Introduction
ContractPodAi and its associated operations in India (“CPSL”) collect and use information about individuals (‘personal data’) in the course of business. Data protection legislation gives individuals the right to know what information is held about them and it provides a framework to ensure that personal information is handled properly. This policy sets out our expectations regarding the control of personal data handled by ContractPodAi. This includes employee, contractor, applicant, customer, prospective customer, and claimant data. It is important that data is processed in a fair and lawful manner to:
- Protect individuals’ fundamental rights and freedoms, notably privacy rights; and
- Enable organisations to process personal information in the course of their legitimate business.
Scope
This policy covers ContractPodAi. As there are no adequate data protection laws in India, any Data that is processed there is covered by the relevant data protection legislation from the home jurisdiction of the Data Controller. All employees of ContractPodAi, its agents and contractors who work on behalf of ContractPodAi must adhere to this policy.
Definitions
For the purpose of clarity, the definitions of some common data protection terms referred to in this policy are set out below:
To access the Software, you will have a username and password. This will be set up by us and sent to you within five working days from the date of your acceptance of this Licence.
- Personal Data: Any information that an organisation holds and / or uses on living individuals, including name, address, date of birth, telephone numbers etc.
- Sensitive Data: Personal data, which consists of information such as medical information, criminal records, racial or ethnic origin or political beliefs of the individual.
- Processing: Any use to which personal data is put, including obtaining, retrieving, holding, storing or disposal.
Examples of processing include:
- Administering or setting up client accounts
- Using data for marketing purposes
- Administering and maintaining employee records.
General Principles
ContractPodAi requires that all personal data is treated in an appropriate manner. This means that:
The Privacy and Electronic Communication Regulations (2011).
- We are clear and open with individuals about how their information will be used
- We only use information about individuals in line with their reasonable expectations
- The information we hold about an individual is relevant and sufficient, but not excessive
- We take reasonable steps to ensure that the information held is accurate and is kept up to date
- We do not keep personal data for longer than is necessary
- We respect an individual’s right of access to a copy of the information we hold about them, and their right to object or prevent our processing of information in certain circumstances
- We keep all personal data secure
- We do not transfer personal data to a country outside the EEA that does not have adequate data protection laws or processes in place.
It is therefore important that ContractPodAi complies with the eight Data Protection Principles as failure to comply can result in a criminal offence.
- Principle 1 – Data shall be processed fairly and lawfully and in particular shall not be processed unless specific conditions are met.
- Principle 2 – Data shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose
- Principle 3 – Data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed
- Principle 4 – Data shall be accurate and where relevant kept up to date
- Principle 5 – Data shall not be kept longer than is necessary for that purpose
- Principle 6 – Data shall be processed in accordance with the rights of the data subjects under data protection legislation (e.g. right of access to personal information)
- Principle 7 – Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data
- Principle 8 – Data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
A business may act as a Data Processor or a Data Controller. Generally Data Controllers have a higher degree of responsibility than Data Processors. A Data Controller remains fully responsible for its actions and the security of the Personal Data and is subject to all the requirements of the data protection legislation. A Data Controller is also responsible for Data that is transferred to the Data Processor that processes that Personal Data.
Governance
6.1 Roles and responsibilities
Each of ContractPodAi’s Directors bears the ultimate responsibility for management of data protection within the business. Specifically, the Directors should ensure sound governance arrangements are in place to manage, monitor and control data protection issues. All directors are responsible for ensuring compliance with this Policy within their area of accountability.
All employees have a responsibility to treat all personal data in an appropriate manner, in accordance with this Policy and associated guidelines and processes. Employees are required to complete training and awareness on policies, procedures and internal controls and ensure they understand their responsibilities in relation to the use of personal data.
The Chief Executive is the appointed Data Protection Officer and is responsible for ensuring appropriate controls are in place to minimise the risk of a breach.
CPSL must ensure that, when entering into a new business arrangement, the appropriate data protection clauses are included within contract documentation wherever relevant, including consideration of both the purposes for which CPSL may wish to use data, and the controls over the use of data by our third party partners.
6.2 Review ownership and regularity
This policy will be reviewed at least annually. Any proposed variations or amendments to this Policy must be approved by the Chief Executive.
6.3 Non-adherence with this Policy
Non-adherence with this Policy will be dealt with through the normal company disciplinary procedures.
Reporting an Incident
To report any suspected serious misconduct or any breach or suspected breach of law or regulation, please use our Whistleblower Report Form.