2.1 How to make a SAR

A SAR must normally be in writing, but there is no specific format required. What is important is for both parties, the requestor and the Controller, to understand the request in order to respond accordingly. To this end, we may be required to communicate with you to clarify and potentially refine the scope of the SAR response, particularly when a broad quantity of information may be available.

Each SAR is different, and must be responded to on a case by case basis. Steps that may be taken in order to appropriately respond to a SAR include:

• Authenticate individuals submitting SARs before handing over any data: we “may” request additional informationto authenticate your identity when required. Authentication is also a valid security safeguard against providingPersonal Data to the wrong person, particularly in the context of online services and online identifiers.
• Refine the scope of the Personal Data requested: We may ask questions to get a better understanding of theuniverse of data requested and will indicate potential technological or other issues in advance to ensure aresponse that is reasonably appropriate, useful and informational for you. Compliance with the SAR is onlyrequired once such information is received.
• Searching for Personal Data requested: We will use appropriate measures to exhaust our search for thePersonal Data you request, but will notify you of whether the search will entail disproportionate measures andany next steps to resolve the issue.
• Format and Delivery: The DP Law requires that the response must be made in an intelligible form. We will agreethe format of the response with you in advance if possible. Also, before supplying any information in response toa SAR, we will check that your postal or email address or any other contact information to which the data is to besent is correct.

2.2 Data to be Provided in Response

“Personal Data” can be interpreted very broadly, and may include identifiers – that data which make someone “identifiable” – such as identification numbers, location data, and “online identifiers.”

Additionally, you are entitled to be:

• told whether any Personal Data is being processed;
• given a description of the Personal Data, the reasons it is being processed, and whether it will be given to anyother organizations or people;
• given a copy of the Personal Data; and
• given details of the source of the data (where this is available and disclosable).

2.3 Potential Exclusions and Exemptions

We reserve the right to exclude data that does not qualify as Personal Data or may not be appropriately responsive to the SAR. For example, we may exclude anonymous data, or notations that are purely internal to Arqaam and its systems, or other information that may not be appropriate to disclose for other valid legal reasons.

Where third party or unrelated data is included in the data set but is not legally required to be provided, it may be redacted or excluded from the data set as appropriate unless the third party has consented to providing their data. Even if the third party has not consented, it may still be reasonable to include the data in the SAR response where disclosure is reasonable under the circumstances.

Exemptions and restrictions to providing certain data may apply as well, depending on the circumstances. Any withholding of data due to an exemption or restriction will first be approved by both the Data Protection Officer and a senior manager in the BU (where applicable). Where any redaction of information is permitted on whatever basis, the SAR response will clearly and fully explain, to the extent practical, the fact that information has been withheld and the reasons why.

2.4 Response Time

In accordance with the DP Law, the response to the SAR must be provided within one (1) month of the request, subject to any other applicable conditions set out in the relevant provisions of the DP Law. For example, in certain circumstances, it may take a considerable amount of time and / or cost to properly search for the Personal Data requested. In these cases, we will continue to communicate with you about any timing issues and potential resolutions.

2.5 Fees for SARs

The information should be provided free of charge unless the request results in high administrative costs or you request additional copies of the documentation provided.

3.1 Rectification

Rectification is the right of individuals to have inaccurate Personal Data rectified, or completed if it is incomplete. Best practice suggests we:

• Verify the accuracy of data by whatever factual means available, including discussions with and collectingdata from you;
• If the data is linked to an opinion, determine whether the data is indeed inaccurate and needs to be rectified;
• While the above is in progress, restrict the processing of the Personal Data in question whilst verifying itsaccuracy, whether or not the individual has exercised their right to restriction;

When accuracy is established, we will let you know whether or not it will be amended.

In certain circumstances a request for rectification may be refused, but only upon review and approval by the Data Protection Officer.

3.2 Erasure

Individuals have the right to have Personal Data erased. As with the other rights already discussed, the right to erasure (aka, to be forgotten) is not absolute and only applies in certain circumstances.

Personal Data may be erased for reasons such as:

• the Personal Data is no longer necessary for which it was originally collected or processed;
• the Controller is relying on consent as the lawful basis for holding the data, and the individual withdraws theirconsent;
• the Controller is relying on legitimate interests as the basis for processing, the individual objects to theprocessing of their data, and there is no overriding legitimate interest to continue this processing;
• the Controller is processing the Personal Data for direct marketing purposes and the individual objects to thatprocessing; or
• the Controller must do it to comply with a legal obligation.

The right to erasure may not, in the discretion of the Data Protection Officer, apply if processing is necessaryfor, without limitation, the following reasons:

• to exercise the right of freedom of expression and information;
• to comply with a legal obligation;
• for the performance of a task carried out in the public interest or in the exercise of official authority; or
• for the establishment, exercise or defense of legal claims.

3.3 Restriction

Individuals have the right to restrict or limit the processing or use of their Personal Data in certain circumstances. Restricting is a reasonable alternative to requesting the erasure of their data.

Individuals have the right to restrict the processing of their Personal Data where they have a specific reason for it. Such reasons may include issues with the content of the information held, or how the data is processed. It does not necessarily mean that the limitation will continue indefinitely, but it will need to be in place for a certain period of time.

Restricting can be achieved by:

• temporarily moving the data to another processing system;
• making the data unavailable to users; or
• temporarily removing published data from a website.

When we are considering a request for restricting or when the decision has been made to restrict processing Personal Data, we will not process the restricted data in any way unless certain specific exceptions apply to be determined on a case by case basis or unless you ask us to.

As restricting is often temporary, we will inform you before removing any restricting or processing the data again.

3.4 Objection

Individuals may object at any time on reasonable grounds relating to his particular situation to the processing of Personal Data relating to him.

You also have the right to be informed before Personal Data is disclosed for the first time to third parties or used for the purposes of direct marketing, and to be expressly offered the right to object to such disclosures or uses.

The right to object only applies in certain circumstances. Whether it applies depends on the purposes for processing and the Controller’s stated lawful basis for processing.

Individuals always have the right to object to processing Personal Data for direct marketing purposes. However, the right to object may be limited in other situations, such as where the processing is for:

• a task carried out in the public interest
• the exercise of official authority
• legitimate interests of the Processor or a third party; or
• research or statistical purposes

Such determinations will be made with the review and approval of the Data Protection Officer of Arqaam.

Where an objection is raised and there are no grounds to refuse the objection, we will stop processing the data. This may also mean the Personal Data must be erased. However, this will not always be the most appropriate action, for example if the processing is for other purposes as the data must be retained the data for those purposes. For example, when an individual objects to the processing of their data for direct marketing, it may be appropriate to place their details onto a suppression list to ensure continued compliance with the objection.

In addition to the above, and with a few limitations, you may object to any decision based solely on automated Processing, including Profiling, which has legal or other seriously impactful consequences. You may request that such decision is reviewed manually.