User Rights Policy
Last Updated: January 2021
Subject to applicable law requirements, Akeyless Security Ltd. (“Company”, “Akeyless”, “we”, “us” or “our”) will provide individuals with the opportunity to exercise their rights regarding their Personal Data.
Please note that any Data Subject Request Forms (as defined below) submitted to us shall be processed by us in our capacity as a “Data Controller”. Thus, if you are a Participant (i.e., end user of our Customers), the “Data Controller” is the Customer. If we receive a Data Subject Request Form by a Participant, we will notify the relevant Customer and will refer you to the relevant Customer. We will act in accordance with the Customer’s instructions in relation to any Data Subject Request Forms of Participants.
ACCESS TO SPECIFIC INFORMATION AND DATA PORTABILITY RIGHTS
You have a right to request us to confirm whether we process certain Personal Data related you, as well as a right to obtain a copy of such Personal Data, with additional information regarding how and why we use this Personal Data. The GDPR and CCPA provide different protections, the GDPR enables access to all Personal Data processed by the controller, however the CCPA “Access Right” applies only to Personal Information collected in the 12 months prior to the request. After we receive such request, we will analyze and determine the veracity and appropriateness of the access request and provide you with the applicable confirmation of processing, the copy of the Personal Data or a description of the Personal Data and categories of data processed, the purpose for which such data is being held and processed, and details about the source of the Personal Data that was not provided by you. Our response detailed above will be provided within the period required by law (please see additional information under “Response Timing and Format” below).
DELETION REQUEST RIGHTS
The Company is legally obligated to comply with a request to delete Personal Data if:
- the data is no longer needed for the original purpose and no new lawful purpose exists for continued processing;
- the lawful basis for processing is consent of the data subject and such consent is withdrawn;
- the data subject exercises his or her right to object to the Company’s processing of his or her Personal Data, and the Company has no overriding grounds for processing the data;
- the Personal Data is processed unlawfully;
- erasure of the Personal Data is necessary to comply with applicable laws.
- if the Company has passed on Personal Data to a third party, a data subject also has a right to oblige the Company to tell those third parties that the information should be erased.
The right to erasure is not absolute. Even if a data subject falls into one of the categories described above, the Company is entitled to reject the data subject’s request and continue processing data subject to applicable law, if such processing is:
- necessary to comply with legal obligations;
- necessary to establish, exercise or defend legal claims; or is necessary for scientific research, etc.;
- necessary to perform a contract between you and us;
- necessary to detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for that activity;
- necessary to debug to identify and repair errors that impair existing intended functionality;
- to enable solely internal uses that are reasonably aligned with your expectations based on our
- relationship with you.
RIGHT TO OBJECT / RIGHT TO OPT OUT
Under the lawful basis of our legitimate interests and with regards to Personal Data processed by us (such as direct marketing), you may object to our processing on such grounds. However, even if we receive your objection, we will be permitted to continue processing the Personal Data in the event that (subject to applicable laws and regulations):
- our legitimate interests for processing override your rights, interests and freedoms;
- the processing of such Personal Data is necessary to establish, exercise or defend a legal claim or right, etc.
YOUR RIGHT TO BE INFORMED
THE RIGHT OF RECTIFICATION
The Company must ensure that all Personal Data that it holds and uses about a data subject is correct. If such data is not accurate, a data subject has the right to require that the Company updates such data so it is accurate. In addition, if the Company has passed on incorrect information about a data subject to a third party, the data subject also has a right to oblige the Company to inform those third parties that this information should be updated.
If Personal Data held by us is not accurate, you may require us to update such data so it is accurate. Further, in the event we have passed on incorrect information about you to a third party, you also have a right to oblige us to inform those third parties that the applicable information should be updated.
THE RIGHT OF RESTRICTION
A data subject may limit the purposes for which the Company may process its Personal Data. The Company’s processing activities may be restricted if: the accuracy of the data is contested; processing is unlawful and data subject requests restriction instead of erasure; the Company no longer needs the data for its original purpose, but the data is still required to establish, exercise or defend legal rights; or consideration of overriding grounds in the context of an erasure request.
You may request us to send or “port” your Personal Data held by us to a third-party entity, however note, the GDPR and CCPA apply differently to this right, thus, we will handle this according to the jurisdiction you are subject to.
Under the CCPA, you must not be discriminated for exercising any of your rights, including by denied goods or services, charging you with different fees for goods or services, including through the use of discounts or other benefits or imposing penalties; suggested you will receive a different price or rate for goods or services.
Notwithstanding the above it is allowed to set up schemes for providing financial incentives and you can opt-in to become part of them.
RESPONSE TIMING AND FORMAT
We endeavor to respond to a verifiable consumer request with undue delay and in any event within 30 days from the receipt of the request subject to GDPR and between 10-45 days from receipt of a request subject to CCPA. If we require more time, we will inform you of the reason and extension period in writing. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your Personal Data that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.
Further, note, under the CCPA your rights only apply to the Personal Information collected 12 months prior to the request and you are not entitled to submit more than 2 requests in a 12 months period.
This Policy applies solely to your rights concerning Personal Data / Personal Information (as defined under the applicable law) processed by us.
PLEASE SUBMIT A REQUEST BY EITHER:
* Filling in the Data Subject Request form
* Emailing us at: [email protected]
* Calling us at: +972-544500261