HDSOFT SYSTEM PRIVATE LTD


DATA PROTECTION & PRIVACY POLICY


January, 2023


Policy Approval Note: This Data Protection & Privacy Policy was passed and endorsed by the Board of the HDSOFT as fit to run and support the business of HDSOFT SYSTEM PRIVATE LIMITED effective Jan, 2023.


Document Control and Amendment History

Ref | Description | Document Owner | Approval Period | Document Issue Version
1 | Data Protection & Privacy Policy | Data Protection Officer | Jan, 2023 | Version 1


1. Introduction


Data breaches cause tremendous problems, not only for the company affected, but also for its clients. Stolen data can range from relatively benign information to extremely personal details. In any case, a breach can cost a lot of money in remediation and cause significant damage to a company’s image. HDSOFT therefore requires every stakeholder involved in handling any form of data to be extremely vigilant and to adhere to the guidance provided herein regarding data protection and privacy.


2. Scope and Applicability

This policy applies to all staff (part-time, full-time, volunteers, and interns), customers, and researchers engaged by or working at the direction of HDSOFT who have access to personal data. It also applies to third parties acting on behalf of HDSOFT and its subsidiaries, such as vendors, independent contractors, and consultants. These groups are collectively referred to as 'HDSOFT SYSTEM Personnel'.


3. Abbreviations


Abbreviation | Meaning
DPO | Data Protection Officer
CEO | Chief Executive Officer

4. Key Definitions

Term | Definition
Consent | Any freely given, specific, informed, and clear indication of the data subject’s wish, either in writing or by conduct, signifying agreement to the collection or processing of personal data relating to him or her.
Data Collector | A person who collects personal data.
Data Controller | A person or persons who, jointly with other persons or as a statutory duty, determine the purposes for which and the manner in which personal data is processed or is to be processed.
Data Processor | A person other than an employee of the data controller who processes the data on behalf of the data controller.
Data Subject | An individual from whom or in respect of whom personal information has been requested, collected, collated, processed, or stored.
Information | Includes data, text, images, sounds, codes, computer programs, software, and databases.
Minor | A person below the age of eighteen (18) years.
Personal Data | Information about a person from which that person can be identified, recorded in any form, including data relating to: name, date of birth, gender, ethnicity, nationality, sexual orientation, address, contact information (e.g. mobile phone number, home phone number), health care and health insurance information, biometric data (e.g. fingerprints, voice signature), e-mail address, bank account number, identification number (e.g. NIN, card number, NSSF number, employee ID number, insurance number, driver’s license number, passport number, student ID number), political party affiliation, religion, marital status, employment records, criminal records, IP (Internet Protocol) address, and similar data.

5. Purpose of the Policy

The purpose of the policy is to establish a framework for the implementation of the provisions and compliance requirements as enshrined in the Data Protection & Privacy Act 2018, Data Protection & Privacy Regulations 2020, and other related domestic and international laws, regulations, and guiding principles, in order to fulfill organizational responsibilities as a data collector, data controller, and data processor.

These data privacy laws govern the collection, use, disclosure, retention, and disposal of Personal Information and, in some instances, may afford specific rights to individuals related to their Personal Information. The type of Personal Information covered by the privacy laws, includes but is not limited to, name, address, date of birth, race, ethnicity, and any other information that can directly or indirectly identify an individual (see additional information under Definition section).


6. Policy Hierarchy

This policy establishes the foundation of the HDSOFT key data privacy principles and best practices, complemented by the following additional HDSOFT policies that address specific personal data privacy requirements.

The associated policies and procedures are expected to be followed by HDSOFT Personnel. These include: the Communications Policy; the Document Retention Policy; the Information Technology Management Policy; and the Outsourcing Policy.


7. Roles and Responsibilities


7.1 Board of Directors


It shall be the responsibility of HDSOFT’s Board of Directors, through its oversight role, to ensure that HDSOFT SYSTEM has in place an appropriate Data Protection and Privacy policy that is fit to run and support HDSOFT’s data management processes.


7.2 Senior Management


It shall be the duty of HDSOFT’s Management to ensure that:

a) There is at all times, enhanced oversight of the HDSOFT’s Data protection privacy management processes.

b) Sufficient priority and resources, commensurate with the scope and volume of the records/data handled and held by the HDSOFT are devoted to ensuring appropriate and sustainable records/data management mechanisms.

c) Regular staff awareness campaigns are conducted to keep staff aware of their data management responsibilities and obligations.

d) Clear procedures are put in place, enforced, and regularly reviewed with regard to how records are handled in all branches, units and departments of the HDSOFT.

e) Any data management related activities of the HDSOFT are conducted in a manner that fully observes the guidelines as provided for in this policy document.


7.3 Business unit/Function/Departmental team leaders


Each business unit team leader shall be the primary overseer of records/data management within the area supervised.


8. Key Data Privacy & Protection Principles


This policy is intended to implement key data protection and privacy principles, which include: accountability to data subjects, fair and lawful data collection and processing, consent management, data sharing, transfer of data outside India, data retention, information quality, data correction, data erasure, data security, third party relationships, direct marketing, handling of minors’ data, and complaints handling.


8.1. Collection of Personal Data.


a) HDSOFT personnel shall collect personal data directly from the data subject.

b) Personal data may also be collected from public sources or legally recognized secondary sources, such as government agencies.

c) The collection and processing of personal data must be adequate, relevant, and limited to what is necessary in relation to the purpose of the data.


8.2. Consent to Collect or Process Personal Data and Handling of Minor’s Data


a) Personal data shall not be collected by HDSOFT personnel without the consent of the data subject, unless applicable law does not require such consent as a prerequisite.

b) Personal data relating to a minor shall only be collected with the consent of the parent or guardian of the minor until such minor attains the age of majority.


9. Protection and Disclosure of Personal Data


a) The HDSOFT personnel shall ensure that they maintain a high level of confidentiality and take all reasonable efforts to limit the disclosure of Personal Information to only what the requestor needs to satisfy the objective and only after validating that disclosure is permitted under the circumstances.

b) Reasonable steps shall be taken to confirm the identity and authority of the individual or entity receiving Personal Information.

c) The Information Technology department of HDSOFT shall at all times ensure that personal data (electronically held) is technically safe and that sound security systems are adopted, appropriately designed with reasonable capability of preventing loss, damage, or unauthorized access to personal data.

d) The Information Technology department shall maintain an up-to-date security system that is responsive to any reasonably identifiable risks to personal data (electronic) under HDSOFT’s possession.

e) HDSOFT SYSTEM personnel shall only disclose personal data to the data subject. However, personal data may be disclosed to third parties subject to the data protection laws and this policy, for the purposes below:

(i) to service providers, and other business counterparties in connection with the products and services offered by HDSOFT;

(ii) to the HDSOFT SYSTEMS group entities for purposes of managing the HDSOFT’s clients, service providers, and other business counterparty relationships;

(iii) to HDSOFT’s payment infrastructure providers and other counterparties from whom HDSOFT SYSTEMS receives payments, or to whom HDSOFT makes payments on behalf of clients or service providers;

(iv) to export agencies, multilateral agencies, development finance institutions, other financial institutions, government authorities and their agents, insurers, due diligence service providers, and credit assessors, in each case in connection with the products and services provided by HDSOFT SYSTEMS;

(v) to service providers that provide application processing, fraud monitoring, call center or other customer services, hosting services, and other technology and business process outsourcing services;

(vi) to professional service providers such as legal advisors, accountants, auditors, insurers, tax advisors, and others alike;

(vii) to competent regulatory authorities, government bodies, prosecutors, courts, or tribunals in any jurisdiction, law enforcement authorities, or any other competent person involved in or contemplating legal proceedings;

(viii) to prospective buyers as part of a sale, merger, or other disposal of HDSOFT’s business or assets;

(ix) to any other persons where disclosure is required by law or to enable products and services to be provided to the data subject.


10. Personal Data Processed by Third Party


a) The responsible function of HDSOFT shall ensure that any data processor engaged and granted access to personal data, maintains the necessary technical and operational measures for the privacy and protection of such data.

b) The responsible function shall ensure that all contracts or agreements between HDSOFT and third-party personal data processors have embedded confidentiality and personal data protection clauses.


11. Transfer of Personal Data Outside India


a) The HDSOFT may share the data subject’s personal data with foreign service providers to enable service delivery.

b) Personal data may only be shared with foreign service providers or business counterparties where the legal framework regarding data protection and privacy is similar or better than the safeguards in India, and upon execution of an agreement(s) that cover protection and confidentiality of the shared data.


12. Data Retention


Personal data in possession of the HDSOFT shall be retained for as long as is necessary for the performance of an agreement with the data subject, service provider or business counterparties or complying with a legal or regulatory obligation.


13. Information Quality & Correction


a) HDSOFT SYSTEMS personnel shall ensure that personal data collected is complete, accurate, up-to-date, and not misleading having regard to the purpose of its collection.

b) Where possible or where it is a legal requirement, verification of the authenticity of personal data collected shall always be carried out by the responsible function prior to on-boarding and on an on-going basis, on a risk-based approach.

c) Upon the request by the data subject, the responsible function shall correct or delete inaccurate, irrelevant, excessive, out of date, incomplete, misleading personal data, or data obtained unlawfully, or data to which the HDSOFT no longer has authority to retain, and the data subject shall be accordingly notified.

d) Where the HDSOFT declines to comply with the data subject’s request, the grounds for the rejection shall be communicated to the data subject.


14. Erasure of Personal Data


a) Personal data may be erased upon a formal request by the data subject.

b) Personal data may also be erased on the HDSOFT’s initiative if:

(i) the data is inaccurate, irrelevant, excessive, out of date, incomplete, misleading; or

(ii) the data was obtained unlawfully; or

(iii) the HDSOFT no longer has the authority to retain the data; or

(iv) upon expiry of the data retention statutory period.

c) Physical data shall be erased by shredding or by other means that render it unreadable and prevent its reconstruction.

d) Electronic data shall be deleted by the respective device user and permanently deleted by the IT department from backup storage.

e) It shall be the responsibility of the departmental heads to identify personal data which qualifies for erasure and to oversee the erasure process.


15. Personal Data Breaches & Complaints Handling


a) Violations of this policy, breaches of personal data, or data subject complaints shall be reported to the designated Data Protection Officer as soon as possible, and not later than 24 hours after the incident has been identified. Breaches of personal data include the following:

(i) Unlawfully obtaining, disclosing, or procuring the disclosure to another person, of personal data held or processed by the HDSOFT;

(ii) Unlawfully destroying, deleting, concealing or altering personal data;

(iii) Selling or offering for sale personal data of any person;

b) Subject to section 13.1, the responsible function head shall take immediate remedial actions to prevent further violation of this policy or infringement on the rights of the data subject.

c) Data breaches shall be reported to the concerned client or respective party by the HDSOFT’s dedicated team member within the prescribed regulatory timelines upon review by the office and the CEO or his/her designate.


16. Rights of the Data Subject


The data subject may:

a) Request the HDSOFT for a copy of their personal data;

b) Request the HDSOFT to correct their personal data;

c) Request the erasure of their personal data, subject to data retention obligations established by law;

d) Restrict the processing of their personal data.


17. Designation of a Data Protection Officer


HDSOFT shall have a Data Protection Officer, designated by the office of the Chief Executive Officer, to fulfil the responsibilities prescribed in the Data Protection & Privacy Regulations.


18. Data Sharing


a) The DPO shall review all agreements involving data sharing whether with parties in India or domiciled in a foreign jurisdiction to ensure conformance with the DPDO minimum standards for data sharing agreements.

b) Sharing of personal data held by the HDSOFT whether as a routine requirement or one-off shall be done in accordance with the provisions of the Data Protection and Privacy Act, its implementing regulations, and any other related regulatory recommendations and guidelines prescribed by the Client. The above is notwithstanding any data sharing obligations ensuing from a court order, valid/formal contract, or mandated by any other relevant law of the land.

c) All data sharing agreements between the HDSOFT and any third parties shall be endorsed by the HDSOFT’s Executive (CEO and Company Secretary/Head of Legal).

d) The authority to share personal data held by the HDSOFT with any party by any office of the HDSOFT shall be derived from an existing legal, regulatory, contractual, or approved business policy/procedural obligation.


19. Review of the Policy


This policy shall be reviewed annually from the date of approval.


20. Commencement Date


This policy shall commence from the date of approval.


21. Cross References


a) Legislative:

(i) The Data Protection & Privacy Act, 2018.

(ii) The Data Protection & Privacy Regulations, 2020.


b) HDSPL Policies:

(i) Privacy Statement.

(ii) The Information Technology Management Policy.

(iii) The Document Retention Policy.

(iv) Outsourcing Policy.

(v) Communications Policy.