1.1.  Objective

The purpose of this policy is to maintain the privacy of and protect the personal information of employees, contractors, vendors, interns, associates, customers and business partners of Sveer Consulting LLP applicable (hereafter referred to as “Sveer” or “Company”) and to ensure compliance with applicable laws and regulations.

1.2.  Scope

This Policy applies to all Company employees, contractors, vendors, interns, associates, customers and business partners who have personal information from Company, who have access to personal information collected or processed by Company, or who provide information to Company, regardless of geographic location. All employees are expected to support the privacy policy and principles when they collect and / or handle personal information, or are involved in the process of maintaining or disposing of personal information. This policy provides the information to successfully meet the organization’s commitment towards data privacy.

All partner firms and any Third-Party working for Company, and who have or may have access to personal information, will be expected to have read, understand and comply with this policy. No Third Party may access personal information held by the Company without having first entered into a confidentiality agreement.

1.3.  Responsibilities

The owner for the Data Privacy Policy shall be the Chief Technology Officer. The Chief Technology Officer shall be responsible for maintenance and accuracy of this policy. Any queries regarding the implementation of this policy shall be directed to the Chief Technology Officer.

This policy shall be reviewed for updates on an annual basis and shall be updated in-line with any major changes within the Company’s operating environment or on recommendations provided by internal/ external auditors.

1.4.  Policy Compliance

Compliance to the data privacy policy shall be reviewed on an annual basis by Privacy Review Team to ensure continuous compliance monitoring through the implementation of compliance measurements and periodic review processes. In cases, where non-compliance is identified, the Chief Technology officer shall review the reasons for such non-compliance along with a plan for remediation and report them to Privacy Review Team. Depending on the conclusions of the review, need for a revision to the policy may be identified. In instances of persistent non-compliance by the individuals concerned, they shall be subject to action in accordance with the Sveer Disciplinary Policy.

1.5. Data Privacy Principles

This Policy describes generally acceptable privacy principles (GAPP) for the protection and appropriate use of personal information at Sveer. These principles shall govern the use, collection, disposal and transfer of personal information, except as specifically provided by this Policy or as required by applicable laws:

Notice: Sveer shall provide data subjects with notice about how it collects, uses, retains, and discloses personal information about them.

Choice and Consent: Sveer shall give data subjects the choices and obtain their consent regarding how it collects, uses, and discloses their personal information.

Rights of Data subject: Sveer shall provide individuals with the right to control their personal information, which includes the right to access, modify, erase, restrict, transmit, or object to certain uses of their information and for withdrawal of earlier given consent to the notice.

Collection: Sveer shall collect personal information from data subjects only for the purposes identified in the privacy notice/ SoW / contract agreements and only to provide requested product or service.

Use, Retention and Disposal: Sveer shall only use personal information that has been collected for the purposes identified in the privacy notice/ SoW / contract agreements and in accordance with the consent that the data subject shall provide. Sveer shall not retain personal information longer than is necessary to fulfil the purposes for which it was collected and to maintain reasonable business records. Sveer shall dispose the personal information once it has served its intended purpose or as specified by the data subject.

Access: Sveer shall allow data subjects to make inquiries regarding the personal information about them, that Sveer shall hold and, when appropriate, shall provide access to their personal information for review, and/or update.

Disclosure to Third Parties: Sveer shall disclose personal information to Third Parties/ partner firms only for purposes identified in the privacy notice / SoW / contract agreements. Sveer shall disclose personal information in a secure manner, with assurances of protection by those parties, according to the contracts, laws and other segments, and, where needed, with consent of the data subject .

Obligations for Sub-processor: Where a processor (vendor or 3r d party acting on behalf of Sveer data processor) engages another processor (Sub-processor) for carrying out specific processing activities on behalf of Sveer (controller), the same data protection obligations as set out in the contract or other legal act between Sveer and the processor shall be imposed on the Sub processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of IT Act, 2008 / GDPR. Where the Sub-processor fails to fulfil its data protection obligations, the initial processor (relevant vendor or 3rd party acting on behalf of Sveer data processor) shall remain fully liable to Sveer for the performance of that Sub-processor’s obligations.

Quality: Sveer shall take steps to ensure that personal information in its records is accurate and relevant to the purposes for which it was collected.

Security for Privacy: Sveer shall protect personal information from unauthorized access, data leakage and misuse.

Monitoring and Enforcement: Sveer shall monitor compliance with its privacy policies, both internally and with Third Parties, and establish the processes to address inquiries, complaints and disputes.

1.6.  Notice

Notice shall be made readily accessible and available to data subjects before or at the time of collection of personal information or otherwise, notice shall be provided as soon as practical thereafter. Notice shall be displayed clearly and conspicuously and shall be provided through online (e.g. by posting it on the intranet portal, website, sending mails, newsletters, etc.) and / or offline methods (e.g. through posts, couriers, etc.). All the web sites (including Intranet portals), and any product or service that collects personal information internally, shall have a privacy notice. In case of any cross-border transfer of personal information, the data subjects shall be informed by a notice sufficiently prior to the transfer.

Privacy notices may include:

• Company’s operating jurisdictions; Third Parties involved; business segments and affiliates; lines of business; locations;
• Types of personal information collected; sources of information; who is collecting the personal information, including contact information;

1.7.  Choice and consent

Choice refers to the options the data subjects are offered regarding the collection and use of their personal information. Consent refers to their agreement to the collection and use, often expressed by the way in which they exercise a choice option.

• Sveer shall establish systems for the collection and documentation of data subject consents to the collection, processing, and/or transfer of personal data.

• Data subjects shall be informed about the choices available to them with respect to the collection, use, and disclosure of personal information.

• Consent shall be obtained {in writing or electronically) from the data subjects before or at the time of collecting personal information or as soon as practical thereafter.

• The changes to a data subject’s preferences shall be managed and documented. Consent or withdrawal of consent shall be documented appropriately.

• The choices shall be implemented in a timely fashion and respected. If personal information is to be used for purposes not identified in the notice / SoW / contract agreements at the time of collection, the new purpose shall be documented, the data subject shall be notified, and consent shall be obtained prior to such new use or purpose.

• The data subject shall be notified if the data collected is used for marketing purposes, advertisements, etc.

• Sveer shall review the privacy policies of the Third Parties and types of consent of Third Parties before accepting personal information from Third-Party data sources.

1.8.  Collection of Personal Information

Personal information may be collected online or offline. Regardless of the collection method, the same privacy protection shall apply to all personal information.

• Personal information shall not be collected unless either of the following is fulfilled:

The data subject has provided a valid, informed and free consent;

Processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;

Processing is necessary for compliance with the Company’s legal obligation;    

Processing is necessary in order to protect the vital interests of the data subject; or Processing is necessary for the performance of a task carried out in the public interest.

• Data subjects shall not be required to provide more personal information than is necessary for the provision of the product or service that data subject has requested or authorized. If any data not needed for providing a service or product is requested, such fields shall be clearly labelled as Collection of personal information shall be avoided or limited when reasonably possible.
• Personal information shall be de-identified when the purposes of data collection can be achieved without personally identifiable information, at reasonable cost .
• When using vendors to collect personal information on the behalf of Sveer, it shall ensure that the vendors comply with the privacy requirements as defined in this Policy.
• Sveer shall at minimum, annually review and monitor the information collected , the consent obtained and the notice/ SoW / contract agreement identifying the purpose.  
• The project team/support function shall obtain approval from the IT Security team before adopting the new methods for collecting personal information electronically.
• Sveer shall review the privacy policies and collection methods of Third-Parties before accepting personal information from Third-Party data sources.

1.9.  Use, Retention and Disposal

• Personal information may only be used for the purposes identified in the notice/ SoW / contract agreements and only if the data subject has given consent;
• Personal information shall be retained for as long as necessary for business purposes identified in the notice/ SoW / contract agreements at the time of collection or subsequently authorized by the data subjects.
• When the use of personal information is no longer necessary for business purposes, a method shall be in place to ensure that the information is destroyed in a manner sufficient to prevent unauthorized access to that information or is de-identified in a manner sufficient to make the data non-personally identifiable.
• Sveer shall have a documented process to communicate changes in retention periods of personal information required by the business to the data subjects who are authorized to request those changes.
• Personal information shall be erased if their storage violates any of the data protection rules or if knowledge of the data is no longer required by Sveer or for the benefit of the data subject. Additionally, Sveer has the right to retain the personnel information for legal and regulatory purpose and as per applicable data privacy laws.

1.10.      Access

Sveer shall establish a mechanism to enable and facilitate exercise of data subject’s rights of access, blockage, erasure, opposition, rectification, and, where appropriate or required by applicable law, a system for giving notice of inappropriate exposure of personal information.

• Data subjects shall be entitled to obtain the details about their own personal information upon a request made and set forth in writing. Sveer shall provide its response to a request within 72 hours of receipt of written request.
• The data subjects shall have the right to require Sveer to correct or supplement erroneous, misleading, outdated, or incomplete personal information.
• Requests for access to or rectification of personal information shall be directed, at the data subject’s option, to the manager of the projects team or support function responsible for the personal information.
• The privacy coordinators shall record and document each access request as it is received and the corresponding action taken.
• Sveer shall provide personal information to the data subjects in a plain simple format which is understandable (not in any code format).