policies



PROTECTION OF PERSONAL DATA

ALTEN India is committed to protecting your personal data and ensuring your privacy is respected.

Who is responsible for your data?

ALTEN India, part of the global ALTEN Group, is the Data Fiduciary/Controller and is located at ALTEN India PVT LTD | Tower D, 7th and 9th Floor, IBC Knowledge Park, Bannerghatta Main Road, Bengaluru-560029, India

For any privacy-related queries, you can reach us at: dpo.india@alten-india.com


OBJECTIVE

The Privacy Policy constitutes the reference framework for the protection of personal data of the ALTEN India, a subsidiary of the ALTEN Group (hereinafter “ALTEN”).

It specifies the rules and expresses the governance principles relating to the protection of ALTEN’s personal data.


SCOPE

This document applies to the whole ALTEN India.


INTRODUCTION

ALTEN India, as part of the ALTEN Group, processes Personal Data (as defined by applicable laws) of its Employees, Service Providers, Suppliers, and current and prospective Customers to conduct its business activities.

Committed to adhering to all legal and regulatory obligations concerning data privacy, ALTEN India has established this Policy for the Protection of Personal Data (hereinafter the “Privacy Policy”). This policy outlines the principles and guidelines governing all Personal Data processing, whether conducted directly by ALTEN India or by its subcontractors.

ALTEN India is committed to compliance with all relevant data protection regulations, including the Digital Personal Data Protection Act, 2023 (DPDP Act) of India and the General Data Protection Regulation (EU) 2016/679 (GDPR) of the European Union, along with any other applicable data protection laws.


GOVERNANCE

ALTEN India, as part of the ALTEN Group, is committed to complying with both the GDPR and the DPDP Act, 2023. To ensure this compliance, we have established a dedicated organizational structure. This includes the appointment of a Data Protection Officer or Data Protection Coordinator for each entity within the Group, including ALTEN India. The DPO/DPC is responsible for managing compliance efforts. The Group DPO reports directly to the Head of Compliance, who in turn reports to the Legal Department. Additionally, we have designated GDPR/DPDP Act support roles within each department, known as GDPR/DPDP Act ambassadors, to further strengthen compliance across the organization.


COLLECTION AND PROCESSING OF PERSONAL DATA

ALTEN India, adhering to the principles outlined in the DPDP Act, 2023 and GDPR, mandates that all employees and service providers follow these guidelines when collecting and processing personal data. This policy is designed to protect the rights of data subjects and ensure transparency in our data processing activities. ALTEN India will provide comprehensive training on this Policy for the Protection of Personal Data to all employees and service providers. This policy will be published on the ALTEN India Q Factor.


COLLECTION FOR SPECIFIC, EXPLICIT AND LEGITIMATE PURPOSES

ALTEN India, committed to upholding the principles of the DPDP Act, 2023 and GDPR, ensures that personal data is collected and processed only for specified, explicit, and legitimate purposes. This commitment is reflected in our practices:

  • Clearly defined and sufficiently specific purposes.
  • Relevance to ALTEN India’s business operations.
  • Transparent communication of purposes to data subjects.

Establishment of a lawful basis for data collection. Human resources administrative functions.

  • Payroll management and processing.
  • Career development and human resource planning.
  • Recruitment activities and management.
  • Financial accounting and reporting.
  • Management of client relationships.
  • Management of service provider relationships.
  • Provision of IT tools and resources.
  • Access control and security measures

EXISTENCE OF A LEGAL BASIS FOR THE PROCESSING OF PERSONAL DATA

At ALTEN India, in compliance with the Digital Personal Data Protection (DPDP) Act, 2023 and the General Data Protection Regulation (GDPR), the collection and processing of Personal Data must be based on a lawful ground. Before initiating such activities, ALTEN Employees and Service Providers must ensure that one of the following conditions is met:

  • The Data Principal (as defined in the DPDP Act) or Data Subject (as defined in the GDPR) has provided explicit consent for the collection and processing of their Personal Data.
  • The processing is necessary for the performance of a contract to which the Data Principal/Subject is a party.
  • ALTEN has a legitimate interest in processing Personal Data, such as for fraud prevention, provided that such interest does not override the rights and interests of the Data Principal/Subject.
  • The processing is necessary to protect the vital interests of the Data Principal/Subject.
  • The processing is required to comply with a legal obligation to which ALTEN is subject.
  • The processing is necessary for the performance of a task carried out in the public interest.

If the collection or processing of Sensitive Personal Data (as defined in the DPDP Act) or Special Categories of Personal Data (as defined in the GDPR) is contemplated, Employees or Service Providers must adhere to the provisions outlined in Point 8 of this Privacy Policy.


MINIMIZATION OF COLLECTED PERSONAL DATA

In accordance with the DPDP Act, 2023 and GDPR principles of data minimization, ALTEN India employees and service providers must ensure that the processing of personal data is limited to what is adequate, relevant, and necessary for the specified purpose(s). Specifically, data processing must adhere to:

  • Appropriateness: The data collected must be suitable for the intended purpose.
  • Relevance: The data must be pertinent to the purpose of processing.
  • Necessity: The data collected must be limited to what is essential for the processing purpose(s).

Furthermore, to maintain data accuracy as required by both the DPDP Act, 2023 and GDPR, employees and service providers must ensure that personal data is kept up-to-date and accurate.


RETENTION OF PERSONAL DATA

ALTEN India, in compliance with the Digital Personal Data Protection Act, 2023 (DPDP Act) and the General Data Protection Regulation (GDPR), requires all employees and service providers to ensure personal data is retained only for the duration necessary to fulfill the specific purpose for which it was collected. A defined retention period, aligned with these regulations and considering the nature of the data, must be established and adhered to.

For detailed guidance on personal data retention, ALTEN India employees and service providers should consult their general management.


COLLECTION OF SENSITIVE DATA

At ALTEN India, in alignment with both the DPDP Act, 2023 and GDPR, the collection and processing of Sensitive Personal Data is generally prohibited. However, such processing may be authorized under specific circumstances, provided that:

  • It is necessary and relevant to ALTEN India's legitimate business activities; and
  • One of the following legal bases is met:
    • Explicit consent has been obtained from the Data Principal (under DPDP) or Data Subject (under GDPR) for the processing of their Sensitive Personal Data.
    • The Data Principal/Subject has voluntarily made their Sensitive Personal Data publicly available.
    • Processing is necessary to comply with a legal obligation, particularly in relation to labour or social security law.
    • Processing is essential to protect the vital interests of the Data Principal/Subject (e.g., in life-threatening situations).
    • Processing is necessary for the establishment, exercise, or defence of legal claims.

Prior to any collection or processing of Sensitive Personal Data, employees and service providers must obtain authorization from their line manager or the Data Protection Officer (DPO).


INFORMATION OF DATA SUBJECTS

At ALTEN India, in compliance with the DPDP Act, 2023 and GDPR, employees and service providers must ensure that Data Principals (DPDP) or Data Subjects (GDPR) receive clear, comprehensive, and easily accessible information regarding the processing of their Personal Data. This information must be written in a manner that is understandable to the average person, detailing how and by whom their Personal Data will be used.

When Personal Data is collected indirectly, such as from a business partner or recruitment agency, employees and service providers must ensure that the required information notice regarding indirect data collection is promptly provided to the Data Principal/Subject.


RESPECT FOR THE RIGHTS THAT PERSONS CONCERNED MAY EXERCISE

ALTEN India, adhering to the DPDP Act, 2023 and GDPR, recognizes the importance of data subject rights. Individuals whose Personal Data is collected or processed by ALTEN India have the right to data portability, access, correction, erasure, limitation of processing, and objection for legitimate reasons.

Under both regulations, individuals also have the right to provide instructions regarding the handling of their Personal Data after their death. ALTEN India employees and service providers must ensure that these rights are clearly communicated to data subjects as outlined in Section 2.6.


AUTOMATED DECISIONS HAVING A NEGATIVE EFFECT ON THE PERSON CONCERNED

ALTEN India, committed to the principles of the DPDP Act, 2023 and GDPR, prioritizes the protection of Data Principals/Subjects from adverse effects arising from solely automated decision-making. We recognize that decisions made exclusively through automated personal data processing, without human oversight, can have a substantial negative impact. Therefore, when automated decisions are implemented, ALTEN India employees and service providers are required to:

  • Provide clear and comprehensive information to Data Principals/Subjects regarding the underlying logic of such decisions.
  • Implement necessary safeguards to protect the legitimate interests of Data Principals/Subjects, including the explicit right to request human intervention and contest the decision. ALTEN India strictly prohibits automated decisions based on Sensitive Personal Data.

SECURITY AND PRIVACY OF PERSONAL DATA

ALTEN India, in compliance with the DPDP Act, 2023 and GDPR, has implemented appropriate technical and organizational measures to ensure the security and privacy of Personal Data it collects and processes. Employees and service providers must adhere to the security measures detailed in ALTEN’s “General Policy for the Management and Security of Information Systems (PGSSI).” Specifically, when processing Personal Data, they must implement suitable security measures to prevent:

  • Accidental or unauthorized destruction of Personal Data.
  • Impairment of Personal Data.
  • Accidental access to or unauthorized disclosure of Personal Data.
  • Unlawful processing of Personal Data.

These measures must be proportionate to the nature of the Personal Data and the risks associated with its processing.

When engaging a Data Processor (subcontractor) to process Personal Data, ALTEN India ensures a written contract is in place, stipulating that the Data Processor:

  • Processes Personal Data only as instructed by ALTEN India.
  • Implements appropriate technical and organizational security measures to protect the security and privacy of the entrusted Personal Data.

TRANSFER OF PERSONAL DATA TO COUNTRIES OUTSIDE THE EUROPEAN UNION

ALTEN India, adhering to both the DPDP Act, 2023 and GDPR, recognizes that processing Personal Data may involve transfers to third countries (outside the European Union or without an adequacy decision under GDPR) or international organizations. In such instances, ALTEN India commits to providing appropriate safeguards as mandated by GDPR, and to ensuring these safeguards are respected by employees and service providers. This commitment also aligns with the principles of data protection under the DPDP Act, 2023.