1. Purpose
This policy outlines the principles and practices for ensuring compliance with data privacy laws relevant to Igile Technologies India Pvt Ltd. It aims to protect the privacy and confidentiality of personal data handled by the company, ensuring adherence to applicable regulations and standards.
2. Scope
This policy applies to all employees, contractors, and third-party service providers who handle or process personal data on behalf of Igile Technologies India Pvt Ltd. It covers all data privacy laws that are applicable within the jurisdictions where the company operates.
3. Definitions
- Personal Data: Any information relating to an identified or identifiable individual, including but not limited to names, contact information, and identification numbers.
- Sensitive Personal Data: A subset of personal data that includes information about an individual’s racial or ethnic origin, political opinions, religious beliefs, trade union membership, health, sex life, or criminal record.
- Data Subject: An individual whose personal data is processed by the company.
- Data Controller: An entity that determines the purposes and means of processing personal data.
- Data Processor: An entity that processes personal data on behalf of the data controller.
4. Legal Framework
Igile Technologies India Pvt Ltd adheres to the following data privacy laws and regulations:
- General Data Protection Regulation (GDPR): Applicable to data subjects located in the European Union (EU) and European Economic Area (EEA).
- California Consumer Privacy Act (CCPA): Applicable to data subjects located in California, USA.
- Personal Data Protection Bill (PDPB): Applicable to data subjects located in India.
- Other relevant local and international data privacy laws: Depending on the jurisdictions in which the company operates.
5. Data Privacy Principles
Igile Technologies India Pvt Ltd follows the core principles of data privacy:
- Lawfulness, Fairness, and Transparency: Personal data must be processed lawfully, fairly, and transparently.
- Purpose Limitation: Personal data must be collected for specified, legitimate purposes and not processed further in a manner that is incompatible with those purposes.
- Data Minimization: Personal data must be adequate, relevant, and limited to what is necessary for the purposes for which it is processed.
- Accuracy: Personal data must be accurate and kept up to date.
- Storage Limitation: Personal data must be kept in a form that permits identification of data subjects for no longer than necessary.
- Integrity and Confidentiality: Personal data must be processed securely, protecting against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
6. Data Collection and Processing
- Data Collection: Personal data must be collected in a manner that is lawful and fair. The data subject must be informed about the purpose of the data collection.
- Data Processing: Personal data must be processed only for the purposes for which it was collected, and appropriate measures must be taken to ensure data accuracy and security.
7. Data Subject Rights
Data subjects have the following rights under applicable data privacy laws:
- Right to Access: The right to obtain confirmation as to whether or not personal data concerning them is being processed, and if so, to access that data.
- Right to Rectification: The right to request the correction of inaccurate personal data.
- Right to Erasure: The right to request the deletion of personal data when it is no longer necessary for the purposes for which it was collected or processed.
- Right to Restrict Processing: The right to request the restriction of processing of personal data in certain circumstances.
- Right to Data Portability: The right to receive personal data in a structured, commonly used, and machine-readable format and to transmit it to another data controller.
- Right to Object: The right to object to the processing of personal data based on legitimate interests or direct marketing purposes.
8. Data Protection Impact Assessments (DPIAs)
DPIAs must be conducted when processing operations are likely to result in a high risk to the rights and freedoms of data subjects. The assessment will evaluate the necessity, proportionality, and risks associated with the processing and identify measures to mitigate those risks.
9. Data Breach Management
In the event of a data breach, the following steps must be taken:
- Notification: Notify affected data subjects and relevant regulatory authorities within the required timeframes.
- Investigation: Conduct an investigation to determine the cause and impact of the breach.
- Remediation: Implement measures to prevent future breaches and address any vulnerabilities identified.
10. Training and Awareness
All employees must receive regular training on data privacy laws and the company's data protection practices. Awareness programs will be conducted to ensure understanding and compliance.
11. Data Protection Officer (DPO)
A Data Protection Officer will be appointed to oversee compliance with data privacy laws, handle data subject requests, and act as a point of contact for regulatory authorities.
12. Policy Review
This policy will be reviewed annually and updated as necessary to ensure ongoing compliance with data privacy laws and best practices.
13. Compliance and Enforcement
Failure to comply with this policy may result in disciplinary action, up to and including termination of employment. Compliance will be monitored through regular audits and assessments.