FAQ FOR CITIZENS

What’s the price to use the app?

Nothing. It’s absolutely free of charge. Companies can choose to use the WeAreDavid Service Desk as a paid service for higher performance.

Is the app secure?

Making sure that you can use the app with confidence is extremely important to us. We invest heavily in this area.
We follow OWASP recommendations. The recommendations are considered industry best practice when making services secure. On top of this, we rely on only trusted providers to host the platform. We host our services in the cloud using Microsoft Azure, ensuring wide availability and services that ensure data integrity.
On every level of your user journey – from signing up to sending requests – we ensure that the data transportation is encrypted.

What if I can’t find the company I’m looking for in the app?

If you’re looking for a company that isn’t already in the app, you can simply notify us. We’ll then be sure to add it.

Can I send a request to a company if I’m not sure it has my data?

Of course. As we say, when it comes to personal data: better safe than sorry.

Why do I have to accept your Privacy Policy and Terms and Conditions before using the platform?

In order for us to provide you with our software tool, you need to accept our terms and conditions. This is to make sure you agree to some basic obligations such as proper use, breach and our right to modify the service. We’ve done our best to make sure they are both balanced and easy to decipher – and you can always reach out to us if you have any questions.

Where can I find WeAreDavid’s Privacy Policy and Terms and Conditions?

Right here for privacy policy and here for terms and conditions.

Do you use cookies on your website?

Nope. We believe that your data belongs to you, and we want to give you back control, not take it away. Cookies are therefore banned at david – unless they are made of dough and chocolate.

Can the company reply to my data request using a channel other than the app?

Yes. Companies aren’t obliged to use the david app when replying to your request. However, they’re obliged to reply to you. And the best way you can start taking back control of your own data is by using the david app.

When can I expect the company to get back to me?

The law is super clear. The company must reply to your data request without undue delay and within 30 days.

Can companies refuse to erase my personal data?

As a rule of thumb, you have the right to be erased. However, in some cases, companies can legally refuse to comply with a request to be erased. They can do this if the personal data is processed for the following reasons:

To exercise the right of freedom of expression and information.

To comply with a legal obligation for the performance of a public interest task or exercise of official authority.

For public health purposes in the public interest.

For archiving purposes in the public interest, scientific research, historical research, statistical purposes or the exercise or defence of legal claims.

What do I do if I haven’t heard back from the company within the 30-day deadline?

We recommend that you give the company the benefit of the doubt and follow up with them. However, you’re also entitled to notify the data protection authorities and let them know that you can’t get hold of your own data – which rightfully belongs to you.

What information does the app have on me?

The information you provided when signing up, including age and gender.

How often can I request information from companies?

There are no clear, fixed rules but use your common sense, and avoid spamming companies.

According to the regulations, where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the company may either:
(a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or
(b) refuse to act on the request.

It’s the company that bears the burden of demonstrating the manifestly unfounded or excessive character of the request.

What do I do if I can’t find the answer to my question here?

Just send us an email at support@wearedavid.com and we’ll sort it out. We’re here to help!

What happens if I want to delete my WeAreDavid account?

We would be sad to lose you as our customer, but we’ll also make it very easy for you to go. Currently, our iOS app allows you to completely delete your account by going to the profile page and pressing “delete account”. The Android version does not yet support account deletion, so we ask users to contact support at support@wearedavid.com and we’ll help with the deletion. Please keep in mind that accounts cannot be restored. Once deleted, they are gone, along with the requests and corresponding data.


FAQ FOR COMPANIES

Do we need a tool for handling data requests?

If you can comply with the data protection regulation without an IT tool to support you, you’re fully entitled to do so. However, if you think that handling data requests is something of a challenge and important for your business, the answer could very well be yes.

We’re a fairly small company. Is WeAreDavid still for us?

Small or big – it doesn’t matter. We’ve built a platform that can be used by any company of any size. You can always use our free plan and see if WeAreDavid is the right fit for you and your company.

Is WeAreDavid the proxy holder of the requester?

The enquiries you receive from people using the david app are direct enquiries to your company. This means that WeAreDavid is not a proxy holder, and WeAreDavid will not enter into the dialogue you have with your customers.

How do we get further information to identify the requester?

It’s your obligation to confirm the identity of a data requester. If you’re not sure of the identity of a data requester, you could confirm it by asking questions relating to the information on the data subject that you have registered in your systems. This way, you can ensure that the data subject is, in fact, who he or she claims to be. We recommend using the WeAreDavid service desk for this to ensure the process is easy, safe and compliant. You can use the service desk free of charge.

Where can we find the requester’s contact information?

The name and email of the data subject are available in the email sent with the request. Be aware, though, that we do not check the identity of the data subject, as the process of creating an account and sending the email request is done without our active participation.

Does WeAreDavid use two-step email authentication?

No, not yet. But we’re working on it. For now, you just have to take the same steps to secure the true identity of the data subject as you would have to from any other source.

Can we reply to the requester outside the WeAreDavid platform?

Yes. It’s your choice if you want to use the WeAreDavid service desk or another communication channel for replying to a data request. However, your customer might find it useful if you reply through the same channel they used to contact you. We always recommend communicating in a way that keeps your company compliant and avoids unsecured communication channels such as email.

Please be aware that it is the obligation of the data controller to “facilitate the exercise of data subject rights under Articles 15 to 22” (cf. art. 12(2) of the GDPR). This means that the company must make an active effort to verify the identity of the data subject and make sure the data subject is able to use his or her right to the fullest extent within the GDPR.

What is the price to use the WeAreDavid service desk?

Any company can use the WeAreDavid service desk free of charge. We also offer paid subscriptions which include multiple agent accounts, access to API, an unlimited number of tickets and personal support. Find out more here.

Is WeAreDavid legally authorized to help manage requests?

Yes. WeAreDavid offers a service to both the data subject and the company. As such, WeAreDavid is authorized to manage requests on behalf of the data subject when the data subject chooses to use our service.

I’m not sure the request we received is legitimate. What do we do?

If you’re not sure of the identity of a data requester, you should confirm the identity of the data subject by asking questions relating to the information on the data subject the request might pertain to. This way you can make sure that the data subject is, in fact, who he or she claims to be.

Can we ask for a copy of personal ID?

Only if the company 1) is in doubt as to the true identity of the data subject and 2) has exhausted all other options for verifying the identity such as asking the data subject questions to provide more information in order for the company to ascertain the identity of the data subject. In other words, companies cannot adopt a way of handling requests by replying to all requests with a demand for personal ID.

Are we obliged to respond to requests?

Yes. Companies which control personal data are considered “controllers”, and Article 12(4) GDPR explicitly states: “If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.” So the regulation is pretty clear.

Can we ask the requester to read our Privacy Policy or contact us directly?

It will never be enough to process a request lawfully by just referring the data subject to the company’s privacy policy. Since it is the responsibility of the company to facilitate the exercise of data subjects’ rights, it will usually not be lawful to simply ask the data subject to contact the company directly.

If the data requester is a non-EU resident, do we then have to process it?

Depending on the applicable data protection regulation, you might not be required to respond to this request. It’s up to your company to decide if and how you respond to the request – and if you want to treat non-EU residents differently to EU residents.

Can we use WeAreDavid to ask for consent?

No. You can't use WeAreDavid to collect consent. Only if you have a valid consent will it be possible to ask the data subject to update their information. However, you may want to use the WeAreDavid service desk to inform the data subject that you're using the collected data for new purposes.

What happens if we refuse or are unable to answer the requester?

If the requester is an EU resident and you refuse and/or you’re unable to provide an answer to the data request, then you’re legally obliged to inform the requester of his or her option to lodge a complaint with a supervisory authority and seek a judicial remedy directly.

Is WeAreDavid secure?

Making sure that WeAreDavid is secure is extremely important to us. So we follow OWASP recommendations that are considered as industry best practice when it comes to making services secure. On top of this, we rely on only trusted providers to host the platform. We host our services in the cloud using Microsoft Azure, ensuring wide availability and services that ensure data integrity.

Where can I find WeAreDavid’s Privacy Policy and Terms and Conditions?

Right here for privacy policy and here for terms and conditions.

What information does WeAreDavid store on our company?

Based on your registration with us, we store your profile name, your email address and your service desk role. We store your login password in a tokenized format, meaning that it’s not readable to us. Based on requests that you handle through WeAreDavid, we store any information submitted as answers from you in an encrypted form. The communication you have with the requester is stored, and only the company and the requester have access to this communication. As everything is encrypted, no one – besides you – can access any of your data in a readable format.

We want to prevent our company from being shown in the app. Can we do that?

You can ask us to delete the logo of your company in the app. However, we don’t delete any companies from the app, nor do we delete the email address used to send requests. We want to make it easier for businesses to make it right while helping people get access to what rightfully belongs to them: their own data.

Do the authorities recognize the approach of WeAreDavid?

In specific cases, we’ve seen that supervisory authorities will, in fact, send a letter to a company that has not responded to a request by a data subject. This basically means that if no reply is received from the company, the next step for the data subject is to lodge a complaint with the relevant supervisory authority, whereupon the supervisory authority will ask the company to reply to the request.