CFTS Documentation

Data Subject Rights Requests

CFTS maintains a documented process for handling communications relating to GDPR data subject rights where applicable.

In most hosting and managed service arrangements, CFTS acts as a Data Processor on behalf of its clients. The client remains the Data Controller and is responsible for determining how personal data should be handled and for responding directly to data subjects.

How Requests Are Handled

If CFTS receives a request relating to personal data, the request is reviewed and logged.

Where the request relates to hosted client data, CFTS will normally refer the request to the relevant client, as the Data Controller.

CFTS may provide reasonable technical assistance to the client where required, but does not independently disclose, modify, erase, or otherwise act on hosted client data without documented instruction from the Data Controller.

Client Responsibilities

Clients acting as Data Controllers are responsible for:

  • assessing the validity of data subject requests,
  • communicating directly with the data subject,
  • determining the appropriate response,
  • providing instructions to CFTS where technical assistance is required,
  • and meeting any applicable regulatory response timelines.

CFTS Responsibilities

Where applicable, CFTS will:

  • log data subject related communications,
  • verify request details where appropriate,
  • identify whether the request relates to CFTS operational records or hosted client data,
  • forward client-data requests to the relevant Data Controller without undue delay,
  • provide reasonable assistance where technically required,
  • and retain records in accordance with applicable retention procedures.

Hosted Client Data

CFTS does not treat hosted client data as its own data.

Where CFTS stores or processes data on behalf of a client, decisions about access, rectification, erasure, restriction, portability, or objection remain the responsibility of the client as Data Controller.

CFTS Operational Records

Where a request relates directly to CFTS operational records, such as billing, support, account administration, or service communications, CFTS will review and handle the request in line with applicable data protection obligations.

Summary

CFTS supports GDPR data subject rights processes by maintaining a documented handling procedure, respecting the distinction between Controller and Processor responsibilities, and assisting clients where technically required.