Frequently asked questions to help your business

• What is the legal framework of Revoke’s SARs?

The legal framework Revoke uses when processing requests is the data protection/consumer privacy law applicable in the Revoke customer’s country of residence. If the customer selects a specific organisation (i.e. data controller) that is located in or operating in another jurisdiction, we then use the relevant data protection/consumer privacy law of that jurisdiction, if appropriate.

Revoke’s services are offered to customers who want to exercise the rights that are afforded to them under the relevant law(s) e.g. CCPA (California Consumer Privacy Act) or GDPR (the EU General Data Protection Regulation) or other such equivalent laws.

Revoke will look to extend its services to customers in other jurisdictions where new data protection/consumer privacy laws come into force.

• In which countries are Revoke services for businesses available?

Revoke is currently available to businesses with a registered head office or physical presence within the European Economic Area (EEA), the United Kingdom and California (United States of America).

If your country is not currently included, please register your interest here and one of our customer support team will contact you.

• How does Revoke demonstrate it has authority to act on behalf of its users?

Revoke’s authority to act for its users is derived from the contractual agreement between the customer and Revoke in the provision of its services to them. This contractual agreement is entered into when the customer downloads the app, selects a subscription plan (free or paid), and engages with Revoke when they look to exercise their data protection or consumer privacy rights.

Once the Revoke user completes our onboarding requirements, they digitally sign an “Authorisation Letter” as evidence of this same authority for the recipient organisation, when sending requests.

Revoke is also registered as an Authorised Agent in California to assist our users there.

• What type of data protection/consumer privacy requests does Revoke send on behalf of its users?

Companies could receive one of three types of requests from Revoke users (or a combination of all three): “Stop Marketing”, “Get Data” or “Delete Data”. The email request will clearly identify what type of request you have received. Each request is prefixed by a 3-letter shortcode that corresponds to a specific type of request; for example, the prefix “STO” refers to Stop Marketing.

In addition, consumers and businesses which comply with CCPA can send “Stop Sharing” requests.

• Do businesses need to create an account with Revoke to reply to data subject/consumer privacy requests?

Under CCPA, “consumers” exercise their privacy rights by submitting requests to a company.

Under GDPR, “data subjects” exercise their data protection rights by submitting requests to a company, referred to as a data subject access request (“DSAR”) or “subject access request” (“SAR”).

If your company is in our database (our company database allows users to select which companies they want to send requests to), you may receive a subject access request (SAR), which you can manage using our secure Revoke business services and verification process.

You can reply to a request without creating an account if the information provided by users is sufficient for you to match them to your company’s records. If you need additional sensitive data, such as National ID or biometric data, you will need to create an account with Revoke so that you can use the secure, encrypted services available to business users through either our Essential or Plus plan; both are currently free of charge for organisations.

• What is the difference between Essential and Plus plans?

You will be asked to choose between our two current plans, “Essential” and “Plus”, both of which are free for organisations. Each plan connects to our DM portal and allows Data Controllers and their privacy teams to safely and securely action requests (“Essential” offers limited features, while “Plus” affords Data Controllers and their teams a greater range of functionality). The main difference between the two plans is that “Essential” offers basic tools to deal with a single request at a time, whereas “Plus” gathers all the incoming requests into a dashboard table showing all key information and the status of each request. This is a practical feature for companies that receive a large number of Subject Access Requests. “Plus” also displays all processing statistics and allows other authorised members of your privacy team to use the DM portal.

• What options are available to your business to reply to a Revoke SAR?

All SARs sent by Revoke on behalf of its users include links to “Manage Request” and “Access DM Portal”.

• Where will the “Manage Request” link take me?

Clicking on “Manage Request” will open a window where you will be able to view the data subject’s information and respond to their request by either:

  • uploading data for a GET request,
  • marking that you have removed them from your marketing list(s) for a STO request,
  • marking that you have deleted their data for a DEL request or
  • clicking “Reject” if you find you have no data on the subject (if you reject the request, this will be applied to all other requests from that user).

To view the data subject’s information, you will need to click the blue “View All” button, after which you will be prompted to enter a One-Time Code that will be sent to your DPO email inbox.

• Where will the “Access DM Portal” link take me?

Clicking “Access DM Portal” will open a window prompting you to “create a unique password” which will allow you to access the portal once a unique key has been generated to encrypt your communications (which currently can take up to 24 ). If you have already created a unique password and your unique key has been generated, you can access the portal securely with your password.

Once in the portal, you can view the data subject’s verified information as well as request consent from the data subject to view their more sensitive identity document in order to complete your company’s validation checks. You can also request more information from the data subject such as account or customer number etc. if you need it to complete their SAR.

You can respond to their SAR, communicate with the data subject, and complete the entire SAR process in our secure portal. If you choose our “Plus” portal option, the SAR process is made faster by using the app’s QR code scanner feature which provides quick access into your secure portal account.

• Is the Revoke DM Portal available on a Mac/PC?

Revoke is a consumer mobile application, i.e. an app (iOS and Android), with a business Data Management portal service for organisations, and is fully compatible with Macs and PCs.

• What are the main objectives of the Revoke DM Portal?

The main purpose of the Revoke DM portal is to provide:

    1. A secure and efficient SAR process for Data Controllers and their privacy teams
    2. Confidence in the security and confidentiality of electronic communications between your organisation and the data subject/user
    3. Confidence in the authenticity of the expertly verified ID
    4. Automatic record and evidence of fulfilling your legal obligations
    5. Pro-active management of SAR requests
    6. Easy task coordination for Privacy teams
    7. API integration available to fast-track matching of SARs details to a company’s own database

• What are the benefits of using the Revoke DM Portal?

  1. An efficient system between your organisation and the data subject/consumer using military-grade encryption; only the user who has requested their data will have access to it
  2. An easy-to-navigate and intuitive platform
  3. Straightforward response options embedded in the requests sent, which allow Data Controllers or their privacy teams to effectively manage requests
  4. Additional features allow you to quickly upload extra data or request more information to help verify the users’ identity.

• How does the Data Management Portal work?

We have written a detailed DM guide where Data Controllers and their privacy teams can find a comprehensive explanation of all features. The DM guide is available here.

• What verified information is available on the SARs?

The verified information available on the data subject/user through either of the email response links can include any of the items listed below. Each item is classified as either “Standard” or “Sensitive” data, which is explained in more detail later in this document.

Classification: Standard

  1. Primary email address
  2. All email addresses
  3. Primary phone number
  4. All phone numbers
  5. IP address

Classification: Sensitive

  1. Identity document
  2. Selfie
  3. Current residential address
  4. All residential addresses
  5. Health data
  6. “Special category” data under GDPR
  7. Financial data

• What are Revoke’s Terms and Conditions for businesses?

We do not have any Terms & Conditions for our free services for businesses. Revoke expects all business users to abide by all relevant laws in their jurisdiction when engaging with and using our Revoke DM portal. We offer access to our Service, including the Portal (DM Portal), for the purpose of facilitating your response to data subject access requests. Our DM Portal allows you to transfer the required information to the data subject in an encrypted and secure manner. Revoke can neither view nor modify any data transferred by you to the data subject using our platform.

• Can businesses charge a data subject for requesting their data?

You cannot charge a person (or their agent acting on their behalf) for obtaining their data under GDPR and CCPA, provided the request is not unreasonable or excessive. All requests made via Revoke are basic requests under the legislation mentioned above.

• What would happen if my company already has an online form to deal with SARs?

Under the California Consumer Privacy Act (CCPA) and the EU General Data Protection Regulation (GDPR), an individual may choose to exercise their rights to access information held by an organisation in any appropriate way they choose e.g., electronic or non-electronic communication methods, via email, letter, verbal request or via their third party agent. An organisation cannot insist on a particular process for consumers to follow. However, in certain cases, if your company has a straightforward data management process in place, we can set an autoresponder feature so our users will be redirected to your system to exercise their data rights.

• What happens if my company does not respond within one month under GDPR?

Under Article 12 GDPR, a data controller must respond to a SAR “without undue delay and in any event within one month of receipt of the request.” This can be extended by a further two months if the request is complex or a number of requests have been made by the data subject.

However, you must inform the data subject, within the one-month period, why it is necessary for you to seek an extension for the SAR.

If a company does not fulfil its obligations with respect to the GDPR request(s), the data subject has the right to make a complaint to the relevant data protection regulator (or Supervisory Authority of the data controller) and seek redress or compensation. They also have the ability to bring legal action to the relevant court to seek redress or compensation.

For the most severe type of breach or for repeated breaches of the GDPR, a company could face a fine of up to a maximum of 20 million euros or 4% of global annual revenues, whichever is higher. Regulatory bodies will consider several factors to determine the fine, including the nature, severity and frequency of the infraction(s). The level of damage or distress suffered by individuals is also taken into account, and any action taken by the organisation to mitigate the damage suffered by individuals will be considered.

• What would happen if my company does not respond within 45 days under CCPA?

Organizations must confirm receipt of a request within 10 business days and respond to the request within 45 calendar days from the time the request is received, not from when the request is verified, although an extension may be possible. Violations of the CCPA are subject to enforcement by the California attorney general’s office, which can seek civil penalties of $2,500 for each violation or $7,500 for each intentional violation after notice and a 30-day opportunity to cure have been provided.

• Why should I trust Revoke’s security?

Our software utilises the highest security standards in communication technology and data storage to protect both you, the contact organisation and the data subject’s personal data. When data is imported into and stored in the Revoke platform, it allows organisations to meet the regulatory requirements in the provision of a secure system to allow an individual to access and store their personal data. Our services provide a robust process when verifying our users’ identity. Our systems capture the customer’s electronic signature and consent (where appropriate), which evidences a contractual agreement between Revoke and the user, as required by the most relevant data protection regulations around the world.

Our software utilises the highest security standards in communication technology, encryption and data storage to protect both you, the contact organisation and the data subject’s personal data.

Our services use independent experts, who are experienced in all types of ID verification methods, to provide Revoke, and your company, with a robust process for verifying each Revoke user’s identity.

Our systems also capture the customer’s electronic signature and consent (where appropriate), which evidences a contractual agreement between Revoke and the user. This documentation is available for review by all Revoke SAR recipient organisations.

When data is imported into and stored in the Revoke platform it allows organisations to meet the high standards envisaged by the GDPR regulation and CCPA law in the provision of a secure system to allow an individual to access and store their personal data.

Cyber Essentials Certified

We take security seriously which is why we’ve been assessed and certified for addressing cybersecurity effectively and mitigating the risk from Internet-based threats.