Introduction
Objective
This Privacy Policy sets out the rules and procedures relating to the processing of Personal Data and the safeguarding of Personally Identifiable Information.
Scope
All Personally Identifiable Information that is managed by the respective functions in the organization.
Policy Details
Policy Statement
The objective of this Policy is to cultivate an organization-wide privacy culture to protect the rights and privacy of individuals, and to comply with applicable privacy and data protection legislation by implementing privacy principles and controls in cooperation with the Information Security Management System.
All employees should adhere to and comply with this Policy and, additionally, specific privacy practices that may be adopted by ekAgracit Technologies Private Limited.
Policy Overview
The Information Technology Act, 2000 mandates the secure processing of personal information and the prevention of misuse of Information; the Ministry of Communications and Information Technology passed the Information Technology (Reasonable Security Practices, Procedures and Sensitive Personal Data or Information) Rules, which deal with practices and procedures for the protection and maintenance of Personal Information.
Responsibilities
Policy Statement
- The Information Security Committee is responsible for ensuring that all employees and managers are aware of security policies and that they are observed.
- Managers need to be aware they have a responsibility to ensure employees have sufficient, relevant knowledge concerning the security of information and systems.
- Designated owners of systems, who have responsibility for the management of the information systems and information, need to ensure that staff are aware of their responsibilities towards security.
- Designated owners of systems and information need to ensure they uphold the security policies and procedures.
Policy Scope and Coverage
This Policy is applicable to all Personal Data collected, received, possessed, owned, controlled, stored, dealt with or handled by ekAgracit Technologies Private Limited in respect of a Relevant Individual.
Personal Data and Information that ekAgracit handles for its clients in the context of providing consulting, technology and outsourcing services shall be processed according to the contractual provisions, specific privacy practices agreed upon with each client as applicable. This Policy lays emphasis on the obligations of the Relevant Individuals dealing with Personal Data in the course of performance of their duties.
Collection of Personal Data by ekAgracit
Throughout the course of the relationship with the Relevant Individual, ekAgracit needs to collect Personal Data. The type of Information that may be collected includes (but is not limited to), where relevant:
- Basic Information regarding the Relevant Individuals such as Name, Contact details, Address, Gender, Birth Date, Marital Status, Children, Parents Details, Dependent Details, Photos, Photo Id proof, PAN Card, Passport, Voter ID, Aadhaar card, Life Insurance nominees/beneficiaries, Fingerprint information, Emergency Contact details, Citizenship details.
- Recruitment, engagement or training records including CVs, applications, notes of interview, applicant references, qualifications, education records, test results (as applicable).
- Information about the Relevant Individual’s medical condition – health and sickness records.
- The terms and conditions of employment/engagement, employment contracts with ekAgracit and/or previous employer.
- Performance, conduct and disciplinary records within ekAgracit and/or with previous employers; mobility records generated in the course of employment/work with ekAgracit.
- Information relating to the Relevant Individual’s membership with professional associations or trade unions.
- Leave records (including annual leave, sick leave and maternity leave).
- Financial Information relating to compensation, bonus, pension and benefits, salary, travel expenses, tax rates, taxation, bank account, provident fund account details.
- Information captured as a result of monitoring of ekAgracit assets, equipment and network owned and/or provided by ekAgracit.
- Any other Information as required by ekAgracit.
Purposes of Collection and Processing of Personal Data
ekAgracit may collect, process and disclose Personal Data of the Relevant Individual for purposes connected with its business activities including the following purposes, hereinafter the “Agreed Purposes”:
- Managing the Relevant Individual’s employment/ work with ekAgracit including deployment/assignment of the individual to specific client projects.
- Record-keeping purposes; Payroll Administration, Payment of the Relevant Individual’s salary or invoice; Performance Assessment and Training.
- Compliance with a legal requirement/obligations; health and safety rules and other legal obligations; Administration of benefits, including insurance, provident fund, pension plans.
- Background verification purposes; credit and security checks.
- Operational issues such as promotions, disciplinary activities, grievance procedure handling.
- Audits, investigations, analysis and statistics, for example of various recruitment and employee retention programs.
- IT, Security, Cyber security and Access Controls.
- Disaster recovery plan, crisis management, internal and external communications.
- For any other purposes as ekAgracit may deem necessary.
ekAgracit only collects, uses and discloses Personal Data for purposes that are reasonable and legitimate. Such Personal Data shall be processed in a manner compatible with the Agreed Purposes, unless the Relevant Individuals have consented to it being processed for a different purpose or the use for a different purpose is permitted by applicable law. There may be circumstances when the Relevant Individual may have volunteered personal information and given explicit/fully informed consent to its processing (for example by submission of a CV).
Limited Access to Personal Data
Only those Employees who “need-to-know” or require access to function in their role should have access to Personal Data. ekAgracit will not disclose Personal Data to any person outside ekAgracit except for the Agreed Purposes, or with the Relevant Individuals’ consent, or with a legitimate interest or legal reason for doing so, such as where ekAgracit reasonably considers it necessary to do so and where it is permitted by applicable law. In each instance, the disclosed Personal Data will be strictly limited to what is necessary and reasonable to carry out the Agreed Purposes.
When ekAgracit works with third parties which may have access to Personal Data in the course of providing their services, ekAgracit contractually requires the third party to process Personal Data only on ekAgracit's instructions and consistent with ekAgracit's Data Privacy policies and Data Protection laws.
Disclosure and Transfer of Personal Data
ekAgracit may, from time to time, disclose and/or transfer the Relevant Individuals' Personal Data to third parties, including but not limited to those listed below:
- Group/affiliate companies and/or other business associates, ekAgracit's insurers and banks.
- External and internal auditors.
- Medical practitioners appointed by ekAgracit.
- Administrator of provident fund scheme.
- Third parties who are involved in a merger, acquisition or due diligence exercise associated with ekAgracit.
- External companies or third-party service providers ekAgracit engages to perform Services on the Company's behalf.
- Third Parties providing certain information technology and data processing services to enable business operations.
- The applicable regulators, governmental bodies, tax authorities or other industry recognized bodies as required by any applicable law or guidelines.
- To any other party as deemed necessary by ekAgracit.
Notwithstanding anything contained elsewhere, any Personal or Sensitive Personal Data may be disclosed by ekAgracit to any third party as required by a Court of Law or any other regulatory or any other law enforcement agency established under a statute, as per the prevailing law without the Relevant Individual’s consent.
When using external data processors or transferring personal data to external third parties, ekAgracit shall enter into agreements with appropriate contractual clauses for protection of Personal Data and confidentiality, including requirements to process the Personal Data only in accordance with instructions from ekAgracit and to take appropriate technical and organizational measures to ensure that there is no unauthorized or unlawful processing or accidental loss or destruction of or damage to Personal Data.
Retention of Personal Data
It is ekAgracit's policy to retain certain Personal Data of the Relevant Individuals when they cease to be employed/ engaged by ekAgracit. This Personal Data may be required for ekAgracit's legal and business purposes, including any residual activities relating to the employment/engagement, including for example, provision of references, processing of applications for re-employment/re-engagement, matters relating to retirement benefits (if applicable) and allowing ekAgracit to fulfil any of its contractual or statutory obligations.
All Personal Data of the Relevant Individuals may be retained for periods as prescribed under law or as per ekAgracit policy from the date the Relevant Individuals cease to be employed/engaged by ekAgracit. The Personal Data may be retained for a longer period if there is a subsisting reason that obliges ekAgracit to do so, or the Personal Data is necessary for ekAgracit to fulfil contractual or legal obligations.
Security of Personal Data
ekAgracit takes reasonable security measures to protect Personal Data against loss, misuse, unauthorized or accidental access, disclosure, alteration and destruction. ekAgracit has implemented policies and maintains appropriate technical, physical, and organizational measures and follows industry practices and standards in adopting procedures and implementing systems designed for securing and protecting Personal Data from unauthorized access, improper use, disclosure and alteration.
Accuracy of Personal Data
ekAgracit aims to keep all Personal Data as accurate, correct, up-to-date, reliable and complete as possible. However, the accuracy depends to a large extent on the data the Relevant Individuals provide. An Individual may access much of his Personal Information online using various “self-service” HR applications deployed in ekAgracit. As such, Relevant Individuals must agree to:
- Provide ekAgracit with accurate, not misleading, updated and complete Personal Data of the Relevant Individuals and/or any relevant person (including their consents to such disclosures to ekAgracit).
- Update ekAgracit as and when such Personal Data provided earlier becomes incorrect or out of date, by providing new details.
Monitoring of Relevant Individuals’ use of company network resources
ekAgracit may, from time to time, monitor the Relevant Individual’s use of company premises, property and network resources (including computer systems, e-mails, phone calls, and internet) primarily for the following purposes:
- Facilitating business, securing personnel and property of ekAgracit; for example, some of the locations are equipped with surveillance cameras.
- Maintaining a stable network environment for communications within ekAgracit and communications with external parties.
- Responding to any legal processes or investigating any suspected breach of the Relevant Individual’s obligations under this Policy, other ekAgracit policies or applicable law.
- Providing information to ekAgracit's management to ensure the proper utilization of ekAgracit's resources.
Data Protection (Grievance Officer)
Any questions, discrepancies, and grievances of the Relevant Individuals with respect to processing of Personal Data may be made to the ekAgracit support team.
Employees/Relevant Individuals Obligations & Consequences of Violations
Every ekAgracit Employee/Relevant Individual, who deals with or comes into contact with Personal Data, shall have a responsibility to comply with the applicable law concerning data privacy, this Policy, and specific privacy practices.
The Employee/Relevant Individual shall be diligent and exercise caution while dealing with Personal Data of others in the course of performance of his/her duties, and shall also, at all times:
- Prevent any unauthorized person from having access to any computer systems processing Personal Data, and especially:
(a) unauthorized reading, copying, alteration, deletion or removal of data;
(b) unauthorized data input, disclosure, uploading, transmission/transfer of Personal Data.
- Abide by ekAgracit internal logical and physical security policies and procedures.
- Ensure that authorized users of a data-processing system can access only the Personal Data to which their access right refers.
- Keep a record of which personal data have been communicated, when and to whom.
- Not provide any Personal Data to any third party without first consulting with his/her Manager or the Human Resources Department.
- Ensure that Personal Data processed on behalf of a third party (client) can be processed only in the manner prescribed by such third party.
- Ensure that, during communication of Personal Data and transfer of storage media, the data cannot be read, copied or erased without authorization.
- Immediately on becoming aware, report and notify any vulnerabilities and privacy-related breaches/security breaches (including potential risks).
Failure to comply with the Policy and applicable laws may have serious consequences and can expose both ekAgracit and the Employee/Relevant Individual to damages, criminal fines and penalties. It is important to note that any non-compliance with this Policy is taken very seriously by ekAgracit and may lead to initiation of appropriate disciplinary actions including but not limited to Employee dismissal or Relevant Individual termination.
Definitions & Acronyms
- Personal Data means any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.
- Processing refers to any action performed on Personal Data, such as collecting, recording, organizing, storing, transferring, modifying, using, disclosing, uploading or deleting.
- Sensitive Personal Data of a person, under the Indian Information Technology Rules 2011, means such Personal Data which consists of information relating to:
• Password
• Financial Information such as bank account or credit card or debit card or other payment instrument details
• Physical, physiological and mental health condition
• Sexual orientation
• Medical records and history
• Biometric Information
• Any other details relating to the above mentioned, provided by any person to ekAgracit for providing services.
• Any Information received pursuant to the above mentioned by ekAgracit for processing, or storing such Information under a lawful contract or otherwise.
- Provided that any Information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force will not be considered to be Sensitive Personal Data.
- “Employee” means a current or former ekAgracit employee. As far as it applies to Employees, the Policy covers all stages of the employment cycle including recruitment and selection, promotion, evaluation and training.
- “Relevant Individual” means an Employee, contractor and/or any other third party working on ekAgracit's behalf and job applicants.