DATA PROTECTION POLICY

Datamatics Global Services Limited (“Datamatics” or “Company”) is committed to protecting the privacy and security of your Personal Information. The information you share with Datamatics allows us to provide you with the best experience with our products and services.

Objective: To provide the set of guidelines the organization needs to protect personal data in line with the Data Protection Act 1998. This policy preserves the rights of individuals to know whether data about them is held and what organizations shall do with that data. It also defines the responsibilities of data users and data processors.

Definitions:

  • Personal data: Personal data is any information that can directly or indirectly identify a natural person. Examples of personal data can include:
    • Name and surname
    • Home address
    • Email address
    • Bank details
    • Medical information
    • Location data
  • GDPR: The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union. It also addresses the export of personal data outside the EU. It aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
  • Data controller: Data controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
  • Data processor: Data processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller
  • Data subject: The data subject is a living individual to whom personal data relates
  • Data Protection Impact Assessment (DPIA): A data protection impact assessment (DPIA) is a process to help you identify and minimize the data protection risks of a project.
  • Sensitive Personal Data: means personal data which may reveal, be related to, or constitute financial data, health data, an official identifier, sex life, sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe, or religious or political belief or affiliation. It also includes “sensitive personal data or information” as defined under the Indian Information Technology Act, 2000 (as amended in 2008) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and the Aadhaar number and/or the biometric information associated with an Aadhaar number as defined under the Aadhaar Act, 2016 and its subsequent amendments, as notified by UIDAI (Unique Identification Authority of India).
  • Critical Personal Data: Personal data which may be notified by the Central Government as critical personal data

A detailed Data Protection Impact Assessment will be conducted for projects under GDPR scope.

The process for conducting a DPIA is described in detail in the Procedures & Guidelines Manual under Guidelines for Risk Assessment and Mitigation.

Process: Protection of data follows the eight principles of the Data Protection Act 1998. These eight principles of good information handling state that data must be:

  • Fairly and lawfully processed
  • Processed for limited purposes
  • Adequate, relevant and not excessive
  • Accurate
  • Not kept for longer than is necessary
  • Processed in line with your rights
  • Secure
  • Not transferred to other countries without adequate protection

A data user is a person who uses personal information for a processing purpose. Data users at Datamatics shall ensure that information is processed only for the purpose for which it was downloaded. Only the information relevant to that purpose shall be downloaded; unwanted information shall not be downloaded. The data user shall ensure that the data being processed is adequate for the purpose for which it was downloaded. If the data is inadequate, additional data shall be requested directly from the individual or agency that handles the user’s personal data. Whether data is in transit, at rest or being processed, the controls below shall be in place to avoid data leakage.

Data in Transit – Connectivity between the source and the destination to which the data is downloaded shall be secured, for example with a VPN or SFTP.

Data at Rest – The system on which the data resides shall be encrypted, for example with full-disk or file-system encryption.

Data in Process – To ensure secure processing of personal data and prevent leakage during processing, files shall be encrypted with PGP (Pretty Good Privacy) or GPG whenever they are stored or exchanged between processing steps. PGP/GPG protects data only while it remains encrypted; data actually being processed is decrypted in memory on the processing system, so that system shall also be covered by the data-at-rest controls and access to it restricted to authorised data users.

This data shall be processed by Datamatics users from its UK facility and shall not be transferred to other countries. Where sending data elsewhere is unavoidable for reasons such as lack of expertise to process the data or the cost of processing, the data owners and the firms that are custodians of the data shall be consulted before any transfer, and adequate protection shall be applied. Acceptable controls include accessing the data remotely through Terminal Services or a Citrix environment over an IPsec VPN. Encryption used shall not be weaker than 128 bits.

Information Collection:

Datamatics collects information in one or more ways as mentioned below:

  • Information You give us: when availing of our products and some of the services made available on the Website, the registration information typically asked for includes name, e-mail address, etc., which You provide voluntarily and which helps us personally identify You. This information is necessary to initiate as well as continually use Your online account and products. If the information provided for such registration is wrong or has changed, You can update or delete it quickly, unless we have to keep that information for legitimate business or legal purposes. However, audit trail requirements may require us to retain a copy or log of such information for as long as is legally permitted or required.
  • We may collect, store, and use the following personal information about you:
    • Personal contact details such as name, title, addresses, telephone/mobile numbers and personal email addresses.
    • Details of previous employers, Education Details, Information of dependents.
    • Date and place of birth.
    • Residence Status.
    • Nationality.
    • Marital status.
    • Caste.
    • Religion.
    • Family Related Information.
    • Next of kin and emergency contact information.
    • Personal IDs such as PAN, UAN, PRAN, Aadhaar Card, Passport, Driving License, etc.
    • CCTV footage and other information obtained through electronic means such as door access records.
    • Information about your use of our information and communications systems.
    • Photographs.
    • Attendance & leave records, personal development data, performance management data, payroll & salary data.

We may also collect, store and use the following "special categories" of more sensitive personal data and information (SPDI):

  • Physical, physiological and mental health condition.
  • Sexual orientation.
  • Financial information such as bank account, credit card or other payment instrument details.
  • Medical records and history, and blood group.
  • Biometric information.
  • KYC details.
  • Aadhaar number and related information.

Purposes for which we will collect and use your personal information & SPDI:

Most commonly, we will use your personal information in the following circumstances:

  1. Where we need to perform the contract we have entered into with you.
  2. For Aadhaar authentication and sharing, storing, using Aadhaar data.
  3. Where we need to comply with a legal obligation.
  4. Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
  5. Where you have given us explicit consent to do so.
  6. For business management and planning, including accounting and auditing.
  7. For making decisions about grievances.
  8. For making arrangements for the termination of a contract.
  9. For dealing with legal disputes and insurance claims.
  10. For complying with health and safety obligations.
  11. To prevent fraud.
  12. To monitor your use of our information and communication systems to ensure compliance with our IT policy and laws of the land.
  13. To ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution.
  14. To conduct data analytics studies to review and better understand customer satisfaction and needs.
  15. Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information & SPDI.
  16. To meet requirements of any applicable law, regulation, legal process, enforceable governmental request, or customary practice directly or through our affiliates / banks / financial institutions / credit bureaus / agencies.
  17. For statistical analysis and verification or risk management.
  18. To enforce applicable terms of Service, including investigation of potential violations.
  19. We will take precautions and apply safeguards as required of us under applicable laws to ensure the confidentiality of any personally identifiable information.

Purposes for which we will collect and use sensitive personal data and information (SPDI):

SPDI requires higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information. We may collect or process SPDI in the following circumstances:

  1. In limited circumstances, with your explicit written consent.
  2. For a lawful purpose connected with our business, function or activity and the collection of SPDI is considered necessary for such purpose.
  3. Where we need to carry out our legal obligations.

Less commonly, we may process this type of information where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else's interests) and you are not capable of giving your consent, or where you have already made the information public.

How is your personal data collected?

We use different methods to collect data from and about you including through:

  • Direct interactions: You may give us your Identity and Contact Data by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you:
    • apply online or otherwise for our products or services;
    • contract to receive our services or provide services to us;
    • read the online marketing information available on the Website, on the various microsites powered by the Datamatics Group, and on landing pages linked from emails sent either on behalf of the Datamatics Group or our clients;
    • request marketing material to be sent to you;
    • enter a competition, promotion or survey;
    • download our client’s white papers; or
    • give us feedback
  • Automated technologies or interactions: As you interact with our website, we may automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies and other similar technologies. We may also receive Technical Data about you if you visit other websites employing our cookies. Please see our cookie policy for further details.
  • Third parties or publicly available sources: We may receive personal data about you from various third parties, at events, and pursuant to entering into a contractual arrangement with third parties.
  • Through our customers: We may receive your data through our customers to whom we provide automation and business solutions. We generally use this data for helping our customers analyze, review and make efficient business decisions through the data provided by you.
  • Technical Data from the following parties:
    • analytics providers such as Google;
    • affiliated marketing networks;
    • search information providers;
    • digital portals.

Change of purpose
We will only use your personal information and SPDI for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. We will notify you if we need to use your personal information or SPDI for an unrelated purpose.

If you fail to provide personal information & SPDI:
If you fail to provide certain information and SPDI when requested, we may not be able to perform the contract we have entered into with you (such as providing a benefit), or we may be prevented from complying with our legal obligations (such as ensuring health and safety).

Data retention
For how long will you retain my personal information & SPDI?

We will only retain your personal information and SPDI for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal information & SPDI, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements.

In certain circumstances we may anonymize your personal information so that it can no longer be associated with you, in which case we may use such information without further reference to you.

Rights of access, correction, erasure, and restriction

Your duty is to inform us of changes.

It is important that the personal information and SPDI we hold about you is accurate and current. Please keep us informed if your personal information and SPDI changes during your relationship with us.

Your rights in connection with personal information and SPDI
Under certain circumstances, by law you have the right to:

Request access to your personal information and SPDI (commonly known as a "data subject access request"). This enables you to receive a copy of the personal information & SPDI we hold about you and to check that we are lawfully processing it.

Request correction of the personal information and SPDI that we hold about you. This enables you to correct any incomplete or inaccurate information we hold about you.

Request erasure of your personal information and SPDI. This enables you to ask us to delete or remove personal information and SPDI where there is no good reason for us continuing to process it.

We shall not be responsible for the authenticity of the personal information or SPDI supplied by you.

What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

Data security
We have put in place security practices and standards and have a comprehensive documented information security program and policies that contain managerial, technical, operational and physical security control measures to protect the security of your information.

Third parties will only process your personal information and SPDI on our instructions and where they have agreed to treat the information confidentially, legally and securely.

We have put in place appropriate security measures to prevent your personal information & SPDI from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. In addition, we limit access to your personal information & SPDI to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information & SPDI on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

Why might you transfer my personal information and SPDI to third parties?
We will transfer your personal information and SPDI to third parties in India or abroad where required by law, where it is necessary for the performance of a lawful contract between us, or when we have your explicit consent. We may share your personal information with other third parties, for example in the context of a possible sale or restructuring of the business. We may also need to share your personal information, including SPDI, with government agencies mandated under the law to obtain it for the purpose of verification of identity, or for the prevention, detection, investigation (including of cyber incidents), prosecution and punishment of offences, or to otherwise comply with the law.

Communication:
Datamatics retains the right to communicate with You (via e-mail, postal service, courier, mobile messaging services, telephone or social media extensions) when You have agreed to receive such communication or where operational or regulatory requirements require us to do so. Datamatics further retains the right to communicate through third party vendors. You shall have the option to unsubscribe from such email communication.

Once You have raised a request with the Company related to Your data, the Company shall revert to You within thirty (30) days of receipt of the request.

Data Consent Policy

Objective:

To ensure that personal data is processed lawfully, and that the individual has given clear consent for controllers and processors to process their personal data for a specific purpose.

Scope: In this context an individual is a person within the European Union whose personal data is being processed or analysed.

The GDPR and Consent

The GDPR sets specific requirements for consent. Consent refers to the choice and control offered to an individual regarding his/her personal data. Under the GDPR an indication of consent must be unambiguous and involve a clear affirmative action (an opt-in). It specifically bans pre-ticked opt-in boxes. It also requires separate consent options for distinct processing operations.
Consent should be separate from other terms and conditions and should not generally be a precondition of signing up to a service. Clear records of the consent shall be maintained.
The GDPR gives a specific right to withdraw consent. You need to tell people about their right to withdraw and offer them easy ways to withdraw consent at any time.

The organization shall review existing consents and the consent mechanisms in the service to check that they meet the GDPR standard. If they do, there is no need to obtain fresh consent.

Things to be followed by Datamatics as Data processor

  1. Datamatics, being a data processor, receives details of the personal data to be processed directly from the data controller.
  2. Upon signing an agreement with a data controller, Datamatics shall ask the data controller for copies of the consent given by all data subjects.
  3. Where individuals have already given consent to the data controller, Datamatics will ensure adherence to the GDPR by not sharing the data with anyone else, and will process the data only as instructed by the data controller. Instructions on processing shall form part of the Statement of Work (SOW) or MSA.

Where a data controller expects Datamatics to obtain consent on its behalf, the steps below shall be followed.

  1. When requesting consent, Datamatics shall ensure that information is provided in a suitable, accessible format.
  2. Where it has been established that an individual is unable to give consent or to communicate a decision, Datamatics shall decide on the use of the information by taking into account the individual's best interests and any previously expressed wishes, or by consulting the data controller.
  3. Where a child explicitly requests that information not be disclosed to parents or guardians, or to any third party, their decision must be respected except where it puts the child at risk of significant harm, in which case disclosure may take place in the public interest without prior consent.
  4. Datamatics shall record the decision to share personal information on an appropriate system which can be readily accessed.
  5. Datamatics shall not refuse to share information solely on the grounds that no consent is in place. Each case shall be judged on its own merits, as there are circumstances in which information can be shared without the consent of the individual.

Refusal of consent

Datamatics understands that obtaining consent may not always be possible, or that consent may be refused by an individual. However, the absence or refusal of consent does not by itself constitute a reason for not processing or sharing information: an individual's information can be disclosed without consent if another lawful basis for processing applies.

The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:

  1. Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
  2. Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
  3. Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
  4. Vital interests: the processing is necessary to protect someone’s life.
  5. Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
  6. Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This basis is not available to public authorities processing in the performance of their tasks.)

Check-list:

Checklist for seeking consent shall be as under,

  • We have checked that consent is the most appropriate lawful basis for processing.
  • We have made the request for consent prominent and separate from our terms and conditions.
  • We ask people to positively opt in.
  • We don’t use pre-ticked boxes or any other type of default consent.
  • We use clear, plain language that is easy to understand.
  • We specify why we want the data and what we’re going to do with it.
  • We give individual options to consent separately to different purposes and types of processing.
  • We name organisations and any third-party controllers who will be relying on the consent.
  • We tell individuals they can withdraw their consent.
  • We ensure that individuals can refuse to consent without detriment.
  • If we offer online services directly to children, we only seek consent if we have age-verification measures (and parental-consent measures for younger children) in place.
  • We keep a record of when and how we got consent from the individual.
  • We keep a record of exactly what they were told at the time.
  • We regularly review consents to check that the relationship, the processing and the purposes have not changed.
  • We have processes in place to refresh consent at appropriate intervals, including any parental consents.
  • We make it easy for individuals to withdraw their consent at any time.
  • We act on withdrawals of consent as soon as we can.

Disclaimer: The checklist above applies only to cases in which the data controller has explicitly asked Datamatics to obtain consent directly from individuals.

Data subject’s rights

As part of the GDPR requirements, every data controller and data processor should respect the rights that data subjects possess. However, these obligations fall primarily on data controllers; unless clearly specified in writing or in an agreement, the processor need not itself action these rights. Necessary security measures shall nevertheless be in place to ensure these rights are not violated. The rights are as under:

1. Rights of access by data subject

  1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed and, where that is the case, access to the personal data and the following information:
    1. the purposes of the processing;
    2. the categories of personal data concerned;
    3. the recipients to whom the personal data have been or will be disclosed;
    4. the period for which the personal data will be stored.
  2. Where personal data are transferred to a third country or to an international organization, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.
  3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs.

2. Right to rectification
The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

3. Right to erasure (‘right to be forgotten’)
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay.

4. Right to restriction of processing
The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

  1. the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
  2. the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  3. the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
  4. the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.

5. Right to data portability
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.

6. Right to object
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1). The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

Where a data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

Compliance with legal and contractual requirements shall be handled as per the organization’s ISO 27001 information security requirements, as under:

Compliance with legal and contractual requirements

Objective

To avoid breaches of any law, statutory, regulatory or contractual obligations and of any security requirements.

The design, operation, use and management of information systems may be subject to statutory, regulatory and contractual security requirements.

Advice on specific legal requirements should be sought from Datamatics’ Legal Department or from suitably qualified legal practitioners. Legislative requirements vary from country to country and may vary for information created in one country that is transmitted to another country (i.e. trans-border data flow).

Identification of applicable legislation & contractual requirement

Control

All relevant statutory, regulatory and contractual requirements and the organization’s approach to meet these requirements shall be explicitly defined, documented and kept up to date for each information system and the organization.

No legal document shall be executed unless cleared by the Legal Department of Datamatics, irrespective of the value or the nature of the document.

All relevant statutory, regulatory and contractual obligations pertaining to Datamatics’ information systems shall be explicitly defined and documented.

The specific controls and individual responsibilities to meet these obligations shall also be defined and documented.

Datamatics complies with all statutory requirements including the following:

Department: Legislation

Finance:
  1. Accounting Standards.
  2. Central Sales Tax Act, 1956.
  3. State Sales Tax Acts (Bombay Sales Tax).
  4. Customs Act, 1962.
  5. Employees’ Provident Fund & Miscellaneous Provisions Act, 1952.
  6. Employees’ State Insurance Act, 1948.
  7. Income Tax Act, 1961.
  8. S.E.E.P.Z. – S.E.Z. Rules & Regulations.
  9. S.T.P.I. / E.O.U. Rules & Regulations.
  10. Professional Tax.
  11. Octroi.
  12. SICOM Ltd.

Administration:
  1. Apprentices Act, 1961.
  2. Bombay Shops & Establishments Act, 1948.
  3. Maternity Benefit Act, 1961.
  4. Payment of Bonus Act, 1965.
  5. Payment of Wages Act, 1936.
  6. Payment of Gratuity Act, 1972.

Legal:
  1. Companies Act, 1956.
  2. Copyright Act, 1957.
  3. IT (Amendment) Act, 2008.
  4. Arbitration and Conciliation Act, 1996.
  5. Trade Marks Act, 1999.
  6. Patents Act, 1970.
  7. U.K. Data Protection Act, 1998.
  8. Health Insurance Portability & Accountability Act (HIPAA).

The above list shall be reviewed on a half yearly basis for changes enacted or additions of new legislation / regulation.

Records to be maintained

The records to be submitted / maintained under the above regulations are detailed in Procedures and Guidelines Manual under Section “Guidelines on controls of records”.

Depending upon the nature of the legislation or legal requirement, the Finance, Human Resources, Administration and Legal Managers are responsible for compliance.

Intellectual Property Rights (IPR)

Control

Appropriate procedures should be implemented to ensure compliance with legislative, regulatory and contractual requirements on the use of material in respect of which there may be intellectual property rights, and on the use of proprietary software products.

  • Only licensed copies of third party bought software shall be installed on Datamatics information systems. Usage shall be according to the license and shall be monitored, wherever possible, by means of software controls or manually.
  • Such software shall form a part of the IT Operations department’s Asset Register
  • The Operations Manager shall maintain a list of all third party bought software. All new requests for installation of such software on Datamatics machines shall be addressed to the Operations Manager, who shall verify that the software and a license for its use are available and, where they are, authorize an Operations Engineer to install the software.
  • If the software is not available for installation, the person making the original request shall be informed, so that they can initiate a request for its purchase.
  • Datamatics employees are not authorized to make copies of software unless formally approved by AGM-IT Operations.
Objective evidence: List of licensed copies for third party software
  Verification of Operations Asset register

Protection of Records

Control

Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legal, regulatory, contractual and business requirements.

  • Records needed to evidence that Datamatics operates within statutory or regulatory rules, to ensure an adequate defense against potential civil or criminal action, and to confirm its financial status to shareholders, auditors, etc. shall be identified and protected. For this purpose all hard copy records are kept under lock and key.
  • All soft copy records are backed up as per the standard back-up procedure, and the media are checked periodically for readability. Retention periods and the method of destruction are recorded.
  • Original signed annual accounts and Income Tax and Sales Tax records are stored in fire-proof cabinets after completion of the assessments. They shall be checked once a year and whenever new records are placed in the cabinets.
  • Monthly statutory payment challans, such as Provident Fund / ESIC / Professional Tax / Income Tax (TDS), and other general accounting records are kept in respective separate files, in locked cupboards in the Accounts Department. These records are reviewed periodically.
  • Legal records of the organization are kept in locked cupboards in the Legal Department.
  • Customer and Vendor contracts are maintained in physical and online repository by the Legal Department.
  • For soft copy records, a separate incremental back-up shall be taken from the accounts server to a second server and a designated desktop on alternate days. Weekly backups shall also be taken on tape by the Operations Manager as per the standard operating procedure for back-ups.
  • Records shall be destroyed in a safe and secure manner on completion of their retention period.

Objective Evidence: Physical verification of records

Privacy and protection of personally identifiable information

Control

Privacy and protection of personally identifiable information shall be ensured as required in relevant legislation and regulation where applicable.

Personnel files of Datamatics employees are maintained by the HR department, and access to those records is restricted to that department and Datamatics management. They may, however, be used where necessary to meet legal requirements.
When processing personal data for international clients, care is taken to ensure compliance with applicable legislation such as the U.K. Data Protection Act, 1998 and the GDPR (General Data Protection Regulation). Details on the GDPR are provided under the Data Protection Policy.

Objective evidence: Physical verification of personal files.

Regulation of Cryptographic Controls

Control

Cryptographic controls shall be used in compliance with all relevant agreements, laws and regulations.

Presently, Indian laws such as the IT Act 2000 and the IT (Amendment) Act 2008 do not provide for regulation of cryptographic controls.

Wherever data is to be transmitted to a Client in another country in encrypted or coded form, the contract with the Client shall require the Client to advise Datamatics of the relevant provisions, rules and regulations of the applicable laws of the state or country to which the data is to be transmitted, and to specify the methodology Datamatics is to adopt to ensure compliance with those laws, rules and regulations.

The Client shall undertake to indemnify Datamatics against any legal proceedings, lawsuits, damages, penalties or fines, including attorneys’ fees that may be incurred or imposed upon Datamatics due to the Client’s inability to provide appropriate advice or methodology.

Objective evidence: SOW (Statement of Work)

Prevention of Misuse of Information Processing Facilities

Control

Users should be deterred from using information processing facilities for unauthorized purposes.

  • Datamatics’ information processing facilities shall be used for business purposes only, and management shall authorize their use.
  • Any use for non-business or unauthorized purposes without management approval is improper and forbidden.
  • Misuse of information processing facilities shall be treated as a disciplinary matter.
  • All employees and third-party users must be aware of the precise scope of their permitted access to information systems, and that scope must be enforced by access restrictions on the systems themselves.
  • At log-on to data processing resources, a warning message shall be presented to indicate that the information processing facility being entered is owned by Datamatics and that an unauthorized access is not permitted. The user has to acknowledge and react appropriately to the message on the screen to continue with the log-on process.

Objective evidence: Physical verification of log-on process.

Information security reviews

Objective: To ensure that information security is implemented and operated in accordance with the organizational policies and procedures.

Independent review of information security

Control

The organization’s approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) shall be reviewed independently at planned intervals or when significant changes occur.

The implementation of information security is reviewed independently to provide assurance that organizational practices reflect the policy. These reviews are conducted by internal auditors or by a third-party organization specializing in such reviews. When conducting internal audits, due care is taken to ensure that an auditor does not assess processes he or she owns.

For detailed guidelines please refer Procedures and Guidelines Manual for conducting Internal Audits.

Objective evidence: Internal audits reports
  Surveillance audit reports conducted by external agency

Compliance with security policies and standards

Control

Managers shall regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements.

Functional managers shall ensure that all security procedures within their area of responsibility are carried out correctly to achieve compliance with security policies and standards. In addition, all areas covered by the ISMS shall be periodically audited for compliance with the security policies and standards.
Please refer to the section on internal audits for a detailed description of the internal audit process.

Objective evidence: Internal audit reports

Data Leakage Policy

Introduction

A data breach is the possibility of confidential information, usually Personally Identifiable Information (PII), falling into the wrong hands and being misused. Data leakage covers hard copy information and digital information on the network, at rest, or in processing tools. This includes unencrypted information on a lost or stolen laptop, USB drive or other device.

Objective: To identify possible data leakage points and take proactive steps to prevent leakage of this information.

Policy: Datamatics shall identify information critical to its client, employees & partners and its potential leakage points and shall ensure that necessary preventive measures are in place to safeguard it from leakage. 

Scope: Data residing on servers within ISMS-certified facilities, data being transmitted to and from its clients, and data processed by applications, both in-house and third-party.

Possible routes of Data leakage

Sensitive data may leak through, among other routes:

  • Sensitive data inappropriately transferred or sent out via e-mail, the Web, file transfers or instant messaging.
  • Missing access controls on systems holding sensitive data, from back-end databases and servers to mobile computers.
  • Lost or stolen computers, laptops and mobile devices holding unencrypted sensitive data; hard disks, portable storage (CDs, USB drives) and backup devices; and paper files.
  • Insecure transmission of personally identifiable and other restricted data.
  • Abuse of databases and other back-end systems by authorized insiders.
  • Insecure or improper destruction of information, in both physical locations and electronic media (laptops and backups).
  • Lack of separation of duties and access controls on databases and other shared systems.

Measures to prevent Data Leakage:

Datamatics shall ensure that any sensitive data transferred to a client is encrypted in transit, using techniques such as an IPsec VPN.
Depending on the client’s requirements, email access shall be restricted to employees at a certain grade and above. Where there is a business requirement, an exception to this criterion shall be granted on approval from the employee’s supervisor.
Employees who are given an email ID shall be permitted to exchange email only with Datamatics.com and the client’s domain email IDs.
Depending on the client’s requirements, Internet access for employees working on a specific client’s project shall be restricted, and access shall be granted only to users at team lead level and above.
All non-business sites, such as social media sites and cloud storage sites (Dropbox, Google Drive, etc.), shall be blocked.
Employees using laptops shall ensure that their laptops have up-to-date antivirus and the latest security patches installed.
Users shall not be allowed to bring in removable media such as USB pen drives or USB hard disks.
VPN access shall be provided only to employees working on a company-owned laptop, subject to approval from his or her supervisor.
USB ports on all systems shall be deactivated, and no employee is permitted to bring a personal laptop, hard disk or USB drive into the premises.
Access to databases shall be restricted to DBAs, subject to approval from their immediate supervisor.
Every employee shall be educated through an ISMS awareness session on joining the organization and once a year thereafter. The ISMS awareness session shall cover the dos and don’ts of the security measures employees need to follow.
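The policy states two host-level controls whose presence an auditor can verify mechanically: the log-on warning banner required under Prevention of Misuse of Information Processing Facilities, and the deactivation of USB storage required above. The following POSIX shell script is an added example, not part of the Datamatics policy or its Procedures and Guidelines Manual. It assumes Linux endpoints running OpenSSH (the policy names no platform), and the configuration paths, the banner wording and the two constructed host trees used to exercise it are assumptions for the example. It takes a filesystem root as its argument so the same checks can be run on the live host or on a mounted disk image collected as evidence.

```shell
#!/bin/sh
# Added audit helper, not part of the Datamatics policy. Checks two host-level
# controls the policy requires on a Linux/OpenSSH host (an assumption; the policy
# names no platform):
#   1. the usb-storage driver is disabled so USB mass storage cannot be used, and
#   2. sshd presents a log-on warning banner before authentication.
# ROOT is a filesystem root ("" or "/" for the live host, or a mounted image or
# test tree), so the checks can also run against offline evidence.

# usb_storage_blocked ROOT
# Passes when a modprobe drop-in disables the usb-storage module, either by
# "blacklist usb-storage" or by "install usb-storage /bin/true", which also
# defeats an explicit modprobe request. USB keyboards and mice keep working.
usb_storage_blocked() {
    dir="$1/etc/modprobe.d"
    [ -d "$dir" ] || return 1
    grep -Eqs '^[[:space:]]*(blacklist[[:space:]]+usb[-_]storage|install[[:space:]]+usb[-_]storage[[:space:]]+/bin/(true|false))([[:space:]]|$)' "$dir"/*.conf
}

# login_banner_configured ROOT
# Passes when sshd_config sets Banner to an existing, non-empty file under ROOT.
# sshd honours the first occurrence of a keyword, so only the first Banner line
# counts; "Banner none" (the OpenSSH default) fails the check.
login_banner_configured() {
    root="$1"
    cfg="$root/etc/ssh/sshd_config"
    [ -f "$cfg" ] || return 1
    banner=$(grep -Ei '^[[:space:]]*Banner[[:space:]]+' "$cfg" | head -n 1 | awk '{print $2}')
    [ -n "$banner" ] || return 1
    [ "$banner" != "none" ] || return 1
    [ -s "$root$banner" ]
}

# audit_host ROOT
# Prints one PASS/FAIL line per control and returns the number of failed
# controls, so a non-zero exit status can drive an alert or a ticket.
audit_host() {
    root="${1:-}"
    fails=0
    if usb_storage_blocked "$root"; then
        echo "PASS usb-storage driver disabled"
    else
        echo "FAIL usb-storage driver loadable"
        fails=$((fails + 1))
    fi
    if login_banner_configured "$root"; then
        echo "PASS sshd log-on warning banner configured"
    else
        echo "FAIL sshd log-on warning banner missing or empty"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Usage: sh audit_controls.sh /           (live host)
#        sh audit_controls.sh /mnt/image  (mounted disk image)
if [ "$#" -gt 0 ]; then
    audit_host "$1"
fi
```

Disabling the usb-storage driver is a software control and does not replace disabling ports in firmware or physically, which is what the policy text literally asks for; it does, however, leave an auditable artifact that this script can check, and it keeps USB keyboards and mice working. Windows endpoints would need an equivalent check against Group Policy or the registry, which this example does not cover.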

Exception: Exceptions permitting access to social media sites, to some online storage drives such as Dropbox, and to a few other sites shall be granted where there is a business requirement. The user must seek permission from his or her Delivery Head / PM, clearly stating the reasons for the exception. After that approval, the Information Security team shall conduct a risk assessment and grant approval for a limited period.

Enforcement: All employees are required to follow this policy rigorously. Anyone violating it shall be dealt with under the disciplinary policy through the HR department.

Data Protection Officer/Grievance officer

We have designated a Data Protection Officer (DPO) to address any discrepancies and grievances of data subjects with respect to processing of information in a time bound manner. The DPO will redress the grievances expeditiously within thirty (30) days from date of receipt of the grievance except for data breach notification. The details of the DPO are as follows:

Name: Mr. Gopal Ranjan
Tel No: +91-22-61021190
E-mail ID: gopal.ranjan@datamatics.com
Postal Address: Knowledge Centre, Street No. 17, Plot No. 58, MIDC, Andheri – (E), Mumbai – 400093, Maharashtra.

Changes to this privacy statement
We reserve the right to update this policy at any time.