Introduction & Purpose

Certain data protection laws give data subjects the ability to access, rectify, erase, restrict processing, object to processing, and/or have portable formats of their personal information. Data subjects may exercise these rights by way of a data subject rights request, i.e. a written request by an individual to a data controller or data processor to exercise or as part of exercising her/his right under such laws. This document sets out Hitachi Vantara's policy for responding to a data subject rights request under applicable data protection laws, including the EU's General Data Protection Regulation.

Hitachi Vantara welcomes all reasonable requests for information. Hitachi Vantara will review and, when appropriate, respond to these requests within the time period specified by applicable law.

To learn more about what constitutes personal information, please refer to Hitachi Vantara's Global Data Protection and Privacy Policy (or the "Privacy Policy").

Making a Request to Access Your Information

Depending on where you live, you may have the right to see, correct, delete, object or limit how we process, and/or obtain a portable copy of the personal information we hold about you. However, this is not always an absolute right. This means that your requests may be subject to certain exemptions or grounds on which we may refuse. Should you wish to make a request, you are encouraged (but not compelled) to do so by using one of our request forms found online.

Receiving a Data Subject Request

Upon receiving a request, we will firstly seek to verify your identity to ensure that the request is made by you or by another person who is authorised on your behalf to make this request (such as a legal guardian or authorised agent). You may be asked to provide any evidence that confirms your identity (such as proof of your address). If you are requesting on behalf of another individual, you must supply the individual's consent for the release of that individual's personal information to you.

We will then evaluate your requests pursuant to applicable law, the rights of third parties, and any contractual agreements we have with you. This may involve communications with external stakeholders who hold the relevant personal information. Unless the other party has provided their consent or it is reasonable to do so without their consent, we will not share any information that relates to a third party. Information may be redacted with an explanation of its scope and reason.

We aim to respond to your request within the period mandated by the relevant law, or if none is specified, within a reasonable time period after you have made the request. If we are unable to do so, you can expect an explanation from us on why we are unable to do so. You may also receive a preliminary reply from us requesting for further information, or to update you on progress undertaken or the timing (including the fact that the time limit will not start to run until the further information is received).

Except where permitted by law, we will not charge you any administrative or other fee. If we do, we will inform you promptly of this.

Access Request: If you make a request to access your personal information, we may do any of the following as part of issuing our response when permitted by law: (a) summarise information rather than provide a copy of the whole document; (b) provide access to your personal information on an informal basis, such as by phone or in person; (c) send permanent copies of the information to you (except where otherwise agreed, it is impossible to do so, or it would involve undue effort); (d) allow you to view the information on screen. Your access will depend on the means by which we received the request, the volume of information sought or the nature of the information. In any event, we will consult with you to try to satisfy your request and also explain any complex terms or abbreviations contained in the information.

Refusing a Request

Data protection laws contain a number of exemptions to any right to access, correct, delete, object or limit how we process, and/or obtain a portable copy of your personal information. An example of an exemption is information covered by legal professional privilege. Should we refuse your request, we will write to you to explain our grounds for the refusal as well as setting out any other matters prescribed by the data protection law applicable to you.

Complaints Procedure

If you are not satisfied with our actions, you may submit a complaint to the Global Data Protection Officer (privacy@hitachivantara.com). If you remain dissatisfied, you may have the right to refer the matter to your local data protection authority.

General Application
This document forms part of and supplements the Privacy Policy, and prevails over the Privacy Policy in the event of any inconsistency. This document may be used as part of general privacy compliance training for those involved in handling subject access requests.

Last Updated: May 25, 2018