Privacy Policy
Version 1.1
OBJECTIVES
The objective of this Policy is to cultivate an organization-wide privacy culture to protect the rights and privacy of individuals; and to comply with applicable privacy and data protection legislations by implementing privacy principles and controls in cooperation with the Information Security Management System.
SCOPE
This Policy is applicable to all Personal Data collected, received, possessed, owned, controlled, stored, dealt with, or handled by the Company for any Relevant Individual.
Personal Data and Information that the Company handles for its clients, in the context of providing consulting, shall be processed according to the contractual provisions and specific privacy practices agreed upon with each client, as applicable. This Policy lays emphasis on the obligations of the Relevant Individuals dealing with Personal Data while performing their duties.
It applies to all the employees, as well as to third-party agents authorized to access personal data.
REQUIREMENT
-
Collection of Personal Data
The Company needs to collect Personal Data from Relevant Individuals throughout the duration of the relationship with them. The type of Information that may be collected includes (but is not limited to):
Basic Information of the Relevant Individuals such as Name, Contact Details, Address, Gender, Birthdate, Marital Status, Children, Parents and Dependent Details, Photos, Photo Id Proof, Passport, Life Insurance Nominees/Beneficiaries, Emergency Contact Details, Citizenship, Visa, Work Permit Details, etc.
Previous Recruitment, Engagement, or Training Records including CVs, Applications, Notes of Interview, References, Qualifications, Education Records.
The Terms and Conditions of an Employment/Engagement, Employment Contracts with our Company and/or Previous Employer(s).
Performance, Conduct and Disciplinary Records within our Company and/or with Previous Employer(s); Mobility Records Generated in the course of employment/work with us.
Information relating to the Relevant Individual’s Membership with Professional Associations or Trade Unions.
Leave Records (including annual leave, sick leave, and maternity leave).
Financial Information relating to Compensation, Bonus, Pension and Benefits, Salary, Travel Expenses, Tax Rates, Taxation, Bank Account, Provident Fund Account Details.
Information captured as a result of monitoring of the Company’s Assets, Equipment, and Network owned and/or provided by us.
Any other Information as applicable/required by us.
-
Purposes of collection and processing of personal data
The Company may collect, process, and disclose Personal Data of the Relevant Individual for purposes connected with its business activities including the following, hereinafter the ‘Agreed Purposes’:
Managing the Relevant Individual’s employment/work with the Company including deployment/assignment of the individual to specific client projects.
Record-keeping Purposes; Payroll Administration, Payment of the Relevant Individual’s Salary, or Invoice; Performance Assessment and Training.
Compliance with a legal requirement/obligation; health and safety rules and other legal obligations.
Administration of benefits, including insurance, provident fund, pension plans; immigration, visa related purposes.
Background verification purposes; credit and security checks
Operational issues such as promotions, disciplinary activities, grievance procedure handling
Audits, investigations, analysis, and statistics, for example of various recruitment and employee retention programs
IT, Security, Cyber Security, and Access Controls
Disaster recovery plan, crisis management, internal and external communications
For any other purposes that we deem necessary.
Our Company only collects, uses, and discloses Personal Data for purposes that are reasonable and legitimate. Such Personal Data shall be processed in a manner compatible with the Agreed Purposes; unless the Relevant Individuals have consented to it being processed for a different purpose or the use for a different purpose is permitted by the applicable law. There may be circumstances, when the Relevant Individual may have volunteered personal information and given explicit/fully informed consent to its processing (for example by submission of a CV).
-
Limited access to personal data
Only those Employees who ‘need-to-know’ or require access to function in their role should have access to Personal Data. The Company will not disclose Personal Data to any outsider except for the Agreed Purposes, or with the Relevant Individual’s consent, or with a legitimate interest, or legal reason for doing so. This will be done only where the Company reasonably considers it necessary to do so and where it is permitted by applicable law.
In each instance, the disclosed Personal Data will be strictly limited to what is necessary and reasonable to carry out the Agreed Purposes. When our Company works with third parties who may have access to the Personal Data while providing their services, we would contractually require the third party to process Personal Data only on our instructions and consistent with our Data Privacy Policies and Data Protection Laws.
-
Disclosure and transfer of personal data
The Company may, from time to time, disclose and/or transfer the Relevant Individual’s Personal Data to third parties (including but not limited to those) listed below:
External companies or third-party service providers engaged to perform Services on the Company's behalf.
Third Parties providing certain Information Technology and Data Processing Services to enable Business Operations.
The applicable Regulators, Governmental Bodies, Tax Authorities, or other Industry Recognized Bodies as required by any applicable law or guidelines of any applicable jurisdiction; and
To any other party that we deem necessary.
Notwithstanding anything contained elsewhere, any Personal or Sensitive Personal Data may be disclosed by the Company to any third party as required by a Court of Law or any other Regulatory or Law Enforcement Agency established under a statute, as per the prevailing law without the Relevant Individual’s consent.
Personal information is transferred to another country only insofar as a reasonable level of data protection is assured in the recipient country. When using external data processors or transferring personal data to external third parties, the Company shall enter into agreements with appropriate contractual clauses for protection of Personal Data and Confidentiality, including requirements to process the Personal Data only in accordance with instructions from us and to take appropriate technical and organizational measures to ensure that there is no unauthorized or unlawful processing or accidental loss or destruction of or damage to the Personal Data.
-
Retention and deletion of personal data
It is the Company’s policy to retain some Personal Data of the Relevant Individuals when they cease to be employed/engaged by us. This Personal Data may be required for some legal and business purposes, including any residual activities relating to the employment/engagement, for example, provision of references, processing of applications for re-employment/re-engagement, matters relating to retirement benefits (if applicable) and allowing the Company to fulfil any of its contractual or statutory obligations.
All Personal Data of the Relevant Individuals may be retained for periods as prescribed under law or as per the Company Policy from the date the Relevant Individuals cease to be employed/engaged by us. Personal Data may be retained for a longer period if there is a valid reason that requires us to do so, or the Personal Data is necessary to fulfil any contractual or legal obligations. Once the Company no longer requires Personal Data, it is destroyed appropriately and securely or anonymized in accordance with the law.
-
Data Security of personal data
The Company takes reasonable security measures to protect Personal Data against loss, misuse, unauthorized or accidental access, disclosure, alteration, and destruction. The Company implements policies and maintains appropriate technical, physical, and organizational measures and follows industry practices and standards in adopting procedures and implementing systems designed for securing and protecting Personal Data from unauthorized access, improper use, disclosure, and alteration.
-
Accuracy of personal data
The Company aims to keep all Personal Data as accurate, correct, up-to-date, reliable, and complete as possible. However, the accuracy depends mostly on the data the Relevant Individuals provide. An Individual may access his Personal Information through the online portal using various ‘self-service’ HR applications deployed by the Company. Relevant Individuals must agree to:
Provide accurate, not misleading, updated, and complete Personal Data for themselves and/or for any relevant person (including their consents to such disclosures); and
Update information as and when such Personal Data provided becomes incorrect or out of date, by providing new details.
-
Employees/relevant individual’s obligations
Every Employee/Relevant Individual, who deals with or comes in contact with Personal Data regardless of its origin shall have a responsibility to comply with the applicable laws concerning data privacy, this Policy, contractual provisions, and other specific privacy practices agreed upon. The Employee/Relevant Individual should seek advice in the event of any ambiguity while dealing with Personal Data or in understanding this Policy, contractual provisions, and specific privacy practices agreed upon with each client.
The Employee/Relevant Individual shall be diligent and extend caution while dealing with Personal Data of others, during performance of his/her duties and shall also, always:
Prevent any unauthorized person from having access to any computer systems processing Personal Data, especially:
- unauthorized reading, copying, alteration, deletion, or removal of data.
- unauthorized data input, disclosure, uploading, transmission/transfer of Personal Data.
Abide by the Company’s internal logical and physical security policies and procedures.
Ensure that authorized users of a data-processing system can access only the Personal Data to which they have access rights.
Keep records of Personal Data that has been communicated, when and to whom.
Not provide any Personal Data to any third party without first consulting with his/her manager or the Human Resources Department.
Ensure that Personal Data processed on behalf of a client can be processed only in the manner prescribed by the client.
Ensure that, during communication of Personal Data and transfer of storage media, the data cannot be read, copied, or erased without authorization.
Immediately on becoming aware, report and notify any vulnerabilities and privacy-related breaches/security breaches (including potential risks).
Attend mandatory and voluntary trainings on security and data privacy, including e-learnings and online sessions.
-
Consequences of violations
Failure to comply with the Policy/Contractual Provisions and Privacy Practices agreed upon with each client and the Applicable Laws may lead to serious consequences and can expose both the Company and the Employee/Relevant Individual to damages, criminal fines, and penalties. It is important to note that any non-compliance with this Policy is taken very seriously and may lead to initiation of appropriate disciplinary actions according to the Misconduct Disciplinary action Policy and Process.