EFMFM


DATA PRIVACY POLICY

OBJECTIVE
The purpose of this policy is to maintain the privacy of and protect the personal information of employees, contractors, vendors, interns, associates, customers and business partners of NGFV India Private Ltd. and ensure compliance with laws and regulations applicable to NGFV India Private Ltd. (hereafter referred to as “NGFV” or “the organization”).

SCOPE
This policy is applicable to all NGFV employees, contractors, vendors, interns, associates, customers and business partners who may receive personal information, have access to personal information collected or processed, or who provide information to the organization.

This Policy applies to all NGFV employees, contractors, vendors, interns, associates, customers and business partners who receive personal information from NGFV, who have access to personal information collected or processed by NGFV, or who provide information to NGFV, regardless of geographic location. All employees of NGFV are expected to support the privacy policy and principles when they collect and / or handle personal information or are involved in the process of maintaining or disposing of personal information. This policy provides the information to successfully meet the organization’s commitment towards data privacy and meeting the GDPR Compliance Plan (Annexure 1).

All partner firms and any Third Party working with or for NGFV, and who have or may have access to personal information, will be expected to have read and understood this policy and to comply with it. No Third Party may access personal information held by the organization without having first entered into a confidentiality agreement.

RESPONSIBILITIES
The owner for the Data Privacy Policy shall be the Data Privacy Officer. The Data Privacy Officer shall be responsible for maintenance and accuracy of this policy. Any queries regarding the implementation of this Policy shall be directed to the Data Privacy Officer.

This policy shall be reviewed for updates by the Data Privacy Officer on an annual basis. Additionally, the data privacy policy shall be updated in line with any major changes within the organization’s operating environment or on recommendations provided by internal / external auditors.

POLICY COMPLIANCE
Compliance with the data privacy policy shall be reviewed on an annual basis by the Privacy Review Team to ensure continuous compliance monitoring through the implementation of compliance measurements and periodic review processes. For proactive detection of data breaches, please refer to the breach management policy.

In cases where non-compliance is identified, the Data Privacy Officer shall review the reasons for such non-compliance along with a plan for remediation and report them to the Privacy Review Team. Depending on the conclusions of the review, need for a revision to the policy may be identified. In instances of persistent non-compliance by the individuals concerned, they shall be subject to action in accordance with the NGFV Disciplinary Policy.

DATA PRIVACY PRINCIPLES
This Policy describes generally acceptable privacy principles (GAPP) for the protection and appropriate use of personal information at NGFV. These principles shall govern the use, collection, disposal and transfer of personal information, except as specifically provided by this Policy or as required by applicable laws:

  • Notice: NGFV shall provide data subjects with notice about how it collects, uses, retains, and discloses personal information about them (Annexure 2).
  • Choice and Consent: NGFV shall give data subjects the choices and obtain their consent regarding how it collects, uses, and discloses their personal information.
  • Rights of Data subject: NGFV shall provide individuals with the right to control their personal information, which includes the right to access, modify, erase, restrict, transmit, or object to certain uses of their information and for withdrawal of earlier given consent to the notice.
  • Collection: NGFV shall collect personal information from data subjects only for the purposes identified in the privacy notice / SoW / contract agreements and only to provide requested product or service.
  • Use, Retention and Disposal: NGFV shall only use personal information that has been collected for the purposes identified in the privacy notice / SoW / contract agreements and in accordance with the consent that the data subject shall provide. NGFV shall not retain personal information longer than is necessary to fulfil the purposes for which it was collected and to maintain reasonable business records. NGFV shall dispose the personal information once it has served its intended purpose or as specified by the data subject.
  • Access: NGFV shall allow data subjects to make inquiries regarding the personal information about them, that NGFV shall hold and, when appropriate, shall provide access to their personal information for review, and/or update.
  • Disclosure to Third Parties: NGFV shall disclose personal information to Third Parties / partner firms only for purposes identified in the privacy notice / SoW / contract agreements. NGFV shall disclose personal information in a secure manner, with assurances of protection by those parties, according to the contracts, laws and other segments, and, where needed, with consent of the data subject.
  • Obligations for Sub-processor: Where a processor (vendor or 3rd party acting on behalf of NGFV’s data processor) engages another processor (Sub-processor) for carrying out specific processing activities on behalf of NGFV (controller), the same data protection obligations as set out in the contract or other legal act between NGFV and the processor shall be imposed on the Sub-processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of GDPR. Where the Sub-processor fails to fulfil its data protection obligations, the initial processor (relevant vendor or 3rd party acting on behalf of NGFV’s data processor) shall remain fully liable to NGFV for the performance of that Sub-processor’s obligations.
  • Security for Privacy: NGFV shall protect personal information from unauthorized access, data leakage and misuse.
  • Quality: NGFV shall take steps to ensure that personal information in its records is accurate and relevant to the purposes for which it was collected.
  • Monitoring and Enforcement: NGFV shall monitor compliance with its privacy policies, both internally and with Third Parties, and establish the processes to address inquiries, complaints and disputes.

NOTICE
Notice shall be made readily accessible and available to data subjects before or at the time of collection of personal information or otherwise, notice shall be provided as soon as practical thereafter. Notice shall be displayed clearly and conspicuously and shall be provided through online (e.g. by posting it on the intranet portal, website, sending mails, newsletters, etc.) and / or offline methods (e.g. through posts, couriers, etc.). All the web sites (including Intranet portals), and any product or service that collects personal information internally, shall have a privacy notice.

In case of any cross-border transfer of personal information, the data subjects shall be informed by a notice sufficiently prior to the transfer.

Privacy notices may include:

  • the organization’s operating jurisdictions; Third Parties involved; business segments and affiliates; lines of business; locations;
  • types of personal information collected; sources of information; who is collecting the personal information, including contact information;
  • the purpose of collecting the personal information;
  • assurance that the personal information will be used only for the purpose identified in the notice and only if the implicit and / or explicit consent is provided unless a law or regulation specifically requires otherwise;
  • any choices the data subject has regarding the use or disclosure of the information; the process the data subject shall follow to exercise the choices;
  • the process for a data subject to change contact preferences and ways in which the consent is obtained.
  • collection process and how the information is collected; how the information is used including any onward transfer to Third-Parties;
  • retention and disposal process for personal information; assurance that the personal information will be retained only as long as necessary to fulfill the stated purposes, or for a period specifically required by law or regulation, and will be disposed of securely or made anonymous once the identified purpose is completed;
  • process of accessing personal information; the costs associated for accessing personal information (if any); process to update / correct the personal information; the resolution of disagreements related to personal information; how the information is protected from unauthorized access or use;
  • how users will be notified of any changes made to privacy notice;
  • disclosure process for Third Parties; the assurance that the personal information is disclosed to Third Parties only for the purpose identified; the remedial actions in place for any misuse of personal information by the Third Parties;
  • security measures in place to protect the personal information; ways of maintaining quality of personal information;
  • monitoring and enforcement mechanisms in place; description of the complaint channels available to data subjects; how the internal personnel, key stakeholders and the customers can contact the Company related to any privacy complaints or breaches; relevant contact information and / or other reporting methods through which the complaints and/or breaches could be registered;
  • Consequences of not providing the requested information.

CHOICE AND CONSENT
Choice refers to the options that data subjects are offered regarding the collection and use of their personal information. Consent refers to their agreement to the collection and use, often expressed by the way in which they exercise a choice option.

  • NGFV shall establish systems for the collection and documentation of data subject consents to the collection, processing, and/or transfer of personal data.
  • Data subjects shall be informed about the choices available to them with respect to the collection, use, and disclosure of personal information.
  • Consent shall be obtained (in writing or electronically) from the data subjects before or at the time of collecting personal information or as soon as practical thereafter.
  • The changes to a data subject’s preferences shall be managed and documented. Consent or withdrawal of consent shall be documented appropriately.
  • The choices shall be implemented in a timely fashion and respected. If personal information is to be used for purposes not identified in the notice / SoW / contract agreements at the time of collection, the new purpose shall be documented, the data subject shall be notified, and consent shall be obtained prior to such new use or purpose.
  • The data subject shall be notified if the data collected is used for marketing purposes, advertisements, etc.
  • NGFV shall review the privacy policies of the Third Parties and types of consent of Third Parties before accepting personal information from Third-Party data sources.

COLLECTION OF PERSONAL INFORMATION
Personal information may be collected online or offline. Regardless of the collection method, the same privacy protection shall apply to all personal information.

  • Personal information shall not be collected unless one of the following is fulfilled:
    • the data subject has provided a valid, informed and free consent;
    • processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
    • processing is necessary for compliance with the organization’s legal obligation;
    • processing is necessary in order to protect the vital interests of the data subject; or
    • processing is necessary for the performance of a task carried out in the public interest.
  • Data subjects shall not be required to provide more personal information than is necessary for the provision of the product or service that the data subject has requested or authorized. If any data not needed for providing a service or product is requested, such fields shall be clearly labelled as optional. Collection of personal information shall be avoided or limited when reasonably possible.
  • Personal information shall be de-identified when the purposes of data collection can be achieved without personally identifiable information, at reasonable cost.
  • When using vendors to collect personal information on the behalf of NGFV, it shall ensure that the vendors comply with the privacy requirements of NGFV as defined in this Policy.
  • NGFV shall at minimum, annually review and monitor the information collected, the consent obtained and the notice / SoW / contract agreement identifying the purpose.
  • The project team/support function shall obtain approval from the IT Security team before adopting the new methods for collecting personal information electronically.
  • NGFV shall review the privacy policies and collection methods of Third Parties before accepting personal information from Third-Party data sources.

USE, RETENTION AND DISPOSAL

  • Personal information may only be used for the purposes identified in the notice / SoW / contract agreements and only if the data subject has given consent.
  • Personal information shall be retained for as long as necessary for business purposes identified in the notice / SoW / contract agreements at the time of collection or subsequently authorized by the data subjects.
  • When the use of personal information is no longer necessary for business purposes, a method shall be in place to ensure that the information is destroyed in a manner sufficient to prevent unauthorized access to that information or is de-identified in a manner sufficient to make the data non-personally identifiable.
  • NGFV shall have a documented process to communicate changes in retention periods of personal information required by the business to the data subjects who are authorized to request those changes.
  • Personal information shall be erased if its storage violates any of the data protection rules or if knowledge of the data is no longer required by NGFV or for the benefit of the data subject. Additionally, NGFV has the right to retain the personnel information for legal and regulatory purposes and as per applicable data privacy laws.
  • NGFV shall perform an internal audit on an annual basis to ensure that personal information collected is used, retained and disposed of in compliance with the organization’s data privacy policy.

ACCESS
NGFV shall establish a mechanism to enable and facilitate exercise of data subject’s rights of access, blockage, erasure, opposition, rectification, and, where appropriate or required by applicable law, a system for giving notice of inappropriate exposure of personal information.

  • Data subjects shall be entitled to obtain the details about their own personal information upon a request made and set forth in writing. NGFV shall provide its response to a request within 72 hours of receipt of written request.
  • The data subjects shall have the right to require NGFV to correct or supplement erroneous, misleading, outdated, or incomplete personal information.
  • Requests for access to or rectification of personal information shall be directed at the data subject’s option, to the manager of the projects team or support function responsible for the personal information.
  • The privacy coordinators shall record and document each access request as it is received, and the corresponding action taken.
  • NGFV shall provide personal information to the data subjects in a plain simple format which is understandable (not in any code format).

DISCLOSURE TO THIRD PARTIES
Data Subject shall be informed in the privacy notice / SoW / contract agreement, if personal information shall be disclosed to Third Parties / partner firms, and it shall be disclosed only for the purposes described in the privacy notice / SoW / contract agreements and for which the data subject has provided consent.

  • Personal information of data subjects may be disclosed to the Third Parties / partner firms only for reasons consistent with the purposes identified in the notice / SoW / contract agreements or other purposes authorized by law.
  • NGFV shall notify the data subjects prior to disclosing personal information to Third Parties / partner firms for purposes not previously identified in the notice / SoW / contract agreements.
  • NGFV shall communicate the privacy practices, procedures and the requirements for data privacy and protection to the Third Parties / partner firms.
  • The Third Parties shall sign an NDA (Non-Disclosure Agreement) with NGFV before any personal information is disclosed to the Third Parties / partner firms. The NDA shall include the terms on non-disclosure of customer information.

SECURITY
Information security policy and procedures shall be documented and implemented to ensure reasonable security for personal information collected, stored, used, transferred, and disposed by NGFV.

  • Information asset labelling and handling guidelines shall include controls specific to the storage, retention and transfer of personal information.
  • Management shall establish procedures that maintain the logical and physical security of personal information.
  • Management shall establish procedures that ensure protection of personal information against accidental disclosure due to natural disasters and environmental hazards.
  • Incident response protocols are established and maintained in order to deal with incidents concerning personal data or privacy practices.
  • Individuals noticing or becoming aware of any breach of personal data shall notify the DPO (by email) within 2 hours. It shall be the DPO’s responsibility to analyze and act on the intimation of the same within 12 hours.

QUALITY
NGFV shall maintain data integrity and quality, as appropriate for the intended purpose of personal data collection and use and ensure data is reliable, accurate, complete, and current.

  • For this purpose, the data privacy officer and privacy coordinators shall have systems and procedures in place to ensure that personal information collected is accurate and complete for the business purposes for which it is to be used.
  • NGFV shall perform an annual assessment on the personal information collected to check for accuracy, completeness and relevance of the personal information.

MONITORING AND ENFORCEMENT
Dispute Resolution and Recourse
NGFV shall define and document an Incident and Breach Management policy which addresses the privacy related incidents and breaches.

  • The incident and breach management program includes a clear escalation path up to the executive management, legal counsel, and the board based on type and/or severity of the privacy incident/breach. It shall define a process to register all the incidents/complaints and queries related to data privacy.
  • NGFV shall perform a periodic review of all the complaints related to data privacy to ensure that all the complaints are resolved in a timely manner and resolutions are documented and communicated to the data subjects.
  • An escalation process for unresolved complaints and disputes shall be designed and documented.
  • Communication of privacy incident / breach reporting channels and the escalation matrix shall be provided to all the data subjects.

DISPUTE RESOLUTION AND ESCALATION PROCESS FOR EMPLOYEES
Employees with inquiries or complaints about the processing of their personal information shall first discuss the matter with their immediate supervisor. If the employee does not wish to raise an inquiry or complaint with an immediate manager, or if the manager and employee are unable to reach a satisfactory resolution of the issues raised, the employee shall bring the issue to the attention of the Grievance Officer.

DISPUTE RESOLUTION AND ESCALATION PROCESS FOR CUSTOMER / THIRD PARTY CUSTOMERS
Third Parties with inquiries or complaints about the processing of their personal information shall bring the matter to the attention of the Grievance Officer in writing. Any disputes concerning the processing of the personal information of non-employees shall be resolved through arbitration.

COMPLIANCE REVIEW
Privacy Review Team shall conduct an internal audit annually (at minimum) to ensure compliance with the established privacy policies and applicable laws.

  • The internal audit shall consist of the review of the following:
    • personal information collected from data subjects;
    • the purposes of the data collection and processing;
    • the actual uses of the data;
    • disclosures made about the purposes of the collection and use of such data;
    • the existence and scope of any data subject consents to such activities;
    • any legal obligations regarding the collection and processing of such data; and
    • the scope, sufficiency, and implementation status of security measures.
  • The Privacy Review Team shall document all the instances of non-compliance with privacy policies and procedures and report the same to the Privacy Management committee.
  • The Data Privacy Officer along with Privacy Coordinators shall take actions on the findings from the internal audit and work on the recommendations for improvement of the privacy posture.
  • Any changes made to the policies shall be communicated to all the employees, the stakeholders and the customers / clients.

GLOSSARY

GDPR Compliance Plan

NGFV is committed to compliance with the General Data Protection Regulation (GDPR). The regulation contains the most significant changes to European data privacy legislation in the last 20 years. It is designed to give EU citizens more control over their data and seeks to unify a number of existing privacy and security laws under one comprehensive law.

Privacy policy – Individuals have the following rights:

  • To access and export their personal data
  • To delete their personal data
  • To correct errors in their personal data
  • To oppose the processing of their personal data

Audits and disclosures – Companies and organizations must:

  • Protect personal data by taking appropriate security measures
  • Communicate violations of personal data to authorities
  • Receive consent to the collection and processing of personal data
  • Keep records that provide detailed information on data processing activities

Transparency – Companies and organizations must implement policies that:

  • Provide clear disclosure for data collection
  • Describe the reason and the cases of processing your personal data
  • Set up data retention and deletion policies

Seven Privacy Principles for Collection of Personal Data

  • Lawful, Fair and Transparent – Data processing must not violate the GDPR tests.
  • Limit your Purpose – Only collect data for “specified, explicit and legitimate” purposes and no others without further consent.
  • Minimize Collection – Limit the amount of data you collect to what’s adequate and relevant for the purpose.
  • Be Accurate – Make sure the data you collect is accurate and kept up to date.
  • Limit Storage Time – Keep data for no longer than necessary and remove data after it’s no longer required.
  • Integrity, Protection and Confidentiality – Handle data carefully so as to secure it against loss, damage and destruction.
  • Accountability – Controllers must take responsibility for their processing of personal data and how they comply with the GDPR, and be able to demonstrate (through appropriate records and measures) their compliance.

Employee Privacy Notice

Who We Are
NGFV gathers and processes your personal information in accordance with this privacy notice and in compliance with the relevant data protection Regulation and laws. This notice provides you with the necessary information regarding your rights and our obligations, and explains how, why and when we process your personal data.

Why do we collect your personal information?
NGFV processes your personal information to meet our legal, statutory and contractual obligations and to enable us to recruit, employ and train you in the course of your employment with us. We will never collect any unnecessary personal data from you and do not process your information in any way, other than as specified in this notice.

The personal data that we collect can be:

  • Name
  • Date of Birth
  • Home Address
  • Personal Email
  • Home Telephone Number
  • Mobile Telephone Number
  • Passport
  • Professional References
  • In certain cases, permits and visas
  • Financial information (including but not limited to payroll details and terms)
  • Photograph for inclusion with internal CV

We collect information in the below ways:

  • Submitted CVs
  • Job Forums & Recruitment Agencies
  • Direct from Candidates & Employees
  • Electronic Vacancy Applications
  • Postal and Email Applications

How We Use Your Personal Data (Legal Basis for Processing)

NGFV takes your privacy very seriously and will never disclose, share or sell your data without your consent unless required to do so by law. We only retain your data for as long as is necessary and for the purpose(s) specified in this notice. The purposes and reasons for processing your personal data are detailed below:

  • We process your personal data in the performance of a contract as your employer, to ensure that we meet our legal employer obligations and the requirements of employment law
  • We process your personal data as part of our legal obligation for business accounting, payroll and tax purposes
  • We process your personal data as part of our contractual obligations with our customers, to ensure that any restrictions or conditions laid down by customers are complied with
  • For determining eligibility for hiring, including the verification of references and qualifications and, where permitted by law, administering background checks
  • Complying with laws and regulations (e.g., labor and employment laws, health and safety, tax, anti-discrimination laws), under judicial authorization, or to exercise or defend legal rights.
  • IT security and administration

Your Rights
You have the right to access any personal information that NGFV processes about you and to request information about:

  • What personal data we hold about you
  • The purposes of the processing
  • The categories of personal data concerned
  • The recipients to whom the personal data has/will be disclosed
  • How long we intend to store your personal data for
  • If we did not collect the data directly from you, information about the source

If you believe that we hold any incomplete or inaccurate data about you, you have the right to ask us to correct and/or complete the information and we will strive to do so as quickly as possible; unless there is a valid reason for not doing so, at which point you will be notified.

You also have the right to request erasure of your personal data or to restrict processing in accordance with the data protection laws. Where applicable, you have the right to data portability of your information.

If we receive a request from you to exercise any of the above rights, we will ask you to verify your identity before acting on the request; this is to ensure that your data is protected and kept secure.

Sharing and Disclosing Your Personal Information
We do not share or disclose any of your personal information without your consent, other than for the purposes specified in this notice or where there is a legal requirement.

Safeguarding Measures
NGFV takes your privacy seriously and takes every reasonable measure and precaution to protect and secure your personal data. We work hard to protect you and your information from unauthorized access, alteration, disclosure or destruction and have several layers of security measures in place.

Transfers Outside the Country
Your personal data may be collected, used, processed, stored or disclosed by us and our service providers outside your home jurisdiction, including in the U.S., and in some cases, other countries. These countries may have data protection laws that are different from the laws of your country. NGFV only transfers personal data to another country, including within the NGFV corporate family, in accordance with applicable privacy laws, and provided there is adequate protection in place for the data. Personal data in the European Union is protected by the General Data Protection Regulation (GDPR) but some other countries may not necessarily have the same high standard of protection for your personal data.

Consequences of Not Providing Your Data
You are not obligated to provide your personal information to NGFV; however, as this information is required for us to employ you, we will not be able to offer employment without certain personal information.

How Long We Keep Your Data
NGFV only ever retains personal information for as long as is necessary and we have strict review and retention policies in place to meet these obligations.

Revisions to This Privacy Notice
We may, from time to time, make updates or changes to this privacy notice because of changes in applicable laws or regulations or because of changes in our personal data practices. We will give you notice of any material changes that impact your personal data, and where consent is necessary to make a change apply to our practices with respect to your personal data, we will not apply the changes to your personal data until we have that consent.
You can see when this Privacy Notice was last updated by checking the “last updated” date displayed at the beginning of this Privacy Notice.

Lodging A Complaint
NGFV only processes your personal information in compliance with this privacy notice and in accordance with the relevant data protection laws. If, however, you wish to raise a complaint regarding the processing of your personal data or are unsatisfied with how we have handled your information, please contact:

NGFV Data Protection Officer
NGFV India Private Ltd.
B-91, Panchsheel Vihar, Khirki Extn., (Behind Triveni complex)
Sheikh Sarai Phase – 1
New Delhi – 110017,