LAMPIRE BIOLOGICAL LABS, INC.
How To Handle Privacy Requests
This document describes the responsibilities of the designated Privacy Contact for Lampire Biological Labs, Inc. and provides practical guidance for receiving, tracking, and responding to privacy-related requests under Lampire’s Privacy Policy. It is intended to operationalize the obligations described in Section 9 (Your Privacy Rights and Choices) of the Privacy Policy and related provisions.
The Privacy Contact serves as Lampire’s central intake and coordination point for privacy matters. The role is administrative and procedural rather than legal: ensuring requests are captured, logged, verified where required, responded to within statutory deadlines, and escalated appropriately.
Exhibit A is a Workflow for reviewing, tracking, and responding to requests under the Privacy Policy. Exhibit B includes template responses for each type of request.
1. Role of the Privacy Contact. The Privacy Contact is responsible for:
- Receiving privacy-related requests via email, phone, or web form
- Identifying the type of request (access, deletion, correction, opt-out, appeal, etc.)
- Ensuring identity verification where required
- Coordinating internally to locate and process responsive data
- Communicating with requestors in a timely and consistent manner
- Escalating complex or sensitive issues to management or legal counsel
- Maintaining required documentation of requests and outcomes
The Privacy Contact’s main responsibilities are to capture requests, follow the workflow, meet deadlines, escalate when needed, keep good records, and maintain confidentiality.
2. Types of Requests the Privacy Contact Should Expect
Under Section 9 of the Privacy Policy, the Privacy Contact should expect to receive the categories of communications listed below.
A. Access and portability requests
Requests to confirm whether Lampire processes personal data, and to receive a copy of that data.
B. Correction (rectification) requests
Requests asserting that personal data is inaccurate or incomplete and asking that it be corrected.
C. Deletion requests
Requests to delete personal data, subject to legal, regulatory, contractual, research, or security exceptions recognized in the Privacy Policy.
D. Opt-out requests (U.S. state laws)
Requests to opt out of targeted advertising, “sale” or “sharing” of personal data (as defined by applicable law), or marketing communications.
E. Restriction or objection requests (GDPR and similar laws)
Requests to limit processing or object to processing based on Lampire’s legitimate interests, including profiling or direct marketing.
F. General privacy questions or complaints
Inquiries regarding data collection, use, disclosure, retention, or security practices.
G. Appeals of denied requests (Section 9 – Appeals)
Follow-up communications requesting review of a prior denial or partial denial of a privacy request. These should be treated as higher-sensitivity matters and escalated internally.
3. Response Timing and Legal Deadlines
The Privacy Policy requires Lampire to respond within the timeframes required by applicable law. In practice, this means:
A. U.S. state privacy laws:
Varies by state, but substantive responses typically are due within 45 days of receipt, with one permitted extension if notice is provided.
Because deadlines run from the date the request is received, not from acknowledgment, the Privacy Contact must monitor intake channels regularly and log requests promptly.
B. GDPR / UK GDPR:
Substantive response within one (1) month of receipt (extensions are permitted but must be communicated).
4. Privacy Request Log
The Privacy Contact should maintain a simple internal log in an Excel spreadsheet to track all privacy-related requests from receipt through resolution. The Privacy Log should record, at a minimum:
- date received,
- requestor name and contact information,
- type of request,
- identity verification status (if applicable),
- action taken,
- date closed, and
- brief resolution notes.
The Privacy Request Log must be treated as confidential. It contains personal information and records of rights exercises and must be access-restricted, used solely for compliance purposes, and retained only as long as reasonably necessary to demonstrate compliance.
EXHIBIT A
Privacy Request Response Workflow
A. Initial Set-Up
Dedicated Email Address
Lampire should maintain a dedicated privacy inbox (e.g., privacy@lampire.com) monitored by the Privacy Contact.
- The inbox should be checked at least once each business day.
- An automatic acknowledgment is recommended.
Suggested auto-reply language:
“We have received your privacy request and will review it in accordance with our Privacy Policy and applicable law.”
Phone / Voicemail Intake
Lampire may route privacy-related calls through:
- a dedicated extension (e.g., “For privacy-related requests, press 7”), or
- a clearly identified voicemail box.
Suggested voicemail greeting:
“You have reached the privacy contact for Lampire Biological Laboratories, Inc. Please leave your name, contact information, and a brief description of your privacy request. Messages are reviewed during normal business hours.”
Voicemail messages should be logged and handled in the same manner as email requests.
B. Intake & Logging (Day 0–1)
- Receive request (email, voicemail, contact form).
- Log the request immediately.
- Preserve the original communication.
- Send acknowledgment within 1–2 business days.
C. Categorization & Identity Verification (Day 1–5)
- Identify request type:
- Access/Portability
- Correction
- Deletion
- Restriction/Objection
- Opt-Out
- Appeal
- General Inquiry
- Determine whether identity verification is required:
- Required for Access, Deletion, Portability, and Appeals.
- Not typically required for general inquiries or marketing opt-outs.
If verification is required and insufficient, pause processing and request additional information.
D. Substantive Review & Internal Coordination (Day 5–30)
- Access/Portability: Identify responsive systems and compile data.
- Correction: Confirm corrected information and update records.
- Deletion: Delete where permitted; retain where legally required or as otherwise permitted under the Privacy Policy.
- Opt-Out: Update marketing and advertising systems promptly.
- Appeals: Escalate for second-level review and prepare written determination.
E. Response & Closure
- Provide written response explaining actions taken, any limitations or exceptions, and any remaining rights (including appeal rights, where applicable).
- See Exhibit B for Template Responses.
- Update the log with resolution and closure date.
- Retain documentation securely and confidentially.
EXHIBIT B
Template Responses
The following templates are approved, plain‑English responses that the Privacy Contact may use when responding to privacy‑related requests under Lampire’s Privacy Policy and applicable law. These templates may be adapted as needed for the specific request, but substantive changes should be reviewed internally or with counsel where appropriate.
1. Acknowledgment of Privacy Request
Subject: Privacy Request Received
Thank you for contacting Lampire Biological Laboratories, Inc.
We have received your privacy request and are reviewing it in accordance with our Privacy Policy and applicable law. If we need additional information to verify your identity or clarify your request, we will contact you.
We will respond within the timeframe required by law.
2. Identity Verification Request
Subject: Verification Needed to Process Your Privacy Request
To protect your personal information, we need to verify your identity before processing your request.
Please provide the following information so we can proceed:
[describe limited verification steps]
Once verification is complete, we will continue processing your request.
3. Access / Portability Response
Subject: Response to Your Privacy Request
We have completed our review of your request for access to your personal information.
Attached (or linked) is a copy of the personal data we maintain about you, provided in a portable format where feasible.
If you have questions or believe any information is inaccurate, please let us know.
4. Correction Confirmation
Subject: Correction of Personal Information Completed
We have updated our records to reflect the corrected information you provided.
If you believe additional changes are needed, please contact us.
5. Deletion Response (Partial Deletion Example)
Subject: Response to Your Deletion Request
We have processed your request to delete personal information.
Certain information has been deleted. However, some information has been retained where required for legal, regulatory, contractual, or legitimate business purposes, as permitted by our Privacy Policy and applicable law.
If you have questions about this response, please contact us.
6. Opt‑Out Confirmation
Subject: Opt‑Out Request Completed
Your request to opt out of [marketing communications / targeted advertising / data sharing] has been processed.
Please note that it may take a short period of time for all systems to reflect this change.
7. Appeal Acknowledgment
Subject: Privacy Request Appeal Received
We have received your appeal regarding our prior response to your privacy request.
We are conducting a further review and will respond within the timeframe required by applicable law.
8. Appeal Determination
Subject: Appeal Decision – Privacy Request
We have completed our review of your appeal.
After further consideration, we have [affirmed / modified] our prior decision for the reasons explained below:
[brief explanation]
If you are located in a jurisdiction that provides the right to contact a regulator, you may do so as described in our Privacy Policy.