Public Authorities Access Request Policy
1. Introduction
Goodlife+ is committed to ensuring the utmost levels of protection and transparency in transferring and disclosing Customer’s Personal Data to third parties.
This Public Authorities Access Request Policy (“Policy”) sets out Goodlife+’s principles and procedure for responding to a disclosure request received from a public authority, including judicial authorities (“Public Authority”) that involves Customer’s Personal Data Processed by Goodlife+ and its Sub-Processors (the “Request”) in adherence to applicable Data Protection Laws and the Agreement (including the Standard Contractual Clauses (Processor to Processor)) between Goodlife+ and Customer.
2. Requirements for data disclosure
2.1. Customer’s Notification
Unless otherwise required under applicable law or instructed by a competent Public Authority, before disclosing any Customer Personal Data to a Public Authority, Goodlife+ will promptly notify the affected Customer of the Request. As a Data Controller, each Customer owns their Customer Personal Data, not Goodlife+. Thus, Goodlife+ believes that any Public Authority seeking the disclosure of Customer Data should address its request directly with that Customer where possible. Additionally, this would allow each Customer the ability to work on its response directly with the Public Authority.
If Goodlife+ is prohibited from notifying Customer under the laws of the country of destination, Goodlife+ will use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. Goodlife+ will document its best efforts in order to be able to demonstrate them on the request of the Customer.
Where permissible under the applicable laws, Goodlife+ will provide the Customer, at regular intervals for the duration of the Agreement, with as much relevant information as possible on the Requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.) as described in Section 4 of this Policy.
2.2. Review of Request’s legality and data minimisation
Goodlife+ will review the legality of the Request, in particular whether it remains within the powers granted to the requesting Public Authority, and will challenge the Request if, after careful assessment, it concludes that there are reasonable grounds to consider that the Request is unlawful under the laws of the country of destination. Goodlife+ will, under the same conditions, pursue possibilities of appeal. When challenging a Request, Goodlife+ will seek interim measures with a view to suspending the effects of the Request until the competent judicial authority has decided on its merits. Goodlife+ will not disclose Customer’s Personal Data requested until required to do so under the applicable procedural rules.
Goodlife+ will document its legal assessment and any challenge to the Request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the Customer. It will also make it available to the competent Supervisory Authority on request.
If Goodlife+ finds that a Request is lawful and binding, Goodlife+ will disclose only the minimum amount of information necessary to comply with the Request.
If Goodlife+ finds that a Request is incompatible with European law, Goodlife+ shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by Goodlife+ and/or its Sub-Processors to address the situation, if appropriate in consultation with the Customer. No transfer will take place until sufficient alternative measures can be taken to allow for compliance with the Agreement between Goodlife+ and the Customer. If no alternative measures have been identified, or if instructed by the Customer or the Supervisory Authority, Goodlife+ will suspend the transfer of Customer’s Personal Data until appropriate safeguards and/or terminate the Agreement.
3. Data access request handling process
Goodlife+ and its Sub-Processors are committed to the following steps for each and every Request received:
- immediately upon receipt of a Request, each Goodlife+ Sub-Processor will forward that Request to Goodlife+’s Data Protection Officer;
- to the extent that the Request concerns information for which Goodlife+ is not the Data Controller (as defined under applicable Data Protection Law), and unless such notification is prohibited by applicable law or if otherwise instructed by a competent Public Authority, Goodlife+’s Privacy Team will promptly notify the Customer as further set out in the “Third-Party Disclosure” section of our DPA and Standard Contractual Clauses (Processor to Processor);
- Goodlife+’s Privacy Team will review each Request on a case-by-case basis, and liaise with outside counsel as appropriate, to determine the nature, context, purposes, scope, and urgency of the Request, and its validity under applicable laws. This review takes into account all applicable laws and regulations, and mandates that the Public Authority follow the requisite legal process outlined under the applicable laws (e.g. issuing the request via court order, or a warrant signed by a relevant judicial authority). If such Request is determined to be invalid or unlawful, Goodlife+ will challenge that Request on the basis of overbreadth, appropriateness, or conflict with applicable law. Any requests that are found to be not legally binding will be rejected;
- after exhausting steps i-iii above, Goodlife+ will adhere to and satisfy the Request only to the minimum amount absolutely necessary to comply with the requirements of Section 2 of this Policy.
4. Transparency report
Pursuant to Section 2.1 of this Policy, Goodlife+ is committed to maintaining an Annual Report (a “Transparency Report”) which reflects the number and type of Requests that it has received in the preceding year, as may be limited by applicable law or court order.