CtrlS Data Privacy
This privacy notice for all PII / Data Principals (Customers, Suppliers, Vendors, Employees, Visitors, Contractors and Subcontractors or other third parties) (“Privacy notice”) applies to CtrlS Data Centers Limited (hereinafter referred to as “CtrlS”). For the purpose of providing a service, CtrlS is responsible for processing your personal information and controls its use in accordance with this privacy notice. We at CtrlS Datacenters Ltd., including its subsidiaries and affiliates (collectively referred to as “CtrlS”, “our” or “we”), are strongly committed to honouring and safeguarding your privacy. At CtrlS, protecting your personal information is a top priority. This privacy notice describes our privacy practices regarding the collection, storage, processing and use of your personal data when you avail or provide a service to or for the company, or visit our premises or website.
CtrlS and its subsidiaries are responsible for your personal information. In accordance with applicable information protection laws, the person responsible for processing your personal information is the CtrlS subsidiary which communicates with you. Furthermore, other CtrlS subsidiaries may receive and process your information, either as the information controller or as the information processor. Accordingly, this privacy notice applies equally to them. In your case, CtrlS or the respective company affiliated with CtrlS, as the “responsible party” under the laws applicable at the headquarters or information center of the country of the respective subsidiary, determines what your personal information will be used for and how, in accordance with this privacy notice.
We collect and use the personal information that we receive from you within the scope of an existing business relationship with you or your company (hereinafter: “you”). We may also process personal information that we receive from you as a result of a contact request, a specific pre-contractual inquiry or a registration for a specific event via our websites, by email or telephone, or at a trade fair or event. In addition, to the extent necessary for the purposes stated in this privacy notice, we process personal information that we obtain from publicly available sources or that is lawfully transmitted to us by third parties pursuant to business relations. We process the following categories of your personal information to the extent required for the purposes of processing in accordance with this privacy notice:
- Identifying information and contact details that you provide us with, such as first name, last name, profession / position / title, business email address, postal address, telephone, cell phone and fax numbers, gender, date of birth, vehicle registration number, visit date and time, and the number of a valid identification document as required by law.
- Additional information that you provide us with during or in connection with your visit, such as registration details for facilities and sites, the employee visited, the purpose of the visit, records of your visit, or information relating to the fulfilment of our contractual obligations and pre-contractual measures. To a certain extent, this information may also include your interests in our products, marketing preferences and registration information provided at training sessions, events or trade fairs.
- Image and video recordings in which you are depicted (“recordings”) and which are produced by our video surveillance systems (CCTV) or by photographers or CtrlS employees working on our behalf at events organized by us.
- Children’s information: the Data Fiduciary / Controller shall, before processing any personal data of a child or of a person with disability who has a lawful guardian, obtain the verifiable consent of the parent of such child or of the lawful guardian, as the case may be, in such manner as may be prescribed (Section 9(1) of the DPDP Act 2023).
- Electronic identification information and information collected from communications systems, IT applications and web browsers (provided that you have access to or are affected by such systems or applications, and in accordance with applicable laws), such as use of information technology (system access, IT and Internet use), device identification (mobile device ID, PC ID), registration and login information, IP address, access information and log files, analysis ID, time and URL, search queries, website registration records and cookie information, and sound recordings (e.g. voice messages, meeting recordings).
If you wish to obtain information about a specific information processing activity, this can be requested from the DPO at dpo@ctrls.in.
We process your personal information primarily to carry out and fulfil our business and contractual relations with you, and to ensure the security of people and items in our offices and premises and of confidential information located in, or accessible from, the company’s premises. This is done to prevent loss, fraud, health and safety incidents, theft, injury, terrorism and other events of such kind on the company’s premises. In the context of this business relationship with you and your visit to our offices and premises, we must process the personal information that we require in order to fulfil the associated contractual and legal obligations, or which we are legally obliged to collect and process (e.g. health and safety laws, statutory insurance requirements). In particular, we process the personal information listed above for the following purposes:
- Visitor management which includes Approval, Visitor Registration and Gate pass processing and access creation if required.
- Health and safety management, including medical emergencies.
- Recording by video surveillance system (CCTV) for the purpose of public and employee safety, theft, building security and the prevention and detection of crime.
- Monitoring and auditing of compliance with CtrlS’s corporate guidelines, contractual obligations and legal requirements.
- Conducting audits, evaluations and regulatory checks to ensure compliance with regulatory obligations.
We only collect the personal information from you that we require for the purposes described above. This means that you can no longer be directly or indirectly identified as an individual using this information.
In the case of processing operations in connection with your visit to CtrlS (as described above), without certain personal information, CtrlS may not be able to adequately ensure your security and the security of other persons in our offices and premises, monitor the security of the premises and its facilities, or fulfil the related legal obligations or the purposes described above in general. Although we cannot oblige you to provide us with your personal information, please be aware that your refusal could have consequences that could negatively affect your visit to our offices and premises or our business relationship. You will not be permitted, for example, to enter certain or any CtrlS facility or location for security reasons, nor will we be able to take requested precontractual or contractual measures to conclude or fulfil a contract with you.
We process your personal information for the purposes described above (WHY DO WE USE YOUR PERSONAL INFORMATION?) in accordance with the provisions of the Information Technology Act 2000, the IT Rules (2011) and the DPDP Act 2023 of India, especially in accordance with the following applicable legal bases:
- Where required, we process your personal information within the scope of your specific visit to our offices and premises, or your stay on our premises, as well as the existing business relationship with you or your company, in order to safeguard legitimate interests (ours and those of third parties).
CtrlS has implemented technical, physical, contractual, and organizational safeguards with a view to protecting the security of personal data from loss, damage, or unauthorized use, disclosure, alteration, or access, having regard to the nature of the data, and the risks to which they are exposed by virtue of human action or the physical or natural environment.
Your personal data may be subject to disclosure to the governments, courts, law enforcement or regulatory agencies of such other country, pursuant to the laws of India.
We will only keep your personal data for as long as is reasonably necessary to fulfil the purposes for which it was collected, taking into consideration our need to respond to your queries or resolve problems, any other purpose outlined above, or the need to comply with legal requirements under applicable law(s). This means that we may retain your personal data for a reasonable period after, for example, the end of the contract with the client you represent, or after your query has been addressed. After this period, your personal data will be deleted from all our systems.
Our Privacy Notice may be updated from time to time. Any updates will appear on www.CtrlS.com.
If you have any questions about our privacy notice, please contact the Data Protection Officer by writing to dpo@ctrls.in.
This Privacy Policy covers the life cycle of data protection and privacy, which includes collecting, processing, storing, maintaining, securing and disposing of data, including PII (Personally Identifiable Information) received through various channels. The purpose of this policy is to set out the relevant technical and organizational control measures by which CtrlS complies with industry best practices and the regulatory and legal laws of the land. This policy applies to all interested parties of the organization’s information and privacy systems, which includes employees, customers, suppliers, vendors and other third parties who have access to CtrlS systems. CtrlS complies with the following standards and regulatory and legal requirements as per the law of the land and supervisory authorities, including:
- IT Act 2000, IT Amendment Act 2008, IT Rules 2011, DPDP Act 2023.
- GDPR, Contractual agreements, all other applicable laws.
The information security and privacy program is reviewed annually or upon significant changes to the information security and privacy environment. CtrlS has recognized that our business information and privacy is a critical asset and as such our ability to manage, control, and protect this asset will have a direct and significant impact on our future success.
The objective of this policy is to ensure that the provisioning of a service is in accordance with the business, security and privacy requirements, with reference to the applicable laws and regulations, and to:
- protect the CtrlS information assets through safeguarding its confidentiality, integrity, availability and Privacy.
- establish effective governance arrangements including accountability and responsibility for information security and privacy within CtrlS.
- maintain an appropriate level of Customer, Vendor, Supplier, Employees and other stakeholders awareness, knowledge and skill to minimize the occurrence and severity of information security and privacy incidents.
- Ensure CtrlS is able to continue and/or rapidly recover its business operations in the event of a detrimental information security and privacy incident.
- CtrlS is committed to protecting information and privacy. This Policy deals with the security and privacy requirements at the level of design and life cycle, which includes the collection, storage, maintenance, disclosure, securing and disposal of personally identifiable information as per the privacy policy.
- Cloud4C proactively addresses data principals’ expectations concerning their privacy and security in order to create and ensure trust and confidence in CtrlS and the services it provides.
- Compliance with relevant privacy and data protection laws is maintained, thereby minimizing legal liability, regulatory risk, and brand and reputational exposure. A data principal’s PII is collected after acquiring consent and is processed in a fair and transparent manner, in compliance with applicable laws and regulations. CtrlS is committed to maintaining and improving data protection and privacy within the company and minimizing its exposure to risks.
3.1. THE PERSONAL DATA THAT WE COLLECT FROM THE USER: CtrlS collects information during the User’s interactions with CtrlS, whether through business-related interactions or online (involuntary), including through CtrlS’s websites, that is necessary to conduct its business, to provide services to customers, as part of business operations and for the optimization of its service offerings. CtrlS may collect, use, store and transfer different kinds of personal data, which have been grouped together as follows:
- Identity Data: including first name, last name.
- Contact Data: including address, email address, and telephone numbers.
- Marketing and Communications Data: including User’s preferences in receiving marketing from CtrlS (including authorized third parties) and User’s communication preferences.
- Public PII: information easily accessible from public sources like phonebooks, the Internet and corporate directories, such as visiting cards, business telephone numbers and business mailing or email addresses.
3.2. HOW IS YOUR PERSONAL DATA COLLECTED AND USED?
Generally, CtrlS collects personal information relating to customers and their representatives, employees, visitors, vendors, contractors, subcontractors and other third parties when they decide to interact with us, avail services, express an interest or apply for a position. The kind of data that CtrlS collects and/or has visibility of or access to depends solely on the context and nature of the User’s interaction with CtrlS and, in the case of CtrlS’s customers, on the nature of the service offering that such customer avails from CtrlS. CtrlS does not solicit and/or collect any personal information that is irrelevant or not necessary for the provision of services to the User. CtrlS further declares that it does not participate in any data mining activities whatsoever with any third parties. CtrlS uses Customer PII only to the extent such data is required to provide the services agreed upon, and does not mine it for marketing or advertising. In case a Customer decides to suspend the services or terminates the requirement for availing services, CtrlS shall, in accordance with the Customer’s requirements and any applicable laws and policies it has, follow strict standards and requisite processes for deleting Customer PII from its servers. If you represent an organization, such as a business, or an individual that uses Enterprise services from CtrlS, please see the CtrlS privacy statement to learn how we process data. Customers and Individuals have choices when it comes to the technology used and the data shared. When CtrlS asks you to provide personal data, the Customer or Individual can decline. Many of our services require personal data in order to provide a service. If a Customer or Individual chooses not to provide the data required to provide a service or feature, the Customer or Individual cannot use that service or feature.
Likewise, where CtrlS needs to collect personal data by law or to enter into or carry out a contract with a Customer or Individual, and they do not provide the data, CtrlS will not be able to enter into the contract; or, if this relates to an existing service being used, CtrlS may have to suspend or cancel it. We will notify the Customer or Individual if this is the case at the time. Where providing the data is optional, and the Customer or Individual chooses not to share personal data, features like personalization that use such data will not work for them. CtrlS undertakes that it uses personal data strictly in compliance with applicable laws. CtrlS uses personal information only where required for specific purposes. The following table explains the purposes for which CtrlS collects and uses the personal data belonging to the User and the rationale behind such collection and use:
| Purpose/Instance | Rationale |
| --- | --- |
| Managing CtrlS’s contractual and/or employment relationship with the User. | |
| Facilitating communication with the User (including in case of emergencies, and to provide the User with requested information). | To ensure proper communication and emergency handling within the organization. This kind of collection includes collection of basic contact information of relevant stakeholders. |
| Operating and managing CtrlS business operations. | To ensure the proper functioning of Cloud4C business operations and optimise CtrlS service offerings. |
| Complying with legal requirements. | This is a legitimate purpose as CtrlS is bound by and is subject to all applicable laws and legal mandates. |
| Monitoring the User’s use of CtrlS systems (including use of the CtrlS website). | To avoid compliance-related issues and to protect the standards of CtrlS service offerings, ensuring that they meet legal requirements and industry standards. |
| Improving the security and functioning of the CtrlS website, networks and information. | To ensure that the User receives an excellent user experience and that CtrlS networks and information are secure. |
| Undertaking data analytics, i.e. applying analytics to business operations and data to describe, predict and improve business performance within CtrlS and/or to provide a better user experience. | To ensure the proper functioning of CtrlS business operations and optimise CtrlS service offerings. |
| Marketing CtrlS products and services to the User. | To ensure the proper functioning and growth of CtrlS business operations. However, any kind of collection for this purpose will be subject to the User’s consent and privacy rights. To provide an improved website and product experience and communications informed by product subscriptions and/or data collected. |
| Customers’ billing address, email address and telephone numbers, and prospective clients’ information. | |
| Employee name, address, email address, telephone numbers and other personnel information. | |
| Assess your suitability for employment for the role for which you are applying, as well as future roles that may become available. | Justified on the basis of CtrlS’s legitimate interest in ensuring that it recruits the appropriate employees. |
| Manage your application. | Justified on the basis of CtrlS’s legitimate interest in ensuring that it recruits the appropriate employees. |
| Perform data analytics, including analysis of our applicant pool in order to better understand who is applying to positions and how to attract and keep top talent. | Justified on the basis of CtrlS’s legitimate interest in ensuring that it continually improves its recruitment processes. |
| In some cases, record your online interview for review by additional recruiters and hiring managers. | Justified on the basis of CtrlS’s legitimate interest in ensuring that it recruits the appropriate employees. |
| If you register for any position. | Justified on the basis of CtrlS’s legitimate interest in ensuring that it recruits the appropriate employees. |
| Transfer your contact information, education data, employment data, application information and CV, all as supplied by you in our recruitment system, to the CtrlS Talent Acquisition Team. | Justified on the basis of CtrlS’s legitimate interest in ensuring that it recruits the appropriate employees. |
| Administration of employee benefits. | Justified on the basis of CtrlS’s legitimate interest in ensuring that our employees receive the applicable benefits. |
| Perform any legally required reporting and respond to legal process. | Compliance with a legal obligation. |
| To share alumni information with other internal CtrlS systems, specifically our internal sales tool, to contact you with industry-relevant information. | Justified on the basis of our legitimate interest in ensuring proper communication with, and sending marketing to, our alumni. |
- Where the above table states that we rely on our legitimate interests for a given purpose, we are of the opinion that our legitimate interests are not overridden by your interests, rights or freedoms, given (i) the transparency we provide on the processing activity.
- In carrying out these purposes, CtrlS combines data it collects from different contexts (for example, from the use of two different CtrlS services) or obtains from third parties to give you a more seamless, consistent and personalized experience, to make informed business decisions, and for other legitimate purposes.
3.3. DATA MINIMISATION
- CtrlS shall ensure that personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
3.4. HOW WE SHARE / DISCLOSE YOUR PERSONAL DATA
Purposes for which CtrlS may share personal data belonging to the User: CtrlS shares / discloses the User’s personal data with the User’s consent and/or to carry out any transaction and/or provide any service that the User has authorized or requested. CtrlS also shares / discloses such personal data with its wholly owned subsidiaries and affiliates whenever necessary to optimize CtrlS’s service offerings. Further, CtrlS may also share / disclose the User’s personal data with its vendors, suppliers or other third parties when the customer or user separately consents to or requests such sharing, on a strict need-to-know basis, ensuring that such parties are bound by the privacy principles detailed herein and by strict confidentiality obligations. Lastly, Cloud4C shares / discloses personal data when required by applicable laws or legal mandates and/or in order to respond to any legal process, including but not limited to the protection of the rights and property of CtrlS and its customers.
3.5. IN RESPONSE TO THE LAW: CtrlS may disclose the Customer’s information if it is required to comply with a law, regulation or valid legal process. If CtrlS is going to disclose the Customer’s information, CtrlS will provide the Customer with notice unless it is prohibited from doing so under law or under a judicial or executive order. Further, CtrlS may disclose the Customer’s information without providing the Customer with prior notice if such disclosure is reasonably required to prevent imminent and serious harm to a person.
3.6. TO PROVIDE SERVICES AND TO FIX ISSUES: CtrlS will provide services as per the terms agreed under the contract to provide Cloud or other services. This may include applying new product or system versions, patches, updates and upgrades; monitoring system use and performance; and addressing other issues reported to CtrlS. Based on a request raised by the customer, CtrlS accesses the customer’s setup to resolve the particular issue. CtrlS will use temporary access to fix the issue raised by the Customer within the agreed time window. CtrlS may share customer personal information with its wholly owned subsidiaries and affiliates whenever necessary to optimize CtrlS’s service offerings. These include other companies within the CtrlS Group such as Cloud4C.
Individual PII: we may share personal data with one or all of the following:
- Internal Third Parties: these include other companies within the CtrlS Group such as Cloud4C etc.
External Third Parties may include:
- Suppliers / Business Partners who we engage to provide services on our behalf, for example payment processors and marketing services companies.
- Authorities who require reporting of processing activities in certain circumstances.
3.7. VENDORS HAVING ACCESS TO PII
- Services or work involving vendor access to PII include the following. A contractor is hired to provide a payroll service or to assist with the organization’s Performance Management system. The potential exists for the contractor to have access to employee PII such as names, mailing addresses, salary slips, personal telephone numbers and financial account information.
- A vendor or contractor is hired to perform a survey on the organization’s work culture or a corporate program, to be used by the organization’s top management. Depending on the nature of the survey, the vendor or contractor may have access to PII such as the names and email addresses of the survey respondents.
- A contractor is hired to deploy or upgrade physical access control systems (e.g., card swipe entry readers) and biometric access cards. The potential exists for the contractor to have access to any PII collected via the card swipe and thumb impression, such as names, organization ID numbers and fingerprints.
3.8. STORING YOUR PERSONAL INFORMATION
How long we hold personal information will vary and will depend principally on:
- the purpose for which we are using personal information – we will need to keep the information for as long as is necessary for the relevant purpose, and
- Legal obligations – laws or regulation may set a minimum period for which we have to keep personal information.
- We will ensure that the personal information that we hold is subject to appropriate security measures.
- Access to personal information is limited to personnel who need access and appropriate security should be in place to avoid unauthorized sharing of information.
- When personal data is deleted this should be done safely such that the data is irrecoverable.
- Appropriate back-up and disaster recovery solutions shall be in place.
3.8.1. ARCHIVING / REMOVAL
To ensure that personal data is kept for no longer than necessary as per data classification and applicable law, CtrlS implements a retention period for each area in which personal data is processed and reviews this process annually. The retention period shall consider what data should or must be retained, for how long, and why.
3.9. LAWFULNESS OF PROCESSING
Depending on the legislation involved, there may be a number of alternative ways in which the lawfulness of a specific case of processing of PII may be established. It is CtrlS policy to identify the appropriate basis for processing and to document it, in accordance with the applicable legislation. The main options are described in brief in the following sections.
3.10. CONSENT: Where appropriate, CtrlS will obtain consent from a PII principal to collect and process their data. In the case of children below the age specified in applicable legislation, parental consent will be obtained. Transparent information about our usage of their PII will be provided to PII principals at the time that consent is obtained, and their rights regarding their data explained, such as the right to withdraw consent. This information will be provided in an accessible form, written in clear language and free of charge. If the PII is not obtained directly from the PII principal, then this information will be provided to the PII principal within a reasonable period after the data is obtained, and in any case within one month.
3.11. PERFORMANCE OF A CONTRACT: Where the PII collected and processed is required to fulfil a contract with the PII principal, consent is not required. This will often be the case where the contract cannot be completed without the PII in question; for example, a delivery cannot be made without an address.
3.12. LEGAL OBLIGATION: If the PII is required to be collected and processed in order to comply with applicable law, then consent is not required. This may be the case, for example, for some data related to employment and taxation, and for many areas addressed by the public sector.
3.13. VITAL INTERESTS OF THE PII PRINCIPAL: In a case where the PII is required to protect the vital interests of the PII principal or of another natural person, this may be used as the lawful basis of the processing. CtrlS will retain reasonable, documented evidence that this is the case whenever this reason is used as the lawful basis for the processing of PII. As an example, this may be used in aspects of social care, particularly in the public sector.
3.14. RIGHTS OF THE PII PRINCIPAL / INDIVIDUAL / DATA SUBJECTS: The PII principal also has rights with regard to their PII. These will generally consist of:
1. The right to be informed.
2. The right of access.
3. The right to rectification.
4. The right to erasure.
5. The right to restrict processing.
6. The right to data portability.
7. The right to object.
8. Rights in relation to automated decision making and profiling.
Each of these rights is supported by appropriate procedures within CtrlS that allow the required action to be taken within the timescales stated in the applicable privacy legislation. These rights include:
- Obtaining information regarding the processing of personal information and access to the personal information which we hold.
- Please note that there may be circumstances in which we are entitled to refuse requests for access to copies of personal information. In particular, information that is subject to legal professional privilege will not be disclosed other than to our member and as authorized by our member.
- Requesting that we correct personal information if it is inaccurate or incomplete.
- Requesting that we erase personal information in certain circumstances. Please note that there may be circumstances where we erase personal information but we are legally entitled to retain it.
- Objecting to, and requesting that we restrict, our processing of personal information in certain circumstances. Again, there may be circumstances where you object to, or ask us to restrict, our processing of personal information but we are legally entitled to refuse that request.
- Withdrawing your consent, although in certain circumstances it may be lawful for us to continue processing without your consent if we have another legitimate reason (other than consent) for doing so.
CtrlS applies appropriate data management practices to govern the processing of personal data. CtrlS limits the disclosure of personal data to authorized persons.
3.15. TASK CARRIED OUT IN THE PUBLIC INTEREST (LAW ENFORCEMENT AGENCIES): Where CtrlS needs to perform a task that it believes is in the public interest or part of an official duty, the PII principal’s consent will not be requested. The assessment of the public interest or official duty will be documented and made available as evidence where required.
3.16. LEGITIMATE INTERESTS: If the processing of specific PII is in the legitimate interests of CtrlS and is judged not to affect the rights and freedoms of the PII principal in a significant way, then this may be defined as the lawful reason for the processing. Again, the reasoning behind this view will be documented.
3.17. PRIVACY BY DESIGN: CtrlS has adopted the principle of privacy by design and will ensure that the definition and planning of all new or significantly changed systems that collect or process PII are subject to due consideration of privacy issues, including the completion of one or more privacy impact assessments. The privacy impact assessment will include:
- Consideration of how PII will be processed and for what purposes.
- Assessment of whether the proposed processing of PII is both necessary and proportionate to the purpose(s).
- Assessment of the risks to individuals in processing the PII.
- What controls are necessary to address the identified risks and demonstrate compliance with applicable legislation.
Use of techniques such as data minimization and pseudonymisation will be considered where applicable and appropriate, including at the end of processing, and the mechanisms used to achieve them will be documented.
Personally Identifiable Information (PII) – any information that, by means of use or correlation with other data or information, can be used to uniquely identify an entity. PII has been categorized by CtrlS into three types:
1. Sensitive PII
2. Highly Sensitive PII
3. Non-Sensitive or Public PII
4.1. SENSITIVE PII: Sensitive Personally Identifiable Information (PII) is defined as information that, if lost, compromised or disclosed, could result in substantial harm, inconvenience or unfairness to an individual. Sensitive PII includes:
- Bank account numbers
- Passport information
- Driver’s license
- Address
- Employees Dependents Data
4.2. HIGHLY SENSITIVE PII:
- Healthcare related information
- Medical insurance information
- Biometric data: Finger print or voice signatures
- Social security number
- Children’s Data (Below 16 Yrs.)
- Government issued IDs
- Driver’s License Number
- Passport Number
- Personal Banking, Debit, or Credit Card Account Information
4.3. NON-SENSITIVE OR PUBLIC PII:
Non-sensitive or Public PII is easily accessible from public sources like phonebooks, the Internet, and corporate directories.
- Visiting Cards
- Business telephone number
- Business mailing or email address
The above list contains examples of non-sensitive information that can be released to the public. This type of information cannot be used alone to determine an individual’s identity. However, non-sensitive information, although not delicate, is linkable: when combined with other personally linkable information, it can reveal the identity of an individual.
CtrlS will ensure that all relationships it enters into that involve the processing of PII are subject to a documented contract, such as a Data Processing Agreement, that includes the specific information and terms required by the applicable legislation.
4.4. INTERNATIONAL TRANSFERS OF PII
Transfers of PII between countries will be carefully reviewed before the transfer takes place to ensure that they fall within the limits imposed by the applicable legislation. This depends partly on the relevant authority’s judgement (for example, in the case of the GDPR, the European Commission) as to the adequacy of the safeguards for PII applicable in the receiving country, and this may change over time. Where an adequacy decision (or similar statement) does not exist for a destination country, an appropriate safeguard such as standard contractual clauses will be used, or a relevant exception identified as permitted under the applicable legislation.
4.5. DATA PROTECTION OFFICER
A defined role of Data Protection Officer (DPO) is generally required under privacy legislation if an organization is a public authority, if it performs large-scale monitoring, or if it processes particularly sensitive types of data on a large scale. The DPO is required to have an appropriate level of knowledge and can either be an in-house resource or outsourced to an appropriate service provider. Based on these criteria, CtrlS has appointed a Data Protection Officer.
4.6. BREACH NOTIFICATION
It is policy to be fair and proportionate when considering the actions to be taken to inform affected parties regarding breaches of PII. In line with the applicable legislation, where a breach is known to have occurred which is likely to result in a risk to the rights and freedoms of individuals, the relevant supervisory authority will, where required, be informed within the specified timeframe (for example, within 72 hours under the GDPR; in India, under the new DPDP Act 2023 and as it stands today, a data breach is a cyber incident that must be reported to the Indian Computer Emergency Response Team (CERT-In) within 6 hours of first knowledge of the breach). This will be managed in accordance with our Information Security and Privacy Incident Response Procedure, which sets out the overall process for handling information security and privacy incidents. Under privacy legislation (the law of the land), the relevant data protection authority may have the right to impose a range of fines, often based on a percentage of annual worldwide turnover or a specific amount, for infringements of the regulations.
4.7. ADDRESSING COMPLIANCE TO APPLICABLE PRIVACY LEGISLATION
The following actions are undertaken to ensure that CtrlS complies at all times with the accountability principle of privacy legislation within the countries in which it operates:
- The legal basis for processing PII is clear and unambiguous
- A Data Protection Officer is appointed with specific responsibility for data protection in the organization (if required)
- All staff involved in handling PII understand their responsibilities for following good data protection practice
- Training in data protection has been provided to all staff
- Rules regarding consent are followed
- Routes are available to PII principals wishing to exercise their rights regarding PII and such enquiries are handled effectively
- Regular reviews of procedures involving PII are carried out
- Privacy by design is adopted for all new or changed systems and processes
- The following documentation of processing activities is recorded:
  - Organization name and relevant details
  - Purposes of the PII processing
  - Categories of individuals and PII processed
  - Categories of PII recipients
  - Agreements and mechanisms for transfers of PII to other countries, including details of controls in place
  - PII retention schedules
  - Relevant technical and organizational controls in place
These actions are reviewed on a regular basis as part of the management process concerned with privacy and data protection.
Organizations that collect, process or use personal data themselves or on behalf of others must take the technical and organizational measures necessary to ensure compliance with the provisions of the data protection laws. The measures must be suitable to adequately protect the personal data according to their nature and category. The measures are only necessary if their effort is in a reasonable relation to the intended protection purpose.
- Organizational management and dedicated staff responsible for the development, implementation, and maintenance of CtrlS’s information security program.
- Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to the CtrlS organization, monitoring and maintaining compliance with CtrlS policies and procedures, and reporting the condition of its information security and compliance to senior internal management.
- Maintenance of information security policies, ensuring that policies and measures are regularly reviewed and, where necessary, improved.
- Communication with CtrlS applications utilizes cryptographic protocols such as TLS to protect information in transit over public networks. At the network edge, stateful firewalls, web application firewalls, and DDoS protection are used to filter attacks. Within the internal network, applications follow a multi-tiered model which provides the ability to apply security controls between each layer.
- Data security controls which include logical segregation of data, restricted (e.g. role-based) access and monitoring, and, where applicable, utilization of commercially available and industry-standard encryption technologies.
- Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions (e.g. granting access on a need-to-know and least-privilege basis, use of unique IDs and passwords for all users, periodic review, and revoking or changing access promptly when employment terminates or job functions change).
- Password controls designed to manage and control password strength and usage, including prohibiting users from sharing passwords.
- System audit or event logging and related monitoring procedures to proactively record user access and system activity for routine review.
- Physical and environmental security of data center, server room facilities and other areas containing client confidential information designed to: (i) protect information assets from unauthorized physical access, (ii) manage, monitor and log movement of persons into and out of CtrlS facilities, and (iii) guard against environmental hazards such as heat, fire and water damage.
- Operational procedures and controls to provide for configuration, monitoring, and maintenance of technology and information systems according to prescribed internal and adopted industry standards, including secure disposal of systems and media to render all information or data contained therein undecipherable or unrecoverable prior to final disposal or release from CtrlS possession.
- Change management procedures and tracking mechanisms designed to test, approve and monitor all changes to CtrlS technology and information assets.
- Incident / problem management procedures designed to allow CtrlS to investigate, respond to, mitigate and notify of events related to CtrlS technology and information assets.
- Network security controls that provide for the use of enterprise firewalls and layered DMZ architectures, intrusion detection systems, and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack.
- Vulnerability assessment, patch management, and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.
- Business resiliency/continuity and disaster recovery procedures, as appropriate, designed to maintain service and/or recovery from foreseeable emergency situations or disasters.
- Formal Vendor Management program, including vendor security reviews for critical vendors to ensure compliance with CtrlS Information Security Policies.
- An independent Data Protection Officer (DPO) who regularly reviews data protection risks and controls.