CyRAACS’s business processes may require availability of communication and information systems across the company. The business processes may involve processing, sharing and use of multiple types of information including information about an individual whose identity is apparent (either directly and indirectly), or can be reasonably be ascertained from the information available or likely to be available (Personal Information).
This Policy outlines the general principles which underlie CyRAACS’s specific practices for collecting, using, disclosing, storing, retaining, disposing, accessing, transferring, or otherwise processing Personal Information.
This Policy applies to all CyRAACS personnel, Business Divisions, Teams, and wholly owned subsidiaries worldwide and (as transferred and agreed) with suppliers/business partners who must act consistently with the principles contained in the policy. Country and industry-specific laws and regulations shall take precedence over this policy, to the extent applicable.
CyRAACS is committed to protecting the privacy and confidentiality of Personal Information of its Employees (including prospects and contractors), Clients, Client Customers, Business Partners and other identifiable individuals that it may receive, use, access, process, transfer or store as part of its business. Uniform practices for collecting, using, disclosing, storing, retaining, disposing, accessing, transferring, or otherwise processing such information assists CyRAACS to process Personal Information fairly and appropriately.
CyRAACS may collect personal information from various persons as part of the services it may render to them, or in the course of its business. Based on the information being collected and nature of services or requirement, CyRAACS will apply suitable mechanisms to ensure that CyRAACS has a lawful basis for receiving, accessing, using, processing, transferring, storing and/or disposing such personal information.
4. General Privacy Principles
These general principles apply to the processing of Personal Information at CyRAACS.
CyRAACS understands its accountability and responsibility for any Personal Information that it may receive, use, process, store as part of its business. Accordingly, it will:
- have appropriate corporate instructions, guidelines, and other measures to be able to demonstrate that Personal Information is used/ stored / processed / retained / disposed / transferred in compliance with applicable law and other applicable guidelines.
- designate an individual or individuals who are accountable for the organization’s compliance with the Privacy principles; and ensure the availability of required policies, procedures, and contacts for management of personal information; these being reviewed at a minimum annually or as and when there is a change warranted.
Fairness and Purpose
CyRAACS will collect adequate, relevant, and necessary Personal Information, and will process such information fairly and lawfully for the purpose it is collected. The purpose of collection will be specified not later than at the time of data collection, or on each occasion of change of purpose.
CyRAACS will keep Personal Information as accurate, complete, and up to date as is necessary for the purpose for which it is processed; and provide appropriate channels for the same.
Disclosure and Data Sharing
CyRAACS will make Personal Information available inside or outside CyRAACS under appropriate circumstances for business purpose only or as authorized by law. This may require CyRAACS to transfer personal information to countries other than CyRAACS operation’s country of business (including transfer to other entities or third parties).
CyRAACS will implement privacy principles for the use / processing/ transfer / storing/ disposal of personal information as may be prescribed under applicable laws.
Cross-Border Data Flows:
When conducting business, working on Company projects, or implementing new processes or systems, an operation may require the transfer of personal information to other entities or third parties that are located outside of the CyRAACS operation’s country of business. While permissible data transfer mechanisms are defined by applicable law or regulation, examples include:
- a data transfer agreement with the party who will access or obtain the personal information; or
- notice to and/or approval from a country’s local data protection authority; or
notice to and/or consent from the individual whose data is to be transferred.
CyRAACS will implement reasonable technical and organizational measures to safeguard Personal Information and instruct third parties processing Personal Information on behalf of CyRAACS to process and manage it in a manner which is consistent with CyRAACS standards (for CyRAACS owned information) or CyRAACS Client standards (for Client information), as may be applicable.
Upon request, CyRAACS will, within a reasonable time, manner, and in a readily intelligible form provide individuals appropriate access to Personal Information retained by CyRAACS. CyRAACS has the right to deny the request; however, the reasons of denial will be provided. CyRAACS will erase, rectify, complete, or amend the data pursuant to a justified request.
Retention and Disposal:
CyRAACS will retain Personal information in a form that permits identification for no longer than as necessary for the fulfilment of the stated purpose and should be disposed thereafter.
CyRAACS will be transparent, and make readily available to individuals, specific information related to management of Personal Information.
CyRAACS will follow appropriate policies and practices agreed with its clients for the safe handling of Personal Information that it processes on behalf of its clients.
5. Enforcement and Redressal
CyRAACS will provide appropriate robust mechanisms for assuring compliance with the Principles, and address grievance and / or provide recourse for individuals who are affected by non-compliance with the Principles.
6. Contacting CyRAACS’s Data Privacy Office