Data subject objection form
Use this form to object to the processing of personal data about you (the “Data Subject”) or to request that certain processing activities be restricted, corrected, deleted, or otherwise limited. Providing the information below will help us process your request quickly and accurately.
1) GUIDLEINES
a) EU (GDPR): We will acknowledge and respond to verified objections or requests under the GDPR within one month of receipt. If your request is complex or you have made multiple requests, we may extend the response period by up to two further months. If we extend, we will inform you within the first month and explain why more time is needed.
b) California (CCPA/CPRA): For requests from California residents, we will respond within 45 calendar days of receipt of a verifiable request. If necessary, we may extend by an additional 45 calendar days and will inform you of the extension and reason within the initial 45-day period.
c) Verification: To protect your privacy, we must verify your identity (or the identity of the Data Subject if you act on their behalf) before we can act on this request. See “Identity verification” below for acceptable documents and evidence we may request.
d) Refusal: Under GDPR we may refuse requests that are manifestly unfounded or excessive. Under California law, we will comply with verification requirements and may deny requests that are fraudulent, duplicative, or that we are not required to honor by law. If we refuse your request (in whole or part), we will explain why and provide information about how to appeal or lodge a complaint with the relevant supervisory authority.
2) Submission instructions
a) Please submit this completed form and required identity documents by email to privacy@encardio.com.
b) If you are acting on behalf of the Data Subject, include:
i) A signed, written authorization from the Data Subject that expressly permits you to act on their behalf; and
ii) Proof of identity for both you and the Data Subject (copies are acceptable).
c) We will not accept a request from an agent without both forms of proof.
3) SECTION A — Details of person making this request
a) Full name: ________________________________________
Relationship to Data Subject (if any): __________________
Postal address: ____________________________________
Email address: ____________________________________
Telephone number: _________________________________
b) Are you the Data Subject?
☐ Yes — go to SECTION C.
☐ No — go to SECTION B and attach a signed authorization and ID documents for both parties.
4) SECTION B — Data Subject (if different from above)
5) Full name: ________________________________________
Postal address: ____________________________________
Email address (if known): ___________________________
Telephone number (if known): ________________________
(Attach copy of ID for the Data Subject as described in “Identity verification” below.)
6) Identity verification
a) To verify identity we typically require one government-issued photographic ID (one of):
i) Passport; or
ii) National identity card; or
iii) Photo driving licence.
b) If your request relates to address changes or access to sensitive data we may also request a secondary document for proof of address.
c) Please do not send original documents. If the documents provided are insufficient to verify identity, we will request additional information.
7) SECTION C — Type of request / remedy sought (tick all that apply)
a) Please indicate the action you request us to take. For each selected box, provide additional detail in the “Details / Explanation” field below:
☐ Object to processing on grounds relating to my particular situation (GDPR Art. 21) — I
request that the processing identified below be stopped pending verification and assessment.
☐ Restriction of processing — I request that processing of my personal data be restricted (i.e., retained but not used) while we review.
☐ Erasure / deletion — I request deletion of my personal data where lawful (e.g., where retention is no longer necessary).
☐ Rectification / correction — I request correction of inaccurate or incomplete personal data.
☐ Portability — I request a copy of my personal data in a structured, commonly used, machine-readable format for transfer to another controller.
☐ Cease sale / sharing — For California residents: I request that Encardio-Rite stop selling or sharing my personal information for cross-context behavioral advertising.
☐ Restriction on profiling / automated decision-making — I object to profiling or automated decisions that have a legal or similarly significant effect.
☐ Other (please specify): ___________________________________________________
b) Details / Explanation (be as specific as possible — include order numbers, account IDs, dates, relevant vendors such as Shop Pay/Shopify, and exactly which processing you object to):
8) Grounds for objection (GDPR specific)
Please indicate which legal basis for processing you are objecting to (choose all that apply, if known):
☐ Processing based on legitimate interests (please explain why those interests do not outweigh your rights): _______________
☐ Processing for direct marketing (including profiling for marketing) — (GDPR: we must stop if you object).
☐ Processing required by public interest / official authority (explain): _______________
☐ Processing for research / statistics (explain): _______________
☐ Other (explain): __________________________________________________________
9) SECTION D — Supporting documents (attach copies)
Please attach copies (not originals) of identity documents and any other material that supports your request (order receipts, account screenshots, proof of previous requests, authorization letter if representing someone else, etc.). Failure to supply appropriate ID may delay or prevent us from fulfilling your request.
Documents attached:
☐ ID ☐ Proof of address ☐ Authorization letter ☐ Other: ___________
10) How we will handle your request
a) Acknowledgement: We will acknowledge receipt of your request within 5 business days, and will inform you of any additional information required to verify your identity.
b) Verification: We will verify your identity and the scope of the request. For agent requests, we will verify the Data Subject’s authorization.
c) Decision and action: After verification, we will take the steps we consider appropriate to fulfil your request and will inform you of the outcome in writing within the applicable statutory timeframe (see “Important information about timeframes” above). If we refuse your request in whole or part, we will explain the reason and the legal basis for the refusal and provide information on how to appeal.
d) Recordkeeping: We will retain a record of your request and our response for our internal compliance purposes for a period of [3 years] (or as required by applicable law).
e) Continued processing: Some processing may lawfully continue despite your objection (for example where we have compelling legitimate grounds that override your interests, or where processing is necessary for the establishment, exercise or defence of legal claims, or to comply with legal obligations).
11) Right to appeal and supervisory authorities
a) EU/EEA residents: If you are not satisfied with our decision under the GDPR, you have the right to lodge a complaint with your local supervisory authority.
b) California residents: If you are not satisfied with our response under the CCPA/CPRA, you may contact the California Privacy Protection Agency or the California Attorney General as applicable. You also have private rights of action in certain data breach cases under California law.
12) SECTION E — Declaration & signature
I declare that the information I have provided is true and accurate to the best of my knowledge. I understand that providing false information in order to obtain access to another person’s personal data is an offence under applicable law.
Signature (electronic signature / typed name): ___________________________
Full name: _______________________________
Date: ____ / ____ / ______