Privacy Policy

Purpose

RAH Infotech (along with its national as well as foreign branch offices which together comprise “RAH Infotech”), is committed to meeting legal and regulatory requirements regarding data protection and privacy where it conducts its business activities. This Privacy Policy (“Policy”) defines the minimum standards with respect to RAH Infotech collecting, processing, or otherwise using personal data, including information that may be considered as sensitive Personal Data (“Personal Data”).

Scope

This policy applies to all RAH Infotech (“Company”) employees, business contacts, customers or vendors (“Individuals”). RAH Infotech controls other company entities, such other companies will be required to abide by the principles set in this Policy.

Policy statement

Company is committed to conducting its business in accordance with all applicable data protection laws and regulations and in line with the highest standards of ethical conduct. This policy sets forth the expected behaviours of Company’s employees and third parties in relation to the collection, use, retention, transfer, disclosure and destruction of any personal data belonging to a Company contact (i.e. the data subject).

Personal data is any information (including opinions and intentions) that relates to an identified or identifiable natural person. Personal data is subject to certain legal safeguards and other regulations that impose restrictions on how organizations may process personal data.

An organization that handles personal data and makes decisions about its use is known as a Data Controller. Company, as a Data Controller, is responsible for ensuring compliance with the data protection requirements outlined in this policy.

Definitions

Data Controller:

The entity that determines the purposes, conditions and means of the processing of personal data.

Data Processor:

The entity that processes data on behalf of the Data Controller.

Data Protection Authority:

National authorities tasked with the protection of data and privacy as well as monitoring and enforcement of the data protection regulations within the_______.

Data Protection Officer (DPO):

An expert on data privacy who works independently to ensure that an entity is adhering to the policies and procedures set forth in the ________.

Data subject:  

A natural person whose personal data is processed by a controller or processor,

Personal Data:

Any information related to a natural person or ‘data subject’, that can be used to directly or indirectly identify the person.

Processing:

Any operation performed on personal data, whether or not by automated means, including collection, use, recording, etc

Regulation:

A binding legislative act that must be applied in its entirety across the _______________.

Subject Access Right:

Entitles a data subject to have access to and information about the personal data that a controller has regarding them.

PRIVACY PRINCIPLES

RAH will handle Personal Data in accordance with the following principles. RAH ensures that its business partners and vendors comply with the principles of this Policy and applicable legal and regulatory compliance standards through appropriate contractual agreements.

• Lawfulness of Processing

RAH will collect, store, process, use, share, transfer, analyse or otherwise handle (“Process” or “Processing”) Personal Data in accordance with applicable legal requirements for legitimate business or compliance purpose or if individuals have provided consent to the Processing or any relevant basis as defined by the applicable laws or regulations.

• Limit Collection and processing

RAH will limit the Processing of Personal Data in terms of scope and duration, as is necessary for the intended purpose.

• Transparency

In accordance with applicable legal requirements, RAH will provide information to individuals that explains the scope and purpose of Processing, and whom to contact to seek clarifications about privacy or data protection.

• Accuracy

RAH will take all necessary measures, as required by applicable laws and regulations, to ensure that Personal Data processed are accurate for the intended purpose. Any inaccurate personal data, in the context of the purposes for which they are processed, will either be erased or rectified without delay. Accuracy of data may be subject to the data subject's duty to notify and/or utilise the options as outlined in Privacy Notices.

• Security and Confidentiality

RAH aims to protect the security and confidentiality of individuals’ Personal Data and implement physical, technical and organizational measures against accidental, unlawful or unauthorized destruction, loss, alteration, disclosure or access. RAH will ensure measures are appropriate to the risks represented by the Processing it carries out and the nature of those Personal Data.

• Privacy by Design

RAH incorporates the principles of Privacy by Design into all of its personal data processes executed using digital systems, technologies or manually. By default, privacy requirements are embedded into every standard, protocol and process followed by RAH.

• Disclosure

RAH discloses, when required/asked, personal data to third parties only for the purposes identified in the privacy notice, with the consent of the individual, or as required for lawful purposes. Third parties refer to public authorities, Law Enforcement Agencies and similar authorities.

Data subject rights

In accordance with applicable legal requirements, RAH will provide opportunity to exercise data subject rights, which are available to the individuals in the context of their engagement with RAH. Such rights may include the right to request access to their Personal Data, to correct inaccurate or incomplete Personal Data or to object to the Processing of their Personal Data. Each Data Subject Request is validated and tracked to closure. As per the applicable law, and the engagement of data subject with RAH, there might be other rights available such as right to be forgotten, right to withdraw consent, right to data portability, etc. RAH will ensure its compliance and deploy all required measures to help data subjects exercise their rights granted.

Cookies

When you visit our site, we may collect personal data from you, automatically using cookies or using similar technologies.

International data transfers

RAH operates on a global level and from time to time it may be required to transfer Personal Data across countries. RAH recognizes that Personal Data needs to be treated with care, including data transfer to countries, which may not have adequate data protection laws. If RAH transfers Personal Data to such countries, it will protect these Personal Data as set out in this Policy and in accordance with the requirements of applicable law.

Data Protection

RAH Infotech will adopt physical, technical, and organizational measures to ensure the security of personal data. This includes the prevention of loss or damage, unauthorized alteration, access or processing, and other risks to which it may be exposed by virtue of human action or the physical or natural environment. A summary of personal data-related security measures is provided below:

• Prevent unauthorized persons from gaining access to data processing systems in which personal data is
• Prevent persons entitled to use a data processing system from accessing personal data beyond their needs and
• Ensure that access logs are in place to establish whether, and by whom, the personal data was entered into, modified on or removed from a data processing
• Ensure that personal data is protected against undesired destruction or
• Ensure that personal data collected for different purposes can and is processed

Assessment of Adequacy

In making an assessment of adequacy, the Data Protection Officer should take account of the following factors:

• the nature of the information being transferred;
• the country or territory of the origin, and final destination, of the information;
• how the information will be used and for how long;
• the laws and practices of the country of the transferee, including relevant codes of practice and international obligations; and
• the security measures that are to be taken as regards the data in the overseas location

Exemption

A transfer of personal data to a third country or international organisation shall only take place on one of the following conditions:

• the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;
• the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request;
• the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
• the transfer is necessary for important reasons of public interest;
• the transfer is necessary for the establishment, exercise or defence of legal claims; and/or
• the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving

Data retention

RAH will observe retention policies and procedures so that it deletes Personal Data after a reasonable time and the purposes are met. Exception applies if in the context of those purposes, it is necessary to keep the Personal Data indefinitely, or a law requires the Personal Data to be kept for a certain time. When RAH no longer needs to keep Personal Data for the purposes, for which they are held, it will delete them as soon as practicable.

Jurisdiction-specific requirements and implementation

National data protection and privacy laws may impose additional requirements on RAH for the Processing of Personal Data. Where required, RAH will establish procedures and guidelines in order to supplement the principles of this Policy and engage with relevant regulatory/ supervisory authority, as required.

Privacy organization and contact

RAH has set up a IT Department under Mr. Inderjeet Singh, and which is tasked with overseeing and implementing privacy and applicable data protection requirements. Specific data protection or privacy functions and roles may be added for individual countries or geographies. RAH also appoints Data Protection Officers (or comparable function), where required by applicable laws. The privacy function is also responsible for deploying training and awareness programs and supporting the implementation of privacy principles into RAH business operations and processes. If you have questions about this Policy, please direct them to the contact details provided in privacy policy Opens available at Inderjeet.singh@rahinfotech.com.

Compliance audit

Data Protection Officer will carry out an annual data protection compliance audit for the Company. Each audit will assess Compliance with policy in relation to the protection of personal data, including:

• The effectiveness of data protection-related operational practices, including:
• Data subject

• Personal data
• Personal data incident
• Personal data complaints
• The level of understanding of data protection policies and privacy
• The currency of data protection policies and privacy
• The accuracy of personal data being
• The conformity of data processor
• The adequacy of procedures for redressing poor compliance and personal data breaches. The Data Protection Officer, in cooperation with key business stakeholders from each Company service/entity, will devise a plan with a schedule for correcting any identified deficiencies within a defined and reasonable time frame. Any major deficiencies and good practice identified will be reported to, monitored and shared by the Company’s executive team.

Data Protection Training

All Company employees that have access to personal data will have their responsibilities under this policy outlined to them as part of their staff induction training. In addition, each Company service entity will provide regular Data Protection training and procedural guidance for their staff.

Data breach reporting

All known or suspected incidents involving Personal Data must be reported immediately upon discovery. This includes incidents notified to RAH by any RAH employee, client, third party service provider or other business partner. RAH will provide education and awareness to its workforce regarding the procedures for reporting a suspected or confirmed incident. Each incident is investigated and tracked to closure. If the investigation leads to the conclusion that an illegal, improper or unethical act has been committed, appropriate disciplinary or corrective action will be initiated against the offender as per RAH’ policy and legal provisions.

ROLES AND RESPONSBILITIES

Implementation

RAH has internal arrangements in place to communicate, ensure and verify compliance with this Policy, to protect data, allow effective exercise of individuals' rights set out in this Policy and under applicable law, and to deal with any concerns from individuals or regulatory bodies that RAH may not have complied with the Policy and/or applicable law. All individuals can leverage these arrangements and/or exercise their rights by contacting their local Data Protection Officer.

Consequence of Non-Compliance

RAH handles personal data and makes decisions about its use is known as a Data Controller. Company, as a Data Controller, is responsible for ensuring compliance with the data protection requirements outlined in this policy.

Non-compliance may expose Company to complaints, regulatory action, fines and/or reputational damage. Company’s leadership is fully committed to ensuring continued and effective implementation of this policy and expects all Company employees and third parties to share in this commitment. Any breach of this policy will be taken seriously and may result in disciplinary action or business sanction.

Review

This policy will be reviewed by the Data Protection Officer every three years, unless there are any changes to regulations or legislation that would enable a review earlier.

Records management

Management/ Employees must maintain all records relevant to administering this policy and procedure in electronic form in a recognized Company recordkeeping system. All records relevant to administering this policy and procedure will be maintained for a period of five years.

INDEMNITY

Indemnity You agree and undertake to indemnify Us in any suit or dispute by any third party arising out of disclosure of information by You to third parties either through Our Platform or otherwise, and Your use and access of websites, applications and resources of third parties. We assume no liability for any actions of third parties with regard to Your Information or Personal Information which You may have disclosed to such third parties.

CHANGES TO THE POLICY

RAH may update this Policy from time to time and without prior notice to individuals to reflect changes in law or privacy practices. If you have questions about this Policy, please direct them to Inderjeet Singh or to the respective local Data Protection Officer, contact details of whom can be referred at  Inderjeet.singh@rahinfotech.com .