Your GDPR Rights

Last updated: January 19, 2025

Your Data Protection Rights

Under the General Data Protection Regulation (GDPR), you have several rights regarding your personal data. This page explains each right and how to exercise them.

1. Right of Access (Article 15)

What it means:

You have the right to know what personal data we hold about you and how we process it.

What you can request:

  • Confirmation that we process your personal data
  • A copy of your personal data
  • Information about how we use your data
  • Who we share your data with
  • How long we keep your data
  • Your other GDPR rights

2. Right to Rectification (Article 16)

What it means:

You can ask us to correct inaccurate or incomplete personal data.

When to use it:

  • Your contact information has changed
  • We have incorrect information about you
  • Some of your data is missing

3. Right to Erasure ("Right to be Forgotten") (Article 17)

What it means:

You can request deletion of your personal data in certain circumstances.

When this applies:

  • The data is no longer necessary for the original purpose
  • You withdraw your consent
  • Your data has been unlawfully processed
  • You object to processing and there are no overriding legitimate grounds

Limitations:

  • We may keep data required for legal compliance
  • Data needed for freedom of expression
  • Data for establishing, exercising, or defending legal claims

4. Right to Restrict Processing (Article 18)

What it means:

You can ask us to limit how we use your data without deleting it entirely.

When to use it:

  • You've contested the accuracy of your data
  • Processing is unlawful but you don't want erasure
  • We no longer need the data but you need it for legal claims
  • You've objected to processing pending verification

5. Right to Data Portability (Article 20)

What it means:

You can get your data in a structured, machine-readable format and transfer it to another service.

What we provide:

  • Your data in JSON or CSV format
  • Clear documentation of data fields
  • Assistance with data transfer when technically feasible

Requirements:

  • Only applies to data you provided to us
  • Only for automated processing based on consent or contract
  • Must not adversely affect others' rights

6. Right to Object (Article 21)

What it means:

You can object to certain types of data processing.

Types of objection:

  • Direct Marketing: Absolute right to object - we must stop immediately
  • Legitimate Interests: We must stop unless we have compelling legitimate grounds
  • Public Interest/Official Authority: Only in exceptional circumstances

7. Right to Withdraw Consent (Article 7)

What it means:

Where we process your data based on consent, you can withdraw it at any time.

Important notes:

  • Withdrawal doesn't affect past processing
  • Must be as easy to withdraw as to give consent
  • We may continue processing on other legal grounds

8. Rights Related to Automated Decision-making (Article 22)

What it means:

You have rights regarding automated decisions that significantly affect you.

Your rights:

  • Not to be subject to purely automated decision-making
  • Human review of automated decisions
  • Express your point of view
  • Contest the decision

How to Exercise Your Rights

Contact Methods:

  • Email: privacy@act.cx (preferred method)
  • Subject Line: "GDPR Request - [Type of Request]"
  • Online: Contact Form

What to Include in Your Request:

  • Your full name and email address
  • Clear description of your request
  • Proof of identity (if required)
  • Specific data or processing you're referring to

Response Timeline:

  • Standard Response: Within 30 days
  • Complex Requests: Up to 90 days (we'll explain the delay)
  • Urgent Requests: We'll prioritize where possible

Identity Verification

To protect your privacy, we may need to verify your identity before processing certain requests. We may ask for:

  • Government-issued photo ID
  • Proof of address
  • Additional verification questions

Fees and Charges

  • First Request: Always free
  • Repeated Requests: May charge reasonable fee for excessive requests
  • Manifestly Unfounded Requests: We may refuse or charge a fee

If You're Not Satisfied

Internal Process:

  1. Contact our privacy team at privacy@act.cx
  2. We'll investigate and respond within 30 days
  3. If unsatisfied, you can escalate to our Data Protection Officer

External Complaints:

  • UK: Information Commissioner's Office (ICO)
  • EU: Your local Data Protection Authority
  • Website: ico.org.uk
  • Phone: 0303 123 1113

Special Circumstances

Data of Deceased Persons:

GDPR rights generally don't apply to deceased individuals, but we may accommodate requests from authorized representatives in certain circumstances.

Children's Data:

Parents/guardians can exercise rights on behalf of children under 18. We may require proof of parental responsibility.

Emergency Situations:

In emergency situations where data processing could prevent serious harm, some rights may be temporarily limited.

Contact Information

Privacy Team

  • Email: privacy@act.cx
  • Response Time: Within 30 days
  • Urgent Requests: Mark subject line "URGENT"
  • Languages: English (other languages on request)