Effective Date: 01/30/2024

Email: privacy@areteir.com

Purpose

Arete’s Privacy Policy, located here (“Privacy Policy”), and Supplemental Privacy Policy, located here (“Supplemental Privacy Policy”), describe certain rights available to consumers in connection with information which Arete collects about them. The purpose of this procedure is to describe the process through which consumers may exercise their rights.

Scope

This procedure applies to individuals from whom Arete has collected information pursuant to the Privacy Policy and Supplemental Privacy Policy.

Procedure

1. In order to exercise the rights provided in the Privacy Policy and Supplemental Privacy Policy, an individual consumer should make a Data Subject Access Request (“DSAR”) by either sending an email to privacy@areteir.com, by telephone in the U.S. to 866-210- 0955, or by mail to the below address:
   Arete Incident Response
   4800 T-Rex Ave., Suite 350
   Boca Raton, FL 33431
   Attn: Data Privacy Office

2. While there is no specific form required in order to file a DSAR, we recommend that you use this form. This form is for users in California, while data subjects in the United Kingdom and the European Union should use this form. For California residents, Arete is not required to respond to DSARs more than twice for the same consumer in a 12 month period. Note that if Arete is the data processor and not the data controller, Arete will notify the data controller upon receipt of the request and assist the data controller in responding as required under relevant data privacy legislation and/or as agreed to in any data processing agreement with the data controller. Arete will notify the consumer that Arete is the data processor and that the request has been forwarded to the appropriate data controller for handling.

3. The Data Privacy Office will record the receipt of the form. Arete reserves the right to request additional information in order to verify the requestor’s identity. If a third party, relative or representative is requesting the information on behalf of a consumer, Arete will verify their authority to act for that individual; and again, may request additional information to confirm their identity and gain authorization prior to taking action upon the request.

4. The Privacy Office, in consultation with the General Counsel, will determine whether any legal exception applies. If a legal exception applies, Arete will promptly contact the consumer. If Arete has received enough information from the consumer to verify the consumer’s identity, and if the request can be fulfilled, Arete will then conduct a full search of our relevant data and collect all that is applicable to respond to the DSAR. If we do not have enough information to locate relevant records, we will promptly contact the consumer for further details.

5. Once Arete has collated all the relevant personal information, we will then share the data to which the consumer is entitled—again, provided that no legal restrictions apply. The information will be provided in a concise, transparent, intelligible and easily accessible format, using clear and plain language. By default, Arete will dispatch the information electronically via a secure, monitored system and will seek timely confirmation of its receipt by you.

6. The GDPR requires organizations to respond to DSARs within one month. Businesses subject to the CCPA/CPRA must respond within 45 days. Arete seeks to provide the requested information at our earliest convenience, but at a maximum, within 30 days from the date the request is received. However, where the retrieval or provision of information is particularly complex, or is subject to a valid delay, the period may be extended by an additional 60 days. If this is the case, we will write to you within 30 days and keep you informed of the delay and underlying reasons. In the event we request additional information to enable us to comply with your request, your request will be dealt with within 30 days following receipt of such information.

7. Arete will not charge a fee for the initial provision of records, whether provided in manual or electronic format. Subsequent copies may incur a charge to cover our administrative costs. Fees may also be charged if a request is “manifestly unfounded or excessive.” In such a case, Arete will charge a reasonable fee that takes into account the administrative costs of responding to the request, or will refuse to act on the request, subject to further discussion.

8. If you are not satisfied by our actions, you may seek recourse by emailing privacy@areteir.com. If you remain dissatisfied, and are an UK data subject, you have the right to refer the matter to the Information Commissioner. The Information Commissioner’s website for data privacy issues is https://ico.org.uk/make-acomplaint/data-protection-complaints/data-protection-complaints/.