This Data Request Policy sets out DeepConverse's procedure for responding to a request received from a third party, law enforcement or other government authority to disclose personal information processed by DeepConverse.
When DeepConverse receives a Data Disclosure Request, it will handle that Data Disclosure Request in accordance with this policy. If applicable data protection law(s) require a higher standard of protection for personal information than is required by this policy, DeepConverse will comply with the relevant requirements of those applicable data protection law(s).
General principle on Data Disclosure Requests
As a general principle, DeepConverse does not disclose personal information in response to a Data Disclosure Request unless either:
- We are under a compelling legal obligation to make such disclosure
- Taking into account the nature, context, purposes, scope and urgency of the Data Disclosure Request and the privacy rights and freedoms of any affected individuals, there is an imminent risk of serious harm that merits compliance with the Data Disclosure Requests in any event.
For that reason, unless it is legally prohibited from doing so or there is an imminent risk of serious harm, DeepConverse will notify and consult with the competent data protection authorities (and, where it processes the personal information on behalf of a Customer, the Customer) to address the Data Disclosure Request.
Handling of a Data Disclosure Request
DeepConverse will respond to a Data Disclosure Request received through the support channels after it is reviewed by Chief Security Officer. Requests will be tracked and maintain a line of communication with the requester.
DeepConverse Team will carefully review each and every Data Disclosure Request on a case-by-case basis. We will liaise with the legal department and outside counsel as appropriate to deal with the request to determine the nature, context, purposes, scope and urgency of the Data Disclosure Request, and its validity under applicable laws, to identify whether action may be needed to challenge the Data Disclosure Request and/or to notify the Customer and/or competent data protection authorities in accordance to procedures established.
Notice of a Data Disclosure Request
Notice to the Customer
If a request concerns personal information for which a Customer is the controller, DeepConverse will ordinarily ask the requestor to make the Data Disclosure Request directly to the relevant Customer. If the customer agrees, DeepConverse will support the requestor in accordance with the terms of the customer's contract to respond to the Data Disclosure Request.
If this is not possible (for example, because the requester declines to make the Data Disclosure Request directly to the Customer, does not know the customer’s identity, or if DeepConverse is not permitted by law to disclose the Data Disclosure Request), DeepConverse will notify and provide the Customer with the details of the Data Disclosure Request prior to disclosing any personal information, unless legally prohibited from doing so or where an imminent risk of serious harm exists that prohibits prior notification.
Notice to the competent data protection authorities
If the requester is in a country that does not provide an adequate level of protection for the personal information in accordance with applicable data protection laws, then DeepConverse will also put the request on hold to notify and consult with the competent data protection authorities, unless legally prohibited or where an imminent risk of serious harm exists that prohibits prior notification.
Where DeepConverse is prohibited from notifying the competent data protection authorities and suspending the request, DeepConverse will use its best efforts (taking into account the nature, context, purposes, scope, and urgency of the request) to inform the requestor about its obligations under applicable data protection law and to obtain the right to waive this prohibition. Such efforts may include asking the requestor to put the request on hold, so that DeepConverse can consult with the competent data protection authorities, or to allow disclosure to specified personnel at DeepConverse’s customer, and may also, in appropriate circumstances, include seeking a court order to this effect. DeepConverse will maintain a written record of the efforts it takes.
In no event will DeepConverse transfer Personal Information to a requestor in a massive, disproportionate, and indiscriminate manner that goes beyond what is necessary in a democratic society.