by applicable law. For example, we work with third parties that provide services to us and partner with third parties to develop, operate, deliver, maintain, improve, enhance, and protect our services and in connection with our offerings and operations. When we disclose personal information for a business purpose, we enter a contract that describes the purpose and requires the recipient to both keep that personal information confidential and not use it for any purpose except performing the contract, while ensuring that their obligations arising under CCPA and other applicable law are honoured.
We have disclosed for a business purpose the following Personal Information in the preceding twelve (12) months:
• Identifiers.
• Personal Information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)).
• Commercial information.
• Biometric information.
• Internet and other similar network activities
• Geolocation data
• Sensory Data
• Professional or employment related information
• Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)).
• Inferences drawn from other Personal Information.
• Sensitive personal Information
Parties to whom personal information is disclosed can include but are not limited to:
• Website hosting or information technology consulting service providers
• Data analysis service providers
• Legal service providers
• Accounting service providers
• Administrative service providers
• Security service providers
• Application service providers
• Other third party service providers for the following types of activities carried out by them:
◦ human capital management administration;
◦ benefits provision and administration (including payroll, timekeeping, compensation, tax, insurance and discount voucher schemes);
◦ occupational health or medical assessments regarding your fitness to work and health and safety (e.g., work station assessments);
◦ insurance or benefits claims and notifications;
◦ provision and administration of recruitment assessments, training and professional development;
◦ building security access and maintenance;
◦ travel services providers;
◦ telecommunications and messaging services such as our business continuity emergency notification system;
◦ consultants such as talent management and law firms;
◦ hard copy archiving; and
◦ IT services including systems providers for meetings, communications (including telephone, messaging, and email), productivity applications, document management, and security.
We may also disclose your personal information for other purposes permitted by law and to:
• Comply with applicable laws
• Respond to governmental inquiries or requests, including tax authorities, regulators or supervisory authorities, the police or a court of competent jurisdiction
• Comply with valid legal processes
• Protect the rights, privacy, safety or property of Rahi Systems website visitors, users of the services, customers
• Permit us to pursue available remedies or limit the damages that we may sustain
• where it is necessary to administer the contract, working relationship and any associated benefits with or for you; for the purposes of auditing, insuring and in the course of seeking advice with regards to our business operations and claims handling; or where we have another legitimate interest in doing so
• Enforce our Terms of Service
In the event there is a change or contemplated change in the corporate structure of Rahi Systems such as a merger, consolidation, sale, liquidation or transfer of substantial assets, we may disclose your personal information and may, in our sole discretion, transfer, sell or assign personal information collected on and through the services, including your personal information, to one or more affiliated or non-affiliated third parties.

Methods for Exercising Consumer Rights and Submitting Requests to Rahi Systems

This section explains how you can exercise your rights arising under the CCPA, described above. Consumers must provide Rahi Systems with sufficient information to enable us to reasonably verify their identity or that of their authorized agent. The company will only use the personal information provided in your request to verify your identity or that of your authorized agent. Please note that we cannot provide any personal information in response to a request if we cannot verify your or your authorized agent’s identity, or your authorized agent’s authority to make the request on your behalf, and/or if we cannot confirm that the collected Personal Information relates to you.
• Email. You can submit requests by emailing us at [email protected]

Verification Process

Once we receive a request to know or to delete, we must verify your identity before we can respond and process any such requests provided by you.
If you do not maintain an account with us or do not wish to fill out the request forms, you will, at the least, be required to provide the following information for verification purposes:
• Your first and last name;
• Your email address;
• Your telephone number;
• Your relationship with us; and
• A specific description of your request.
If any request is found to be manifestly unfounded or excessive, in particular because of its repetitive character, the company can either charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request and notify the consumer of the reason for refusing the request. Upon such refusal or the charging of a processing fee, the company will communicate such need to the consumer.
If you submit either a request to know specific pieces of Personal Information collected, or a request to delete sensitive, irreplaceable, or otherwise valuable Personal Information, you (or your authorized agent, if applicable) will be required to provide a signed declaration affirming your identity (or your authorized agent’s identity, if applicable). The declaration is included on the online CCPA Consumer Request to Know Form and online CCPA Consumer Request to Delete.

Authorized Agents

An authorized agent is either a natural person or a business entity registered with the California Secretary of State that a consumer has authorized to act on his or her behalf.
You may use an authorized agent to submit any such requests that consumers are entitled to. Your agent will need to provide: either (1) a power of attorney; or (2) your written permission to allow the authorized agent to submit the request on your behalf and verification of your identity.

Response Timing and Format

Acknowledgement of receipt of request
We will confirm receipt of a request from you within ten (10) days. This confirmation will provide information about how we will process the request, including a description of our verification process and an approximation of when we will send you a substantive response.
Substantive Response
We will respond to a verifiable request from you within forty-five (45) days, which is inclusive of the time taken by us in acknowledging the receipt of your request. If we cannot respond in that time, we will notify you in writing that we need an additional forty-five (45) days and explain the reason for the needed additional time.
If you have an account with us, we will respond to that account. If you do not have an account with us, we will deliver the written response by mail or email, at your option.
Any disclosures we provide will cover only the 12-month period preceding our receipt of your verifiable request. If we cannot comply with your request, we will explain why. If you have requested to know specific Personal Information we collected, we will provide that information to you via mail or e-mail.
We do not charge a fee to process or respond to a verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why and provide you with a cost estimate before completing the request.
Acting upon opt-out requests.
We will act upon an opt-out as soon as commercially reasonable, but no later than forty-five (45) days from the date we receive the request.

Do Not Sell My Personal Information

Rahi Systems does not sell personal information, including in the preceding 12 months.

Company Details

Company Name: Rahi Systems
Data Protection Officer: [email protected]