PII Principal Rights Management Policy

The PII Principal Rights Management Policy establishes the organization’s mandatory approach for managing requests from PII principals or their authorized representatives. Its scope covers the full lifecycle of rights request handling: receiving, validating, evaluating, fulfilling, refusing, extending, closing, monitoring and evidencing requests. It applies to access, rectification, erasure, restriction, portability, objection, automated decision-making, consent withdrawal routing, complaints and related inquiries. The policy is designed for controller, joint controller, processor and subprocessor contexts, with processor and subprocessor duties applying where support is provided to a controller, customer or upstream processor under documented instructions. The policy’s purpose is to ensure that PII principal rights requests are handled consistently, lawfully, securely, within defined timeframes and with audit-ready evidence. It requires each request to be recorded in REG06 within two business days of receipt and classified before evaluation begins. Required classification fields include request type, request channel, request date, requestor identity reference, assigned owner, internal due date, statutory or contractual due date and current status. For controllers, the Privacy Lead / PIMS Manager must acknowledge receipt or provide the next required communication within five business days of intake. Requests must also be linked to relevant REG02 processing activities before fulfilment actions are assigned, ensuring that response decisions are grounded in processing records, purposes, PII categories, systems, recipients and retention constraints. A major operational emphasis is identity verification and secure evaluation. Before disclosing PII or making requested changes, the Privacy Lead / PIMS Manager must verify the requestor’s identity or representative authority in REG06. Where identity or authority is insufficient, only the minimum additional information needed for verification may be requested. The policy assigns high-risk, disputed, unclear, excessive, repeated, refused or partially fulfilled requests to the Data Protection Officer / Privacy Advisor for review before the decision is communicated. It also requires System Owner / Application Owner review of response extracts to exclude unrelated PII and unauthorized third-party data, and Information Security Lead review of delivery methods before high-volume, sensitive, special-category or high-risk PII is disclosed. Fulfilment requirements are specific to the nature of the right. Business owners must provide access-search results no later than ten business days before the response deadline. System owners must complete approved rectification, erasure, restriction or suppression actions and record completion evidence in REG06. Access and portability response packages must be delivered through an authorized method, with delivery evidence recorded before closure. Objection requests must be evaluated and recorded before challenged processing continues or stops. Requests involving solely automated decisions require review before the organization provides an outcome, human-review route or refusal rationale. When approved outcomes require notification to processors, subprocessors, joint controllers, recipients or data sharing parties recorded in REG08, the Vendor / Procurement Owner must coordinate that notification. The policy also defines governance, measurement, exception and enforcement requirements. The Privacy Lead / PIMS Manager owns the rights request workflow, REG06 structure, deadlines, assignment rules and closure criteria, with at least annual review and updates after material change. Metrics include monthly measurement of requests by type, status, business owner and processing activity, monthly reporting of overdue items, quarterly measurement of refusal, partial fulfilment and extension rates, and quarterly review of recurring themes, complaints, disputes and corrective actions. Planned audits must sample closed REG06 records and record evidence-quality, timeliness and closure findings in REG12. Exceptions must be approved in REG12 before implementation, with expiry dates, owners and compensating controls assigned. Enforcement provisions require nonconformities, escalation of third-party non-cooperation, management assignment of corrective action ownership for systemic failures and REG10 review where a nonconformity suggests unauthorized disclosure, loss, alteration, unavailability or another suspected PII incident.