Last Updated: 30/01/2024
GIPL is an Indian company registered under the Companies Act, 2013, with its registered office at 19 Raj Mahal, 84 Veer Nariman Road, Mumbai 400020. GIPL is a part of the Mahyco Grow® group of companies (“Mahyco Grow Group”).
The purpose of this policy is to provide detailed guidelines and practices to collect, protect, and maintain the privacy of personal information, including sensitive personal information and personally identifiable information, of persons who provide such information to GIPL (hereinafter “Providers”) and ensure compliance with applicable laws and regulations.
Sensitive Personal Data or Information is defined under Rule 3 of the Information Technology (Reasonable Security Practices & Procedures and Sensitive Personal Data or Information) Rules, 2011 (hereinafter “Rules”) as:
Sensitive personal data or information of a person means such personal information which consists of information relating to:
– financial information such as bank account or credit card or debit card or other payment instrument details
– physical, physiological and mental health condition
– sexual orientation
– medical records and history
– biometric information
– any detail relating to the above clauses as provided to the body corporate for providing service, and
– any of the information received under the above clauses by the body corporate for processing, stored, or processed under lawful contract or otherwise
Provided that, any information that is freely available or accessible in the public domain or furnished under the Right to Information Act, 2005, or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules.
Personal information is defined under Rule 2(i) of the Rules as:
‘Personal Information’ means any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.
Sensitive Personal Data or Information, Personal Information, and any other non-public personal information are together referred to hereinafter as “SPDI.”
This policy is applicable to all GIPL employees, as well as third parties such as contractors, vendors, interns, associates, customers, and business partners (“Third Parties”) who may receive SPDI, have access to SPDI collected or processed, or who provide such information to GIPL. GIPL is committed to compliance with applicable law on the privacy of data and information.
Obligations of GIPL relating to collection, use of and access to SPDI
No SPDI shall be collected by GIPL or its employees without obtaining the prior written consent of the Provider, which shall include informing the Provider of the purpose and usage of the SPDI to be collected, provided that the collection of SPDI and the purpose and usage thereof are compliant with the Rules. The Rules are attached to this policy as ‘Schedule 1’.
All GIPL employees and any Third Party working with or for GIPL who have or may have access to SPDI shall read, understand, and comply with this policy and the Rules. No Third Party may access SPDI held by GIPL without having first entered into a confidentiality agreement, and only provided that the Provider has accorded his/her prior written consent for the same.
SPDI may only be collected for a lawful purpose connected with a function or activity of GIPL, only if necessary for that purpose, and may only be used for that purpose. SPDI may only be retained by GIPL for as long as it is required for the said purpose and no longer, or as otherwise required by law. SPDI may be reviewed by the Provider on request and, where feasible, corrected or amended if found inaccurate or deficient, but GIPL shall not be responsible for the authenticity of the SPDI as provided by the Provider.
Prior to the collection of information, including SPDI, from a Provider, GIPL or the employee collecting such information shall give the Provider the option not to provide the information sought to be collected. The Provider shall also be given the option to withdraw his/her consent previously given, provided that the withdrawal of consent shall be given in writing to the registered office address of GIPL given above and addressed to the Grievance Officer, whose name and address are provided below. In the event of withdrawal of consent previously given or non-provision of consent, GIPL shall have the option not to provide the goods or services for which the SPDI was sought to be collected.
Obligations of GIPL relating to security of SPDI
SPDI shall be kept protected from unauthorized access, leaks, and misuse.
GIPL shall keep SPDI secure as per the obligations detailed in Rule 8 of the Rules. GIPL shall implement and maintain security standards, procedures, and practices commensurate with industry standards such as the IS/ISO/IEC codes of best practice for data protection.
SPDI security shall be the responsibility of the Information Technology Department of GIPL, which shall implement the security procedures and processes for GIPL as well as develop processes to respond to inquiries and address and resolve unauthorized access, leaks, and misuse.
The Information Technology Department of GIPL shall also be responsible for ensuring regular and independent reviews of the security practices and procedures by third-party auditors duly approved by the Central Government.
Obligations of GIPL relating to disclosure and transfer of SPDI
Except where disclosure is necessary for compliance with a legal obligation, SPDI shall not be disclosed by GIPL or any GIPL employee to any Third Party without the prior written permission of the Provider; such permission may be obtained either at the time of collection of the SPDI or at the time of disclosure to the Third Party. For the purposes of granting GIPL permission to disclose, the Provider shall be informed of the name of the Third Party transferee, the type of SPDI being disclosed, the purpose of such disclosure, and the location of the Third Party transferee.
Where GIPL is obliged to disclose SPDI to government agencies mandated to collect such information, prior written consent of the Provider shall not be required.
SPDI may only be transferred to a third party, whether in India or in any other country, that ensures the same level of data protection adhered to by GIPL.
Any third party to whom SPDI is disclosed shall not and is not permitted to disclose it further to any other person.
GIPL shall address all discrepancies in SPDI and grievances of Providers in a time-bound manner but in any event within a month from the date of receipt of the grievance or escalate it per the breach management policy. The Grievance Officer appointed for this purpose is:
Mr. Mahendra Chavan
Mailing address: Jalna-Aurangabad Road, Dawalwadi, MH 431202
Email address: email@example.com
Prior informed consent (“PIC”)
A PIC form shall be developed by GIPL for obtaining the prior written consent of the Provider and shall include informing the Provider regarding –
1. Clear and easily accessible statements of its practices and policies.
2. GIPL’s business and areas of operation.
3. Types of personal information to be collected, where such information is to be obtained from, and who will collect the SPDI.
4. The purpose and usage of the SPDI to be collected.
5. Assurance that SPDI will be securely maintained and protected from unauthorized access and leak.
6. The SPDI will be used only for the purpose identified unless otherwise mandated by law or regulation.
7. Reasonable security practices and procedures as provided under the law.
8. Intended recipients of the information.
9. The name and address of the agency that is collecting the information and the agency that will retain the information.
10. The Provider has the option to refuse to provide SPDI or withdraw consent even after having provided it and the process to be followed to exercise the options.
11. The process for a Provider to change his / her contact details.
12. If there is to be any onward transfer to Third Parties, who such Third Parties are, their business, location, and security measures for protection of SPDI.
13. Assurance that the SPDI will be retained only as long as necessary to fulfill the purposes, or for a period specifically required by law or regulation, and will be disposed of securely or anonymized after the completion of the purpose.
14. Process for a Provider to request access to SPDI and the costs, if any, for the same.
15. Process to review / correct the SPDI.
16. Provision for resolution of any discrepancies and grievances with respect to processing of information.
17. The name and contact details of the Grievance Officer.
18. How users will be notified of any changes made to the privacy notice.
19. Consequences of not providing the requested information.
Policy Clause 8: Obligations of GIPL related to choice and consent of the Providers
1. Choice refers to the options the Providers are offered regarding the collection and use of SPDI. Consent refers to the agreement of the Providers to such collection and use of SPDI.
2. GIPL shall establish protocols and procedures for the collection and documentation of Provider’s consent to the collection, processing, and/or transfer of SPDI as well as procedure in the event consents are withdrawn after having been given.
3. GIPL shall review the privacy policies of the Third Parties and types of consent obtained by Third Parties before accepting SPDI from Third-Party sources.
Collection of SPDI
A. After obtaining consent in writing through letter or fax or email from the Provider, SPDI may be collected online or offline. Regardless of the collection method, the same privacy protection shall apply to all SPDI.
1. SPDI shall not be collected unless at least one of the following is fulfilled:
a. The Provider has provided a valid, informed and free consent.
b. Collection of SPDI is necessary for the performance of a contract to which the Provider is a party or in order to take steps at the request of the Provider prior to entering into a contract.
c. Collection of SPDI is necessary for compliance with GIPL’s legal obligations, or
d. Collection of SPDI is necessary for the performance of a task carried out in the public interest.
2. Providers shall not be required to provide more SPDI than is necessary for the provision of the product or service that the Provider has requested or authorized. If any data not needed for providing a service or product is requested, such fields shall be clearly labeled as optional. Collection of SPDI shall be avoided or limited when reasonably possible.
3. SPDI shall be anonymized when the purposes of data collection can be achieved without personally identifiable information, at reasonable cost.
4. When vendors are used by GIPL to collect SPDI on its behalf, GIPL shall ensure that the vendors comply with the privacy requirements of GIPL as defined in this policy.
5. GIPL shall, at a minimum, annually review and monitor the SPDI collected, the consent obtained and the purpose for which the SPDI was collected.
6. The project team/support function shall obtain approval from the Information Technology Department before adopting new methods for collecting personal information electronically.
7. GIPL shall review the privacy policies and collection methods of Third Parties before accepting SPDI from Third-Party sources.
Use, Retention and Disposal of SPDI
1. SPDI may only be used for the purposes identified and only if the Provider has given its consent.
2. SPDI shall be retained only for as long as necessary for business purposes identified at the time of collection or subsequently authorized by the Providers.
3. When the use of SPDI is no longer necessary for the purposes for which it was collected, a method shall be in place to ensure that the SPDI is destroyed or is anonymized in a manner sufficient to make the SPDI non-personally identifiable.
4. GIPL shall have a documented process to communicate changes in retention periods of SPDI required by the business to the Providers who are authorized to request those changes.
5. SPDI shall be erased if its storage violates any of the data protection rules or if knowledge of the data is no longer required by GIPL or for the benefit of the Provider. GIPL reserves the right to retain SPDI for legal and regulatory purposes and as per applicable data privacy laws.
6. GIPL shall perform an internal audit on an annual basis to ensure that personal information collected is used, retained, and disposed of in compliance with this policy.
A. GIPL shall establish a system to enable and facilitate the exercise of Providers’ rights of access, review, rectification, and withdrawal of consent and, where appropriate or required by applicable law, a system for giving notice of inappropriate exposure of SPDI.
1. Providers shall be entitled to obtain the details about their own personal information upon a request made and set forth in writing to the registered office address of GIPL given above in this policy and addressed to the Grievance Officer. GIPL shall provide its response to a request within 72 hours of receipt of such written request.
2. Providers have the right to require GIPL to correct or supplement erroneous, misleading, outdated, or incomplete SPDI.
3. Requests for access to or rectification of SPDI shall be directed to the Grievance Officer.
4. Each access request shall be recorded and documented as it is received and the corresponding action taken.
5. GIPL shall provide SPDI to the Providers in a simple, understandable format and not in any code.
Disclosure to Third Parties:
A. Disclosure to Third Parties
Providers shall be informed in the PIC form if SPDI shall be disclosed to Third Parties, and it shall be disclosed only for the purposes described in such form and for which the Provider has provided its consent.
1. SPDI of Providers may be disclosed to Third Parties only after obtaining their consent with respect to such transfer and for reasons consistent with the purposes identified or other purposes authorized by law.
2. Providers are assured that such transfer may be allowed only if it is necessary for the performance of the lawful contract between GIPL, or any person on its behalf, and the Provider of information.
3. GIPL shall be satisfied that the Third Parties will ensure the same level of data protection that is adhered to by GIPL, as provided for under the law.
4. GIPL shall notify the Providers prior to disclosing SPDI to Third Parties for purposes not previously identified to the Provider in the PIC form.
5. GIPL shall communicate privacy practices, procedures, and the requirements for data privacy and protection to the Third Parties.
6. The Third Parties shall sign a confidentiality and non-disclosure agreement (“CNDA”) with GIPL before any SPDI is disclosed to such Third Parties, including the terms on non-disclosure of SPDI.
SPDI security policy and procedures shall be documented and implemented to ensure reasonable security for SPDI collected, stored, used, transferred, and disposed of by GIPL.
1. Information labeling and handling guidelines shall include controls specific to the storage, retention, and transfer of SPDI.
2. GIPL’s Information Technology Department shall establish procedures that maintain the security of SPDI.
3. GIPL’s Information Technology Department shall establish procedures that ensure protection of SPDI against accidental disclosure due to natural disasters and environmental hazards.
4. Incident response protocols shall be established and maintained to deal with incidents concerning SPDI or privacy practices.
5. Anyone noticing or becoming aware of any breach of SPDI shall notify the Information Technology Department of GIPL immediately. It shall be the responsibility of this department to act on the intimation of the same immediately and in any event within 6 hours of the receipt of information of the breach.
Monitoring and Enforcement
A. (Dispute Resolution and Recourse)
1. Privacy-related incidents and breaches are addressed by an SPDI breach management policy which includes the following:
a. A clear escalation path from the Grievance Officer up to the senior management, legal counsel / group legal office, and the board based on type and/or severity of the privacy incident / breach. A process to register all the incidents/complaints and queries related to data privacy is defined therein.
b. GIPL shall perform a periodic review of all the complaints related to SPDI privacy to ensure that all the complaints are resolved in a timely manner and resolutions are documented and communicated to the Providers.
c. The law mandates that the Grievance Officer shall redress the grievances of the Provider of information expeditiously, but within one month from the date of receipt of the grievances.
d. An escalation process for complaints unresolved at the level of the Grievance Officer for the period of one month, and disputes, shall be designed and documented.
e. Communication of privacy incident / breach reporting channels and the escalation path shall be provided to all Providers.
B. (Dispute Resolution and Escalation Process for Employees of GIPL)
– Employees with inquiries or complaints about the processing of their SPDI shall first discuss the matter with their immediate supervisor. If the employee does not wish to raise an inquiry or complaint with an immediate manager, or if the manager and employee are unable to reach a satisfactory resolution of the issues raised, the employee shall bring the issue to the attention of the Grievance Officer.
C. (Dispute Resolution and Escalation Process for Providers and Third Parties)
– Providers and Third Parties with inquiries or complaints about the processing of their SPDI shall bring the matter to the attention of the Grievance Officer in writing. Any disputes concerning the processing of the SPDI of non-employees shall be resolved through arbitration under the Arbitration and Conciliation Act, 1996.
A. A privacy review team shall conduct an internal audit annually (at minimum) to ensure compliance with the established privacy policies and applicable laws.
1. The internal audit shall consist of the review of the following:
a. SPDI collected from Providers.
b. The purposes of the SPDI collection and processing.
c. The actual uses of the SPDI.
d. Disclosures made about the purposes of the collection and use of such SPDI.
e. The existence and scope of any Provider consents to such activities.
f. Any legal obligations regarding the collection and processing of such SPDI.
g. The scope, sufficiency, and implementation status of security measures.
2. The privacy review team shall document all instances of non-compliance with privacy policies and procedures and report the same to the management of GIPL.
3. The Grievance Officer along with the Information Technology Department shall take actions on the findings from the internal audit and work on the recommendations for improvement.
4. Any changes made to the policies shall be communicated to all the employees, the stakeholders and the customers / clients.