GDPR

Digy4 Internal Data Protection Compliance Policy

Document ID:D10003

Version No: 01

Effective Date :1 December 2021

This Internal data protection compliance policy “Policy” has been made effective from 22-Nov-2021.

Introduction 

• We, Digy4 Inc (“Digy4” “we”, “us”, “our”), respect data privacy rights and are committed to protecting Personal Data collected / processed/ controlled at our end. This Policy sets forth guidelines to be followed by the employees/stakeholder of Digy4 in relation to the collection, use, retention, transfer, disclosure, and destruction of any Personal Data belonging to a Data Subject.

Intent 

• In light of the European and UK data protection law viz. General Data Protection Regulation (the “GDPR”) processing of all the personal data of people within the European Union “EU” and United Kingdom (“UK”) is governed by the provisions of the GDPR. Such provisions would be applicable to all business who collect, store, or process the personal data of people within the EU and UK. To comply with the provisions of the GDPR related to personal data processing Digy4 has formulated this Policy detailing the principles of the GDPR which the employees/stakeholders need to follow while handling and accessing personal data of persons in the EU and UK. Employees/stakeholder of Digy4 processing Personal Data of Canada Data Subjects are required to follow the guidelines mentioned in Schedule A.

Personal Data 

• Under the GDPR, personal data means any data which directly identifies or along with other information can identify a natural person “Personal Data”. Such data may include names, addresses, email addresses, telephone numbers, gender, location information such as IP address. This information may relate to employees, suppliers, end-users etc (of Digy4 clients or their customers) or any third party.

• From our perspective, we have access to Personal Data through our website and when we provide our products and services to our clients, Personal Data of such persons would be governed by the GDPR. For the purposes of this Policy we will concern ourselves only with Personal Data of Data Subjects.

Important Terms

• “Controller”- is a natural person or a legal entity such as a company, which determines the purposes and means of the processing of Personal Data.

          Digy4 will be the Controller when;

• Digy4 receives Personal Data of Data Subjects through its website, when visitors present in the EU and UK region, they get in touch with Digy4 for its offerings and / or access the website;
• Digy4 markets its product and service offerings to prospects based out of EU and UK region directly or through marketing representatives.
• Digy4 process its employee Personal Data from EU and UK region.

• “Compliance Officer” is a natural person responsible for the overall data compliance of the organisation. The Compliance Officer is Ms Reshmi Ray.

• “Data Subject” means the person to whom any Personal Data belongs.

• “Processor”- is a natural person or a legal entity such as a company, processes personal data on behalf of the controller.

         Digy4 will be the Processor when;

• Digy4 has access to Personal Data of EU Data Subjects, when Digy4’s clients use Digy4’s services offerings.

• “Processing” as per the GDPR, means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. For sake of clarity, access to, downloading, and even modifying Personal Data would amount to ‘Processing’ of such data.

• “Data Protection Compliance Team” or the “DPCT” This team will consist of ____[.]__

•  “Sub Processor” is a natural person or a legal entity such as a company, processes Personal Data on behalf of the Controller/Processor. In the event Digy4 India entity processes Personal Data of Digy4 Canada entity’s client on behalf of Digy4 Canada entity then Digy4 India entity will be the subprocessor.

Data Protection/Processing Principles

The employees/stakeholders which deal with the Personal Data must abide by the following data protection principles

• Fairness and Transparency– All employees/stakeholders who have access to Personal Data need to process such data lawfully, fairly and in a transparent manner in relation to the Data Subject.
• Purpose Limitation– Personal Data must be processed as per the instructions of the Controller. In all cases the Processing must be for the purposes for which the data is collected and must not be processed in any manner which is incompatible with the purposes for which it is collected.
• Data Minimisation– Only the data which is relevant and necessary for performing the services must be processed. Personal Data collection must be limited to the purpose of processing such Personal Data. Collection of unnecessary, additional Personal Data must be avoided.
• Accuracy– The employees/stakeholders processing Personal Data must ensure that the Personal Data processed is accurate and is kept up to date. Reasonable steps must be taken to ensure that the Personal Data which is inaccurate in relation to the purpose for which it is being processed must be deleted or rectified without delay.
• Storage Limitation– The employees/stakeholders must not retain any Personal Data for any longer than is necessary in light of the purpose(s) for which that data is collected, held, and processed. Different types of Personal Data, will necessarily be retained for different periods (and its retention periodically reviewed), as set out in Digy4 data retention schedule.
• Integrity and Confidentiality– Digy4 must ensure that appropriate organisational and technical measures are implemented for the security and safeguard of Personal Data. Employees/ stakeholders must not access Personal Data unlawfully. Only those Employees/stakeholders who are authorised to access Personal Data must access Personal Data. In the event any employee/stakeholders believes that Personal Data has been accessed/processed unlawfully without authorisation, employee/stakeholder must inform the Compliance Officer of such unauthorised access.
• Accountability– Digy4 must design and implement relevant policies and procedures required to demonstrate its compliance with Applicable laws

Data Subject Rights

• The Data Subjects under the GDPR can exercise the following Data Subject Rights with respect to Personal Data and request information related to processing of Personal Data:

• Right to access;
• Right to rectification;
• Right to erasure;
• Right to obtain restriction of processing of data;
• Right to data portability;
• Right to object.

• The employees/stakeholders will be responsible for informing the Compliance Officer promptly, without undue delay if they receive any request from the Data Subject to exercise their rights.

• When Digy4 is the Controller the Compliance Officer will:

•  provide information related to information requested from the Data Subject in a clear, concise transparent, intelligible, and easily accessible form.
• Data subject to be notified on action taken on the request of the Data Subject without any undue delay and within 30 days from receipt of request.
• Above period can be extendable to 2 months, any extension must be communicated to the Data Subject within one month from the date of receipt of request. Reasons for such delay and the possibility of lodging a complaint with supervisory authority of the EU region or Information Commissioner Office (ICO) for UK region as the case may be and seeking a judicial remedy should be provided to the data subject for seeking a judicial remedy should be provided to the data subject.

When Digy4 is the Processor Compliance Officer will:

•  Notify the Controller about the Data Subject request without undue delay and assist the Controller to fulfil its obligations in complying with such Data Subject requests.

• Data Transfer/Sharing- The employees/ stakeholders must not transfer/ share any personal data internally with other employees, members of any other department of Digy4, third party and outsiders unless instructed by their Compliance Officer. Data Processing Addendums (“DPA”) or similar data transfer agreements should be executed when Digy4 shares any Personal Data with any Processor/Sub processors as a Controller or Digy4 processes Personal Data for any of its Client as a Processor.

• General Data Protection Measures– The employees/stakeholders must adopt the following minimum data protection measures as given below to ensure the security of Personal Data:

1. The employee/stakeholder must prevent unauthorised persons from gaining access to data processing systems in which Personal Data are Processed.
2. The employee/stakeholder must prevent persons entitled to use a data processing system from accessing Personal Data beyond their needs and authorisations.
3. The employee/stakeholder must ensure that the Personal Data is protected against undesired destruction or loss.
4. The employee/stakeholder must ensure adequate security of Personal Data and take appropriate measures against unlawful processing.
5. The employee/stakeholder must inform his/ her supervisor/officer in charge and the Compliance Officer immediately after being aware of any violation of this Policy.

Data Breach Reporting

• In any event of Personal Data breach that has occurred due to theft of Personal Data or any other reason, the employee/stakeholders must immediately inform the Compliance Officer and provide him with all the required information about the data breach incident.
• When Digy4 is the Controller- The Compliance Officer must inform the DPCT. The DPCT upon receiving any information regarding data breach from the Compliance Officer must without undue delay inform the supervisory authority of the respective member state of which EU Personal Data is processed (If the Personal Data belongs to a EU Data Subject) or to ICO (If the Personal Data belongs to a UK Data Subject) regarding data breach from the not later than 72 hours after it becomes aware that the incident pertaining to data breach has occurred.

• The DPCT for the purpose of reporting UK Personal Data breach to ICO shall inform ICO at [email protected] with ‘Personal data breach notification’ in the subject line.

• When Digy4 is the Processor– The DPCT must immediately without undue delay inform the Controller/Digy4 client’s or the client’s point of contact (POC) as the case may be and provide it with all required information related to the data breach incident.

Contents of data breach notification-

•  Nature of personal data breach;
•  Categories and approximate number of data subjects concerned;
•  Categories and approximate number of personal data records concerned;
•  Description of the likely consequences of the data breach;
•  Name and contact details of the Compliance Officer or other contact point where more information can be obtained;
•  Measures taken or proposed to be taken by Digy4 to address the personal data breach and measures to mitigate its possible adverse effects.

Personal Data Breach Records

• Compliance Officer will document any Personal Data breaches, comprising the facts relating to the Personal Data breach, its effects and the remedial action taken. This documentation will enable the Supervisory Authority to verify compliance with Article 33 of the GDPR.

Roles and Responsibilities of Compliance Officer 

• The Compliance Officer will be in charge of identifying the Personal Data being handled by the specific department, employees/stakeholders and prepare the requisite Data retention schedule.
• The Compliance Officer will also determine the manner in which the Personal Data is maintained, accessed and shared.
• The employees/ stakeholders will be responsible for informing the Compliance Officer as and when they believe a data disposal trigger event has been achieved. The Compliance Officer will assess the situation and determine whether such trigger event has actually been achieved.
• Once a data disposal trigger has been achieved the Compliance Officer will ensure that the specific Personal Data is to be disposed of as per this Policy.

Access and Correction 

• Employees/Stakeholders must inform the Compliance Officer upon receiving any request from Data Subjects related to access and correction of Personal Data or PII. Response to such access and correction request must be provided to the Data Subjects within the timelines as mentioned in the table below. If response cannot be provided within the timelines a reason for extending the response time should be provided to the Data Subject along with the specific date by which response will be provided.

Sr. No    Location    Response Timelines

1    Canada    30 days

2    Europe    30 days

3    UK    30 days

Sub Processor

• In the event Digy4 appoints a Sub Processor for the purpose of Processing Personal Data, Digy4 will execute Data Processing Agreement with the Sub Processor. The Sub Processor should contact the Compliance Officer for execution of the Data Processing Agreement.

Penalty 

• IF ANY EMPLOYEE OR STAKEHOLDER IS FOUND TO BE VIOLATING THE PROVISIONS OF THIS POLICY DISCIPLINARY ACTION MAY BE TAKEN AGAINST HIM/ HER INCLUDING BUT NOT LIMITED TO TERMINATION OF HIS/HER EMPLOYMENT.

Schedule A

Canadian Privacy Principles

Introduction 

• Digy4 having a presence in Canada and pursuant to its offerings will be having access to Personal Information of Data Subjects from Canada (“PII”). Digy4 will be involved in transfer of such PII between its entities and its clients. The Personal Information Protection and Electronic Documents Act, (“PIPEDA”) has set out Canadian Privacy Principles which are required to be adhered to by the entities accessing/processing PII. In order to comply with the principles, Digy4 has formulated the below guidelines/principles detailing the principles of PIPEDA which the employees/stakeholders need to follow while handling and accessing PII.

Canadian Privacy Principles

• Accountability –   Digy4 must act responsibly with regards to the PII under its control. It must appoint someone to be accountable for its compliance with these fair information principles.
• Identifying Purposes –   The purposes for which the personal information is being collected must be identified by the Digy4 and its employees/stakeholders before or at the time of collection.
• Consent –   Employees/Stakeholders must ensure the Data Subject has knowledge and consent of the Data Subject has been taken for the collection, use, or disclosure of PII.
• Limiting Collection    The collection of PII must be limited to that which is needed for the purposes identified. PII must be collected by fair and lawful means.
• Limiting Use, Disclosure, and Retention –   Unless the Data Subject consents otherwise or it is required by law, PII must only be used or disclosed for the purposes for which it was collected. PII must only be kept as long as required to serve those purposes.
• Accuracy –   PII must be as accurate, complete, and up-to-date as possible in order to properly satisfy the purposes for which it is to be used.
• Safeguards –   PII must be protected by appropriate security relative to the sensitivity of the information.
• Openness  – Detailed information about policies and practices relating to the management of PII must be readily available.
• Individual Access –   Employees/Stakeholders must ensure there are appropriate mechanisms to deal with Data Subject’s requests. Upon request, an individual must be informed of the existence, use, and disclosure of their personal information and be given access to that information. Data Subject must be able to communicate and challenge the accuracy and completeness of the information and have it amended as appropriately.
• Challenging Compliance  – Digy4 must enable a Data Subject to be able to challenge an organization’s compliance with the above principles. Their challenge should be directed to the to the DPCT responsible for the organization’s compliance with PIPEDA.

For more details or any clarifications on the Canadian Privacy Laws please visit https://www.priv.gc.ca/en

• Data Retention – The employees/stakeholders shall not retain any PII for any longer than is necessary in light of the purpose(s) for which that data is collected, held, and processed. Different types of PII, will necessarily be retained for different periods (and its retention periodically reviewed), as set out in the data retention schedule. Compliance Officer shall be in charge of the data retention schedule. When establishing and/or reviewing retention periods, the following shall be taken into account by the Compliance Officer.

• Data Erasure– PII needs to be destroyed or de-indentified upon expiry of the data retention period.

• Data Breach Reporting. In any event of PII breach that has occurred due to theft of PII or any other reason, the employee/stakeholders shall immediately inform the Compliance Officer and provide him with all the required information about the data breach incident. The Compliance Officer will inform the DPCT, who will notify the Office of the Privacy Commissioner of Canada about the data breach incident.

Contents of Data breach notification. 

•         The identity and contact details of Digy4;
•          a description of the eligible data breach; and any other information as required.

Requirements under Canada’s Anti-Spam Law (“CASL”)

Applicability of CASL

• Digy4 to promote its offerings reaches out to prospects based out of Canada. CASL regulates the sending of commercial messages and prohibits unsolicited messages in Canada. In Addition to PIPEDA, Digy4 complies with the CASL obligations the below guidelines/principles detail the obligations under CASL which the employees/stakeholders need to follow while sending commercial communications.

Requirements under CASL

• Consent 
• The person to whom the message has been sent must have consented (express or implied) to the receiving such communications.
• Express consent must be obtained from individuals while providing the following information: the purpose for which consent is sought, identification details of Digy4 and information as set out under PIPEDA.
• Records of the obtained consent must be maintained by Digy4.

Contents of the message

• Sender Identification: The message must contain information that identifies Digy4 (and the employee/stakeholder) as the sender or the person on whose behalf the message has been sent.
• Contact information: The information provided in the message must enable the person to contact Digy4.
• Unsubscribe mechanism: An explicit unsubscribe mechanism as prescribed in CASL (captured in 2.4 below).

• Validity of Contact information: The contact information provided in the message must be valid for a minimum of 60 days after the message has been sent.

Unsubscribe mechanism

• The unsubscribe mechanism must enable the person at no cost, if they no longer wish to receive any commercial electronic messages.
• The unsubscribe mechanism must be via the same electronic means the message was sent.
• Additionally, a specific electronic address, link, web address which can be accessed through a web browser, allowing the individual to unsubscribe must be provided as a part of the mechanism.
• The web address must be valid for at least 60 days from sending the message.
• The unsubscribe request must be given effect no later than 10 business days after the person unsubscribes.

Withdrawal of Consent

• Digy4 must provide an email to which an individual may send a request to withdraw consent.
• The withdrawal request must be given effect no later than 10 business days after the person withdraws consent.

Additional precautions under CASL

• Contact lists: An internal list of persons who have unsubscribe and/or withdrawn consent must be maintained and implemented. Up to date contact lists must be maintained.
• Accurate records: Express or implied consent related evidence must be maintained internally.