Public Authorities Access Request Policy
Smart Atoms Limited (“Smart Atoms”) is committed to ensuring the utmost levels of protection and transparency in transferring and disclosing Customer’s Personal Data to third parties.
2. Requirements for data disclosure
2.1. Customer's Notification
Unless otherwise required under applicable law or instructed by a competent Public Authority, before disclosing any Customer Personal Data to a Public Authority, Smart Atoms will promptly notify the affected Customer of the Request. As a Data Controller, each Customer owns their Customer Personal Data, not Smart Atoms. Thus, Smart Atoms believes that any Public Authority seeking the disclosure of Customer Data should address its request directly with that Customer where possible. Additionally, this would allow each Customer the ability to work on its response directly with the Public Authority.
If Smart Atoms is prohibited from notifying Customer under the laws of the country of destination, Smart Atoms will use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. Smart Atoms will document its best efforts in order to be able to demonstrate them on request of Customer.
Where permissible under the applicable laws, Smart Atoms will provide Customer, at regular intervals for the duration of the Agreement, with as much relevant information as possible on the Requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.) as described in Section 4 of this Policy.
2.2. Review of Request's legality and data minimisation
Smart Atoms will review the legality of the Request, in particular whether it remains within the powers granted to the requesting Public Authority, and will challenge the Request if, after careful assessment, it concludes that there are reasonable grounds to consider that the Request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. Smart Atoms will, under the same conditions, pursue possibilities of appeal. When challenging a Request, Smart Atoms will seek interim measures with a view to suspending the effects of the Request until the competent judicial authority has decided on its merits. Smart Atoms will not disclose Customer’s Personal Data requested until required to do so under the applicable procedural rules.
Smart Atoms will document its legal assessment and any challenge to the Request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to Customer. It will also make it available to the competent Supervisory Authority on request.
If Smart Atoms finds that a Request is lawful and binding, Smart Atoms will disclose only the minimum amount of information necessary to comply with the Request.
If Smart Atoms finds that a Request is incompatible with European law, Smart Atoms shall promptly identify appropriate measures (e.g., technical or organizational measures to ensure security and confidentiality) to be adopted by Smart Atoms and/or its Sub-processors to address the situation, if appropriate in consultation with Customer. No transfer will take place until sufficient alternative measures can be taken to allow for compliance with the Agreement between Smart Atoms and Customer. If no alternative measures have been identified, or if instructed by Customer or the Supervisory Authority, Smart Atoms will suspend the transfer of Customer’s Personal Data until appropriate safeguards are in place and/or terminate the Agreement.
3. Data access request handling process
Smart Atoms and its Sub-processors are committed to the following steps for each and every Request received:
- 1) immediately upon receipt of a Request, each Smart Atoms Sub-processor will forward that Request to Smart Atoms’s Team, who will notify Smart Atoms’s Managing Director;
- 2) to the extent that the Request concerns information for which Smart Atoms is not the Data Controller (as defined under applicable Data Protection Law), and unless such notification is prohibited by applicable law or otherwise instructed by a competent Public Authority, Smart Atoms’s Team will promptly notify the Customer as further set out in the “Third-Party Disclosure” section of our DPA and Standard Contractual Clauses (Processor to Processor);
- 3) Smart Atoms’s Team will review each Request on a case-by-case basis, and liaise with outside counsel as appropriate, to determine the nature, context, purposes, scope, and urgency of the Request, and its validity under applicable laws. This review takes into account all applicable laws and regulations, and mandates that the Public Authority follow the requisite legal process outlined under the applicable laws (e.g., issuing the request via subpoena, court order, or a warrant signed by a relevant judicial authority). If such a Request is determined to be invalid or unlawful, Smart Atoms will challenge that Request on the basis of overbreadth, appropriateness, or conflict with applicable law. Any requests that are found to be not legally binding will be rejected;
- 4) after exhausting steps 1-3 above, Smart Atoms will adhere to and satisfy the Request only to the minimum amount absolutely necessary to comply with the requirements of Section 2 of this Policy.
4. Transparency report
Pursuant to Section 2.1 of this Policy, Smart Atoms is committed to maintaining an annual report (a “Transparency Report”) which reflects the number and type of Requests that it has received in the preceding year, as may be limited by applicable law or court order. This Transparency Report is available upon request to the relevant Supervisory Authority.