- Digital Technologies
- Digital Operations
- Digital Experiences
- ABOUT US
Datamatics Global Services Limited (“Datamatics” or “Company”) is committed to protecting the privacy and security of your Personal Information. The information you share with Datamatics allows us to provide you with the best experience with our products and services
Objective: To ensure that necessary set of guidelines that helps organization to protect personal data as per Data protection act 1998.This policy preserves the rights of individual whether data is held and what organizations shall do regarding data held about them. It also defines the responsibilities of the data users and processors.
A detailed Data Protection Impact Assessment will be conducted for projects under GDPR scope.
Process for conducting DPIA is described in detail under Procedures & Guidelines Manual under Guidelines for Risk Assessment and Mitigation.
Process: Protection of the data is preserved as per 8 principles of data protections act 1998. These eight principles of good information handling outlined in the act that state that data must be:
Data user is person who uses personal information for processing purpose. Data users @ Datamatics ensure that information that requires to be processed for the purpose for which it is downloaded. Only relevant information is downloaded for processing and unwanted information shall not be downloaded. He/shall ensure that data being processed is aadequate for the purpose for which it is downloaded. In case of data inadequacy, communication shall be made directly to that personal user of agency that handle user’s personal data seeking additional data. While transmitting, being at data or processing necessary controls shall be in place to avoid data leakage.
Data in Transit – There shall be secure connectivity between the sources and destination on which it is being downloaded. These secure controls shall be VPN, SFTP etc.
Data at Rest – Necessary encryption on the system on which it is residing such as Hard disk encryption or system encryption shall be in place.
Data in Process – To ensure secure processing of personal data and avoid it from being leaked while processing, necessary controls such as PGP (Pretty Good Privacy) or GPG encryption shall be in place.
This data shall be processed by Datamatics users from its UK facility and shall not be transferred to other countries. In case sending of data is inevitable due to multiple reasons including lack of expertise to process data, cost of processing etc. concerned data owners and firms who are custodian of such data shall be consulted for sending data, however, with adequate protection. These controls can be remotely accessing data using Terminal services, Citrix environment through IPSEC VPN. Encryption used shall not be less than 128 bits.
Datamatics collects information in one or more ways as mentioned below:
We may also collect, store and use the following "special categories" of more sensitive personal data and information (SPDI):
Purposes for which we will collect and use your personal information & SPDI:
Most commonly, we will use your personal information in the following circumstances:
Purposes for which we will collect and use sensitive personal data and information (SPDI):
SPDI requires higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information. We may collect or process SPDI in the following circumstances:
Less commonly, we may process this type of information where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else's interests) and you are not capable of giving your consent, or where you have already made the information public.
How is your personal data collected?
We use different methods to collect data from and about you including through:
Change of purpose
We will only use your personal information and SPDI for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. We will notify you if we need to use your personal information or SPDI for an unrelated purpose.
If you fail to provide personal information & SPDI:
If you fail to provide certain information and SPDI when requested, we may not be able to perform the contract we have entered into with you (such as providing a benefit), or we may be prevented from complying with our legal obligations (such as to ensure the health and safety.)
For how long will you retain my personal information & SPDI?
We will only retain your personal information and SPDI for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal information & SPDI, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements.
In certain circumstances we may anonymize your personal information so that it can no longer be associated with you, in which case we may use such information without further reference to you
Rights of access, correction, erasure, and restriction
Your duty is to inform us of changes.
It is important that the personal information and SPDI we hold about you is accurate and current. Please keep us informed if your personal information and SPDI changes during your relationship with us.
Your rights in connection with personal information and SPDI
Under certain circumstances, by law you have the right to:
Request access to your personal information and SPDI (commonly known as a "data subject access request"). This enables you to receive a copy of the personal information & SPDI we hold about you and to check that we are lawfully processing it.
Request correction of the personal information and SPDI that we hold about you. This enables you to correct any incomplete or inaccurate information we hold about you.
Request erasure of your personal information and SPDI. This enables you to ask us to delete or remove personal information and SPDI where there is no good reason for us continuing to process it.
We shall not be responsible for the authenticity of the personal information or SPDI supplied by you
What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
We have put in place security practices and standards and have a comprehensive documented information security program and policies that contain managerial, technical, operational and physical security control measures to protect the security of your information.
Third parties will only process your personal information and SPDI on our instructions and where they have agreed to treat the information confidentially, legally and securely.
We have put in place appropriate security measures to prevent your personal information & SPDI from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. In addition, we limit access to your personal information & SPDI to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information & SPDI on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
Why might you transfer my personal information and SPDI to third parties?
Why might you transfer my personal information and SPDI to third parties? We will transfer your personal information and SPDI to third parties in India or abroad where required by law, or where it is necessary for the performance of a lawful contract between us, or when we have your explicit consent. We may share your personal information with other third parties, for example in the context of the possible sale or restructuring of the business. We may also need to share your personal information with government agencies mandated under the law to obtain personal information including SPDI for the purpose of verification of identity or for prevention, detection, investigation, including cyber incidents, prosecution and punishment of offences or to otherwise comply with the law.
Datamatics retains the right to communicate with You (via e-mail, postal service, courier, mobile messaging services, and telephone or social media extensions) when You have agreed to receive such communication or where operational or regulatory requirements require us to do so. Datamatics further retains its right to communicate through third party vendors. You shall have the option to unsubscribe to receive such email communication.
Once You have raised a request with the Company for any request related to Your data, the Company shall revert to You within thirty (30) days’ of receipt of the request.
To ensure processing of personal data in a lawful manner you process personal data and the individual has given clear consent for processors and controllers to process their personal data for a specific purpose.
Scope: An individual in this case is an European Union’s citizen whose personal data is being processed or analysed.
The GDPR and Consent
The GDPR has set requirement for a consent. Consent refers to the choice & control offered by an individual regarding his/her personal data. As per GDPR an indication of consent shall be unambiguous and involve a clear affirmative action (an opt-in). It specifically bans pre-ticked opt-in boxes. It also requires individual consent options for distinct processing operations.
Consent should be separate from other terms and conditions and should not generally be a precondition of signing up to a service. Clear records of the consent shall be maintained.
The GDPR gives a specific right to withdraw consent. You need to tell people about their right to
withdraw and offer them easy ways to withdraw consent at any time.
Organization shall review existing consents and the consent mechanisms in the service to check that
they meet the GDPR standard. If they do, there is no need to obtain fresh consent.
Things to be followed by Datamatics as Data processor
In case of personal data wherein Data controllers expect Datamatics to perform data consent below mentioned steps shall be followed.
Refusal of consent
Datamatics understands that obtaining consent may not always possible, or consent may be refused by an individual. However, not obtaining consent or the refusal to give consent may not constitute a reason for not processing or sharing information. An individual's information can be disclosed without obtaining consent, if there is another lawful basis for processing.
The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:
Checklist for seeking consent shall be as under,
Disclaimer: Checklist mentioned above is applicable only for cases wherein Data controller has exclusively asked Datamatics to get consent directly from individual.
Data subject’s rights
As a part of GDPR requirement every data controller and Data processor should respect the right data subjects possess. However these rules are primarily applicable to Data controllers and unless specified clearly either in written or in the form of an agreement processor need not follow these rights. Of course necessary security measures should be in place to ensure sanctity of these rights are not violated. These are as under,
1. Rights of access by data subject
2. Right to rectification
The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
3. Right to erasure (‘right to be forgotten’)
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay.
4. Right to restriction of processing
The data subject shall have the right to obtain from the controller restriction of processing where one
of the following applies:
5. Right to data portability
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.
6. Right to object
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1). The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
In case of scenario wherein Data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
Compliance with legal and contractual requirements shall be handled as per information security ISO27001 requirement of the organization and shall be as under,
Compliance with legal and contractual requirements
To avoid breaches of any law, statutory, regulatory or contractual obligations and of any security requirements.
The design, operation, use and management of information systems may be subject to statutory, regulatory and contractual security requirements.
Advice on specific legal requirements should be sought from Datamatics’s Legal Department, or suitably qualified legal practitioners. Legislative requirements vary from country to country and may vary for information created in one country that is transmitted to another country (i.e. trans-border data flow).
Identification of applicable legislation & contractual requirement
All relevant statutory, regulatory and contractual requirements and the organization’s approach to meet these requirements shall be explicitly defined, documented and kept up to date for each information system and the organization.
No legal document shall be executed unless cleared by the Legal Department of Datamatics, irrespective of the value or the nature of the document.
All relevant statutory, regulatory and contractual obligations pertaining to Datamatics’s information systems shall be explicitly defined and documented.
The specific controls and individual responsibilities to meet these obligations shall also be defined and documented.
Datamatics complies with all statutory requirements including the following:
|Finance:||1. Accounting Standards.
2. Central Sales Tax Act, 1956.
3. State Sales Tax Acts (Bombay Sales Tax).
4. Customs Act, 1962.
5. Employees’ Provident Fund & Miscellaneous Provisions Act, 1952.
6. Employees’ State Insurance Act, 1948.
7. Income Tax Act, 1961.
8. S.E.E.P.Z. – S.E.Z. Rules & Regulations.
9. S.T.P.I. / E.O.U. Rules & Regulations.
10. Professional Tax.
12. SICOM Ltd.
|Administration:||1. Apprentices’ Act, 1961.
2. Bombay Shops &Establishment Act, 1948.
3. Maternity Benefits Act, 1961.
4. Payment of Bonus Act, 1965.
5. Payment of Wages Act, 1965.
6. Payment of Gratuity Act, 1972.
|Legal:||1. Companies Act, 1956.
2. Copyrights Act, 1957.
3. IT (Amendment) Act, 2008.
4. Arbitration and Conciliation Act, 1996
5. The Trade Marks, 1999
6. Patents Act, 1970.
7. U.K. Data Protection Act, 1998.
8. Health Insurance Portability & Accountability Act (HIPAA)
The above list shall be reviewed on a half yearly basis for changes enacted or additions of new legislation / regulation.
Records to be maintained
The records to be submitted / maintained under the above regulations are detailed in Procedures and Guidelines Manual under Section “Guidelines on controls of records”.
Depending upon the nature of the legislation or legal requirements, the Finance, Human Resources, Administrative, Legal Managers are responsible for compliance.
Intellectual Property Rights (IPR)
Appropriate procedures should be implemented to ensure compliance with legislative, regulatory and contractual requirements on the use of material in respect of which there may intellectual property rights and on use of proprietary software products.
|Objective evidence:||List of licensed copies for third party software|
|Verification of Operations Asset register|
Protection of Records
Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legal, regulatory, contractual and business requirements.
Objective Evidence: Physical verification of records
Privacy and protection of personally identifiable information
Privacy and protection of personally identifiable information shall be ensured as required in relevant legislation and regulation where applicable.
Personnel files of Datamatics employees are maintained by the HR department and access to those records are restricted only to that department and Datamatics management. However, they may be used for any legal requirements where necessary.
While processing personnel data for international clients, care is taken to ensure compliance with applicable legislation, such as the U.K. Data Protection Act, 1998, GDPR (General Data Protection Regulation). Details on GDPR are provided under Data Protection Policy.
Objective evidence: Physical verification of personal files.
Regulation of Cryptographic Controls
Cryptographic controls shall be used in compliance with all relevant agreements, laws and regulations.
Presently Indian laws such as IT Act 2000, IT (amendment) Act 2008 etc.do not provide for regulation of cryptographic controls.
Wherever any data is to be transmitted to a Client in another country in cryptographic or coded form, the contract with the Client shall provide that the Client shall advise Datamatics of the relevant provisions, rules and regulations of the applicable laws of the state or the country where the data is to be transmitted by Datamatics, and specify the methodology to be adopted by Datamatics, to ensure compliance with such applicable laws, rules and regulations.
The Client shall undertake to indemnify Datamatics against any legal proceedings, lawsuits, damages, penalties or fines, including attorneys’ fees that may be incurred or imposed upon Datamatics due to the Client’s inability to provide appropriate advice or methodology.
Objective evidence: SOW (Statement of Work)
Prevention of Misuse of Information Processing Facilities
Users should be deterred from using information processing facilities for unauthorized purposes.
Objective evidence: Physical verification of log-on process.
Information security reviews
Objective: To ensure that information security is implemented and operated in accordance with the organizational policies and procedures.
Independent review of information security
The organization’s approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) shall be reviewed independently at planned intervals or when significant changes occur.
The implementation of information security is reviewed independently to provide assurance that organizational practices reflect the policy. These reviews are conducted by internal auditors or a third party organization specializing in such review. While conducting internal audits due care is taken to make sure auditor does assess the processes he/she owns.
For detailed guidelines please refer Procedures and Guidelines Manual for conducting Internal Audits.
|Objective evidence:||Internal audits reports|
|Surveillance audit reports conducted by external agency|
Compliance with security policies and standards
Managers shall regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements.
Managers should ensure that all security procedures within their area of responsibility are carried out correctly to achieve compliance with security policies and standards
Functional managers shall ensure that all security procedures within their area of responsibility are carried out correctly. In addition, all areas covered by the ISMS shall be periodically audited for compliance with the security policies and standards.
Please refer to section internal audits for detailed description on internal audit.
Objective evidence: Internal audit reports
Data Leakage Policy
Data breach is possibility of confidential information, usually Personally Identifiable Information (PII) falling into the wrong hands that lead to misuse of the same. Data leakage primarily comprises hard copy information and digital information in network, at rest or data in processing tools. This includes unencrypted information on a lost or stolen laptop/USB or other
Objective: To identify possible data leakage points and take proactive steps to prevent this information from leakage.
Policy: Datamatics shall identify information critical to its client, employees & partners and its potential leakage points and shall ensure that necessary preventive measures are in place to safeguard it from leakage.
Scope: Data residing on servers within ISMS certified facilities, data being transmitting between its clients and data processed by applications- In house as well as third party applications.
Possible routes of Data leakage
Sensitive data inappropriately transferred, or sent out via e-mail, Web, file transfers or instant messaging, missing access controls to systems containing sensitive data, from back-end databases and servers to mobile computers, lost or stolen computers, laptops and mobile devices with sensitive data that is unencrypted, hard disks and portable storage (CDs, USB drives) or backup devices; and paper files, insecure transmission of personal identifiable and other restricted data, authorized insider abuse of databases and other back-end systems, insecure or improper destruction of information, encompassing both physical locations and electronic media (laptops and backups), lack of separation of duties and access controls on databases and other shared systems.
Measures to prevent Data Leakage:
Datamatics shall ensure that any sensitive data being transferred to client shall be encrypted using techniques such as IPSEC VPN.
Depending upon client’s requirement email access to employees shall be restricted to certain level and above. However in case of business requirement based on approval from employee’s supervisor an exception to this criterion shall be granted.
Access to employees having email id shall be restricted only to Datamatics.com and client’s domain email ids.
Depending upon client’s requirement Internet access to employees working on specific client’s project shall be restricted and only access to users at team lead above shall be granted.
All non-business sites or sites such as social media sites, logical drive sites such as drop box, google drive etc. shall be blocked.
Employees using laptops shall ensure that their laptops have antivirus updated and latest security patches are installed.
Users shall not be allowed to carry in removable media such as USB /Pen Drive, USB HDD etc.
VPN Access will be provided only to employees working on company owned laptop subject to approval from his/her supervisor.
USB ports of all systems shall be deactivated and no employees are permitted to carry their personal laptop, HDDs, USB drives inside premises.
Access to databases shall be restricted only to DBAs subject to approval from his/her immediate supervisor.
Every employee shall be educated through ISMS awareness session on joining the organization and thereafter once in a year. Awareness session ISMS shall cover dos and don’ts on various security measures that employees need to follow.
Exception: Exception to users to social media sites and some of the logical online drives such as drop box and few other sites that demands business requirements shall be granted. For this user need to seek permission of his Delivery Head/ PMs clearly giving the reasons for exception. Information security team post approval shall conduct the risk assessment and provide approval for a limited period.
Enforcement: All employees are required to follow this policy rigorously. Anyone violating this policy shall be dealt with disciplinary policy through HR department.
Data Protection Officer/Grievance officer
We have designated a Data Protection Officer (DPO) to address any discrepancies and grievances of data subjects with respect to processing of information in a time bound manner. The DPO will redress the grievances expeditiously within thirty (30) days from date of receipt of the grievance except for data breach notification. The details of the DPO are as follows:
Name: Mr. Gopal Ranjan
Tel No: +91-22-61021190
E-mail ID: email@example.com
Postal Address: Knowledge Centre, Street No. 17, Plot No. 58, MIDC, Andheri – (E), Mumbai – 400093, Maharashtra.
Changes to this privacy statement
We reserve the right to update this policy at any time.