Handling data requests
Every company and organisation that determines the purposes and means of the processing of personal data is classed as a data controller. Aceworks is the data controller for merchants, whilst merchants are the data controllers for their customers.
As a data controller, you should familiarise yourself with the personal data that you may have relating to your customers and employees. This could be anything that is used to identify a person, including their name, email address, telephone number or any other piece of data linked to them.
Under the GDPR, your customers and employees can request a copy of their data or ask you to delete, update or restrict the processing of their data. If you receive a data request, you should follow these steps:
- Confirm their identity to ensure you are dealing with the correct person
- Comply with the request within 30 days
- Confirm the requirements - copy, delete, update or restrict
- Take action - you can use the tools available in the mobile or web app to help you
- Provide the data securely (if required) - do not charge for it
- Record the details of the request to ensure you can provide evidence of compliance
You should always keep yourself informed about your responsibilities under the GDPR. If you do not comply, the maximum fine that can be levied is 4% of global revenue or €20 million (whichever is higher).